From b167df155f827f31c740cd37ba03b300ffd21454 Mon Sep 17 00:00:00 2001
From: jgujarathi
Date: Fri, 17 Nov 2023 12:39:13 +0530
Subject: [PATCH] fix(wpa_supplicant): Fix a crash in esp_wifi_wps_disable

- Fixes a crash observed in esp_wifi_wps_disable when wps process is ongoing, caused due to concurrency issues in cancelling timers.
---
 .../esp_supplicant/src/esp_wps.c | 32 +++++++++++--------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wps.c b/components/wpa_supplicant/esp_supplicant/src/esp_wps.c
index 5d4eb7b8a2..885418dac7 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_wps.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_wps.c
@@ -185,9 +185,11 @@ void wps_task(void *pvParameters )
 if (e->sig == SIG_WPS_ENABLE) {
 param->ret = wifi_wps_enable_internal((esp_wps_config_t *)(param->arg));
 } else if (e->sig == SIG_WPS_DISABLE) {
+ DATA_MUTEX_TAKE();
 param->ret = wifi_wps_disable_internal();
 del_task = true;
 s_wps_task_hdl = NULL;
+ DATA_MUTEX_GIVE();
 } else {
 param->ret = wifi_station_wps_start();
 }
@@ -248,6 +250,12 @@ int wps_post(uint32_t sig, uint32_t par)
 wpa_printf(MSG_DEBUG, "wps post: sig=%d cnt=%d", sig, s_wps_sig_cnt[sig]);
 DATA_MUTEX_TAKE();
+
+ if (!s_wps_task_hdl) {
+ wpa_printf(MSG_DEBUG, "wps post: sig=%" PRId32 " failed as wps task has been deinited", sig);
+ DATA_MUTEX_GIVE();
+ return ESP_FAIL;
+ }
 if (s_wps_sig_cnt[sig]) {
 wpa_printf(MSG_DEBUG, "wps post: sig=%d processing", sig);
 DATA_MUTEX_GIVE();
@@ -2002,12 +2010,6 @@ int wps_task_deinit(void)
 wps_rxq_deinit();
 }
- if (s_wps_data_lock) {
- vSemaphoreDelete(s_wps_data_lock);
- s_wps_data_lock = NULL;
- wpa_printf(MSG_DEBUG, "wps task deinit: free data lock");
- }
-
 return ESP_OK;
 }
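Review bot: In the `SIG_WPS_DISABLE` branch of `wps_task`, the data mutex is now held across `wifi_wps_disable_internal()`, which after this patch also runs `wps_delete_timer()` and `wifi_station_wps_deinit()`, and nothing at the call site says why. A short comment would record the invariant the fix relies on, e.g. `/* Hold the data lock until s_wps_task_hdl is cleared so a concurrent wps_post() either completes before teardown or sees NULL and fails. */`. It is also worth confirming that nothing on the teardown path waits for a timer callback that could itself be blocked in `wps_post()` on this same lock; that cannot be judged from the lines shown. The enclosing function body starts and ends outside the hunk.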
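Review bot: The debug message added to `wps_post` formats `sig`, a `uint32_t`, with `PRId32`, while the two neighbouring messages in the same function use `%d`. The unsigned macro matches the parameter type: `wpa_printf(MSG_DEBUG, "wps post: sig=%" PRIu32 " failed as wps task has been deinited", sig);`. The early `ESP_FAIL` return is also new behaviour for every caller, so timer callbacks that post signals need to tolerate a failed post; whether they do is not visible here. The body of `wps_post` continues outside the hunk.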
@@ -2019,10 +2021,12 @@ int wps_task_init(void)
 */
 wps_task_deinit();
- s_wps_data_lock = xSemaphoreCreateRecursiveMutex();
 if (!s_wps_data_lock) {
- wpa_printf(MSG_ERROR, "wps task init: failed to alloc data lock");
- goto _wps_no_mem;
+ s_wps_data_lock = xSemaphoreCreateRecursiveMutex();
+ if (!s_wps_data_lock) {
+ wpa_printf(MSG_ERROR, "wps task init: failed to alloc data lock");
+ goto _wps_no_mem;
+ }
 }
 s_wps_api_sem = xSemaphoreCreateCounting(1, 0);
@@ -2202,6 +2206,11 @@ int wifi_wps_enable_internal(const esp_wps_config_t *config)
 int wifi_wps_disable_internal(void)
 {
 wps_set_status(WPS_STATUS_DISABLE);
+
+ /* Call wps_delete_timer to delete all WPS timer, no timer will call wps_post()
+ * to post message to wps_task once this function returns.
+ */
+ wps_delete_timer();
 wifi_station_wps_deinit();
 return ESP_OK;
 }
@@ -2227,11 +2236,6 @@ int esp_wifi_wps_disable(void)
 wpa_printf(MSG_INFO, "wifi_wps_disable");
 wps_set_type(WPS_TYPE_DISABLE); /* Notify WiFi task */
- /* Call wps_delete_timer to delete all WPS timer, no timer will call wps_post()
- * to post message to wps_task once this function returns.
- */
- wps_delete_timer();
-
 #ifdef USE_WPS_TASK
 ret = wps_post_block(SIG_WPS_DISABLE, 0);
 #else
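Review bot: With the delete removed from `wps_task_deinit` and creation made conditional in `wps_task_init`, `s_wps_data_lock` is allocated on the first init and never freed, but the code does not say this is deliberate. A comment above the check would make the lifetime explicit, e.g. `/* Created once and kept for the process lifetime: wps_post() may take it after the WPS task has been torn down. */`. The `if (!s_wps_data_lock)` test is itself unsynchronised, so if `wps_task_init()` can be entered from two tasks at once (not visible here) two mutexes could be created and callers would end up serialising on different locks. The function body extends beyond the hunk on both sides.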
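Review bot: The comment moved into `wifi_wps_disable_internal` still promises that no timer will call `wps_post()` "once this function returns", which described `wps_delete_timer()` at its old call site in `esp_wifi_wps_disable`. In the new arrangement the protection appears to come from the caller holding the data lock together with the `s_wps_task_hdl` check in `wps_post`, so a callback already in flight can still reach `wps_post()` and gets `ESP_FAIL` there. Suggested wording: `/* Delete all WPS timers. A callback already in flight may still call wps_post(); it fails there once s_wps_task_hdl is NULL. */`. In builds without `USE_WPS_TASK` this function is presumably reached without the data lock, so that path is worth checking for the same race.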