From: syzbot <syzbot+7c11975a7e4a2735d529@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] netdevsim: fib: replace flush_work() with cancel_work_sync() in nsim_fib_flush_work()
Date: Wed, 18 Mar 2026 07:57:17 -0700
Message-ID: <69babd4d.050a0220.227207.0005.GAE@google.com>
In-Reply-To: <69a486ee.050a0220.3a55be.0067.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] netdevsim: fib: replace flush_work() with cancel_work_sync() in nsim_fib_flush_work()
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
nsim_fib_flush_work() calls flush_work() on fib_event_work before
acquiring fib_lock. However, fib_event_work also acquires fib_lock
while processing fib events. If fib_event_work is processing a large
number of events, flush_work() will wait indefinitely causing a hung
task splat.

Fix this by replacing flush_work() with cancel_work_sync() in
nsim_fib_flush_work() to cancel any pending fib_event_work instead
of waiting for it to complete.

Note that flush_work() is intentionally kept in nsim_fib_destroy()
since fib notifiers are already unregistered at that point, meaning
no new fib events can be queued and it is safe to flush the remaining
events.

The following call chain triggers the hang:

nsim_fib_flush_work()
flush_work(&data->fib_event_work) <- waits forever
nsim_fib_event_work()
mutex_lock(&data->fib_lock) <- held while processing
Reported-by: syzbot+7c11975a7e4a2735d529@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=7c11975a7e4a2735d529
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
drivers/net/netdevsim/fib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/netdevsim/fib.c b/drivers/net/netdevsim/fib.c
index 1a42bdbfaa41..bca190aa167e 100644
--- a/drivers/net/netdevsim/fib.c
+++ b/drivers/net/netdevsim/fib.c
@@ -1505,7 +1505,7 @@ static void nsim_fib_flush_work(struct work_struct *work)
struct nsim_fib_rt *fib_rt, *fib_rt_tmp;
/* Process pending work. */
- flush_work(&data->fib_event_work);
+ cancel_work_sync(&data->fib_event_work);
mutex_lock(&data->fib_lock);
list_for_each_entry_safe(fib_rt, fib_rt_tmp, &data->fib_rt_list, list) {
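Review bot: The comment "/* Process pending work. */" directly above the changed call no longer matches it, because cancel_work_sync() drops a queued fib_event_work instead of running it; please update the comment and state in the commit message what happens to events that were queued but are now never processed before the fib_rt_list walk. Also note that cancel_work_sync() still waits for an instance of the work that is already executing, so if the hung task comes from a long-running nsim_fib_event_work() holding fib_lock, this call can block in the same place; the commit message should explain why cancelling only the pending instance is sufficient.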
--
2.43.0