Re: [PATCH v2 0/2] net/netvsc: runtime queue reconfiguration and fixes

[Stephen Hemminger <stephen@networkplumber.org>]

On Wed, 25 Feb 2026 20:24:12 -0800
Long Li <longli@microsoft.com> wrote:

> This series adds support for runtime queue count reconfiguration in the
> netvsc PMD, along with a prerequisite bug fix.
> 
> Patch 1 fixes a pre-existing subchannel resource leak in
> eth_hn_dev_uninit() where subchannels are never closed before the
> primary channel.
> 
> Patch 2 adds runtime queue count reconfiguration via port
> stop/configure/start, with full NVS/RNDIS session teardown and reinit
> when the queue count changes.
> 
> v2:
> - Split subchannel leak fix into separate patch with Fixes tag (patch 1)
> - Fix reinit_failed recovery: re-map device before chan_open when device
>   is unmapped to prevent undefined behavior on unmapped ring buffers
> - Move hn_rndis_conf_offload() to after reinit block so offload config
>   targets the final RNDIS session instead of being lost on teardown
> - Use write lock in hn_vf_tx/rx_queue_release() to prevent race with
>   concurrent fast-path readers holding read lock
> - Reset RSS indirection table to queue 0 in subchan_cleanup error path
> - Fix multi-line comment style to follow DPDK convention
> 
> Long Li (2):
>   net/netvsc: fix subchannel leak on device removal
>   net/netvsc: support runtime queue count reconfiguration
> 
>  drivers/net/netvsc/hn_ethdev.c | 181 +++++++++++++++++++++++++++++++--
>  drivers/net/netvsc/hn_vf.c     |  16 +--
>  2 files changed, 181 insertions(+), 16 deletions(-)
> 

After a couple of cycles with Claude, reduced the issues to more concise summary.
Work is still needed.

---



## Patch 1: "fix subchannel leak on device removal"

Adds a loop in `eth_hn_dev_uninit` to close subchannels before closing the primary channel. This fixes a real resource leak I didn't explicitly call out (subchannels allocated in `hn_subchan_configure` were never closed on removal).

## Patch 2: "support runtime queue count reconfiguration"

Major rework of `hn_dev_configure` to support changing queue counts at runtime, plus TX drain in `hn_dev_stop`, plus write-lock fix in VF queue release.

---

## Re-evaluation of my original findings

### Finding #1: Double-free of `hv->primary` — STILL PRESENT

Neither patch changes this. The flow is still:

1. `eth_hn_dev_uninit` → `hn_dev_close` → `hn_dev_free_queues` which calls `hn_rx_queue_free(rxq, false)` — this frees `hv->primary` via `hn_rx_queue_free_common`
2. `eth_hn_dev_uninit` then does `rte_free(hv->primary)` at line 1448 — double-free

### Finding #2: Init error path leaks `hv->primary` and `channels[0]` — STILL PRESENT

The `failed:` label in `eth_hn_dev_init` still only calls `hn_chim_uninit` and `hn_detach`. It never frees `hv->primary` or closes `hv->channels[0]`.

### Finding #3: `hv->primary` alloc failure leaks `channels[0]` — STILL PRESENT

Lines 1376-1380 are untouched.

### Finding #4: `max_chan <= 0` jumps to `failed` with `err` possibly zero — STILL PRESENT

Lines 1406-1407 are untouched. `err` is 0 from the successful `hn_rndis_get_eaddr` call, so the `failed:` path tears down the device and returns success.

### Finding #5: `hn_dev_start` leaks event callback on rxfilter failure — STILL PRESENT

Lines 1035-1047 are untouched.

---

## New issues introduced by Patch 2

### New Issue A: `hn_dev_configure` reinit path doesn't update `hv->primary->chan`

When the reinit path closes the primary channel and opens a new one (lines in the patch around `rte_vmbus_chan_close(hv->channels[0])` ... `rte_vmbus_chan_open(hv->vmbus, &hv->channels[0])`), the `hv->primary` rx queue struct still holds a stale `chan` pointer from the old channel. `hv->primary->chan` was set during `hn_rx_queue_alloc` at init time and is never updated here. The next control operation using `hv->primary` (which uses `hn_primary_chan(hv)` indirectly through `hn_nvs_execute` → `rxq->ring_lock`) would operate on the new channel correctly because `hn_primary_chan()` reads from `hv->channels[0]`, but `hv->primary->chan` is stale. This matters if anything uses `rxq->chan` directly for the primary queue.

### New Issue B: `hn_chim_uninit`/`hn_chim_init` not called during reinit

The reinit path in `hn_dev_configure` calls `hn_detach` (which calls `hn_nvs_detach` → `hn_nvs_disconn_rxbuf` + `hn_nvs_disconn_chim`) and then `hn_attach` (which calls `hn_nvs_attach` → `hn_nvs_conn_chim`). After reinit, `hv->chim_cnt` and `hv->chim_szmax` get updated by `hn_nvs_conn_chim`, but the chimney bitmap (`hv->chim_bmap`) still reflects the old allocation state. If `chim_cnt` changes across the reinit, the bitmap is the wrong size. This could lead to out-of-bounds bitmap access.

### New Issue C: `reinit_failed` recovery doesn't restore `hv->primary->rxbuf_info`

When `hn_attach` succeeds in the reinit path, `hn_nvs_conn_rxbuf` allocates a *new* `rxbuf_info` for `hv->primary`. But `hn_detach` (called earlier) doesn't free the old `rxbuf_info`. So the old one leaks, and the pointer is overwritten. In the recovery path, if `hn_attach` succeeds there too, another `rxbuf_info` is allocated, leaking the previous one.

### New Issue D: VF queue release NULL-sets VF queues but VF setup doesn't re-set them

In `hn_vf_tx_queue_release`, the patch adds `vf_dev->data->tx_queues[queue_id] = NULL`. This is good for preventing use-after-free. However, the corresponding `hn_vf_tx_queue_setup` calls `rte_eth_tx_queue_setup` on the VF which internally sets the VF's queue pointer. So this should be fine on re-setup — not a bug, just noting the asymmetry is intentional.

---

## Summary

All five original findings remain unfixed by these patches. The patches address different (legitimate) problems: subchannel leaks and runtime queue reconfig. The most critical outstanding issue is still the double-free of `hv->primary` (#1), and the new reinit path in Patch 2 introduces potential concerns around stale chimney bitmap state (#B) and leaked `rxbuf_info` (#C).