From 735bb1170100e71eed6c54a8c2c87942df01f864 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Thu, 14 Apr 2016 14:40:16 +0200
Subject: kernel-ALSA: CVE-2016-2384

Fixes double-free in usb-audio triggered by invalid USB descriptor
(in the linux-yocto-3.14).

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2384

Reference to the upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=05dd81eafd796a5f1db09cc9fe2bff44cfd56dfe

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
---
 .../linux-yocto-3.14/ALSA-CVE-2016-2384.patch      | 40 ++++++++++++++++++++++
 recipes-kernel/linux/linux-yocto_3.14.bbappend     |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-yocto-3.14/ALSA-CVE-2016-2384.patch

diff --git a/recipes-kernel/linux/linux-yocto-3.14/ALSA-CVE-2016-2384.patch b/recipes-kernel/linux/linux-yocto-3.14/ALSA-CVE-2016-2384.patch
new file mode 100644
index 0000000..5846c4f
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto-3.14/ALSA-CVE-2016-2384.patch
@@ -0,0 +1,40 @@
+From 05dd81eafd796a5f1db09cc9fe2bff44cfd56dfe Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@gmail.com>
+Date: Sat, 13 Feb 2016 11:08:06 +0300
+Subject: ALSA: usb-audio: avoid freeing umidi object twice
+
+commit 07d86ca93db7e5cdf4743564d98292042ec21af7 upstream.
+
+The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
+when tearing down the rawmidi interface. So we shouldn't try to free it
+in snd_usbmidi_create() after having registered the rawmidi interface.
+
+Found by KASAN.
+
+CVE: CVE-2016-2384
+Upstream-Status: Backport
+
+Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
+Acked-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ sound/usb/midi.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/usb/midi.c b/sound/usb/midi.c
+index 9123fc5..424c1e8 100644
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -2365,7 +2365,6 @@ int snd_usbmidi_create(struct snd_card *card,
+ 	else
+ 		err = snd_usbmidi_create_endpoints(umidi, endpoints);
+ 	if (err < 0) {
+-		snd_usbmidi_free(umidi);
+ 		return err;
+ 	}
+ 
+-- 
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index 54a092d..bc3a24f 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -27,4 +27,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
             file://ipc-CVE-2015-7613.patch \
             file://net-unix-CVE-2013-7446.patch \
             file://ALSA-CVE-2016-2546.patch \
+            file://ALSA-CVE-2016-2384.patch \
            "
-- 
cgit v1.2.3-54-g00ecf