From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
To:
Reply-to: ,
Subject: CVE-2023-52840: Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

The put_device() calls rmi_release_function() which frees "fn" so the
dereference on the next line "fn->num_of_irqs" is a use after free.
Move the put_device() to the end to fix this.

The Linux kernel CVE team has assigned CVE-2023-52840 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 4.18 with commit 24d28e4f1271 and fixed in 4.19.299 with commit 2f236d8638f5
	Issue introduced in 4.18 with commit 24d28e4f1271 and fixed in 5.4.261 with commit 50d122536661
	Issue introduced in 4.18 with commit 24d28e4f1271 and fixed in 5.10.201 with commit 6c71e065befb
	Issue introduced in 4.18 with commit 24d28e4f1271 and fixed in 5.15.139 with commit 303766bb92c5
	Issue introduced in 4.18 with commit 24d28e4f1271 and fixed in 6.1.63 with commit 7082b1fb5321
	Issue introduced in 4.18 with commit 24d28e4f1271 and fixed in 6.5.12 with commit cc56c4d17721
	Issue introduced in 4.18 with commit 24d28e4f1271 and fixed in 6.6.2 with commit c8e639f5743c
	Issue introduced in 4.18 with commit 24d28e4f1271 and fixed in 6.7 with commit eb988e46da2e

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52840
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/input/rmi4/rmi_bus.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/2f236d8638f5b43e0c72919a6a27fe286c32053f
	https://git.kernel.org/stable/c/50d12253666195a14c6cd2b81c376e2dbeedbdff
	https://git.kernel.org/stable/c/6c71e065befb2fae8f1461559b940c04e1071bd5
	https://git.kernel.org/stable/c/303766bb92c5c225cf40f9bbbe7e29749406e2f2
	https://git.kernel.org/stable/c/7082b1fb5321037bc11ba1cf2d7ed23c6b2b521f
	https://git.kernel.org/stable/c/cc56c4d17721dcb10ad4e9c9266e449be1462683
	https://git.kernel.org/stable/c/c8e639f5743cf4b01f8c65e0df075fe4d782b585
	https://git.kernel.org/stable/c/eb988e46da2e4eae89f5337e047ce372fe33d5b1
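
The ordering problem from the Description, as an added user-space C model (not the kernel's code): the struct, the helper names and the other_refs parameter are assumptions, and the release step sets a flag instead of freeing so that a read after release can be counted. It goes beyond the text by also showing that the stale read only occurs when the put drops the last reference.

```c
#include <stdio.h>

/* User-space model of the ordering bug; every name here is a hypothetical
 * stand-in, and "release" marks the object instead of calling kfree(). */
struct fn_model {
    int refcount;
    int released;      /* 1 once the release callback has run */
    int num_of_irqs;
    int irq_mapped[4]; /* 1 while a mapping is still held */
};

struct result { int stale_reads; int disposed; };

/* Role of put_device(): drop one reference, release on the last one. */
static void model_put(struct fn_model *fn)
{
    if (--fn->refcount == 0)
        fn->released = 1;  /* role of rmi_release_function() freeing fn */
}

/* The read of fn->num_of_irqs goes through here so that a read after
 * release is counted (in the kernel this read is the use after free). */
static int read_num_irqs(const struct fn_model *fn, struct result *r)
{
    if (fn->released) { r->stale_reads++; return 0; }
    return fn->num_of_irqs;
}

/* put_first=1: put before the IRQ loop; put_first=0: put moved to the end. */
struct result unregister_model(int put_first, int other_refs)
{
    struct fn_model fn = { 1 + other_refs, 0, 3, {1, 1, 1, 0} };
    struct result r = { 0, 0 };
    int n;

    if (put_first) model_put(&fn);
    n = read_num_irqs(&fn, &r);
    for (int i = 0; i < n; i++) { fn.irq_mapped[i] = 0; r.disposed++; }
    if (!put_first) model_put(&fn);
    return r;
}

int main(void)
{
    struct result a = unregister_model(1, 0), b = unregister_model(1, 1),
                  c = unregister_model(0, 0);
    printf("put first, last ref:  stale=%d disposed=%d\n", a.stale_reads, a.disposed);
    printf("put first, other ref: stale=%d disposed=%d\n", b.stale_reads, b.disposed);
    printf("put last,  last ref:  stale=%d disposed=%d\n", c.stale_reads, c.disposed);
    return 0;
}
```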