Commit Graph

110 Commits

Author SHA1 Message Date
Kyle Evans
9892cc9ad4 stand: zfs: Free bouncebuf on error path in vdev_read
r344226 inadvertently added this path in which we return from failure on an
lseek and do not free bouncebuf on the way out.

MFC after:	3 days
2019-05-31 17:44:22 +00:00
Xin LI
12d62cc2d7 Unexpand be32dec().
MFC after:	2 weeks
2019-05-30 02:23:57 +00:00
Toomas Soome
93a2d4c92f loader: malloc+memset is calloc in spa_create
Replace malloc + memset pair with calloc.
2019-05-29 07:33:51 +00:00
Toomas Soome
51e5c6b89e loader: zfs_alloc and zfs_free should use panic
The zfs alloc and free code print out the error and get stuck in infinite loop; use panic() instead.
2019-05-29 07:24:10 +00:00
Simon J. Gerraty
2ef9ff7dd3 ficl pfopen: verify file
If the file is verified - do not allow write
otherwise do not allow read.

Add O_ACCMODE to stand.h

Reviewed by:	stevek, mindal_semihalf.com
MFC after:	3 days
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org/D20387
2019-05-24 19:43:38 +00:00
Xin LI
c9083b850a Move contrib/zlib to sys/contrib/zlib so that we can use it in kernel.
This is a prerequisite of unifying kernel zlib instances.

Submitted by:	Yoshihiro Ota <ota at j.email.ne.jp>
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D20191
2019-05-08 08:43:15 +00:00
Ian Lepore
14243f8de7 Distinguish between "no partition" and "choose best partition" with a constant.
The values of the d_slice and d_partition fields of a disk_devdesc have a
few values with special meanings in the disk_open() routine. Through various
evolutions of the loader code over time, a d_partition value of -1 has
meant both "use the first ufs partition found in the bsd label" and "don't
open a bsd partition at all, open the raw slice."

This defines a new special value of -2 to mean open the raw slice, and it
gives symbolic names to all the special values used in d_slice and
d_partition, and adjusts all existing uses of those fields to use the new
constants.

The phab review for this timed out without being accepted, but I'm still
citing it below because there is useful commentary there.

Differential Revision:	https://reviews.freebsd.org/D19262
2019-03-24 18:51:52 +00:00
Simon J. Gerraty
8df8b2d3e5 Enable veriexec for loader
This relies on libbearssl and libsecureboot
to verify files read by loader in a maner equivalent
to how mac_veriexec

Note: disabled by default.
Use is initially expected to be by embeded vendors

Reviewed by:	emaste, imp
Sponsored by:	Juniper Networks
Differential Revision:	D16336
2019-02-26 06:22:10 +00:00
Toomas Soome
6cea60aef5 loader: really fix cd9660 dirmatch
The cd9660_open() does pass whole path to dirmatch() and we need to
compare only the current path component, not full path.

Additinally, skip over duplicate / (if any) and check if the last component
in the path was meant to be directory (having trailing /). If it is in fact
a file, error out.
2019-02-20 21:07:09 +00:00
Toomas Soome
61250f78c4 cd9660: dirmatch fails to unmatch when name is prefix for directory record
Loader does fail to properly match the file name in directory record and
does open file based on prefix match.

For fix, we check the name lengths first.

Reviewed by:	allanjude
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D19213
2019-02-18 08:26:18 +00:00
Patrick Kelsey
a070559721 It turns out r344226 narrowed the overrun bug but did not eliminate it entirely
This commit fixes a remaining output buffer overrun in the
single-sector case when there is a non-zero tail.

Reviewed by:	allanjude, tsoome
MFC after:	3 months
MFC with:	r344226
Differential Revision:	https://reviews.freebsd.org/D19220
2019-02-17 17:47:08 +00:00
Patrick Kelsey
07362361e0 Fix memory corruption bug introduced in r325310
The bug occurred when a bounce buffer was used and the requested read
size was greater than the size of the bounce buffer.  This commit also
rewrites the read logic so that it is easier to systematically verify
all alignment and size cases.

Reviewed by:	allanjude, tsoome
MFC after:	3 months
Differential Revision:	https://reviews.freebsd.org/D19140
2019-02-17 03:35:15 +00:00
Warner Losh
52467047aa Regularize the Netflix copyright
Use recent best practices for Copyright form at the top of
the license:
1. Remove all the All Rights Reserved clauses on our stuff. Where we
   piggybacked others, use a separate line to make things clear.
2. Use "Netflix, Inc." everywhere.
3. Use a single line for the copyright for grep friendliness.
4. Use date ranges in all places for our stuff.

Approved by: Netflix Legal (who gave me the form), adrian@ (pmc files)
2019-02-04 21:28:25 +00:00
Toomas Soome
5e84b57828 libsa: add asprintf()
asprintf() is a nice tool for string processing.

MFC after:	2 weeks
2019-01-17 22:00:02 +00:00
Toomas Soome
7c52f914db loader should ignore active multi_vdev_crash_dump feature on zpool
Since the loader zfs reader does not need to read the dump zvol, we can
just enable the feature.

illumos issue #9051 https://www.illumos.org/issues/9051

MFC after:	2 weeks
2019-01-17 21:52:41 +00:00
Matt Macy
fbeb31a26b MK_ZFS -> {MK_ZFS|MK_LOADER_ZFS}, this is so we can diable userland / kernel
ZFS but keep the boot-loaders when using ZoL port.

MFC after: 1 week
Reviewed by: rgrimes
Differential Revision: https://reviews.freebsd.org/D18739
2019-01-05 22:45:20 +00:00
Rebecca Cran
d5cee48f3e Wait a maximum of 300 seconds for network send/recv in libsa
The reason for this change is that currently, a send/recv
takes many hours to time out.
This is suboptimal in the bootloader because it means for example
that NFS will take hours to fail before allowing subsequent access
methods such as gzip to be tried.

Setting MAXWAIT to 300 seconds (5 minutes) still allows slow
connections of 1Mb to be used to download a 30MB kernel file.

Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D18544
2018-12-20 19:27:46 +00:00
Toomas Soome
4f22b40a32 loader: zfs reader should not probe partitionless disks (UEFI case)
With r342151 I did fix the BIOS version of zfs_probe_dev() from accessing
the whole disk, but the fix was not complete - we actually did not check
if the device name was really for whole disk. Since UEFI version
is only calling the zfs_probe_dev() with partitions and not with whole
disk, the UEFI loader was not able to find the zfs pools.

This update does correct the issue by calling archsw.arch_getdev() to
translate the device name back to dev_desc, and we have whole disk when both
partition and slice values are -1.

Reported by:	alvisen_gmail.com
Differential Revision:	https://reviews.freebsd.org/D18558
2018-12-17 07:43:29 +00:00
Toomas Soome
1309bed839 loader: zfs reader should not probe partitionless disks
First of all, normal setups can not boot such pools as the tools
do not support installing boot programs.

Secondly, for proper pool configuration detection, we need to checks all
four label copies on disk, 2 from front and 2 from the end of the disk,
but zfs label does not contain the size of the disk - so we depend on
firmware to report the correct disk size or use information from the
partition table.

Without partition table, we only can rely on firmware to report and support
disk IO properly.

There is a specific case: 8TB disks are reported by BIOS to have 4294967295
sectors (0x00000000ffffffff), the sectors reported by OS is 15628053168
(0x00000003a3812ab0), so the reported size is less than actual but is hitting
32-bit max. Unfortuantely the real limit must be even lower because probing
this disk in this system will wnd up with hung system.

UEFI boot of this system seems not to be affected.

Reviewed by:	imp
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D18558
2018-12-16 08:58:14 +00:00
Kirk McKusick
fb14e73cb4 Normally when an attempt is made to mount a UFS/FFS filesystem whose
superblock has a check-hash error, an error message noting the
superblock check-hash failure is printed and the mount fails. The
administrator then runs fsck to repair the filesystem and when
successful, the filesystem can once again be mounted.

This approach fails if the filesystem in question is a root filesystem
from which you are trying to boot. Here, the loader fails when trying
to access the filesystem to get the kernel to boot. So it is necessary
to allow the loader to ignore the superblock check-hash error and make
a best effort to read the kernel. The filesystem may be suffiently
corrupted that the read attempt fails, but there is no harm in trying
since the loader makes no attempt to write to the filesystem.

Once the kernel is loaded and starts to run, it attempts to mount its
root filesystem. Once again, failure means that it breaks to its prompt
to ask where to get its root filesystem. Unless you have an alternate
root filesystem, you are stuck.

Since the root filesystem is initially mounted read-only, it is
safe to make an attempt to mount the root filesystem with the failed
superblock check-hash. Thus, when asked to mount a root filesystem
with a failed superblock check-hash, the kernel prints a warning
message that the root filesystem superblock check-hash needs repair,
but notes that it is ignoring the error and proceeding. It does
mark the filesystem as needing an fsck which prevents it from being
enabled for writing until fsck has been run on it. The net effect
is that the reboot fails to single user, but at least at that point
the administrator has the tools at hand to fix the problem.

Reported by:    Rick Macklem (rmacklem@)
Discussed with: Warner Losh (imp@)
Sponsored by:   Netflix
2018-12-06 00:09:39 +00:00
Ian Lepore
df108aafe9 Eliminate duplicated code and struct member definitions in the handoff
of args data between gptboot/zfsboot and loader(8).

Despite what seems like a lot of changes here, there are no actual
changes in behavior, or in the data layout in the structures involved.
This is just eliminating identical code pasted into multiple locations.

In detail, the changes are...

- Move struct zfs_boot_args definition from libsa/zfs/libzfs.h to
  i386/common/bootargs.h because it is specific to x86 booting and the
  handoff between zfsboot and loader, and has no relation to the zfs
  library code in general.

- The geli_boot_args and zfs_boot_args structs both contain an identical
  set of member variables containing geli information.  Extract this out
  to a new geli_boot_data struct, and embed it in the arg-passing structs.

- Provide new routines geli_import_boot_data() and geli_export_boot_data()
  that can be shared between gptboot, zfsboot, and loader instead of
  pasting identical code into several different .c files.

- Remove some checks for a NULL pointer that can never be true because the
  pointer being tested was set using pointer math (kargs + 1) and that can
  never result in NULL in this code.
2018-12-03 03:58:30 +00:00
Maxim Sobolev
55d5c94943 The libstand's panic() appends its own '\n' to the message, so that users of the API
don't need to supply one.

MFC after:	2 weeks
2018-11-29 18:37:48 +00:00
Toomas Soome
3c3779dc20 libsa: cstyle cleanup tftp.c
No functinal changes intended.
2018-11-01 22:13:18 +00:00
Toomas Soome
c658866914 libsa: tftp should use calloc
instead of malloc() memset(), use calloc().
2018-11-01 13:29:55 +00:00
Toomas Soome
f442898fe7 libsa: tftp should not read past file end
When we have the file size via tsize option, use it to make sure we
will not attempt to read past file end.
2018-11-01 13:12:05 +00:00
Gleb Smirnoff
9319dded3d Remove unnecessary include from libstand. 2018-10-31 19:59:20 +00:00
Konstantin Belousov
ad6f5f9ab5 Fix stand/ build after r339671.
ffs_subr.c requires calculate_crc32c() from libkern.  Unfortunately we
cannot just add libkern/crc32.c to libstand because crc32.o is already
compiled from contrib/zlib/crc32.c. Use the include trick to rename
the source.

Note that libstand also provides crc32.c which seems to be unused.

Reviewed by:	imp
Sponsored by:	The FreeBSD Foundation
Differential revision:	https://reviews.freebsd.org/D17677
2018-10-23 23:11:38 +00:00
Toomas Soome
bb489cd7ad libsa: re-send ACK for older data packets in tftp
In current tftp code we drop out-of-order packets; however, we should play
nice and re-send ACK for older data packets we are receiving. This will
hopefully stop server repeating those packets we already have received.
Note we do not answer duplicates from "previous" session (that is, session
with different port number), those will eventually time out.

Differential Revision:	https://reviews.freebsd.org/D17087
2018-10-23 13:38:39 +00:00
Toomas Soome
7e63e808d7 libsa: validate tftp_makereq() after we did reset the read
The name check referred in the comment is not the only possible error source,
we need to validate the result.

Reviewed by:	allanjude
Approved by:	re (kib)
Differential Revision:	https://reviews.freebsd.org/D17081
2018-09-09 06:30:15 +00:00
Toomas Soome
7ee96df3b3 libsa: memory leak in tftp_open()
tftpfile is allocated just above and needs to be freed.

Reviewed by:	imp
Approved by:	re (kib)
Differential Revision:	https://reviews.freebsd.org/D17058
2018-09-08 19:17:22 +00:00
Kyle Evans
63d8b6ea21 libsa: Add lshrdi3.c for powerpc* and mips 2018-08-19 14:48:32 +00:00
Warner Losh
bd7c104abf Add ashldi3 and ashrdi3 to mips.
Now that we're using -Os, mips needs these routines.
2018-08-16 19:39:02 +00:00
Toomas Soome
5257ddd31b libsa: zfs_probe() needs to set spa to NULL
Silence the warning about possibly uninitialized use of spa.
2018-08-15 21:38:06 +00:00
Kyle Evans
99a9cf5164 pkgfs_init: Initialize pkg
new_package may not set *pp if it errors out, leaving pkg uninitialized.

Reported by:	GCC
2018-08-15 21:13:10 +00:00
Kyle Evans
77a52e3f15 libsa: exit on EOF in ngets
It was possible in some rare circumstances for ngets to behave terribly with
bhyveload and some form of redirecting user input over a pipe.

PR:		198706
Submitted by:	Ivan Krivonos <int0dster@gmail.com>
MFC after:	1 week
2018-08-09 02:55:48 +00:00
Toomas Soome
6938805f41 libsa: gzipfs.c converts pointers to integer types with different sign
Signed versus unsigned char.
2018-08-07 10:53:51 +00:00
Toomas Soome
513f7db592 libsa: dos_checksum() should take unsigned chars
Fix pointers to integers with different sign issue.
2018-08-07 10:48:36 +00:00
Toomas Soome
17e2c2661b libsa: dereferencing type-punned pointer in cd9660
The warning is given by gcc build, but it is good to fix anyhow.
use bcopy instead of direct assignment.
2018-08-02 06:22:10 +00:00
Toomas Soome
8696ce6e29 libsa: assignment to char * from u_char *
Cast to char * instead of u_char *
2018-08-01 12:14:10 +00:00
Toomas Soome
d07ea92f55 libsa: bootp is using pointers with different sign
Just change bp_file to char and same for variable s.
2018-08-01 12:06:39 +00:00
Toomas Soome
eba1bc411b libsa: pointer differs in signedness
A small cleanup, fix the argument type and while there, replace (char *)0 with
NULL.
2018-08-01 11:40:52 +00:00
Warner Losh
47bec71dd0 Use if rather than case for a simple boolean. gcc thinks blks is
undefined sometimes with the case, but enc is always 0 or 1, so
and if / else is better anyway.
2018-07-13 18:19:33 +00:00
Ian Lepore
c1418270b2 Extend loader(8) geli support to all architectures and all disk-like devices.
This moves the bulk of the geli support from lib386/biosdisk.c into a new
geli/gelidev.c which implements a devsw-type device whose dv_strategy()
function handles geli decryption. Support for all arches comes from moving
the taste-and-attach code to the devopen() function in libsa.

After opening any DEVT_DISK device, devopen() calls the new function
geli_probe_and_attach(), which will "attach" the geli code to the open_file
struct by creating a geli_devdesc instance to replace the disk_devdesc
instance in the open_file. That routes all IO for the device through the
geli code.

A new public geli_add_key() function is added, to allow arch/vendor-specific
code to add keys obtained from custom hardware or other sources.

With these changes, geli support will be compiled into all variations of
loader(8) on all arches because the default is WITH_LOADER_GELI.

Relnotes:	yes
Sponsored by:	Microchip Technology Inc
Differential Revision:	https://reviews.freebsd.org/D15743
2018-07-13 17:50:25 +00:00
Warner Losh
25bc561e68 There's two files in the sys tree named inflate.c, in addition
to it being a common name elsewhere. Rename the old kzip one
to subr_inflate.c.

This actually fixes the build issues on sparc64 that my inclusion of
.PATH ${SYSDIR}/kern created in r336244, so also revert the broken
workaround I committed in r336249.

This slipped passed me because apparently, I never did a clean build.
2018-07-13 17:41:28 +00:00
Warner Losh
623810105e Fix sparc64 builds
gcc is complaining about struct infate being defined in a parameter
list. It's inclear how long this has been broken, but the fix is
simple enough.
2018-07-13 17:15:14 +00:00
Warner Losh
52379d36a9 Create helper functions for parsing boot args.
boot_parse_arg		to parse a single arg
boot_parse_cmdline	to parse a command line string
boot_parse_args		to parse all the args in a vector
boot_howto_to_env	Convert howto bits to env vars
boot_env_to_howto	Return howto mask mased on what's set in the environment.

All these routines return an int that's the bitmask of the args
translated to RB_* flags. As a special case, the 'S' flag sets the
comconsole_speed env var. Any arg that looks like a=b will set the env
key 'a' to value 'b'. If =b is omitted, 'a' is set to '1'.  This
should help us reduce the number of redundant copies of these routines
in the tree.  It should also give a more uniform experience between
platforms.

Also, invent a new flag RB_PROBE that's set when 'P' is parsed.  On
x86 + BIOS, this means 'probe for the keyboard, and if it's not there
set both RB_MULTIPLE and RB_SERIAL (which means show the output on
both video and serial consoles, but make serial primary).  Others it
may be some similar concept of probing, but it's loader dependent
what, exactly, it means.

These routines are suitable for /boot/loader and/or the kernel,
though they may not be suitable for the tightly hand-rolled-for-space
environments like boot2.

Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D16205
2018-07-13 16:43:05 +00:00
Warner Losh
b8902de147 Move ZFS files into libsa
Move the libzfs stuff into libsa. There's no need for it to be a
separate library. The separate library adds to the issues of build
ordering that we see from time to time. Move the filesystem support
into libsa, like all the other filesystem support rather than making
zfs the odd-duck out.

Discussed with: allanjude@
2018-07-08 07:42:49 +00:00
Warner Losh
52666d3675 Remove stray debugging line.
Noticed by: ian@
2018-06-18 19:53:11 +00:00
Warner Losh
62bd02cee5 stand: move libgeliboot into libsa.
Reduce by 1 the number of crazy libraries we need in stand by moving
geli into libsa (where architecturally it belonged all along). This
just moves things around without any code changes.
2018-06-18 16:24:42 +00:00
Toomas Soome
3557869e5f libsa: open() should use NULL instead of typecasted 0 2018-06-14 16:11:50 +00:00