From: "Serge E. Hallyn" <serge@hallyn.com>
To: Jiayuan Chen <jiayuan.chen@linux.dev>
Cc: linux-security-module@vger.kernel.org, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com,
linux-kernel@vger.kernel.org, Kaiyan Mei <M202472210@hust.edu.cn>,
Yinhao Hu <dddddd@hust.edu.cn>, Dongliang Mu <dzm91@hust.edu.cn>
Subject: Re: [PATCH] security: remove BUG_ON in security_skb_classify_flow
Date: Thu, 9 Apr 2026 19:58:40 -0500 [thread overview]
Message-ID: <adhLQDIILT/sHpzL@mail.hallyn.com> (raw)
In-Reply-To: <20260408114257.298500-1-jiayuan.chen@linux.dev>
On Wed, Apr 08, 2026 at 07:42:57PM +0800, Jiayuan Chen wrote:
> A BPF program attached to the xfrm_decode_session hook can return a
> non-zero value, which causes BUG_ON(rc) in security_skb_classify_flow()
> to trigger a kernel panic.
It would seem worth it to have pointed at the previous discussion at
https://lore.kernel.org/all/CAEjxPJ5aA01in+Z1yLF1cwe-3uqL_E8SKGK4J294D5eRG5__5Q@mail.gmail.com/
Based on that, I guess this is probably ok, but still,
> Remove the BUG_ON and change the return type from void to int, so that
> callers can optionally handle the error.
but you don't have the existing callers handling the error. It's
conceivable they won't care, but it's also possible that they were
counting on a BUG_ON in that case.
What *should* callers (icmp_reply, etc) do if an error code is
returned? Should they ignore it? In that case, would it be
better to change security_skb_classify_flow() to return void?
> Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
> Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
> Reported-by: Dongliang Mu <dzm91@hust.edu.cn>
> Closes: https://lore.kernel.org/bpf/4c4d04ba.6c12b.19c039b69e6.Coremail.kaiyanm@hust.edu.cn/
> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
> ---
> include/linux/security.h | 7 ++++---
> security/security.c | 16 +++++++++++-----
> 2 files changed, 15 insertions(+), 8 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index ee88dd2d2d1f..6d210dc4c649 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1975,7 +1975,7 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
> struct xfrm_policy *xp,
> const struct flowi_common *flic);
> int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid);
> -void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic);
> +int security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic);
>
> #else /* CONFIG_SECURITY_NETWORK_XFRM */
>
> @@ -2038,9 +2038,10 @@ static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
> return 0;
> }
>
> -static inline void security_skb_classify_flow(struct sk_buff *skb,
> - struct flowi_common *flic)
> +static inline int security_skb_classify_flow(struct sk_buff *skb,
> + struct flowi_common *flic)
> {
> + return 0;
> }
>
> #endif /* CONFIG_SECURITY_NETWORK_XFRM */
> diff --git a/security/security.c b/security/security.c
> index a26c1474e2e4..26a34eb363c2 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -4990,12 +4990,18 @@ int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
> return call_int_hook(xfrm_decode_session, skb, secid, 1);
> }
>
> -void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic)
> +/**
> + * security_skb_classify_flow() - Set the flow's secid from the security label
> + * @skb: packet
> + * @flic: flow common structure to set
> + *
> + * Decode the packet in @skb and set the flow's secid in @flic.
> + *
> + * Return: Return 0 if successful.
> + */
> +int security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic)
> {
> - int rc = call_int_hook(xfrm_decode_session, skb, &flic->flowic_secid,
> - 0);
> -
> - BUG_ON(rc);
> + return call_int_hook(xfrm_decode_session, skb, &flic->flowic_secid, 0);
> }
> EXPORT_SYMBOL(security_skb_classify_flow);
> #endif /* CONFIG_SECURITY_NETWORK_XFRM */
> --
> 2.43.0
next prev parent reply other threads:[~2026-04-10 0:58 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 11:42 [PATCH] security: remove BUG_ON in security_skb_classify_flow Jiayuan Chen
2026-04-10 0:58 ` Serge E. Hallyn [this message]
2026-04-10 1:56 ` Jiayuan Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=adhLQDIILT/sHpzL@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=M202472210@hust.edu.cn \
--cc=dddddd@hust.edu.cn \
--cc=dzm91@hust.edu.cn \
--cc=jiayuan.chen@linux.dev \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox