From: Arend van Spriel <arend@broadcom.com>
Date: Mon, 15 Jun 2015 22:48:38 +0200
Subject: [PATCH] brcmfmac: fix double free of p2pdev interface

When freeing the driver ifp pointer it should also be removed from
the driver interface list, which is what brcmf_remove_interface()
does. Otherwise, the ifp pointer will be freed twice triggering
a kernel oops.

Fixes: f37d69a4babc ("brcmfmac: free ifp for non-netdev interface in p2p module")
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
---

--- a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
@@ -2140,7 +2140,7 @@ static void brcmf_p2p_delete_p2pdev(stru
 {
 	cfg80211_unregister_wdev(&vif->wdev);
 	p2p->bss_idx[P2PAPI_BSSCFG_DEVICE].vif = NULL;
-	kfree(vif->ifp);
+	brcmf_remove_interface(vif->ifp->drvr, vif->ifp->bssidx);
 	brcmf_free_vif(vif);
 }