Questions about current eBPF usages
Hello BPF community,
I am looking for a way to move a user space program's disk I/O scheduling related logic down to kernel space, and then have the new kernel logic communicate with the user space program to make better I/O scheduling decisions. The reason that the user space program itself has I/O scheduling logic is because it needs to prioritize certain read or write requests.
I started looking at eBPF for that purpose. After doing some research, I learned that eBPF is very good at kernel profiling and tracing, but I didn't find much information about modifying kernel functions / data-structure using eBPF.
I am wondering:
1. Instead of calling eBPF function before / after calling a kernel function and then returning back to that kernel function, is it possible for eBPF programs to totally replace a kernel function or module logic?
2. Is it possible for eBPF programs to tamper the parameter and return value of a kernel function, or eBPF program can only read kernel data-structure but can not modify them? (some search indicates that it can not few years ago, but I am not sure if it is changed recently)
On Thu, Oct 15, 2020 at 4:06 PM Jiada Tu via lists.iovisor.org
Currently, no. Kernel has support to replace a bpf program, but not
kernel function. Replacing kernel functions may easily causing kernel
mishehave. There are some proposals to explicitly specify functions
which can be replaced. This work is not done yet.
No for input parameters.
Yes for return values in certain cases. For any kernel functions
annotated with ALLOW_ERROR_INJECTION, you can attach a bpf program to
that function to change its return values.
all tracing programs can read kernel data structures as of today with
direct memory access similar to bpf_probe_read in later kernels.
writing to kernel data structure has to be extremely careful as it can
easily crash the kernel or cause kernel to misbehavior. This has to be
done in a controlled way, e.g., in networking, through specific
In your case, the bpf program is to influence io scheduling decisions.
You could implement in a way to do kernel data structure write in
kernel but have a hook to a bpf program to make decision and based on
bpf program return value, kernel can decide what to schedule.