| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220810171702.74932-1-flaniel@linux.microsoft.com>
Date: Wed, 10 Aug 2022 19:16:51 +0200
From: Francis Laniel <flaniel@...ux.microsoft.com>
To: bpf@...r.kernel.org
Cc: linux-kernel@...r.kernel.org,
Francis Laniel <flaniel@...ux.microsoft.com>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <martin.lau@...ux.dev>,
Song Liu <song@...nel.org>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>,
Stanislav Fomichev <sdf@...gle.com>,
Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>,
Joanne Koong <joannelkoong@...il.com>,
Dave Marchevsky <davemarchevsky@...com>,
Lorenzo Bianconi <lorenzo@...nel.org>,
Geliang Tang <geliang.tang@...e.com>,
Hengqi Chen <hengqi.chen@...il.com>
Subject: [RFC PATCH v1 0/3] Make BPF ring buffer over writable
Hi.
First, I hope you are fine and the same for your relatives.
Normally, when BPF ring buffer are full, producers cannot write anymore and
need to wait for consumer to get some data.
As a consequence, calling bpf_ringbuf_reserve() from eBPF code returns NULL.
This contribution adds a new flag to make BPF ring buffer over writable.
When the buffer is full, the producer will over write the oldest data.
So, calling bpf_ringbuf_reserve() on an over writable BPF ring buffer never
returns NULL but consumer will loose some data.
This flag can be used to monitor lots of events, like all the syscalls done on
a given machine.
I tested it within a VM with the fourth patch which creates a "toy" eBPF
program:
you@...e$ cd /path/to/iovisor/bcc
you@...e$ git apply 0001-for-test-purpose-only-Add-toy-to-play-with-BPF-ring-.patch
you@...e$ cd /path/to/linux/tools/lib/bpf
you@...e$ make -j$(nproc)
you@...e$ cp libbpf.a /path/to/iovisor/bcc/libbpf-tools/.output
you@...e$ cd /path/to/iovisor/bcc/libbpf-tools/
you@...e$ make -j toy
# Start your VM and copy toy executable inside it.
you@vm# ./share/toy
Press any key to begin consuming!
^Z
you@vm# for i in {1..16}; do true; done
you@vm# fg # Please press any key
8
9
10
11
12
13
14
15
16
^Z
you@vm# true && true
you@vm# fg
17
18
As you can see, the first eight events are overwritten.
If you any way to improve this contribution, feel free to share.
Francis Laniel (3):
bpf: Make ring buffer overwritable.
do not merge: Temporary fix for is_power_of_2.
libbpf: Make bpf ring buffer overwritable.
include/uapi/linux/bpf.h | 3 ++
kernel/bpf/ringbuf.c | 51 ++++++++++++++++++++++++++--------
tools/include/uapi/linux/bpf.h | 3 ++
tools/lib/bpf/libbpf.c | 2 +-
tools/lib/bpf/ringbuf.c | 35 ++++++++++++++++++++++-
5 files changed, 81 insertions(+), 13 deletions(-)
Best regards and thank you in advance.
--
2.25.1
Powered by blists - more mailing lists