--- x/net/xfrm/xfrm_state.c
+++ y/net/xfrm/xfrm_state.c
@@ -618,6 +618,8 @@ static void xfrm_state_gc_destroy(struct
 	xfrm_state_free(x);
 }
 
+static DEFINE_MUTEX(notify_mutex);
+
 static void xfrm_state_gc_task(struct work_struct *work)
 {
 	struct xfrm_state *x;
@@ -630,8 +632,10 @@ static void xfrm_state_gc_task(struct wo
 
 	synchronize_rcu();
 
+	mutex_lock(&notify_mutex);
 	hlist_for_each_entry_safe(x, tmp, &gc_list, gclist)
 		xfrm_state_gc_destroy(x);
+	mutex_unlock(&notify_mutex);
 }
 
 static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me)
@@ -921,6 +925,7 @@ int xfrm_state_flush(struct net *net, u8
 {
 	int i, err = 0, cnt = 0;
 
+	mutex_lock(&notify_mutex);
 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
 	err = xfrm_state_flush_secctx_check(net, proto, task_valid);
 	if (err)
@@ -950,6 +955,7 @@ restart:
 	}
 out:
 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
+	mutex_unlock(&notify_mutex);
 	if (cnt)
 		err = 0;
 
@@ -2569,6 +2575,8 @@ int xfrm_alloc_spi(struct xfrm_state *x,
 	u32 range = high - low + 1;
 	__be32 newspi = 0;
 
+	if (!mutex_trylock(&notify_mutex))
+		return err;
 	spin_lock_bh(&x->lock);
 	if (x->km.state == XFRM_STATE_DEAD) {
 		NL_SET_ERR_MSG(extack, "Target ACQUIRE is in DEAD state");
@@ -2612,6 +2620,7 @@ int xfrm_alloc_spi(struct xfrm_state *x,
 
 unlock:
 	spin_unlock_bh(&x->lock);
+	mutex_unlock(&notify_mutex);
 
 	return err;
 }