From 009a1eba7c0fd935acee9e54d848cfc156d5f937 Mon Sep 17 00:00:00 2001
From: zhanghongyu <zhanghongyu@xiaomi.com>
Date: Mon, 18 Dec 2023 11:33:08 +0800
Subject: [PATCH] bcmf_driver: add ioctl_mutex to restrict ioctl from reentrant

avoiding resource race conditions

Signed-off-by: zhanghongyu <zhanghongyu@xiaomi.com>
---
 .../wireless/ieee80211/bcm43xxx/bcmf_driver.c | 20 +++++++------------
 .../wireless/ieee80211/bcm43xxx/bcmf_driver.h |  3 +++
 .../wireless/ieee80211/bcm43xxx/bcmf_netdev.c |  7 +++++++
 3 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/drivers/wireless/ieee80211/bcm43xxx/bcmf_driver.c b/drivers/wireless/ieee80211/bcm43xxx/bcmf_driver.c
index 3c58fedf53..879e8fc941 100644
--- a/drivers/wireless/ieee80211/bcm43xxx/bcmf_driver.c
+++ b/drivers/wireless/ieee80211/bcm43xxx/bcmf_driver.c
@@ -1143,7 +1143,6 @@ int bcmf_wl_get_interface(FAR struct bcmf_dev_s *priv, FAR struct iwreq *iwr)
 
 FAR struct bcmf_dev_s *bcmf_allocate_device(void)
 {
-  int ret;
   FAR struct bcmf_dev_s *priv;
 
   /* Allocate a bcmf device structure */
@@ -1160,25 +1159,20 @@ FAR struct bcmf_dev_s *bcmf_allocate_device(void)
 
   /* Init control frames mutex and timeout signal */
 
-  if ((ret = nxsem_init(&priv->control_mutex, 0, 1)) != OK)
-    {
-      goto exit_free_priv;
-    }
+  nxsem_init(&priv->control_mutex, 0, 1);
+  nxsem_init(&priv->control_timeout, 0, 0);
 
-  if ((ret = nxsem_init(&priv->control_timeout, 0, 0)) != OK)
-    {
-      goto exit_free_priv;
-    }
+  /* Init ioctl mutex */
+
+#ifdef CONFIG_NETDEV_IOCTL
+  nxmutex_init(&priv->ioctl_mutex);
+#endif
 
   /* Init scan timeout timer */
 
   priv->scan_status = BCMF_SCAN_DISABLED;
 
   return priv;
-
-exit_free_priv:
-  kmm_free(priv);
-  return NULL;
 }
 
 /****************************************************************************
diff --git a/drivers/wireless/ieee80211/bcm43xxx/bcmf_driver.h b/drivers/wireless/ieee80211/bcm43xxx/bcmf_driver.h
index eec2a25ada..f405ce5c68 100644
--- a/drivers/wireless/ieee80211/bcm43xxx/bcmf_driver.h
+++ b/drivers/wireless/ieee80211/bcm43xxx/bcmf_driver.h
@@ -82,6 +82,9 @@ struct bcmf_dev_s
   uint16_t control_rxdata_len; /* Received control frame out buffer length */
   FAR uint8_t *control_rxdata; /* Received control frame out buffer */
   uint32_t control_status;     /* Last received frame status */
+#ifdef CONFIG_NETDEV_IOCTL
+  mutex_t ioctl_mutex;         /* Avoid handle multiple ioctl requests */
+#endif
 
   /* AP Scan state machine.
    * During scan, control_mutex is locked to prevent control requests
diff --git a/drivers/wireless/ieee80211/bcm43xxx/bcmf_netdev.c b/drivers/wireless/ieee80211/bcm43xxx/bcmf_netdev.c
index 0c5dbe88b7..73211164fb 100644
--- a/drivers/wireless/ieee80211/bcm43xxx/bcmf_netdev.c
+++ b/drivers/wireless/ieee80211/bcm43xxx/bcmf_netdev.c
@@ -936,6 +936,11 @@ static int bcmf_ioctl(FAR struct net_driver_s *dev, int cmd,
       return -EPERM;
     }
 
+  if ((ret = nxmutex_lock(&priv->ioctl_mutex)) < 0)
+    {
+      return ret;
+    }
+
 #ifdef CONFIG_IEEE80211_BROADCOM_LOWPOWER
   bcmf_lowpower_poll(priv);
 #endif
@@ -1072,6 +1077,8 @@ static int bcmf_ioctl(FAR struct net_driver_s *dev, int cmd,
         break;
     }
 
+  nxmutex_unlock(&priv->ioctl_mutex);
+
   return ret;
 }
 #endif