[Devel] [PATCH VZ10 1/2] ve/bpf: Limit number of BPF programs loadable per-VE

Vladimir Riabchun vladimir.riabchun at virtuozzo.com
Fri May 29 17:15:33 MSK 2026



On 5/29/26 14:20, Pavel Tikhomirov wrote:
> Without a per-VE cap a single container could exhaust the system-wide
> bpf JIT memory budget by loading excessive numbers of CGROUP_DEVICE
> ...
>   	struct btf *attach_btf = NULL;
>   	struct bpf_token *token = NULL;
> +	struct ve_struct *load_ve = NULL;

All other code in this function is hidden by #ifdef CONFIG_VE. This
variable should be hidden as well or marked __maybe_unused to make the
compiler happy with !CONFIG_VE.

>   	bool bpf_cap;
>   	int err;
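
Review bot: `struct ve_struct *load_ve = NULL;` is declared unconditionally among the function's locals, so if every use of it sits under #ifdef CONFIG_VE, as the reply above states, a build without CONFIG_VE sees a variable that is never used and warns. Wrapping the declaration in the same #ifdef CONFIG_VE keeps it consistent with the code that uses it; __maybe_unused also silences the warning but keeps the declaration in the !CONFIG_VE build.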

-- 
Best regards, Riabchun Vladimir
Linux Kernel Developer, Virtuozzo

