Re: [PATCH bpf-next v2 1/2] libbpf: allow address-based single kprobe attach

[Hoyeon Lee]

On Tue, Mar 31, 2026 at 9:33 AM Andrii Nakryiko
<andrii.nakryiko@xxxxxxxxx> wrote:
>
> On Sun, Mar 29, 2026 at 5:44 AM Hoyeon Lee <hoyeon.lee@xxxxxxxx> wrote:
> >
> > bpf_program__attach_kprobe_opts() currently attaches a single kprobe only
> > by func_name, with an optional offset. This covers only the symbol-
>
> have you tried passing NULL for func_name and specifying absolute
> address in opts.offset? Looking at the code I don't see why that won't
> work, we don't enforce func_name to be non-NULL
>
> This NULL will turn into config1 = 0, and offset will be config 2,
> which I think is what you want to attach by address, according to
> perf_event_open documentation
>
>                union {
>                    __u64 bp_addr;          /* breakpoint address */
>                    __u64 kprobe_func;      /* for perf_kprobe */
>                    __u64 uprobe_path;      /* for perf_uprobe */
>                    __u64 config1;          /* extension of config */
>                };
>
>                union {
>                    __u64 bp_len;           /* breakpoint size */
>                    __u64 kprobe_addr;      /* with kprobe_func == NULL */
>                    __u64 probe_offset;     /* for perf_[k,u]probe */
>                    __u64 config2;          /* extension of config1 */
>                };
>
> This is the same approach as with uprobes, btw.
>
>

I tested this after your comment, and you are right. For PMU-based
non-legacy attach, func_name = NULL with opts.offset = <raw-address>
already works today.

However, this does not work for legacy tracefs/debugfs kprobes, because
the tracefs event string formatting still expects symbol-based input.

So for v3, instead of adding new field to bpf_kprobe_opts(), I'll document
that offset can be treated as an absolute address when func_name = NULL,
and make legacy path support the same raw-address form as well.

> > based form, not the raw-address form that the kernel already supports
> > for both kprobe PMU events and legacy tracefs/debugfs kprobes. Callers
> > that already have a target IP still have to drop down to
> > perf_event_open() or direct tracefs writes.
> >
> > libbpf already exposes address-based attach for kprobe_multi through
> > bpf_kprobe_multi_opts.addrs. This commit adds bpf_kprobe_opts.addr so
> > that single kprobes can be attached either by func_name + offset or by
> > raw address.
> >
> > Signed-off-by: Hoyeon Lee <hoyeon.lee@xxxxxxxx>
> > ---
> >  tools/lib/bpf/libbpf.c | 88 +++++++++++++++++++++++++++++-------------
> >  tools/lib/bpf/libbpf.h |  5 ++-
> >  2 files changed, 65 insertions(+), 28 deletions(-)
> >
>
> [...]