Re: [PATCH bpf-next v1 5/6] mm: introduce BPF kfunc to access memory events

Next message: Menglong Dong: " Re: [PATCH bpf-next v3 3/6] bpf: fix the usage of BPF_TRAMP_F_SKIP_FRAME"
Previous message: Xu Yang: "Re: [PATCH v2] phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using it"
In reply to: Roman Gushchin: "[PATCH bpf-next v1 5/6] mm: introduce BPF kfunc to access memory events"
Next in thread: Roman Gushchin: "Re: [PATCH bpf-next v1 5/6] mm: introduce BPF kfunc to access memory events"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: bot+bpf-ci

Date: Thu Dec 18 2025 - 21:21:41 EST

> diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
> index 4d9d7d909f6c..75076d682f75 100644
> --- a/mm/bpf_memcontrol.c
> +++ b/mm/bpf_memcontrol.c

[ ... ]

> +__bpf_kfunc unsigned long bpf_mem_cgroup_memory_events(struct mem_cgroup *memcg,
> + enum memcg_memory_event event)
> +{
> + if (event >= MEMCG_NR_MEMORY_EVENTS)
> + return (unsigned long)-1;
> +
> + return atomic_long_read(&memcg->memory_events[event]);
> +}

Could this cause an out-of-bounds access if a BPF program passes a negative
value for event? The enum type is signed, so if event is -1, the check
"event >= MEMCG_NR_MEMORY_EVENTS" would evaluate to false (-1 >= 10 is
false), allowing access to memcg->memory_events[-1].

The existing bpf_mem_cgroup_page_state() in the same file uses both lower
and upper bound checks:

if (idx < 0 || idx >= MEMCG_NR_STAT)
return (unsigned long)-1;

Should bpf_mem_cgroup_memory_events() follow the same pattern with:

if (event < 0 || event >= MEMCG_NR_MEMORY_EVENTS)

[ ... ]

---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20357445962