From: Felix Fietkau <nbd@nbd.name>
Date: Wed, 4 Nov 2020 15:20:14 +0000 (+0100)
Subject: bridge: fix use-after-free bug on bridge member free
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=d1e8884f89111726446bdba70ef3a17f84336613;p=project%2Fnetifd.git

bridge: fix use-after-free bug on bridge member free

When removing the device reference, the core might free the device.
Use device_lock/unlock to keep the reference valid until it is no longer needed

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---

diff --git a/bridge.c b/bridge.c
index 91036d2..eebd8e9 100644
--- a/bridge.c
+++ b/bridge.c
@@ -447,6 +447,8 @@ bridge_free_member(struct bridge_member *bm)
 		}
 	}
 
+	device_lock();
+
 	device_remove_user(&bm->dev);
 
 	/*
@@ -461,6 +463,8 @@ bridge_free_member(struct bridge_member *bm)
 		device_set_present(dev, true);
 	}
 
+	device_unlock();
+
 	free(bm);
 }