From c8d52e0361c0e9df6e32bab700fe92da78a90005 Mon Sep 17 00:00:00 2001
From: Fredrik Danebjer
Date: Tue, 29 Apr 2025 07:44:08 +0200
Subject: [PATCH] bluetooth: host: Fix premature semaphore giving

There was a semaphore in hci_core which was given to early when receiving the BT_HCI_EVT_NUM_COMPLETED_PACKETS message from the controller. This would sometimes cause an assert to happen in function hci_num_completed_packets, where there would arise a mismatch in the bookkept count, and actually stored nodes. More concretely, due to premature semaphore giveing, the tx_pending node would be have been removed in another context before it could be fetched and moved to complete list in this function.

Signed-off-by: Fredrik Danebjer
---
 subsys/bluetooth/host/hci_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/subsys/bluetooth/host/hci_core.c b/subsys/bluetooth/host/hci_core.c
index 45be1425f466..e43f448ca179 100644
--- a/subsys/bluetooth/host/hci_core.c
+++ b/subsys/bluetooth/host/hci_core.c
@@ -601,8 +601,6 @@ static void hci_num_completed_packets(struct net_buf *buf)
 while (count--) {
 sys_snode_t *node;
 
- k_sem_give(bt_conn_get_pkts(conn));
-
 /* move the next TX context from the `pending` list to
 * the `complete` list.
 */
@@ -614,6 +612,8 @@ static void hci_num_completed_packets(struct net_buf *buf)
 break;
 }
 
+ k_sem_give(bt_conn_get_pkts(conn));
+
 sys_slist_append(&conn->tx_complete, node);
 
 /* align the `pending` value */
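Review bot: In the second hunk, the `break;` just above the relocated `k_sem_give(bt_conn_get_pkts(conn));` now leaves the loop without returning a TX credit, whereas the removed give in the first hunk ran unconditionally for every counted packet. If that break is the branch taken when no node can be pulled from `tx_pending` (inferred from the surrounding comment; the retrieval itself is outside the hunk), a controller reporting more completed packets than the host has pending contexts would now leave one credit per surplus count permanently unreturned, which can stall transmission on that connection instead of tripping the assert the description mentions. If that path is unreachable by design, a one-line comment before the break such as `/* no pending TX context for this completion: credit intentionally not returned */` would record the intent; otherwise consider giving the semaphore on that path as well. The enclosing function hci_num_completed_packets starts and ends outside both hunks.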