[PATCH bpf-next v1 5/6] mm: introduce BPF kfunc to access memory events

Roman Gushchin posted 6 patches 1 month, 3 weeks ago
There is a newer version of this series
Posted by Roman Gushchin 1 month, 3 weeks ago
From: JP Kobryn <inwardvessel@gmail.com>

Introduce BPF kfunc to access memory events, e.g.:
MEMCG_LOW, MEMCG_MAX, MEMCG_OOM, MEMCG_OOM_KILL etc.

Signed-off-by: JP Kobryn <inwardvessel@gmail.com>
---
 mm/bpf_memcontrol.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
index 4d9d7d909f6c..75076d682f75 100644
--- a/mm/bpf_memcontrol.c
+++ b/mm/bpf_memcontrol.c
@@ -99,6 +99,22 @@ __bpf_kfunc unsigned long bpf_mem_cgroup_usage(struct mem_cgroup *memcg)
 	return page_counter_read(&memcg->memory) * PAGE_SIZE;
 }
 
+/**
+ * bpf_mem_cgroup_memory_events - Read memory cgroup's memory event value
+ * @memcg: memory cgroup
+ * @event: memory event id
+ *
+ * Returns current memory event count.
+ */
+__bpf_kfunc unsigned long bpf_mem_cgroup_memory_events(struct mem_cgroup *memcg,
+						enum memcg_memory_event event)
+{
+	if (event >= MEMCG_NR_MEMORY_EVENTS)
+		return (unsigned long)-1;
+
+	return atomic_long_read(&memcg->memory_events[event]);
+}
+
 /**
  * bpf_mem_cgroup_page_state - Read memory cgroup's page state counter
  * @memcg: memory cgroup
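Review bot: The kernel-doc for bpf_mem_cgroup_memory_events() says only "Returns current memory event count", but the body also returns (unsigned long)-1 when event >= MEMCG_NR_MEMORY_EVENTS; please document that sentinel so BPF callers know to test for it before using the value as a count. The range check itself covers only the upper bound: if the lower bound is meant to be guaranteed by the type of @event, a one-line comment saying so would save the next reader the question; otherwise extend it to "event < 0 || event >= MEMCG_NR_MEMORY_EVENTS".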
@@ -133,6 +149,7 @@ BTF_ID_FLAGS(func, bpf_get_mem_cgroup, KF_TRUSTED_ARGS | KF_ACQUIRE | KF_RET_NUL
 BTF_ID_FLAGS(func, bpf_put_mem_cgroup, KF_TRUSTED_ARGS | KF_RELEASE)
 
 BTF_ID_FLAGS(func, bpf_mem_cgroup_vm_events, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_mem_cgroup_memory_events, KF_TRUSTED_ARGS)
 BTF_ID_FLAGS(func, bpf_mem_cgroup_usage, KF_TRUSTED_ARGS)
 BTF_ID_FLAGS(func, bpf_mem_cgroup_page_state, KF_TRUSTED_ARGS)
 BTF_ID_FLAGS(func, bpf_mem_cgroup_flush_stats, KF_TRUSTED_ARGS | KF_SLEEPABLE)
-- 
2.52.0
Re: [PATCH bpf-next v1 5/6] mm: introduce BPF kfunc to access memory events
Posted by Shakeel Butt 1 month, 2 weeks ago
On Thu, Dec 18, 2025 at 05:57:49PM -0800, Roman Gushchin wrote:
> From: JP Kobryn <inwardvessel@gmail.com>
> 
> Introduce BPF kfunc to access memory events, e.g.:
> MEMCG_LOW, MEMCG_MAX, MEMCG_OOM, MEMCG_OOM_KILL etc.
> 
> Signed-off-by: JP Kobryn <inwardvessel@gmail.com>

Roman, you need to add your signoff as well.

Acked-by: Shakeel Butt <shakeel.butt@linux.dev>
Re: [PATCH bpf-next v1 5/6] mm: introduce BPF kfunc to access memory events
Posted by bot+bpf-ci@kernel.org 1 month, 3 weeks ago
> diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
> index 4d9d7d909f6c..75076d682f75 100644
> --- a/mm/bpf_memcontrol.c
> +++ b/mm/bpf_memcontrol.c

[ ... ]

> +__bpf_kfunc unsigned long bpf_mem_cgroup_memory_events(struct mem_cgroup *memcg,
> +						enum memcg_memory_event event)
> +{
> +	if (event >= MEMCG_NR_MEMORY_EVENTS)
> +		return (unsigned long)-1;
> +
> +	return atomic_long_read(&memcg->memory_events[event]);
> +}

Could this cause an out-of-bounds access if a BPF program passes a negative
value for event? The enum type is signed, so if event is -1, the check
"event >= MEMCG_NR_MEMORY_EVENTS" would evaluate to false (-1 >= 10 is
false), allowing access to memcg->memory_events[-1].

The existing bpf_mem_cgroup_page_state() in the same file uses both lower
and upper bound checks:

    if (idx < 0 || idx >= MEMCG_NR_STAT)
        return (unsigned long)-1;

Should bpf_mem_cgroup_memory_events() follow the same pattern with:

    if (event < 0 || event >= MEMCG_NR_MEMORY_EVENTS)

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20357445962
Re: [PATCH bpf-next v1 5/6] mm: introduce BPF kfunc to access memory events
Posted by Roman Gushchin 1 month, 3 weeks ago
bot+bpf-ci@kernel.org writes:

>> diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
>> index 4d9d7d909f6c..75076d682f75 100644
>> --- a/mm/bpf_memcontrol.c
>> +++ b/mm/bpf_memcontrol.c
>
> [ ... ]
>
>> +__bpf_kfunc unsigned long bpf_mem_cgroup_memory_events(struct mem_cgroup *memcg,
>> +						enum memcg_memory_event event)
>> +{
>> +	if (event >= MEMCG_NR_MEMORY_EVENTS)
>> +		return (unsigned long)-1;
>> +
>> +	return atomic_long_read(&memcg->memory_events[event]);
>> +}
>
> Could this cause an out-of-bounds access if a BPF program passes a negative
> value for event? The enum type is signed, so if event is -1, the check
> "event >= MEMCG_NR_MEMORY_EVENTS" would evaluate to false (-1 >= 10 is
> false), allowing access to memcg->memory_events[-1].
>
> The existing bpf_mem_cgroup_page_state() in the same file uses both lower
> and upper bound checks:
>
>     if (idx < 0 || idx >= MEMCG_NR_STAT)
>         return (unsigned long)-1;
>
> Should bpf_mem_cgroup_memory_events() follow the same pattern with:
>
>     if (event < 0 || event >= MEMCG_NR_MEMORY_EVENTS)

Same here: the check is enforced by the bpf verifier based on the type
information. Not a real issue.