Commit f72eed9b authored May 27, 2026 by Yuqi Xu Committed by Jakub Kicinski May 29, 2026

bpf: sockmap: fix tail fragment offset in bpf_msg_push_data



When bpf_msg_push_data() inserts data in the middle of a scatterlist
entry, it splits the original entry into a left fragment and a right
fragment.

The right fragment offset is page-local, but the code advances it with
`start`, which is the message-global insertion point. For inserts into a
non-first SG entry, this over-advances the offset and leaves the split
layout inconsistent.

Advance the right fragment offset by the fragment-local delta,
`start - offset`, which matches the length removed from the front of the
original entry.

Fixes: 6fff607e ("bpf: sk_msg program helper bpf_msg_push_data")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/8b129d10566aa3eb43f61a8f9757bcf51707d324.1779636774.git.xuyq21@lenovo.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 1e584c30

net/core/filter.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2869,7 +2869,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_msg *, msg, u32, start,

		psge->length = start - offset;
		rsge.length -= psge->length;
		rsge.offset += start;
		rsge.offset += start - offset;

		sk_msg_iter_var_next(i);
		sg_unmark_end(psge);