Correct: this patch only applies to the ice driver before its conversion. The patch applies to versions 6.18.27 and 6.12.86. I believe the bug may also be present in 6.6.137, but the code has a slightly different structure there (the function ice_put_rx_mbuf doesn't yet exist in that version) so the patch would need to be reworked a bit.
This situation isn't all that rare. It isn't a zero-length packet that triggers it; it seems to happen if a packet uses every available byte in a buffer, ending precisely at the end of the buffer. When this happens, the NIC seems to generate an extra zero-length "buffer". This happens quite frequently (thousands of times per second in some of my workloads). What keeps corruption from happening constantly is that there is only a problem if the "other half" of the buffer page is still active when the 0-length buffer is received from the NIC. I suspect that with TCP this is pretty unlikely: packet buffers get recycled quickly. If the other half is not in use, then it doesn't matter whether the page gets "flipped" while processing the 0-length buffer. I ran into this problem because I was testing Homa under conditions that caused some packet buffers to stay alive for longer periods of time. -John- On Thu, May 7, 2026 at 3:11 PM Jacob Keller <[email protected]> wrote: > > On 5/7/2026 11:38 AM, John Ousterhout wrote: > > Note: major revisions to the ice driver make this patch irrelevant > > for recent versions. It applies to longterm stable versions > > 6.18.27 and 6.12.86; it also seems relevant for 6.6.137, but would > > need modifications for that version. I have not examined earlier > > versions > > > > From this description I take it this only applies to the ice driver > prior to its conversion to page pool? > > In that case, I think you need to Cc: [email protected] and include > the relevant versions you intend to target. > > I think this case is "unique" since there would not be an upstream > equivalent patch. But that is merely because we removed the faulty code > before it could be fixed. > > I'm not 100% sure whta method to follow since typical stable rules don't > really like taking patches that don't apply to mainline... > > Even with it being somewhat rare to get 0 size packet, it is not > impossible and packet corruption is a Big(TM) deal. > > Thanks, > Jake > > > Signed-off-by: John Ousterhout <[email protected]> > > --- > > drivers/net/ethernet/intel/ice/ice_txrx.c | 23 ++++++++++++++++++++--- > > 1 file changed, 20 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c > > b/drivers/net/ethernet/intel/ice/ice_txrx.c > > index 51c459a3e722..081c7a7392b7 100644 > > --- a/drivers/net/ethernet/intel/ice/ice_txrx.c > > +++ b/drivers/net/ethernet/intel/ice/ice_txrx.c > > @@ -1215,6 +1215,13 @@ static void ice_put_rx_mbuf(struct ice_rx_ring > > *rx_ring, struct xdp_buff *xdp, > > xdp_frags = xdp_get_shared_info_from_buff(xdp)->nr_frags; > > > > while (idx != ntc) { > > + union ice_32b_rx_flex_desc *rx_desc; > > + unsigned int size; > > + > > + rx_desc = ICE_RX_DESC(rx_ring, idx); > > + size = le16_to_cpu(rx_desc->wb.pkt_len) & > > + ICE_RX_FLX_DESC_PKT_LEN_M; > > + > > buf = &rx_ring->rx_buf[idx]; > > if (++idx == cnt) > > idx = 0; > > @@ -1224,10 +1231,20 @@ static void ice_put_rx_mbuf(struct ice_rx_ring > > *rx_ring, struct xdp_buff *xdp, > > * To do this, only adjust pagecnt_bias for fragments up to > > * the total remaining after the XDP program has run. > > */ > > - if (verdict != ICE_XDP_CONSUMED) > > - ice_rx_buf_adjust_pg_offset(buf, xdp->frame_sz); > > - else if (i++ <= xdp_frags) > > + if (verdict != ICE_XDP_CONSUMED) { > > + /* Don't "flip" the page if size is 0: in this case > > + * the data in the current half will not be used so > > + * it's OK to reuse that half. And, since the bias > > + * didn't get decremented for this half, the page can > > + * be returned to the NIC even if the other half is > > + * still in use, so flipping the page could cause > > + * live packet data to be overwritten. > > + */ > > + if (size != 0) > > + ice_rx_buf_adjust_pg_offset(buf, > > xdp->frame_sz); > > + } else if (i++ <= xdp_frags) { > > buf->pagecnt_bias++; > > + } > > > > ice_put_rx_buf(rx_ring, buf); > > } >
