* [BUG] bpf: Tracing progs on the stack save subtree can result in OOM
@ 2026-06-09 17:04 Mahnur A
2026-06-09 22:01 ` Alexei Starovoitov
0 siblings, 1 reply; 2+ messages in thread
From: Mahnur A @ 2026-06-09 17:04 UTC (permalink / raw)
To: bpf; +Cc: ast, daniel, andrii, rostedt, linux-kernel
Hi,
I hit the following case on the current mainline kernel (7.1-rc7)
BPF tracing programs that allocate something and have a deferred-free for it:
Attached to any function in the stack save / unwind result in OOM.
KASAN, slub_debug etc. all save a stack on every alloc/free.
An example bpf program updates a map element,
before lookup and retrieval of the timer object.
It then calls bpf_timer_init().
If this happens at every alloc/free event,
a new timer object gets allocated with every map element update,
while the previous one is deferred-free (via kfree_rcu).
All these alloc/free cause cascading probes to fire which in turn trigger more.
The timer objects accumulate without bound.
kfree_rcu()'d timer objects are reclaimed at a slower rate (or RCU stalls).
This results in OOM which eventually kills init.
Please find the reproducer, config files and the full backtrace here:
https://gist.github.com/MahnurA/622d0cd44df686e241a4b043023871a2
A possible patch could be to not allow BPF programs to attach to such
points at all,
but I'm not sure how that would scale.
I’m happy to test debug patches or provide additional information.
Best regards,
Mahnur
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [BUG] bpf: Tracing progs on the stack save subtree can result in OOM
2026-06-09 17:04 [BUG] bpf: Tracing progs on the stack save subtree can result in OOM Mahnur A
@ 2026-06-09 22:01 ` Alexei Starovoitov
0 siblings, 0 replies; 2+ messages in thread
From: Alexei Starovoitov @ 2026-06-09 22:01 UTC (permalink / raw)
To: Mahnur A, bpf; +Cc: ast, daniel, andrii, rostedt, linux-kernel
On Tue Jun 9, 2026 at 10:04 AM PDT, Mahnur A wrote:
> Hi,
>
> I hit the following case on the current mainline kernel (7.1-rc7)
>
> BPF tracing programs that allocate something and have a deferred-free for it:
> Attached to any function in the stack save / unwind result in OOM.
>
>
> KASAN, slub_debug etc. all save a stack on every alloc/free.
> An example bpf program updates a map element,
> before lookup and retrieval of the timer object.
> It then calls bpf_timer_init().
> If this happens at every alloc/free event,
> a new timer object gets allocated with every map element update,
> while the previous one is deferred-free (via kfree_rcu).
It's a known design constraint.
A bunch of things in the kernel need call_rcu().
bpf is not immune to such requirements.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-09 22:01 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-09 17:04 [BUG] bpf: Tracing progs on the stack save subtree can result in OOM Mahnur A
2026-06-09 22:01 ` Alexei Starovoitov
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.