[PATCH 1/2] bpf: lsm: disable xfrm_decode_session hook attachment
Alexei Starovoitov
alexei.starovoitov at gmail.com
Tue Jun 23 03:11:04 UTC 2026
On Fri, Jun 19, 2026 at 6:03 AM Bradley Morgan <include at grrlz.net> wrote:
>
> BPF LSM programs can currently attach to xfrm_decode_session(). That
> hook may return an error, but security_skb_classify_flow() calls it
> from a void path and triggers BUG_ON() if an error is returned.
>
> Disable BPF attachment to the hook to prevent a BPF LSM program from
> turning packet classification into a full panic.
>
> Fixes: 9e4e01dfd325 ("bpf: lsm: Implement attach, detach and execution")
> Cc: stable at vger.kernel.org
> Signed-off-by: Bradley Morgan <include at grrlz.net>
> ---
> kernel/bpf/bpf_lsm.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
> index 564071a92d7d..1433809bb166 100644
> --- a/kernel/bpf/bpf_lsm.c
> +++ b/kernel/bpf/bpf_lsm.c
> @@ -51,6 +51,9 @@ BTF_ID(func, bpf_lsm_key_getsecurity)
> #ifdef CONFIG_AUDIT
> BTF_ID(func, bpf_lsm_audit_rule_match)
> #endif
> +#ifdef CONFIG_SECURITY_NETWORK_XFRM
> +BTF_ID(func, bpf_lsm_xfrm_decode_session)
> +#endif
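Review bot: the three added lines land in a BTF set whose name falls outside the hunk's visible context (only the neighbouring entries bpf_lsm_key_getsecurity and bpf_lsm_audit_rule_match are shown), and the commit message says only "disable BPF attachment", so a reviewer cannot confirm from this hunk alone that the target set is the one the attach path consults to reject a hook rather than one that merely changes how an attached program is run; name the set in the commit message. The CONFIG_SECURITY_NETWORK_XFRM guard is the right shape, since it mirrors the CONFIG_AUDIT guard immediately above and keeps BTF_ID from referencing a function that does not exist when the hook is compiled out. Since this is tagged for stable, a selftest that asserts an attach to xfrm_decode_session now fails the same way as the other entries in this set would make backports verifiable.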
Applied this fix to bpf tree.