[Devel] [PATCH VZ10 1/2] ve/bpf: Limit number of BPF programs loadable per-VE

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Fri May 29 17:21:46 MSK 2026



On 5/29/26 16:15, Vladimir Riabchun wrote:
> 
> 
> On 5/29/26 14:20, Pavel Tikhomirov wrote:
>> Without a per-VE cap a single container could exhaust the system-wide
>> bpf JIT memory budget by loading excessive numbers of CGROUP_DEVICE
>> ...
>>       struct btf *attach_btf = NULL;
>>       struct bpf_token *token = NULL;
>> +    struct ve_struct *load_ve = NULL;
> 
> All other code in this function is hidden by #ifdef CONFIG_VE. This
> variable should be hidden as well or marked __maybe_unused to make
> the compiler happy with !CONFIG_VE.

Will fix. Thanks!

> 
>>       bool bpf_cap;
>>       int err;
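
Review bot: The added declaration `struct ve_struct *load_ve = NULL;` sits unguarded in the local variable block, so if every use of it is inside `#ifdef CONFIG_VE`, as the reply above says of the rest of this function's code, a `!CONFIG_VE` build will warn about an unused variable. Wrapping the declaration in the same `#ifdef CONFIG_VE` keeps the pointer out of non-VE builds entirely; `__maybe_unused` also silences the warning but leaves an always-NULL pointer in scope there.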
> 

-- 
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.


