Re: [PATCH 1/2] bpf: lsm: disable xfrm_decode_session hook attachment

From: Alexei Starovoitov

Date: Mon Jun 22 2026 - 23:11:46 EST


On Fri, Jun 19, 2026 at 6:03 AM Bradley Morgan <include@xxxxxxxxx> wrote:
>
> BPF LSM programs can currently attach to xfrm_decode_session(). That
> hook may return an error, but security_skb_classify_flow() calls it
> from a void path and triggers BUG_ON() if an error is returned.
>
> Disable BPF attachment to the hook to prevent a BPF LSM program from
> turning packet classification into a full panic.
>
> Fixes: 9e4e01dfd325 ("bpf: lsm: Implement attach, detach and execution")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Bradley Morgan <include@xxxxxxxxx>
> ---
> kernel/bpf/bpf_lsm.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
> index 564071a92d7d..1433809bb166 100644
> --- a/kernel/bpf/bpf_lsm.c
> +++ b/kernel/bpf/bpf_lsm.c
> @@ -51,6 +51,9 @@ BTF_ID(func, bpf_lsm_key_getsecurity)
> #ifdef CONFIG_AUDIT
> BTF_ID(func, bpf_lsm_audit_rule_match)
> #endif
> +#ifdef CONFIG_SECURITY_NETWORK_XFRM
> +BTF_ID(func, bpf_lsm_xfrm_decode_session)
> +#endif
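Review bot: the CONFIG_SECURITY_NETWORK_XFRM guard around the new BTF_ID entry is required rather than cosmetic, since the xfrm_decode_session LSM hook (and hence the bpf_lsm_xfrm_decode_session symbol) only exists when that option is set, and an unguarded entry would fail BTF ID resolution on kernels built without it; the pattern matches the adjacent CONFIG_AUDIT block, so this looks right. Two things worth adding before merge: the hunk header only shows `BTF_ID(func, bpf_lsm_key_getsecurity)` as context, so please confirm in the commit message that this entry lands in the set of hooks the verifier refuses attachment to, and consider a selftest that attempts to attach a BPF LSM program to xfrm_decode_session and asserts the attach fails, so the void-caller BUG_ON() path described in the message stays unreachable.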

Applied this fix to bpf tree.