Linux Plumbers Conference 2025

Session

eBPF Track

11 Dec 2025, 10:00

402. Challenges with implementing in-kernel FQDN policies using eBPF

Hemanth Malla (Microsoft)

Container networking plugins for Kubernetes like Cilium currently implement Fully Qualified Domain Name (FQDN) based DNS network policies using a user-space DNS proxy to intercept the DNS to IP mappings and plumb CIDR based policy into bpf maps.

This architecture introduces some challenges since any downtime with the the userspace proxy would result in DNS resolution failure for all...

397. Python-BPF: Writing eBPF programs in pure Python

Pragyansh Chaturvedi, Mr Varun Mallya (Indian Institute of Technology, Roorkee)

This talk aims to introduce the audience to Python-BPF, a project that enables developers to write eBPF programs in pure Python. We allow a reduced Python grammar to be used for the eBPF-specific parts of code.

This improves the following things in the eBPF ecosystem

• Both eBPF logic and userspace code is written in Python (and can
  be in...

389. BpfJailer: eBPF based Mandatory Access Control

Liam Wisehart (Meta)

At Meta, due to the proliferation of AI workloads, increased security was needed around key services. In particular, two use cases were jailing untrusted code, and preventing insider and attacker tampering with user data.

AI training and execution of prompts involves executing untrusted code. Meta's network is flat, leading to untrusted workloads operating in the same space as sensitive...

381. Loops handling by BPF verifier and what should we do about it?

Eduard Zingerman

The BPF verifier has troubles when verifying loops,
and we are slowly moving to address these.
In the talk I want to cover:
- historical evolution of loops handling by verifier;
- problems with current state of things (too crude widening,
no bounds for induction variables);
- describe DFA based liveness analysis that landed recently;
- describe further steps adding DFA-based value...

380. Implement simple local DNS server with BPF

Raman Shukhau

This talk explores the idea of capturing and identifying DNS requests with BPF and responding to them "in-place" with BPF.

DNS is a relatively simple UDP protocol, and a typical DNS query over UDP usually involves just one packet for the query and one packet for the response. If BPF parses structure of the packet and is able to resolve address from the request, e.g. from the hash map...

371. Making Sense of State Pruning

Mahé Tardy, Paul Chaignon (Isovalent)

State pruning allows the BPF verifier to mitigate the path explosion problem and scale to large programs. With its underlying algorithms, precision tracking, strongly connected components computation, and liveness analysis, state pruning accounts for around 15% of the verifier. Its many heuristics have been tuned over a decade of trial and error.

While state pruning inefficiencies can lead...

367. Introduction to eBPF Load-Acquire and Store-Release Instructions

Peilin Ye (Google LLC)

The growing demand for sophisticated, high-performance eBPF programs on weakly-ordered architectures like arm64 necessitates finer-grained control over memory ordering, instead of relying on the default of full memory barriers. To that end, the eBPF ISA has been expanded by two new BPF_ATOMIC instructions that provide load-acquire and store-release semantics.

This talk introduces these new...

366. Fuzzing the Verifier with a Test Oracle

Paul Chaignon (Isovalent)

Several fuzzers are able to target the BPF verifier, some achieving high coverage. They are fairly efficient at uncovering deadlocks, unnecessary warnings, and memory errors, but struggle to uncover false negatives: cases where the verifier incorrectly accepts a program. Without a test oracle for these false negatives, fuzzers remain silent.

This talk proposes a new test oracle for the...

344. cache_ext: Customizing the Page Cache with eBPF

Tal Zussman (Columbia University)

The page cache is central to the performance of many applications. However, its one-size-fits-all eviction policy may perform poorly for many workloads. While the systems community has experimented with new and adaptive eviction policies in non-kernel settings (e.g., key-value stores, CDNs), it is very difficult to implement such policies in the kernel. We design a flexible eBPF-based...

341. uprobe optimization and override

Jiri Olsa

I'd like to discuss two uprobe related topics:

uprobe optimization - I'd like to update on what's been pushed/accepted and what are the leftovers for backward compatibility with old kernels and discuss if it makes sense to continue with further optimizations.

uprobe override - We had several requests for ebpf being able to force user space function override in a similar way the kprobe...

318. Discussion: What's next for BPF Signing

Mr KP Singh

With the initial implementation for BPF signing nearly merged, more advanced signing use-cases can be discussed. There are three key cases for signed BPF programs:

1. Applications that use light skeletons and a BPF loader program and a light skeleton.
2. Applications that generate eBPF programs during their runtime (e.g. Cilium)
3. Debugging tools that use a scripting language or command...

317. Extending eBPF to GPU Device Contexts

YUSHENG ZHENG, Tong Yu (PLCT)

Widely used for ML workloads, GPUs are typically SIMT accelerators with threads in warps on SMs, organized into blocks, launched as kernels, using multi-level memory hierarchies (registers, shared/LDS, L2, device memory) and limited preemption. This complexity creates rich but challenging behavior patterns for observability and customization. Today, many tracing tools for GPU workloads sit at...

316. Supply true signatures to vmlinux BTF

Yonghong Song

I would like to discuss my ongoing work to supply true
signatures for available functions in kallsyms. The
change will be in clang, pahole, libbpf and kernel.

For clang, the goal is to add additional functions to
dwarf where these functions are not in current dwarf or
their signatures have changed. The example includes like
- original func 'void foo(int a, int b)' becomes
'void...

302. Task local data: sharing thread-specific data between user space and BPF

Amery Hung (Meta)

This talk will introduce task local data, an abstract storage type built on top of task local storage map for sharing thread-specific data between user space and BPF programs. A motivational use case is allowing user space programs to pass hints to sched_ext scheduler for better scheduling decisions.

Task local storage map supports a special field, UPTR, to allow sharing user memory...

269. Tracking Files across the operating system using eBPF

Carl El Khoury

Given the increasing concerns around user data and AI model theft, we prioritized developing robust mechanisms to monitor critical files throughout the file system. Leveraging eBPF, we implemented real-time detection for the creation of sensitive files and established comprehensive tracking of their lifecycle events, including renames, moves, deletions, compression, decompression, and uploads....

237. Advanced BPF profiling techniques: how to escape the curse of NMI and fetch ELF contents at runtime

Andrii Nakryiko (Meta)

Writing basic BPF-based profilers nowadays isn't too hard. The challenges start when one needs to go a step further beyond just capturing a bunch of stack traces. When profiler needs to capture user data reliably bypassing restrictions of NMI and/or non-sleepable context, that's when the real fun begins.

This talk will describe recent advancements in BPF tracing domain which now allow BPF...

194. Fingeprinting GPU workloads with eBPF

Jiri Gogela (Trend Micro)

Bridging the Observability Gap: Using eBPF for GPU Workload Identification
Modern computing workloads are increasingly offloaded to GPUs, yet our ability to observe and understand the specific tasks running on these accelerators from the host kernel remains limited. This fundamental lack of visibility hinders system administrators, security engineers, and resource schedulers. While...

184. Kernel-Resident Regex and Jails: DFA-powered eBPF filtering and certificate-safe agent isolation at fleet scale

Justin Ngai (Meta)

Abstract: At Meta’s scale, high-signal telemetry competes with overwhelming noise. We present a pragmatic approach that pushes policy into the kernel to eliminate noise at the source and enforce controls before user space is involved. First, we show how we compile regex patterns into deterministic finite automata (DFAs) and execute them in eBPF at Linux Security Module (LSM) and fentry attach...

182. Lessons from scaling BPF to detect RDMA Device Drivers Bugs in real time

Prankur Gupta (Meta)

Training large models requires significant resources and failure of any GPU or Host can significantly prolong training times. At Meta, we observed that 17% of our jobs fail due to RDMA-related syscall errors which arise due to bugs in the RDMA driver code. Unlike other parts of the Kernel RDMA-related syscalls are opaque and the errors create a mismatched application/kernel view of hardware...

135. ePass: A Framework for Enhancing Flexibility and Runtime Safety of eBPF Programs

Yiming Xiang (University of Michigan)

eBPF enables safely extending kernel functionality for various applications,
but its static verifier is overly restrictive, preventing many useful and
valid programs in practice from running. It can also miss safety violations
in complex conditions. Recent work proposes adding runtime checks to mitigate
these limitations, but they narrowly target specific cases. Their
instrumentations...

134. BPF Verifier Visualizer

Ihor Solodrai (Meta Platforms, Inc.), Jordan Rome

Writing non-trivial BPF programs presents a unique challenge because of the constraints enforced by the BPF verifier. If a program fails to load, the verifier emits a log containing a complete trace of its evaluation with various debugging information. Interpreting such a log to track down the root cause of a failure can be difficult, especially for developers new to BPF.

BPF Verifier...

107. From Projects to Ecosystems: Lessons from the eBPF Foundation

Mr Bill Mulligan

The eBPF Foundation is rethinking what an open source foundation can be by shifting from simply stewarding projects to actively building an ecosystem around a powerful enabling technology like eBPF.

This session will highlight investments like security audits, research grants, funding for directed development, face to face meeting sponsorship, and documenting the ecosystem’s evolution like...

65. “Is Upstream Really Enough?” — Practical Realities of Using eBPF in Long-Term Supported Systems

Kenta Tada

eBPF has emerged as a foundational technology for building observability, networking, and security tooling across modern Linux systems. However, in long-term supported (LTS) and embedded environments—such as automotive or industrial platforms—the deployment of eBPF-based software remains fraught with challenges. These range from kernel version divergence and verifier incompatibilities to...

281. bpf tracing multi-link supporting

Mr Menglong Dong (ChinaTelecom)

For now, tracing-type BPF programs and BPF trampolines adopt a per-function design, requiring the creation of independent instances for each kernel function to be traced. This leads to significant inefficiencies in large-scale tracing scenarios (e.g., monitoring hundreds or thousands of kernel functions): not only do redundant instances consume substantial additional memory, but the program...