Date: Wed, 18 Mar 2026 07:57:17 -0700
In-Reply-To: <69a486ee.050a0220.3a55be.0067.GAE@google.com>
Message-ID: <69babd4d.050a0220.227207.0005.GAE@google.com>
Subject: Forwarded: [PATCH] netdevsim: fib: replace flush_work() with cancel_work_sync() in nsim_fib_flush_work()
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] netdevsim: fib: replace flush_work() with cancel_work_sync() in nsim_fib_flush_work()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

nsim_fib_flush_work() calls flush_work() on fib_event_work before
acquiring fib_lock. However, fib_event_work also acquires fib_lock
while processing fib events. If fib_event_work is processing a large
number of events, flush_work() will wait indefinitely causing a hung
task splat.

Fix this by replacing flush_work() with cancel_work_sync() in
nsim_fib_flush_work() to cancel any pending fib_event_work instead
of waiting for it to complete.

Note that flush_work() is intentionally kept in nsim_fib_destroy()
since fib notifiers are already unregistered at that point, meaning
no new fib events can be queued and it is safe to flush the remaining
events.

The following call chain triggers the hang:

  nsim_fib_flush_work()
    flush_work(&data->fib_event_work)  <- waits forever
      nsim_fib_event_work()
        mutex_lock(&data->fib_lock)    <- held while processing

Reported-by: syzbot+7c11975a7e4a2735d529@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=7c11975a7e4a2735d529
Signed-off-by: Deepanshu Kartikey
--- drivers/net/netdevsim/fib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/netdevsim/fib.c b/drivers/net/netdevsim/fib.c index 1a42bdbfaa41..bca190aa167e 100644 --- a/drivers/net/netdevsim/fib.c +++ b/drivers/net/netdevsim/fib.c
@@ -1505,7 +1505,7 @@ static void nsim_fib_flush_work(struct work_struct *w= ork) struct nsim_fib_rt *fib_rt, *fib_rt_tmp; =20 /* Process pending work. */ - flush_work(&data->fib_event_work); + cancel_work_sync(&data->fib_event_work); =20 mutex_lock(&data->fib_lock); list_for_each_entry_safe(fib_rt, fib_rt_tmp, &data->fib_rt_list, list) { --=20 2.43.0
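
Review bot: at the replaced call in nsim_fib_flush_work(), cancel_work_sync() still waits for an instance of fib_event_work that is already executing, so the case the commit message describes (the work item busy processing a large number of events) blocks here just as flush_work() did; only an item that is pending and not yet started is skipped. The commit message should state which of the two cases the syzbot report hits, and what happens to events that were queued for the cancelled work, since the visible lines only take fib_lock and walk fib_rt_list and do not show those events being processed or freed. The unchanged comment "/* Process pending work. */" directly above the call no longer matches the code and should be updated to say that pending work is cancelled.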