The Linux Kernel Mailing List
 help / color / mirror / Atom feed
* [BUG] bpf: Tracing progs on the stack save subtree can result in OOM
@ 2026-06-09 17:04 Mahnur A
  2026-06-09 22:01 ` Alexei Starovoitov
  0 siblings, 1 reply; 2+ messages in thread
From: Mahnur A @ 2026-06-09 17:04 UTC (permalink / raw)
  To: bpf; +Cc: ast, daniel, andrii, rostedt, linux-kernel

Hi,

I hit the following case on the current mainline kernel (7.1-rc7)

BPF tracing programs that allocate something and have a deferred-free for it:
Attached to any function in the stack save / unwind result in OOM.


KASAN, slub_debug etc. all save a stack on every alloc/free.
An example bpf program updates a map element,
before lookup and retrieval of the timer object.
It then calls bpf_timer_init().
If this happens at every alloc/free event,
a new timer object gets allocated with every map element update,
while the previous one is deferred-free (via kfree_rcu).

All these alloc/free cause cascading probes to fire which in turn trigger more.
The timer objects accumulate without bound.
kfree_rcu()'d timer objects are reclaimed at a slower rate (or RCU stalls).
This results in OOM which eventually kills init.

Please find the reproducer, config files and the full backtrace here:
https://gist.github.com/MahnurA/622d0cd44df686e241a4b043023871a2

A possible patch could be to not allow BPF programs to attach to such
points at all,
but I'm not sure how that would scale.
I’m happy to test debug patches or provide additional information.

Best regards,
Mahnur

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-09 22:01 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-09 17:04 [BUG] bpf: Tracing progs on the stack save subtree can result in OOM Mahnur A
2026-06-09 22:01 ` Alexei Starovoitov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox