{"id":"CVE-2026-31691","summary":"igb: remove napi_synchronize() in igb_down()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nigb: remove napi_synchronize() in igb_down()\n\nWhen an AF_XDP zero-copy application terminates abruptly (e.g., kill -9),\nthe XSK buffer pool is destroyed but NAPI polling continues.\nigb_clean_rx_irq_zc() repeatedly returns the full budget, preventing\nnapi_complete_done() from clearing NAPI_STATE_SCHED.\n\nigb_down() calls napi_synchronize() before napi_disable() for each queue\nvector. napi_synchronize() spins waiting for NAPI_STATE_SCHED to clear,\nwhich never happens. igb_down() blocks indefinitely, the TX watchdog\nfires, and the TX queue remains permanently stalled.\n\nnapi_disable() already handles this correctly: it sets NAPI_STATE_DISABLE.\nAfter a full-budget poll, __napi_poll() checks napi_disable_pending(). If\nset, it forces completion and clears NAPI_STATE_SCHED, breaking the loop\nthat napi_synchronize() cannot.\n\nnapi_synchronize() was added in commit 41f149a285da (\"igb: Fix possible\npanic caused by Rx traffic arrival while interface is down\").\nnapi_disable() provides stronger guarantees: it prevents further\nscheduling and waits for any active poll to exit.\nOther Intel drivers (ixgbe, ice, i40e) use napi_disable() without a\npreceding napi_synchronize() in their down paths.\n\nRemove redundant napi_synchronize() call and reorder napi_disable()\nbefore igb_set_queue_napi() so the queue-to-NAPI mapping is only\ncleared after polling has fully stopped.","modified":"2026-06-02T18:29:08.460156646Z","published":"2026-04-27T17:34:29.738Z","related":["SUSE-SU-2026:21841-1","SUSE-SU-2026:21845-1","SUSE-SU-2026:21860-1","openSUSE-SU-2026:20826-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31691.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/27f5997686ee7fb7ac01be72b2010f168a3409fc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4700471775746058c962ded6e659bf908fd76e13"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b1e067240379f950a0022208e0685f3465c211cb"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31691.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31691"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2c6196013f84651772388a86dfd4bb033d0c0d45"},{"fixed":"4700471775746058c962ded6e659bf908fd76e13"},{"fixed":"27f5997686ee7fb7ac01be72b2010f168a3409fc"},{"fixed":"b1e067240379f950a0022208e0685f3465c211cb"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31691.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.14.0"},{"fixed":"6.18.23"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.13"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31691.json"}}],"schema_version":"1.7.5"}