In‑Depth Walkthrough of libbpf vfsstat BPF Program Opening and Initialization

This document provides a step‑by‑step analysis of how the libbpf framework loads the vfsstat.bpf.o object and prepares the eBPF program for kernel attachment.

1. Questions that motivate the study

Why can a BPF program affect the kernel? How does libbpf inject code? What is the ELF format of vfsstat.bpf.o ? What can BPF be used for?

2. vfsstat_bpf__open – opening the BPF object

The function creates a bpf_object_open_opts structure (size and object name), calls bpf_object__open_mem to build a bpf_object from the ELF data, and assigns the maps[0].mmaped field.

2.1 bpf_object__open_skeleton

Initialises skel_opts with default values and forwards to bpf_object__open_mem .

2.2 bpf_object__open_mem / bpf_object_open

Validates the input buffer, then calls bpf_object_open , which performs:

OPTS_VALID macro checks the size and zeroes any fields beyond the last defined one.

bpf_object__new allocates a new bpf_object .

bpf_object__elf_init parses the ELF header.

bpf_object__elf_collect gathers section information.

bpf_object__init_maps creates BPF maps.

bpf_object_init_progs initialises BPF programs.

2.3 OPTS_VALID – parameter validation macro

The macro expands to checks that the sz field is at least sizeof(size_t) and that any bytes beyond the last defined field are zero.

2.4 bpf_object__new – creating a new bpf_object

Allocates memory for the object and initialises the internal elf_state with the raw ELF buffer and its size.

2.5 bpf_object__elf_init – ELF initialisation

Ensures the ELF pointer is NULL, reads the ELF image from memory, validates that it is an ELF64 relocatable file for the BPF machine (e_type = 1, e_machine = 247), and loads the section header string table.

2.5.1 elf_memory / __libelf_read_mmaped_file

Delegates to libelf to map the ELF image and read its header.

2.5.2 file_read_elf

Allocates the ELF structure, reads the ELF header, section headers, and builds an array of Elf_Scn objects.

2.5.3 elf_rawdata

Provides raw section data on demand, using __libelf_set_rawdata_wrlock to fill the buffer.

2.6 bpf_object__elf_collect – collecting sections

Iterates over sections, skips irrelevant ones, and processes symbol tables, string tables, and program sections. It also initialises BTF data.

2.6.1 elf_sec_data – obtaining section data

Calls elf_getdata , which may invoke __libelf_set_rawdata_wrlock and convert_data to produce a usable data buffer.

2.6.2 elf_sec_str – resolving section names

Uses the offset stored in sh_name together with the string‑table section to retrieve human‑readable names such as ".strtab".

2.6.3 elf_sec_str – example of name resolution

Shows how the offset 574 in the string‑table yields the name ".strtab".

2.6.4 bpf_object__add_programs – initialising programs

Scans the symbol table for function symbols (type STT_FUNC ) whose section index matches a program section, extracts the function name, instruction offset and size, and creates a bpf_program object.

The instruction bytes (48 bytes for kprobe/vfs_read ) are displayed and decoded, illustrating BPF opcodes such as BPF_ALU64|BPF_K|BPF_MOV , BPF_LD|BPF_DW|BPF_IMM , BPF_STX|BPF_DW|BPF_XADD , and the final BPF_JMP|BPF_K|BPF_EXIT .

2.7 bpf_object__init_maps – map initialisation

Creates user maps from the symbol table, BTF‑based maps, global data maps (SEC_DATA, SEC_RODATA, SEC_BSS), kconfig maps, and struct‑ops maps.

2.8 bpf_object_init_progs – program initialisation

Matches each program section with a bpf_sec_def (e.g., kprobe sections use attach_kprobe ) and registers the program type.

2.9 Summary of the open phase

The open phase prepares the BPF object, maps, and programs but does not yet communicate with the kernel. The next chapter will cover loading and attaching the program.