[apparmor] [PATCH] apparmor: return -ENOMEM in unpack_perms_table upon alloc failure

John Johansen john.johansen at canonical.com
Sun Jan 18 07:53:40 UTC 2026


On 1/14/26 09:42, Zygmunt Krynicki wrote:
> W dniu 13.01.2026 o 18:35 Ryan Lee pisze:
>> In policy_unpack.c:unpack_perms_table, the perms struct is allocated via
>> kcalloc, with the position being reset if the allocation fails. However,
>> the error path results in -EPROTO being returned instead of -ENOMEM. Fix
>> this to return the correct error code.
>>
>> Reported-by: Zygmunt Krynicki <zygmunt.krynicki at canonical.com>
>> Fixes: fd1b2b95a2117 ("apparmor: add the ability for policy to specify
>> a permission table")
>> Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
>> ---
>>   security/apparmor/policy_unpack.c | 6 ++++--
>>   1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/security/apparmor/policy_unpack.c
>> b/security/apparmor/policy_unpack.c
>> index 019430225e4a..2280a8f7a843 100644
>> --- a/security/apparmor/policy_unpack.c
>> +++ b/security/apparmor/policy_unpack.c
>> @@ -700,8 +700,10 @@ static ssize_t unpack_perms_table(struct aa_ext
>> *e, struct aa_perms **perms)
>>   		if (!aa_unpack_array(e, NULL, &size))
>>   			goto fail_reset;
>>   		*perms = kcalloc(size, sizeof(struct aa_perms), GFP_KERNEL);
>> -		if (!*perms)
>> -			goto fail_reset;
>> +		if (!*perms) {
>> +			e->pos = pos;
>> +			return -ENOMEM;
>> +		}
>>   		for (i = 0; i < size; i++) {
>>   			if (!unpack_perm(e, version, &(*perms)[i]))
>>   				goto fail;
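Review bot: the inlined `e->pos = pos; return -ENOMEM;` duplicates the position reset that `fail_reset` already performs (the commit message says the position is reset on this path), so there are now two exit paths to keep in sync. A smaller change is to carry the code in a local, e.g. `ssize_t error = -EPROTO;` at the top, `error = -ENOMEM; goto fail_reset;` here, and `return error;` at `fail_reset`, so anything added to the reset path later still runs on allocation failure. `*perms` is NULL when kcalloc fails, so nothing allocated here is leaked by the early return either way. Worth confirming in the same series that the callers of unpack_perms_table propagate the negative value rather than folding every error into -EPROTO, otherwise the corrected code never reaches user space.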
>> -- 
>> 2.43.0
> 
> This looks good.
> 
> I'm unfamiliar with kernel acked protocol so I'll refrain from that.
> 
Essentially here, since you reviewed the patch you could add a
Reviewed-by: Zygmunt Krynicki <me at zygoon.pl>
like Tyler did.

You can find the tag descriptions in
Documentation/process/5.Posting.rst

search for "tags in common"
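An added example, not code from the patch or from AppArmor: a user-space C model of the error-path discipline the patch is about. The structures, the wire format (a little-endian count followed by allow/deny pairs), the bound PERMS_MAX and every helper name are invented for the example; only the shape follows unpack_perms_table: save the parse position, restore it on any failure, free what was allocated, and return -ENOMEM for allocation failure but -EPROTO for malformed input so the caller can tell the two apart. The allocator is injectable so the out-of-memory path can be exercised offline.

```c
/* Added example, not AppArmor code: user-space model of the error paths in
 * unpack_perms_table(). Names and wire format are invented for the example. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

struct ext { const uint8_t *end, *pos; };   /* stand-in for struct aa_ext */
struct perm { uint32_t allow, deny; };       /* stand-in for struct aa_perms */
#define PERMS_MAX 1024                       /* model's own bound on a table */
static int fail_alloc;                       /* test hook: force the ENOMEM path */
static void *model_calloc(size_t n, size_t sz)
{
	return fail_alloc ? NULL : calloc(n, sz);
}

/* Little-endian u32; on a short read pos is left where it was. */
static int get_u32(struct ext *e, uint32_t *out)
{
	if (e->end - e->pos < 4)
		return 0;
	*out = (uint32_t)e->pos[0] | (uint32_t)e->pos[1] << 8 |
	       (uint32_t)e->pos[2] << 16 | (uint32_t)e->pos[3] << 24;
	e->pos += 4;
	return 1;
}

/* Returns the entry count, -EPROTO for a malformed table, -ENOMEM when the
 * allocation fails. On any failure pos is restored and *perms is NULL. */
static ssize_t unpack_perms_model(struct ext *e, struct perm **perms)
{
	const uint8_t *pos = e->pos;
	ssize_t error = -EPROTO;   /* one exit path; the code travels in a local */
	uint32_t size, i;
	*perms = NULL;
	if (!get_u32(e, &size) || size > PERMS_MAX)
		goto fail_reset;       /* absurd count: malformed input, not OOM */
	*perms = model_calloc(size, sizeof(**perms));
	if (!*perms) {
		error = -ENOMEM;
		goto fail_reset;
	}
	for (i = 0; i < size; i++)
		if (!get_u32(e, &(*perms)[i].allow) || !get_u32(e, &(*perms)[i].deny))
			goto fail;
	return size;

fail:
	free(*perms);
	*perms = NULL;
fail_reset:
	e->pos = pos;
	return error;
}

/* How a caller should treat the two failure codes differently. */
static const char *classify(ssize_t ret)
{
	return ret >= 0 ? "ok"
	     : ret == -ENOMEM ? "out of memory: propagate, policy may be fine"
	     : ret == -EPROTO ? "malformed policy: reject"
	     : "unexpected error";
}

struct outcome { ssize_t ret; long consumed; int perms_null; };
static struct outcome run(const uint8_t *buf, size_t len, int force_oom)
{
	struct ext e = { buf + len, buf };
	struct perm *perms = NULL;
	struct outcome o;
	fail_alloc = force_oom;
	o.ret = unpack_perms_model(&e, &perms);
	fail_alloc = 0;
	o.consumed = (long)(e.pos - buf);     /* 0 means the position was reset */
	o.perms_null = (perms == NULL);
	free(perms);
	return o;
}

/* Constructed inputs: a valid two-entry table, and a header promising three
 * entries with only one present. */
static const uint8_t GOOD[]  = { 2,0,0,0,  1,0,0,0, 0,0,0,0,  4,0,0,0, 2,0,0,0 };
static const uint8_t TRUNC[] = { 3,0,0,0,  1,0,0,0, 0,0,0,0 };
struct outcome case_good(void)      { return run(GOOD, sizeof GOOD, 0); }
struct outcome case_truncated(void) { return run(TRUNC, sizeof TRUNC, 0); }
struct outcome case_oom(void)       { return run(GOOD, sizeof GOOD, 1); }

int main(void)
{
	struct outcome o[3] = { case_good(), case_truncated(), case_oom() };
	const char *name[3] = { "good", "truncated", "oom" };
	for (int i = 0; i < 3; i++)
		printf("%-9s ret=%ld consumed=%ld -> %s\n", name[i],
		       (long)o[i].ret, o[i].consumed, classify(o[i].ret));
	return 0;
}
```

The `error` local is the alternative to inlining the reset at the kcalloc failure site: both labels fall through to a single `e->pos = pos; return error;`, so the allocation-failure path and the protocol-error path cannot drift apart. The bound check before the allocation matters for the same distinction; without it, an attacker-chosen count that makes the allocation fail would be reported as -ENOMEM rather than as a malformed table.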
