From d1e8884f89111726446bdba70ef3a17f84336613 Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Wed, 4 Nov 2020 16:20:14 +0100
Subject: bridge: fix use-after-free bug on bridge member free

When removing the device reference, the core might free the device. Use device_lock/unlock to keep the reference valid until it is no longer needed

Signed-off-by: Felix Fietkau
---
 bridge.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/bridge.c b/bridge.c
index 91036d2..eebd8e9 100644
--- a/bridge.c
+++ b/bridge.c
@@ -447,6 +447,8 @@ bridge_free_member(struct bridge_member *bm)
  }
  }
 
+ device_lock();
+
  device_remove_user(&bm->dev);
 
  /*
@@ -461,6 +463,8 @@ bridge_free_member(struct bridge_member *bm)
  device_set_present(dev, true);
  }
 
+ device_unlock();
+
  free(bm);
  }
 
-- 
cgit v1.2.3
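Review bot: The added `device_lock()` ahead of `device_remove_user(&bm->dev)` has no comment saying what it protects, and the existing block comment below it appears to begin the explanation of the present-state toggle, not the lifetime issue. Going by the commit message, the lock defers freeing the device so that the `dev` pointer passed to `device_set_present(dev, true)` in the second hunk stays valid; a comment above the lock such as `/* keep dev alive: dropping our reference may otherwise free it before the present toggle below */` would make that dependency explicit for the next person who touches this path. The code between the lock and the `device_unlock()` in the second hunk is only partly visible here, so it is worth confirming that no early return or jump sits between them and leaves the lock held. bridge_free_member begins above the first hunk.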