lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 30 Mar 2022 11:22:32 -0700
From:   Alexei Starovoitov <>
To:     Beau Belgrave <>
Cc:     Song Liu <>, Steven Rostedt <>,
        Masami Hiramatsu <>,
        linux-trace-devel <>,
        LKML <>, bpf <>,
        Network Development <>,
        linux-arch <>,
        Mathieu Desnoyers <>
Subject: Re: [PATCH] tracing/user_events: Add eBPF interface for user_event
 created events

On Wed, Mar 30, 2022 at 9:34 AM Beau Belgrave <> wrote:
> > >
> > > But you are fine with uprobe costs? uprobes appear to be much more costly
> > > than a syscall approach on the hardware I've run on.

Care to share the numbers?
uprobe over USDT is a single trap.
Not much slower compared to syscall with kpti.

> >
> > Can we achieve the same/similar performance with sys_bpf(BPF_PROG_RUN)?
> >
> I think so, the tough part is how do you let the user-space know which
> program is attached to run? In the current code this is done by the BPF
> program attaching to the event via perf and we run the one there if
> any when data is emitted out via write calls.
> I would want to make sure that operators can decide where the user-space
> data goes (perf/ftrace/eBPF) after the code has been written. With the
> current code this is done via the tracepoint callbacks that perf/ftrace
> hook up when operators enable recording via perf, tracefs, libbpf, etc.
> We have managed code (C#/Java) where we cannot utilize stubs or traps
> easily due to code movement. So we are limited in how we can approach
> this problem. Having the interface be mmap/write has enabled this
> for us, since it's easy to interact with in most languages and gives us
> lifetime management of the trace objects between user-space and the
> kernel.

Then you should probably invest into making USDT work inside
java applications instead of reinventing the wheel.

As an alternative you can do a dummy write or any other syscall
and attach bpf on the kernel side.
No kernel changes are necessary.

Powered by blists - more mailing lists