CVE-2026-31691

In the Linux kernel, the following vulnerability has been resolved:

igb: remove napisynchronize() in igbdown()

When an AFXDP zero-copy application terminates abruptly (e.g., kill -9), the XSK buffer pool is destroyed but NAPI polling continues. igbcleanrxirqzc() repeatedly returns the full budget, preventing napicompletedone() from clearing NAPISTATE_SCHED.

igbdown() calls napisynchronize() before napidisable() for each queue vector. napisynchronize() spins waiting for NAPISTATESCHED to clear, which never happens. igb_down() blocks indefinitely, the TX watchdog fires, and the TX queue remains permanently stalled.

napidisable() already handles this correctly: it sets NAPISTATE_DISABLE. After a full-budget poll, __napipoll() checks napidisablepending(). If set, it forces completion and clears NAPISTATESCHED, breaking the loop that napisynchronize() cannot.

napisynchronize() was added in commit 41f149a285da ("igb: Fix possible panic caused by Rx traffic arrival while interface is down"). napidisable() provides stronger guarantees: it prevents further scheduling and waits for any active poll to exit. Other Intel drivers (ixgbe, ice, i40e) use napidisable() without a preceding napisynchronize() in their down paths.

Remove redundant napisynchronize() call and reorder napidisable() before igbsetqueue_napi() so the queue-to-NAPI mapping is only cleared after polling has fully stopped.