From: Arend van Spriel <arend@broadcom.com>
Date: Mon, 15 Jun 2015 20:48:38 +0000 (+0200)
Subject: brcmfmac: fix double free of p2pdev interface
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=cb700df8c8a62061b573322c4d0b292a9010aa3c;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git

brcmfmac: fix double free of p2pdev interface

When freeing the driver ifp pointer it should also be removed from
the driver interface list, which is what brcmf_remove_interface()
does. Otherwise, the ifp pointer will be freed twice triggering
a kernel oops.

Fixes: f37d69a4babc ("brcmfmac: free ifp for non-netdev interface in p2p module")
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
---

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
index 2e1598f76d4b..a9ba775a24c1 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
@@ -2140,7 +2140,7 @@ static void brcmf_p2p_delete_p2pdev(struct brcmf_p2p_info *p2p,
 {
 	cfg80211_unregister_wdev(&vif->wdev);
 	p2p->bss_idx[P2PAPI_BSSCFG_DEVICE].vif = NULL;
-	kfree(vif->ifp);
+	brcmf_remove_interface(vif->ifp->drvr, vif->ifp->bssidx);
 	brcmf_free_vif(vif);
 }