ALSA: usb-audio: avoid freeing umidi object twice (CVE-2016-XXXX)

debian/changelog

@@ -12,6 +12,7 @@ linux (4.4.1-1) UNRELEASED; urgency=medium
     (regression in 4.4, 4.3.4)
   * bpf: fix branch offset adjustment on backjumps after patching ctx expansion
     (CVE-2016-XXXX)
+  * ALSA: usb-audio: avoid freeing umidi object twice (CVE-2016-XXXX)
 
   [ Roger Shimizu ]
   * Enable TTY_PRINTK as module (Closes: #814540).

debian/patches/bugfix/all/alsa-usb-audio-avoid-freeing-umidi-object-twice.patch

@@ -0,0 +1,31 @@
+From: Andrey Konovalov <andreyknvl@gmail.com>
+Date: Sat, 13 Feb 2016 11:08:06 +0300
+Subject: ALSA: usb-audio: avoid freeing umidi object twice
+Origin: https://git.kernel.org/linus/07d86ca93db7e5cdf4743564d98292042ec21af7
+
+The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
+when tearing down the rawmidi interface. So we shouldn't try to free it
+in snd_usbmidi_create() after having registered the rawmidi interface.
+
+Found by KASAN.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
+Acked-by: Clemens Ladisch <clemens@ladisch.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/midi.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/usb/midi.c b/sound/usb/midi.c
+index cc39f63299ef..007cf5831121 100644
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -2455,7 +2455,6 @@ int snd_usbmidi_create(struct snd_card *card,
+ 	else
+ 		err = snd_usbmidi_create_endpoints(umidi, endpoints);
+ 	if (err < 0) {
+-		snd_usbmidi_free(umidi);
+ 		return err;
+ 	}
+ 

debian/patches/series

@@ -123,3 +123,4 @@ bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
 bugfix/all/revert-workqueue-make-sure-delayed-work-run-in-local-cpu.patch
 bugfix/all/af_unix-don-t-set-err-in-unix_stream_read_generic-unless-there-was-an-error.patch
 bugfix/all/bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
+bugfix/all/alsa-usb-audio-avoid-freeing-umidi-object-twice.patch