* [PATCH net 1/1] bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
From: Ren Wei @ 2026-05-27 3:48 UTC
To: bpf, netdev
Cc: martin.lau, daniel, john.fastabend, sdf, ast, andrii, eddyz87,
memxor, song, yonghong.song, jolsa, yuantan098, zcliangcn, bird,
xuyq21, n05ec
From: Yuqi Xu <xuyq21@lenovo.com>
When bpf_msg_push_data() inserts data in the middle of a scatterlist
entry, it splits the original entry into a left fragment and a right
fragment.
The right fragment offset is page-local, but the code advances it with
`start`, which is the message-global insertion point. For inserts into a
non-first SG entry, this over-advances the offset and leaves the split
layout inconsistent.
Advance the right fragment offset by the fragment-local delta,
`start - offset`, which matches the length removed from the front of the
original entry.
Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
net/core/filter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 80a3b702a2d4..d8e637f35f68 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2860,7 +2860,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_msg *, msg, u32, start,
psge->length = start - offset;
rsge.length -= psge->length;
- rsge.offset += start;
+ rsge.offset += start - offset;
sk_msg_iter_var_next(i);
sg_unmark_end(psge);
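Review bot: On the changed line `rsge.offset += start - offset;`, the delta is the same value stored two lines earlier in `psge->length`, so `rsge.offset += psge->length;` would tie the offset and length adjustments of the right fragment to one quantity and make the split invariant readable at a glance. The changelog says the old code "leaves the split layout inconsistent" without naming the observable effect; since this carries Cc: stable, a sentence on what a consumer of the right fragment sees, plus a selftest that pushes into a non-first SG entry, would help backporters assess it.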
--
2.54.0
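The split arithmetic from the commit message, as an added user-space model that is not kernel code and not part of the patch. `struct sge`, `find_entry`, `split_right` and `tail_consistent` are hypothetical names, and the two-entry message is constructed sample data.

```c
#include <stdio.h>

/* Hypothetical stand-in for a scatterlist entry; offset is page-local. */
struct sge { unsigned int offset, length; };

/* Find the entry holding message-global byte `start`. On success *base is
 * the message-global position at which that entry begins. */
static int find_entry(const struct sge *sg, int n, unsigned int start,
                      unsigned int *base)
{
    unsigned int off = 0;
    for (int i = 0; i < n; i++) {
        if (start < off + sg[i].length) {
            *base = off;
            return i;
        }
        off += sg[i].length;
    }
    return -1;
}

/* Right fragment of a split at `start`. fixed == 0 models the old
 * `rsge.offset += start`; fixed != 0 models `rsge.offset += start - offset`. */
static struct sge split_right(const struct sge *sg, int n, unsigned int start,
                              int fixed)
{
    struct sge r = {0, 0};
    unsigned int base;
    int i = find_entry(sg, n, start, &base);
    if (i < 0)
        return r;
    unsigned int left_len = start - base;   /* bytes kept by the left fragment */
    r = sg[i];
    r.length -= left_len;
    r.offset += fixed ? left_len : start;
    return r;
}

/* Invariant: the right fragment must end where the original entry ended. */
static int tail_consistent(const struct sge *orig, const struct sge *right)
{
    return right->offset + right->length == orig->offset + orig->length;
}

int main(void)
{
    struct sge sg[2] = { {0, 100}, {64, 200} };   /* constructed sample */
    struct sge bad = split_right(sg, 2, 150, 0), good = split_right(sg, 2, 150, 1);
    printf("old: off=%u ok=%d  new: off=%u ok=%d\n", bad.offset,
           tail_consistent(&sg[1], &bad), good.offset, tail_consistent(&sg[1], &good));
    return 0;
}
```

With the insertion point in the first entry the two formulas agree, which is why the defect only shows for non-first entries.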
* Re: [PATCH net 1/1] bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
From: John Fastabend @ 2026-05-27 14:47 UTC
To: Ren Wei
Cc: bpf, netdev, martin.lau, daniel, sdf, ast, andrii, eddyz87,
memxor, song, yonghong.song, jolsa, yuantan098, zcliangcn, bird,
xuyq21
On Wed, May 27, 2026 at 11:48:15AM +0800, Ren Wei wrote:
>From: Yuqi Xu <xuyq21@lenovo.com>
>
>When bpf_msg_push_data() inserts data in the middle of a scatterlist
>entry, it splits the original entry into a left fragment and a right
>fragment.
>
>The right fragment offset is page-local, but the code advances it with
>`start`, which is the message-global insertion point. For inserts into a
>non-first SG entry, this over-advances the offset and leaves the split
>layout inconsistent.
>
>Advance the right fragment offset by the fragment-local delta,
>`start - offset`, which matches the length removed from the front of the
>original entry.
>
>Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
>Cc: stable@kernel.org
>Reported-by: Yuan Tan <yuantan098@gmail.com>
>Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
>Reported-by: Xin Liu <bird@lzu.edu.cn>
>Assisted-by: Codex:GPT-5.4
>Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
>Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
>---
> net/core/filter.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Thanks.
Reviewed-by: John Fastabend <john.fastabend@gmail.com>