Date:	Mon, 21 Jul 2014 20:45:20 -0700
From:	Alexei Starovoitov <>
To:	"David S. Miller" <>
Cc:	Ingo Molnar <>,
	Linus Torvalds <>,
	Andy Lutomirski <>,
	Steven Rostedt <>,
	Daniel Borkmann <>,
	Chema Gonzalez <>,
	Eric Dumazet <>,
	Peter Zijlstra <>,
	Arnaldo Carvalho de Melo <>,
	Jiri Olsa <>,
	Thomas Gleixner <>,
	"H. Peter Anvin" <>,
	Andrew Morton <>,
	Kees Cook <>
Subject: [PATCH RFC v3 net-next 0/3] eBPF examples in C


I've been asked to repost the LLVM eBPF backend and examples in C, so here they are.
LLVM backend is 99% the same as it was in Feb. Not resending it to the list,
since I only fixed minor things there. See it in my tree.

ex1 - is the same example I showed in Feb, but now it works through BPF syscall
  and Ctrl-C does auto cleanup. This is patch 2/3

ex2 - is a new example that demonstrates a key feature of eBPF programs
  for kernel debugging/tracing. This is patch 3/3

dtrace/systemtap/ktap approach is to use one script file that should provide
all desired functionality. That architectural decision overcomplicated their
eBPF follows a split model: everything that needs to process millions of events
per second needs to run in kernel and needs to be short and deterministic,
all other things like aggregation and nice graphs should run in user space.

In the patch 3/3, kfree_skb events are counted by a program written in C,
compiled into eBPF and attached to the event. That's ex2_kern.c file.
The corresponding user space part is ex2_user.c which walks the in-kernel map
every second and prints its contents. So user space and kernel are
accessing BPF maps in parallel. Kernel is counting events, user space
prints them.

Patch 1/3 is a parser of the .o file generated by LLVM. It looks for pre-defined
ELF sections like 'license', 'maps', 'events' and loads bpf maps/programs
via BPF syscall that I posted earlier.

Alexei Starovoitov (3):
  samples: bpf: elf file loader
  samples: bpf: eBPF example in C
  samples: bpf: eBPF dropmon example in C

 samples/bpf/Makefile      |   17 +++-
 samples/bpf/bpf_helpers.h |   21 +++++
 samples/bpf/bpf_load.c    |  228 +++++++++++++++++++++++++++++++++++++++++++++
 samples/bpf/bpf_load.h    |   18 ++++
 samples/bpf/ex1_kern.c    |   27 ++++++
 samples/bpf/ex1_user.c    |   11 +++
 samples/bpf/ex2_kern.c    |   29 ++++++
 samples/bpf/ex2_user.c    |   28 ++++++
 8 files changed, 377 insertions(+), 2 deletions(-)
 create mode 100644 samples/bpf/bpf_helpers.h
 create mode 100644 samples/bpf/bpf_load.c
 create mode 100644 samples/bpf/bpf_load.h
 create mode 100644 samples/bpf/ex1_kern.c
 create mode 100644 samples/bpf/ex1_user.c
 create mode 100644 samples/bpf/ex2_kern.c
 create mode 100644 samples/bpf/ex2_user.c


The following changes since commit 240524089d7a5c0396656574e299beb3a55461e3:

  net: bcmgenet: only update UMAC_CMD if something changed (2014-07-21 19:49:11 -0700)

are available in the git repository at:

  git:// master

for you to fetch changes up to 27ae0cec12d0aac6f0705b0269ee705a0c599571:

  samples: bpf: eBPF dropmon example in C (2014-07-21 20:01:29 -0700)

Alexei Starovoitov (20):
      net: filter: split filter.c into two files
      bpf: update MAINTAINERS entry
      net: filter: rename struct sock_filter_int into bpf_insn
      net: filter: split filter.h and expose eBPF to user space
      bpf: introduce syscall(BPF, ...) and BPF maps
      bpf: enable bpf syscall on x64
      bpf: add lookup/update/delete/iterate methods to BPF maps
      bpf: add hashtable type of BPF maps
      bpf: expand BPF syscall with program load/unload
      bpf: add eBPF verifier
      bpf: allow eBPF programs to use maps
      net: sock: allow eBPF programs to be attached to sockets
      tracing: allow eBPF programs to be attached to events
      samples: bpf: add mini eBPF library to manipulate maps and programs
      samples: bpf: example of stateful socket filtering
      samples: bpf: example of tracing filters with eBPF
      bpf: llvm backend
      samples: bpf: elf file loader
      samples: bpf: eBPF example in C
      samples: bpf: eBPF dropmon example in C
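
The section lookup described for patch 1/3, as an added example that is not the bpf_load.c from this series: a bounds-checked search of an ELF64 image for a named section such as 'license' or 'maps'. The names find_section and build_sample, and the in-memory sample image, are assumptions made for illustration.

```c
/* Added example (not from the patch set): bounds-checked ELF64 section lookup. */
#include <elf.h>
#include <stdint.h>
#include <string.h>

/* Index of the section named `want`, or -1 if absent or the image is malformed. */
int find_section(const uint8_t *img, size_t len, const char *want)
{
    Elf64_Ehdr eh; Elf64_Shdr sh, str;

    if (len < sizeof(eh)) return -1;
    memcpy(&eh, img, sizeof(eh));
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return -1;
    if (eh.e_shentsize != sizeof(sh) || eh.e_shstrndx >= eh.e_shnum) return -1;
    /* The whole section header table must lie inside the image. */
    if (eh.e_shoff > len || (len - eh.e_shoff) / sizeof(sh) < eh.e_shnum) return -1;
    memcpy(&str, img + eh.e_shoff + eh.e_shstrndx * sizeof(sh), sizeof(str));
    /* Name table must be in bounds and NUL-terminated so strcmp() stays inside it. */
    if (!str.sh_size || str.sh_offset > len || str.sh_size > len - str.sh_offset ||
        img[str.sh_offset + str.sh_size - 1] != '\0') return -1;
    for (int i = 0; i < eh.e_shnum; i++) {
        memcpy(&sh, img + eh.e_shoff + i * sizeof(sh), sizeof(sh));
        if (sh.sh_name >= str.sh_size) return -1;
        if (!strcmp((const char *)img + str.sh_offset + sh.sh_name, want)) return i;
    }
    return -1;
}

/* Constructed sample image with sections "", license, maps, .shstrtab. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const char names[] = "\0license\0maps\0.shstrtab";
    const uint32_t name_off[4] = { 0, 1, 9, 14 };
    Elf64_Ehdr eh = { 0 };
    size_t total = sizeof(eh) + sizeof(names) + 4 * sizeof(Elf64_Shdr);

    if (cap < total) return 0;
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_shoff = sizeof(eh) + sizeof(names);
    eh.e_shentsize = sizeof(Elf64_Shdr);
    eh.e_shnum = 4; eh.e_shstrndx = 3;
    memcpy(buf, &eh, sizeof(eh));
    memcpy(buf + sizeof(eh), names, sizeof(names));
    for (int i = 0; i < 4; i++) {
        Elf64_Shdr sh = { 0 };
        sh.sh_name = name_off[i];
        if (i == 3) { sh.sh_offset = sizeof(eh); sh.sh_size = sizeof(names); }
        memcpy(buf + eh.e_shoff + i * sizeof(sh), &sh, sizeof(sh));
    }
    return total;
}
```

A truncated image or an out-of-range name offset makes the lookup return -1 instead of reading past the buffer.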