diff --git a/SOURCES/0001-tabrmd-options-fix-memory-leak.patch b/SOURCES/0001-tabrmd-options-fix-memory-leak.patch
new file mode 100644
index 0000000..e8c5ec1
--- /dev/null
+++ b/SOURCES/0001-tabrmd-options-fix-memory-leak.patch
@@ -0,0 +1,211 @@
+From ff90674fd801dd369231a20c47ebef0d08402e9e Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Tue, 12 Jan 2021 14:12:48 -0600
+Subject: [PATCH 1/6] tabrmd-options: fix memory leak
+
+The tabrmd_options_t structure is initialized with static char *
+strings. These strings can be replaced by g_option_context_parse().
+However, g_option_context_parse() replaces the string with allocated
+memory and thus needs a call to g_free. Either one would need to keep
+track if glib allocated the string and conditionally free it, or just
+set all the strings to glib allocated strings. This patch takes the
+approach of always allocating the option strings.
+
+Fixes leaks like:
+==2677142==ERROR: LeakSanitizer: detected memory leaks
+
+Direct leak of 9 byte(s) in 1 object(s) allocated from:
+    #8 0x7fbd1acd5da1 in g_option_context_parse (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5eda1)
+    #9 0x4cc438 in parse_opts /home/wcrobert/workspace/tpm2-abrmd/src/tabrmd-options.c:103:10
+    #10 0x4c7ffe in main /home/wcrobert/workspace/tpm2-abrmd/src/tabrmd.c:41:10
+    #11 0x7fbd1a8770b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
+    #12 0x42004d in _start (/home/wcrobert/workspace/tpm2-abrmd/src/tpm2-abrmd+0x42004d)
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ src/tabrmd-init.c    |  2 ++
+ src/tabrmd-options.c | 53 +++++++++++++++++++++++++++++++++++++++-----
+ src/tabrmd-options.h | 11 +++++----
+ src/tabrmd.c         |  4 +++-
+ 4 files changed, 59 insertions(+), 11 deletions(-)
+
+diff --git a/src/tabrmd-init.c b/src/tabrmd-init.c
+index 2ad7539..58e0103 100644
+--- a/src/tabrmd-init.c
++++ b/src/tabrmd-init.c
+@@ -99,6 +99,8 @@ gmain_data_cleanup (gmain_data_t *data)
+     if (data->loop != NULL) {
+         main_loop_quit (data->loop);
+     }
++
++    tabrmd_options_free(&data->options);
+ }
+ /*
+  * This function initializes and configures all of the long-lived objects
+diff --git a/src/tabrmd-options.c b/src/tabrmd-options.c
+index 0dd7b87..22f249c 100644
+--- a/src/tabrmd-options.c
++++ b/src/tabrmd-options.c
+@@ -16,6 +16,12 @@
+ #define G_OPTION_FLAG_NONE 0
+ #endif
+ 
++#define SET_STR_IF_NULL(var, value) \
++    do { \
++        var = var == NULL ? g_strdup(value) : var; \
++        g_assert(var); \
++    } while(0)
++
+ /*
+  * This is a GOptionArgFunc callback invoked from the GOption processor from
+  * the parse_opts function below. It will be called when the daemon is
+@@ -36,6 +42,22 @@ show_version (const gchar  *option_name,
+     g_print ("tpm2-abrmd version %s\n", VERSION);
+     exit (0);
+ }
++
++/**
++ * Frees internal memory associated with a tabrmd_options_t struct.
++ * @param opts
++ *  The options to free, note it doesn't free opts itself.
++ */
++void
++tabrmd_options_free(tabrmd_options_t *opts)
++{
++    g_assert(opts);
++
++    g_clear_pointer(&opts->dbus_name, g_free);
++    g_clear_pointer(&opts->prng_seed_file, g_free);
++    g_clear_pointer(&opts->tcti_conf, g_free);
++}
++
+ /**
+  * This function parses the parameter argument vector and populates the
+  * parameter 'options' structure with data needed to configure the tabrmd.
+@@ -51,7 +73,7 @@ parse_opts (gint argc,
+             gchar *argv[],
+             tabrmd_options_t *options)
+ {
+-    gchar *logger_name = "stdout";
++    gchar *logger_name = NULL;
+     GOptionContext *ctx;
+     GError *err = NULL;
+     gboolean session_bus = FALSE;
+@@ -105,33 +127,52 @@ parse_opts (gint argc,
+         return FALSE;
+     }
+     g_option_context_free (ctx);
++
++    /*
++     * Set unset STRING options to defaults, we do this so we can free allocated
++     * string options with gfree, having a mix of const and allocated ptr's
++     * causes leaks
++     */
++    SET_STR_IF_NULL(options->dbus_name, TABRMD_DBUS_NAME_DEFAULT);
++    SET_STR_IF_NULL(options->prng_seed_file, TABRMD_ENTROPY_SRC_DEFAULT);
++    SET_STR_IF_NULL(options->tcti_conf, TABRMD_TCTI_CONF_DEFAULT);
++    SET_STR_IF_NULL(logger_name, "stdout");
++
+     /* select the bus type, default to G_BUS_TYPE_SESSION */
+     options->bus = session_bus ? G_BUS_TYPE_SESSION : G_BUS_TYPE_SYSTEM;
+-    if (set_logger (logger_name) == -1) {
++    gint ret = set_logger (logger_name);
++    if (ret == -1) {
+         g_critical ("Unknown logger: %s, try --help\n", logger_name);
+-        return FALSE;
++        g_free(logger_name);
++        goto error;
+     }
++    g_free(logger_name);
++
+     if (options->max_connections < 1 ||
+         options->max_connections > TABRMD_CONNECTION_MAX)
+     {
+         g_critical ("maximum number of connections must be between 1 "
+                     "and %d", TABRMD_CONNECTION_MAX);
+-        return FALSE;
++        goto error;
+     }
+     if (options->max_sessions < 1 ||
+         options->max_sessions > TABRMD_SESSIONS_MAX_DEFAULT)
+     {
+         g_critical ("max-sessions must be between 1 and %d",
+                     TABRMD_SESSIONS_MAX_DEFAULT);
+-        return FALSE;
++        goto error;
+     }
+     if (options->max_transients < 1 ||
+         options->max_transients > TABRMD_TRANSIENT_MAX)
+     {
+         g_critical ("max-trans-obj parameter must be between 1 and %d",
+                     TABRMD_TRANSIENT_MAX);
+-        return FALSE;
++        goto error;
+     }
+     g_warning ("tcti_conf after: \"%s\"", options->tcti_conf);
+     return TRUE;
++
++error:
++    tabrmd_options_free(options);
++    return FALSE;
+ }
+diff --git a/src/tabrmd-options.h b/src/tabrmd-options.h
+index 4994920..d6bcfe9 100644
+--- a/src/tabrmd-options.h
++++ b/src/tabrmd-options.h
+@@ -15,10 +15,10 @@
+     .max_connections = TABRMD_CONNECTIONS_MAX_DEFAULT, \
+     .max_transients = TABRMD_TRANSIENT_MAX_DEFAULT, \
+     .max_sessions = TABRMD_SESSIONS_MAX_DEFAULT, \
+-    .dbus_name = TABRMD_DBUS_NAME_DEFAULT, \
+-    .prng_seed_file = TABRMD_ENTROPY_SRC_DEFAULT, \
++    .dbus_name = NULL, \
++    .prng_seed_file = NULL, \
+     .allow_root = FALSE, \
+-    .tcti_conf = TABRMD_TCTI_CONF_DEFAULT, \
++    .tcti_conf = NULL, \
+ }
+ 
+ typedef struct tabrmd_options {
+@@ -28,7 +28,7 @@ typedef struct tabrmd_options {
+     guint           max_transients;
+     guint           max_sessions;
+     gchar          *dbus_name;
+-    const gchar    *prng_seed_file;
++    gchar          *prng_seed_file;
+     gboolean        allow_root;
+     gchar          *tcti_conf;
+ } tabrmd_options_t;
+@@ -38,4 +38,7 @@ parse_opts (gint argc,
+             gchar *argv[],
+             tabrmd_options_t *options);
+ 
++void
++tabrmd_options_free(tabrmd_options_t *opts);
++
+ #endif /* TABRMD_OPTIONS_H */
+diff --git a/src/tabrmd.c b/src/tabrmd.c
+index 7c93e90..e015de3 100644
+--- a/src/tabrmd.c
++++ b/src/tabrmd.c
+@@ -43,7 +43,8 @@ main (int argc, char *argv[])
+     }
+     if (geteuid() == 0 && ! gmain_data.options.allow_root) {
+         g_print ("Refusing to run as root. Pass --allow-root if you know what you are doing.\n");
+-        return 1;
++        ret = 1;
++        goto out;
+     }
+ 
+     g_mutex_init (&gmain_data.init_mutex);
+@@ -63,6 +64,7 @@ main (int argc, char *argv[])
+     if (ret == 0 && gmain_data.ipc_disconnected) {
+         ret = EX_IOERR;
+     }
++out:
+     gmain_data_cleanup (&gmain_data);
+     return ret;
+ }
+-- 
+2.34.3
+
diff --git a/SOURCES/0002-resource-manager-rm-ref-count-inc-of-handle_entry.patch b/SOURCES/0002-resource-manager-rm-ref-count-inc-of-handle_entry.patch
new file mode 100644
index 0000000..4d473ca
--- /dev/null
+++ b/SOURCES/0002-resource-manager-rm-ref-count-inc-of-handle_entry.patch
@@ -0,0 +1,49 @@
+From ec7116d0e4de535a90c1dc5edabe821f04a0f8e0 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Wed, 13 Jan 2021 12:21:47 -0600
+Subject: [PATCH 2/6] resource-manager: rm ref count inc of handle_entry
+
+Per:
+  - https://developer.gnome.org/gobject/stable/gobject-memory.html
+
+g_object_new sets the ref count to 1, so their is no need to bump it
+again, we already have ownership.
+
+Fixes leaks like:
+Direct leak of 10480 byte(s) in 2 object(s) allocated from:
+    #0 0x7f1aa88aabc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
+    #1 0x7f1aa848acd8 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57cd8)
+    #2 0x7f1aa84a32c5 in g_slice_alloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x702c5)
+    #3 0x7f1aa84a38ed in g_slice_alloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x708ed)
+    #4 0x7f1aa85970cf in g_type_create_instance (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x3b0cf)
+    #5 0x7f1aa857634c  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x1a34c)
+    #6 0x7f1aa8578377 in g_object_new_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x1c377)
+    #7 0x7f1aa85786cc in g_object_new (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x1c6cc)
+    #8 0x561e13d667d3 in handle_map_entry_new src/handle-map-entry.c:138
+    #9 0x561e13d540d3 in create_context_mapping_transient src/resource-manager.c:1160
+    #10 0x561e13d547b1 in resource_manager_create_context_mapping src/resource-manager.c:1261
+    #11 0x561e13d54ec8 in resource_manager_process_tpm2_command src/resource-manager.c:1359
+    #12 0x561e13d55365 in resource_manager_thread src/resource-manager.c:1424
+    #13 0x7f1aa8384608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
+    #14 0x7f1aa82ab292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ src/resource-manager.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/resource-manager.c b/src/resource-manager.c
+index 904f683..050436f 100644
+--- a/src/resource-manager.c
++++ b/src/resource-manager.c
+@@ -1167,7 +1167,6 @@ create_context_mapping_transient (ResourceManager  *resmgr,
+     handle_map_insert (handle_map, vhandle, handle_entry);
+     g_object_unref (handle_map);
+     tpm2_response_set_handle (response, vhandle);
+-    g_object_ref (handle_entry);
+ }
+ /*
+  * This function after a Tpm2Command is sent to the TPM and:
+-- 
+2.34.3
+
diff --git a/SOURCES/0003-tabrmd-init.c-fix-leaks-on-main-to-thread-tpm2-insta.patch b/SOURCES/0003-tabrmd-init.c-fix-leaks-on-main-to-thread-tpm2-insta.patch
new file mode 100644
index 0000000..9ee33ae
--- /dev/null
+++ b/SOURCES/0003-tabrmd-init.c-fix-leaks-on-main-to-thread-tpm2-insta.patch
@@ -0,0 +1,51 @@
+From 62ae28635ada2a74b526244e8ea69cef74c6c022 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Wed, 13 Jan 2021 13:52:06 -0600
+Subject: [PATCH 3/6] tabrmd-init.c: fix leaks on main to thread tpm2 instance
+
+Theirs a case where the Tpm2 object coming in from main to the thread
+fails setup and the cleanup function doesn't unref it. Move it to the
+main cleanup routine and use g_clear_object to be *clear* on whom owns
+the reference.
+
+Fixes leaks like:
+Indirect leak of 4176 byte(s) in 1 object(s) allocated from:
+    #0 0x7f652e71cdc6 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
+    #1 0x7f652e25ad30 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57d30)
+    #2 0x555ebb1a1c5f in sapi_context_init src/tpm2.c:162
+    #3 0x555ebb1a2fa8 in tpm2_new src/tpm2.c:438
+    #4 0x555ebb19d665 in init_thread_func src/tabrmd-init.c:178
+    #5 0x555ebb19bede in init_thread_func_tpm2_init_fail test/tabrmd-init_unit.c:199
+    #6 0x7f652e6074e0  (/usr/lib/x86_64-linux-gnu/libcmocka.so.0+0x54e0)
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ src/tabrmd-init.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/tabrmd-init.c b/src/tabrmd-init.c
+index 58e0103..866c852 100644
+--- a/src/tabrmd-init.c
++++ b/src/tabrmd-init.c
+@@ -99,6 +99,9 @@ gmain_data_cleanup (gmain_data_t *data)
+     if (data->loop != NULL) {
+         main_loop_quit (data->loop);
+     }
++    if (data->tpm2) {
++        g_clear_object (&data->tpm2);
++    }
+ 
+     tabrmd_options_free(&data->options);
+ }
+@@ -208,7 +211,7 @@ init_thread_func (gpointer user_data)
+     g_clear_object (&session_list);
+     data->response_sink = response_sink_new ();
+     g_object_unref (command_attrs);
+-    g_object_unref (data->tpm2);
++    g_clear_object (&data->tpm2);
+     /*
+      * Wire up the TPM command processing pipeline. TPM command buffers
+      * flow from the CommandSource, to the Tab then finally back to the
+-- 
+2.34.3
+
diff --git a/SOURCES/0004-init_thread_func-fix-deadlock.patch b/SOURCES/0004-init_thread_func-fix-deadlock.patch
new file mode 100644
index 0000000..61afc17
--- /dev/null
+++ b/SOURCES/0004-init_thread_func-fix-deadlock.patch
@@ -0,0 +1,28 @@
+From 545287019c1b9689c92900330be058b5ab9cf5d6 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Wed, 13 Jan 2021 15:11:42 -0600
+Subject: [PATCH 4/6] init_thread_func: fix deadlock
+
+The caller locks the mutex and never releases on the error path, only
+the success path.
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ src/tabrmd-init.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/tabrmd-init.c b/src/tabrmd-init.c
+index 866c852..ea71155 100644
+--- a/src/tabrmd-init.c
++++ b/src/tabrmd-init.c
+@@ -249,6 +249,7 @@ init_thread_func (gpointer user_data)
+     return GINT_TO_POINTER (0);
+ 
+ err_out:
++    g_mutex_unlock (&data->init_mutex);
+     g_debug ("%s: calling gmain_data_cleanup", __func__);
+     gmain_data_cleanup (data);
+     return GINT_TO_POINTER (ret);
+-- 
+2.34.3
+
diff --git a/SOURCES/0005-ResourceManager-Avoid-double-free-in-resource-manage.patch b/SOURCES/0005-ResourceManager-Avoid-double-free-in-resource-manage.patch
new file mode 100644
index 0000000..f3fcfd7
--- /dev/null
+++ b/SOURCES/0005-ResourceManager-Avoid-double-free-in-resource-manage.patch
@@ -0,0 +1,30 @@
+From a97e07d5a5947f5749e4ea25d0f538eeee8997bb Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Mon, 23 Nov 2020 11:45:31 -0700
+Subject: [PATCH 5/6] ResourceManager: Avoid double free in resource-manager.c
+
+Clean up potential double free found by coverity in
+resource_manager_load_session_from_handle. If flush_session has been
+called, don't call session_list_remove which is already called in
+flush_session.
+
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+---
+ src/resource-manager.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/resource-manager.c b/src/resource-manager.c
+index 050436f..556184b 100644
+--- a/src/resource-manager.c
++++ b/src/resource-manager.c
+@@ -239,6 +239,7 @@ resource_manager_load_session_from_handle (ResourceManager *resmgr,
+         rc = tpm2_response_get_code (response);
+         if (rc != TSS2_RC_SUCCESS) {
+             flush_session (resmgr, session_entry);
++            goto out;
+         }
+     }
+     if (will_flush) {
+-- 
+2.34.3
+
diff --git a/SOURCES/0006-tcti-initialize-GError-to-NULL.patch b/SOURCES/0006-tcti-initialize-GError-to-NULL.patch
new file mode 100644
index 0000000..947001c
--- /dev/null
+++ b/SOURCES/0006-tcti-initialize-GError-to-NULL.patch
@@ -0,0 +1,40 @@
+From a645f8c656b47568072351f4bfa58960016fbbac Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss@ledger.fr>
+Date: Mon, 27 Sep 2021 16:46:42 +0200
+Subject: [PATCH 6/6] tcti: initialize GError to NULL
+
+When an error happens in `tcti_tabrmd_read`, Glib reports:
+
+    (process:905338): GLib-WARNING **: 06:59:08.971: GError set over the
+    top of a previous GError or uninitialized memory.
+    This indicates a bug in someone's code. You must ensure an error is
+    NULL before it's set.
+    The overwriting error message was: Error receiving data: Connection
+    reset by peer
+
+This warning was reported on
+https://github.com/tpm2-software/tpm2-pkcs11/issues/705
+
+Fix the warning by initializing `error` correctly.
+
+Signed-off-by: Nicolas Iooss <nicolas.iooss@ledger.fr>
+---
+ src/tcti-tabrmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tcti-tabrmd.c b/src/tcti-tabrmd.c
+index d96709e..d0ab74d 100644
+--- a/src/tcti-tabrmd.c
++++ b/src/tcti-tabrmd.c
+@@ -187,7 +187,7 @@ tcti_tabrmd_read (TSS2_TCTI_TABRMD_CONTEXT *ctx,
+                   size_t size,
+                   int32_t timeout)
+ {
+-    GError *error;
++    GError *error = NULL;
+     ssize_t num_read;
+     int ret;
+ 
+-- 
+2.34.3
+
diff --git a/SPECS/tpm2-abrmd.spec b/SPECS/tpm2-abrmd.spec
index 793fe66..c723509 100644
--- a/SPECS/tpm2-abrmd.spec
+++ b/SPECS/tpm2-abrmd.spec
@@ -2,7 +2,7 @@
 
 Name: tpm2-abrmd
 Version: 2.3.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: A system daemon implementing TPM2 Access Broker and Resource Manager
 
 License: BSD
@@ -21,6 +21,13 @@ BuildRequires: pkgconfig(tss2-sys)
 # tpm2-abrmd depends on tpm2-tss-devel for tss2-mu/sys libs
 BuildRequires: tpm2-tss-devel >= 2.3.1-2%{?dist}
 
+Patch0: 0001-tabrmd-options-fix-memory-leak.patch
+Patch1: 0002-resource-manager-rm-ref-count-inc-of-handle_entry.patch
+Patch2: 0003-tabrmd-init.c-fix-leaks-on-main-to-thread-tpm2-insta.patch
+Patch3: 0004-init_thread_func-fix-deadlock.patch
+Patch4: 0005-ResourceManager-Avoid-double-free-in-resource-manage.patch
+Patch5: 0006-tcti-initialize-GError-to-NULL.patch
+
 # tpm2-abrmd depends on the package that contains its SELinux policy module
 Requires: (%{name}-selinux >= 2.0.0-1%{?dist} if selinux-policy-%{selinuxtype})
 
@@ -90,6 +97,10 @@ required to build applications that use tpm2-abrmd.
 %systemd_postun tpm2-abrmd.service
 
 %changelog
+* Thu Aug 11 2022 Štěpán Horáček <shoracek@redhat.com> - 2.3.3-3
+- Fix memory leaks and double free
+  resolves: rhbz#2041912
+
 * Mon Nov 23 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.3-2
 - Update tpm2-tss-devel BuildRequires
 resolves: rhbz#1855177