[nrf fromtree] Bluetooth: UBSAN warnings fixes

subsys/bluetooth/host/adv.c

@@ -2064,7 +2064,7 @@ void bt_hci_le_per_adv_response_report(struct net_buf *buf)
 		response = net_buf_pull_mem(buf, sizeof(struct bt_hci_evt_le_per_adv_response));
 		info.tx_power = response->tx_power;
 		info.rssi = response->rssi;
-		info.cte_type = BIT(response->cte_type);
+		info.cte_type = bt_get_df_cte_type(response->cte_type);
 		info.response_slot = response->response_slot;
 
 		if (buf->len < response->data_length) {

subsys/bluetooth/host/hci_core.c

@@ -422,6 +422,22 @@ uint8_t bt_get_phy(uint8_t hci_phy)
 	}
 }
 
+int bt_get_df_cte_type(uint8_t hci_cte_type)
+{
+	switch (hci_cte_type) {
+	case BT_HCI_LE_AOA_CTE:
+		return BT_DF_CTE_TYPE_AOA;
+	case BT_HCI_LE_AOD_CTE_1US:
+		return BT_DF_CTE_TYPE_AOD_1US;
+	case BT_HCI_LE_AOD_CTE_2US:
+		return BT_DF_CTE_TYPE_AOD_2US;
+	case BT_HCI_LE_NO_CTE:
+		return BT_DF_CTE_TYPE_NONE;
+	default:
+		return BT_DF_CTE_TYPE_NONE;
+	}
+}
+
 #if defined(CONFIG_BT_CONN_TX)
 static void hci_num_completed_packets(struct net_buf *buf)
 {

subsys/bluetooth/host/hci_core.h

@@ -434,7 +434,14 @@ int bt_le_set_data_len(struct bt_conn *conn, uint16_t tx_octets, uint16_t tx_tim
 int bt_le_set_phy(struct bt_conn *conn, uint8_t all_phys,
 		  uint8_t pref_tx_phy, uint8_t pref_rx_phy, uint8_t phy_opts);
 uint8_t bt_get_phy(uint8_t hci_phy);
-
+/**
+ * @brief Convert CTE type value from HCI format to @ref bt_df_cte_type format.
+ *
+ * @param hci_cte_type   CTE type in an HCI format.
+ *
+ * @return CTE type (@ref bt_df_cte_type).
+ */
+int bt_get_df_cte_type(uint8_t hci_cte_type);
 int bt_le_scan_update(bool fast_scan);
 
 int bt_le_create_conn(const struct bt_conn *conn);

subsys/bluetooth/host/iso.c

@@ -233,9 +233,10 @@ static int hci_le_setup_iso_data_path(const struct bt_conn *iso, uint8_t dir,
 	cp->codec_id.vs_codec_id = sys_cpu_to_le16(path->vid);
 	sys_put_le24(path->delay, cp->controller_delay);
 	cp->codec_config_len = path->cc_len;
-	cc = net_buf_add(buf, cp->codec_config_len);
-	memcpy(cc, path->cc, cp->codec_config_len);
-
+	cc = net_buf_add(buf, path->cc_len);
+	if (path->cc_len) {
+		memcpy(cc, path->cc, path->cc_len);
+	}
 	err = bt_hci_cmd_send_sync(BT_HCI_OP_LE_SETUP_ISO_PATH, buf, &rsp);
 	if (err) {
 		return err;

subsys/bluetooth/host/l2cap.c

@@ -977,7 +977,9 @@ static void l2cap_chan_destroy(struct bt_l2cap_chan *chan)
 	 * In the case where we are in the context of executing the rtx_work
 	 * item, we don't sync as it will deadlock the workqueue.
 	 */
-	if (k_current_get() != &le_chan->rtx_work.queue->thread) {
+	struct k_work_q *rtx_work_queue = le_chan->rtx_work.queue;
+
+	if (rtx_work_queue == NULL || k_current_get() != &rtx_work_queue->thread) {
 		k_work_cancel_delayable_sync(&le_chan->rtx_work, &le_chan->rtx_sync);
 	} else {
 		k_work_cancel_delayable(&le_chan->rtx_work);

subsys/bluetooth/host/l2cap_br.c

@@ -165,7 +165,9 @@ static void l2cap_br_chan_destroy(struct bt_l2cap_chan *chan)
 	 * In the case where we are in the context of executing the rtx_work
 	 * item, we don't sync as it will deadlock the workqueue.
 	 */
-	if (k_current_get() != &br_chan->rtx_work.queue->thread) {
+	struct k_work_q *rtx_work_queue = br_chan->rtx_work.queue;
+
+	if (rtx_work_queue == NULL || k_current_get() != &rtx_work_queue->thread) {
 		k_work_cancel_delayable_sync(&br_chan->rtx_work, &br_chan->rtx_sync);
 	} else {
 		k_work_cancel_delayable(&br_chan->rtx_work);

subsys/bluetooth/host/scan.c

@@ -825,7 +825,7 @@ static void bt_hci_le_per_adv_report_common(struct net_buf *buf)
 
 	info.tx_power = evt->tx_power;
 	info.rssi = evt->rssi;
-	info.cte_type = BIT(evt->cte_type);
+	info.cte_type = bt_get_df_cte_type(evt->cte_type);
 	info.addr = &per_adv_sync->addr;
 	info.sid = per_adv_sync->sid;