Thread: 20 messages, 3 authors, 2026-02-27

Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check()

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: 2026-02-04 10:15:11
Also in: linux-security-module, selinux

On 2026/02/04 7:40, Paul Moore wrote:
> This is not an unusual request for such a proposed change, and
> is something that I would expect a LSM maintainer to do without much
> hesitation.  If you are unwilling to investigate this, can you explain
> why?

Because I'm not familiar with how XFRM works; I'm not a user of LSM XFRM hooks.

I can't judge whether the current code is COMPREHENSIVELY GATING;
I can't imagine what the state you call COMPREHENSIVELY GATING is.



P.S. For your investigation, I attach a new report that syzbot found today, and
I'll drop "xfrm: always fail xfrm_dev_{state,policy}_flush_secctx_check()"
because these three reports will be sufficient for people to understand that
we need to kill xfrm_dev_{state,policy}_flush_secctx_check() calls.
