Comment 0 for bug 1883962

Mauricio Faria de Oliveira (mfo) wrote :

[Impact]

 * Users of the Crypto (user-space) API (i.e., AF_ALG)
   can trigger refcount errors in AppArmor under high
   load (might lead to memory leak or use after free.)

 * There is a reference leak in AppArmor when af_alg_accept()
   calls security_sock_graft() and then security_sk_clone().

 * Both acquire a reference to a label, to assign it to the
   same pointer, but the latter does not release the former's
   acquired reference (before overwriting the pointer value.)

 * This reference leak builds up over time, and under high
   load can eventually overflow/underflow/saturate refcount,
   depending on which value it has when a program hits that.

 * The fix just checks if the pointer has an assigned label,
   then releases its acquired reference.

[Test Case]

 * See comment # for the test-case 'aa-refcnt-af_alg.c'.

 * Exercise that code path indefinitely until it hits
   the refcount_t overflow/underflow/saturate message.
   (in a few hours.)

 * It's possible to monitor refcount values with kprobes.

[Other Info]

 * Patch applied upstream on v5.8-rc1 [1]
 * Applied on Unstable (tag Ubuntu-5.8-5.8.0-0.1)
 * Not required on Groovy (still 5.4; should sync from Unstable)
 * Not required on Eoan (EOL date before SRU cycle release date)
 * Required on Bionic and Focal.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=3b646abc5bc6c0df649daea4c2c976bd4d47e4c8
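The reference-leak pattern described in the comment above (a pointer assigned twice with a reference taken each time but only one released at teardown, eventually saturating the counter), as an added user-space model. This is not the kernel's AppArmor code, the upstream fix, or the reporter's `aa-refcnt-af_alg.c` test case: the `aa_label`/`sk_security` structs, the `graft_step`/`clone_step_*` functions and the tiny `REFCOUNT_SATURATED` limit are all constructed here so the leak and the fix can be compared in a few thousand iterations instead of hours.

```c
#include <stdio.h>

/* Toy saturating refcount. The real refcount_t saturates near 2^31 and
 * warns; the limit here is deliberately tiny so the model hits it quickly. */
#define REFCOUNT_SATURATED 1000

struct aa_label {                /* stand-in for a refcounted AppArmor label */
    long refcount;
    int saturated;               /* set once the counter is clamped */
};

struct sk_security {             /* stand-in for the per-socket security context */
    struct aa_label *label;
};

static struct aa_label *aa_get_label(struct aa_label *l)
{
    if (l->refcount >= REFCOUNT_SATURATED)
        l->saturated = 1;        /* refcount_t would WARN and stick here */
    else
        l->refcount++;
    return l;
}

static void aa_put_label(struct aa_label *l)
{
    if (!l || l->saturated)      /* a saturated counter never drops back */
        return;
    l->refcount--;
}

/* af_alg_accept() first grafts the listener's label onto the new socket... */
static void graft_step(struct sk_security *ctx, struct aa_label *parent)
{
    ctx->label = aa_get_label(parent);
}

/* ...then clones it. Pre-fix behaviour: overwrite the pointer, release nothing. */
static void clone_step_leaky(struct sk_security *ctx, struct aa_label *parent)
{
    ctx->label = aa_get_label(parent);
}

/* Fixed behaviour as the bug describes it: if a label is already assigned,
 * release that reference before taking the new one. */
static void clone_step_fixed(struct sk_security *ctx, struct aa_label *parent)
{
    if (ctx->label)
        aa_put_label(ctx->label);
    ctx->label = aa_get_label(parent);
}

/* Run n accept cycles against one listener label (which holds its own
 * reference). Each accepted socket is torn down afterwards and releases the
 * single reference it is supposed to hold. Returns the references left over
 * beyond the listener's own, and reports saturation through *saturated. */
long leaked_after(long n, int fixed, int *saturated)
{
    struct aa_label parent = { 1, 0 };
    for (long i = 0; i < n; i++) {
        struct sk_security ctx = { NULL };
        graft_step(&ctx, &parent);
        if (fixed)
            clone_step_fixed(&ctx, &parent);
        else
            clone_step_leaky(&ctx, &parent);
        aa_put_label(ctx.label);     /* socket freed */
    }
    if (saturated)
        *saturated = parent.saturated;
    return parent.refcount - 1;
}

/* Convenience wrapper: does the leaky path saturate within n cycles? */
int leaky_saturates_after(long n)
{
    int sat = 0;
    leaked_after(n, 0, &sat);
    return sat;
}

int main(void)
{
    printf("leaky, 10 cycles: %ld references leaked\n", leaked_after(10, 0, NULL));
    printf("fixed, 10 cycles: %ld references leaked\n", leaked_after(10, 1, NULL));
    printf("leaky, 5000 cycles: saturated=%d\n", leaky_saturates_after(5000));
    return 0;
}
```

With the leaky clone step every accept cycle nets one extra reference, so the count climbs by one per accepted socket until it saturates; with the check in place each cycle returns the counter to where it started. In a real kernel the matching signal is the `refcount_t` overflow/underflow/saturate warning the comment mentions, which is the thing to watch for in dmesg when soaking an AF_ALG-heavy workload.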