From 87bfde67f2504bbd649e185fc15619d769ab9b26 Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@nbd.name>
Date: Mon, 12 May 2025 12:46:12 +0200
Subject: [PATCH] ucode: ubus: fix use-after-free on deferred request reply()
 method

Hold a reference to the defer resource as long as it is still needed

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 ...er-free-on-deferred-request-reply-me.patch | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 package/utils/ucode/patches/020-ubus-fix-use-after-free-on-deferred-request-reply-me.patch

diff --git a/package/utils/ucode/patches/020-ubus-fix-use-after-free-on-deferred-request-reply-me.patch b/package/utils/ucode/patches/020-ubus-fix-use-after-free-on-deferred-request-reply-me.patch
new file mode 100644
index 00000000000..142595a5bdb
--- /dev/null
+++ b/package/utils/ucode/patches/020-ubus-fix-use-after-free-on-deferred-request-reply-me.patch
@@ -0,0 +1,27 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 12 May 2025 12:43:44 +0200
+Subject: [PATCH] ubus: fix use-after-free on deferred request reply() method
+
+Hold a reference to the defer resource as long as it is still needed
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/lib/ubus.c
++++ b/lib/ubus.c
+@@ -636,6 +636,7 @@ uc_ubus_call_user_cb(uc_ubus_deferred_t
+ 	uc_value_t *this, *func;
+ 
+ 	request_reg_get(defer->vm, defer->registry_index, &this, &func, NULL, NULL);
++	ucv_get(this);
+ 
+ 	if (ucv_is_callable(func)) {
+ 		uc_vm_stack_push(defer->vm, ucv_get(this));
+@@ -648,6 +649,7 @@ uc_ubus_call_user_cb(uc_ubus_deferred_t
+ 	}
+ 
+ 	request_reg_clear(defer->vm, defer->registry_index);
++	ucv_put(this);
+ }
+ 
+ static void