Merge tag 'apparmor-pr-2024-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git...

Pull apparmor updates from John Johansen:
 "Cleanups
   - optimization: try to avoid refing the label in apparmor_file_open
   - remove useless static inline function is_deleted
   - use kvfree_sensitive to free data->data
   - fix typo in kernel doc

  Bug fixes:
   - unpack transition table if dfa is not present
   - test: add MODULE_DESCRIPTION()
   - take nosymfollow flag into account
   - fix possible NULL pointer dereference
   - fix null pointer deref when receiving skb during sock creation"

* tag 'apparmor-pr-2024-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: unpack transition table if dfa is not present
  apparmor: try to avoid refing the label in apparmor_file_open
  apparmor: test: add MODULE_DESCRIPTION()
  apparmor: take nosymfollow flag into account
  apparmor: fix possible NULL pointer dereference
  apparmor: fix typo in kernel doc
  apparmor: remove useless static inline function is_deleted
  apparmor: use kvfree_sensitive to free data->data
  apparmor: Fix null pointer deref when receiving skb during sock creation

diff --combined security/apparmor/lsm.c
index 16568b6d589d3111e00f78f9e245db10267957bc,242d4cf857a7bb1c8289bfd62ad4ce9b91e55320..808060f9effb73f14e4cb894db98c4e887501597
--- 1/security/apparmor/lsm.c
--- 2/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@@ -461,6 -461,7 +461,7 @@@ static int apparmor_file_open(struct fi
        struct aa_file_ctx *fctx = file_ctx(file);
        struct aa_label *label;
        int error = 0;
+       bool needput;
  
        if (!path_mediated_fs(file->f_path.dentry))
                return 0;
@@@ -477,7 -478,7 +478,7 @@@
                return 0;
        }
  
-       label = aa_get_newest_cred_label(file->f_cred);
+       label = aa_get_newest_cred_label_condref(file->f_cred, &needput);
        if (!unconfined(label)) {
                struct mnt_idmap *idmap = file_mnt_idmap(file);
                struct inode *inode = file_inode(file);
@@@ -494,7 -495,7 +495,7 @@@
                /* todo cache full allowed permissions set and state */
                fctx->allow = aa_map_file_to_perms(file);
        }
-       aa_put_label(label);
+       aa_put_label_condref(label, needput);
  
        return error;
  }
@@@ -1124,7 -1125,7 +1125,7 @@@ static int apparmor_socket_create(int f
   * @sock: socket that is being setup
   * @family: family of socket being created
   * @type: type of the socket
-  * @ptotocol: protocol of the socket
+  * @protocol: protocol of the socket
   * @kern: socket is a special kernel socket
   *
   * Note:
@@@ -1304,6 -1305,13 +1305,13 @@@ static int apparmor_socket_sock_rcv_skb
        if (!skb->secmark)
                return 0;
  
+       /*
+        * If reach here before socket_post_create hook is called, in which
+        * case label is null, drop the packet.
+        */
+       if (!ctx->label)
+               return -EACCES;
+ 
        return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE,
                                      skb->secmark, sk);
  }
@@@ -2029,7 -2037,7 +2037,7 @@@ static int __init alloc_buffers(void
  }
  
  #ifdef CONFIG_SYSCTL
 -static int apparmor_dointvec(struct ctl_table *table, int write,
 +static int apparmor_dointvec(const struct ctl_table *table, int write,
                             void *buffer, size_t *lenp, loff_t *ppos)
  {
        if (!aa_current_policy_admin_capable(NULL))
@@@ -2064,6 -2072,7 +2072,6 @@@ static struct ctl_table apparmor_sysctl
                .mode           = 0600,
                .proc_handler   = apparmor_dointvec,
        },
 -      { }
  };
  
  static int __init apparmor_init_sysctl(void)