From 0c125b4fcef40ea2c876496f0e3b9b6e74dcebde Mon Sep 17 00:00:00 2001
From: pr-hung
Date: Thu, 18 Dec 2025 01:04:08 +0800
Subject: [PATCH] Fix potential vulnerability in cloned code (drivers/net/netdevsim/fib.c)
---
 drivers/net/netdevsim/fib.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/drivers/net/netdevsim/fib.c b/drivers/net/netdevsim/fib.c
index 16c382c42227..1236071d6af1 100644
--- a/drivers/net/netdevsim/fib.c
+++ b/drivers/net/netdevsim/fib.c
@@ -55,6 +55,7 @@ struct nsim_fib_data {
 struct devlink *devlink;
 struct work_struct fib_event_work;
 struct work_struct fib_flush_work;
+ struct work_struct fib_flush_work;
 struct list_head fib_event_queue;
 spinlock_t fib_event_queue_lock; /* Protects fib event queue list */
 struct mutex nh_lock; /* Protects NH HT */
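Review bot: The added `struct work_struct fib_flush_work;` repeats the member declared on the context line directly above it, and a struct cannot declare the same member name twice, so `struct nsim_fib_data` will not compile with this hunk applied. The same duplication runs through the rest of the patch: in `nsim_fib_flush_work` every context line gets a `+` copy interleaved with it (two signatures in a row, then `{ {`), and in `nsim_fib_create` and `nsim_fib_destroy` the `cancel_work_sync(&data->fib_flush_work);` call is added next to an identical existing call. Since the field, the work function and both cancel calls already appear as context, the fix being ported looks to be present in this tree already; if that is confirmed, the patch should be dropped rather than applied.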
@@ -1499,23 +1500,41 @@ static void nsim_fib_event_work(struct work_struct *work) } static void nsim_fib_flush_work(struct work_struct *work) +static void nsim_fib_flush_work(struct work_struct *work) +{ { struct nsim_fib_data *data = container_of(work, struct nsim_fib_data, + struct nsim_fib_data *data = container_of(work, struct nsim_fib_data, + fib_flush_work); fib_flush_work); struct nsim_fib_rt *fib_rt, *fib_rt_tmp; + struct nsim_fib_rt *fib_rt, *fib_rt_tmp; + + /* Process pending work. */ /* Process pending work. */ flush_work(&data->fib_event_work); + flush_work(&data->fib_event_work); + + mutex_lock(&data->fib_lock); mutex_lock(&data->fib_lock); list_for_each_entry_safe(fib_rt, fib_rt_tmp, &data->fib_rt_list, list) { + list_for_each_entry_safe(fib_rt, fib_rt_tmp, &data->fib_rt_list, list) { + rhashtable_remove_fast(&data->fib_rt_ht, &fib_rt->ht_node, rhashtable_remove_fast(&data->fib_rt_ht, &fib_rt->ht_node, nsim_fib_rt_ht_params); + nsim_fib_rt_ht_params); nsim_fib_rt_free(fib_rt, data); + nsim_fib_rt_free(fib_rt, data); + } } mutex_unlock(&data->fib_lock); + mutex_unlock(&data->fib_lock); +} } + static int nsim_fib_debugfs_init(struct nsim_fib_data *data, struct nsim_dev *nsim_dev) { @@ -1625,6 +1644,7 @@ struct nsim_fib_data *nsim_fib_create(struct devlink *devlink, err_nexthop_nb_unregister: unregister_nexthop_notifier(devlink_net(devlink), &data->nexthop_nb); err_rhashtable_fib_destroy: + cancel_work_sync(&data->fib_flush_work); cancel_work_sync(&data->fib_flush_work); flush_work(&data->fib_event_work); rhashtable_free_and_destroy(&data->fib_rt_ht, nsim_fib_rt_free, 
@@ -1656,6 +1676,7 @@ void nsim_fib_destroy(struct devlink *devlink, struct nsim_fib_data *data)
 unregister_fib_notifier(devlink_net(devlink), &data->fib_nb);
 unregister_nexthop_notifier(devlink_net(devlink), &data->nexthop_nb);
 cancel_work_sync(&data->fib_flush_work);
+ cancel_work_sync(&data->fib_flush_work);
 flush_work(&data->fib_event_work);
 rhashtable_free_and_destroy(&data->fib_rt_ht, nsim_fib_rt_free,
 data);
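Review bot: The teardown sequence in `nsim_fib_destroy` has no comment explaining why `cancel_work_sync(&data->fib_flush_work);` has to come before `flush_work(&data->fib_event_work);` and the `rhashtable_free_and_destroy()` call, which is the ordering any use-after-free fix in this path would rely on. I would add `/* Notifiers are already unregistered; stop the flush work before draining fib_event_work and freeing fib_rt_ht. */` above the existing call. Whether `fib_event_work` can queue `fib_flush_work` again is not visible in this hunk; if it can, the cancel would need to follow the `flush_work()` call instead. The function body starts and ends outside the hunk.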