brcmfmac: fix double free of p2pdev interface

When freeing the driver ifp pointer it should also be removed from
the driver interface list, which is what brcmf_remove_interface()
does. Otherwise, the ifp pointer will be freed twice triggering
a kernel oops.

Fixes: f37d69a4babc ("brcmfmac: free ifp for non-netdev interface in p2p module")
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
index 2e1598f76d4b7821c129b9cd904c43f74012cb3f..a9ba775a24c1c1eb6c17f3717e76e994d849f325 100644 (file)
--- a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
@@ -2140,7 +2140,7 @@ static void brcmf_p2p_delete_p2pdev(struct brcmf_p2p_info *p2p,
 {
        cfg80211_unregister_wdev(&vif->wdev);
        p2p->bss_idx[P2PAPI_BSSCFG_DEVICE].vif = NULL;
-       kfree(vif->ifp);
+       brcmf_remove_interface(vif->ifp->drvr, vif->ifp->bssidx);
        brcmf_free_vif(vif);
 }