Re: [PATCH bpf-next v2 5/7] mm: introduce BPF kfunc to access memory events

Next message: Ajay Garg: "Re: A lingering doubt on PCI-MMIO region of PCI-passthrough-device"
Previous message: Michal Pecio: "Re: [PATCH] usb: xhci: check Null pointer in segment alloc"
In reply to: Roman Gushchin: "Re: [PATCH bpf-next v2 5/7] mm: introduce BPF kfunc to access memory events"
Next in thread: Roman Gushchin: "Re: [PATCH bpf-next v2 5/7] mm: introduce BPF kfunc to access memory events"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Chris Mason

Date: Sat Dec 20 2025 - 08:20:52 EST

On 12/19/25 11:41 PM, Roman Gushchin wrote:
> bot+bpf-ci@xxxxxxxxxx writes:
>
>>> diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
>>> index d84fe6f3ed43..858eb43766ce 100644
>>> --- a/mm/bpf_memcontrol.c
>>> +++ b/mm/bpf_memcontrol.c
>>> @@ -103,6 +103,22 @@ __bpf_kfunc unsigned long bpf_mem_cgroup_usage(struct mem_cgroup *memcg)
>>> return mem_cgroup_usage(memcg, false) * PAGE_SIZE;
>>> }
>>>
>>> +/**
>>> + * bpf_mem_cgroup_memory_events - Read memory cgroup's memory event value
>>> + * @memcg: memory cgroup
>>> + * @event: memory event id
>>> + *
>>> + * Returns current memory event count.
>>> + */
>>> +__bpf_kfunc unsigned long bpf_mem_cgroup_memory_events(struct mem_cgroup *memcg,
>>> + enum memcg_memory_event event)
>>> +{
>>> + if (event >= MEMCG_NR_MEMORY_EVENTS)
>>> + return (unsigned long)-1;
>>
>> Should this also check for negative values? The enum type is typically
>> signed, so a BPF program passing a negative event value would pass this
>> check but cause an out-of-bounds read from memcg->memory_events[].
>>
>> The similar bpf_mem_cgroup_page_state() in this same file uses:
>>
>> if (idx < 0 || idx >= MEMCG_NR_STAT)
>>
>> which checks both bounds. Could the check here be changed to:
>>
>> if (event < 0 || event >= MEMCG_NR_MEMORY_EVENTS)
>>
>> to match that pattern?
>
> No, the bpf verifier enforces event > 0.
> It's a false positive.

I'll add some words here to the bpf prompts, thanks Roman.

-chris