Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced

This attempts to detect if HCI_EV_NUM_COMP_PKTS contain an unbalanced
(more than currently considered outstanding) number of packets otherwise
it could cause the hcon->sent to underflow and loop around breaking the
tracking of the outstanding packets pending acknowledgment.

Fixes: f42809185896 ("Bluetooth: Simplify num_comp_pkts_evt function")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index ce0ff06f2f731af7e865796bcac20a6dd4faf166..904bcff4f4cac5f3ffb672eacae605b51657d063 100644 (file)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4404,7 +4404,17 @@ static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
                if (!conn)
                        continue;
 
-               conn->sent -= count;
+               /* Check if there is really enough packets outstanding before
+                * attempting to decrease the sent counter otherwise it could
+                * underflow..
+                */
+               if (conn->sent >= count) {
+                       conn->sent -= count;
+               } else {
+                       bt_dev_warn(hdev, "hcon %p sent %u < count %u",
+                                   conn, conn->sent, count);
+                       conn->sent = 0;
+               }
 
                for (i = 0; i < count; ++i)
                        hci_conn_tx_dequeue(conn);