zfs/cmd/zinject/translate.c

399 lines
9.2 KiB
C
Raw Permalink Normal View History

2008-11-20 20:01:55 +00:00
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or https://opensource.org/licenses/CDDL-1.0.
2008-11-20 20:01:55 +00:00
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
Add support for boot environment data to be stored in the label Modern bootloaders leverage data stored in the root filesystem to enable some of their powerful features. GRUB specifically has a grubenv file which can store large amounts of configuration data that can be read and written at boot time and during normal operation. This allows sysadmins to configure useful features like automated failover after failed boot attempts. Unfortunately, due to the Copy-on-Write nature of ZFS, the standard behavior of these tools cannot handle writing to ZFS files safely at boot time. We need an alternative way to store data that allows the bootloader to make changes to the data. This work is very similar to work that was done on Illumos to enable similar functionality in the FreeBSD bootloader. This patch is different in that the data being stored is a raw grubenv file; this file can store arbitrary variables and values, and the scripting provided by grub is powerful enough that special structures are not required to implement advanced behavior. We repurpose the second padding area in each label to store the grubenv file, protected by an embedded checksum. We add two ioctls to get and set this data, and libzfs_core and libzfs functions to access them more easily. There are no direct command line interfaces to these functions; these will be added directly to the bootloader utilities. Reviewed-by: Pavel Zakharov <pavel.zakharov@delphix.com> Reviewed-by: Matthew Ahrens <mahrens@delphix.com> Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Paul Dagnelie <pcd@delphix.com> Closes #10009
2020-05-07 16:36:33 +00:00
* Copyright (c) 2012, 2020 by Delphix. All rights reserved.
2008-11-20 20:01:55 +00:00
*/
#include <libzfs.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
2008-11-20 20:01:55 +00:00
#include <sys/file.h>
#include <sys/mntent.h>
#include <sys/mnttab.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/dmu.h>
#include <sys/dmu_objset.h>
#include <sys/dnode.h>
#include <sys/vdev_impl.h>
2008-11-20 20:01:55 +00:00
#include <sys/mkdev.h>
#include "zinject.h"
static int debug;
static void
ziprintf(const char *fmt, ...)
{
va_list ap;
if (!debug)
return;
va_start(ap, fmt);
(void) vprintf(fmt, ap);
va_end(ap);
}
static void
compress_slashes(const char *src, char *dest)
{
while (*src != '\0') {
*dest = *src++;
while (*dest == '/' && *src == '/')
++src;
++dest;
}
*dest = '\0';
}
2008-11-20 20:01:55 +00:00
/*
* Given a full path to a file, translate into a dataset name and a relative
* path within the dataset. 'dataset' must be at least MAXNAMELEN characters,
* and 'relpath' must be at least MAXPATHLEN characters. We also pass a stat64
* buffer, which we need later to get the object ID.
*/
static int
parse_pathname(const char *inpath, char *dataset, char *relpath,
2008-11-20 20:01:55 +00:00
struct stat64 *statbuf)
{
struct extmnttab mp;
const char *rel;
char fullpath[MAXPATHLEN];
compress_slashes(inpath, fullpath);
2008-11-20 20:01:55 +00:00
if (fullpath[0] != '/') {
(void) fprintf(stderr, "invalid object '%s': must be full "
"path\n", fullpath);
usage();
return (-1);
}
if (getextmntent(fullpath, &mp, statbuf) != 0) {
2008-11-20 20:01:55 +00:00
(void) fprintf(stderr, "cannot find mountpoint for '%s'\n",
fullpath);
return (-1);
}
if (strcmp(mp.mnt_fstype, MNTTYPE_ZFS) != 0) {
(void) fprintf(stderr, "invalid path '%s': not a ZFS "
"filesystem\n", fullpath);
return (-1);
}
if (strncmp(fullpath, mp.mnt_mountp, strlen(mp.mnt_mountp)) != 0) {
(void) fprintf(stderr, "invalid path '%s': mountpoint "
"doesn't match path\n", fullpath);
return (-1);
}
Fix unsafe string operations Coverity caught unsafe use of `strcpy()` in `ztest_dmu_objset_own()`, `nfs_init_tmpfile()` and `dump_snapshot()`. It also caught an unsafe use of `strlcat()` in `nfs_init_tmpfile()`. Inspired by this, I did an audit of every single usage of `strcpy()` and `strcat()` in the code. If I could not prove that the usage was safe, I changed the code to use either `strlcpy()` or `strlcat()`, depending on which function was originally used. In some cases, `snprintf()` was used to replace multiple uses of `strcat` because it was cleaner. Whenever I changed a function, I preferred to use `sizeof(dst)` when the compiler is able to provide the string size via that. When it could not because the string was passed by a caller, I checked the entire call tree of the function to find out how big the buffer was and hard coded it. Hardcoding is less than ideal, but it is safe unless someone shrinks the buffer sizes being passed. Additionally, Coverity reported three more string related issues: * It caught a case where we do an overlapping memory copy in a call to `snprintf()`. We fix that via `kmem_strdup()` and `kmem_strfree()`. * It caught `sizeof (buf)` being used instead of `buflen` in `zdb_nicenum()`'s call to `zfs_nicenum()`, which is passed to `snprintf()`. We change that to pass `buflen`. * It caught a theoretical unterminated string passed to `strcmp()`. This one is likely a false positive, but we have the information needed to do this more safely, so we change this to silence the false positive not just in coverity, but potentially other static analysis tools too. We switch to `strncmp()`. * There was a false positive in tests/zfs-tests/cmd/dir_rd_update.c. We suppress it by switching to `snprintf()` since other static analysis tools might complain about it too. Interestingly, there is a possible real bug there too, since it assumes that the passed directory path ends with '/'. We add a '/' to fix that potential bug. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu> Closes #13913
2022-09-27 23:47:24 +00:00
(void) strlcpy(dataset, mp.mnt_special, MAXNAMELEN);
2008-11-20 20:01:55 +00:00
rel = fullpath + strlen(mp.mnt_mountp);
if (rel[0] == '/')
rel++;
Fix unsafe string operations Coverity caught unsafe use of `strcpy()` in `ztest_dmu_objset_own()`, `nfs_init_tmpfile()` and `dump_snapshot()`. It also caught an unsafe use of `strlcat()` in `nfs_init_tmpfile()`. Inspired by this, I did an audit of every single usage of `strcpy()` and `strcat()` in the code. If I could not prove that the usage was safe, I changed the code to use either `strlcpy()` or `strlcat()`, depending on which function was originally used. In some cases, `snprintf()` was used to replace multiple uses of `strcat` because it was cleaner. Whenever I changed a function, I preferred to use `sizeof(dst)` when the compiler is able to provide the string size via that. When it could not because the string was passed by a caller, I checked the entire call tree of the function to find out how big the buffer was and hard coded it. Hardcoding is less than ideal, but it is safe unless someone shrinks the buffer sizes being passed. Additionally, Coverity reported three more string related issues: * It caught a case where we do an overlapping memory copy in a call to `snprintf()`. We fix that via `kmem_strdup()` and `kmem_strfree()`. * It caught `sizeof (buf)` being used instead of `buflen` in `zdb_nicenum()`'s call to `zfs_nicenum()`, which is passed to `snprintf()`. We change that to pass `buflen`. * It caught a theoretical unterminated string passed to `strcmp()`. This one is likely a false positive, but we have the information needed to do this more safely, so we change this to silence the false positive not just in coverity, but potentially other static analysis tools too. We switch to `strncmp()`. * There was a false positive in tests/zfs-tests/cmd/dir_rd_update.c. We suppress it by switching to `snprintf()` since other static analysis tools might complain about it too. Interestingly, there is a possible real bug there too, since it assumes that the passed directory path ends with '/'. We add a '/' to fix that potential bug. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu> Closes #13913
2022-09-27 23:47:24 +00:00
(void) strlcpy(relpath, rel, MAXPATHLEN);
2008-11-20 20:01:55 +00:00
return (0);
}
/*
* Convert from a dataset to a objset id. Note that
* we grab the object number from the inode number.
2008-11-20 20:01:55 +00:00
*/
static int
object_from_path(const char *dataset, uint64_t object, zinject_record_t *record)
2008-11-20 20:01:55 +00:00
{
zfs_handle_t *zhp;
2008-11-20 20:01:55 +00:00
if ((zhp = zfs_open(g_zfs, dataset, ZFS_TYPE_DATASET)) == NULL)
2008-11-20 20:01:55 +00:00
return (-1);
record->zi_objset = zfs_prop_get_int(zhp, ZFS_PROP_OBJSETID);
record->zi_object = object;
2008-11-20 20:01:55 +00:00
zfs_close(zhp);
2008-11-20 20:01:55 +00:00
return (0);
}
/*
* Initialize the range based on the type, level, and range given.
2008-11-20 20:01:55 +00:00
*/
static int
initialize_range(err_type_t type, int level, char *range,
2008-11-20 20:01:55 +00:00
zinject_record_t *record)
{
/*
* Determine the numeric range from the string.
*/
if (range == NULL) {
/*
* If range is unspecified, set the range to [0,-1], which
* indicates that the whole object should be treated as an
* error.
*/
record->zi_start = 0;
record->zi_end = -1ULL;
} else {
char *end;
/* XXX add support for suffixes */
record->zi_start = strtoull(range, &end, 10);
if (*end == '\0')
record->zi_end = record->zi_start + 1;
else if (*end == ',')
record->zi_end = strtoull(end + 1, &end, 10);
if (*end != '\0') {
(void) fprintf(stderr, "invalid range '%s': must be "
"a numeric range of the form 'start[,end]'\n",
range);
return (-1);
2008-11-20 20:01:55 +00:00
}
}
switch (type) {
default:
break;
2008-11-20 20:01:55 +00:00
case TYPE_DATA:
break;
case TYPE_DNODE:
/*
* If this is a request to inject faults into the dnode, then we
* must translate the current (objset,object) pair into an
* offset within the metadnode for the objset. Specifying any
* kind of range with type 'dnode' is illegal.
*/
if (range != NULL) {
(void) fprintf(stderr, "range cannot be specified when "
"type is 'dnode'\n");
return (-1);
2008-11-20 20:01:55 +00:00
}
record->zi_start = record->zi_object * sizeof (dnode_phys_t);
record->zi_end = record->zi_start + sizeof (dnode_phys_t);
record->zi_object = 0;
break;
}
record->zi_level = level;
return (0);
2008-11-20 20:01:55 +00:00
}
int
translate_record(err_type_t type, const char *object, const char *range,
int level, zinject_record_t *record, char *poolname, char *dataset)
{
char path[MAXPATHLEN];
char *slash;
struct stat64 statbuf;
int ret = -1;
debug = (getenv("ZINJECT_DEBUG") != NULL);
ziprintf("translating: %s\n", object);
if (MOS_TYPE(type)) {
/*
* MOS objects are treated specially.
*/
switch (type) {
default:
break;
2008-11-20 20:01:55 +00:00
case TYPE_MOS:
record->zi_type = 0;
break;
case TYPE_MOSDIR:
record->zi_type = DMU_OT_OBJECT_DIRECTORY;
break;
case TYPE_METASLAB:
record->zi_type = DMU_OT_OBJECT_ARRAY;
break;
case TYPE_CONFIG:
record->zi_type = DMU_OT_PACKED_NVLIST;
break;
case TYPE_BPOBJ:
record->zi_type = DMU_OT_BPOBJ;
2008-11-20 20:01:55 +00:00
break;
case TYPE_SPACEMAP:
record->zi_type = DMU_OT_SPACE_MAP;
break;
case TYPE_ERRLOG:
record->zi_type = DMU_OT_ERROR_LOG;
break;
}
dataset[0] = '\0';
Fix unsafe string operations Coverity caught unsafe use of `strcpy()` in `ztest_dmu_objset_own()`, `nfs_init_tmpfile()` and `dump_snapshot()`. It also caught an unsafe use of `strlcat()` in `nfs_init_tmpfile()`. Inspired by this, I did an audit of every single usage of `strcpy()` and `strcat()` in the code. If I could not prove that the usage was safe, I changed the code to use either `strlcpy()` or `strlcat()`, depending on which function was originally used. In some cases, `snprintf()` was used to replace multiple uses of `strcat` because it was cleaner. Whenever I changed a function, I preferred to use `sizeof(dst)` when the compiler is able to provide the string size via that. When it could not because the string was passed by a caller, I checked the entire call tree of the function to find out how big the buffer was and hard coded it. Hardcoding is less than ideal, but it is safe unless someone shrinks the buffer sizes being passed. Additionally, Coverity reported three more string related issues: * It caught a case where we do an overlapping memory copy in a call to `snprintf()`. We fix that via `kmem_strdup()` and `kmem_strfree()`. * It caught `sizeof (buf)` being used instead of `buflen` in `zdb_nicenum()`'s call to `zfs_nicenum()`, which is passed to `snprintf()`. We change that to pass `buflen`. * It caught a theoretical unterminated string passed to `strcmp()`. This one is likely a false positive, but we have the information needed to do this more safely, so we change this to silence the false positive not just in coverity, but potentially other static analysis tools too. We switch to `strncmp()`. * There was a false positive in tests/zfs-tests/cmd/dir_rd_update.c. We suppress it by switching to `snprintf()` since other static analysis tools might complain about it too. Interestingly, there is a possible real bug there too, since it assumes that the passed directory path ends with '/'. We add a '/' to fix that potential bug. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu> Closes #13913
2022-09-27 23:47:24 +00:00
(void) strlcpy(poolname, object, MAXNAMELEN);
2008-11-20 20:01:55 +00:00
return (0);
}
/*
* Convert a full path into a (dataset, file) pair.
*/
if (parse_pathname(object, dataset, path, &statbuf) != 0)
goto err;
ziprintf(" dataset: %s\n", dataset);
ziprintf(" path: %s\n", path);
/*
* Convert (dataset, file) into (objset, object)
*/
if (object_from_path(dataset, statbuf.st_ino, record) != 0)
2008-11-20 20:01:55 +00:00
goto err;
ziprintf("raw objset: %llu\n", record->zi_objset);
ziprintf("raw object: %llu\n", record->zi_object);
/*
* For the given object, initialize the range in bytes
2008-11-20 20:01:55 +00:00
*/
if (initialize_range(type, level, (char *)range, record) != 0)
2008-11-20 20:01:55 +00:00
goto err;
ziprintf(" objset: %llu\n", record->zi_objset);
ziprintf(" object: %llu\n", record->zi_object);
if (record->zi_start == 0 &&
record->zi_end == -1ULL)
ziprintf(" range: all\n");
else
ziprintf(" range: [%llu, %llu]\n", record->zi_start,
record->zi_end);
/*
* Copy the pool name
*/
Fix unsafe string operations Coverity caught unsafe use of `strcpy()` in `ztest_dmu_objset_own()`, `nfs_init_tmpfile()` and `dump_snapshot()`. It also caught an unsafe use of `strlcat()` in `nfs_init_tmpfile()`. Inspired by this, I did an audit of every single usage of `strcpy()` and `strcat()` in the code. If I could not prove that the usage was safe, I changed the code to use either `strlcpy()` or `strlcat()`, depending on which function was originally used. In some cases, `snprintf()` was used to replace multiple uses of `strcat` because it was cleaner. Whenever I changed a function, I preferred to use `sizeof(dst)` when the compiler is able to provide the string size via that. When it could not because the string was passed by a caller, I checked the entire call tree of the function to find out how big the buffer was and hard coded it. Hardcoding is less than ideal, but it is safe unless someone shrinks the buffer sizes being passed. Additionally, Coverity reported three more string related issues: * It caught a case where we do an overlapping memory copy in a call to `snprintf()`. We fix that via `kmem_strdup()` and `kmem_strfree()`. * It caught `sizeof (buf)` being used instead of `buflen` in `zdb_nicenum()`'s call to `zfs_nicenum()`, which is passed to `snprintf()`. We change that to pass `buflen`. * It caught a theoretical unterminated string passed to `strcmp()`. This one is likely a false positive, but we have the information needed to do this more safely, so we change this to silence the false positive not just in coverity, but potentially other static analysis tools too. We switch to `strncmp()`. * There was a false positive in tests/zfs-tests/cmd/dir_rd_update.c. We suppress it by switching to `snprintf()` since other static analysis tools might complain about it too. Interestingly, there is a possible real bug there too, since it assumes that the passed directory path ends with '/'. We add a '/' to fix that potential bug. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu> Closes #13913
2022-09-27 23:47:24 +00:00
(void) strlcpy(poolname, dataset, MAXNAMELEN);
2008-11-20 20:01:55 +00:00
if ((slash = strchr(poolname, '/')) != NULL)
*slash = '\0';
ret = 0;
err:
return (ret);
}
int
translate_raw(const char *str, zinject_record_t *record)
{
/*
* A raw bookmark of the form objset:object:level:blkid, where each
* number is a hexadecimal value.
2008-11-20 20:01:55 +00:00
*/
if (sscanf(str, "%llx:%llx:%x:%llx", (u_longlong_t *)&record->zi_objset,
(u_longlong_t *)&record->zi_object, &record->zi_level,
(u_longlong_t *)&record->zi_start) != 4) {
(void) fprintf(stderr, "bad raw spec '%s': must be of the form "
"'objset:object:level:blkid'\n", str);
return (-1);
}
record->zi_end = record->zi_start;
return (0);
}
int
translate_device(const char *pool, const char *device, err_type_t label_type,
zinject_record_t *record)
2008-11-20 20:01:55 +00:00
{
char *end;
zpool_handle_t *zhp;
nvlist_t *tgt;
boolean_t isspare, iscache;
/*
* Given a device name or GUID, create an appropriate injection record
* with zi_guid set.
*/
if ((zhp = zpool_open(g_zfs, pool)) == NULL)
return (-1);
record->zi_guid = strtoull(device, &end, 0);
2008-11-20 20:01:55 +00:00
if (record->zi_guid == 0 || *end != '\0') {
tgt = zpool_find_vdev(zhp, device, &isspare, &iscache, NULL);
2008-11-20 20:01:55 +00:00
if (tgt == NULL) {
(void) fprintf(stderr, "cannot find device '%s' in "
"pool '%s'\n", device, pool);
zpool_close(zhp);
2008-11-20 20:01:55 +00:00
return (-1);
}
verify(nvlist_lookup_uint64(tgt, ZPOOL_CONFIG_GUID,
&record->zi_guid) == 0);
}
/*
* Device faults can take on three different forms:
* 1). delayed or hanging I/O
* 2). zfs label faults
* 3). generic disk faults
*/
if (record->zi_timer != 0) {
record->zi_cmd = ZINJECT_DELAY_IO;
} else if (label_type != TYPE_INVAL) {
record->zi_cmd = ZINJECT_LABEL_FAULT;
} else {
record->zi_cmd = ZINJECT_DEVICE_FAULT;
}
switch (label_type) {
default:
break;
case TYPE_LABEL_UBERBLOCK:
record->zi_start = offsetof(vdev_label_t, vl_uberblock[0]);
record->zi_end = record->zi_start + VDEV_UBERBLOCK_RING - 1;
break;
case TYPE_LABEL_NVLIST:
record->zi_start = offsetof(vdev_label_t, vl_vdev_phys);
record->zi_end = record->zi_start + VDEV_PHYS_SIZE - 1;
break;
case TYPE_LABEL_PAD1:
record->zi_start = offsetof(vdev_label_t, vl_pad1);
record->zi_end = record->zi_start + VDEV_PAD_SIZE - 1;
break;
case TYPE_LABEL_PAD2:
Add support for boot environment data to be stored in the label Modern bootloaders leverage data stored in the root filesystem to enable some of their powerful features. GRUB specifically has a grubenv file which can store large amounts of configuration data that can be read and written at boot time and during normal operation. This allows sysadmins to configure useful features like automated failover after failed boot attempts. Unfortunately, due to the Copy-on-Write nature of ZFS, the standard behavior of these tools cannot handle writing to ZFS files safely at boot time. We need an alternative way to store data that allows the bootloader to make changes to the data. This work is very similar to work that was done on Illumos to enable similar functionality in the FreeBSD bootloader. This patch is different in that the data being stored is a raw grubenv file; this file can store arbitrary variables and values, and the scripting provided by grub is powerful enough that special structures are not required to implement advanced behavior. We repurpose the second padding area in each label to store the grubenv file, protected by an embedded checksum. We add two ioctls to get and set this data, and libzfs_core and libzfs functions to access them more easily. There are no direct command line interfaces to these functions; these will be added directly to the bootloader utilities. Reviewed-by: Pavel Zakharov <pavel.zakharov@delphix.com> Reviewed-by: Matthew Ahrens <mahrens@delphix.com> Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Paul Dagnelie <pcd@delphix.com> Closes #10009
2020-05-07 16:36:33 +00:00
record->zi_start = offsetof(vdev_label_t, vl_be);
record->zi_end = record->zi_start + VDEV_PAD_SIZE - 1;
break;
}
zpool_close(zhp);
2008-11-20 20:01:55 +00:00
return (0);
}