CVE-2025-21929

In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: Fix use-after-free issue in hidishtpcl_remove()

During the rmmod operation for the intel_ishtp_hid driver, a use-after-free issue can occur in the hidishtpclremove() function. The function hidishtpcldeinit() is called before ishtphidremove(), which can lead to accessing freed memory or resources during the removal process.

Call Trace: ? ishtpclsend+0x168/0x220 [intelishtp] ? hidoutputreport+0xe3/0x150 [hid] hidishtpsetfeature+0xb5/0x120 [intelishtphid] ishtphidrequest+0x7b/0xb0 [intelishtphid] hidhwrequest+0x1f/0x40 [hid] sensorhubsetfeature+0x11f/0x190 [hidsensorhub] hidsensorpowerstate+0x147/0x1e0 [hidsensortrigger] hidsensorruntimeresume+0x22/0x30 [hidsensortrigger] sensorhubremove+0xa8/0xe0 [hidsensorhub] hiddeviceremove+0x49/0xb0 [hid] hiddestroydevice+0x6f/0x90 [hid] ishtphidremove+0x42/0x70 [intelishtphid] hidishtpclremove+0x6b/0xb0 [intelishtphid] ishtpcldeviceremove+0x4a/0x60 [intel_ishtp] ...

Additionally, ishtphidremove() is a HID level power off, which should occur before the ISHTP level disconnect.

This patch resolves the issue by reordering the calls in hidishtpclremove(). The function ishtphidremove() is now called before hidishtpcldeinit().