From: John Johansen <john.johansen@canonical.com>
Date: Sun, 14 Jun 2026 23:16:59 +0000 (-0700)
Subject: apparmor: fix label can not be immediately before a declaration
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ed40bd525c00d22af666016af9aef7167f8085f;p=thirdparty%2Flinux.git

apparmor: fix label can not be immediately before a declaration

Fix error reported by kernel test robot

security/apparmor/policy.c:1381:2: error: a label can only be part of
a statement and a declaration is not a statement

All errors (new ones prefixed by >>):

   security/apparmor/policy.c: In function 'aa_replace_profiles':
>> security/apparmor/policy.c:1381:2: error: a label can only be part
   of a statement and a declaration is not a statement
     ssize_t udata_sz = udata->size;
     ^~~~~

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202606150525.npax8WiH-lkp@intel.com/
Fixes: 7b42f95813dc9 ("apparmor: fix potential UAF in aa_replace_profiles")
Signed-off-by: John Johansen <john.johansen@canonical.com>
---

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index b59e827747da..94b4a7e727cc 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1397,9 +1397,10 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
 	mutex_unlock(&ns->lock);
 
 out:
+	aa_put_ns(ns);
+
 	ssize_t udata_sz = udata->size;
 
-	aa_put_ns(ns);
 	aa_put_profile_loaddata(udata);
 	kfree(ns_name);