On Thu, Jan 27, 2022 at 7:46 AM Yonghong Song <yhs@xxxxxx> wrote:
>
> The __user attribute is currently mainly used by sparse for type checking.
> The attribute indicates whether a memory access is in user memory address
> space or not. Such information is important during tracing kernel
> internal functions or data structures as accessing user memory often
> has different mechanisms compared to accessing kernel memory. For example,
> the perf-probe needs explicit command line specification to indicate a
> particular argument or string in user-space memory ([1], [2], [3]).
> Currently, vmlinux BTF is available in kernel with many distributions.
> If __user attribute information is available in vmlinux BTF, the explicit
> user memory access information from users will not be necessary as
> the kernel can figure it out by itself with vmlinux BTF.
>
> Besides the above possible use for perf/probe, another use case is
> for bpf verifier. Currently, for bpf BPF_PROG_TYPE_TRACING type of bpf
> programs, users can write direct code like
>   p->m1->m2
> and "p" could be a function parameter. Without __user information in BTF,
> the verifier will assume p->m1 accessing kernel memory and will generate
> normal loads. Let us say "p" actually tagged with __user in the source
> code. In such cases, p->m1 is actually accessing user memory and direct
> load is not right and may produce incorrect result. For such cases,
> bpf_probe_read_user() will be the correct way to read p->m1.
>
> To support encoding __user information in BTF, a new attribute
>   __attribute__((btf_type_tag("<arbitrary_string>")))
> is implemented in clang ([4]). For example, if we have
>   #define __user __attribute__((btf_type_tag("user")))
> during kernel compilation, the attribute "user" information will
> be preserved in dwarf. After pahole converting dwarf to BTF, __user
> information will be available in vmlinux BTF and such information
> can be used by bpf verifier, perf/probe or other use cases.
>
> Currently btf_type_tag is only supported in clang (>= clang14) and
> pahole (>= 1.23). gcc support is also proposed and under development ([5]).
>
> In the rest of patch set, Patch 1 added support of __user btf_type_tag
> during compilation. Patch 2 added bpf verifier support to utilize __user
> tag information to reject bpf programs not using proper helper to access
> user memories. Patches 3-5 are for bpf selftests which demonstrate verifier
> can reject direct user memory accesses.
>
>   [1] http://lkml.kernel.org/r/155789874562.26965.10836126971405890891.stgit@devnote2
>   [2] http://lkml.kernel.org/r/155789872187.26965.4468456816590888687.stgit@devnote2
>   [3] http://lkml.kernel.org/r/155789871009.26965.14167558859557329331.stgit@devnote2
>   [4] https://reviews.llvm.org/D111199
>   [5] https://lore.kernel.org/bpf/0cbeb2fb-1a18-f690-e360-24b1c90c2a91@xxxxxx/
>
> Changelog:
>   v2 -> v3:
>     - remove FLAG_DONTCARE enumerator and just use 0 as dontcare flag.
>     - explain how btf type_tag is encoded in btf type chain.

Applied. Thanks
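
The check described in the cover letter, as an added example that is not code from the patch set: a simplified model of a BTF type chain (ptr -> type_tag -> base type) and the decision to reject a direct load through a pointer tagged "user". The `mock_type` table, the type ids and the function names are constructed for illustration; only the BTF kind numbers are the kernel's.

```c
#include <stdio.h>
#include <string.h>

/* BTF kind numbers as defined in the kernel's include/uapi/linux/btf.h. */
enum { KIND_INT = 1, KIND_PTR = 2, KIND_STRUCT = 4, KIND_CONST = 10,
       KIND_TYPE_TAG = 18 };

/* Simplified stand-in for struct btf_type (assumption, not the kernel layout). */
struct mock_type { int kind; const char *name; int ref; };

/* Constructed table modelling: struct foo { int m1; };
 * f(struct foo __user *p, struct foo *q, const struct foo __user *r) */
static const struct mock_type types[] = {
    [0] = { 0,             "void", 0 },
    [1] = { KIND_INT,      "int",  0 },
    [2] = { KIND_STRUCT,   "foo",  0 },
    [3] = { KIND_TYPE_TAG, "user", 2 },
    [4] = { KIND_PTR,      "",     3 },  /* p: ptr -> type_tag(user) -> foo */
    [5] = { KIND_PTR,      "",     2 },  /* q: ptr -> foo */
    [6] = { KIND_CONST,    "",     2 },
    [7] = { KIND_TYPE_TAG, "user", 6 },
    [8] = { KIND_PTR,      "",     7 },  /* r: ptr -> type_tag(user) -> const -> foo */
};

/* Return 1 when the pointee of pointer type `id` carries btf_type_tag("user"). */
int ptr_is_user(int id)
{
    if (types[id].kind != KIND_PTR)
        return 0;
    /* Type tags sit directly after the pointer in the chain; walk all of them. */
    for (id = types[id].ref; types[id].kind == KIND_TYPE_TAG; id = types[id].ref)
        if (strcmp(types[id].name, "user") == 0)
            return 1;
    return 0;
}

/* Verifier-style decision: a direct load such as p->m1 is allowed only through
 * a pointer without the "user" tag; otherwise the program has to read the
 * field with bpf_probe_read_user(). */
int direct_load_allowed(int ptr_id)
{
    return types[ptr_id].kind == KIND_PTR && !ptr_is_user(ptr_id);
}

int main(void)
{
    static const int ids[] = { 4, 5, 8 };
    for (int i = 0; i < 3; i++)
        printf("type id %d: %s\n", ids[i], direct_load_allowed(ids[i]) ?
               "direct load accepted" : "rejected, use bpf_probe_read_user()");
    return 0;
}
```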