From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp1.cs.Stanford.EDU (smtp1.cs.stanford.edu [171.64.64.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 880F21DF75B for ; Tue, 12 May 2026 18:20:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=171.64.64.25 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778610004; cv=none; b=hz52MfGw3U8g6w8ARp/ZzUVh/9VWRi1X3byrxFF6qBnWIx304LM+UkRjRLkdNLZAcjvh5DSWgrFFXgKqvtBDbwNA5r7FYmz7QxUeEo/j1e43y6nOB8yysNTP05IoG4tPPNOxjSZQ9DjpkI5Hmi6bq67CQRjFenIthLC/M5FKGhc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778610004; c=relaxed/simple; bh=tfNpXWH9erqxskPprmbwJkZT05sswvIzxHbqpsZhTbQ=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=d8YST5/XlyyPSpbMr2fdk5BfnXkF3Nu6DsLa5n42qVgF6hDOiDvqTNuy2tT3NmJjgy5tufJMZirGacJ5hQgMBtg02s4iLt/dgvWhHqpqI1OO/5ctm/hANuczNH8FwM+ROtd689CFj+sTpYKsBbZRy8vBzj+9NavWtTPIB7c5JPI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=cs.stanford.edu; spf=pass smtp.mailfrom=cs.stanford.edu; dkim=pass (2048-bit key) header.d=cs.stanford.edu header.i=@cs.stanford.edu header.b=WSu1buYe; arc=none smtp.client-ip=171.64.64.25 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=cs.stanford.edu Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cs.stanford.edu Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cs.stanford.edu header.i=@cs.stanford.edu header.b="WSu1buYe" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=cs.stanford.edu; s=cs2308; h=Content-Transfer-Encoding:MIME-Version: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=9EMCSMOi07l+ZnuteFa+6ZsS8B0SIfV/WFo73CXQMS4=; t=1778610003; x=1779474003; b=WSu1buYeXDAYSsLSPMpKrokRAg58bMO/0mOJWhMU5XN/Zhw7BGkqTpdYC/oNvp6lKzwrAM/cwOS NWMSF1elmeLrE+Yn+DW6jbTzq8Kh2rvQDllxzMebltcPjFY//L60ID23hrgX+eaqsS3H5uEysdu6+ +QDORwmVhAnAZhTYVjlpfFrXypoRQJ54hvejetlpvsqFTnUl1VqPEFMslaCkVgi/y8EYMiwxrrG9I ZpKQ59INJeH/C3k4ekDRcPDSFCe65T7ylsEz2DNBrod0+V5SdeWJD7ZAejT68NkwhC70a9f2SD4b1 Viv1GYIe5Zjk3UFCA3axuKYVnxn9f+nvDTHA==; Received: from ouster448.stanford.edu ([172.24.72.71]:57789 helo=cs.stanford.edu) by smtp1.cs.Stanford.EDU with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1wMri5-0004dE-T7; Tue, 12 May 2026 11:20:02 -0700 From: John Ousterhout To: stable@vger.kernel.org Cc: anthony.l.nguyen@intel.com, intel-wired-lan@lists.osuosl.org, przemyslaw.kitszel@intel.com, netdev@vger.kernel.org, jacob.e.keller@intel.com, John Ousterhout Subject: [PATCH net v3] ice: fix packet corruption due to extraneous page flip Date: Tue, 12 May 2026 11:19:53 -0700 Message-ID: <20260512181953.1689-1-ouster@cs.stanford.edu> X-Mailer: git-send-email 2.51.0 Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -101.1 X-Scan-Signature: 0858a923cc4ba3562bb802375c61c59b Consider the following sequence of events: * The bottom half of a buffer page is filled with data from packet A. The page has a net reference count (reference count - bias) of 1. The page is returned to the NIC, flipped to use the top half. * Before the reference on the page is released, the NIC returns the page with no data in it ('size' is zero in ice_clean_rx_irq). In this case the bias does not get decremented. The page still has a net reference count of 1, so it gets returned to the NIC. However, ice_put_rx_mbuf flipped the page so that the bottom half is active. * If the NIC stores another packet in the page before packet A has released its reference, the data in packet A will be overwritten with data from the new packet. * Unfortunately zero-length buffers occur frequently: they seem to occur whenever a packet uses every available byte in a buffer, ending precisely at the end of the buffer. When this happens the NIC seems to generate an extra zero-length buffer. The fix is for ice_put_rx_mbuf not to flip pages that have a size of 0. This patch applies directly to longterm stable versions 6.18.27 and 6.12.86; it also seems relevant for 6.6.137 but would need modifcations for that version. I have not examined earlier versions. Unfortunately there is no upstream commit id for this patch because the ICE driver has undergone a major revision (libeth refactor and pagepool conversion) that eliminated the buggy code. Thus the problem no longer exists in the main line. Cc: stable@vger.kernel.org # 6.12+ Signed-off-by: John Ousterhout --- drivers/net/ethernet/intel/ice/ice_txrx.c | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c index 51c459a3e722..081c7a7392b7 100644 --- a/drivers/net/ethernet/intel/ice/ice_txrx.c +++ b/drivers/net/ethernet/intel/ice/ice_txrx.c @@ -1215,6 +1215,13 @@ static void ice_put_rx_mbuf(struct ice_rx_ring *rx_ring, struct xdp_buff *xdp, xdp_frags = xdp_get_shared_info_from_buff(xdp)->nr_frags; while (idx != ntc) { + union ice_32b_rx_flex_desc *rx_desc; + unsigned int size; + + rx_desc = ICE_RX_DESC(rx_ring, idx); + size = le16_to_cpu(rx_desc->wb.pkt_len) & + ICE_RX_FLX_DESC_PKT_LEN_M; + buf = &rx_ring->rx_buf[idx]; if (++idx == cnt) idx = 0; @@ -1224,10 +1231,20 @@ static void ice_put_rx_mbuf(struct ice_rx_ring *rx_ring, struct xdp_buff *xdp, * To do this, only adjust pagecnt_bias for fragments up to * the total remaining after the XDP program has run. */ - if (verdict != ICE_XDP_CONSUMED) - ice_rx_buf_adjust_pg_offset(buf, xdp->frame_sz); - else if (i++ <= xdp_frags) + if (verdict != ICE_XDP_CONSUMED) { + /* Don't "flip" the page if size is 0: in this case + * the data in the current half will not be used so + * it's OK to reuse that half. And, since the bias + * didn't get decremented for this half, the page can + * be returned to the NIC even if the other half is + * still in use, so flipping the page could cause + * live packet data to be overwritten. + */ + if (size != 0) + ice_rx_buf_adjust_pg_offset(buf, xdp->frame_sz); + } else if (i++ <= xdp_frags) { buf->pagecnt_bias++; + } ice_put_rx_buf(rx_ring, buf); } -- 2.43.0