HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

JIRA: https://issues.redhat.com/browse/RHEL-94431
Upstream status: v6.15

commit 07583a0
Author: Zhang Lixu <lixu.zhang@intel.com>
Date:   Tue Feb 18 14:37:30 2025 +0800

    HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

    The system can experience a random crash a few minutes after the driver is
    removed. This issue occurs due to improper handling of memory freeing in
    the ishtp_hid_remove() function.

    The function currently frees the `driver_data` directly within the loop
    that destroys the HID devices, which can lead to accessing freed memory.
    Specifically, `hid_destroy_device()` uses `driver_data` when it calls
    `hid_ishtp_set_feature()` to power off the sensor, so freeing
    `driver_data` beforehand can result in accessing invalid memory.

    This patch resolves the issue by storing the `driver_data` in a temporary
    variable before calling `hid_destroy_device()`, and then freeing the
    `driver_data` after the device is destroyed.

    Fixes: 0b28cb4 ("HID: intel-ish-hid: ISH HID client driver")
    Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
    Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.com>

Signed-off-by: Tony Camuso <tcamuso@redhat.com>

Author: camuso

drivers/hid/intel-ish-hid/ishtp-hid.c

@@ -261,12 +261,14 @@ int ishtp_hid_probe(unsigned int cur_hid_dev,
  */
 void ishtp_hid_remove(struct ishtp_cl_data *client_data)
 {
+	void *data;
 	int i;
 
 	for (i = 0; i < client_data->num_hid_devices; ++i) {
 		if (client_data->hid_sensor_hubs[i]) {
-			kfree(client_data->hid_sensor_hubs[i]->driver_data);
+			data = client_data->hid_sensor_hubs[i]->driver_data;
 			hid_destroy_device(client_data->hid_sensor_hubs[i]);
+			kfree(data);
 			client_data->hid_sensor_hubs[i] = NULL;
 		}
 	}