From: GONG Ruiqi <gongruiqi1@huawei.com>
Date: Thu, 23 Apr 2026 03:10:56 +0000 (+0800)
Subject: apparmor/lsm: Fix aa_dfa_unpack's error handling in aa_setup_dfa_engine
X-Git-Tag: v7.1-rc1~32^2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=11b7df0952663f20ce72c9a22a3cf9278cf84db7;p=thirdparty%2Flinux.git

apparmor/lsm: Fix aa_dfa_unpack's error handling in aa_setup_dfa_engine

aa_dfa_unpack returns ERR_PTR not NULL when it fails, but aa_put_dfa
only checks NULL for its input, which would cause invalid memory access
in aa_put_dfa. Set nulldfa to NULL explicitly to fix that.

Fixes: 98b824ff8984 ("apparmor: refcount the pdb")
Signed-off-by: GONG Ruiqi <gongruiqi1@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
---

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 467f7ac476aa..3491e9f60194 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -2456,6 +2456,7 @@ static int __init aa_setup_dfa_engine(void)
 			    TO_ACCEPT2_FLAG(YYTD_DATA32));
 	if (IS_ERR(nulldfa)) {
 		error = PTR_ERR(nulldfa);
+		nulldfa = NULL;
 		goto fail;
 	}
 	nullpdb->dfa = aa_get_dfa(nulldfa);