[apparmor] [PATCH] apparmor: AA_BUG on null path mnt pointer in apparmor_file_open
Ryan Lee
ryan.lee at canonical.com
Mon Mar 10 19:42:28 UTC 2025
We aren't expecting a null path mnt pointer here, and file_mnt_idmap
dereferences it without checking for null, leading to a null pointer
dereference BUG print. Instead, explicitly check for this via AA_BUG
line in order to get more useful diagnostics.
Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
---
security/apparmor/lsm.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 45cc81234c0d..d0facedb1cfd 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -649,12 +649,23 @@ static int apparmor_file_open(struct file *file)
label = aa_get_newest_cred_label_condref(file->f_cred, &needput);
if (!unconfined(label)) {
- struct mnt_idmap *idmap = file_mnt_idmap(file);
- struct inode *inode = file_inode(file);
+ struct mnt_idmap *idmap;
+ struct inode *inode;
vfsuid_t vfsuid;
+ /* Set a dummy value to default-initialize the rest, and then
+ * write the correct value to mode once we have an inode ptr.
+ * Unfortunately, default-initializing everything with {} is
+ * only supported since C23.
+ */
struct path_cond cond = {
- .mode = inode->i_mode,
+ .mode = 0
};
+
+ AA_BUG(!(file->f_path.mnt));
+ idmap = file_mnt_idmap(file);
+ inode = file_inode(file);
+ cond.mode = inode->i_mode;
+
vfsuid = i_uid_into_vfsuid(idmap, inode);
cond.uid = vfsuid_into_kuid(vfsuid);
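Review bot: the new `AA_BUG(!(file->f_path.mnt));` does not return or bail out, so the very next line `idmap = file_mnt_idmap(file);` still dereferences the null mnt pointer; if the goal is only a clearer diagnostic before the existing crash, say so in the commit message, but if the open should instead fail gracefully when the mnt is missing, add an explicit error return after the assertion. Minor: the designated initializer `.mode = 0` already zero-fills the remaining members of `cond` under every C standard, so the comment about `{}` being C23-only is not needed and could be shortened to note that `mode` is filled in once the inode pointer is available.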
--
2.43.0
base-kernel: v6.14-rc6