CVE-2025-21929
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 01/04/2025
Last modified: 16/04/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()

During the `rmmod` operation for the `intel_ishtp_hid` driver, a
use-after-free issue can occur in the hid_ishtp_cl_remove() function.
The function hid_ishtp_cl_deinit() is called before ishtp_hid_remove(),
which can lead to accessing freed memory or resources during the
removal process.

Call Trace:

```
? ishtp_cl_send+0x168/0x220 [intel_ishtp]
? hid_output_report+0xe3/0x150 [hid]
hid_ishtp_set_feature+0xb5/0x120 [intel_ishtp_hid]
ishtp_hid_request+0x7b/0xb0 [intel_ishtp_hid]
hid_hw_request+0x1f/0x40 [hid]
sensor_hub_set_feature+0x11f/0x190 [hid_sensor_hub]
_hid_sensor_power_state+0x147/0x1e0 [hid_sensor_trigger]
hid_sensor_runtime_resume+0x22/0x30 [hid_sensor_trigger]
sensor_hub_remove+0xa8/0xe0 [hid_sensor_hub]
hid_device_remove+0x49/0xb0 [hid]
hid_destroy_device+0x6f/0x90 [hid]
ishtp_hid_remove+0x42/0x70 [intel_ishtp_hid]
hid_ishtp_cl_remove+0x6b/0xb0 [intel_ishtp_hid]
ishtp_cl_device_remove+0x4a/0x60 [intel_ishtp]
...
```

Additionally, ishtp_hid_remove() is a HID level power off, which should
occur before the ISHTP level disconnect.

This patch resolves the issue by reordering the calls in
hid_ishtp_cl_remove(). The function ishtp_hid_remove() is now
called before hid_ishtp_cl_deinit().
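
The teardown-ordering problem described above, reduced to a user-space C model (an added illustration, not the kernel patch or driver code; every type and function name in it is hypothetical). Instead of freeing memory, the model marks the transport client as deinitialized and counts sends that arrive afterwards, each of which stands for the late `ishtp_cl_send` seen in the call trace.

```c
#include <stdio.h>

/* User-space model only; names are hypothetical, not kernel identifiers. */
enum cl_state { CL_CONNECTED, CL_DEINIT };

struct transport_client {          /* stands in for the ISHTP client */
    enum cl_state state;
    int sends_ok;                  /* reports delivered while connected */
    int sends_after_deinit;        /* each one models a use-after-free */
};

struct hid_layer {                 /* stands in for the HID device on top */
    struct transport_client *cl;
    int registered;
};

static void client_send(struct transport_client *cl)
{
    if (cl->state == CL_DEINIT)
        cl->sends_after_deinit++;  /* transport resources already released */
    else
        cl->sends_ok++;
}

/* HID-level removal: the child driver powers the sensor off on remove,
 * which issues one last feature report through the transport client. */
static void hid_layer_remove(struct hid_layer *h)
{
    if (!h->registered)
        return;
    client_send(h->cl);
    h->registered = 0;
}

/* Transport-level disconnect: the real driver releases resources here. */
static void client_deinit(struct transport_client *cl)
{
    cl->state = CL_DEINIT;
}

/* Runs one teardown. hid_first = 0 models the vulnerable order,
 * hid_first = 1 the fixed order. Returns the number of late sends and
 * stores the number of delivered reports in *delivered. */
int teardown(int hid_first, int *delivered)
{
    struct transport_client cl = { CL_CONNECTED, 0, 0 };
    struct hid_layer hid = { &cl, 1 };

    if (hid_first) { hid_layer_remove(&hid); client_deinit(&cl); }
    else           { client_deinit(&cl); hid_layer_remove(&hid); }
    *delivered = cl.sends_ok;
    return cl.sends_after_deinit;
}

int main(void)
{
    int ok;
    int late = teardown(0, &ok);
    printf("deinit first: late=%d delivered=%d\n", late, ok);
    late = teardown(1, &ok);
    printf("remove first: late=%d delivered=%d\n", late, ok);
    return 0;
}
```

In the fixed order the power-off report is also actually delivered, which matches the description's point that the HID level power off should occur before the ISHTP level disconnect.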
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.8 (including) | 6.12.19 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:* |  |  |
| cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:* |  |  |
| cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:* |  |  |
| cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:* |  |  |
| cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:* |  |  |