From 0afe1074cac8a1f28242538df1c2afa90512fb44 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Feb 15 2016 13:28:02 +0000 Subject: CVE-2016-2384 double free in usb-audio from invalid USB descriptor (rhbz 1308444 1308445) --- diff --git a/ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch b/ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch new file mode 100644 index 0000000..c59d683 --- /dev/null +++ b/ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch @@ -0,0 +1,34 @@ +From 07d86ca93db7e5cdf4743564d98292042ec21af7 Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov +Date: Sat, 13 Feb 2016 11:08:06 +0300 +Subject: [PATCH] ALSA: usb-audio: avoid freeing umidi object twice + +The 'umidi' object will be free'd on the error path by snd_usbmidi_free() +when tearing down the rawmidi interface. So we shouldn't try to free it +in snd_usbmidi_create() after having registered the rawmidi interface. + +Found by KASAN. + +Signed-off-by: Andrey Konovalov +Acked-by: Clemens Ladisch +Cc: +Signed-off-by: Takashi Iwai +--- + sound/usb/midi.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/sound/usb/midi.c b/sound/usb/midi.c +index cc39f63299ef..007cf5831121 100644 +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -2455,7 +2455,6 @@ int snd_usbmidi_create(struct snd_card *card, + else + err = snd_usbmidi_create_endpoints(umidi, endpoints); + if (err < 0) { +- snd_usbmidi_free(umidi); + return err; + } + +-- +2.5.0 + diff --git a/kernel.spec b/kernel.spec index 6295bac..c44620b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -699,6 +699,9 @@ Patch647: rtlwifi-fix-memory-leak-for-USB-device.patch #CVE-2016-0617 rhbz 1305803 1305804 Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch +#CVE-2016-2384 rhbz 1308444 1308445 +Patch649: ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch + # END OF PATCH DEFINITIONS %endif 
@@ -2142,6 +2145,9 @@ fi # # %changelog +* Mon Feb 15 2016 Josh Boyer +- CVE-2016-2384 double free in usb-audio from invalid USB descriptor (rhbz 1308444 1308445) + * Tue Feb 09 2016 Josh Boyer - CVE-2016-0617 fix hugetlbfs inode.c issues (rhbz 1305803 1305804)
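Review bot: in the embedded midi.c hunk (`@@ -2455,7 +2455,6 @@`), dropping `snd_usbmidi_free(umidi);` is only safe for error returns that happen after the rawmidi interface has been registered, which is exactly what the commit message claims ("free'd on the error path by snd_usbmidi_free() when tearing down the rawmidi interface"); please confirm that no earlier failure inside snd_usbmidi_create() still reaches this `if (err < 0)` without the rawmidi private_free hook in place, since for such a path the change would turn a double free into a leak rather than fix it. Two smaller points on the same file: the remaining `if (err < 0) { return err; }` is now a single-statement block, so the braces could go, and the `+Cc:` trailer line in the patch header carries no address and should be restored or removed before this is carried as a backport.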
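Review bot: in the kernel.spec patch-definition hunk (`@@ -699,6 +699,9 @@`), `Patch649` is added with the same `#CVE-... rhbz ...` comment convention as `Patch648`, but the diff shows no corresponding apply line for it; if patches in this block are applied automatically up to `# END OF PATCH DEFINITIONS` this is fine, otherwise the new patch is declared but never applied to the tree. The diff also shows no release or build-id increment, so verify that the rebuild that ships this CVE fix is versioned elsewhere.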