platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver

After unbinding the driver, another kthread `cros_ec_console_log_work` is still accessing the device, resulting an UAF and crash. The driver doesn't unregister the EC device in .remove() which should shutdown sub-devices synchronously. Fix it. Fixes: 26a14267aff2 ("platform/chrome: Add ChromeOS EC ISHTP driver") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20251031033900.3577394-1-tzungbi@kernel.org Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
author: Tzung-Bi Shih <tzungbi@kernel.org> 2025-10-31 03:39:00 +0000
committer: Tzung-Bi Shih <tzungbi@kernel.org> 2025-11-10 06:29:54 +0000
commit: 944edca81e7aea15f83cf9a13a6ab67f711e8abd (patch)
tree: b151072a0cc00335c91c4b9dde15873408b66815
parent: c862381bd03ad4d999e0f1b3f8d1119ed7aa2e96 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/platform/chrome/cros_ec_ishtp.c b/drivers/platform/chrome/cros_ec_ishtp.c
index 4e74e702c5a2..3766cef81fe8 100644
--- a/drivers/platform/chrome/cros_ec_ishtp.c
+++ b/drivers/platform/chrome/cros_ec_ishtp.c
@@ -667,6 +667,7 @@ static void cros_ec_ishtp_remove(struct ishtp_cl_device *cl_device)
 
 	cancel_work_sync(&client_data->work_ishtp_reset);
 	cancel_work_sync(&client_data->work_ec_evt);
+	cros_ec_unregister(client_data->ec_dev);
 	cros_ish_deinit(cros_ish_cl);
 	ishtp_put_device(cl_device);
 }
author	Tzung-Bi Shih <tzungbi@kernel.org>	2025-10-31 03:39:00 +0000
committer	Tzung-Bi Shih <tzungbi@kernel.org>	2025-11-10 06:29:54 +0000
commit	944edca81e7aea15f83cf9a13a6ab67f711e8abd (patch)
tree	b151072a0cc00335c91c4b9dde15873408b66815
parent	c862381bd03ad4d999e0f1b3f8d1119ed7aa2e96 (diff)