Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond_the_Limits_of_eBPF__A_Journey_Through_OS...

Avatar for Kenta Tada Kenta Tada
June 16, 2025
Programming
0
35

 Beyond_the_Limits_of_eBPF__A_Journey_Through_OS_Technologies.pdf

Avatar for Kenta Tada

Kenta Tada

June 16, 2025
Tweet

More Decks by Kenta Tada

See All by Kenta Tada
eBPF Updates (March 2025)
Avatar for Kenta Tada kentatada
0
210
CNCJ で考える OSPO ステージ2
Avatar for Kenta Tada kentatada
0
77
Security_for_introducing_eBPF
Avatar for Kenta Tada kentatada
0
260
cgroup v2 support in Kubeadm
Avatar for Kenta Tada kentatada
0
360
Keynote_ The State of eBPF in Japan
Avatar for Kenta Tada kentatada
0
100
eBPF Japan Meetup のご紹介
Avatar for Kenta Tada kentatada
0
470
eBPF_technologies_with_container
Avatar for Kenta Tada kentatada
0
670
Linux Tracing Technologies for Rust
Avatar for Kenta Tada kentatada
4
1.1k
seccomp: Whereabouts of Light and Darkness
Avatar for Kenta Tada kentatada
0
790

Other Decks in Programming

See All in Programming
0から始めるモジュラーモノリス-クリーンなモノリスを目指して
Avatar for sushi-cat sushi0120
0
160
フロントエンドのパフォーマンスチューニング
Avatar for kouki.miura koukimiura
6
2.3k
商品比較サービス「マイベスト」における パーソナライズレコメンドの第一歩
Avatar for Ucchiii ucchiii43
0
210
リバースエンジニアリング新時代へ!
GhidraとClaude DesktopをMCPで繋ぐ/findy202507
Avatar for @tkmru tkmru
4
1.3k
バイブコーディング超えてバイブデプロイ〜CloudflareMCPで実現する、未来のアプリケーションデリバリー〜
Avatar for azukiazusa azukiazusa1
2
730
AI Agent 時代のソフトウェア開発を支える AWS Cloud Development Kit (CDK)
Avatar for Kenji Kono konokenj
6
1k
AIともっと楽するE2Eテスト
Avatar for Yohei Maeda myohei
9
3.1k
Quality Gates in the Age of Agentic Coding
Avatar for Hélio Medeiros helmedeiros
PRO
1
110
AI Ramen Fight
Avatar for Yusuke Wada yusukebe
0
120
QA x AIエコシステム段階構築作戦
Avatar for Osu osu
0
210
Prompt Engineeringの再定義「Context Engineering」とは
Avatar for ツルオカ htsuruo
0
110
AIのメモリー
Avatar for watany watany
11
1k

Featured

See All Featured
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1031
460k
Code Review Best Practice
Avatar for Trisha Gee trishagee
69
19k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
53
2.9k
Navigating Team Friction
Avatar for Lara Hogan lara
187
15k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
35
2.5k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
181
54k
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
189
11k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
229
22k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
33
2.4k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
71
11k
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
3.9k

Transcript

  1. None

  2. Kenta Tada, CNCJ Organizer CNCF End User TAB Beyond the

    Limits of eBPF A Journey Through OS Innovations

  3. Introduction • Can't read a string with eBPF? • A

    bug? A limitation? Or kernel design? • Today, we'll dive into the OS internals behind this mystery. bpf_probe_read_user_str helper

  4. What is bpf_probe_read_user_str()? • Standard method in eBPF to read

    strings from user space • Safe, but with conditions: ◦ The page must be resident in physical memory

  5. bpf_probe_read_user_str() returns -EFAULT • Reproduction conditions: ◦ Areas mapped by

    an application but never accessed ◦ Pages swapped out • Result: ◦ bpf_probe_read_user_str() returns -EFAULT

  6. What is Page-Out? • Mechanism of virtual memory ◦ Not

    all pages are always in physical memory • Unused pages are evicted to disk (swap) • A user-space pointer might "exist," but its data may not be physically present

  7. Constraints of Non-Sleepable Context • Most BPF hooks (e.g., kprobe,

    tracepoint) run in non- sleepable contexts • Page faults (which require sleeping) are not allowed • Therefore, bpf_probe_read_user_str() cannot fault in a page, resulting in -EFAULT

  8. Leveraging mincore() and madvise() • mincore() ◦ Allows checking whether

    a given virtual memory page is resident in physical memory ◦ In our demo, we use it to visualize “whether the data is here now • madvise() ◦ A way to give hints to the kernel about memory usage patterns ◦ With MADV_DONTNEED, we can explicitly trigger page eviction • These syscalls enable experimental control over page-in and page-out behavior

  9. Demo • Use mincore() to confirm page-in status • After

    touching a page to bring it into memory, BPF read succeeds • Same address, but outcome changes based on timing • Whether data is "there right now" is the deciding factor

  10. Summary • Behind strange eBPF errors lie kernel-level mechanisms •

    The true lesson isn't that a read failed, but understanding why it failed