CVE-2016-2384 double free in usb-audio from invalid USB descriptor (rhbz 1308444 1308445)

ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch

@@ -0,0 +1,34 @@
+From 07d86ca93db7e5cdf4743564d98292042ec21af7 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@gmail.com>
+Date: Sat, 13 Feb 2016 11:08:06 +0300
+Subject: [PATCH] ALSA: usb-audio: avoid freeing umidi object twice
+
+The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
+when tearing down the rawmidi interface. So we shouldn't try to free it
+in snd_usbmidi_create() after having registered the rawmidi interface.
+
+Found by KASAN.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
+Acked-by: Clemens Ladisch <clemens@ladisch.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/midi.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/usb/midi.c b/sound/usb/midi.c
+index cc39f63299ef..007cf5831121 100644
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -2455,7 +2455,6 @@ int snd_usbmidi_create(struct snd_card *card,
+ 	else
+ 		err = snd_usbmidi_create_endpoints(umidi, endpoints);
+ 	if (err < 0) {
+-		snd_usbmidi_free(umidi);
+ 		return err;
+ 	}
+ 
+-- 
+2.5.0
+

kernel.spec

@@ -631,6 +631,9 @@ Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
 #CVE-2016-0617 rhbz 1305803 1305804
 Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
 
+#CVE-2016-2384 rhbz 1308444 1308445
+Patch649: ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2074,6 +2077,9 @@ fi
 #
 # 
 %changelog
+* Mon Feb 15 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-2384 double free in usb-audio from invalid USB descriptor (rhbz 1308444 1308445)
+
 * Fri Feb 12 2016 Laura Abbott <labbott@fedoraproject.org>
 - Turn off W+X warnings (rhbz 1306885)