During migration, a state/SA may have been deleted or become invalid.
Since skb(s) may still hold a reference to this deleted state, it could
be reused inadvertently. Using a migrated SA could result in reusing
the same IV for AES-GCM, which must be avoided for an output SA.

Add a check to ensure the state is in XFRM_STATE_VALID before use.
This check is useful for both output and input data paths.

Call chain:
  xfrm_output_one()
    xfrm_state_check_expire()
      if (x->km.state != XFRM_STATE_VALID) ---> new check
         return -EINVAL;
      encapsulate the packet

Signed-off-by: Antony Antony <antony.antony@secunet.com>
---
 net/xfrm/xfrm_state.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 91e0898c458f..c9c5a2daa86f 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2265,6 +2265,9 @@ EXPORT_SYMBOL(xfrm_state_update);
 
 int xfrm_state_check_expire(struct xfrm_state *x)
 {
+	if (x->km.state != XFRM_STATE_VALID)
+		return -EINVAL;
+
 	/* All counters which are needed to decide if state is expired
 	 * are handled by SW for non-packet offload modes. Simply skip
 	 * the following update and save extra boilerplate in drivers.
-- 
2.39.5