[2/2] Bluetooth: ISO: Send BIG Create Sync via hci_sync

Message ID	20241108160723.3399-3-iulia.tanasescu@nxp.com (mailing list archive)
State	Superseded
Headers	show Received: from EUR02-VI1-obe.outbound.protection.outlook.com (mail-vi1eur02on2083.outbound.protection.outlook.com [40.107.241.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 31092139D0B for <linux-bluetooth@vger.kernel.org>; Fri, 8 Nov 2024 16:07:39 +0000 (UTC) From: Iulia Tanasescu <iulia.tanasescu@nxp.com> To: linux-bluetooth@vger.kernel.org Cc: claudia.rosu@nxp.com, mihai-octavian.urzica@nxp.com, andrei.istodorescu@nxp.com, luiz.dentz@gmail.com, Iulia Tanasescu <iulia.tanasescu@nxp.com> Subject: [PATCH 2/2] Bluetooth: ISO: Send BIG Create Sync via hci_sync Date: Fri, 8 Nov 2024 18:07:22 +0200 Message-ID: <20241108160723.3399-3-iulia.tanasescu@nxp.com> In-Reply-To: <20241108160723.3399-1-iulia.tanasescu@nxp.com> References: <20241108160723.3399-1-iulia.tanasescu@nxp.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain Precedence: bulk MIME-Version: 1.0
Series	Bluetooth: ISO: PA/BIG sync fixes \| expand [0/2] Bluetooth: ISO: PA/BIG sync fixes [1/2] Bluetooth: hci_conn: Remove alloc from critical section [2/2] Bluetooth: ISO: Send BIG Create Sync via hci_sync

Message ID

20241108160723.3399-3-iulia.tanasescu@nxp.com (mailing list archive)

State

Superseded

Headers

From: Iulia Tanasescu <iulia.tanasescu@nxp.com>
To: linux-bluetooth@vger.kernel.org
Cc: claudia.rosu@nxp.com,
	mihai-octavian.urzica@nxp.com,
	andrei.istodorescu@nxp.com,
	luiz.dentz@gmail.com,
	Iulia Tanasescu <iulia.tanasescu@nxp.com>
Subject: [PATCH 2/2] Bluetooth: ISO: Send BIG Create Sync via hci_sync
Date: Fri,  8 Nov 2024 18:07:22 +0200
Message-ID: <20241108160723.3399-3-iulia.tanasescu@nxp.com>
In-Reply-To: <20241108160723.3399-1-iulia.tanasescu@nxp.com>
References: <20241108160723.3399-1-iulia.tanasescu@nxp.com>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
Precedence: bulk
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 UQf/dGvgsz1xtb51QHYidiQqfDnLVLfErnV6RvufWd70i59onVHrwipm0392GC6cK9Kw94nb1MtEIO5vAohVD0SFHszg8u4ccP1kFjz42xjbF1Yf/E8kp+SqJt3VW4pcP8I87WPUvGtNWI53rbvIYLLEJcId5TY3AIRdSzUpC6um/1LIZSg1qeLfKC6mGHdrlumlALzk3f2STMbWxiAWbO0OyzVnqkqqVSBCRS1j6vBau5J/ECvxHnIaB31eM5aD5/Cn9ioBvfQpVNmBPDRgljmy/b0ocUHJNoOqSTG2JXEKTUTFj0OIefZACPrzl15h/29fBY0qy+frNBx3Ty8pQubKC6XTZ0Y/9Wv7+6xFWJT5orDAg/4hhGYyntjeivyF6aDWE/7f5fT9jSMdVnxT437haliXPmL2MSmS1BqA26iNV70PhOvHnZhXxprnrl8w5rek88YVSmcd+P0nK3FkIn3vfw1ViWEsbYbCoRYBFLlPx5VpC+UovOAyWa30yCZD65Eh78EoaqSMKrG5+7b2I92djLqMm3KayWPEhkS+JIAtiTA7qYGUcuUBFxysTXXvSqDRkXBZVgFcrwsW5xSpKiVOE1RVMMzsYQbHP/FPZvOIDgklUt+/P9z0QCNYxRVSiVZN8WLfiv9QSQ4bcwsDr7nAJ5nQaSm4dLFVsuuHsdjoBeYj1wo4Y5ETEXTrxepftIHbSyjVxAOEvAa3t89Iv8WgE90nVxen6DabTmO9FCMTYszsIU0nu80zxITHl6SL8aq26+jHZ83WFpsupthWNm/JHevleBeWHnaeF3TEitUlG8Wabhg90hK/x+WZbvWTTDbD3hR5O7g173SF0QJflYqQmIMRy2EJo5BQvg7zpJA2bAO5hdwnlQzfpwaNkXDKCufdpVPU0F7qcFMvutEmWsHksW/7yt4KsY5DvdOD8r0VP1SJWD/I+c9nck2dPRi30lqqvH6d0p1MYb2wjXxhnpCoRkR7mkzfL/TpKvBH7kSooJICWiBHK95JW1CMRKKX7Hlj1d6CltAoMPSVB8FDouXRZBa+5F9aaTU0cCv5W3q5mWoInZGscrM4p2wZ9PEzR1765/iqBfhvhqXV3eiFkdsaEWWo6iPf2FP1LUvDv8gdJgy65LJ7VNAVkuk0xSAoHKzc+BZc65uRxF1g2u8knD+EYnt55IQJJdF7bzTJ1Z7zJ/V7zoiYr4z/YWTTSMtxWcC4HgiGKvzQ6Rcw2j0s6hRHD5XW1IqG2v9jroBopXk97+44BsvkZ2PBRrFlmiXC7vAqi0uxHHw57MVL+OGjDJxDACdIeIUw/lz78j/CbW3gZEW3Gw8CGyEFfGOxZnFiLPdsX44dlLrxeBNR4hIHjsUGDjxwAipVbsiiDPpobR/mi/X+auxoNpgYMnCFInHe5LCRZ8TM2lbjRbEQG0njI3jn1zX9f4BkODWxdIn4p2sTQjgiNEQ9iSahvSZwKYHlyVLmBsOgZbnEsUz2k+rli4UR2ibbu3RdPOc3tpW78mj6+Ytk+thOxF8k6T6NfzkiCfOhxelXVHthObOVJmjgFEG00qm9asPLv9KiSGx64BGok+SNJ+0pV+gnd1DPwetMMtvaavNGgaug08znw1SNIQ==
X-OriginatorOrg: nxp.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 6fff5602-0d37-41ee-7a9d-08dd000f7648
X-MS-Exchange-CrossTenant-AuthSource: AS8PR04MB8898.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Nov 2024 16:07:36.6775
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 1WOZhUwXQBiOe6r0Yn7ajPCemrLCpy3IFSnHyOjRb47r/RxmzV/yVWzC7IHYYZ4An4P/Xn2A5Kbq/on1ioWfOQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR04MB6829

Series

Bluetooth: ISO: PA/BIG sync fixes | expand

Checks

Context	Check	Description
tedd_an/pre-ci_am	success	Success
tedd_an/CheckPatch	success	CheckPatch PASS
tedd_an/GitLint	success	Gitlint PASS
tedd_an/SubjectPrefix	success	Gitlint PASS

Context

Check

Description

tedd_an/pre-ci_am

success

Success

tedd_an/CheckPatch

success

CheckPatch PASS

tedd_an/GitLint

success

Gitlint PASS

tedd_an/SubjectPrefix

success

Gitlint PASS

Commit Message

Iulia Tanasescu Nov. 8, 2024, 4:07 p.m. UTC

Before issuing the LE BIG Create Sync command, an available BIG handle
is chosen by iterating through the conn_hash list and finding the first
unused value.

If a BIG is terminated, the associated hcons are removed from the list
and the LE BIG Terminate Sync command is sent via hci_sync queue.
However, a new LE BIG Create sync command might be issued via
hci_send_cmd, before the previous BIG sync was terminated. This
can cause the same BIG handle to be reused and the LE BIG Create Sync
to fail with Command Disallowed.

< HCI Command: LE Broadcast Isochronous Group Create Sync (0x08|0x006b)
        BIG Handle: 0x00
        BIG Sync Handle: 0x0002
        Encryption: Unencrypted (0x00)
        Broadcast Code[16]: 00000000000000000000000000000000
        Maximum Number Subevents: 0x00
        Timeout: 20000 ms (0x07d0)
        Number of BIS: 1
        BIS ID: 0x01
> HCI Event: Command Status (0x0f) plen 4
      LE Broadcast Isochronous Group Create Sync (0x08|0x006b) ncmd 1
        Status: Command Disallowed (0x0c)
< HCI Command: LE Broadcast Isochronous Group Terminate Sync (0x08|0x006c)
        BIG Handle: 0x00

This commit fixes the ordering of the LE BIG Create Sync/LE BIG Terminate
Sync commands, to make sure that either the previous BIG sync is
terminated before reusing the handle, or that a new handle is chosen
for a new sync.

Signed-off-by: Iulia Tanasescu <iulia.tanasescu@nxp.com>
---
 net/bluetooth/hci_conn.c | 19 ++++++++++++++++++-
 net/bluetooth/iso.c      |  4 ++++
 2 files changed, 22 insertions(+), 1 deletion(-)

Comments

Luiz Augusto von Dentz Nov. 8, 2024, 6 p.m. UTC | #1

Hi Iulia,

On Fri, Nov 8, 2024 at 11:07 AM Iulia Tanasescu <iulia.tanasescu@nxp.com> wrote:
>
> Before issuing the LE BIG Create Sync command, an available BIG handle
> is chosen by iterating through the conn_hash list and finding the first
> unused value.
>
> If a BIG is terminated, the associated hcons are removed from the list
> and the LE BIG Terminate Sync command is sent via hci_sync queue.
> However, a new LE BIG Create sync command might be issued via
> hci_send_cmd, before the previous BIG sync was terminated. This
> can cause the same BIG handle to be reused and the LE BIG Create Sync
> to fail with Command Disallowed.

We should be using hci_send_cmd anymore, so
hci_le_big_create_sync_pending shall be used whenever we want to queue
LE BIG Create Sync command, we shall also make it safe to be called
multiple times by using hci_cmd_sync_queue_once so it doesn't get
queued multiple times.

> < HCI Command: LE Broadcast Isochronous Group Create Sync (0x08|0x006b)
>         BIG Handle: 0x00
>         BIG Sync Handle: 0x0002
>         Encryption: Unencrypted (0x00)
>         Broadcast Code[16]: 00000000000000000000000000000000
>         Maximum Number Subevents: 0x00
>         Timeout: 20000 ms (0x07d0)
>         Number of BIS: 1
>         BIS ID: 0x01
> > HCI Event: Command Status (0x0f) plen 4
>       LE Broadcast Isochronous Group Create Sync (0x08|0x006b) ncmd 1
>         Status: Command Disallowed (0x0c)
> < HCI Command: LE Broadcast Isochronous Group Terminate Sync (0x08|0x006c)
>         BIG Handle: 0x00
>
> This commit fixes the ordering of the LE BIG Create Sync/LE BIG Terminate
> Sync commands, to make sure that either the previous BIG sync is
> terminated before reusing the handle, or that a new handle is chosen
> for a new sync.

If it is a fix of a previous change then we need to add the Fixes tag.
Regarding the order, hci_cmd_sync_queue also fix that since then the
command shall be executed in the order and in the situation where it
needs to be canceled we can do so with hci_cmd_sync_dequeue.

> Signed-off-by: Iulia Tanasescu <iulia.tanasescu@nxp.com>
> ---
>  net/bluetooth/hci_conn.c | 19 ++++++++++++++++++-
>  net/bluetooth/iso.c      |  4 ++++
>  2 files changed, 22 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> index b5b78d469d54..ba74fac823c5 100644
> --- a/net/bluetooth/hci_conn.c
> +++ b/net/bluetooth/hci_conn.c
> @@ -2180,11 +2180,20 @@ static bool hci_conn_check_create_big_sync(struct hci_conn *conn)
>         return true;
>  }
>
> -int hci_le_big_create_sync_pending(struct hci_dev *hdev)
> +static void big_create_sync_complete(struct hci_dev *hdev, void *data, int err)
> +{
> +       bt_dev_dbg(hdev, "");
> +
> +       if (err)
> +               bt_dev_err(hdev, "Unable to create BIG sync: %d", err);
> +}
> +
> +static int big_create_sync(struct hci_dev *hdev, void *data)
>  {
>         DEFINE_FLEX(struct hci_cp_le_big_create_sync, pdu, bis, num_bis, 0x11);
>         struct hci_conn *conn;
>
> +       hci_dev_lock(hdev);

I'd add a comment why we are acquiring the dev lock here, sync
functions typically aren't allowed to do that except for minor updates
but never when you can sleep/yield waiting for something to complete.

>         rcu_read_lock();
>
>         pdu->num_bis = 0;
> @@ -2229,6 +2238,7 @@ int hci_le_big_create_sync_pending(struct hci_dev *hdev)
>
>  unlock:
>         rcu_read_unlock();
> +       hci_dev_unlock(hdev);
>
>         if (!pdu->num_bis)
>                 return 0;
> @@ -2237,6 +2247,13 @@ int hci_le_big_create_sync_pending(struct hci_dev *hdev)
>                             struct_size(pdu, bis, pdu->num_bis), pdu);
>  }
>
> +int hci_le_big_create_sync_pending(struct hci_dev *hdev)
> +{
> +       /* Queue big_create_sync */
> +       return hci_cmd_sync_queue(hdev, big_create_sync,
> +                                 NULL, big_create_sync_complete);
> +}
> +
>  int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon,
>                            struct bt_iso_qos *qos,
>                            __u16 sync_handle, __u8 num_bis, __u8 bis[])
> diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
> index 9e119da43147..ac1598b1e1b6 100644
> --- a/net/bluetooth/iso.c
> +++ b/net/bluetooth/iso.c
> @@ -1338,6 +1338,8 @@ static void iso_conn_big_sync(struct sock *sk)
>         if (!hdev)
>                 return;
>
> +       hci_dev_lock(hdev);

Same thing here, typically we don't use hci_dev_lock at the socket
layer as there is the likes of iso_conn to interface with HCI layer,
so we need to put some comments when there really is no other way and
hci_dev_lock must be used.

>         if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
>                 err = hci_le_big_create_sync(hdev, iso_pi(sk)->conn->hcon,
>                                              &iso_pi(sk)->qos,
> @@ -1348,6 +1350,8 @@ static void iso_conn_big_sync(struct sock *sk)
>                         bt_dev_err(hdev, "hci_le_big_create_sync: %d",
>                                    err);
>         }
> +
> +       hci_dev_unlock(hdev);
>  }
>
>  static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
> --
> 2.43.0
>

Iulia Tanasescu Nov. 11, 2024, 11:48 a.m. UTC | #2

Hi Luiz,

> -----Original Message-----
> From: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
> Sent: Friday, November 8, 2024 8:01 PM
> To: Iulia Tanasescu <iulia.tanasescu@nxp.com>
> Cc: linux-bluetooth@vger.kernel.org; Claudia Cristina Draghicescu
> <claudia.rosu@nxp.com>; Mihai-Octavian Urzica <mihai-
> octavian.urzica@nxp.com>; Andrei Istodorescu
> <andrei.istodorescu@nxp.com>
> Subject: Re: [PATCH 2/2] Bluetooth: ISO: Send BIG Create Sync via
> hci_sync
> 
> Hi Iulia,
> 
> On Fri, Nov 8, 2024 at 11:07 AM Iulia Tanasescu <iulia.tanasescu@nxp.com>
> wrote:
> >
> > Before issuing the LE BIG Create Sync command, an available BIG handle
> > is chosen by iterating through the conn_hash list and finding the
> > first unused value.
> >
> > If a BIG is terminated, the associated hcons are removed from the list
> > and the LE BIG Terminate Sync command is sent via hci_sync queue.
> > However, a new LE BIG Create sync command might be issued via
> > hci_send_cmd, before the previous BIG sync was terminated. This can
> > cause the same BIG handle to be reused and the LE BIG Create Sync to
> > fail with Command Disallowed.
> 
> We should be using hci_send_cmd anymore, so
> hci_le_big_create_sync_pending shall be used whenever we want to queue LE
> BIG Create Sync command, we shall also make it safe to be called multiple
> times by using hci_cmd_sync_queue_once so it doesn't get queued multiple
> times.
> 
> > < HCI Command: LE Broadcast Isochronous Group Create Sync
> (0x08|0x006b)
> >         BIG Handle: 0x00
> >         BIG Sync Handle: 0x0002
> >         Encryption: Unencrypted (0x00)
> >         Broadcast Code[16]: 00000000000000000000000000000000
> >         Maximum Number Subevents: 0x00
> >         Timeout: 20000 ms (0x07d0)
> >         Number of BIS: 1
> >         BIS ID: 0x01
> > > HCI Event: Command Status (0x0f) plen 4
> >       LE Broadcast Isochronous Group Create Sync (0x08|0x006b) ncmd 1
> >         Status: Command Disallowed (0x0c) < HCI Command: LE Broadcast
> > Isochronous Group Terminate Sync (0x08|0x006c)
> >         BIG Handle: 0x00
> >
> > This commit fixes the ordering of the LE BIG Create Sync/LE BIG
> > Terminate Sync commands, to make sure that either the previous BIG
> > sync is terminated before reusing the handle, or that a new handle is
> > chosen for a new sync.
> 
> If it is a fix of a previous change then we need to add the Fixes tag.
> Regarding the order, hci_cmd_sync_queue also fix that since then the
> command shall be executed in the order and in the situation where it needs to
> be canceled we can do so with hci_cmd_sync_dequeue.
> 
> > Signed-off-by: Iulia Tanasescu <iulia.tanasescu@nxp.com>
> > ---
> >  net/bluetooth/hci_conn.c | 19 ++++++++++++++++++-
> >  net/bluetooth/iso.c      |  4 ++++
> >  2 files changed, 22 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index
> > b5b78d469d54..ba74fac823c5 100644
> > --- a/net/bluetooth/hci_conn.c
> > +++ b/net/bluetooth/hci_conn.c
> > @@ -2180,11 +2180,20 @@ static bool
> hci_conn_check_create_big_sync(struct hci_conn *conn)
> >         return true;
> >  }
> >
> > -int hci_le_big_create_sync_pending(struct hci_dev *hdev)
> > +static void big_create_sync_complete(struct hci_dev *hdev, void
> > +*data, int err) {
> > +       bt_dev_dbg(hdev, "");
> > +
> > +       if (err)
> > +               bt_dev_err(hdev, "Unable to create BIG sync: %d",
> > +err); }
> > +
> > +static int big_create_sync(struct hci_dev *hdev, void *data)
> >  {
> >         DEFINE_FLEX(struct hci_cp_le_big_create_sync, pdu, bis, num_bis,
> 0x11);
> >         struct hci_conn *conn;
> >
> > +       hci_dev_lock(hdev);
> 
> I'd add a comment why we are acquiring the dev lock here, sync functions
> typically aren't allowed to do that except for minor updates but never when
> you can sleep/yield waiting for something to complete.

I added hci_dev_lock here thinking that it might be necessary to protect
iterating through hdev->conn_hash.list, but I think rcu_read_lock and
list_for_each_entry_rcu already offer the required protection, so I
removed hci_dev_lock.

However, I think hci_dev_lock is necessary in iso.c, to protect
hci_le_big_create_sync_pending, since hci_cmd_sync_queue_once checks
hdev flags which might change. I added a comment to explain this.

> 
> >         rcu_read_lock();
> >
> >         pdu->num_bis = 0;
> > @@ -2229,6 +2238,7 @@ int hci_le_big_create_sync_pending(struct
> > hci_dev *hdev)
> >
> >  unlock:
> >         rcu_read_unlock();
> > +       hci_dev_unlock(hdev);
> >
> >         if (!pdu->num_bis)
> >                 return 0;
> > @@ -2237,6 +2247,13 @@ int hci_le_big_create_sync_pending(struct
> hci_dev *hdev)
> >                             struct_size(pdu, bis, pdu->num_bis), pdu);
> > }
> >
> > +int hci_le_big_create_sync_pending(struct hci_dev *hdev) {
> > +       /* Queue big_create_sync */
> > +       return hci_cmd_sync_queue(hdev, big_create_sync,
> > +                                 NULL, big_create_sync_complete); }
> > +
> >  int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon,
> >                            struct bt_iso_qos *qos,
> >                            __u16 sync_handle, __u8 num_bis, __u8
> > bis[]) diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c index
> > 9e119da43147..ac1598b1e1b6 100644
> > --- a/net/bluetooth/iso.c
> > +++ b/net/bluetooth/iso.c
> > @@ -1338,6 +1338,8 @@ static void iso_conn_big_sync(struct sock *sk)
> >         if (!hdev)
> >                 return;
> >
> > +       hci_dev_lock(hdev);
> 
> Same thing here, typically we don't use hci_dev_lock at the socket layer as
> there is the likes of iso_conn to interface with HCI layer, so we need to put
> some comments when there really is no other way and hci_dev_lock must be
> used.
> 
> >         if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
> >                 err = hci_le_big_create_sync(hdev, iso_pi(sk)->conn->hcon,
> >                                              &iso_pi(sk)->qos, @@
> > -1348,6 +1350,8 @@ static void iso_conn_big_sync(struct sock *sk)
> >                         bt_dev_err(hdev, "hci_le_big_create_sync: %d",
> >                                    err);
> >         }
> > +
> > +       hci_dev_unlock(hdev);
> >  }
> >
> >  static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
> > --
> > 2.43.0
> >
> 
> 
> --
> Luiz Augusto von Dentz

Regards,
Iulia

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index b5b78d469d54..ba74fac823c5 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -2180,11 +2180,20 @@  static bool hci_conn_check_create_big_sync(struct hci_conn *conn)
 	return true;
 }
 
-int hci_le_big_create_sync_pending(struct hci_dev *hdev)
+static void big_create_sync_complete(struct hci_dev *hdev, void *data, int err)
+{
+	bt_dev_dbg(hdev, "");
+
+	if (err)
+		bt_dev_err(hdev, "Unable to create BIG sync: %d", err);
+}
+
+static int big_create_sync(struct hci_dev *hdev, void *data)
 {
 	DEFINE_FLEX(struct hci_cp_le_big_create_sync, pdu, bis, num_bis, 0x11);
 	struct hci_conn *conn;
 
+	hci_dev_lock(hdev);
 	rcu_read_lock();
 
 	pdu->num_bis = 0;
@@ -2229,6 +2238,7 @@  int hci_le_big_create_sync_pending(struct hci_dev *hdev)
 
 unlock:
 	rcu_read_unlock();
+	hci_dev_unlock(hdev);
 
 	if (!pdu->num_bis)
 		return 0;
@@ -2237,6 +2247,13 @@  int hci_le_big_create_sync_pending(struct hci_dev *hdev)
 			    struct_size(pdu, bis, pdu->num_bis), pdu);
 }
 
+int hci_le_big_create_sync_pending(struct hci_dev *hdev)
+{
+	/* Queue big_create_sync */
+	return hci_cmd_sync_queue(hdev, big_create_sync,
+				  NULL, big_create_sync_complete);
+}
+
 int hci_le_big_create_sync(struct hci_dev *hdev, struct hci_conn *hcon,
 			   struct bt_iso_qos *qos,
 			   __u16 sync_handle, __u8 num_bis, __u8 bis[])
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 9e119da43147..ac1598b1e1b6 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -1338,6 +1338,8 @@  static void iso_conn_big_sync(struct sock *sk)
 	if (!hdev)
 		return;
 
+	hci_dev_lock(hdev);
+
 	if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
 		err = hci_le_big_create_sync(hdev, iso_pi(sk)->conn->hcon,
 					     &iso_pi(sk)->qos,
@@ -1348,6 +1350,8 @@  static void iso_conn_big_sync(struct sock *sk)
 			bt_dev_err(hdev, "hci_le_big_create_sync: %d",
 				   err);
 	}
+
+	hci_dev_unlock(hdev);
 }
 
 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,