[PATCH] security: remove BUG_ON in security_skb_classify_flow

[PATCH] security: remove BUG_ON in security_skb_classify_flow

[Jiayuan Chen]

A BPF program attached to the xfrm_decode_session hook can return a
non-zero value, which causes BUG_ON(rc) in security_skb_classify_flow()
to trigger a kernel panic.

Remove the BUG_ON and change the return type from void to int, so that
callers can optionally handle the error.

Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Dongliang Mu <dzm91@hust.edu.cn>
Closes: https://lore.kernel.org/bpf/4c4d04ba.6c12b.19c039b69e6.Coremail.kaiyanm@hust.edu.cn/
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
---
 include/linux/security.h |  7 ++++---
 security/security.c      | 16 +++++++++++-----
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index ee88dd2d2d1f..6d210dc4c649 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1975,7 +1975,7 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
 				       struct xfrm_policy *xp,
 				       const struct flowi_common *flic);
 int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid);
-void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic);
+int security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic);
 
 #else	/* CONFIG_SECURITY_NETWORK_XFRM */
 
@@ -2038,9 +2038,10 @@ static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
 	return 0;
 }
 
-static inline void security_skb_classify_flow(struct sk_buff *skb,
-					      struct flowi_common *flic)
+static inline int security_skb_classify_flow(struct sk_buff *skb,
+					     struct flowi_common *flic)
 {
+	return 0;
 }
 
 #endif	/* CONFIG_SECURITY_NETWORK_XFRM */
diff --git a/security/security.c b/security/security.c
index a26c1474e2e4..26a34eb363c2 100644
--- a/security/security.c
+++ b/security/security.c
@@ -4990,12 +4990,18 @@ int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
 	return call_int_hook(xfrm_decode_session, skb, secid, 1);
 }
 
-void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic)
+/**
+ * security_skb_classify_flow() - Set the flow's secid from the security label
+ * @skb: packet
+ * @flic: flow common structure to set
+ *
+ * Decode the packet in @skb and set the flow's secid in @flic.
+ *
+ * Return: Return 0 if successful.
+ */
+int security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic)
 {
-	int rc = call_int_hook(xfrm_decode_session, skb, &flic->flowic_secid,
-			       0);
-
-	BUG_ON(rc);
+	return call_int_hook(xfrm_decode_session, skb, &flic->flowic_secid, 0);
 }
 EXPORT_SYMBOL(security_skb_classify_flow);
 #endif	/* CONFIG_SECURITY_NETWORK_XFRM */
-- 
2.43.0

Re: [PATCH] security: remove BUG_ON in security_skb_classify_flow

[Serge E. Hallyn]

On Wed, Apr 08, 2026 at 07:42:57PM +0800, Jiayuan Chen wrote:
> A BPF program attached to the xfrm_decode_session hook can return a
> non-zero value, which causes BUG_ON(rc) in security_skb_classify_flow()
> to trigger a kernel panic.

It would seem worth it to have pointed at the previous discussion at

https://lore.kernel.org/all/CAEjxPJ5aA01in+Z1yLF1cwe-3uqL_E8SKGK4J294D5eRG5__5Q@mail.gmail.com/

Based on that, I guess this is probably ok, but still,

> Remove the BUG_ON and change the return type from void to int, so that
> callers can optionally handle the error.

but you don't have the existing callers handling the error.  It's
conceivable they won't care, but it's also possible that they were
counting on a BUG_ON in that case.

What *should* callers (icmp_reply, etc) do if an error code is
returned?  Should they ignore it?  In that case, would it be
better to change security_skb_classify_flow() to return void?

> Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
> Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
> Reported-by: Dongliang Mu <dzm91@hust.edu.cn>
> Closes: https://lore.kernel.org/bpf/4c4d04ba.6c12b.19c039b69e6.Coremail.kaiyanm@hust.edu.cn/
> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
> ---
>  include/linux/security.h |  7 ++++---
>  security/security.c      | 16 +++++++++++-----
>  2 files changed, 15 insertions(+), 8 deletions(-)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index ee88dd2d2d1f..6d210dc4c649 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1975,7 +1975,7 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
>  				       struct xfrm_policy *xp,
>  				       const struct flowi_common *flic);
>  int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid);
> -void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic);
> +int security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic);
>  
>  #else	/* CONFIG_SECURITY_NETWORK_XFRM */
>  
> @@ -2038,9 +2038,10 @@ static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
>  	return 0;
>  }
>  
> -static inline void security_skb_classify_flow(struct sk_buff *skb,
> -					      struct flowi_common *flic)
> +static inline int security_skb_classify_flow(struct sk_buff *skb,
> +					     struct flowi_common *flic)
>  {
> +	return 0;
>  }
>  
>  #endif	/* CONFIG_SECURITY_NETWORK_XFRM */
> diff --git a/security/security.c b/security/security.c
> index a26c1474e2e4..26a34eb363c2 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -4990,12 +4990,18 @@ int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
>  	return call_int_hook(xfrm_decode_session, skb, secid, 1);
>  }
>  
> -void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic)
> +/**
> + * security_skb_classify_flow() - Set the flow's secid from the security label
> + * @skb: packet
> + * @flic: flow common structure to set
> + *
> + * Decode the packet in @skb and set the flow's secid in @flic.
> + *
> + * Return: Return 0 if successful.
> + */
> +int security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic)
>  {
> -	int rc = call_int_hook(xfrm_decode_session, skb, &flic->flowic_secid,
> -			       0);
> -
> -	BUG_ON(rc);
> +	return call_int_hook(xfrm_decode_session, skb, &flic->flowic_secid, 0);
>  }
>  EXPORT_SYMBOL(security_skb_classify_flow);
>  #endif	/* CONFIG_SECURITY_NETWORK_XFRM */
> -- 
> 2.43.0

Re: [PATCH] security: remove BUG_ON in security_skb_classify_flow

[Jiayuan Chen]

On 4/10/26 8:58 AM, Serge E. Hallyn wrote:
> On Wed, Apr 08, 2026 at 07:42:57PM +0800, Jiayuan Chen wrote:
>> A BPF program attached to the xfrm_decode_session hook can return a
>> non-zero value, which causes BUG_ON(rc) in security_skb_classify_flow()
>> to trigger a kernel panic.
> It would seem worth it to have pointed at the previous discussion at
>
> https://lore.kernel.org/all/CAEjxPJ5aA01in+Z1yLF1cwe-3uqL_E8SKGK4J294D5eRG5__5Q@mail.gmail.com/
>
> Based on that, I guess this is probably ok, but still,
>
>> Remove the BUG_ON and change the return type from void to int, so that
>> callers can optionally handle the error.
> but you don't have the existing callers handling the error.  It's
> conceivable they won't care, but it's also possible that they were
> counting on a BUG_ON in that case.
>
> What *should* callers (icmp_reply, etc) do if an error code is
> returned?  Should they ignore it?  In that case, would it be
> better to change security_skb_classify_flow() to return void?
>
Thanks for your pointer.

So I think Feng's patch is sufficient and can by applied ?