From 0a258f6398d5c1c05a046c845365ec5fd9e5545e Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Fri, 13 Sep 2019 22:24:23 -0700
Subject: [PATCH] apparmor: reduce rcu_read_lock scope for aa_file_perm
 mediation

References: bnc#1158765
Patch-mainline: v5.5-rc1
Git-commit: bce4e7e9c45ef97ac1e30b9cb4adc25b5b5a7cfa

Now that the buffer allocation has changed and the full mediation no
longer needs to run under an rcu_read_lock, reduce the rcu_read_lock
scope to only where it is necessary.

Fixes: df323337e507 ("apparmor: Use a memory pool instead per-CPU caches")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Mel Gorman <mgorman@suse.de>
---
 security/apparmor/file.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index 2ca31b9c7eb4..e2d087bc5d23 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -617,7 +617,8 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
 	fctx = file_ctx(file);
 
 	rcu_read_lock();
-	flabel  = rcu_dereference(fctx->label);
+	flabel  = aa_get_newest_label(rcu_dereference(fctx->label));
+	rcu_read_unlock();
 	AA_BUG(!flabel);
 
 	/* revalidate access, if task is unconfined, or the cached cred
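Review bot: The counted reference from `aa_get_newest_label()` is taken before the revalidation test that the following comment introduces, so every call appears to pay an atomic get/put on the file's label, even when the cached decision would have sufficed. The test itself is outside the hunk, so this is inferred. Consider keeping the plain `rcu_dereference()` for that test and taking the reference only on the path that continues to full mediation. The name also suggests the helper can return a replacement label rather than the pointer stored in `fctx->label`, so confirm the later comparison is meant to run against the newest label and not the cached one. Either way, the ownership change deserves a comment at the assignment, for example `/* flabel is a counted reference from here on; dropped at done: */`. The body of aa_file_perm continues outside this hunk.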
@@ -642,8 +643,7 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
 		error = __file_sock_perm(op, label, flabel, file, request,
 					 denied);
 done:
-	rcu_read_unlock();
-
+	aa_put_label(flabel);
 	return error;
 }
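Review bot: `aa_put_label(flabel)` at `done:` balances the new get only if every exit taken after the get passes through `done:`. The lines between the two hunks are not shown, so check for any direct `return` there, which would now leak one label reference per call where it previously only left the RCU read section unbalanced. The mediation helpers, including the visible `__file_sock_perm()`, now run outside the RCU read section and rely solely on this reference to keep `flabel` alive, so they must not store the pointer beyond the call without taking their own reference. A short comment above the put, such as `/* pairs with aa_get_newest_label() above */`, would make the pairing visible to the next person who adds an exit path.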