Re: bpftool generated jited has unpreventable jump addresses

[Quentin Monnet <qmo@kernel.org>]

2026-03-05 14:54 UTC+0100 ~ Farbod Shahinfar <fshahinfar1@gmail.com>
> Hi,
> 
> I want to prepare a CFG for a jited eBPF program. The output of
> `bpftool prog dump jited id xx` reports jumps with kernel memory
> address (e.g., `ja      0xffffffffc013ad2a`) and it seems impossible
> to infer where the destination of the jump is. I thought maybe by
> knowing the base address of the program, I can manually convert jump
> destinations to relative addresses, but the base address is not known
> by bpftool (As far as I understood looking at the code).


Hi, if I remember correctly you may be able to get the base address for
the image from /proc/kallsyms, depending on your privileges and your
sysctl configuration, see:

https://docs.kernel.org/admin-guide/sysctl/net.html#bpf-jit-kallsyms


> My questions are:
> 1. Is this a real problem or am I missing something (I might be
> because the bpftool already reports CFG for xlated version)


As far as I'm aware, there hasn't been much interest so far in
generating the CFG for the JITed program, knowing that it's already
available for xlated instructions indeed.


> 2. If it is a limitation, how do you suggest to address the problem
> (if it is of interest to others of course). My initial guess is to
> return the load address of the program in the `bpf_prog_info` when
> doing `bpf_prog_get_info_by_fd`


If the sysctl knob is turned off, I'm not sure allowing the extraction
of image addresses through bpftool is a good idea.

Quentin