Merge tag 'selinux-pr-20200621' of git://git.kernel.org/pub/scm/linux/kernel/git...

Pull SELinux fixes from Paul Moore:
 "Three small patches to fix problems in the SELinux code, all found via
  clang.

  Two patches fix potential double-free conditions and one fixes an
  undefined return value"

* tag 'selinux-pr-20200621' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: fix undefined return of cond_evaluate_expr
  selinux: fix a double free in cond_read_node()/cond_read_list()
  selinux: fix double free

diff --combined security/selinux/ss/conditional.c
index da94a1b,7a92b02..0cc7cdd
--- 1/security/selinux/ss/conditional.c
--- 2/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@@ -27,6 -27,9 +27,9 @@@ static int cond_evaluate_expr(struct po
        int s[COND_EXPR_MAXDEPTH];
        int sp = -1;
  
+       if (expr->len == 0)
+               return -1;
+ 
        for (i = 0; i < expr->len; i++) {
                struct cond_expr_node *node = &expr->nodes[i];
  
@@@ -392,27 -395,19 +395,19 @@@ static int cond_read_node(struct policy
  
                rc = next_entry(buf, fp, sizeof(u32) * 2);
                if (rc)
-                       goto err;
+                       return rc;
  
                expr->expr_type = le32_to_cpu(buf[0]);
                expr->bool = le32_to_cpu(buf[1]);
  
-               if (!expr_node_isvalid(p, expr)) {
-                       rc = -EINVAL;
-                       goto err;
-               }
+               if (!expr_node_isvalid(p, expr))
+                       return -EINVAL;
        }
  
        rc = cond_read_av_list(p, fp, &node->true_list, NULL);
        if (rc)
-               goto err;
-       rc = cond_read_av_list(p, fp, &node->false_list, &node->true_list);
-       if (rc)
-               goto err;
-       return 0;
- err:
-       cond_node_destroy(node);
-       return rc;
+               return rc;
+       return cond_read_av_list(p, fp, &node->false_list, &node->true_list);
  }
  
  int cond_read_list(struct policydb *p, void *fp)
@@@ -429,7 -424,7 +424,7 @@@
  
        p->cond_list = kcalloc(len, sizeof(*p->cond_list), GFP_KERNEL);
        if (!p->cond_list)
 -              return rc;
 +              return -ENOMEM;
  
        rc = avtab_alloc(&(p->te_cond_avtab), p->te_avtab.nel);
        if (rc)