ucode: ubus: fix use-after-free on deferred request reply() method

Hold a reference to the defer resource as long as it is still needed

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 87bfde67f2504bbd649e185fc15619d769ab9b26)

1 files changed, 27 insertions, 0 deletions

diff --git a/package/utils/ucode/patches/020-ubus-fix-use-after-free-on-deferred-request-reply-me.patch b/package/utils/ucode/patches/020-ubus-fix-use-after-free-on-deferred-request-reply-me.patch
new file mode 100644
index 0000000000..142595a5bd
--- /dev/null
+++ b/package/utils/ucode/patches/020-ubus-fix-use-after-free-on-deferred-request-reply-me.patch
@@ -0,0 +1,27 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 12 May 2025 12:43:44 +0200
+Subject: [PATCH] ubus: fix use-after-free on deferred request reply() method
+
+Hold a reference to the defer resource as long as it is still needed
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/lib/ubus.c
++++ b/lib/ubus.c
+@@ -636,6 +636,7 @@ uc_ubus_call_user_cb(uc_ubus_deferred_t
+ 	uc_value_t *this, *func;
+ 
+ 	request_reg_get(defer->vm, defer->registry_index, &this, &func, NULL, NULL);
++	ucv_get(this);
+ 
+ 	if (ucv_is_callable(func)) {
+ 		uc_vm_stack_push(defer->vm, ucv_get(this));
+@@ -648,6 +649,7 @@ uc_ubus_call_user_cb(uc_ubus_deferred_t
+ 	}
+ 
+ 	request_reg_clear(defer->vm, defer->registry_index);
++	ucv_put(this);
+ }
+ 
+ static void