Commit f72eed9b84fb for kernel

commit f72eed9b84fb771019a955908132410a9ba9ea3f
Author: Yuqi Xu <xuyq21@lenovo.com>
Date:   Wed May 27 11:48:15 2026 +0800

    bpf: sockmap: fix tail fragment offset in bpf_msg_push_data

    When bpf_msg_push_data() inserts data in the middle of a scatterlist
    entry, it splits the original entry into a left fragment and a right
    fragment.

    The right fragment offset is page-local, but the code advances it with
    `start`, which is the message-global insertion point. For inserts into a
    non-first SG entry, this over-advances the offset and leaves the split
    layout inconsistent.

    Advance the right fragment offset by the fragment-local delta,
    `start - offset`, which matches the length removed from the front of the
    original entry.

    Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
    Cc: stable@kernel.org
    Reported-by: Yuan Tan <yuantan098@gmail.com>
    Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
    Reported-by: Xin Liu <bird@lzu.edu.cn>
    Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
    Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
    Link: https://patch.msgid.link/8b129d10566aa3eb43f61a8f9757bcf51707d324.1779636774.git.xuyq21@lenovo.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/core/filter.c b/net/core/filter.c
index 9590877b0714..80439767e0ee 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2869,7 +2869,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_msg *, msg, u32, start,

 		psge->length = start - offset;
 		rsge.length -= psge->length;
-		rsge.offset += start;
+		rsge.offset += start - offset;

 		sk_msg_iter_var_next(i);
 		sg_unmark_end(psge);