CVE-2025-40256

In the Linux kernel, the following vulnerability has been resolved:

xfrm: also call xfrmstatedelete_tunnel at destroy time for states that were never added

In commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.

In this situation, ->initstate has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through _xfrmstatedelete, so we don't call xfrmstatedelete_tunnel for those states, and we end up leaking the FB tunnel.

There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrmmigrate, xfrmstatemigrate). A "proper" rollback of the initstate work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.

At some point, the new (not-inserted) state will be destroyed, so call xfrmstatedeletetunnel during xfrmstategcdestroy. Most states will have their fallback tunnel cleaned up during _xfrmstatedelete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrmstatefini has called flushwork(&xfrmstategc_work).