From b029cf08aa43064556d0fd4fb9fa132023af6715 Mon Sep 17 00:00:00 2001
From: RainerXE <88084796+RainerXE@users.noreply.github.com>
Date: Thu, 11 Jun 2026 23:34:20 +0200
Subject: [PATCH] core/nbio: fix use-after-free of op.l in cross-thread exec

---
 core/nbio/nbio.odin | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/core/nbio/nbio.odin b/core/nbio/nbio.odin
index 703a2b4d7..69fd9d10f 100644
--- a/core/nbio/nbio.odin
+++ b/core/nbio/nbio.odin
@@ -406,13 +406,18 @@ exec :: proc(op: ^Operation, trigger_wake_up := true) {
  if op.l == &_tls_event_loop {
  _exec(op)
  } else {
- for !mpsc_enqueue(&op.l.queue, op) {
+ // Capture the loop pointer before the enqueue publishes `op`: the
+ // target loop can complete the operation and return it to the
+ // operation pool before `op.l` is re-read below, and `l` is in a
+ // raw union with the pool's free-list link.
+ l := op.l
+ for !mpsc_enqueue(&l.queue, op) {
  warn("operation queue on event loop filled up")
- wake_up(op.l)
+ wake_up(l)
  _yield()
  }
  if trigger_wake_up {
- wake_up(op.l)
+ wake_up(l)
  }
  }
  }
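Review bot: The captured `l` removes the stale read of `op.l`, but nothing in the new code marks the point after which `op` itself is off-limits. Once `mpsc_enqueue` returns true the target loop may already have recycled it, so a later edit that touches `op` after the `for` loop would reintroduce the same use-after-free. A one-line comment after the loop would pin the hand-off down, e.g. `// op now belongs to the target loop; do not dereference it past this point`. The trailing `wake_up(l)` also appears to rely on the target event loop outliving this call, which the hunk does not show; that is worth confirming and stating in the proc's doc comment. The opening lines of `exec` lie outside the hunk, so any earlier reads of `op` were not reviewed.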