> diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
> index 6d0d73bf0dd1..4d9d7d909f6c 100644
> --- a/mm/bpf_memcontrol.c
> +++ b/mm/bpf_memcontrol.c

[ ... ]

> +/**
> + * bpf_mem_cgroup_vm_events - Read memory cgroup's vm event counter
> + * @memcg: memory cgroup
> + * @event: event id
> + *
> + * Allows to read memory cgroup event counters.
> + */
> +__bpf_kfunc unsigned long bpf_mem_cgroup_vm_events(struct mem_cgroup *memcg,
> + enum vm_event_item event)
> +{
> + return memcg_events(memcg, event);
> +}

Should bpf_mem_cgroup_vm_events() validate the event parameter before passing it to memcg_events()?

The call chain is:

bpf_mem_cgroup_vm_events() -> memcg_events() -> memcg_events_index()

And memcg_events_index() does:

return mem_cgroup_events_index[idx];

where mem_cgroup_events_index is an array of size NR_VM_EVENT_ITEMS. If a BPF program passes event >= NR_VM_EVENT_ITEMS, this would be an out-of-bounds array read.

The sister function bpf_mem_cgroup_page_state() below validates its idx parameter before calling its callee:

> +/**
> + * bpf_mem_cgroup_page_state - Read memory cgroup's page state counter
> + * @memcg: memory cgroup
> + * @idx: counter idx
> + *
> + * Allows to read memory cgroup statistics. The output is in bytes.
> + */
> +__bpf_kfunc unsigned long bpf_mem_cgroup_page_state(struct mem_cgroup *memcg, int idx)
> +{
> + if (idx < 0 || idx >= MEMCG_NR_STAT)
> + return (unsigned long)-1;
> +
> + return memcg_page_state_output(memcg, idx);
> +}

Should bpf_mem_cgroup_vm_events() have a similar bounds check, perhaps:

if (event >= NR_VM_EVENT_ITEMS)
return (unsigned long)-1;

before calling memcg_events()?

[ ... ]

---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.

See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20357445962
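Review bot: the bounds check proposed for bpf_mem_cgroup_vm_events() should not rely on the comparison `event >= NR_VM_EVENT_ITEMS` alone, because the parameter is declared `enum vm_event_item event` and the signedness of an enum's underlying integer type is implementation-defined; if the compiler picks a signed type, a negative value supplied by the BPF program passes that single test and is still used as the index in `mem_cgroup_events_index[idx]`. Mirror the sister function bpf_mem_cgroup_page_state() and make the rejection explicit in both directions, e.g. `if (event < 0 || event >= NR_VM_EVENT_ITEMS) return (unsigned long)-1;`, or cast to an unsigned type before the comparison so the check does not depend on the enum's representation. The check belongs in the kfunc itself: the argument arrives straight from the BPF program, and the quoted call chain through memcg_events() and memcg_events_index() performs no validation of its own.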