From 38b8a3439be1727edbc3360c1ca0281da020a44d Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 16 Feb 2016 16:18:55 +0100
Subject: [PATCH] Fix CVE-2016-2391: usb: ohci avoid multiple eof timers

---
 ...1-usb-ohci-avoid-multiple-eof-timers.patch | 40 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch

diff --git a/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch b/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
new file mode 100644
index 0000000..923c5a5
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
@@ -0,0 +1,40 @@
+From f2575bbcfe89deabe1f8eab306854d35d7418537 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 16 Feb 2016 15:34:14 +0530
+Subject: [PATCH] usb: ohci avoid multiple eof timers
+
+When transitioning an OHCI controller to the OHCI_USB_OPERATIONAL
+state, it creates an eof timer object in 'ohci_bus_start'.
+It does not check if one already exists. This results in memory
+leakage and null dereference issue. Add a check to avoid it.
+
+Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/usb/hcd-ohci.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 7d65818..15f0b44 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -1331,11 +1331,11 @@ static void ohci_frame_boundary(void *opaque)
+  */
+ static int ohci_bus_start(OHCIState *ohci)
+ {
+-    ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
+-                    ohci_frame_boundary,
+-                    ohci);
+-
+-    if (ohci->eof_timer == NULL) {
++    if (!ohci->eof_timer) {
++        ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
++                                        ohci_frame_boundary, ohci);
++    }
++    if (!ohci->eof_timer) {
+         trace_usb_ohci_bus_eof_timer_failed(ohci->name);
+         ohci_die(ohci);
+         return 0;
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index e109baa..47b2b01 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -51,3 +51,4 @@ extra/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch
 extra/CVE-2016-1981-e1000-eliminate-infinite-loop.patch
 extra/CVE-2016-2197-ahci-null-pointer.patch
 extra/CVE-2016-2198-ehci-null-pointer.patch
+extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
-- 
2.39.2