> diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
> index 4d9d7d909f6c..75076d682f75 100644
> --- a/mm/bpf_memcontrol.c
> +++ b/mm/bpf_memcontrol.c

[ ... ]

> +__bpf_kfunc unsigned long bpf_mem_cgroup_memory_events(struct mem_cgroup *memcg,
> +						enum memcg_memory_event event)
> +{
> +	if (event >= MEMCG_NR_MEMORY_EVENTS)
> +		return (unsigned long)-1;
> +
> +	return atomic_long_read(&memcg->memory_events[event]);
> +}

Could this cause an out-of-bounds access if a BPF program passes a negative
value for event? The enum type is signed, so if event is -1, the check
"event >= MEMCG_NR_MEMORY_EVENTS" would evaluate to false (-1 >= 10 is
false), allowing access to memcg->memory_events[-1].

The existing bpf_mem_cgroup_page_state() in the same file uses both lower
and upper bound checks:

    if (idx < 0 || idx >= MEMCG_NR_STAT)
        return (unsigned long)-1;

Should bpf_mem_cgroup_memory_events() follow the same pattern with:

    if (event < 0 || event >= MEMCG_NR_MEMORY_EVENTS)

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20357445962