Bluetooth: ISO: Fix issue with BIS tx_complete

BIS termination as broadcaster is handled different
than ACL and CIS, and in rare chances the
tx_complete for BIS may not have been completed in
the system workqueue before iso_new was called for the
same bt_conn struct (e.g. via bt_iso_cig_create), which
would perform

k_work_init(&conn->tx_complete_work, tx_complete_work);

but where conn->tx_complete_work still existed in
the system workqueue, which would cause the list
of pending items on the system workqueue to be removed
as the `next` pointer would be NULL.

This also adds an assert in bt_conn_new to prevent this
issue from appearing again.

Signed-off-by: Emil Gydesen <[email protected]>

Author: Thalley

subsys/bluetooth/host/conn.c

@@ -372,6 +372,8 @@ struct bt_conn *bt_conn_new(struct bt_conn *conns, size_t size)
 	k_work_init_delayable(&conn->deferred_work, deferred_work);
 #endif /* CONFIG_BT_CONN */
 #if defined(CONFIG_BT_CONN_TX)
+	__ASSERT(!k_work_is_pending(&conn->tx_complete_work),
+		 "tx_complete_work is pending, performing k_work_init will break the workqueue");
 	k_work_init(&conn->tx_complete_work, tx_complete_work);
 #endif /* CONFIG_BT_CONN_TX */
 

subsys/bluetooth/host/iso.c

@@ -511,6 +511,15 @@ static void bt_iso_chan_disconnected(struct bt_iso_chan *chan, uint8_t reason)
 			}
 #endif /* CONFIG_BT_ISO_CENTRAL */
 		}
+	} else if (IS_ENABLED(CONFIG_BT_ISO_BROADCASTER) &&
+		   conn_type == BT_ISO_CHAN_TYPE_BROADCASTER) {
+		/* BIS do not get a HCI Disconnected event and will not handle cleanup of pending TX
+		 * complete in the same way as ACL and CIS do. Call bt_conn_tx_notify directly here
+		 * to flush the chan->iso->tx_complete for each disconnected BIS
+		 */
+		bt_conn_tx_notify(chan->iso, true);
+	} else {
+		/* No special handling for BT_ISO_CHAN_TYPE_SYNC_RECEIVER */
 	}
 }