untrusted comment: signature from openbsd 6.0 base secret key

untrusted comment: signature from openbsd 6.0 base secret key
RWSho3oKSqgLQ0Y5LwhaZH3c8OR9Xuv0EA/fqm0Oq+DX/EqooxCbX6MKedhyLERxSoN25oRiSTN2g/UXlcpZxjfYYkHvSlWxOAQ=

OpenBSD 6.0 errata 029, August 3, 2017:

Use-after-free can occur related to SIGIO in two drivers.

Apply by doing:
signify -Vep /etc/signify/openbsd-60-base.pub -x 029_sigio.patch.sig \
-m - | (cd /usr/src && patch -p0)

And then rebuild and install a new kernel:
cd /usr/src/sys/arch/`machine`/conf
KK=`sysctl -n kern.osversion | cut -d# -f1`
config $KK
cd ../compile/$KK
make
make install

Index: sys/dev/midi.c
===================================================================
RCS file: /cvs/src/sys/dev/midi.c,v
--- sys/dev/midi.c 22 May 2015 12:52:00 -0000 1.40
+++ sys/dev/midi.c 2 Aug 2017 16:24:57 -0000
@@ -98,8 +98,6 @@ midi_iintr(void *addr, int data)
wakeup(&sc->rchan);
}
selwakeup(&sc->rsel);
- if (sc->async)
- psignal(sc->async, SIGIO);
}
}

@@ -208,8 +206,6 @@ midi_out_stop(struct midi_softc *sc)
wakeup(&sc->wchan);
}
selwakeup(&sc->wsel);
- if (sc->async)
- psignal(sc->async, SIGIO);
}

void
@@ -431,20 +427,9 @@ midiioctl(dev_t dev, u_long cmd, caddr_t
case FIONBIO:
/* All handled in the upper FS layer */
break;
- case FIOASYNC:
- if (*(int *)addr) {
- if (sc->async) {
- error = EBUSY;
- goto done;
- }
- sc->async = p;
- } else
- sc->async = 0;
- break;
default:
error = ENOTTY;
}
-done:
device_unref(&sc->dev);
return error;
}
@@ -467,7 +452,6 @@ midiopen(dev_t dev, int flags, int mode,
MIDIBUF_INIT(&sc->outbuf);
sc->isbusy = 0;
sc->rchan = sc->wchan = 0;
- sc->async = 0;
sc->flags = flags;
error = sc->hw_if->open(sc->hw_hdl, flags, midi_iintr, midi_ointr, sc);
if (error)
Index: sys/dev/usb/uhid.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/uhid.c,v
--- sys/dev/usb/uhid.c 24 May 2016 05:35:01 -0000 1.66
+++ sys/dev/usb/uhid.c 1 Aug 2017 21:55:02 -0000 1.66.6.1
@@ -75,7 +75,6 @@ struct uhid_softc {

struct clist sc_q;
struct selinfo sc_rsel;
- struct process *sc_async; /* process that wants SIGIO */
u_char sc_state; /* driver state */
#define UHID_ASLP 0x01 /* waiting for device data */

@@ -198,10 +197,6 @@ uhid_intr(struct uhidev *addr, void *dat
wakeup(&sc->sc_q);
}
selwakeup(&sc->sc_rsel);
- if (sc->sc_async != NULL) {
- DPRINTFN(3, ("uhid_intr: sending SIGIO %p\n", sc->sc_async));
- prsignal(sc->sc_async, SIGIO);
- }
}

int
@@ -228,7 +223,6 @@ uhidopen(dev_t dev, int flag, int mode,
clalloc(&sc->sc_q, UHID_BSIZE, 0);

sc->sc_obuf = malloc(sc->sc_hdev.sc_osize, M_USBDEV, M_WAITOK);
- sc->sc_async = NULL;

return (0);
}
@@ -244,7 +238,6 @@ uhidclose(dev_t dev, int flag, int mode,

clfree(&sc->sc_q);
free(sc->sc_obuf, M_USBDEV, 0);
- sc->sc_async = NULL;
uhidev_close(&sc->sc_hdev);

return (0);
@@ -367,24 +360,6 @@ uhid_do_ioctl(struct uhid_softc *sc, u_l
switch (cmd) {
case FIONBIO:
/* All handled in the upper FS layer. */
- break;
-
- case FIOASYNC:
- if (*(int *)addr) {
- if (sc->sc_async != NULL)
- return (EBUSY);
- sc->sc_async = p->p_p;
- DPRINTF(("uhid_do_ioctl: FIOASYNC %p\n", p));
- } else
- sc->sc_async = NULL;
- break;
-
- /* XXX this is not the most general solution. */
- case TIOCSPGRP:
- if (sc->sc_async == NULL)
- return (EINVAL);
- if (*(int *)addr != sc->sc_async->ps_pgid)
- return (EPERM);
break;

case USB_GET_DEVICEINFO: