bluetooth: buf: Fix callback protection for ISR context

Fix assertion failure when buf_rx_freed_notify() is called from ISR
by replacing k_sched_lock with atomic_ptr operations for callback
pointer access.

The scheduler lock is retained during callback execution in thread
context to maintain backward compatibility, but is skipped in ISR
context where it's not available.

Updated documentation to clarify the behavior difference between
thread and ISR contexts.

Signed-off-by: Pavel Vasilyev <[email protected]>

Author: PavelVPV

include/zephyr/bluetooth/buf.h

@@ -196,9 +196,12 @@ struct net_buf *bt_buf_get_rx(enum bt_buf_type type, k_timeout_t timeout);
  * @ref bt_buf_get_rx function. However, this callback is called from the context of the buffer
  * freeing operation and must not attempt to allocate a new buffer from the same pool.
  *
- * @warning When this callback is called, the scheduler is locked and the callee must not perform
- * any action that makes the current thread unready. This callback must only be used for very
- * short non-blocking operation (e.g. submitting a work item).
+ * @warning This callback must only be used for very short non-blocking operations  (e.g. submitting
+ * a work item). When called from thread context, the scheduler is locked during execution and the
+ * callee must not perform any action that makes the current thread unready. When called from ISR
+ * context, the callback runs without scheduler lock (ISRs cannot lock the scheduler). For shared
+ * data access, use IRQ locks or atomic operations to ensure ISR-safe synchronization.
+ *
  *
  * @param type_mask A bit mask of buffer types that have been freed.
  */

subsys/bluetooth/host/buf.c

@@ -36,17 +36,26 @@ LOG_MODULE_REGISTER(bt_buf, CONFIG_BT_LOG_LEVEL);
  */
 #define SYNC_EVT_SIZE (BT_BUF_RESERVE + BT_HCI_EVT_HDR_SIZE + 255)
 
-static bt_buf_rx_freed_cb_t buf_rx_freed_cb;
+static atomic_ptr_t buf_rx_freed_cb;
 
 static void buf_rx_freed_notify(enum bt_buf_type mask)
 {
-	k_sched_lock();
+	bt_buf_rx_freed_cb_t cb;
+	bool in_isr = k_is_in_isr();
 
-	if (buf_rx_freed_cb) {
-		buf_rx_freed_cb(mask);
+	if (!in_isr) {
+		k_sched_lock();
 	}
 
-	k_sched_unlock();
+	cb = (bt_buf_rx_freed_cb_t)atomic_ptr_get(&buf_rx_freed_cb);
+
+	if (cb) {
+		cb(mask);
+	}
+
+	if (!in_isr) {
+		k_sched_unlock();
+	}
 }
 
 #if defined(CONFIG_BT_ISO_RX)
@@ -134,15 +143,11 @@ struct net_buf *bt_buf_get_rx(enum bt_buf_type type, k_timeout_t timeout)
 
 void bt_buf_rx_freed_cb_set(bt_buf_rx_freed_cb_t cb)
 {
-	k_sched_lock();
-
-	buf_rx_freed_cb = cb;
+	atomic_ptr_set(&buf_rx_freed_cb, (void *)cb);
 
 #if defined(CONFIG_BT_ISO_RX)
 	bt_iso_buf_rx_freed_cb_set(cb != NULL ? iso_rx_freed_cb : NULL);
 #endif
-
-	k_sched_unlock();
 }
 
 struct net_buf *bt_buf_get_evt(uint8_t evt, bool discardable,

subsys/bluetooth/host/iso.c

@@ -52,14 +52,18 @@ LOG_MODULE_REGISTER(bt_iso, CONFIG_BT_ISO_LOG_LEVEL);
 #define iso_chan(_iso) ((_iso)->iso.chan);
 
 #if defined(CONFIG_BT_ISO_RX)
-static bt_iso_buf_rx_freed_cb_t buf_rx_freed_cb;
+static atomic_ptr_t buf_rx_freed_cb;
 
 static void iso_rx_buf_destroy(struct net_buf *buf)
 {
+	bt_iso_buf_rx_freed_cb_t cb;
+
+	cb = (bt_iso_buf_rx_freed_cb_t)atomic_ptr_get(&buf_rx_freed_cb);
+
 	net_buf_destroy(buf);
 
-	if (buf_rx_freed_cb) {
-		buf_rx_freed_cb();
+	if (cb) {
+		cb();
 	}
 }
 
@@ -643,7 +647,7 @@ struct net_buf *bt_iso_get_rx(k_timeout_t timeout)
 
 void bt_iso_buf_rx_freed_cb_set(bt_iso_buf_rx_freed_cb_t cb)
 {
-	buf_rx_freed_cb = cb;
+	atomic_ptr_set(&buf_rx_freed_cb, (void *)cb);
 }
 
 void bt_iso_recv(struct bt_conn *iso, struct net_buf *buf, uint8_t flags)