Re: [PATCH bpf-next v3 0/6] bpf: add __user tagging support in vmlinux BTF

From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: Yonghong Song <yhs@fb.com>
Cc: Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>, bpf <bpf@vger.kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Arnaldo Carvalho de Melo <arnaldo.melo@gmail.com>,
	"Jose E . Marchesi" <jose.marchesi@oracle.com>,
	Kernel Team <kernel-team@fb.com>,
	Masami Hiramatsu <mhiramat@kernel.org>
Subject: Re: [PATCH bpf-next v3 0/6] bpf: add __user tagging support in vmlinux BTF
Date: Thu, 27 Jan 2022 12:17:59 -0800	[thread overview]
Message-ID: <CAADnVQLWL5Dx00FJGdQ6BgsAYW1p4bJ=juLNk4-uk+oe-f9Mcg@mail.gmail.com> (raw)
In-Reply-To: <20220127154555.650886-1-yhs@fb.com>

On Thu, Jan 27, 2022 at 7:46 AM Yonghong Song <yhs@fb.com> wrote:
>
> The __user attribute is currently mainly used by sparse for type checking.
> The attribute indicates whether a memory access is in user memory address
> space or not. Such information is important during tracing kernel
> internal functions or data structures as accessing user memory often
> has different mechanisms compared to accessing kernel memory. For example,
> the perf-probe needs explicit command line specification to indicate a
> particular argument or string in user-space memory ([1], [2], [3]).
> Currently, vmlinux BTF is available in kernel with many distributions.
> If __user attribute information is available in vmlinux BTF, the explicit
> user memory access information from users will not be necessary as
> the kernel can figure it out by itself with vmlinux BTF.
>
> Besides the above possible use for perf/probe, another use case is
> for bpf verifier. Currently, for bpf BPF_PROG_TYPE_TRACING type of bpf
> programs, users can write direct code like
>   p->m1->m2
> and "p" could be a function parameter. Without __user information in BTF,
> the verifier will assume p->m1 accessing kernel memory and will generate
> normal loads. Let us say "p" actually tagged with __user in the source
> code.  In such cases, p->m1 is actually accessing user memory and direct
> load is not right and may produce incorrect result. For such cases,
> bpf_probe_read_user() will be the correct way to read p->m1.
>
> To support encoding __user information in BTF, a new attribute
>   __attribute__((btf_type_tag("<arbitrary_string>")))
> is implemented in clang ([4]). For example, if we have
>   #define __user __attribute__((btf_type_tag("user")))
> during kernel compilation, the attribute "user" information will
> be preserved in dwarf. After pahole converting dwarf to BTF, __user
> information will be available in vmlinux BTF and such information
> can be used by bpf verifier, perf/probe or other use cases.
>
> Currently btf_type_tag is only supported in clang (>= clang14) and
> pahole (>= 1.23). gcc support is also proposed and under development ([5]).
>
> In the rest of patch set, Patch 1 added support of __user btf_type_tag
> during compilation. Patch 2 added bpf verifier support to utilize __user
> tag information to reject bpf programs not using proper helper to access
> user memories. Patches 3-5 are for bpf selftests which demonstrate verifier
> can reject direct user memory accesses.
>
>   [1] http://lkml.kernel.org/r/155789874562.26965.10836126971405890891.stgit@devnote2
>   [2] http://lkml.kernel.org/r/155789872187.26965.4468456816590888687.stgit@devnote2
>   [3] http://lkml.kernel.org/r/155789871009.26965.14167558859557329331.stgit@devnote2
>   [4] https://reviews.llvm.org/D111199
>   [5] https://lore.kernel.org/bpf/0cbeb2fb-1a18-f690-e360-24b1c90c2a91@fb.com/
>
> Changelog:
>   v2 -> v3:
>     - remove FLAG_DONTCARE enumerator and just use 0 as dontcare flag.
>     - explain how btf type_tag is encoded in btf type chain.

Applied. Thanks