Yet another case of bad syncronization or just performing operations in the wrong order. IIn this case ene_remove called when removing the device, will remove its internal allocations and everything before it actually unregisters the device. Meaning that there is a window of time where the pointers are free but the device is still accessible and so can lead to a use after free. It was also noticed that they did not clean up timers at all, so setting a timer then removing the device can lead to the timer triggering during the cleanup process, again leading to a use-after-free.