xfrm_state_fini() flushes the resize and GC work, destroys all states, and then frees the state hash tables and the inbound percpu state cache. Those objects can still be observed by concurrent RCU readers. We need to wait for a RCU grace period before freeing the hash tables and the percpu cache to avoid netns teardown racing with lockless lookups. Fix this by adding synchronize_rcu() before freeing the state hash tables and the inbound percpu state cache. Fixes: c8406998b801 ("xfrm: state: use rcu_deref and assign_pointer helpers") Signed-off-by: Steffen Klassert --- net/xfrm/xfrm_state.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 1748d374abca..84fbf1591138 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -3327,6 +3327,8 @@ void xfrm_state_fini(struct net *net) xfrm_state_flush(net, 0, false); flush_work(&xfrm_state_gc_work); + synchronize_rcu(); + WARN_ON(!list_empty(&net->xfrm.state_all)); for (i = 0; i <= net->xfrm.state_hmask; i++) { -- 2.43.0
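Review bot: the synchronize_rcu() added after flush_work(&xfrm_state_gc_work) carries no comment saying what it pairs with, and neither the WARN_ON nor the hash loop that follow it give a hint, so a one-line comment such as `/* wait for lockless readers of the hash tables and the percpu cache before they are freed */` would keep a later cleanup from dropping it as redundant with the flush. The placement itself looks right: it sits after the GC work is flushed, so the grace period begins only once the last writer has run, and a single grace period covers both the state hash tables and the inbound percpu cache that the commit message says are freed further down.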