bridge: fix use-after-free bug on bridge member free
author Felix Fietkau <nbd@nbd.name>
Wed, 4 Nov 2020 15:20:14 +0000 (16:20 +0100)
committer Felix Fietkau <nbd@nbd.name>
Thu, 5 Nov 2020 11:03:49 +0000 (12:03 +0100)
When removing the device reference, the core might free the device.
Use device_lock/unlock to keep the reference valid until it is no longer needed.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
bridge.c

index 91036d26a09cb8aa6c3c08ec918512aba51142ec..eebd8e9df98b10c3bf2be31c24f0ca21578d4a7f 100644 (file)
--- a/bridge.c
+++ b/bridge.c
@@ -447,6 +447,8 @@ bridge_free_member(struct bridge_member *bm)
                }
        }
 
+       device_lock();
+
        device_remove_user(&bm->dev);
 
        /*
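Review bot: The device_lock() call added above device_remove_user(&bm->dev) has no comment saying what it protects. The reasoning is only in the commit message (removing the device reference may let the core free the device), while the code still uses dev afterwards, as the device_set_present(dev, true) call in the next hunk shows. A short comment above device_lock() stating that dev must stay valid past device_remove_user() would keep a later cleanup from dropping the lock as redundant.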
@@ -461,6 +463,8 @@ bridge_free_member(struct bridge_member *bm)
                device_set_present(dev, true);
        }
 
+       device_unlock();
+
        free(bm);
 }
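Review bot: The device_unlock() before free(bm) only balances the device_lock() from the previous hunk if no path leaves bridge_free_member() in between. The lines between the two hunks are not shown in the diff, so please confirm there is no early return there, since one would leave the lock held. It would also help to note in a comment that dev must be treated as invalid once device_unlock() has run, so that later additions stay on the same side of the unlock as device_set_present(dev, true).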