linux-kernel, operating-system, kernel, reverse-engineering

Is it possible to binary patch a non-critical compare instruction in /boot/vmlinuz and have it run as normal?


In older kernel versions, the instruction count of a single eBPF program is limited to 4096, but I want to load an eBPF program with more than 4096 instructions. I wonder if it is possible to just binary patch the compare instruction in /boot/vmlinuz that checks the instruction count of the eBPF program being loaded, relax the limit, and have the kernel run as normal.


Solution

  • In principle, you can do anything with a binary patch. Binary patching the kernel is mostly the same as patching any other program, although you will need to first decompress the kernel (e.g. with extract-vmlinux) before patching it. (Recompressing the kernel is left as an exercise for the reader - it’s doable, but tricky as you need to glue together a decompression stub with the compressed kernel).

    In the specific example of patching out the 4096 limit, it may or may not be trivial. The limit BPF_MAXINSNS is set to 4096 and is used in several places in the kernel, including as the size of some static arrays, so patching those will be very non-trivial. On the other hand, the patch which lifted the insn count for privileged processes was very simple (https://github.com/torvalds/linux/commit/c04c0d2b968ac45d6ef020316808ef6c82325a82) and would be an easy binary patch to apply. So, depending on the code path you need to trigger, it might be quite easy or quite hard to make this change.
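As an added illustration of the find-and-patch step the answer describes (example code written for this page, not the asker's or the answerer's code, and not a kernel tool): the program below scans a raw, already decompressed code image for the x86-64 encoding `3D imm32` (`cmp eax, imm32`) whose immediate equals 4096, lists every candidate, and rewrites the immediate only at an offset whose bytes exactly match. The image here is a constructed byte buffer standing in for the output of `scripts/extract-vmlinux`; the function names, the `NEW_LIMIT` value and the assumption that the compiler lowered the check to `cmp eax, 0x1000` are all choices made for this example. A real kernel may carry the comparison in another register or as 4095/4097 with a different jump, so every offset a scan reports has to be confirmed with objdump before anything is written back, and, as the answer notes, the constant also appears in places that are not this check.

```c
/*
 * Added example, not code from the question or the answer: a minimal
 * find-and-patch helper for the "compare against BPF_MAXINSNS" step.
 * Assumptions: x86-64, the check was lowered to "cmp eax, imm32"
 * (opcode 0x3D) with imm32 == 4096, and the input is an already
 * decompressed image (what scripts/extract-vmlinux emits), replaced
 * here by a constructed byte buffer so the program runs offline.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BPF_MAXINSNS   4096u
#define NEW_LIMIT      1000000u  /* larger limit chosen arbitrarily for this example */
#define OP_CMP_EAX_IMM 0x3Du     /* x86: 3D id = cmp eax, imm32 (5 bytes) */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed stand-in for a few bytes of decompressed kernel text. */
static const uint8_t kSample[] = {
    0x8B, 0x47, 0x08,                   /* mov eax,[rdi+8]  load insn_cnt */
    0x3D, 0x00, 0x10, 0x00, 0x00,       /* cmp eax,0x1000   the load-time check */
    0x77, 0x10,                         /* ja  +0x10        -> reject path */
    0x81, 0xF9, 0x00, 0x10, 0x00, 0x00, /* cmp ecx,0x1000   same limit, other encoding */
    0x3D, 0x00, 0x10, 0x00, 0x00,       /* cmp eax,0x1000   a second use of the limit */
    0xC3                                /* ret */
};

/* Record every offset of "cmp eax, old_imm". Returns the total count even
 * when more than max were found, so the caller can see the ambiguity. */
size_t find_cmp_imm(const uint8_t *img, size_t len, uint32_t old_imm,
                    size_t *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i + 5 <= len; i++) {
        if (img[i] == OP_CMP_EAX_IMM && rd32le(img + i + 1) == old_imm) {
            if (n < max) out[n] = i;
            n++;
        }
    }
    return n;
}

/* Broader scan: every little-endian 32-bit occurrence of the limit, whatever
 * instruction or data carries it. Shows that the constant turns up in more
 * places than the one compare you want to change. */
size_t find_imm32(const uint8_t *img, size_t len, uint32_t imm,
                  size_t *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (rd32le(img + i) == imm) {
            if (n < max) out[n] = i;
            n++;
        }
    }
    return n;
}

/* Rewrite the immediate of one confirmed "cmp eax, old_imm" at off.
 * Refuses (returns -1) unless exactly the expected bytes are there. */
int patch_cmp_imm(uint8_t *img, size_t len, size_t off,
                  uint32_t old_imm, uint32_t new_imm) {
    if (off + 5 > len || img[off] != OP_CMP_EAX_IMM ||
        rd32le(img + off + 1) != old_imm)
        return -1;
    wr32le(img + off + 1, new_imm);
    return 0;
}

/* Patch the first candidate in a copy of the sample and read it back. */
uint32_t demo_patch(void) {
    uint8_t img[sizeof kSample];
    size_t offs[8];
    memcpy(img, kSample, sizeof img);
    if (find_cmp_imm(img, sizeof img, BPF_MAXINSNS, offs, 8) == 0)
        return 0;
    if (patch_cmp_imm(img, sizeof img, offs[0], BPF_MAXINSNS, NEW_LIMIT) != 0)
        return 0;
    return rd32le(img + offs[0] + 1);
}

/* With a path argument: list candidates in a real decompressed image
 * (read-only; confirm each offset with objdump before writing anything).
 * Without one: run on the constructed sample. */
int main(int argc, char **argv) {
    const uint8_t *img = kSample;
    size_t len = sizeof kSample, offs[64], n;
    uint8_t *file = NULL;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END); len = (size_t)ftell(f); rewind(f);
        file = malloc(len);
        if (!file || fread(file, 1, len, f) != len) { fclose(f); return 1; }
        fclose(f);
        img = file;
    }
    n = find_cmp_imm(img, len, BPF_MAXINSNS, offs, 64);
    for (size_t i = 0; i < n && i < 64; i++)
        printf("cmp eax,0x%x at offset 0x%zx\n", BPF_MAXINSNS, offs[i]);
    printf("%zu cmp candidates, %zu raw occurrences of the constant\n",
           n, find_imm32(img, len, BPF_MAXINSNS, offs, 64));
    if (argc == 1)
        printf("sample patched to %u\n", demo_patch());
    free(file);
    return 0;
}
```

On the constructed sample the narrow scan reports two `cmp eax,0x1000` sites while the raw scan finds the constant three times (the `cmp ecx,0x1000` form is missed by the opcode-specific search), which is the practical shape of the answer's warning: the cheap patch is the one compare on the path you actually hit, and a blind search-and-replace of the constant is not it. Running the tool against a real `extract-vmlinux` output only lists offsets; writing the patched image back, re-compressing it and re-attaching the decompression stub are the separate steps the answer leaves to the reader.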