untrusted comment: signature from openbsd 6.1 base secret key
RWQEQa33SgQSEswegK0xk2A85Po4l4IwwYVbBMV/ZFPn+6B4hPHpmBf8CM1E9P/U0yLarzX60Oh6G2u7fCA0xBcdVnkhVRTgxwk=
OpenBSD 6.1 errata 015, August 3, 2017:
Use-after-free can occur related to SIGIO in two drivers.
Apply by doing:
signify -Vep /etc/signify/openbsd-61-base.pub -x 015_sigio.patch.sig \
-m - | (cd /usr/src && patch -p0)
And then rebuild and install a new kernel:
KK=`sysctl -n kern.osversion | cut -d# -f1`
cd /usr/src/sys/arch/`machine`/compile/$KK
make obj
make config
make
make install
Index: sys/dev/midi.c
===================================================================
RCS file: /cvs/src/sys/dev/midi.c,v
--- sys/dev/midi.c 3 Jan 2017 06:39:44 -0000 1.42
+++ sys/dev/midi.c 19 Jul 2017 22:23:54 -0000 1.43
@@ -97,8 +97,6 @@ midi_iintr(void *addr, int data)
 wakeup(&sc->rchan);
 }
 selwakeup(&sc->rsel);
- if (sc->async)
- psignal(sc->async, SIGIO);
 }
 }
@@ -206,8 +204,6 @@ midi_out_stop(struct midi_softc *sc)
 wakeup(&sc->wchan);
 }
 selwakeup(&sc->wsel);
- if (sc->async)
- psignal(sc->async, SIGIO);
 }
 void
@@ -427,20 +423,9 @@ midiioctl(dev_t dev, u_long cmd, caddr_t
 case FIONBIO:
 /* All handled in the upper FS layer */
 break;
- case FIOASYNC:
- if (*(int *)addr) {
- if (sc->async) {
- error = EBUSY;
- goto done;
- }
- sc->async = p;
- } else
- sc->async = 0;
- break;
 default:
 error = ENOTTY;
 }
-done:
 device_unref(&sc->dev);
 return error;
 }
@@ -463,7 +448,6 @@ midiopen(dev_t dev, int flags, int mode,
 MIDIBUF_INIT(&sc->outbuf);
 sc->isbusy = 0;
 sc->rchan = sc->wchan = 0;
- sc->async = 0;
 sc->flags = flags;
 error = sc->hw_if->open(sc->hw_hdl, flags, midi_iintr, midi_ointr, sc);
 if (error)
Index: sys/dev/usb/uhid.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/uhid.c,v
--- sys/dev/usb/uhid.c 8 Apr 2017 02:57:25 -0000 1.67
+++ sys/dev/usb/uhid.c 20 Jul 2017 16:54:45 -0000 1.68
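Review bot: With the `case FIOASYNC:` block gone from midiioctl, an FIOASYNC request now falls into `default:` and returns ENOTTY, but nothing at the switch records that SIGIO delivery was removed deliberately, so a later contributor may reintroduce exactly the pattern this errata takes out — a bare `struct proc *` parked in the softc and signalled from the interrupt path, which dangles as soon as that process exits. A one-line comment beside `case FIONBIO:` would pin that down: `/* FIOASYNC is intentionally unsupported: the softc cannot safely hold a process pointer */`. The same comment belongs at `case FIONBIO:` in the uhid_do_ioctl hunk of sys/dev/usb/uhid.c, where FIOASYNC and TIOCSPGRP are removed for the same reason. The `done:` label removal itself is sound: `device_unref(&sc->dev)` is still reached on every path, as `goto done` was the only jump to it and it went away too. midiioctl begins before this hunk.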
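Review bot: The midiopen hunk stops initialising `sc->async`, but no hunk in this patch deletes the member itself, unlike sys/dev/usb/uhid.c, whose first hunk removes `sc_async` from `struct uhid_softc`. If `struct midi_softc` still declares `async` in its header (that file is not part of this patch), it becomes a never-written field that keeps a `struct proc *` slot around for someone to reuse; removing it as uhid.c does would let the compiler flag any leftover reference. Until then a comment on the member, `/* unused: SIGIO support removed by errata 015 */`, would make the intent visible. midiopen continues outside the hunk.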
@@ -75,7 +75,6 @@ struct uhid_softc {
 struct clist sc_q;
 struct selinfo sc_rsel;
- struct process *sc_async; /* process that wants SIGIO */
 u_char sc_state; /* driver state */
 #define UHID_ASLP 0x01 /* waiting for device data */
@@ -198,10 +197,6 @@ uhid_intr(struct uhidev *addr, void *dat
 wakeup(&sc->sc_q);
 }
 selwakeup(&sc->sc_rsel);
- if (sc->sc_async != NULL) {
- DPRINTFN(3, ("uhid_intr: sending SIGIO %p\n", sc->sc_async));
- prsignal(sc->sc_async, SIGIO);
- }
 }
 int
@@ -228,7 +223,6 @@ uhidopen(dev_t dev, int flag, int mode,
 clalloc(&sc->sc_q, UHID_BSIZE, 0);
 sc->sc_obuf = malloc(sc->sc_hdev.sc_osize, M_USBDEV, M_WAITOK);
- sc->sc_async = NULL;
 return (0);
 }
@@ -244,7 +238,6 @@ uhidclose(dev_t dev, int flag, int mode,
 clfree(&sc->sc_q);
 free(sc->sc_obuf, M_USBDEV, 0);
- sc->sc_async = NULL;
 uhidev_close(&sc->sc_hdev);
 return (0);
@@ -367,24 +360,6 @@ uhid_do_ioctl(struct uhid_softc *sc, u_l
 switch (cmd) {
 case FIONBIO:
 /* All handled in the upper FS layer. */
- break;
-
- case FIOASYNC:
- if (*(int *)addr) {
- if (sc->sc_async != NULL)
- return (EBUSY);
- sc->sc_async = p->p_p;
- DPRINTF(("uhid_do_ioctl: FIOASYNC %p\n", p));
- } else
- sc->sc_async = NULL;
- break;
-
- /* XXX this is not the most general solution. */
- case TIOCSPGRP:
- if (sc->sc_async == NULL)
- return (EINVAL);
- if (*(int *)addr != sc->sc_async->ps_pgid)
- return (EPERM);
 break;
 case USB_GET_DEVICEINFO: