[Devel] [PATCH VZ10 1/2] ve/bpf: Limit number of BPF programs loadable per-VE
Vladimir Riabchun
vladimir.riabchun at virtuozzo.com
Fri May 29 17:15:33 MSK 2026
On 5/29/26 14:20, Pavel Tikhomirov wrote:
> Without a per-VE cap a single container could exhaust the system-wide
> bpf JIT memory budget by loading excessive numbers of CGROUP_DEVICE
> ...
> struct btf *attach_btf = NULL;
> struct bpf_token *token = NULL;
> + struct ve_struct *load_ve = NULL;
All other code in this function is hidden by #ifdef CONFIG_VE. This
variable should be hidden as well or marked __maybe_unused to make
the compiler happy with !CONFIG_VE.
> bool bpf_cap;
> int err;
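Review bot: the `load_ve` declaration added after `token` is unconditional, so if its only users sit under #ifdef CONFIG_VE as the reply above says, a !CONFIG_VE build carries an initialised but never referenced local and warns about it. Of the two fixes offered, wrapping the declaration in the same #ifdef CONFIG_VE is the stricter choice: any later use of `load_ve` outside the guard then fails to compile, whereas `__maybe_unused` would let such a use build and run against the NULL initialiser.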
--
Best regards, Riabchun Vladimir
Linux Kernel Developer, Virtuozzo