[PATCH 0/2] brcmfmac: fix two regressions

[PATCH 0/2] brcmfmac: fix two regressions

[Arend van Spriel]

Here two patches that:

* fix regressions introduced in earlier v4.2 patches.

It applies to the master branch of wireless-drivers-next repository.

Arend van Spriel (2):
  brcmfmac: fix double free of p2pdev interface
  brcmfmac: make brcmf_p2p_detach() call conditional

 drivers/net/wireless/brcm80211/brcmfmac/core.c | 3 ++-
 drivers/net/wireless/brcm80211/brcmfmac/p2p.c  | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

-- 
1.9.1

[PATCH 1/2] brcmfmac: fix double free of p2pdev interface

[Arend van Spriel]

When freeing the driver ifp pointer it should also be removed from
the driver interface list, which is what brcmf_remove_interface()
does. Otherwise, the ifp pointer will be freed twice triggering
a kernel oops.

Fixes: f37d69a4babc ("brcmfmac: free ifp for non-netdev interface in p2p module")
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
---
 drivers/net/wireless/brcm80211/brcmfmac/p2p.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
index 2e1598f..a9ba775 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
@@ -2140,7 +2140,7 @@ static void brcmf_p2p_delete_p2pdev(struct brcmf_p2p_info *p2p,
 {
 	cfg80211_unregister_wdev(&vif->wdev);
 	p2p->bss_idx[P2PAPI_BSSCFG_DEVICE].vif = NULL;
-	kfree(vif->ifp);
+	brcmf_remove_interface(vif->ifp->drvr, vif->ifp->bssidx);
 	brcmf_free_vif(vif);
 }
 
-- 
1.9.1

[PATCH 2/2] brcmfmac: make brcmf_p2p_detach() call conditional

[Arend van Spriel]

During verification of error handling in brcmf_cfg80211_attach() a
null pointer dereference occurred upon calling brcmf_p2p_detach()
from brcmf_detach(). This should only be called when the
brcmf_cfg80211_attach() has succeeded.

Fixes: f7a40873d2fa ("brcmfmac: assure p2pdev is unregistered upon driver unload")
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
---
 drivers/net/wireless/brcm80211/brcmfmac/core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/core.c b/drivers/net/wireless/brcm80211/brcmfmac/core.c
index 866b818..fe9d3fb 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/core.c
@@ -1098,7 +1098,8 @@ void brcmf_detach(struct device *dev)
 
 	/* stop firmware event handling */
 	brcmf_fweh_detach(drvr);
-	brcmf_p2p_detach(&drvr->config->p2p);
+	if (drvr->config)
+		brcmf_p2p_detach(&drvr->config->p2p);
 
 	brcmf_bus_change_state(bus_if, BRCMF_BUS_DOWN);
 
-- 
1.9.1

Re: [1/2] brcmfmac: fix double free of p2pdev interface

[Kalle Valo]

> When freeing the driver ifp pointer it should also be removed from
> the driver interface list, which is what brcmf_remove_interface()
> does. Otherwise, the ifp pointer will be freed twice triggering
> a kernel oops.
> 
> Fixes: f37d69a4babc ("brcmfmac: free ifp for non-netdev interface in p2p module")
> Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
> Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
> Signed-off-by: Arend van Spriel <arend@broadcom.com>

Thanks, 2 patches applied to wireless-drivers-next.git:

cb700df8c8a6 brcmfmac: fix double free of p2pdev interface
40b503c76481 brcmfmac: make brcmf_p2p_detach() call conditional

Kalle Valo