diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index e23f4aadc1ff214b15a46b40eebd705a8101e46a..f280b046361e69f4c4b1575d748f852b3ce91e2b 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -181,5 +181,9 @@ static inline void aa_put_dfa(struct aa_dfa *dfa)
 
 #define MATCH_FLAG_DIFF_ENCODE 0x80000000
 #define MARK_DIFF_ENCODE 0x40000000
+#define MATCH_FLAG_OOB_TRANSITION 0x20000000
+#define MATCH_FLAGS_MASK 0xff000000
+#define MATCH_FLAGS_VALID MATCH_FLAG_DIFF_ENCODE
+#define MATCH_FLAGS_INVALID (MATCH_FLAGS_MASK & ~MATCH_FLAGS_VALID)
 
 #endif /* __AA_MATCH_H */
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 525ce22dc0e99f24cadc6879f90e2bb7e8030435..b477352305edf34c1786fde9ebe013cb10d6dd93 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -202,6 +202,10 @@ static int verify_dfa(struct aa_dfa *dfa)
 		if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) &&
 		    (DEFAULT_TABLE(dfa)[i] >= state_count))
 			goto out;
+		if (BASE_TABLE(dfa)[i] & MATCH_FLAGS_INVALID) {
+			pr_err("AppArmor DFA state with invalid match flags");
+			goto out;
+		}
 		if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
 			pr_err("AppArmor DFA next/check upper bounds error\n");
 			goto out;