[syzbot] [net?] WARNING in xfrm_state_fini (3)

[syzbot] [net?] WARNING in xfrm_state_fini (3)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    038d61fd6422 Linux 6.16
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11b88cf0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4066f1c76cfbc4fe
dashboard link: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ca1782580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140194a2580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6505c612be11/disk-038d61fd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e466ef29c1ca/vmlinux-038d61fd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b6d3d8fc5cbb/bzImage-038d61fd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 36 at net/xfrm/xfrm_state.c:3284 xfrm_state_fini+0x270/0x2f0 net/xfrm/xfrm_state.c:3284
Modules linked in:
CPU: 1 UID: 0 PID: 36 Comm: kworker/u8:2 Not tainted 6.16.0-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: netns cleanup_net
RIP: 0010:xfrm_state_fini+0x270/0x2f0 net/xfrm/xfrm_state.c:3284
Code: c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 68 fa 0b f8 48 8b 3b 5b 41 5c 41 5d 41 5e 41 5f 5d e9 56 c8 ec f7 e8 51 e8 a9 f7 90 <0f> 0b 90 e9 fd fd ff ff e8 43 e8 a9 f7 90 0f 0b 90 e9 60 fe ff ff
RSP: 0018:ffffc90000ac7898 EFLAGS: 00010293
RAX: ffffffff8a163e8f RBX: ffff888034008000 RCX: ffff888143299e00
RDX: 0000000000000000 RSI: ffffffff8db8419f RDI: ffff888143299e00
RBP: ffffc90000ac79b0 R08: ffffffff8f6196e7 R09: 1ffffffff1ec32dc
R10: dffffc0000000000 R11: fffffbfff1ec32dd R12: ffffffff8f617760
R13: 1ffff92000158f40 R14: ffff8880340094c0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888125d23000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbd9e960960 CR3: 00000000316d3000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 xfrm_net_exit+0x2d/0x70 net/xfrm/xfrm_policy.c:4348
 ops_exit_list net/core/net_namespace.c:200 [inline]
 ops_undo_list+0x49a/0x990 net/core/net_namespace.c:253
 cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)

[Hillf Danton]

> Date: Tue, 29 Jul 2025 00:08:31 -0700	[thread overview]
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    038d61fd6422 Linux 6.16
> git tree:       upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=11b88cf0580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4066f1c76cfbc4fe
> dashboard link: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ca1782580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140194a2580000

#syz test

--- x/net/xfrm/xfrm_state.c
+++ y/net/xfrm/xfrm_state.c
@@ -615,6 +615,15 @@ static void xfrm_state_gc_destroy(struct
 		put_page(x->xfrag.page);
 	xfrm_dev_state_free(x);
 	security_xfrm_state_free(x);
+	spin_lock_bh(&x->lock);
+	do {
+		struct net *net = xs_net(x);
+
+		spin_lock(&net->xfrm.xfrm_state_lock);
+		list_del_init(&x->km.all);
+		spin_unlock(&net->xfrm.xfrm_state_lock);
+	} while (0);
+	spin_unlock_bh(&x->lock);
 	xfrm_state_free(x);
 }
 
@@ -816,7 +825,7 @@ int __xfrm_state_delete(struct xfrm_stat
 		x->km.state = XFRM_STATE_DEAD;
 
 		spin_lock(&net->xfrm.xfrm_state_lock);
-		list_del(&x->km.all);
+		list_del_init(&x->km.all);
 		hlist_del_rcu(&x->bydst);
 		hlist_del_rcu(&x->bysrc);
 		if (x->km.seq)
--

Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in xfrm_state_fini

------------[ cut here ]------------
WARNING: CPU: 1 PID: 1084 at net/xfrm/xfrm_state.c:3293 xfrm_state_fini+0x270/0x2f0 net/xfrm/xfrm_state.c:3293
Modules linked in:
CPU: 1 UID: 0 PID: 1084 Comm: kworker/u8:6 Not tainted 6.16.0-syzkaller-g86aa72182095-dirty #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: netns cleanup_net
RIP: 0010:xfrm_state_fini+0x270/0x2f0 net/xfrm/xfrm_state.c:3293
Code: c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 18 dd 09 f8 48 8b 3b 5b 41 5c 41 5d 41 5e 41 5f 5d e9 06 ab ea f7 e8 31 c4 a7 f7 90 <0f> 0b 90 e9 fd fd ff ff e8 23 c4 a7 f7 90 0f 0b 90 e9 60 fe ff ff
RSP: 0018:ffffc90003a8f898 EFLAGS: 00010293
RAX: ffffffff8a17909f RBX: ffff888035c00000 RCX: ffff888026f79e00
RDX: 0000000000000000 RSI: ffffffff8db5f1fd RDI: ffff888026f79e00
RBP: ffffc90003a8f9b0 R08: ffffffff8f6025e7 R09: 1ffffffff1ec04bc
R10: dffffc0000000000 R11: fffffbfff1ec04bd R12: ffffffff8f600660
R13: 1ffff92000751f40 R14: ffff888035c014c0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888125d86000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efd65a94e9c CR3: 0000000031b09000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 xfrm_net_exit+0x2d/0x70 net/xfrm/xfrm_policy.c:4348
 ops_exit_list net/core/net_namespace.c:200 [inline]
 ops_undo_list+0x49a/0x990 net/core/net_namespace.c:253
 cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>


Tested on:

commit:         86aa7218 Merge tag 'chrome-platform-v6.17' of git://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=100531bc580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6aef71a615d0cdf2
dashboard link: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16798cf0580000

Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)

[Steffen Klassert]

On Tue, Jul 29, 2025 at 12:08:31AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    038d61fd6422 Linux 6.16
> git tree:       upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=11b88cf0580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4066f1c76cfbc4fe
> dashboard link: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
> compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ca1782580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140194a2580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/6505c612be11/disk-038d61fd.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/e466ef29c1ca/vmlinux-038d61fd.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/b6d3d8fc5cbb/bzImage-038d61fd.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 36 at net/xfrm/xfrm_state.c:3284 xfrm_state_fini+0x270/0x2f0 net/xfrm/xfrm_state.c:3284
> Modules linked in:
> CPU: 1 UID: 0 PID: 36 Comm: kworker/u8:2 Not tainted 6.16.0-syzkaller #0 PREEMPT(full) 
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
> Workqueue: netns cleanup_net
> RIP: 0010:xfrm_state_fini+0x270/0x2f0 net/xfrm/xfrm_state.c:3284
> Code: c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 68 fa 0b f8 48 8b 3b 5b 41 5c 41 5d 41 5e 41 5f 5d e9 56 c8 ec f7 e8 51 e8 a9 f7 90 <0f> 0b 90 e9 fd fd ff ff e8 43 e8 a9 f7 90 0f 0b 90 e9 60 fe ff ff
> RSP: 0018:ffffc90000ac7898 EFLAGS: 00010293
> RAX: ffffffff8a163e8f RBX: ffff888034008000 RCX: ffff888143299e00
> RDX: 0000000000000000 RSI: ffffffff8db8419f RDI: ffff888143299e00
> RBP: ffffc90000ac79b0 R08: ffffffff8f6196e7 R09: 1ffffffff1ec32dc
> R10: dffffc0000000000 R11: fffffbfff1ec32dd R12: ffffffff8f617760
> R13: 1ffff92000158f40 R14: ffff8880340094c0 R15: dffffc0000000000
> FS:  0000000000000000(0000) GS:ffff888125d23000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fbd9e960960 CR3: 00000000316d3000 CR4: 0000000000350ef0
> Call Trace:
>  <TASK>
>  xfrm_net_exit+0x2d/0x70 net/xfrm/xfrm_policy.c:4348
>  ops_exit_list net/core/net_namespace.c:200 [inline]
>  ops_undo_list+0x49a/0x990 net/core/net_namespace.c:253
>  cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686
>  process_one_work kernel/workqueue.c:3238 [inline]
>  process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
>  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
>  kthread+0x711/0x8a0 kernel/kthread.c:464
>  ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>  </TASK>

Hi Sabrina, your recent ipcomp patches seem to trigger this issue.
At least reverting them make it go away. Can you please look
into this?

Please note that

CONFIG_INET_DIAG_DESTROY=y

has to be set to trigger the warining.

Thanks!

Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)

[Sabrina Dubroca]

Hi Steffen,

2025-07-29, 13:01:22 +0200, Steffen Klassert wrote:
> On Tue, Jul 29, 2025 at 12:08:31AM -0700, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    038d61fd6422 Linux 6.16
> > git tree:       upstream
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=11b88cf0580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=4066f1c76cfbc4fe
> > dashboard link: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
> > compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ca1782580000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140194a2580000
> > 
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/6505c612be11/disk-038d61fd.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/e466ef29c1ca/vmlinux-038d61fd.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/b6d3d8fc5cbb/bzImage-038d61fd.xz
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
> > 
> > ------------[ cut here ]------------
> > WARNING: CPU: 1 PID: 36 at net/xfrm/xfrm_state.c:3284 xfrm_state_fini+0x270/0x2f0 net/xfrm/xfrm_state.c:3284
> > Modules linked in:
> > CPU: 1 UID: 0 PID: 36 Comm: kworker/u8:2 Not tainted 6.16.0-syzkaller #0 PREEMPT(full) 
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
> > Workqueue: netns cleanup_net
> > RIP: 0010:xfrm_state_fini+0x270/0x2f0 net/xfrm/xfrm_state.c:3284
> > Code: c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 68 fa 0b f8 48 8b 3b 5b 41 5c 41 5d 41 5e 41 5f 5d e9 56 c8 ec f7 e8 51 e8 a9 f7 90 <0f> 0b 90 e9 fd fd ff ff e8 43 e8 a9 f7 90 0f 0b 90 e9 60 fe ff ff
> > RSP: 0018:ffffc90000ac7898 EFLAGS: 00010293
> > RAX: ffffffff8a163e8f RBX: ffff888034008000 RCX: ffff888143299e00
> > RDX: 0000000000000000 RSI: ffffffff8db8419f RDI: ffff888143299e00
> > RBP: ffffc90000ac79b0 R08: ffffffff8f6196e7 R09: 1ffffffff1ec32dc
> > R10: dffffc0000000000 R11: fffffbfff1ec32dd R12: ffffffff8f617760
> > R13: 1ffff92000158f40 R14: ffff8880340094c0 R15: dffffc0000000000
> > FS:  0000000000000000(0000) GS:ffff888125d23000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007fbd9e960960 CR3: 00000000316d3000 CR4: 0000000000350ef0
> > Call Trace:
> >  <TASK>
> >  xfrm_net_exit+0x2d/0x70 net/xfrm/xfrm_policy.c:4348
> >  ops_exit_list net/core/net_namespace.c:200 [inline]
> >  ops_undo_list+0x49a/0x990 net/core/net_namespace.c:253
> >  cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686
> >  process_one_work kernel/workqueue.c:3238 [inline]
> >  process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
> >  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
> >  kthread+0x711/0x8a0 kernel/kthread.c:464
> >  ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
> >  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> >  </TASK>
> 
> Hi Sabrina, your recent ipcomp patches seem to trigger this issue.
> At least reverting them make it go away. Can you please look
> into this?

I haven't looked at the other reports yet, but this one seems to be a
stupid mistake in my revert patch. With these changes, the syzbot
repro stops splatting here:


#syz test

diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 5120a763da0d..0a0eeaed0591 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -334,7 +334,7 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
 	struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
 	unsigned int i;
 
-	xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+	xfrm_state_flush(net, 0, false);
 	xfrm_flush_gc();
 
 	for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 97ff756191ba..5f1da305eea8 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -3278,7 +3278,7 @@ void xfrm_state_fini(struct net *net)
 	unsigned int sz;
 
 	flush_work(&net->xfrm.state_hash_work);
-	xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+	xfrm_state_flush(net, 0, false);
 	flush_work(&xfrm_state_gc_work);
 
 	WARN_ON(!list_empty(&net->xfrm.state_all));


-- 
Sabrina

Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
Tested-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com

Tested on:

commit:         86aa7218 Merge tag 'chrome-platform-v6.17' of git://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16eb74a2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6aef71a615d0cdf2
dashboard link: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14b29782580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)

[Tetsuo Handa]

syzbot is still hitting this problem. Please check.

On 2025/07/29 20:09, Sabrina Dubroca wrote:
>> Hi Sabrina, your recent ipcomp patches seem to trigger this issue.
>> At least reverting them make it go away. Can you please look
>> into this?
> 
> I haven't looked at the other reports yet, but this one seems to be a
> stupid mistake in my revert patch. With these changes, the syzbot
> repro stops splatting here:

Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)

[Sabrina Dubroca]

2025-08-28, 20:06:29 +0900, Tetsuo Handa wrote:
> syzbot is still hitting this problem. Please check.

Thanks for the ping.

syzbot has found 2 different bugs that need separate fixes (but with
the same symptoms, hitting that WARNING, and coming from the same
patch series). I fixed one (syzbot confirmed the fix), I'm working on
the other one now.

> On 2025/07/29 20:09, Sabrina Dubroca wrote:
> >> Hi Sabrina, your recent ipcomp patches seem to trigger this issue.
> >> At least reverting them make it go away. Can you please look
> >> into this?
> > 
> > I haven't looked at the other reports yet, but this one seems to be a
> > stupid mistake in my revert patch. With these changes, the syzbot
> > repro stops splatting here:

-- 
Sabrina

Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)

[syzbot]

syzbot has bisected this issue to:

commit 2a198bbec6913ae1c90ec963750003c6213668c7
Author: Sabrina Dubroca <sd@queasysnail.net>
Date:   Fri Jul 4 14:54:34 2025 +0000

    Revert "xfrm: destroy xfrm_state synchronously on net exit path"

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1714d2a2580000
start commit:   038d61fd6422 Linux 6.16
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=1494d2a2580000
console output: https://syzkaller.appspot.com/x/log.txt?x=1094d2a2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4066f1c76cfbc4fe
dashboard link: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ca1782580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140194a2580000

Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
Fixes: 2a198bbec691 ("Revert "xfrm: destroy xfrm_state synchronously on net exit path"")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)

[syzbot]

> On Tue, Jul 29, 2025 at 12:08:31AM -0700, syzbot wrote:
>> Hello,
>> 
>> syzbot found the following issue on:
>> 
>> HEAD commit:    038d61fd6422 Linux 6.16
>> git tree:       upstream
>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=11b88cf0580000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=4066f1c76cfbc4fe
>> dashboard link: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
>> compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ca1782580000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140194a2580000
>> 
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/6505c612be11/disk-038d61fd.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/e466ef29c1ca/vmlinux-038d61fd.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/b6d3d8fc5cbb/bzImage-038d61fd.xz
>> 
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
>
>
> #syz test:

want either no args or 2 args (repo, branch), got 7

>
> From 2e9d56e8788104715de30b6eb91b30e321735f41 Mon Sep 17 00:00:00 2001
> From: Steffen Klassert <steffen.klassert@secunet.com>
> Date: Tue, 29 Jul 2025 11:41:07 +0200
> Subject: [PATCH] Reapply "xfrm: destroy xfrm_state synchronously on net exit
>  path"
>
> This reverts commit 2a198bbec6913ae1c90ec963750003c6213668c7.
> ---
>  include/net/xfrm.h      | 12 +++++++++---
>  net/ipv6/xfrm6_tunnel.c |  2 +-
>  net/key/af_key.c        |  2 +-
>  net/xfrm/xfrm_state.c   | 23 ++++++++++++++---------
>  net/xfrm/xfrm_user.c    |  2 +-
>  5 files changed, 26 insertions(+), 15 deletions(-)
>
> diff --git a/include/net/xfrm.h b/include/net/xfrm.h
> index f3014e4f54fc..91d52a380e37 100644
> --- a/include/net/xfrm.h
> +++ b/include/net/xfrm.h
> @@ -915,7 +915,7 @@ static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
>  		xfrm_pol_put(pols[i]);
>  }
>  
> -void __xfrm_state_destroy(struct xfrm_state *);
> +void __xfrm_state_destroy(struct xfrm_state *, bool);
>  
>  static inline void __xfrm_state_put(struct xfrm_state *x)
>  {
> @@ -925,7 +925,13 @@ static inline void __xfrm_state_put(struct xfrm_state *x)
>  static inline void xfrm_state_put(struct xfrm_state *x)
>  {
>  	if (refcount_dec_and_test(&x->refcnt))
> -		__xfrm_state_destroy(x);
> +		__xfrm_state_destroy(x, false);
> +}
> +
> +static inline void xfrm_state_put_sync(struct xfrm_state *x)
> +{
> +	if (refcount_dec_and_test(&x->refcnt))
> +		__xfrm_state_destroy(x, true);
>  }
>  
>  static inline void xfrm_state_hold(struct xfrm_state *x)
> @@ -1763,7 +1769,7 @@ struct xfrmk_spdinfo {
>  
>  struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq, u32 pcpu_num);
>  int xfrm_state_delete(struct xfrm_state *x);
> -int xfrm_state_flush(struct net *net, u8 proto, bool task_valid);
> +int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
>  int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
>  int xfrm_dev_policy_flush(struct net *net, struct net_device *dev,
>  			  bool task_valid);
> diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
> index 5120a763da0d..7fd8bc08e6eb 100644
> --- a/net/ipv6/xfrm6_tunnel.c
> +++ b/net/ipv6/xfrm6_tunnel.c
> @@ -334,7 +334,7 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
>  	struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
>  	unsigned int i;
>  
> -	xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
> +	xfrm_state_flush(net, 0, false, true);
>  	xfrm_flush_gc();
>  
>  	for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
> diff --git a/net/key/af_key.c b/net/key/af_key.c
> index b5d761700776..efc2a91f4c48 100644
> --- a/net/key/af_key.c
> +++ b/net/key/af_key.c
> @@ -1766,7 +1766,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_m
>  	if (proto == 0)
>  		return -EINVAL;
>  
> -	err = xfrm_state_flush(net, proto, true);
> +	err = xfrm_state_flush(net, proto, true, false);
>  	err2 = unicast_flush_resp(sk, hdr);
>  	if (err || err2) {
>  		if (err == -ESRCH) /* empty table - go quietly */
> diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
> index 97ff756191ba..0ec7d22aaff3 100644
> --- a/net/xfrm/xfrm_state.c
> +++ b/net/xfrm/xfrm_state.c
> @@ -592,7 +592,7 @@ void xfrm_state_free(struct xfrm_state *x)
>  }
>  EXPORT_SYMBOL(xfrm_state_free);
>  
> -static void xfrm_state_gc_destroy(struct xfrm_state *x)
> +static void ___xfrm_state_destroy(struct xfrm_state *x)
>  {
>  	if (x->mode_cbs && x->mode_cbs->destroy_state)
>  		x->mode_cbs->destroy_state(x);
> @@ -631,7 +631,7 @@ static void xfrm_state_gc_task(struct work_struct *work)
>  	synchronize_rcu();
>  
>  	hlist_for_each_entry_safe(x, tmp, &gc_list, gclist)
> -		xfrm_state_gc_destroy(x);
> +		___xfrm_state_destroy(x);
>  }
>  
>  static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me)
> @@ -795,14 +795,19 @@ void xfrm_dev_state_free(struct xfrm_state *x)
>  }
>  #endif
>  
> -void __xfrm_state_destroy(struct xfrm_state *x)
> +void __xfrm_state_destroy(struct xfrm_state *x, bool sync)
>  {
>  	WARN_ON(x->km.state != XFRM_STATE_DEAD);
>  
> -	spin_lock_bh(&xfrm_state_gc_lock);
> -	hlist_add_head(&x->gclist, &xfrm_state_gc_list);
> -	spin_unlock_bh(&xfrm_state_gc_lock);
> -	schedule_work(&xfrm_state_gc_work);
> +	if (sync) {
> +		synchronize_rcu();
> +		___xfrm_state_destroy(x);
> +	} else {
> +		spin_lock_bh(&xfrm_state_gc_lock);
> +		hlist_add_head(&x->gclist, &xfrm_state_gc_list);
> +		spin_unlock_bh(&xfrm_state_gc_lock);
> +		schedule_work(&xfrm_state_gc_work);
> +	}
>  }
>  EXPORT_SYMBOL(__xfrm_state_destroy);
>  
> @@ -917,7 +922,7 @@ xfrm_dev_state_flush_secctx_check(struct net *net, struct net_device *dev, bool
>  }
>  #endif
>  
> -int xfrm_state_flush(struct net *net, u8 proto, bool task_valid)
> +int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync)
>  {
>  	int i, err = 0, cnt = 0;
>  
> @@ -3278,7 +3283,7 @@ void xfrm_state_fini(struct net *net)
>  	unsigned int sz;
>  
>  	flush_work(&net->xfrm.state_hash_work);
> -	xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
> +	xfrm_state_flush(net, 0, false, true);
>  	flush_work(&xfrm_state_gc_work);
>  
>  	WARN_ON(!list_empty(&net->xfrm.state_all));
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index 684239018bec..1db18f470f42 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -2635,7 +2635,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
>  	struct xfrm_usersa_flush *p = nlmsg_data(nlh);
>  	int err;
>  
> -	err = xfrm_state_flush(net, p->proto, true);
> +	err = xfrm_state_flush(net, p->proto, true, false);
>  	if (err) {
>  		if (err == -ESRCH) /* empty table */
>  			return 0;
> -- 
> 2.43.0
>

Re: [syzbot] [net?] WARNING in xfrm_state_fini (3)

[syzbot]

> On Tue, Jul 29, 2025 at 12:08:31AM -0700, syzbot wrote:
>> Hello,
>> 
>> syzbot found the following issue on:
>> 
>> HEAD commit:    038d61fd6422 Linux 6.16
>> git tree:       upstream
>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=11b88cf0580000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=4066f1c76cfbc4fe
>> dashboard link: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
>> compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ca1782580000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140194a2580000
>> 
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/6505c612be11/disk-038d61fd.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/e466ef29c1ca/vmlinux-038d61fd.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/b6d3d8fc5cbb/bzImage-038d61fd.xz
>> 
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
>
> #syz test:

want either no args or 2 args (repo, branch), got 4

>
> diff --git a/include/net/xfrm.h b/include/net/xfrm.h
> index f3014e4f54fc..91d52a380e37 100644
> --- a/include/net/xfrm.h
> +++ b/include/net/xfrm.h
> @@ -915,7 +915,7 @@ static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
>  		xfrm_pol_put(pols[i]);
>  }
>  
> -void __xfrm_state_destroy(struct xfrm_state *);
> +void __xfrm_state_destroy(struct xfrm_state *, bool);
>  
>  static inline void __xfrm_state_put(struct xfrm_state *x)
>  {
> @@ -925,7 +925,13 @@ static inline void __xfrm_state_put(struct xfrm_state *x)
>  static inline void xfrm_state_put(struct xfrm_state *x)
>  {
>  	if (refcount_dec_and_test(&x->refcnt))
> -		__xfrm_state_destroy(x);
> +		__xfrm_state_destroy(x, false);
> +}
> +
> +static inline void xfrm_state_put_sync(struct xfrm_state *x)
> +{
> +	if (refcount_dec_and_test(&x->refcnt))
> +		__xfrm_state_destroy(x, true);
>  }
>  
>  static inline void xfrm_state_hold(struct xfrm_state *x)
> @@ -1763,7 +1769,7 @@ struct xfrmk_spdinfo {
>  
>  struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq, u32 pcpu_num);
>  int xfrm_state_delete(struct xfrm_state *x);
> -int xfrm_state_flush(struct net *net, u8 proto, bool task_valid);
> +int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
>  int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
>  int xfrm_dev_policy_flush(struct net *net, struct net_device *dev,
>  			  bool task_valid);
> diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
> index 5120a763da0d..7fd8bc08e6eb 100644
> --- a/net/ipv6/xfrm6_tunnel.c
> +++ b/net/ipv6/xfrm6_tunnel.c
> @@ -334,7 +334,7 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
>  	struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
>  	unsigned int i;
>  
> -	xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
> +	xfrm_state_flush(net, 0, false, true);
>  	xfrm_flush_gc();
>  
>  	for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
> diff --git a/net/key/af_key.c b/net/key/af_key.c
> index b5d761700776..efc2a91f4c48 100644
> --- a/net/key/af_key.c
> +++ b/net/key/af_key.c
> @@ -1766,7 +1766,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_m
>  	if (proto == 0)
>  		return -EINVAL;
>  
> -	err = xfrm_state_flush(net, proto, true);
> +	err = xfrm_state_flush(net, proto, true, false);
>  	err2 = unicast_flush_resp(sk, hdr);
>  	if (err || err2) {
>  		if (err == -ESRCH) /* empty table - go quietly */
> diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
> index 97ff756191ba..0ec7d22aaff3 100644
> --- a/net/xfrm/xfrm_state.c
> +++ b/net/xfrm/xfrm_state.c
> @@ -592,7 +592,7 @@ void xfrm_state_free(struct xfrm_state *x)
>  }
>  EXPORT_SYMBOL(xfrm_state_free);
>  
> -static void xfrm_state_gc_destroy(struct xfrm_state *x)
> +static void ___xfrm_state_destroy(struct xfrm_state *x)
>  {
>  	if (x->mode_cbs && x->mode_cbs->destroy_state)
>  		x->mode_cbs->destroy_state(x);
> @@ -631,7 +631,7 @@ static void xfrm_state_gc_task(struct work_struct *work)
>  	synchronize_rcu();
>  
>  	hlist_for_each_entry_safe(x, tmp, &gc_list, gclist)
> -		xfrm_state_gc_destroy(x);
> +		___xfrm_state_destroy(x);
>  }
>  
>  static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me)
> @@ -795,14 +795,19 @@ void xfrm_dev_state_free(struct xfrm_state *x)
>  }
>  #endif
>  
> -void __xfrm_state_destroy(struct xfrm_state *x)
> +void __xfrm_state_destroy(struct xfrm_state *x, bool sync)
>  {
>  	WARN_ON(x->km.state != XFRM_STATE_DEAD);
>  
> -	spin_lock_bh(&xfrm_state_gc_lock);
> -	hlist_add_head(&x->gclist, &xfrm_state_gc_list);
> -	spin_unlock_bh(&xfrm_state_gc_lock);
> -	schedule_work(&xfrm_state_gc_work);
> +	if (sync) {
> +		synchronize_rcu();
> +		___xfrm_state_destroy(x);
> +	} else {
> +		spin_lock_bh(&xfrm_state_gc_lock);
> +		hlist_add_head(&x->gclist, &xfrm_state_gc_list);
> +		spin_unlock_bh(&xfrm_state_gc_lock);
> +		schedule_work(&xfrm_state_gc_work);
> +	}
>  }
>  EXPORT_SYMBOL(__xfrm_state_destroy);
>  
> @@ -917,7 +922,7 @@ xfrm_dev_state_flush_secctx_check(struct net *net, struct net_device *dev, bool
>  }
>  #endif
>  
> -int xfrm_state_flush(struct net *net, u8 proto, bool task_valid)
> +int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync)
>  {
>  	int i, err = 0, cnt = 0;
>  
> @@ -3278,7 +3283,7 @@ void xfrm_state_fini(struct net *net)
>  	unsigned int sz;
>  
>  	flush_work(&net->xfrm.state_hash_work);
> -	xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
> +	xfrm_state_flush(net, 0, false, true);
>  	flush_work(&xfrm_state_gc_work);
>  
>  	WARN_ON(!list_empty(&net->xfrm.state_all));
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index 684239018bec..1db18f470f42 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -2635,7 +2635,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
>  	struct xfrm_usersa_flush *p = nlmsg_data(nlh);
>  	int err;
>  
> -	err = xfrm_state_flush(net, p->proto, true);
> +	err = xfrm_state_flush(net, p->proto, true, false);
>  	if (err) {
>  		if (err == -ESRCH) /* empty table */
>  			return 0;
> -- 
> 2.43.0
>