[Devel] [PATCH VZ10 1/2] ve/bpf: Limit number of BPF programs loadable per-VE
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Fri May 29 17:21:46 MSK 2026
On 5/29/26 16:15, Vladimir Riabchun wrote:
>
>
> On 5/29/26 14:20, Pavel Tikhomirov wrote:
>> Without a per-VE cap a single container could exhaust the system-wide
>> bpf JIT memory budget by loading excessive numbers of CGROUP_DEVICE
>> ...
>> struct btf *attach_btf = NULL;
>> struct bpf_token *token = NULL;
>> + struct ve_struct *load_ve = NULL;
>
> All other code in this function is hidden by #ifdef CONFIG_VE. This
> variable should be hidden as well or marked __maybe_unused to make
> the compiler happy with !CONFIG_VE.
Will fix. Thanks!
>
>> bool bpf_cap;
>> int err;
>
--
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.