[PATCH] security: remove BUG_ON in security_skb_classify_flow
Jiayuan Chen
jiayuan.chen at linux.dev
Fri Apr 10 01:56:22 UTC 2026
On 4/10/26 8:58 AM, Serge E. Hallyn wrote:
> On Wed, Apr 08, 2026 at 07:42:57PM +0800, Jiayuan Chen wrote:
>> A BPF program attached to the xfrm_decode_session hook can return a
>> non-zero value, which causes BUG_ON(rc) in security_skb_classify_flow()
>> to trigger a kernel panic.
> It would seem worth it to have pointed at the previous discussion at
>
> https://lore.kernel.org/all/CAEjxPJ5aA01in+Z1yLF1cwe-3uqL_E8SKGK4J294D5eRG5__5Q@mail.gmail.com/
>
> Based on that, I guess this is probably ok, but still,
>
>> Remove the BUG_ON and change the return type from void to int, so that
>> callers can optionally handle the error.
> but you don't have the existing callers handling the error. It's
> conceivable they won't care, but it's also possible that they were
> counting on a BUG_ON in that case.
>
> What *should* callers (icmp_reply, etc) do if an error code is
> returned? Should they ignore it? In that case, would it be
> better to change security_skb_classify_flow() to return void?
>
Thanks for your pointer.
So I think Feng's patch is sufficient and can by applied ?
More information about the Linux-security-module-archive
mailing list