#syz test
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index f3014e4f54fc..2e7ab56db152 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -441,6 +441,7 @@ int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
void xfrm_flush_gc(void);
+void xfrm_state_delete_tunnel(struct xfrm_state *x);
struct xfrm_type {
struct module *owner;
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index d213ca3653a8..5d982e4e6526 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -806,7 +806,6 @@ void __xfrm_state_destroy(struct xfrm_state *x)
}
EXPORT_SYMBOL(__xfrm_state_destroy);
-static void xfrm_state_delete_tunnel(struct xfrm_state *x);
int __xfrm_state_delete(struct xfrm_state *x)
{
struct net *net = xs_net(x);
@@ -3085,7 +3084,7 @@ void xfrm_flush_gc(void)
}
EXPORT_SYMBOL(xfrm_flush_gc);
-static void xfrm_state_delete_tunnel(struct xfrm_state *x)
+void xfrm_state_delete_tunnel(struct xfrm_state *x)
{
if (x->tunnel) {
struct xfrm_state *t = x->tunnel;
@@ -3096,6 +3095,7 @@ static void xfrm_state_delete_tunnel(struct xfrm_state *x)
x->tunnel = NULL;
}
}
+EXPORT_SYMBOL(xfrm_state_delete_tunnel);
u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
{
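Review bot: `xfrm_state_delete_tunnel()` becomes a global, exported symbol here (the `static` is dropped in the previous hunk), but no comment states what a caller must guarantee. The visible lines read `x->tunnel` and later set it to NULL with no locking in view, so two callers racing on the same state could both act on the same tunnel pointer. The middle of the function is outside the hunk, so this is inferred rather than confirmed. A short kernel-doc header would make the contract explicit now that code outside xfrm_state.c can call it, for example stating that the caller must own `x` exclusively (a state already marked `XFRM_STATE_DEAD`, or one that was never inserted).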
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 010c9e6638c0..7f769617882c 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1031,6 +1031,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
xfrm_dev_state_delete(x);
+ xfrm_state_delete_tunnel(x);
__xfrm_state_put(x);
goto out;
}
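Review bot: The added `xfrm_state_delete_tunnel(x)` call in the `err < 0` branch of xfrm_add_sa covers only this one discard path, and nothing in the hunk records why it is needed here. If the reason is that a state which never reached the state tables does not pass through `__xfrm_state_delete()` (inferred from where the removed forward declaration sat), a comment such as `/* x was never inserted, so drop the tunnel state reference here */` would capture that. It is also worth checking whether other paths that mark a freshly built state `XFRM_STATE_DEAD` and put it need the same cleanup, since a leaked tunnel reference keeps that state alive after its owner is gone. Releasing the reference in the destroy path instead would mean no caller can miss it. xfrm_add_sa's body starts and ends outside the hunk.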
--
2.34.1
Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+999eb23467f83f9bf9bf@syzkaller.appspotmail.com Tested-by: syzbot+999eb23467f83f9bf9bf@syzkaller.appspotmail.com Tested on: commit: ffff5c8f net: phy: realtek: fix rtl8221b-vm-cg name git tree: net console output: https://syzkaller.appspot.com/x/log.txt?x=11573c58580000 kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7 dashboard link: https://syzkaller.appspot.com/bug?extid=999eb23467f83f9bf9bf compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=15159734580000 Note: testing is done by a robot and is best-effort only.
2025-10-20, 19:25:53 +0800, Wang Liang wrote: > #syz test I've already sent https://lore.kernel.org/all/15c383b3491b6ecedc98380e9db5b23f826a4857.1760610268.git.sd@queasysnail.net/ which should address this issue (and the other report in xfrm6_tunnel_net_exit). -- Sabrina
在 2025/10/20 20:20, Sabrina Dubroca 写道: > 2025-10-20, 19:25:53 +0800, Wang Liang wrote: >> #syz test > I've already sent > https://lore.kernel.org/all/15c383b3491b6ecedc98380e9db5b23f826a4857.1760610268.git.sd@queasysnail.net/ > which should address this issue (and the other report in > xfrm6_tunnel_net_exit). Sorry! Yesterday I worked on the issue 'WARNING in xfrm6_tunnel_net_exit' and I didn't find any patches on the mailing list carrying a Reported-by/Tested-by for its syzbot link, or any syz test patches, so I sent this test patch. Please ignore my test patches. Thanks.