[PATCH net-next] net: Stop leased rxq before uninstalling its memory provider

[PATCH net-next] net: Stop leased rxq before uninstalling its memory provider

[Daniel Borkmann]

netif_rxq_cleanup_unlease() tears down the memory provider that was
installed on a physical RX queue through a netkit queue lease. It
currently revokes the provider's DMA mappings before stopping the
physical queue:

  __netif_mp_uninstall_rxq(virt_rxq, p);            /* DMA unmap */
  __netif_mp_close_rxq(phys_rxq->dev, rxq_idx, p);  /* queue stop */

This inverts the ordering used by the regular teardown paths (normal
device unregister and the io_uring zcrx close path), which stop the
queue before revoking the provider's mappings.

With the physical queue still live, its NAPI can keep consuming
net_iov entries from the page_pool alloc cache after the
__netif_mp_uninstall_rxq() has already cleared their dma_addr,
opening a window for the device to DMA to a stale or zero address.

Fix it by swapping the two calls so the queue is stopped (and its
NAPI quiesced) before the provider is uninstalled. No functional
regression was observed across repeated runs of the nk_qlease.py
HW selftest, which exercises the lease teardown path; this was
tested against fbnic QEMU emulation.

Fixes: 5602ad61ebee ("net: Proxy netif_mp_{open,close}_rxq for leased queues")
Reported-by: Ahmed Abdelmoemen <ahmedabdelmoumen05@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Bobby Eshleman <bobbyeshleman@meta.com>
Cc: David Wei <dw@davidwei.uk>
---
 net/core/netdev_rx_queue.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/core/netdev_rx_queue.c b/net/core/netdev_rx_queue.c
index de4dac4c88b3..00a7011eb4d5 100644
--- a/net/core/netdev_rx_queue.c
+++ b/net/core/netdev_rx_queue.c
@@ -338,12 +338,12 @@ void __netif_mp_uninstall_rxq(struct netdev_rx_queue *rxq,
 void netif_rxq_cleanup_unlease(struct netdev_rx_queue *phys_rxq,
 			       struct netdev_rx_queue *virt_rxq)
 {
-	struct pp_memory_provider_params *p = &phys_rxq->mp_params;
 	unsigned int rxq_idx = get_netdev_rx_queue_index(phys_rxq);
+	struct pp_memory_provider_params p = phys_rxq->mp_params;
 
-	if (!p->mp_ops)
+	if (!p.mp_ops)
 		return;
 
-	__netif_mp_uninstall_rxq(virt_rxq, p);
-	__netif_mp_close_rxq(phys_rxq->dev, rxq_idx, p);
+	__netif_mp_close_rxq(phys_rxq->dev, rxq_idx, &p);
+	__netif_mp_uninstall_rxq(virt_rxq, &p);
 }
-- 
2.43.0

Re: [PATCH net-next] net: Stop leased rxq before uninstalling its memory provider

[Bobby Eshleman]

On Tue, Jun 09, 2026 at 11:22:40PM +0200, Daniel Borkmann wrote:
> netif_rxq_cleanup_unlease() tears down the memory provider that was
> installed on a physical RX queue through a netkit queue lease. It
> currently revokes the provider's DMA mappings before stopping the
> physical queue:
> 
>   __netif_mp_uninstall_rxq(virt_rxq, p);            /* DMA unmap */
>   __netif_mp_close_rxq(phys_rxq->dev, rxq_idx, p);  /* queue stop */
> 
> This inverts the ordering used by the regular teardown paths (normal
> device unregister and the io_uring zcrx close path), which stop the
> queue before revoking the provider's mappings.
> 
> With the physical queue still live, its NAPI can keep consuming
> net_iov entries from the page_pool alloc cache after the
> __netif_mp_uninstall_rxq() has already cleared their dma_addr,
> opening a window for the device to DMA to a stale or zero address.
> 
> Fix it by swapping the two calls so the queue is stopped (and its
> NAPI quiesced) before the provider is uninstalled. No functional
> regression was observed across repeated runs of the nk_qlease.py
> HW selftest, which exercises the lease teardown path; this was
> tested against fbnic QEMU emulation.
> 
> Fixes: 5602ad61ebee ("net: Proxy netif_mp_{open,close}_rxq for leased queues")
> Reported-by: Ahmed Abdelmoemen <ahmedabdelmoumen05@gmail.com>
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> Cc: Bobby Eshleman <bobbyeshleman@meta.com>
> Cc: David Wei <dw@davidwei.uk>
> ---
>  net/core/netdev_rx_queue.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/net/core/netdev_rx_queue.c b/net/core/netdev_rx_queue.c
> index de4dac4c88b3..00a7011eb4d5 100644
> --- a/net/core/netdev_rx_queue.c
> +++ b/net/core/netdev_rx_queue.c
> @@ -338,12 +338,12 @@ void __netif_mp_uninstall_rxq(struct netdev_rx_queue *rxq,
>  void netif_rxq_cleanup_unlease(struct netdev_rx_queue *phys_rxq,
>  			       struct netdev_rx_queue *virt_rxq)
>  {
> -	struct pp_memory_provider_params *p = &phys_rxq->mp_params;
>  	unsigned int rxq_idx = get_netdev_rx_queue_index(phys_rxq);
> +	struct pp_memory_provider_params p = phys_rxq->mp_params;
>  
> -	if (!p->mp_ops)
> +	if (!p.mp_ops)
>  		return;
>  
> -	__netif_mp_uninstall_rxq(virt_rxq, p);
> -	__netif_mp_close_rxq(phys_rxq->dev, rxq_idx, p);
> +	__netif_mp_close_rxq(phys_rxq->dev, rxq_idx, &p);
> +	__netif_mp_uninstall_rxq(virt_rxq, &p);
>  }
> -- 
> 2.43.0
> 

Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>

Re: [PATCH net-next] net: Stop leased rxq before uninstalling its memory provider

[Nikolay Aleksandrov]

On 10/06/2026 00:22, Daniel Borkmann wrote:
> netif_rxq_cleanup_unlease() tears down the memory provider that was
> installed on a physical RX queue through a netkit queue lease. It
> currently revokes the provider's DMA mappings before stopping the
> physical queue:
> 
>    __netif_mp_uninstall_rxq(virt_rxq, p);            /* DMA unmap */
>    __netif_mp_close_rxq(phys_rxq->dev, rxq_idx, p);  /* queue stop */
> 
> This inverts the ordering used by the regular teardown paths (normal
> device unregister and the io_uring zcrx close path), which stop the
> queue before revoking the provider's mappings.
> 
> With the physical queue still live, its NAPI can keep consuming
> net_iov entries from the page_pool alloc cache after the
> __netif_mp_uninstall_rxq() has already cleared their dma_addr,
> opening a window for the device to DMA to a stale or zero address.
> 
> Fix it by swapping the two calls so the queue is stopped (and its
> NAPI quiesced) before the provider is uninstalled. No functional
> regression was observed across repeated runs of the nk_qlease.py
> HW selftest, which exercises the lease teardown path; this was
> tested against fbnic QEMU emulation.
> 
> Fixes: 5602ad61ebee ("net: Proxy netif_mp_{open,close}_rxq for leased queues")
> Reported-by: Ahmed Abdelmoemen <ahmedabdelmoumen05@gmail.com>
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> Cc: Bobby Eshleman <bobbyeshleman@meta.com>
> Cc: David Wei <dw@davidwei.uk>
> ---
>   net/core/netdev_rx_queue.c | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/net/core/netdev_rx_queue.c b/net/core/netdev_rx_queue.c
> index de4dac4c88b3..00a7011eb4d5 100644
> --- a/net/core/netdev_rx_queue.c
> +++ b/net/core/netdev_rx_queue.c
> @@ -338,12 +338,12 @@ void __netif_mp_uninstall_rxq(struct netdev_rx_queue *rxq,
>   void netif_rxq_cleanup_unlease(struct netdev_rx_queue *phys_rxq,
>   			       struct netdev_rx_queue *virt_rxq)
>   {
> -	struct pp_memory_provider_params *p = &phys_rxq->mp_params;
>   	unsigned int rxq_idx = get_netdev_rx_queue_index(phys_rxq);
> +	struct pp_memory_provider_params p = phys_rxq->mp_params;
>   
> -	if (!p->mp_ops)
> +	if (!p.mp_ops)
>   		return;
>   
> -	__netif_mp_uninstall_rxq(virt_rxq, p);
> -	__netif_mp_close_rxq(phys_rxq->dev, rxq_idx, p);
> +	__netif_mp_close_rxq(phys_rxq->dev, rxq_idx, &p);
> +	__netif_mp_uninstall_rxq(virt_rxq, &p);
>   }

Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>