--- x/net/xfrm/xfrm_state.c
+++ y/net/xfrm/xfrm_state.c
@@ -615,6 +615,15 @@ static void xfrm_state_gc_destroy(struct
 		put_page(x->xfrag.page);
 	xfrm_dev_state_free(x);
 	security_xfrm_state_free(x);
+	spin_lock_bh(&x->lock);
+	do {
+		struct net *net = xs_net(x);
+
+		spin_lock(&net->xfrm.xfrm_state_lock);
+		list_del_init(&x->km.all);
+		spin_unlock(&net->xfrm.xfrm_state_lock);
+	} while (0);
+	spin_unlock_bh(&x->lock);
 	xfrm_state_free(x);
 }
 
@@ -816,7 +825,7 @@ int __xfrm_state_delete(struct xfrm_stat
 		x->km.state = XFRM_STATE_DEAD;
 
 		spin_lock(&net->xfrm.xfrm_state_lock);
-		list_del(&x->km.all);
+		list_del_init(&x->km.all);
 		hlist_del_rcu(&x->bydst);
 		hlist_del_rcu(&x->bysrc);
 		if (x->km.seq)