Re: [PATCH bpf-next v1 5/6] mm: introduce BPF kfunc to access memory events

Next message: Gustavo A. R. Silva: "Re: [PATCH][next] RDMA/rxe: Avoid -Wflex-array-member-not-at-end warnings"
Previous message: Troy Mitchell: "Re: [PATCH v8 2/3] clock: eswin: Add eic7700 clock driver"
In reply to: bot+bpf-ci: "Re: [PATCH bpf-next v1 5/6] mm: introduce BPF kfunc to access memory events"
Next in thread: Shakeel Butt: "Re: [PATCH bpf-next v1 5/6] mm: introduce BPF kfunc to access memory events"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Roman Gushchin

Date: Thu Dec 18 2025 - 21:51:35 EST

bot+bpf-ci@xxxxxxxxxx writes:

>> diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
>> index 4d9d7d909f6c..75076d682f75 100644
>> --- a/mm/bpf_memcontrol.c
>> +++ b/mm/bpf_memcontrol.c
>
> [ ... ]
>
>> +__bpf_kfunc unsigned long bpf_mem_cgroup_memory_events(struct mem_cgroup *memcg,
>> + enum memcg_memory_event event)
>> +{
>> + if (event >= MEMCG_NR_MEMORY_EVENTS)
>> + return (unsigned long)-1;
>> +
>> + return atomic_long_read(&memcg->memory_events[event]);
>> +}
>
> Could this cause an out-of-bounds access if a BPF program passes a negative
> value for event? The enum type is signed, so if event is -1, the check
> "event >= MEMCG_NR_MEMORY_EVENTS" would evaluate to false (-1 >= 10 is
> false), allowing access to memcg->memory_events[-1].
>
> The existing bpf_mem_cgroup_page_state() in the same file uses both lower
> and upper bound checks:
>
> if (idx < 0 || idx >= MEMCG_NR_STAT)
> return (unsigned long)-1;
>
> Should bpf_mem_cgroup_memory_events() follow the same pattern with:
>
> if (event < 0 || event >= MEMCG_NR_MEMORY_EVENTS)

Same here: the check is enforced by the bpf verifier based on the type
information. Not a real issue.