
How to Quickly Find Linux Kernel Function Addresses Using System.map, vmlinux, /proc/kallsyms, and Kernel APIs

This guide explains four practical techniques—parsing System.map, using vmlinux with nm/objdump/readelf, reading /proc/kallsyms, and calling kernel lookup APIs—to locate the exact address of any Linux kernel function for deeper debugging.

Liangxu Linux

When debugging the Linux kernel you often need to translate a function name to its runtime address or reverse‑lookup an address to the corresponding symbol. The following four techniques cover offline analysis using build artifacts and online inspection of a running kernel.

1. System.map

The kernel build generates a System.map file that is the kernel’s symbol table. Each line consists of three whitespace‑separated fields:

Address – the virtual address of the symbol in kernel memory.

Type – a one‑letter code (e.g., T for a global function, t for a local function, A for absolute, etc.).

Name – the symbol name (function or variable).

To find the address of do_fork:

grep 'do_fork' System.map

Typical output:

c0105020 T do_fork

Here c0105020 is the address and T indicates a global function.

2. vmlinux

The uncompressed kernel image vmlinux contains the same symbol information and can be queried with standard ELF utilities.

2.1 nm

nm lists symbols from an object file. Example to locate do_fork:

nm vmlinux | grep "do_fork"

Or to find a symbol by address (e.g., c0105020):

nm vmlinux | grep c0105020

The output format matches System.map (address, type, name).

2.2 objdump

objdump -d vmlinux disassembles the kernel. Grep for a function name to obtain its address:

objdump -d vmlinux | grep "do_fork"

To dump the entire kernel for offline browsing:

objdump -D vmlinux > vmlinux_dump.txt

2.3 readelf

readelf -s vmlinux prints the symbol table. Filter with grep:

readelf -s vmlinux | grep "do_fork"

Sample line:

56481: c10601e0 96 FUNC GLOBAL DEFAULT 1 do_fork

The address is c10601e0.

3. /proc/kallsyms

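If the kernel is built with CONFIG_KALLSYMS=y, the virtual file /proc/kallsyms lists all symbols of the running kernel. Use standard text tools to search:

cat /proc/kallsyms | grep " do_fork"

Example output:

ffffffff810b57b0 T do_fork

The address is the 64‑bit kernel virtual address shown. If every address prints as 0000000000000000, kernel pointer exposure is restricted (see the kernel.kptr_restrict sysctl) and the read needs sufficient privilege, typically root. On kernels running with KASLR, these runtime addresses differ from the link-time values in System.map and vmlinux.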
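Both lookup directions over System.map or /proc/kallsyms text, as an added example that is not part of the original article. It goes beyond the exact-match grep shown above by resolving an address inside a function to the nearest symbol plus offset; the function names and all sample lines except the do_fork one are constructed for illustration.

```python
import bisect

# Constructed sample in the "address type name [module]" layout shared by
# System.map and /proc/kallsyms. Only the do_fork line comes from the article.
SAMPLE = """\
ffffffff810b5600 t copy_process
ffffffff810b57b0 T do_fork
ffffffff810b5810 T sys_fork
ffffffff81a00000 D init_task
ffffffffa0001000 t helper_fn\t[demo_mod]
"""

def parse_symbols(text):
    """Parse symbol-table text into (addr, type, name, module), sorted by addr."""
    syms = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or truncated lines
        module = fields[3].strip("[]") if len(fields) > 3 else None
        syms.append((int(fields[0], 16), fields[1], fields[2], module))
    return sorted(syms, key=lambda s: s[0])

def addresses_hidden(syms):
    """True if every address is 0, which is what a read of /proc/kallsyms
    returns when kernel pointers are hidden from the caller."""
    return bool(syms) and all(s[0] == 0 for s in syms)

def lookup_name(syms, name):
    """Name -> list of addresses (static symbols can share a name)."""
    return [addr for addr, _t, sym, _m in syms if sym == name]

def lookup_address(syms, address):
    """Address -> 'name+0xoffset' from the nearest symbol at or below it.
    Sizes are not in this format, so an address past the end of the last
    symbol still resolves to that symbol."""
    i = bisect.bisect_right([s[0] for s in syms], address) - 1
    if i < 0:
        return None
    addr, _t, name, module = syms[i]
    return f"{name}+{address - addr:#x}" + (f" [{module}]" if module else "")

if __name__ == "__main__":
    table = parse_symbols(SAMPLE)
    print([hex(a) for a in lookup_name(table, "do_fork")])
    print(lookup_address(table, 0xffffffff810b57cc))
```

To use it on a real system, pass the contents of System.map or /proc/kallsyms to parse_symbols and check addresses_hidden before trusting any result.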

4. Kernel API

Kernel code can query the symbol table at runtime when CONFIG_KALLSYMS=y is enabled.

kallsyms_lookup_name

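#include <linux/kallsyms.h>
unsigned long addr = kallsyms_lookup_name("do_fork");

Returns the address of the named symbol (or 0 if not found). Since Linux 5.7 this function is no longer exported to loadable modules, so only built-in kernel code can call it directly.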

sprint_symbol

#include <linux/kallsyms.h>
int sprint_symbol(char *buf, unsigned long address);

Fills buf with the symbol name that corresponds to address. Useful for printing symbolic information inside the kernel.

These four approaches—static System.map, offline inspection of vmlinux with nm / objdump / readelf, the live /proc/kallsyms view, and the in‑kernel API—provide flexible ways to obtain kernel function addresses for debugging and analysis.
