Add Windows support to OpenZFS

[lundman]

Motivation and Context

This PR contains the required changed to add Windows as a platform, if that
is desirable.

Description

Windows uses CMake environment, and does not touch any of the Unix build system.

How Has This Been Tested?

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New "feature" (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the OpenZFS code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• I have run the ZFS Test Suite with this change applied.
• All commit messages are properly formatted and contain Signed-off-by.

[rkitover]

Hey this is amazing, I was just thinking a few hours ago how awesome it would be if openzfs for windows started integrating with this repo.

I was also thinking looking at this PR, have you heard of cccl?

I've tried this with autotools and it works amazingly well. I could work on adding this support to the existing autotools system once this PR stabilizes. Would you be in favor of that? Not as a replacement for cmake, but as an extension to the existing config system.

[lundman]

cccl does look interesting, and could be worth looking into. There are still advantages in using visual studio projects, especially with remote kernel debugging, but as we can't expect Unix developers add source files to VS project files, it needed to be something more easily edited, hence cmake. But these things have evolved in the past, in this project, so it certainly could change again.

[ryao]

This made me realize that the amount of code duplication we have between platforms is ridiculous. That should be cleaned up (although it does not block this PR).

I know this is a draft, but I could not help peek at it and made a few comments on things that stood out to me.

[lundman]

It's amusing, I'm pleased how little code duplication there is, now. Compared to when we did the first mac port :)

Thanks for glancing at it. The death after bookmark/setup test is suspicious, so that is next to look into.

[lundman]

the "remove strings.h" missed a few, which could be its own PR

[lundman]

PROPs must always be defined on all platforms, remove #ifdef

[mcmilk]

Hello,

I just found some things - maybe you can review these?
But the main thing looks okay - great work.

[mcmilk]

Can we add here a new line again. I think, it was there because of: <system-stuff.h> and "own-stuff.h"

[mcmilk]

There should be a new line ?

[ryao]

I had originally looked at this from my ipad and could not see the context due to the iPad being slow, so I made a (now deleted) remark that I now see was wrong.

Anyway, the reason that CodeQL complains here is that command injection is possible by altering the arguments passed to the installer and in general, command injection is something to be avoided whenever possible. Here are some references:

https://codeql.github.com/codeql-query-help/cpp/cpp-command-line-injection/
https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems

That said, I do not know the right way to sanitize this offhand, but the whitelist example by Wietse Venema at the second URL looks like a sane solution.

[ryao]

I would prefer it if we put these into zio_abd_checksum_data_t and put boolean_t call_kfpu; into fletcher_4_ops_t. The thing that I dislike about changing fletcher_4_ctx to a struct and passing it to kfpu_begin_ctx() and kfpu_end_ctx(). ties those functions to fletcher_4_ctx, when they are general purpose functions that should be usable for far more than fletcher4.

I guess another way would be to put these members before the anonymous union, make a structure for these members and use a void pointer to do casting, but I like your boolean_t call_kfpu; idea from the other day.

[lundman]

This is just a stop-gap until, hopefully, the new implementation @AttilaFueloep is working on merges. It is a separate commit, so I can easily drop it when that time comes.

[AttilaFueloep]

So there seems to be agreement that the refactoring I suggested yesterday is a good idea? If so, I'll prepare a PR tomorrow.

[lundman]

If my vote counts, I'm all for it.

[ryao]

It looks good to me.

[AttilaFueloep]

#14600

[lundman]

sprintf_s(command, MAX_PATH_LEN,
This argument to an OS command is derived from , dangerously concatenated into , and then passed to system(_Command).

Starting to think it doesn't know sprintf_s() is the windows "_safe" variants, ie, snprintf().

[ryao]

I notice that time_t is 64-bit on 64-bit UNIX systems because long is 64-bit on them, but due to Windows' memory model, long is 32-bit while time_t is 64-bit. The standard has a hole here, since inttypes.h, which should give a way to print this in a sane way, does not. Something like this would probably work:

#ifdef _ILP32
#define PRI_TIME PRId32
#else
#define PRI_TIME PRId64
#endif

(void) printf("%s\t%s\t" PRI_TIME "\n", zname, tagname, time);

We have a similar, but subtly different issue with uid_t, where Linux and presumably other UNIX systems use unsigned int, while Windows appears to use unsigned long long. Interestingly, this reveals a case where the type is not quite right, because %d is used instead of %u.

That said, doing a 64-bit uid_t with the works fine on little endian systems as long as the uid_t being passed is the last argument passed and the top 32-bits are not actually used. If it is not, then the next argument will be considered to start in the upper half of the passed uid_t. On a big endian system, this will pass the top 32-bits of the uid_t, which is wrong, although Windows has not supported big endian in years, so that is less of a concern than the former.

We could solve this similarly to how we can solve the time_t issue, by doing:

#if defined(_ILP32) || !defined(_WIN32)
#define PRI_UID PRIu32
#else
#define PRI_UID PRIu64
#endif
#endif

(void) sprintf(id, PRI_UID, rid);

[ryao]

This is a false alarm because memset() is not being used here for security reasons, but it would be nice not to have an alert. While github code scanning will not show this on future PRs after this is merged, it will still appear in the security tab in repositories where we have write access. It is possible to mark it as a false positive there, but it needs to be done for each individual repository and I would rather not have people get into the habit of marking alerts as false positives if it is not necessary. In this case, we could add an #ifdef NLS to suppress the alert from memset().

[ryao]

I had originally looked at this from my ipad and could not see the context due to the iPad being slow, so I made a (now deleted) remark that I now see was wrong.

Anyway, the reason that CodeQL complains here is that command injection is possible by altering the arguments passed to the installer and in general, command injection is something to be avoided whenever possible. Here are some references:

https://codeql.github.com/codeql-query-help/cpp/cpp-command-line-injection/
https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems

That said, I do not know the right way to sanitize this offhand, but the whitelist example by Wietse Venema at the second URL looks like a sane solution.

[ryao]

A typecast to (size_t) is needed on size. Otherwise, you can under-allocate memory.

In practice, this probably does not happen at the sizes we allocate, but it is better to be safe than sorry. A patch fixing this is likely needed by upstream zlib, since there is a clear memory safety issue here.

[ryao]

Although we should not be doing allocations that are >=4GB in size, if we ever do, this will underallocate. It should be given a typecast to (size_t) as a defensive measure to harden against future changes that will try to allocate big things.

[ryao]

size_t should change size based on the machine word size, but I am not aware of a printf specifier that does on Windows. We probably will need this in a header somewhere:

#ifdef _ILP32
#define PRI_SIZE "%lu"
#define PRI_SSIZE "%ld"
#else
#define PRI_SIZE "%llu"
#define PRI_SSIZE "%lld"
#endif

Then we could make this:

kmem_dumppr(&p, e, "used bytes," PRI_SIZE "\n", used);

[ryao]

This will cause incorrect numbers to be printed whenever bit 32 or greater is used.

[ryao]

The same for this.

[ryao]

If the types of these are not widened, we need a defensive (size_t) cast.

[ryao]

Provided that you take my previous suggestion to make PRI_SIZE, we can use that here.

[ryao]

There are many failures in the Linux ZTS tests that need to be diagnosed and fixed. A normal run gives:

Percent passed: 98.4%

The runs being done on this PR give:

Percent passed: 35.3%

[lundman]

Percent passed: 35.3%

I will at very least look at the 7

 507234: Memory fault(coredump)

//

./zfs "set"
missing arguments

Segmentation fault

Pfft, cosmetics.

[ryao]

This is interesting. CentOS 7:

Percent passed: 97.0%

CentOS 8:

Percent passed: 36.0%

[lundman]

Oh yeah, promoted PR, now all grown up.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.