Re: [PATCH] lsm: Fix the crash issue in xfrm_decode_session

Next message: Kyrie Wu: "[PATCH v13 09/12] media: dt-bindings: mediatek,jpeg: Add mediatek, mt8196-jpgdec compatible"
Previous message: Jakub Kicinski: "Re: [PATCH net-next v6 1/4] ethtool: Track user-provided RSS indirection table size"
In reply to: Casey Schaufler: "Re: [PATCH] lsm: Fix the crash issue in xfrm_decode_session"
Next in thread: Casey Schaufler: "Re: [PATCH] lsm: Fix the crash issue in xfrm_decode_session"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Feng Yang

Date: Wed Mar 18 2026 - 22:25:35 EST

On Wed, 18 Mar 2026 10:09:47 -0700, Casey Schaufler wrote:
> On 3/17/2026 11:19 PM, Feng Yang wrote:
> > From: Feng Yang <yangfeng@xxxxxxxxxx>
> >
> > After hooking the following BPF program:
> > SEC("lsm/xfrm_decode_session")
> > int BPF_PROG(lsm_hook_xfrm_decode_session, struct sk_buff *skb, u32 *secid, int ckall)
> > {
> > return 1; // Any non-zero value
> > }
> > Subsequent packet transmission triggers will cause a kernel panic:

> LSM hooks that use or provide secids cannot be stacked. That is,
> you can't provide a BPF LSM hook and an SELinux LSM hook and expect
> correct behavior. Your proposed "fix" removes a legitimate check.

I'm very sorry, I didn't quite understand what you meant.

Maybe my commit message wasn't clear. I only used a BPF LSM hook without SELinux stacking enabled.

Therefore, is it the expected behavior that simply using
SEC("lsm/xfrm_decode_session")
int BPF_PROG(lsm_hook_xfrm_decode_session, struct sk_buff *skb, u32 *secid, int ckall) {
return -1;
}
would cause a kernel panic? If not, and if the BUG_ON check is still necessary,
then does it mean we need to modify the return value validation logic in the BPF
verifier to ensure that only BPF programs returning 0 are accepted for this hook?

Thanks.