There are use-after-free vulnerabilities in drivers/net/usb/lan78xx.c of linux that allow attacker to crash linux kernel when LAN78XX USB device is detaching. The timer dev->stat_monitor can schedule the delayed work dev->wq and the delayed work dev->wq can also arm the dev->stat_monitor timer. When the device is detaching, the net_device will be deallocated. But the net_device private data could still be dereferenced in delayed work or timer handler. As a result, the UAF bugs will happen. Refer: https://github.com/torvalds/linux/commit/1e7417c188d0a83fb385ba2dbe35fd2563f2b6f3