--- /dev/null
+From c6b39f070722ea9963ffe756bfe94e89218c5e63 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Mon, 20 Apr 2020 13:35:28 +0800
+Subject: apparmor: Fix aa_label refcnt leak in policy_update
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit c6b39f070722ea9963ffe756bfe94e89218c5e63 upstream.
+
+policy_update() invokes begin_current_label_crit_section(), which
+returns a reference of the updated aa_label object to "label" with
+increased refcount.
+
+When policy_update() returns, "label" becomes invalid, so the refcount
+should be decreased to keep refcount balanced.
+
+The reference counting issue happens in one exception handling path of
+policy_update(). When aa_may_manage_policy() returns not NULL, the
+refcnt increased by begin_current_label_crit_section() is not decreased,
+causing a refcnt leak.
+
+Fix this issue by jumping to "end_section" label when
+aa_may_manage_policy() returns not NULL.
+
+Fixes: 5ac8c355ae00 ("apparmor: allow introspecting the loaded policy pre internal transform")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/apparmorfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -426,7 +426,7 @@ static ssize_t policy_update(u32 mask, c
+ */
+ error = aa_may_manage_policy(label, ns, mask);
+ if (error)
+- return error;
++ goto end_section;
+
+ data = aa_simple_write_to_buffer(buf, size, size, pos);
+ error = PTR_ERR(data);
+@@ -434,6 +434,7 @@ static ssize_t policy_update(u32 mask, c
+ error = aa_replace_profiles(ns, label, mask, data);
+ aa_put_loaddata(data);
+ }
++end_section:
+ end_current_label_crit_section(label);
+
+ return error;
--- /dev/null
+From 3a5fd0dbd87853f8bd2ea275a5b3b41d6686e761 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sat, 16 May 2020 23:42:05 +0200
+Subject: dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 3a5fd0dbd87853f8bd2ea275a5b3b41d6686e761 upstream.
+
+Commit b53611fb1ce9 ("dmaengine: tegra210-adma: Fix crash during probe")
+has moved some code in the probe function and reordered the error handling
+path accordingly.
+However, a goto has been missed.
+
+Fix it and goto the right label if 'dma_async_device_register()' fails, so
+that all resources are released.
+
+Fixes: b53611fb1ce9 ("dmaengine: tegra210-adma: Fix crash during probe")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20200516214205.276266-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/tegra210-adma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -793,7 +793,7 @@ static int tegra_adma_probe(struct platf
+ ret = dma_async_device_register(&tdma->dma_dev);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "ADMA registration failed: %d\n", ret);
+- goto irq_dispose;
++ goto rpm_put;
+ }
+
+ ret = of_dma_controller_register(pdev->dev.of_node,
projects / thirdparty / kernel / stable-queue.git / commitdiff
