Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond_the_Limits_of_eBPF__A_Journey_Through_OS...

Avatar for Kenta Tada Kenta Tada
June 16, 2025
Programming
0
29

 Beyond_the_Limits_of_eBPF__A_Journey_Through_OS_Technologies.pdf

Avatar for Kenta Tada

Kenta Tada

June 16, 2025
Tweet

More Decks by Kenta Tada

See All by Kenta Tada
eBPF Updates (March 2025)
Avatar for Kenta Tada kentatada
0
200
CNCJ で考える OSPO ステージ2
Avatar for Kenta Tada kentatada
0
72
Security_for_introducing_eBPF
Avatar for Kenta Tada kentatada
0
250
cgroup v2 support in Kubeadm
Avatar for Kenta Tada kentatada
0
360
Keynote_ The State of eBPF in Japan
Avatar for Kenta Tada kentatada
0
95
eBPF Japan Meetup のご紹介
Avatar for Kenta Tada kentatada
0
460
eBPF_technologies_with_container
Avatar for Kenta Tada kentatada
0
670
Linux Tracing Technologies for Rust
Avatar for Kenta Tada kentatada
4
1.1k
seccomp: Whereabouts of Light and Darkness
Avatar for Kenta Tada kentatada
0
790

Other Decks in Programming

See All in Programming
Cursor AI Agentと伴走する アプリケーションの高速リプレイス
Avatar for どすこい daisuketakeda
1
130
WindowInsetsだってテストしたい
Avatar for RyuNen344 ryunen344
1
230
20250628_非エンジニアがバイブコーディングしてみた
Avatar for ponponmikan ponponmikankan
0
650
Porting a visionOS App to Android XR
Avatar for Akio Itaya akkeylab
0
260
LT 2025-06-30: プロダクトエンジニアの役割
Avatar for Keisuke Yamamoto yamamotok
0
700
コードの90%をAIが書く世界で何が待っているのか / What awaits us in a world where 90% of the code is written by AI
Avatar for r-kagaya rkaga
50
32k
Blazing Fast UI Development with Compose Hot Reload (droidcon New York 2025)
Avatar for Márton Braun zsmb
1
280
dbt民主化とLLMによる開発ブースト ~ AI Readyな分析サイクルを目指して ~
Avatar for yosh_yumyum yoshyum
3
670
High-Level Programming Languages in AI Era -Human Thought and Mind-
Avatar for Hayato Ishida hayat01sh1da
PRO
0
720
Discover Metal 4
Avatar for rei rei315
2
120
NPOでのDevinの活用
Avatar for みんなのコード codeforeveryone
0
760
AIと”コードの評価関数”を共有する / Share the "code evaluation function" with AI
Avatar for Shintani Teppei euglena1215
1
130

Featured

See All Featured
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
42
7.4k
KATA
Avatar for Megan Lloyd mclloyd
30
14k
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
48
2.9k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
134
9.4k
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
35
6.7k
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
39
1.9k
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
54
6.4k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
48
5.4k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
70k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
16k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
51
3.3k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
694
190k

Transcript

  1. None

  2. Kenta Tada, CNCJ Organizer CNCF End User TAB Beyond the

    Limits of eBPF A Journey Through OS Innovations

  3. Introduction • Can't read a string with eBPF? • A

    bug? A limitation? Or kernel design? • Today, we'll dive into the OS internals behind this mystery. bpf_probe_read_user_str helper

  4. What is bpf_probe_read_user_str()? • Standard method in eBPF to read

    strings from user space • Safe, but with conditions: ◦ The page must be resident in physical memory

  5. bpf_probe_read_user_str() returns -EFAULT • Reproduction conditions: ◦ Areas mapped by

    an application but never accessed ◦ Pages swapped out • Result: ◦ bpf_probe_read_user_str() returns -EFAULT

  6. What is Page-Out? • Mechanism of virtual memory ◦ Not

    all pages are always in physical memory • Unused pages are evicted to disk (swap) • A user-space pointer might "exist," but its data may not be physically present

  7. Constraints of Non-Sleepable Context • Most BPF hooks (e.g., kprobe,

    tracepoint) run in non- sleepable contexts • Page faults (which require sleeping) are not allowed • Therefore, bpf_probe_read_user_str() cannot fault in a page, resulting in -EFAULT

  8. Leveraging mincore() and madvise() • mincore() ◦ Allows checking whether

    a given virtual memory page is resident in physical memory ◦ In our demo, we use it to visualize “whether the data is here now • madvise() ◦ A way to give hints to the kernel about memory usage patterns ◦ With MADV_DONTNEED, we can explicitly trigger page eviction • These syscalls enable experimental control over page-in and page-out behavior

  9. Demo • Use mincore() to confirm page-in status • After

    touching a page to bring it into memory, BPF read succeeds • Same address, but outcome changes based on timing • Whether data is "there right now" is the deciding factor

  10. Summary • Behind strange eBPF errors lie kernel-level mechanisms •

    The true lesson isn't that a read failed, but understanding why it failed