[Devel] [PATCH RHEL10 COMMIT] ve: Add bpf_prog_max_nr/bpf_prog_avail_nr cgroup files

Konstantin Khorenko khorenko at virtuozzo.com
Thu Jun 18 19:58:27 MSK 2026


The commit is pushed to "branch-rh10-6.12.0-211.16.1.12.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-211.16.1.12.3.vz10
------>
commit 52c8700582bfe02a62f61f21451a63bbb3869495
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Fri May 29 16:42:12 2026 +0200

    ve: Add bpf_prog_max_nr/bpf_prog_avail_nr cgroup files
    
    Expose the per-VE BPF program load limit via two ve cgroup files:
    
      bpf_prog_max_nr   - rw, writable only from ve0, restricts loads
      bpf_prog_avail_nr - ro, remaining quota
    
    Writes adjust the avail counter by the delta so that already-loaded
    programs are not retroactively rejected when the cap is lowered.
    
    https://virtuozzo.atlassian.net/browse/VSTOR-131947
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    
    Feature: ve: allow BPF in Containers
---
 kernel/ve/ve.c | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 9938d87c8462c..4c7a8649ac42d 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -1076,6 +1076,35 @@ static s64 ve_netif_avail_nr_read(struct cgroup_subsys_state *css, struct cftype
 	return atomic_read(&css_to_ve(css)->netif_avail_nr);
 }
 
+static u64 ve_bpf_prog_max_nr_read(struct cgroup_subsys_state *css, struct cftype *cft)
+{
+	return css_to_ve(css)->bpf_prog_max_nr;
+}
+
+static int ve_bpf_prog_max_nr_write(struct cgroup_subsys_state *css, struct cftype *cft, u64 val)
+{
+	struct ve_struct *ve = css_to_ve(css);
+	int delta;
+
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+
+	if (val > INT_MAX)
+		return -EOVERFLOW;
+
+	down_write(&ve->op_sem);
+	delta = val - ve->bpf_prog_max_nr;
+	ve->bpf_prog_max_nr = val;
+	atomic_add(delta, &ve->bpf_prog_avail_nr);
+	up_write(&ve->op_sem);
+	return 0;
+}
+
+static s64 ve_bpf_prog_avail_nr_read(struct cgroup_subsys_state *css, struct cftype *cft)
+{
+	return atomic_read(&css_to_ve(css)->bpf_prog_avail_nr);
+}
+
 static int ve_os_release_read(struct seq_file *sf, void *v)
 {
 	struct cgroup_subsys_state *css = seq_css(sf);
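Review bot: The line `delta = val - ve->bpf_prog_max_nr;` in ve_bpf_prog_max_nr_write subtracts in u64 and then narrows into an int, so a lowered cap produces the right negative delta only through unsigned wraparound plus implementation-defined narrowing; since val is already bounded by INT_MAX on the check just above, `delta = (int)val - ve->bpf_prog_max_nr;` expresses the intent without relying on that (this assumes bpf_prog_max_nr is an int, which the INT_MAX bound suggests but the hunk does not show). The reason avail is shifted by the delta instead of being reset to val lives only in the commit message; a comment above the atomic_add such as `/* shift the remaining quota by the cap change so already-loaded programs are not retroactively rejected; avail can go negative until enough are unloaded */` would keep it next to the code. ve_bpf_prog_max_nr_read reads bpf_prog_max_nr without op_sem, which is presumably fine for a plain int but would want a READ_ONCE if the field is ever widened.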
@@ -1588,6 +1617,16 @@ static struct cftype ve_cftypes[] = {
 		.name			= "netif_avail_nr",
 		.read_s64		= ve_netif_avail_nr_read,
 	},
+	{
+		.name			= "bpf_prog_max_nr",
+		.flags			= CFTYPE_NOT_ON_ROOT,
+		.read_u64		= ve_bpf_prog_max_nr_read,
+		.write_u64		= ve_bpf_prog_max_nr_write,
+	},
+	{
+		.name			= "bpf_prog_avail_nr",
+		.read_s64		= ve_bpf_prog_avail_nr_read,
+	},
 	{
 		.name			= "os_release",
 		.max_write_len		= __NEW_UTS_LEN + 1,

