[BUG] bpf: Tracing progs on the stack save subtree can result in OOM

Next message: Stefan D&#xF6;singer: "Re: [PATCH RFC v3 0/5] ZTE zx297520v3 clock bindings and driver"
Previous message: Manivannan Sadhasivam: "Re: (subset) [PATCH 2/2] PCI: meson: Add missing remove callback"
Next in thread: Alexei Starovoitov: "Re: [BUG] bpf: Tracing progs on the stack save subtree can result in OOM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Mahnur A

Date: Tue Jun 09 2026 - 13:14:07 EST

Hi,

I hit the following case on the current mainline kernel (7.1-rc7)

BPF tracing programs that allocate something and have a deferred-free for it:
Attached to any function in the stack save / unwind result in OOM.

KASAN, slub_debug etc. all save a stack on every alloc/free.
An example bpf program updates a map element,
before lookup and retrieval of the timer object.
It then calls bpf_timer_init().
If this happens at every alloc/free event,
a new timer object gets allocated with every map element update,
while the previous one is deferred-free (via kfree_rcu).

All these alloc/free cause cascading probes to fire which in turn trigger more.
The timer objects accumulate without bound.
kfree_rcu()'d timer objects are reclaimed at a slower rate (or RCU stalls).
This results in OOM which eventually kills init.

Please find the reproducer, config files and the full backtrace here:
https://gist.github.com/MahnurA/622d0cd44df686e241a4b043023871a2

A possible patch could be to not allow BPF programs to attach to such
points at all,
but I'm not sure how that would scale.
I’m happy to test debug patches or provide additional information.

Best regards,
Mahnur