Tracing Linux Soft Interrupts with eBPF: Measuring Processing Time

We learn to use an eBPF program to trace Linux soft interrupts (softirqs) and record their processing time. The eBPF program is attached at the entry and exit of the interrupt handler, captures timing information, and stores it in eBPF maps for later retrieval.

What is a Linux soft interrupt

Softirqs are a kernel subsystem that run in kernel context to finish work that hard interrupts cannot handle immediately. Each CPU creates a ksoftirqd kernel thread responsible for processing various softirq events.

Typical softirq scenario

When a network card receives a packet, the ksoftirqd thread invokes the driver’s poll function, reads the packet from a ring buffer, and performs further processing.

eBPF program structure

(1) Define a per‑CPU array map to store the start timestamp of a softirq handling.

struct{ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); __uint(max_entries,1); __type(key, u32); __type(value, u64); } startSEC(".maps");

(2) Define global arrays for statistics.

__u64 counts[NR_SOFTIRQS] = {};
__u64 time[NR_SOFTIRQS] = {};
struct hist hists[NR_SOFTIRQS] = {};

The counts array stores the number of occurrences, time stores total handling time, and hists stores a latency histogram.

(3) Entry handler: capture the current time ts (the start of processing) and store it in the map.

(4) Exit handler: verify the interrupt number vec_nr, read the start time from the map, compute the duration (current time minus start time, converting to µs if nanosecond mode is disabled), and update the statistics. If histogram mode is enabled, compute the logarithmic slot and update hists.

Attaching the eBPF program

SEC("raw_tp/softirq_entry")
int BPF_PROG(softirq_entry, unsigned int vec_nr)
{ return handle_entry(vec_nr); }

SEC("raw_tp/softirq_exit")
int BPF_PROG(softirq_exit, unsigned int vec_nr)
{ return handle_exit(vec_nr); }

The program is mounted on the raw tracepoint events softirq_entry and softirq_exit. When a softirq occurs—e.g., a network packet arrives—the eBPF program runs automatically.

User‑space consumption

A user‑space program reads the eBPF maps and prints the collected softirq information in various formats (the video demonstration is referenced in the original article).

Details of the user‑space part are omitted; interested readers can contact the author.