bridge: fix use-after-free bug on bridge member free

When removing the device reference, the core might free the device. Use device_lock/unlock to keep the reference valid until it is no longer needed Signed-off-by: Felix Fietkau <nbd@nbd.name>
author: Felix Fietkau <nbd@nbd.name> 2020-11-04 16:20:14 +0100
committer: Felix Fietkau <nbd@nbd.name> 2020-11-05 12:03:49 +0100
commit: d1e8884f89111726446bdba70ef3a17f84336613 (patch)
tree: 8dc03a95007daf6348a8e026190ee9dda82453e3
parent: a56e14afa612da95cf989b13a84bdb4e93bdcfee (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/bridge.c b/bridge.c
index 91036d2..eebd8e9 100644
--- a/bridge.c
+++ b/bridge.c
@@ -447,6 +447,8 @@ bridge_free_member(struct bridge_member *bm)
 		}
 	}
 
+	device_lock();
+
 	device_remove_user(&bm->dev);
 
 	/*
@@ -461,6 +463,8 @@ bridge_free_member(struct bridge_member *bm)
 		device_set_present(dev, true);
 	}
 
+	device_unlock();
+
 	free(bm);
 }
author	Felix Fietkau <nbd@nbd.name>	2020-11-04 16:20:14 +0100
committer	Felix Fietkau <nbd@nbd.name>	2020-11-05 12:03:49 +0100
commit	d1e8884f89111726446bdba70ef3a17f84336613 (patch)
tree	8dc03a95007daf6348a8e026190ee9dda82453e3
parent	a56e14afa612da95cf989b13a84bdb4e93bdcfee (diff)