1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22/*
23 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright (c) 2011, 2015 by Delphix. All rights reserved.
25 * Copyright 2019 Joyent, Inc.
26 * Copyright (c) 2012 Pawel Jakub Dawidek. All rights reserved.
27 * Copyright (c) 2013 Steven Hartland. All rights reserved.
28 * Copyright 2015, OmniTI Computer Consulting, Inc. All rights reserved.
29 * Copyright (c) 2014 Integros [integros.com]
30 * Copyright 2016 Igor Kozhukhov <ikozhukhov@gmail.com>
31 * Copyright (c) 2017, loli10K <ezomori.nozomu@gmail.com>. All rights reserved.
32 * Copyright (c) 2018 Datto Inc.
33 */
34
35#include <assert.h>
36#include <ctype.h>
37#include <errno.h>
38#include <libintl.h>
39#include <stdio.h>
40#include <stdlib.h>
41#include <strings.h>
42#include <unistd.h>
43#include <stddef.h>
44#include <fcntl.h>
45#include <sys/mount.h>
46#include <pthread.h>
47#include <umem.h>
48#include <time.h>
49
50#include <libzfs.h>
51#include <libzfs_core.h>
52#include <libzutil.h>
53
54#include "zfs_namecheck.h"
55#include "zfs_prop.h"
56#include "zfs_fletcher.h"
57#include "libzfs_impl.h"
58#include <zlib.h>
59#include <sha2.h>
60#include <sys/zio_checksum.h>
61#include <sys/dsl_crypt.h>
62#include <sys/ddt.h>
63
64/* in libzfs_dataset.c */
65extern void zfs_setprop_error(libzfs_handle_t *, zfs_prop_t, int, char *);
66
67static int zfs_receive_impl(libzfs_handle_t *, const char *, const char *,
68    recvflags_t *, int, const char *, nvlist_t *, avl_tree_t *, char **, int,
69    uint64_t *, const char *, nvlist_t *);
70static int guid_to_name(libzfs_handle_t *, const char *,
71    uint64_t, boolean_t, char *);
72
73static const zio_cksum_t zero_cksum = { 0 };
74
75typedef struct dedup_arg {
76	int	inputfd;
77	int	outputfd;
78	libzfs_handle_t  *dedup_hdl;
79} dedup_arg_t;
80
81typedef struct progress_arg {
82	zfs_handle_t *pa_zhp;
83	int pa_fd;
84	boolean_t pa_parsable;
85} progress_arg_t;
86
87typedef struct dataref {
88	uint64_t ref_guid;
89	uint64_t ref_object;
90	uint64_t ref_offset;
91} dataref_t;
92
93typedef struct dedup_entry {
94	struct dedup_entry	*dde_next;
95	zio_cksum_t dde_chksum;
96	uint64_t dde_prop;
97	dataref_t dde_ref;
98} dedup_entry_t;
99
100#define	MAX_DDT_PHYSMEM_PERCENT		20
101#define	SMALLEST_POSSIBLE_MAX_DDT_MB		128
102
103typedef struct dedup_table {
104	dedup_entry_t	**dedup_hash_array;
105	umem_cache_t	*ddecache;
106	uint64_t	max_ddt_size;  /* max dedup table size in bytes */
107	uint64_t	cur_ddt_size;  /* current dedup table size in bytes */
108	uint64_t	ddt_count;
109	int		numhashbits;
110	boolean_t	ddt_full;
111} dedup_table_t;
112
113static int
114high_order_bit(uint64_t n)
115{
116	int count;
117
118	for (count = 0; n != 0; count++)
119		n >>= 1;
120	return (count);
121}
122
123static size_t
124ssread(void *buf, size_t len, FILE *stream)
125{
126	size_t outlen;
127
128	if ((outlen = fread(buf, len, 1, stream)) == 0)
129		return (0);
130
131	return (outlen);
132}
133
134static void
135ddt_hash_append(libzfs_handle_t *hdl, dedup_table_t *ddt, dedup_entry_t **ddepp,
136    zio_cksum_t *cs, uint64_t prop, dataref_t *dr)
137{
138	dedup_entry_t	*dde;
139
140	if (ddt->cur_ddt_size >= ddt->max_ddt_size) {
141		if (ddt->ddt_full == B_FALSE) {
142			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
143			    "Dedup table full.  Deduplication will continue "
144			    "with existing table entries"));
145			ddt->ddt_full = B_TRUE;
146		}
147		return;
148	}
149
150	if ((dde = umem_cache_alloc(ddt->ddecache, UMEM_DEFAULT))
151	    != NULL) {
152		assert(*ddepp == NULL);
153		dde->dde_next = NULL;
154		dde->dde_chksum = *cs;
155		dde->dde_prop = prop;
156		dde->dde_ref = *dr;
157		*ddepp = dde;
158		ddt->cur_ddt_size += sizeof (dedup_entry_t);
159		ddt->ddt_count++;
160	}
161}
162
163/*
164 * Using the specified dedup table, do a lookup for an entry with
165 * the checksum cs.  If found, return the block's reference info
166 * in *dr. Otherwise, insert a new entry in the dedup table, using
167 * the reference information specified by *dr.
168 *
169 * return value:  true - entry was found
170 *		  false - entry was not found
171 */
172static boolean_t
173ddt_update(libzfs_handle_t *hdl, dedup_table_t *ddt, zio_cksum_t *cs,
174    uint64_t prop, dataref_t *dr)
175{
176	uint32_t hashcode;
177	dedup_entry_t **ddepp;
178
179	hashcode = BF64_GET(cs->zc_word[0], 0, ddt->numhashbits);
180
181	for (ddepp = &(ddt->dedup_hash_array[hashcode]); *ddepp != NULL;
182	    ddepp = &((*ddepp)->dde_next)) {
183		if (ZIO_CHECKSUM_EQUAL(((*ddepp)->dde_chksum), *cs) &&
184		    (*ddepp)->dde_prop == prop) {
185			*dr = (*ddepp)->dde_ref;
186			return (B_TRUE);
187		}
188	}
189	ddt_hash_append(hdl, ddt, ddepp, cs, prop, dr);
190	return (B_FALSE);
191}
192
193static int
194dump_record(dmu_replay_record_t *drr, void *payload, int payload_len,
195    zio_cksum_t *zc, int outfd)
196{
197	ASSERT3U(offsetof(dmu_replay_record_t, drr_u.drr_checksum.drr_checksum),
198	    ==, sizeof (dmu_replay_record_t) - sizeof (zio_cksum_t));
199	(void) fletcher_4_incremental_native(drr,
200	    offsetof(dmu_replay_record_t, drr_u.drr_checksum.drr_checksum), zc);
201	if (drr->drr_type != DRR_BEGIN) {
202		ASSERT(ZIO_CHECKSUM_IS_ZERO(&drr->drr_u.
203		    drr_checksum.drr_checksum));
204		drr->drr_u.drr_checksum.drr_checksum = *zc;
205	}
206	(void) fletcher_4_incremental_native(
207	    &drr->drr_u.drr_checksum.drr_checksum, sizeof (zio_cksum_t), zc);
208	if (write(outfd, drr, sizeof (*drr)) == -1)
209		return (errno);
210	if (payload_len != 0) {
211		(void) fletcher_4_incremental_native(payload, payload_len, zc);
212		if (write(outfd, payload, payload_len) == -1)
213			return (errno);
214	}
215	return (0);
216}
217
218/*
219 * This function is started in a separate thread when the dedup option
220 * has been requested.  The main send thread determines the list of
221 * snapshots to be included in the send stream and makes the ioctl calls
222 * for each one.  But instead of having the ioctl send the output to the
223 * the output fd specified by the caller of zfs_send()), the
224 * ioctl is told to direct the output to a pipe, which is read by the
225 * alternate thread running THIS function.  This function does the
226 * dedup'ing by:
227 *  1. building a dedup table (the DDT)
228 *  2. doing checksums on each data block and inserting a record in the DDT
229 *  3. looking for matching checksums, and
230 *  4.  sending a DRR_WRITE_BYREF record instead of a write record whenever
231 *      a duplicate block is found.
232 * The output of this function then goes to the output fd requested
233 * by the caller of zfs_send().
234 */
235static void *
236cksummer(void *arg)
237{
238	dedup_arg_t *dda = arg;
239	char *buf = zfs_alloc(dda->dedup_hdl, SPA_MAXBLOCKSIZE);
240	dmu_replay_record_t thedrr;
241	dmu_replay_record_t *drr = &thedrr;
242	FILE *ofp;
243	int outfd;
244	dedup_table_t ddt;
245	zio_cksum_t stream_cksum;
246	uint64_t physmem = sysconf(_SC_PHYS_PAGES) * sysconf(_SC_PAGESIZE);
247	uint64_t numbuckets;
248
249	ddt.max_ddt_size =
250	    MAX((physmem * MAX_DDT_PHYSMEM_PERCENT) / 100,
251	    SMALLEST_POSSIBLE_MAX_DDT_MB << 20);
252
253	numbuckets = ddt.max_ddt_size / (sizeof (dedup_entry_t));
254
255	/*
256	 * numbuckets must be a power of 2.  Increase number to
257	 * a power of 2 if necessary.
258	 */
259	if (!ISP2(numbuckets))
260		numbuckets = 1 << high_order_bit(numbuckets);
261
262	ddt.dedup_hash_array = calloc(numbuckets, sizeof (dedup_entry_t *));
263	ddt.ddecache = umem_cache_create("dde", sizeof (dedup_entry_t), 0,
264	    NULL, NULL, NULL, NULL, NULL, 0);
265	ddt.cur_ddt_size = numbuckets * sizeof (dedup_entry_t *);
266	ddt.numhashbits = high_order_bit(numbuckets) - 1;
267	ddt.ddt_full = B_FALSE;
268
269	outfd = dda->outputfd;
270	ofp = fdopen(dda->inputfd, "r");
271	while (ssread(drr, sizeof (*drr), ofp) != 0) {
272
273		/*
274		 * kernel filled in checksum, we are going to write same
275		 * record, but need to regenerate checksum.
276		 */
277		if (drr->drr_type != DRR_BEGIN) {
278			bzero(&drr->drr_u.drr_checksum.drr_checksum,
279			    sizeof (drr->drr_u.drr_checksum.drr_checksum));
280		}
281
282		switch (drr->drr_type) {
283		case DRR_BEGIN:
284		{
285			struct drr_begin *drrb = &drr->drr_u.drr_begin;
286			int fflags;
287			int sz = 0;
288			ZIO_SET_CHECKSUM(&stream_cksum, 0, 0, 0, 0);
289
290			ASSERT3U(drrb->drr_magic, ==, DMU_BACKUP_MAGIC);
291
292			/* set the DEDUP feature flag for this stream */
293			fflags = DMU_GET_FEATUREFLAGS(drrb->drr_versioninfo);
294			fflags |= (DMU_BACKUP_FEATURE_DEDUP |
295			    DMU_BACKUP_FEATURE_DEDUPPROPS);
296			DMU_SET_FEATUREFLAGS(drrb->drr_versioninfo, fflags);
297
298			if (drr->drr_payloadlen != 0) {
299				sz = drr->drr_payloadlen;
300
301				if (sz > SPA_MAXBLOCKSIZE) {
302					buf = zfs_realloc(dda->dedup_hdl, buf,
303					    SPA_MAXBLOCKSIZE, sz);
304				}
305				(void) ssread(buf, sz, ofp);
306				if (ferror(stdin))
307					perror("fread");
308			}
309			if (dump_record(drr, buf, sz, &stream_cksum,
310			    outfd) != 0)
311				goto out;
312			break;
313		}
314
315		case DRR_END:
316		{
317			struct drr_end *drre = &drr->drr_u.drr_end;
318			/* use the recalculated checksum */
319			drre->drr_checksum = stream_cksum;
320			if (dump_record(drr, NULL, 0, &stream_cksum,
321			    outfd) != 0)
322				goto out;
323			break;
324		}
325
326		case DRR_OBJECT:
327		{
328			struct drr_object *drro = &drr->drr_u.drr_object;
329			if (drro->drr_bonuslen > 0) {
330				(void) ssread(buf,
331				    DRR_OBJECT_PAYLOAD_SIZE(drro), ofp);
332			}
333			if (dump_record(drr, buf, DRR_OBJECT_PAYLOAD_SIZE(drro),
334			    &stream_cksum, outfd) != 0)
335				goto out;
336			break;
337		}
338
339		case DRR_SPILL:
340		{
341			struct drr_spill *drrs = &drr->drr_u.drr_spill;
342			(void) ssread(buf, DRR_SPILL_PAYLOAD_SIZE(drrs), ofp);
343			if (dump_record(drr, buf, DRR_SPILL_PAYLOAD_SIZE(drrs),
344			    &stream_cksum, outfd) != 0)
345				goto out;
346			break;
347		}
348
349		case DRR_FREEOBJECTS:
350		{
351			if (dump_record(drr, NULL, 0, &stream_cksum,
352			    outfd) != 0)
353				goto out;
354			break;
355		}
356
357		case DRR_WRITE:
358		{
359			struct drr_write *drrw = &drr->drr_u.drr_write;
360			dataref_t	dataref;
361			uint64_t	payload_size;
362
363			payload_size = DRR_WRITE_PAYLOAD_SIZE(drrw);
364			(void) ssread(buf, payload_size, ofp);
365
366			/*
367			 * Use the existing checksum if it's dedup-capable,
368			 * else calculate a SHA256 checksum for it.
369			 */
370
371			if (ZIO_CHECKSUM_EQUAL(drrw->drr_key.ddk_cksum,
372			    zero_cksum) ||
373			    !DRR_IS_DEDUP_CAPABLE(drrw->drr_flags)) {
374				SHA256_CTX	ctx;
375				zio_cksum_t	tmpsha256;
376
377				SHA256Init(&ctx);
378				SHA256Update(&ctx, buf, payload_size);
379				SHA256Final(&tmpsha256, &ctx);
380				drrw->drr_key.ddk_cksum.zc_word[0] =
381				    BE_64(tmpsha256.zc_word[0]);
382				drrw->drr_key.ddk_cksum.zc_word[1] =
383				    BE_64(tmpsha256.zc_word[1]);
384				drrw->drr_key.ddk_cksum.zc_word[2] =
385				    BE_64(tmpsha256.zc_word[2]);
386				drrw->drr_key.ddk_cksum.zc_word[3] =
387				    BE_64(tmpsha256.zc_word[3]);
388				drrw->drr_checksumtype = ZIO_CHECKSUM_SHA256;
389				drrw->drr_flags |= DRR_CHECKSUM_DEDUP;
390			}
391
392			dataref.ref_guid = drrw->drr_toguid;
393			dataref.ref_object = drrw->drr_object;
394			dataref.ref_offset = drrw->drr_offset;
395
396			if (ddt_update(dda->dedup_hdl, &ddt,
397			    &drrw->drr_key.ddk_cksum, drrw->drr_key.ddk_prop,
398			    &dataref)) {
399				dmu_replay_record_t wbr_drr = {0};
400				struct drr_write_byref *wbr_drrr =
401				    &wbr_drr.drr_u.drr_write_byref;
402
403				/* block already present in stream */
404				wbr_drr.drr_type = DRR_WRITE_BYREF;
405
406				wbr_drrr->drr_object = drrw->drr_object;
407				wbr_drrr->drr_offset = drrw->drr_offset;
408				wbr_drrr->drr_length = drrw->drr_logical_size;
409				wbr_drrr->drr_toguid = drrw->drr_toguid;
410				wbr_drrr->drr_refguid = dataref.ref_guid;
411				wbr_drrr->drr_refobject =
412				    dataref.ref_object;
413				wbr_drrr->drr_refoffset =
414				    dataref.ref_offset;
415
416				wbr_drrr->drr_checksumtype =
417				    drrw->drr_checksumtype;
418				wbr_drrr->drr_flags = drrw->drr_flags;
419				wbr_drrr->drr_key.ddk_cksum =
420				    drrw->drr_key.ddk_cksum;
421				wbr_drrr->drr_key.ddk_prop =
422				    drrw->drr_key.ddk_prop;
423
424				if (dump_record(&wbr_drr, NULL, 0,
425				    &stream_cksum, outfd) != 0)
426					goto out;
427			} else {
428				/* block not previously seen */
429				if (dump_record(drr, buf, payload_size,
430				    &stream_cksum, outfd) != 0)
431					goto out;
432			}
433			break;
434		}
435
436		case DRR_WRITE_EMBEDDED:
437		{
438			struct drr_write_embedded *drrwe =
439			    &drr->drr_u.drr_write_embedded;
440			(void) ssread(buf,
441			    P2ROUNDUP((uint64_t)drrwe->drr_psize, 8), ofp);
442			if (dump_record(drr, buf,
443			    P2ROUNDUP((uint64_t)drrwe->drr_psize, 8),
444			    &stream_cksum, outfd) != 0)
445				goto out;
446			break;
447		}
448
449		case DRR_FREE:
450		{
451			if (dump_record(drr, NULL, 0, &stream_cksum,
452			    outfd) != 0)
453				goto out;
454			break;
455		}
456
457		case DRR_OBJECT_RANGE:
458		{
459			if (dump_record(drr, NULL, 0, &stream_cksum,
460			    outfd) != 0)
461				goto out;
462			break;
463		}
464
465		default:
466			(void) fprintf(stderr, "INVALID record type 0x%x\n",
467			    drr->drr_type);
468			/* should never happen, so assert */
469			assert(B_FALSE);
470		}
471	}
472out:
473	umem_cache_destroy(ddt.ddecache);
474	free(ddt.dedup_hash_array);
475	free(buf);
476	(void) fclose(ofp);
477
478	return (NULL);
479}
480
481/*
482 * Routines for dealing with the AVL tree of fs-nvlists
483 */
484typedef struct fsavl_node {
485	avl_node_t fn_node;
486	nvlist_t *fn_nvfs;
487	char *fn_snapname;
488	uint64_t fn_guid;
489} fsavl_node_t;
490
491static int
492fsavl_compare(const void *arg1, const void *arg2)
493{
494	const fsavl_node_t *fn1 = (const fsavl_node_t *)arg1;
495	const fsavl_node_t *fn2 = (const fsavl_node_t *)arg2;
496
497	if (fn1->fn_guid > fn2->fn_guid)
498		return (+1);
499	if (fn1->fn_guid < fn2->fn_guid)
500		return (-1);
501	return (0);
502}
503
504/*
505 * Given the GUID of a snapshot, find its containing filesystem and
506 * (optionally) name.
507 */
508static nvlist_t *
509fsavl_find(avl_tree_t *avl, uint64_t snapguid, char **snapname)
510{
511	fsavl_node_t fn_find;
512	fsavl_node_t *fn;
513
514	fn_find.fn_guid = snapguid;
515
516	fn = avl_find(avl, &fn_find, NULL);
517	if (fn) {
518		if (snapname)
519			*snapname = fn->fn_snapname;
520		return (fn->fn_nvfs);
521	}
522	return (NULL);
523}
524
525static void
526fsavl_destroy(avl_tree_t *avl)
527{
528	fsavl_node_t *fn;
529	void *cookie;
530
531	if (avl == NULL)
532		return;
533
534	cookie = NULL;
535	while ((fn = avl_destroy_nodes(avl, &cookie)) != NULL)
536		free(fn);
537	avl_destroy(avl);
538	free(avl);
539}
540
541/*
542 * Given an nvlist, produce an avl tree of snapshots, ordered by guid
543 */
544static avl_tree_t *
545fsavl_create(nvlist_t *fss)
546{
547	avl_tree_t *fsavl;
548	nvpair_t *fselem = NULL;
549
550	if ((fsavl = malloc(sizeof (avl_tree_t))) == NULL)
551		return (NULL);
552
553	avl_create(fsavl, fsavl_compare, sizeof (fsavl_node_t),
554	    offsetof(fsavl_node_t, fn_node));
555
556	while ((fselem = nvlist_next_nvpair(fss, fselem)) != NULL) {
557		nvlist_t *nvfs, *snaps;
558		nvpair_t *snapelem = NULL;
559
560		VERIFY(0 == nvpair_value_nvlist(fselem, &nvfs));
561		VERIFY(0 == nvlist_lookup_nvlist(nvfs, "snaps", &snaps));
562
563		while ((snapelem =
564		    nvlist_next_nvpair(snaps, snapelem)) != NULL) {
565			fsavl_node_t *fn;
566			uint64_t guid;
567
568			VERIFY(0 == nvpair_value_uint64(snapelem, &guid));
569			if ((fn = malloc(sizeof (fsavl_node_t))) == NULL) {
570				fsavl_destroy(fsavl);
571				return (NULL);
572			}
573			fn->fn_nvfs = nvfs;
574			fn->fn_snapname = nvpair_name(snapelem);
575			fn->fn_guid = guid;
576
577			/*
578			 * Note: if there are multiple snaps with the
579			 * same GUID, we ignore all but one.
580			 */
581			if (avl_find(fsavl, fn, NULL) == NULL)
582				avl_add(fsavl, fn);
583			else
584				free(fn);
585		}
586	}
587
588	return (fsavl);
589}
590
591/*
592 * Routines for dealing with the giant nvlist of fs-nvlists, etc.
593 */
594typedef struct send_data {
595	/*
596	 * assigned inside every recursive call,
597	 * restored from *_save on return:
598	 *
599	 * guid of fromsnap snapshot in parent dataset
600	 * txg of fromsnap snapshot in current dataset
601	 * txg of tosnap snapshot in current dataset
602	 */
603
604	uint64_t parent_fromsnap_guid;
605	uint64_t fromsnap_txg;
606	uint64_t tosnap_txg;
607
608	/* the nvlists get accumulated during depth-first traversal */
609	nvlist_t *parent_snaps;
610	nvlist_t *fss;
611	nvlist_t *snapprops;
612	nvlist_t *snapholds;	/* user holds */
613
614	/* send-receive configuration, does not change during traversal */
615	const char *fsname;
616	const char *fromsnap;
617	const char *tosnap;
618	boolean_t recursive;
619	boolean_t raw;
620	boolean_t verbose;
621	boolean_t backup;
622	boolean_t holds;	/* were holds requested with send -h */
623	boolean_t props;
624
625	/*
626	 * The header nvlist is of the following format:
627	 * {
628	 *   "tosnap" -> string
629	 *   "fromsnap" -> string (if incremental)
630	 *   "fss" -> {
631	 *	id -> {
632	 *
633	 *	 "name" -> string (full name; for debugging)
634	 *	 "parentfromsnap" -> number (guid of fromsnap in parent)
635	 *
636	 *	 "props" -> { name -> value (only if set here) }
637	 *	 "snaps" -> { name (lastname) -> number (guid) }
638	 *	 "snapprops" -> { name (lastname) -> { name -> value } }
639	 *	 "snapholds" -> { name (lastname) -> { holdname -> crtime } }
640	 *
641	 *	 "origin" -> number (guid) (if clone)
642	 *	 "is_encroot" -> boolean
643	 *	 "sent" -> boolean (not on-disk)
644	 *	}
645	 *   }
646	 * }
647	 *
648	 */
649} send_data_t;
650
651static void
652send_iterate_prop(zfs_handle_t *zhp, boolean_t received_only, nvlist_t *nv);
653
654static int
655send_iterate_snap(zfs_handle_t *zhp, void *arg)
656{
657	send_data_t *sd = arg;
658	uint64_t guid = zhp->zfs_dmustats.dds_guid;
659	uint64_t txg = zhp->zfs_dmustats.dds_creation_txg;
660	char *snapname;
661	nvlist_t *nv;
662
663	snapname = strrchr(zhp->zfs_name, '@')+1;
664
665	if (sd->tosnap_txg != 0 && txg > sd->tosnap_txg) {
666		if (sd->verbose) {
667			(void) fprintf(stderr, dgettext(TEXT_DOMAIN,
668			    "skipping snapshot %s because it was created "
669			    "after the destination snapshot (%s)\n"),
670			    zhp->zfs_name, sd->tosnap);
671		}
672		zfs_close(zhp);
673		return (0);
674	}
675
676	VERIFY(0 == nvlist_add_uint64(sd->parent_snaps, snapname, guid));
677	/*
678	 * NB: if there is no fromsnap here (it's a newly created fs in
679	 * an incremental replication), we will substitute the tosnap.
680	 */
681	if ((sd->fromsnap && strcmp(snapname, sd->fromsnap) == 0) ||
682	    (sd->parent_fromsnap_guid == 0 && sd->tosnap &&
683	    strcmp(snapname, sd->tosnap) == 0)) {
684		sd->parent_fromsnap_guid = guid;
685	}
686
687	VERIFY(0 == nvlist_alloc(&nv, NV_UNIQUE_NAME, 0));
688	send_iterate_prop(zhp, sd->backup, nv);
689	VERIFY(0 == nvlist_add_nvlist(sd->snapprops, snapname, nv));
690	nvlist_free(nv);
691	if (sd->holds) {
692		nvlist_t *holds = fnvlist_alloc();
693		int err = lzc_get_holds(zhp->zfs_name, &holds);
694		if (err == 0) {
695			VERIFY(0 == nvlist_add_nvlist(sd->snapholds,
696			    snapname, holds));
697		}
698		fnvlist_free(holds);
699	}
700
701	zfs_close(zhp);
702	return (0);
703}
704
705static void
706send_iterate_prop(zfs_handle_t *zhp, boolean_t received_only, nvlist_t *nv)
707{
708	nvlist_t *props = NULL;
709	nvpair_t *elem = NULL;
710
711	if (received_only)
712		props = zfs_get_recvd_props(zhp);
713	else
714		props = zhp->zfs_props;
715
716	while ((elem = nvlist_next_nvpair(props, elem)) != NULL) {
717		char *propname = nvpair_name(elem);
718		zfs_prop_t prop = zfs_name_to_prop(propname);
719		nvlist_t *propnv;
720
721		if (!zfs_prop_user(propname)) {
722			/*
723			 * Realistically, this should never happen.  However,
724			 * we want the ability to add DSL properties without
725			 * needing to make incompatible version changes.  We
726			 * need to ignore unknown properties to allow older
727			 * software to still send datasets containing these
728			 * properties, with the unknown properties elided.
729			 */
730			if (prop == ZPROP_INVAL)
731				continue;
732
733			if (zfs_prop_readonly(prop))
734				continue;
735		}
736
737		verify(nvpair_value_nvlist(elem, &propnv) == 0);
738		if (prop == ZFS_PROP_QUOTA || prop == ZFS_PROP_RESERVATION ||
739		    prop == ZFS_PROP_REFQUOTA ||
740		    prop == ZFS_PROP_REFRESERVATION) {
741			char *source;
742			uint64_t value;
743			verify(nvlist_lookup_uint64(propnv,
744			    ZPROP_VALUE, &value) == 0);
745			if (zhp->zfs_type == ZFS_TYPE_SNAPSHOT)
746				continue;
747			/*
748			 * May have no source before SPA_VERSION_RECVD_PROPS,
749			 * but is still modifiable.
750			 */
751			if (nvlist_lookup_string(propnv,
752			    ZPROP_SOURCE, &source) == 0) {
753				if ((strcmp(source, zhp->zfs_name) != 0) &&
754				    (strcmp(source,
755				    ZPROP_SOURCE_VAL_RECVD) != 0))
756					continue;
757			}
758		} else {
759			char *source;
760			if (nvlist_lookup_string(propnv,
761			    ZPROP_SOURCE, &source) != 0)
762				continue;
763			if ((strcmp(source, zhp->zfs_name) != 0) &&
764			    (strcmp(source, ZPROP_SOURCE_VAL_RECVD) != 0))
765				continue;
766		}
767
768		if (zfs_prop_user(propname) ||
769		    zfs_prop_get_type(prop) == PROP_TYPE_STRING) {
770			char *value;
771			verify(nvlist_lookup_string(propnv,
772			    ZPROP_VALUE, &value) == 0);
773			VERIFY(0 == nvlist_add_string(nv, propname, value));
774		} else {
775			uint64_t value;
776			verify(nvlist_lookup_uint64(propnv,
777			    ZPROP_VALUE, &value) == 0);
778			VERIFY(0 == nvlist_add_uint64(nv, propname, value));
779		}
780	}
781}
782
783/*
784 * returns snapshot creation txg
785 * and returns 0 if the snapshot does not exist
786 */
787static uint64_t
788get_snap_txg(libzfs_handle_t *hdl, const char *fs, const char *snap)
789{
790	char name[ZFS_MAX_DATASET_NAME_LEN];
791	uint64_t txg = 0;
792
793	if (fs == NULL || fs[0] == '\0' || snap == NULL || snap[0] == '\0')
794		return (txg);
795
796	(void) snprintf(name, sizeof (name), "%s@%s", fs, snap);
797	if (zfs_dataset_exists(hdl, name, ZFS_TYPE_SNAPSHOT)) {
798		zfs_handle_t *zhp = zfs_open(hdl, name, ZFS_TYPE_SNAPSHOT);
799		if (zhp != NULL) {
800			txg = zfs_prop_get_int(zhp, ZFS_PROP_CREATETXG);
801			zfs_close(zhp);
802		}
803	}
804
805	return (txg);
806}
807
808/*
809 * recursively generate nvlists describing datasets.  See comment
810 * for the data structure send_data_t above for description of contents
811 * of the nvlist.
812 */
813static int
814send_iterate_fs(zfs_handle_t *zhp, void *arg)
815{
816	send_data_t *sd = arg;
817	nvlist_t *nvfs = NULL, *nv = NULL;
818	int rv = 0;
819	uint64_t parent_fromsnap_guid_save = sd->parent_fromsnap_guid;
820	uint64_t fromsnap_txg_save = sd->fromsnap_txg;
821	uint64_t tosnap_txg_save = sd->tosnap_txg;
822	uint64_t txg = zhp->zfs_dmustats.dds_creation_txg;
823	uint64_t guid = zhp->zfs_dmustats.dds_guid;
824	uint64_t fromsnap_txg, tosnap_txg;
825	char guidstring[64];
826
827	fromsnap_txg = get_snap_txg(zhp->zfs_hdl, zhp->zfs_name, sd->fromsnap);
828	if (fromsnap_txg != 0)
829		sd->fromsnap_txg = fromsnap_txg;
830
831	tosnap_txg = get_snap_txg(zhp->zfs_hdl, zhp->zfs_name, sd->tosnap);
832	if (tosnap_txg != 0)
833		sd->tosnap_txg = tosnap_txg;
834
835	/*
836	 * on the send side, if the current dataset does not have tosnap,
837	 * perform two additional checks:
838	 *
839	 * - skip sending the current dataset if it was created later than
840	 *   the parent tosnap
841	 * - return error if the current dataset was created earlier than
842	 *   the parent tosnap
843	 */
844	if (sd->tosnap != NULL && tosnap_txg == 0) {
845		if (sd->tosnap_txg != 0 && txg > sd->tosnap_txg) {
846			if (sd->verbose) {
847				(void) fprintf(stderr, dgettext(TEXT_DOMAIN,
848				    "skipping dataset %s: snapshot %s does "
849				    "not exist\n"), zhp->zfs_name, sd->tosnap);
850			}
851		} else {
852			(void) fprintf(stderr, dgettext(TEXT_DOMAIN,
853			    "cannot send %s@%s%s: snapshot %s@%s does not "
854			    "exist\n"), sd->fsname, sd->tosnap, sd->recursive ?
855			    dgettext(TEXT_DOMAIN, " recursively") : "",
856			    zhp->zfs_name, sd->tosnap);
857			rv = -1;
858		}
859		goto out;
860	}
861
862	VERIFY(0 == nvlist_alloc(&nvfs, NV_UNIQUE_NAME, 0));
863	VERIFY(0 == nvlist_add_string(nvfs, "name", zhp->zfs_name));
864	VERIFY(0 == nvlist_add_uint64(nvfs, "parentfromsnap",
865	    sd->parent_fromsnap_guid));
866
867	if (zhp->zfs_dmustats.dds_origin[0]) {
868		zfs_handle_t *origin = zfs_open(zhp->zfs_hdl,
869		    zhp->zfs_dmustats.dds_origin, ZFS_TYPE_SNAPSHOT);
870		if (origin == NULL) {
871			rv = -1;
872			goto out;
873		}
874		VERIFY(0 == nvlist_add_uint64(nvfs, "origin",
875		    origin->zfs_dmustats.dds_guid));
876	}
877
878	/* iterate over props */
879	if (sd->props || sd->backup || sd->recursive) {
880		VERIFY(0 == nvlist_alloc(&nv, NV_UNIQUE_NAME, 0));
881		send_iterate_prop(zhp, sd->backup, nv);
882	}
883
884	if (zfs_prop_get_int(zhp, ZFS_PROP_ENCRYPTION) != ZIO_CRYPT_OFF) {
885		boolean_t encroot;
886
887		/* determine if this dataset is an encryption root */
888		if (zfs_crypto_get_encryption_root(zhp, &encroot, NULL) != 0) {
889			rv = -1;
890			goto out;
891		}
892
893		if (encroot)
894			VERIFY(0 == nvlist_add_boolean(nvfs, "is_encroot"));
895
896		/*
897		 * Encrypted datasets can only be sent with properties if
898		 * the raw flag is specified because the receive side doesn't
899		 * currently have a mechanism for recursively asking the user
900		 * for new encryption parameters.
901		 */
902		if (!sd->raw) {
903			(void) fprintf(stderr, dgettext(TEXT_DOMAIN,
904			    "cannot send %s@%s: encrypted dataset %s may not "
905			    "be sent with properties without the raw flag\n"),
906			    sd->fsname, sd->tosnap, zhp->zfs_name);
907			rv = -1;
908			goto out;
909		}
910
911	}
912
913	if (nv != NULL)
914		VERIFY(0 == nvlist_add_nvlist(nvfs, "props", nv));
915
916	/* iterate over snaps, and set sd->parent_fromsnap_guid */
917	sd->parent_fromsnap_guid = 0;
918	VERIFY(0 == nvlist_alloc(&sd->parent_snaps, NV_UNIQUE_NAME, 0));
919	VERIFY(0 == nvlist_alloc(&sd->snapprops, NV_UNIQUE_NAME, 0));
920	if (sd->holds)
921		VERIFY(0 == nvlist_alloc(&sd->snapholds, NV_UNIQUE_NAME, 0));
922	(void) zfs_iter_snapshots(zhp, B_FALSE, send_iterate_snap, sd);
923	VERIFY(0 == nvlist_add_nvlist(nvfs, "snaps", sd->parent_snaps));
924	VERIFY(0 == nvlist_add_nvlist(nvfs, "snapprops", sd->snapprops));
925	if (sd->holds)
926		VERIFY(0 == nvlist_add_nvlist(nvfs, "snapholds",
927		    sd->snapholds));
928	nvlist_free(sd->parent_snaps);
929	nvlist_free(sd->snapprops);
930	nvlist_free(sd->snapholds);
931
932	/* add this fs to nvlist */
933	(void) snprintf(guidstring, sizeof (guidstring),
934	    "0x%llx", (longlong_t)guid);
935	VERIFY(0 == nvlist_add_nvlist(sd->fss, guidstring, nvfs));
936
937	/* iterate over children */
938	if (sd->recursive)
939		rv = zfs_iter_filesystems(zhp, send_iterate_fs, sd);
940
941out:
942	sd->parent_fromsnap_guid = parent_fromsnap_guid_save;
943	sd->fromsnap_txg = fromsnap_txg_save;
944	sd->tosnap_txg = tosnap_txg_save;
945	nvlist_free(nv);
946	nvlist_free(nvfs);
947
948	zfs_close(zhp);
949	return (rv);
950}
951
952static int
953gather_nvlist(libzfs_handle_t *hdl, const char *fsname, const char *fromsnap,
954    const char *tosnap, boolean_t recursive, boolean_t raw,
955    boolean_t verbose, boolean_t backup, boolean_t holds,
956    boolean_t props, nvlist_t **nvlp, avl_tree_t **avlp)
957{
958	zfs_handle_t *zhp;
959	send_data_t sd = { 0 };
960	int error;
961
962	zhp = zfs_open(hdl, fsname, ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME);
963	if (zhp == NULL)
964		return (EZFS_BADTYPE);
965
966	VERIFY(0 == nvlist_alloc(&sd.fss, NV_UNIQUE_NAME, 0));
967	sd.fsname = fsname;
968	sd.fromsnap = fromsnap;
969	sd.tosnap = tosnap;
970	sd.recursive = recursive;
971	sd.raw = raw;
972	sd.verbose = verbose;
973	sd.backup = backup;
974	sd.holds = holds;
975	sd.props = props;
976
977	if ((error = send_iterate_fs(zhp, &sd)) != 0) {
978		nvlist_free(sd.fss);
979		if (avlp != NULL)
980			*avlp = NULL;
981		*nvlp = NULL;
982		return (error);
983	}
984
985	if (avlp != NULL && (*avlp = fsavl_create(sd.fss)) == NULL) {
986		nvlist_free(sd.fss);
987		*nvlp = NULL;
988		return (EZFS_NOMEM);
989	}
990
991	*nvlp = sd.fss;
992	return (0);
993}
994
995/*
996 * Routines specific to "zfs send"
997 */
998typedef struct send_dump_data {
999	/* these are all just the short snapname (the part after the @) */
1000	const char *fromsnap;
1001	const char *tosnap;
1002	char prevsnap[ZFS_MAX_DATASET_NAME_LEN];
1003	uint64_t prevsnap_obj;
1004	boolean_t seenfrom, seento, replicate, doall, fromorigin;
1005	boolean_t verbose, dryrun, parsable, progress, embed_data, std_out;
1006	boolean_t large_block, compress, raw, holds;
1007	int outfd;
1008	boolean_t err;
1009	nvlist_t *fss;
1010	nvlist_t *snapholds;
1011	avl_tree_t *fsavl;
1012	snapfilter_cb_t *filter_cb;
1013	void *filter_cb_arg;
1014	nvlist_t *debugnv;
1015	char holdtag[ZFS_MAX_DATASET_NAME_LEN];
1016	int cleanup_fd;
1017	uint64_t size;
1018} send_dump_data_t;
1019
1020static int
1021estimate_ioctl(zfs_handle_t *zhp, uint64_t fromsnap_obj,
1022    boolean_t fromorigin, enum lzc_send_flags flags, uint64_t *sizep)
1023{
1024	zfs_cmd_t zc = { 0 };
1025	libzfs_handle_t *hdl = zhp->zfs_hdl;
1026
1027	assert(zhp->zfs_type == ZFS_TYPE_SNAPSHOT);
1028	assert(fromsnap_obj == 0 || !fromorigin);
1029
1030	(void) strlcpy(zc.zc_name, zhp->zfs_name, sizeof (zc.zc_name));
1031	zc.zc_obj = fromorigin;
1032	zc.zc_sendobj = zfs_prop_get_int(zhp, ZFS_PROP_OBJSETID);
1033	zc.zc_fromobj = fromsnap_obj;
1034	zc.zc_guid = 1;  /* estimate flag */
1035	zc.zc_flags = flags;
1036
1037	if (zfs_ioctl(zhp->zfs_hdl, ZFS_IOC_SEND, &zc) != 0) {
1038		char errbuf[1024];
1039		(void) snprintf(errbuf, sizeof (errbuf), dgettext(TEXT_DOMAIN,
1040		    "warning: cannot estimate space for '%s'"), zhp->zfs_name);
1041
1042		switch (errno) {
1043		case EXDEV:
1044			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1045			    "not an earlier snapshot from the same fs"));
1046			return (zfs_error(hdl, EZFS_CROSSTARGET, errbuf));
1047
1048		case EACCES:
1049			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1050			    "source key must be loaded"));
1051			return (zfs_error(hdl, EZFS_CRYPTOFAILED, errbuf));
1052
1053		case ENOENT:
1054			if (zfs_dataset_exists(hdl, zc.zc_name,
1055			    ZFS_TYPE_SNAPSHOT)) {
1056				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1057				    "incremental source (@%s) does not exist"),
1058				    zc.zc_value);
1059			}
1060			return (zfs_error(hdl, EZFS_NOENT, errbuf));
1061
1062		case EDQUOT:
1063		case EFBIG:
1064		case EIO:
1065		case ENOLINK:
1066		case ENOSPC:
1067		case ENOSTR:
1068		case ENXIO:
1069		case EPIPE:
1070		case ERANGE:
1071		case EFAULT:
1072		case EROFS:
1073			zfs_error_aux(hdl, strerror(errno));
1074			return (zfs_error(hdl, EZFS_BADBACKUP, errbuf));
1075
1076		default:
1077			return (zfs_standard_error(hdl, errno, errbuf));
1078		}
1079	}
1080
1081	*sizep = zc.zc_objset_type;
1082
1083	return (0);
1084}
1085
1086/*
1087 * Dumps a backup of the given snapshot (incremental from fromsnap if it's not
1088 * NULL) to the file descriptor specified by outfd.
1089 */
1090static int
1091dump_ioctl(zfs_handle_t *zhp, const char *fromsnap, uint64_t fromsnap_obj,
1092    boolean_t fromorigin, int outfd, enum lzc_send_flags flags,
1093    nvlist_t *debugnv)
1094{
1095	zfs_cmd_t zc = { 0 };
1096	libzfs_handle_t *hdl = zhp->zfs_hdl;
1097	nvlist_t *thisdbg;
1098
1099	assert(zhp->zfs_type == ZFS_TYPE_SNAPSHOT);
1100	assert(fromsnap_obj == 0 || !fromorigin);
1101
1102	(void) strlcpy(zc.zc_name, zhp->zfs_name, sizeof (zc.zc_name));
1103	zc.zc_cookie = outfd;
1104	zc.zc_obj = fromorigin;
1105	zc.zc_sendobj = zfs_prop_get_int(zhp, ZFS_PROP_OBJSETID);
1106	zc.zc_fromobj = fromsnap_obj;
1107	zc.zc_flags = flags;
1108
1109	VERIFY(0 == nvlist_alloc(&thisdbg, NV_UNIQUE_NAME, 0));
1110	if (fromsnap && fromsnap[0] != '\0') {
1111		VERIFY(0 == nvlist_add_string(thisdbg,
1112		    "fromsnap", fromsnap));
1113	}
1114
1115	if (zfs_ioctl(zhp->zfs_hdl, ZFS_IOC_SEND, &zc) != 0) {
1116		char errbuf[1024];
1117		(void) snprintf(errbuf, sizeof (errbuf), dgettext(TEXT_DOMAIN,
1118		    "warning: cannot send '%s'"), zhp->zfs_name);
1119
1120		VERIFY(0 == nvlist_add_uint64(thisdbg, "error", errno));
1121		if (debugnv) {
1122			VERIFY(0 == nvlist_add_nvlist(debugnv,
1123			    zhp->zfs_name, thisdbg));
1124		}
1125		nvlist_free(thisdbg);
1126
1127		switch (errno) {
1128		case EXDEV:
1129			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1130			    "not an earlier snapshot from the same fs"));
1131			return (zfs_error(hdl, EZFS_CROSSTARGET, errbuf));
1132
1133		case EACCES:
1134			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1135			    "source key must be loaded"));
1136			return (zfs_error(hdl, EZFS_CRYPTOFAILED, errbuf));
1137
1138		case ENOENT:
1139			if (zfs_dataset_exists(hdl, zc.zc_name,
1140			    ZFS_TYPE_SNAPSHOT)) {
1141				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1142				    "incremental source (@%s) does not exist"),
1143				    zc.zc_value);
1144			}
1145			return (zfs_error(hdl, EZFS_NOENT, errbuf));
1146
1147		case EDQUOT:
1148		case EFBIG:
1149		case EIO:
1150		case ENOLINK:
1151		case ENOSPC:
1152		case ENOSTR:
1153		case ENXIO:
1154		case EPIPE:
1155		case ERANGE:
1156		case EFAULT:
1157		case EROFS:
1158			zfs_error_aux(hdl, strerror(errno));
1159			return (zfs_error(hdl, EZFS_BADBACKUP, errbuf));
1160
1161		default:
1162			return (zfs_standard_error(hdl, errno, errbuf));
1163		}
1164	}
1165
1166	if (debugnv)
1167		VERIFY(0 == nvlist_add_nvlist(debugnv, zhp->zfs_name, thisdbg));
1168	nvlist_free(thisdbg);
1169
1170	return (0);
1171}
1172
1173static void
1174gather_holds(zfs_handle_t *zhp, send_dump_data_t *sdd)
1175{
1176	assert(zhp->zfs_type == ZFS_TYPE_SNAPSHOT);
1177
1178	/*
1179	 * zfs_send() only sets snapholds for sends that need them,
1180	 * e.g. replication and doall.
1181	 */
1182	if (sdd->snapholds == NULL)
1183		return;
1184
1185	fnvlist_add_string(sdd->snapholds, zhp->zfs_name, sdd->holdtag);
1186}
1187
1188static void *
1189send_progress_thread(void *arg)
1190{
1191	progress_arg_t *pa = arg;
1192	zfs_cmd_t zc = { 0 };
1193	zfs_handle_t *zhp = pa->pa_zhp;
1194	libzfs_handle_t *hdl = zhp->zfs_hdl;
1195	unsigned long long bytes;
1196	char buf[16];
1197	time_t t;
1198	struct tm *tm;
1199
1200	(void) strlcpy(zc.zc_name, zhp->zfs_name, sizeof (zc.zc_name));
1201
1202	if (!pa->pa_parsable)
1203		(void) fprintf(stderr, "TIME        SENT   SNAPSHOT\n");
1204
1205	/*
1206	 * Print the progress from ZFS_IOC_SEND_PROGRESS every second.
1207	 */
1208	for (;;) {
1209		(void) sleep(1);
1210
1211		zc.zc_cookie = pa->pa_fd;
1212		if (zfs_ioctl(hdl, ZFS_IOC_SEND_PROGRESS, &zc) != 0)
1213			return ((void *)-1);
1214
1215		(void) time(&t);
1216		tm = localtime(&t);
1217		bytes = zc.zc_cookie;
1218
1219		if (pa->pa_parsable) {
1220			(void) fprintf(stderr, "%02d:%02d:%02d\t%llu\t%s\n",
1221			    tm->tm_hour, tm->tm_min, tm->tm_sec,
1222			    bytes, zhp->zfs_name);
1223		} else {
1224			zfs_nicenum(bytes, buf, sizeof (buf));
1225			(void) fprintf(stderr, "%02d:%02d:%02d   %5s   %s\n",
1226			    tm->tm_hour, tm->tm_min, tm->tm_sec,
1227			    buf, zhp->zfs_name);
1228		}
1229	}
1230}
1231
1232static void
1233send_print_verbose(FILE *fout, const char *tosnap, const char *fromsnap,
1234    uint64_t size, boolean_t parsable)
1235{
1236	if (parsable) {
1237		if (fromsnap != NULL) {
1238			(void) fprintf(fout, "incremental\t%s\t%s",
1239			    fromsnap, tosnap);
1240		} else {
1241			(void) fprintf(fout, "full\t%s",
1242			    tosnap);
1243		}
1244	} else {
1245		if (fromsnap != NULL) {
1246			if (strchr(fromsnap, '@') == NULL &&
1247			    strchr(fromsnap, '#') == NULL) {
1248				(void) fprintf(fout, dgettext(TEXT_DOMAIN,
1249				    "send from @%s to %s"),
1250				    fromsnap, tosnap);
1251			} else {
1252				(void) fprintf(fout, dgettext(TEXT_DOMAIN,
1253				    "send from %s to %s"),
1254				    fromsnap, tosnap);
1255			}
1256		} else {
1257			(void) fprintf(fout, dgettext(TEXT_DOMAIN,
1258			    "full send of %s"),
1259			    tosnap);
1260		}
1261	}
1262
1263	if (size != 0) {
1264		if (parsable) {
1265			(void) fprintf(fout, "\t%llu",
1266			    (longlong_t)size);
1267		} else {
1268			char buf[16];
1269			zfs_nicenum(size, buf, sizeof (buf));
1270			(void) fprintf(fout, dgettext(TEXT_DOMAIN,
1271			    " estimated size is %s"), buf);
1272		}
1273	}
1274	(void) fprintf(fout, "\n");
1275}
1276
1277static int
1278dump_snapshot(zfs_handle_t *zhp, void *arg)
1279{
1280	send_dump_data_t *sdd = arg;
1281	progress_arg_t pa = { 0 };
1282	pthread_t tid;
1283	char *thissnap;
1284	enum lzc_send_flags flags = 0;
1285	int err;
1286	boolean_t isfromsnap, istosnap, fromorigin;
1287	boolean_t exclude = B_FALSE;
1288	FILE *fout = sdd->std_out ? stdout : stderr;
1289
1290	err = 0;
1291	thissnap = strchr(zhp->zfs_name, '@') + 1;
1292	isfromsnap = (sdd->fromsnap != NULL &&
1293	    strcmp(sdd->fromsnap, thissnap) == 0);
1294
1295	if (!sdd->seenfrom && isfromsnap) {
1296		gather_holds(zhp, sdd);
1297		sdd->seenfrom = B_TRUE;
1298		(void) strcpy(sdd->prevsnap, thissnap);
1299		sdd->prevsnap_obj = zfs_prop_get_int(zhp, ZFS_PROP_OBJSETID);
1300		zfs_close(zhp);
1301		return (0);
1302	}
1303
1304	if (sdd->seento || !sdd->seenfrom) {
1305		zfs_close(zhp);
1306		return (0);
1307	}
1308
1309	istosnap = (strcmp(sdd->tosnap, thissnap) == 0);
1310	if (istosnap)
1311		sdd->seento = B_TRUE;
1312
1313	if (sdd->large_block)
1314		flags |= LZC_SEND_FLAG_LARGE_BLOCK;
1315	if (sdd->embed_data)
1316		flags |= LZC_SEND_FLAG_EMBED_DATA;
1317	if (sdd->compress)
1318		flags |= LZC_SEND_FLAG_COMPRESS;
1319	if (sdd->raw)
1320		flags |= LZC_SEND_FLAG_RAW;
1321
1322	if (!sdd->doall && !isfromsnap && !istosnap) {
1323		if (sdd->replicate) {
1324			char *snapname;
1325			nvlist_t *snapprops;
1326			/*
1327			 * Filter out all intermediate snapshots except origin
1328			 * snapshots needed to replicate clones.
1329			 */
1330			nvlist_t *nvfs = fsavl_find(sdd->fsavl,
1331			    zhp->zfs_dmustats.dds_guid, &snapname);
1332
1333			VERIFY(0 == nvlist_lookup_nvlist(nvfs,
1334			    "snapprops", &snapprops));
1335			VERIFY(0 == nvlist_lookup_nvlist(snapprops,
1336			    thissnap, &snapprops));
1337			exclude = !nvlist_exists(snapprops, "is_clone_origin");
1338		} else {
1339			exclude = B_TRUE;
1340		}
1341	}
1342
1343	/*
1344	 * If a filter function exists, call it to determine whether
1345	 * this snapshot will be sent.
1346	 */
1347	if (exclude || (sdd->filter_cb != NULL &&
1348	    sdd->filter_cb(zhp, sdd->filter_cb_arg) == B_FALSE)) {
1349		/*
1350		 * This snapshot is filtered out.  Don't send it, and don't
1351		 * set prevsnap_obj, so it will be as if this snapshot didn't
1352		 * exist, and the next accepted snapshot will be sent as
1353		 * an incremental from the last accepted one, or as the
1354		 * first (and full) snapshot in the case of a replication,
1355		 * non-incremental send.
1356		 */
1357		zfs_close(zhp);
1358		return (0);
1359	}
1360
1361	gather_holds(zhp, sdd);
1362	fromorigin = sdd->prevsnap[0] == '\0' &&
1363	    (sdd->fromorigin || sdd->replicate);
1364
1365	if (sdd->verbose) {
1366		uint64_t size = 0;
1367		(void) estimate_ioctl(zhp, sdd->prevsnap_obj,
1368		    fromorigin, flags, &size);
1369
1370		send_print_verbose(fout, zhp->zfs_name,
1371		    sdd->prevsnap[0] ? sdd->prevsnap : NULL,
1372		    size, sdd->parsable);
1373		sdd->size += size;
1374	}
1375
1376	if (!sdd->dryrun) {
1377		/*
1378		 * If progress reporting is requested, spawn a new thread to
1379		 * poll ZFS_IOC_SEND_PROGRESS at a regular interval.
1380		 */
1381		if (sdd->progress) {
1382			pa.pa_zhp = zhp;
1383			pa.pa_fd = sdd->outfd;
1384			pa.pa_parsable = sdd->parsable;
1385
1386			if ((err = pthread_create(&tid, NULL,
1387			    send_progress_thread, &pa)) != 0) {
1388				zfs_close(zhp);
1389				return (err);
1390			}
1391		}
1392
1393		err = dump_ioctl(zhp, sdd->prevsnap, sdd->prevsnap_obj,
1394		    fromorigin, sdd->outfd, flags, sdd->debugnv);
1395
1396		if (sdd->progress) {
1397			(void) pthread_cancel(tid);
1398			(void) pthread_join(tid, NULL);
1399		}
1400	}
1401
1402	(void) strcpy(sdd->prevsnap, thissnap);
1403	sdd->prevsnap_obj = zfs_prop_get_int(zhp, ZFS_PROP_OBJSETID);
1404	zfs_close(zhp);
1405	return (err);
1406}
1407
1408static int
1409dump_filesystem(zfs_handle_t *zhp, void *arg)
1410{
1411	int rv = 0;
1412	send_dump_data_t *sdd = arg;
1413	boolean_t missingfrom = B_FALSE;
1414	zfs_cmd_t zc = { 0 };
1415
1416	(void) snprintf(zc.zc_name, sizeof (zc.zc_name), "%s@%s",
1417	    zhp->zfs_name, sdd->tosnap);
1418	if (ioctl(zhp->zfs_hdl->libzfs_fd, ZFS_IOC_OBJSET_STATS, &zc) != 0) {
1419		(void) fprintf(stderr, dgettext(TEXT_DOMAIN,
1420		    "WARNING: could not send %s@%s: does not exist\n"),
1421		    zhp->zfs_name, sdd->tosnap);
1422		sdd->err = B_TRUE;
1423		return (0);
1424	}
1425
1426	if (sdd->replicate && sdd->fromsnap) {
1427		/*
1428		 * If this fs does not have fromsnap, and we're doing
1429		 * recursive, we need to send a full stream from the
1430		 * beginning (or an incremental from the origin if this
1431		 * is a clone).  If we're doing non-recursive, then let
1432		 * them get the error.
1433		 */
1434		(void) snprintf(zc.zc_name, sizeof (zc.zc_name), "%s@%s",
1435		    zhp->zfs_name, sdd->fromsnap);
1436		if (ioctl(zhp->zfs_hdl->libzfs_fd,
1437		    ZFS_IOC_OBJSET_STATS, &zc) != 0) {
1438			missingfrom = B_TRUE;
1439		}
1440	}
1441
1442	sdd->seenfrom = sdd->seento = sdd->prevsnap[0] = 0;
1443	sdd->prevsnap_obj = 0;
1444	if (sdd->fromsnap == NULL || missingfrom)
1445		sdd->seenfrom = B_TRUE;
1446
1447	rv = zfs_iter_snapshots_sorted(zhp, dump_snapshot, arg);
1448	if (!sdd->seenfrom) {
1449		(void) fprintf(stderr, dgettext(TEXT_DOMAIN,
1450		    "WARNING: could not send %s@%s:\n"
1451		    "incremental source (%s@%s) does not exist\n"),
1452		    zhp->zfs_name, sdd->tosnap,
1453		    zhp->zfs_name, sdd->fromsnap);
1454		sdd->err = B_TRUE;
1455	} else if (!sdd->seento) {
1456		if (sdd->fromsnap) {
1457			(void) fprintf(stderr, dgettext(TEXT_DOMAIN,
1458			    "WARNING: could not send %s@%s:\n"
1459			    "incremental source (%s@%s) "
1460			    "is not earlier than it\n"),
1461			    zhp->zfs_name, sdd->tosnap,
1462			    zhp->zfs_name, sdd->fromsnap);
1463		} else {
1464			(void) fprintf(stderr, dgettext(TEXT_DOMAIN,
1465			    "WARNING: "
1466			    "could not send %s@%s: does not exist\n"),
1467			    zhp->zfs_name, sdd->tosnap);
1468		}
1469		sdd->err = B_TRUE;
1470	}
1471
1472	return (rv);
1473}
1474
1475static int
1476dump_filesystems(zfs_handle_t *rzhp, void *arg)
1477{
1478	send_dump_data_t *sdd = arg;
1479	nvpair_t *fspair;
1480	boolean_t needagain, progress;
1481
1482	if (!sdd->replicate)
1483		return (dump_filesystem(rzhp, sdd));
1484
1485	/* Mark the clone origin snapshots. */
1486	for (fspair = nvlist_next_nvpair(sdd->fss, NULL); fspair;
1487	    fspair = nvlist_next_nvpair(sdd->fss, fspair)) {
1488		nvlist_t *nvfs;
1489		uint64_t origin_guid = 0;
1490
1491		VERIFY(0 == nvpair_value_nvlist(fspair, &nvfs));
1492		(void) nvlist_lookup_uint64(nvfs, "origin", &origin_guid);
1493		if (origin_guid != 0) {
1494			char *snapname;
1495			nvlist_t *origin_nv = fsavl_find(sdd->fsavl,
1496			    origin_guid, &snapname);
1497			if (origin_nv != NULL) {
1498				nvlist_t *snapprops;
1499				VERIFY(0 == nvlist_lookup_nvlist(origin_nv,
1500				    "snapprops", &snapprops));
1501				VERIFY(0 == nvlist_lookup_nvlist(snapprops,
1502				    snapname, &snapprops));
1503				VERIFY(0 == nvlist_add_boolean(
1504				    snapprops, "is_clone_origin"));
1505			}
1506		}
1507	}
1508again:
1509	needagain = progress = B_FALSE;
1510	for (fspair = nvlist_next_nvpair(sdd->fss, NULL); fspair;
1511	    fspair = nvlist_next_nvpair(sdd->fss, fspair)) {
1512		nvlist_t *fslist, *parent_nv;
1513		char *fsname;
1514		zfs_handle_t *zhp;
1515		int err;
1516		uint64_t origin_guid = 0;
1517		uint64_t parent_guid = 0;
1518
1519		VERIFY(nvpair_value_nvlist(fspair, &fslist) == 0);
1520		if (nvlist_lookup_boolean(fslist, "sent") == 0)
1521			continue;
1522
1523		VERIFY(nvlist_lookup_string(fslist, "name", &fsname) == 0);
1524		(void) nvlist_lookup_uint64(fslist, "origin", &origin_guid);
1525		(void) nvlist_lookup_uint64(fslist, "parentfromsnap",
1526		    &parent_guid);
1527
1528		if (parent_guid != 0) {
1529			parent_nv = fsavl_find(sdd->fsavl, parent_guid, NULL);
1530			if (!nvlist_exists(parent_nv, "sent")) {
1531				/* parent has not been sent; skip this one */
1532				needagain = B_TRUE;
1533				continue;
1534			}
1535		}
1536
1537		if (origin_guid != 0) {
1538			nvlist_t *origin_nv = fsavl_find(sdd->fsavl,
1539			    origin_guid, NULL);
1540			if (origin_nv != NULL &&
1541			    !nvlist_exists(origin_nv, "sent")) {
1542				/*
1543				 * origin has not been sent yet;
1544				 * skip this clone.
1545				 */
1546				needagain = B_TRUE;
1547				continue;
1548			}
1549		}
1550
1551		zhp = zfs_open(rzhp->zfs_hdl, fsname, ZFS_TYPE_DATASET);
1552		if (zhp == NULL)
1553			return (-1);
1554		err = dump_filesystem(zhp, sdd);
1555		VERIFY(nvlist_add_boolean(fslist, "sent") == 0);
1556		progress = B_TRUE;
1557		zfs_close(zhp);
1558		if (err)
1559			return (err);
1560	}
1561	if (needagain) {
1562		assert(progress);
1563		goto again;
1564	}
1565
1566	/* clean out the sent flags in case we reuse this fss */
1567	for (fspair = nvlist_next_nvpair(sdd->fss, NULL); fspair;
1568	    fspair = nvlist_next_nvpair(sdd->fss, fspair)) {
1569		nvlist_t *fslist;
1570
1571		VERIFY(nvpair_value_nvlist(fspair, &fslist) == 0);
1572		(void) nvlist_remove_all(fslist, "sent");
1573	}
1574
1575	return (0);
1576}
1577
1578nvlist_t *
1579zfs_send_resume_token_to_nvlist(libzfs_handle_t *hdl, const char *token)
1580{
1581	unsigned int version;
1582	int nread;
1583	unsigned long long checksum, packed_len;
1584
1585	/*
1586	 * Decode token header, which is:
1587	 *   <token version>-<checksum of payload>-<uncompressed payload length>
1588	 * Note that the only supported token version is 1.
1589	 */
1590	nread = sscanf(token, "%u-%llx-%llx-",
1591	    &version, &checksum, &packed_len);
1592	if (nread != 3) {
1593		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1594		    "resume token is corrupt (invalid format)"));
1595		return (NULL);
1596	}
1597
1598	if (version != ZFS_SEND_RESUME_TOKEN_VERSION) {
1599		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1600		    "resume token is corrupt (invalid version %u)"),
1601		    version);
1602		return (NULL);
1603	}
1604
1605	/* convert hexadecimal representation to binary */
1606	token = strrchr(token, '-') + 1;
1607	int len = strlen(token) / 2;
1608	unsigned char *compressed = zfs_alloc(hdl, len);
1609	for (int i = 0; i < len; i++) {
1610		nread = sscanf(token + i * 2, "%2hhx", compressed + i);
1611		if (nread != 1) {
1612			free(compressed);
1613			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1614			    "resume token is corrupt "
1615			    "(payload is not hex-encoded)"));
1616			return (NULL);
1617		}
1618	}
1619
1620	/* verify checksum */
1621	zio_cksum_t cksum;
1622	fletcher_4_native(compressed, len, NULL, &cksum);
1623	if (cksum.zc_word[0] != checksum) {
1624		free(compressed);
1625		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1626		    "resume token is corrupt (incorrect checksum)"));
1627		return (NULL);
1628	}
1629
1630	/* uncompress */
1631	void *packed = zfs_alloc(hdl, packed_len);
1632	uLongf packed_len_long = packed_len;
1633	if (uncompress(packed, &packed_len_long, compressed, len) != Z_OK ||
1634	    packed_len_long != packed_len) {
1635		free(packed);
1636		free(compressed);
1637		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1638		    "resume token is corrupt (decompression failed)"));
1639		return (NULL);
1640	}
1641
1642	/* unpack nvlist */
1643	nvlist_t *nv;
1644	int error = nvlist_unpack(packed, packed_len, &nv, KM_SLEEP);
1645	free(packed);
1646	free(compressed);
1647	if (error != 0) {
1648		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1649		    "resume token is corrupt (nvlist_unpack failed)"));
1650		return (NULL);
1651	}
1652	return (nv);
1653}
1654
1655int
1656zfs_send_resume(libzfs_handle_t *hdl, sendflags_t *flags, int outfd,
1657    const char *resume_token)
1658{
1659	char errbuf[1024];
1660	char *toname;
1661	char *fromname = NULL;
1662	uint64_t resumeobj, resumeoff, toguid, fromguid, bytes;
1663	zfs_handle_t *zhp;
1664	int error = 0;
1665	char name[ZFS_MAX_DATASET_NAME_LEN];
1666	enum lzc_send_flags lzc_flags = 0;
1667	FILE *fout = (flags->verbose && flags->dryrun) ? stdout : stderr;
1668
1669	(void) snprintf(errbuf, sizeof (errbuf), dgettext(TEXT_DOMAIN,
1670	    "cannot resume send"));
1671
1672	nvlist_t *resume_nvl =
1673	    zfs_send_resume_token_to_nvlist(hdl, resume_token);
1674	if (resume_nvl == NULL) {
1675		/*
1676		 * zfs_error_aux has already been set by
1677		 * zfs_send_resume_token_to_nvlist
1678		 */
1679		return (zfs_error(hdl, EZFS_FAULT, errbuf));
1680	}
1681	if (flags->verbose) {
1682		(void) fprintf(fout, dgettext(TEXT_DOMAIN,
1683		    "resume token contents:\n"));
1684		nvlist_print(fout, resume_nvl);
1685	}
1686
1687	if (nvlist_lookup_string(resume_nvl, "toname", &toname) != 0 ||
1688	    nvlist_lookup_uint64(resume_nvl, "object", &resumeobj) != 0 ||
1689	    nvlist_lookup_uint64(resume_nvl, "offset", &resumeoff) != 0 ||
1690	    nvlist_lookup_uint64(resume_nvl, "bytes", &bytes) != 0 ||
1691	    nvlist_lookup_uint64(resume_nvl, "toguid", &toguid) != 0) {
1692		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1693		    "resume token is corrupt"));
1694		return (zfs_error(hdl, EZFS_FAULT, errbuf));
1695	}
1696	fromguid = 0;
1697	(void) nvlist_lookup_uint64(resume_nvl, "fromguid", &fromguid);
1698
1699	if (flags->largeblock || nvlist_exists(resume_nvl, "largeblockok"))
1700		lzc_flags |= LZC_SEND_FLAG_LARGE_BLOCK;
1701	if (flags->embed_data || nvlist_exists(resume_nvl, "embedok"))
1702		lzc_flags |= LZC_SEND_FLAG_EMBED_DATA;
1703	if (flags->compress || nvlist_exists(resume_nvl, "compressok"))
1704		lzc_flags |= LZC_SEND_FLAG_COMPRESS;
1705	if (flags->raw || nvlist_exists(resume_nvl, "rawok"))
1706		lzc_flags |= LZC_SEND_FLAG_RAW;
1707
1708	if (guid_to_name(hdl, toname, toguid, B_FALSE, name) != 0) {
1709		if (zfs_dataset_exists(hdl, toname, ZFS_TYPE_DATASET)) {
1710			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1711			    "'%s' is no longer the same snapshot used in "
1712			    "the initial send"), toname);
1713		} else {
1714			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1715			    "'%s' used in the initial send no longer exists"),
1716			    toname);
1717		}
1718		return (zfs_error(hdl, EZFS_BADPATH, errbuf));
1719	}
1720	zhp = zfs_open(hdl, name, ZFS_TYPE_DATASET);
1721	if (zhp == NULL) {
1722		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1723		    "unable to access '%s'"), name);
1724		return (zfs_error(hdl, EZFS_BADPATH, errbuf));
1725	}
1726
1727	if (fromguid != 0) {
1728		if (guid_to_name(hdl, toname, fromguid, B_TRUE, name) != 0) {
1729			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1730			    "incremental source %#llx no longer exists"),
1731			    (longlong_t)fromguid);
1732			return (zfs_error(hdl, EZFS_BADPATH, errbuf));
1733		}
1734		fromname = name;
1735	}
1736
1737	if (flags->verbose) {
1738		uint64_t size = 0;
1739		error = lzc_send_space(zhp->zfs_name, fromname,
1740		    lzc_flags, &size);
1741		if (error == 0)
1742			size = MAX(0, (int64_t)(size - bytes));
1743		send_print_verbose(fout, zhp->zfs_name, fromname,
1744		    size, flags->parsable);
1745	}
1746
1747	if (!flags->dryrun) {
1748		progress_arg_t pa = { 0 };
1749		pthread_t tid;
1750		/*
1751		 * If progress reporting is requested, spawn a new thread to
1752		 * poll ZFS_IOC_SEND_PROGRESS at a regular interval.
1753		 */
1754		if (flags->progress) {
1755			pa.pa_zhp = zhp;
1756			pa.pa_fd = outfd;
1757			pa.pa_parsable = flags->parsable;
1758
1759			error = pthread_create(&tid, NULL,
1760			    send_progress_thread, &pa);
1761			if (error != 0) {
1762				zfs_close(zhp);
1763				return (error);
1764			}
1765		}
1766
1767		error = lzc_send_resume(zhp->zfs_name, fromname, outfd,
1768		    lzc_flags, resumeobj, resumeoff);
1769
1770		if (flags->progress) {
1771			(void) pthread_cancel(tid);
1772			(void) pthread_join(tid, NULL);
1773		}
1774
1775		char errbuf[1024];
1776		(void) snprintf(errbuf, sizeof (errbuf), dgettext(TEXT_DOMAIN,
1777		    "warning: cannot send '%s'"), zhp->zfs_name);
1778
1779		zfs_close(zhp);
1780
1781		switch (error) {
1782		case 0:
1783			return (0);
1784		case EACCES:
1785			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1786			    "source key must be loaded"));
1787			return (zfs_error(hdl, EZFS_CRYPTOFAILED, errbuf));
1788
1789		case EXDEV:
1790		case ENOENT:
1791		case EDQUOT:
1792		case EFBIG:
1793		case EIO:
1794		case ENOLINK:
1795		case ENOSPC:
1796		case ENOSTR:
1797		case ENXIO:
1798		case EPIPE:
1799		case ERANGE:
1800		case EFAULT:
1801		case EROFS:
1802			zfs_error_aux(hdl, strerror(errno));
1803			return (zfs_error(hdl, EZFS_BADBACKUP, errbuf));
1804
1805		default:
1806			return (zfs_standard_error(hdl, errno, errbuf));
1807		}
1808	}
1809
1810
1811	zfs_close(zhp);
1812
1813	return (error);
1814}
1815
1816/*
1817 * Generate a send stream for the dataset identified by the argument zhp.
1818 *
1819 * The content of the send stream is the snapshot identified by
1820 * 'tosnap'.  Incremental streams are requested in two ways:
1821 *     - from the snapshot identified by "fromsnap" (if non-null) or
1822 *     - from the origin of the dataset identified by zhp, which must
1823 *	 be a clone.  In this case, "fromsnap" is null and "fromorigin"
1824 *	 is TRUE.
1825 *
1826 * The send stream is recursive (i.e. dumps a hierarchy of snapshots) and
1827 * uses a special header (with a hdrtype field of DMU_COMPOUNDSTREAM)
1828 * if "replicate" is set.  If "doall" is set, dump all the intermediate
1829 * snapshots. The DMU_COMPOUNDSTREAM header is used in the "doall"
1830 * case too. If "props" is set, send properties.
1831 */
1832int
1833zfs_send(zfs_handle_t *zhp, const char *fromsnap, const char *tosnap,
1834    sendflags_t *flags, int outfd, snapfilter_cb_t filter_func,
1835    void *cb_arg, nvlist_t **debugnvp)
1836{
1837	char errbuf[1024];
1838	send_dump_data_t sdd = { 0 };
1839	int err = 0;
1840	nvlist_t *fss = NULL;
1841	avl_tree_t *fsavl = NULL;
1842	static uint64_t holdseq;
1843	int spa_version;
1844	pthread_t tid = 0;
1845	int pipefd[2];
1846	dedup_arg_t dda = { 0 };
1847	int featureflags = 0;
1848	FILE *fout;
1849
1850	(void) snprintf(errbuf, sizeof (errbuf), dgettext(TEXT_DOMAIN,
1851	    "cannot send '%s'"), zhp->zfs_name);
1852
1853	if (fromsnap && fromsnap[0] == '\0') {
1854		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1855		    "zero-length incremental source"));
1856		return (zfs_error(zhp->zfs_hdl, EZFS_NOENT, errbuf));
1857	}
1858
1859	if (zhp->zfs_type == ZFS_TYPE_FILESYSTEM) {
1860		uint64_t version;
1861		version = zfs_prop_get_int(zhp, ZFS_PROP_VERSION);
1862		if (version >= ZPL_VERSION_SA) {
1863			featureflags |= DMU_BACKUP_FEATURE_SA_SPILL;
1864		}
1865	}
1866
1867	if (flags->holds)
1868		featureflags |= DMU_BACKUP_FEATURE_HOLDS;
1869
1870	/*
1871	 * Start the dedup thread if this is a dedup stream. We do not bother
1872	 * doing this if this a raw send of an encrypted dataset with dedup off
1873	 * because normal encrypted blocks won't dedup.
1874	 */
1875	if (flags->dedup && !flags->dryrun && !(flags->raw &&
1876	    zfs_prop_get_int(zhp, ZFS_PROP_ENCRYPTION) != ZIO_CRYPT_OFF &&
1877	    zfs_prop_get_int(zhp, ZFS_PROP_DEDUP) == ZIO_CHECKSUM_OFF)) {
1878		featureflags |= (DMU_BACKUP_FEATURE_DEDUP |
1879		    DMU_BACKUP_FEATURE_DEDUPPROPS);
1880		if ((err = pipe(pipefd)) != 0) {
1881			zfs_error_aux(zhp->zfs_hdl, strerror(errno));
1882			return (zfs_error(zhp->zfs_hdl, EZFS_PIPEFAILED,
1883			    errbuf));
1884		}
1885		dda.outputfd = outfd;
1886		dda.inputfd = pipefd[1];
1887		dda.dedup_hdl = zhp->zfs_hdl;
1888		if ((err = pthread_create(&tid, NULL, cksummer, &dda)) != 0) {
1889			(void) close(pipefd[0]);
1890			(void) close(pipefd[1]);
1891			zfs_error_aux(zhp->zfs_hdl, strerror(errno));
1892			return (zfs_error(zhp->zfs_hdl,
1893			    EZFS_THREADCREATEFAILED, errbuf));
1894		}
1895	}
1896
1897	if (flags->replicate || flags->doall || flags->props ||
1898	    flags->holds || flags->backup) {
1899		dmu_replay_record_t drr = { 0 };
1900		char *packbuf = NULL;
1901		size_t buflen = 0;
1902		zio_cksum_t zc;
1903
1904		ZIO_SET_CHECKSUM(&zc, 0, 0, 0, 0);
1905
1906		if (flags->replicate || flags->props || flags->backup ||
1907		    flags->holds) {
1908			nvlist_t *hdrnv;
1909
1910			VERIFY(0 == nvlist_alloc(&hdrnv, NV_UNIQUE_NAME, 0));
1911			if (fromsnap) {
1912				VERIFY(0 == nvlist_add_string(hdrnv,
1913				    "fromsnap", fromsnap));
1914			}
1915			VERIFY(0 == nvlist_add_string(hdrnv, "tosnap", tosnap));
1916			if (!flags->replicate) {
1917				VERIFY(0 == nvlist_add_boolean(hdrnv,
1918				    "not_recursive"));
1919			}
1920			if (flags->raw) {
1921				VERIFY(0 == nvlist_add_boolean(hdrnv, "raw"));
1922			}
1923
1924			err = gather_nvlist(zhp->zfs_hdl, zhp->zfs_name,
1925			    fromsnap, tosnap, flags->replicate, flags->raw,
1926			    flags->verbose, flags->backup,
1927			    flags->holds, flags->props, &fss,
1928			    &fsavl);
1929			if (err)
1930				goto err_out;
1931			VERIFY(0 == nvlist_add_nvlist(hdrnv, "fss", fss));
1932			err = nvlist_pack(hdrnv, &packbuf, &buflen,
1933			    NV_ENCODE_XDR, 0);
1934			if (debugnvp)
1935				*debugnvp = hdrnv;
1936			else
1937				nvlist_free(hdrnv);
1938			if (err)
1939				goto stderr_out;
1940		}
1941
1942		if (!flags->dryrun) {
1943			/* write first begin record */
1944			drr.drr_type = DRR_BEGIN;
1945			drr.drr_u.drr_begin.drr_magic = DMU_BACKUP_MAGIC;
1946			DMU_SET_STREAM_HDRTYPE(drr.drr_u.drr_begin.
1947			    drr_versioninfo, DMU_COMPOUNDSTREAM);
1948			DMU_SET_FEATUREFLAGS(drr.drr_u.drr_begin.
1949			    drr_versioninfo, featureflags);
1950			(void) snprintf(drr.drr_u.drr_begin.drr_toname,
1951			    sizeof (drr.drr_u.drr_begin.drr_toname),
1952			    "%s@%s", zhp->zfs_name, tosnap);
1953			drr.drr_payloadlen = buflen;
1954
1955			err = dump_record(&drr, packbuf, buflen, &zc, outfd);
1956			free(packbuf);
1957			if (err != 0)
1958				goto stderr_out;
1959
1960			/* write end record */
1961			bzero(&drr, sizeof (drr));
1962			drr.drr_type = DRR_END;
1963			drr.drr_u.drr_end.drr_checksum = zc;
1964			err = write(outfd, &drr, sizeof (drr));
1965			if (err == -1) {
1966				err = errno;
1967				goto stderr_out;
1968			}
1969
1970			err = 0;
1971		}
1972	}
1973
1974	/* dump each stream */
1975	sdd.fromsnap = fromsnap;
1976	sdd.tosnap = tosnap;
1977	if (tid != 0)
1978		sdd.outfd = pipefd[0];
1979	else
1980		sdd.outfd = outfd;
1981	sdd.replicate = flags->replicate;
1982	sdd.doall = flags->doall;
1983	sdd.fromorigin = flags->fromorigin;
1984	sdd.fss = fss;
1985	sdd.fsavl = fsavl;
1986	sdd.verbose = flags->verbose;
1987	sdd.parsable = flags->parsable;
1988	sdd.progress = flags->progress;
1989	sdd.dryrun = flags->dryrun;
1990	sdd.large_block = flags->largeblock;
1991	sdd.embed_data = flags->embed_data;
1992	sdd.compress = flags->compress;
1993	sdd.raw = flags->raw;
1994	sdd.holds = flags->holds;
1995	sdd.filter_cb = filter_func;
1996	sdd.filter_cb_arg = cb_arg;
1997	if (debugnvp)
1998		sdd.debugnv = *debugnvp;
1999	if (sdd.verbose && sdd.dryrun)
2000		sdd.std_out = B_TRUE;
2001	fout = sdd.std_out ? stdout : stderr;
2002
2003	/*
2004	 * Some flags require that we place user holds on the datasets that are
2005	 * being sent so they don't get destroyed during the send. We can skip
2006	 * this step if the pool is imported read-only since the datasets cannot
2007	 * be destroyed.
2008	 */
2009	if (!flags->dryrun && !zpool_get_prop_int(zfs_get_pool_handle(zhp),
2010	    ZPOOL_PROP_READONLY, NULL) &&
2011	    zfs_spa_version(zhp, &spa_version) == 0 &&
2012	    spa_version >= SPA_VERSION_USERREFS &&
2013	    (flags->doall || flags->replicate)) {
2014		++holdseq;
2015		(void) snprintf(sdd.holdtag, sizeof (sdd.holdtag),
2016		    ".send-%d-%llu", getpid(), (u_longlong_t)holdseq);
2017		sdd.cleanup_fd = open(ZFS_DEV, O_RDWR|O_EXCL);
2018		if (sdd.cleanup_fd < 0) {
2019			err = errno;
2020			goto stderr_out;
2021		}
2022		sdd.snapholds = fnvlist_alloc();
2023	} else {
2024		sdd.cleanup_fd = -1;
2025		sdd.snapholds = NULL;
2026	}
2027
2028	if (flags->verbose || sdd.snapholds != NULL) {
2029		/*
2030		 * Do a verbose no-op dry run to get all the verbose output
2031		 * or to gather snapshot hold's before generating any data,
2032		 * then do a non-verbose real run to generate the streams.
2033		 */
2034		sdd.dryrun = B_TRUE;
2035		err = dump_filesystems(zhp, &sdd);
2036
2037		if (err != 0)
2038			goto stderr_out;
2039
2040		if (flags->verbose) {
2041			if (flags->parsable) {
2042				(void) fprintf(fout, "size\t%llu\n",
2043				    (longlong_t)sdd.size);
2044			} else {
2045				char buf[16];
2046				zfs_nicenum(sdd.size, buf, sizeof (buf));
2047				(void) fprintf(fout, dgettext(TEXT_DOMAIN,
2048				    "total estimated size is %s\n"), buf);
2049			}
2050		}
2051
2052		/* Ensure no snaps found is treated as an error. */
2053		if (!sdd.seento) {
2054			err = ENOENT;
2055			goto err_out;
2056		}
2057
2058		/* Skip the second run if dryrun was requested. */
2059		if (flags->dryrun)
2060			goto err_out;
2061
2062		if (sdd.snapholds != NULL) {
2063			err = zfs_hold_nvl(zhp, sdd.cleanup_fd, sdd.snapholds);
2064			if (err != 0)
2065				goto stderr_out;
2066
2067			fnvlist_free(sdd.snapholds);
2068			sdd.snapholds = NULL;
2069		}
2070
2071		sdd.dryrun = B_FALSE;
2072		sdd.verbose = B_FALSE;
2073	}
2074
2075	err = dump_filesystems(zhp, &sdd);
2076	fsavl_destroy(fsavl);
2077	nvlist_free(fss);
2078
2079	/* Ensure no snaps found is treated as an error. */
2080	if (err == 0 && !sdd.seento)
2081		err = ENOENT;
2082
2083	if (tid != 0) {
2084		if (err != 0)
2085			(void) pthread_cancel(tid);
2086		(void) close(pipefd[0]);
2087		(void) pthread_join(tid, NULL);
2088	}
2089
2090	if (sdd.cleanup_fd != -1) {
2091		VERIFY(0 == close(sdd.cleanup_fd));
2092		sdd.cleanup_fd = -1;
2093	}
2094
2095	if (!flags->dryrun && (flags->replicate || flags->doall ||
2096	    flags->props || flags->backup || flags->holds)) {
2097		/*
2098		 * write final end record.  NB: want to do this even if
2099		 * there was some error, because it might not be totally
2100		 * failed.
2101		 */
2102		dmu_replay_record_t drr = { 0 };
2103		drr.drr_type = DRR_END;
2104		if (write(outfd, &drr, sizeof (drr)) == -1) {
2105			return (zfs_standard_error(zhp->zfs_hdl,
2106			    errno, errbuf));
2107		}
2108	}
2109
2110	return (err || sdd.err);
2111
2112stderr_out:
2113	err = zfs_standard_error(zhp->zfs_hdl, err, errbuf);
2114err_out:
2115	fsavl_destroy(fsavl);
2116	nvlist_free(fss);
2117	fnvlist_free(sdd.snapholds);
2118
2119	if (sdd.cleanup_fd != -1)
2120		VERIFY(0 == close(sdd.cleanup_fd));
2121	if (tid != 0) {
2122		(void) pthread_cancel(tid);
2123		(void) close(pipefd[0]);
2124		(void) pthread_join(tid, NULL);
2125	}
2126	return (err);
2127}
2128
2129int
2130zfs_send_one(zfs_handle_t *zhp, const char *from, int fd,
2131    enum lzc_send_flags flags)
2132{
2133	int err;
2134	libzfs_handle_t *hdl = zhp->zfs_hdl;
2135
2136	char errbuf[1024];
2137	(void) snprintf(errbuf, sizeof (errbuf), dgettext(TEXT_DOMAIN,
2138	    "warning: cannot send '%s'"), zhp->zfs_name);
2139
2140	err = lzc_send(zhp->zfs_name, from, fd, flags);
2141	if (err != 0) {
2142		switch (errno) {
2143		case EXDEV:
2144			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
2145			    "not an earlier snapshot from the same fs"));
2146			return (zfs_error(hdl, EZFS_CROSSTARGET, errbuf));
2147
2148		case ENOENT:
2149		case ESRCH:
2150			if (lzc_exists(zhp->zfs_name)) {
2151				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
2152				    "incremental source (%s) does not exist"),
2153				    from);
2154			}
2155			return (zfs_error(hdl, EZFS_NOENT, errbuf));
2156
2157		case EACCES:
2158			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
2159			    "dataset key must be loaded"));
2160			return (zfs_error(hdl, EZFS_CRYPTOFAILED, errbuf));
2161
2162		case EBUSY:
2163			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
2164			    "target is busy; if a filesystem, "
2165			    "it must not be mounted"));
2166			return (zfs_error(hdl, EZFS_BUSY, errbuf));
2167
2168		case EDQUOT:
2169		case EFBIG:
2170		case EIO:
2171		case ENOLINK:
2172		case ENOSPC:
2173		case ENOSTR:
2174		case ENXIO:
2175		case EPIPE:
2176		case ERANGE:
2177		case EFAULT:
2178		case EROFS:
2179			zfs_error_aux(hdl, strerror(errno));
2180			return (zfs_error(hdl, EZFS_BADBACKUP, errbuf));
2181
2182		default:
2183			return (zfs_standard_error(hdl, errno, errbuf));
2184		}
2185	}
2186	return (err != 0);
2187}
2188
2189/*
2190 * Routines specific to "zfs recv"
2191 */
2192
2193static int
2194recv_read(libzfs_handle_t *hdl, int fd, void *buf, int ilen,
2195    boolean_t byteswap, zio_cksum_t *zc)
2196{
2197	char *cp = buf;
2198	int rv;
2199	int len = ilen;
2200
2201	assert(ilen <= SPA_MAXBLOCKSIZE);
2202
2203	do {
2204		rv = read(fd, cp, len);
2205		cp += rv;
2206		len -= rv;
2207	} while (rv > 0);
2208
2209	if (rv < 0 || len != 0) {
2210		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
2211		    "failed to read from stream"));
2212		return (zfs_error(hdl, EZFS_BADSTREAM, dgettext(TEXT_DOMAIN,
2213		    "cannot receive")));
2214	}
2215
2216	if (zc) {
2217		if (byteswap)
2218			(void) fletcher_4_incremental_byteswap(buf, ilen, zc);
2219		else
2220			(void) fletcher_4_incremental_native(buf, ilen, zc);
2221	}
2222	return (0);
2223}
2224
2225static int
2226recv_read_nvlist(libzfs_handle_t *hdl, int fd, int len, nvlist_t **nvp,
2227    boolean_t byteswap, zio_cksum_t *zc)
2228{
2229	char *buf;
2230	int err;
2231
2232	buf = zfs_alloc(hdl, len);
2233	if (buf == NULL)
2234		return (ENOMEM);
2235
2236	err = recv_read(hdl, fd, buf, len, byteswap, zc);
2237	if (err != 0) {
2238		free(buf);
2239		return (err);
2240	}
2241
2242	err = nvlist_unpack(buf, len, nvp, 0);
2243	free(buf);
2244	if (err != 0) {
2245		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN, "invalid "
2246		    "stream (malformed nvlist)"));
2247		return (EINVAL);
2248	}
2249	return (0);
2250}
2251
2252/*
2253 * Returns the grand origin (origin of origin of origin...) of a given handle.
2254 * If this dataset is not a clone, it simply returns a copy of the original
2255 * handle.
2256 */
2257static zfs_handle_t *
2258recv_open_grand_origin(zfs_handle_t *zhp)
2259{
2260	char origin[ZFS_MAX_DATASET_NAME_LEN];
2261	zprop_source_t src;
2262	zfs_handle_t *ozhp = zfs_handle_dup(zhp);
2263
2264	while (ozhp != NULL) {
2265		if (zfs_prop_get(ozhp, ZFS_PROP_ORIGIN, origin,
2266		    sizeof (origin), &src, NULL, 0, B_FALSE) != 0)
2267			break;
2268
2269		(void) zfs_close(ozhp);
2270		ozhp = zfs_open(zhp->zfs_hdl, origin, ZFS_TYPE_FILESYSTEM);
2271	}
2272
2273	return (ozhp);
2274}
2275
2276static int
2277recv_rename_impl(zfs_handle_t *zhp, const char *source, const char *target)
2278{
2279	int err;
2280	zfs_handle_t *ozhp = NULL;
2281
2282	/*
2283	 * Attempt to rename the dataset. If it fails with EACCES we have
2284	 * attempted to rename the dataset outside of its encryption root.
2285	 * Force the dataset to become an encryption root and try again.
2286	 */
2287	err = lzc_rename(source, target);
2288	if (err == EACCES) {
2289		ozhp = recv_open_grand_origin(zhp);
2290		if (ozhp == NULL) {
2291			err = ENOENT;
2292			goto out;
2293		}
2294
2295		err = lzc_change_key(ozhp->zfs_name, DCP_CMD_FORCE_NEW_KEY,
2296		    NULL, NULL, 0);
2297		if (err != 0)
2298			goto out;
2299
2300		err = lzc_rename(source, target);
2301	}
2302
2303out:
2304	if (ozhp != NULL)
2305		zfs_close(ozhp);
2306	return (err);
2307}
2308
2309static int
2310recv_rename(libzfs_handle_t *hdl, const char *name, const char *tryname,
2311    int baselen, char *newname, recvflags_t *flags)
2312{
2313	static int seq;
2314	int err;
2315	prop_changelist_t *clp = NULL;
2316	zfs_handle_t *zhp = NULL;
2317
2318	zhp = zfs_open(hdl, name, ZFS_TYPE_DATASET);
2319	if (zhp == NULL) {
2320		err = -1;
2321		goto out;
2322	}
2323	clp = changelist_gather(zhp, ZFS_PROP_NAME, 0,
2324	    flags->force ? MS_FORCE : 0);
2325	if (clp == NULL) {
2326		err = -1;
2327		goto out;
2328	}
2329	err = changelist_prefix(clp);
2330	if (err)
2331		goto out;
2332
2333	if (tryname) {
2334		(void) strcpy(newname, tryname);
2335		if (flags->verbose) {
2336			(void) printf("attempting rename %s to %s\n",
2337			    name, newname);
2338		}
2339		err = recv_rename_impl(zhp, name, newname);
2340		if (err == 0)
2341			changelist_rename(clp, name, tryname);
2342	} else {
2343		err = ENOENT;
2344	}
2345
2346	if (err != 0 && strncmp(name + baselen, "recv-", 5) != 0) {
2347		seq++;
2348
2349		(void) snprintf(newname, ZFS_MAX_DATASET_NAME_LEN,
2350		    "%.*srecv-%u-%u", baselen, name, getpid(), seq);
2351		if (flags->verbose) {
2352			(void) printf("failed - trying rename %s to %s\n",
2353			    name, newname);
2354		}
2355		err = recv_rename_impl(zhp, name, newname);
2356		if (err == 0)
2357			changelist_rename(clp, name, newname);
2358		if (err && flags->verbose) {
2359			(void) printf("failed (%u) - "
2360			    "will try again on next pass\n", errno);
2361		}
2362		err = EAGAIN;
2363	} else if (flags->verbose) {
2364		if (err == 0)
2365			(void) printf("success\n");
2366		else
2367			(void) printf("failed (%u)\n", errno);
2368	}
2369
2370	(void) changelist_postfix(clp);
2371
2372out:
2373	if (clp != NULL)
2374		changelist_free(clp);
2375	if (zhp != NULL)
2376		zfs_close(zhp);
2377
2378	return (err);
2379}
2380
2381static int
2382recv_promote(libzfs_handle_t *hdl, const char *fsname,
2383    const char *origin_fsname, recvflags_t *flags)
2384{
2385	int err;
2386	zfs_cmd_t zc = {"\0"};
2387	zfs_handle_t *zhp = NULL, *ozhp = NULL;
2388
2389	if (flags->verbose)
2390		(void) printf("promoting %s\n", fsname);
2391
2392	(void) strlcpy(zc.zc_value, origin_fsname, sizeof (zc.zc_value));
2393	(void) strlcpy(zc.zc_name, fsname, sizeof (zc.zc_name));
2394
2395	/*
2396	 * Attempt to promote the dataset. If it fails with EACCES the
2397	 * promotion would cause this dataset to leave its encryption root.
2398	 * Force the origin to become an encryption root and try again.
2399	 */
2400	err = zfs_ioctl(hdl, ZFS_IOC_PROMOTE, &zc);
2401	if (err == EACCES) {
2402		zhp = zfs_open(hdl, fsname, ZFS_TYPE_DATASET);
2403		if (zhp == NULL) {
2404			err = -1;
2405			goto out;
2406		}
2407
2408		ozhp = recv_open_grand_origin(zhp);
2409		if (ozhp == NULL) {
2410			err = -1;
2411			goto out;
2412		}
2413
2414		err = lzc_change_key(ozhp->zfs_name, DCP_CMD_FORCE_NEW_KEY,
2415		    NULL, NULL, 0);
2416		if (err != 0)
2417			goto out;
2418
2419		err = zfs_ioctl(hdl, ZFS_IOC_PROMOTE, &zc);
2420	}
2421
2422out:
2423	if (zhp != NULL)
2424		zfs_close(zhp);
2425	if (ozhp != NULL)
2426		zfs_close(ozhp);
2427
2428	return (err);
2429}
2430
2431static int
2432recv_destroy(libzfs_handle_t *hdl, const char *name, int baselen,
2433    char *newname, recvflags_t *flags)
2434{
2435	int err = 0;
2436	prop_changelist_t *clp;
2437	zfs_handle_t *zhp;
2438	boolean_t defer = B_FALSE;
2439	int spa_version;
2440
2441	zhp = zfs_open(hdl, name, ZFS_TYPE_DATASET);
2442	if (zhp == NULL)
2443		return (-1);
2444	clp = changelist_gather(zhp, ZFS_PROP_NAME, 0,
2445	    flags->force ? MS_FORCE : 0);
2446	if (zfs_get_type(zhp) == ZFS_TYPE_SNAPSHOT &&
2447	    zfs_spa_version(zhp, &spa_version) == 0 &&
2448	    spa_version >= SPA_VERSION_USERREFS)
2449		defer = B_TRUE;
2450	zfs_close(zhp);
2451	if (clp == NULL)
2452		return (-1);
2453	err = changelist_prefix(clp);
2454	if (err)
2455		return (err);
2456
2457	if (flags->verbose)
2458		(void) printf("attempting destroy %s\n", name);
2459	if (zhp->zfs_type == ZFS_TYPE_SNAPSHOT) {
2460		nvlist_t *nv = fnvlist_alloc();
2461		fnvlist_add_boolean(nv, name);
2462		err = lzc_destroy_snaps(nv, defer, NULL);
2463		fnvlist_free(nv);
2464	} else {
2465		err = lzc_destroy(name);
2466	}
2467	if (err == 0) {
2468		if (flags->verbose)
2469			(void) printf("success\n");
2470		changelist_remove(clp, name);
2471	}
2472
2473	(void) changelist_postfix(clp);
2474	changelist_free(clp);
2475
2476	/*
2477	 * Deferred destroy might destroy the snapshot or only mark it to be
2478	 * destroyed later, and it returns success in either case.
2479	 */
2480	if (err != 0 || (defer && zfs_dataset_exists(hdl, name,
2481	    ZFS_TYPE_SNAPSHOT))) {
2482		err = recv_rename(hdl, name, NULL, baselen, newname, flags);
2483	}
2484
2485	return (err);
2486}
2487
2488typedef struct guid_to_name_data {
2489	uint64_t guid;
2490	boolean_t bookmark_ok;
2491	char *name;
2492	char *skip;
2493} guid_to_name_data_t;
2494
2495static int
2496guid_to_name_cb(zfs_handle_t *zhp, void *arg)
2497{
2498	guid_to_name_data_t *gtnd = arg;
2499	const char *slash;
2500	int err;
2501
2502	if (gtnd->skip != NULL &&
2503	    (slash = strrchr(zhp->zfs_name, '/')) != NULL &&
2504	    strcmp(slash + 1, gtnd->skip) == 0) {
2505		zfs_close(zhp);
2506		return (0);
2507	}
2508
2509	if (zfs_prop_get_int(zhp, ZFS_PROP_GUID) == gtnd->guid) {
2510		(void) strcpy(gtnd->name, zhp->zfs_name);
2511		zfs_close(zhp);
2512		return (EEXIST);
2513	}
2514
2515	err = zfs_iter_children(zhp, guid_to_name_cb, gtnd);
2516	if (err != EEXIST && gtnd->bookmark_ok)
2517		err = zfs_iter_bookmarks(zhp, guid_to_name_cb, gtnd);
2518	zfs_close(zhp);
2519	return (err);
2520}
2521
2522/*
2523 * Attempt to find the local dataset associated with this guid.  In the case of
2524 * multiple matches, we attempt to find the "best" match by searching
2525 * progressively larger portions of the hierarchy.  This allows one to send a
2526 * tree of datasets individually and guarantee that we will find the source
2527 * guid within that hierarchy, even if there are multiple matches elsewhere.
2528 */
2529static int
2530guid_to_name(libzfs_handle_t *hdl, const char *parent, uint64_t guid,
2531    boolean_t bookmark_ok, char *name)
2532{
2533	char pname[ZFS_MAX_DATASET_NAME_LEN];
2534	guid_to_name_data_t gtnd;
2535
2536	gtnd.guid = guid;
2537	gtnd.bookmark_ok = bookmark_ok;
2538	gtnd.name = name;
2539	gtnd.skip = NULL;
2540
2541	/*
2542	 * Search progressively larger portions of the hierarchy, starting
2543	 * with the filesystem specified by 'parent'.  This will
2544	 * select the "most local" version of the origin snapshot in the case
2545	 * that there are multiple matching snapshots in the system.
2546	 */
2547	(void) strlcpy(pname, parent, sizeof (pname));
2548	char *cp = strrchr(pname, '@');
2549	if (cp == NULL)
2550		cp = strchr(pname, '\0');
2551	for (; cp != NULL; cp = strrchr(pname, '/')) {
2552		/* Chop off the last component and open the parent */
2553		*cp = '\0';
2554		zfs_handle_t *zhp = make_dataset_handle(hdl, pname);
2555
2556		if (zhp == NULL)
2557			continue;
2558		int err = guid_to_name_cb(zfs_handle_dup(zhp), &gtnd);
2559		if (err != EEXIST)
2560			err = zfs_iter_children(zhp, guid_to_name_cb, &gtnd);
2561		if (err != EEXIST && bookmark_ok)
2562			err = zfs_iter_bookmarks(zhp, guid_to_name_cb, &gtnd);
2563		zfs_close(zhp);
2564		if (err == EEXIST)
2565			return (0);
2566
2567		/*
2568		 * Remember the last portion of the dataset so we skip it next
2569		 * time through (as we've already searched that portion of the
2570		 * hierarchy).
2571		 */
2572		gtnd.skip = strrchr(pname, '/') + 1;
2573	}
2574
2575	return (ENOENT);
2576}
2577
2578/*
2579 * Return +1 if guid1 is before guid2, 0 if they are the same, and -1 if
2580 * guid1 is after guid2.
2581 */
2582static int
2583created_before(libzfs_handle_t *hdl, avl_tree_t *avl,
2584    uint64_t guid1, uint64_t guid2)
2585{
2586	nvlist_t *nvfs;
2587	char *fsname, *snapname;
2588	char buf[ZFS_MAX_DATASET_NAME_LEN];
2589	int rv;
2590	zfs_handle_t *guid1hdl, *guid2hdl;
2591	uint64_t create1, create2;
2592
2593	if (guid2 == 0)
2594		return (0);
2595	if (guid1 == 0)
2596		return (1);
2597
2598	nvfs = fsavl_find(avl, guid1, &snapname);
2599	VERIFY(0 == nvlist_lookup_string(nvfs, "name", &fsname));
2600	(void) snprintf(buf, sizeof (buf), "%s@%s", fsname, snapname);
2601	guid1hdl = zfs_open(hdl, buf, ZFS_TYPE_SNAPSHOT);
2602	if (guid1hdl == NULL)
2603		return (-1);
2604
2605	nvfs = fsavl_find(avl, guid2, &snapname);
2606	VERIFY(0 == nvlist_lookup_string(nvfs, "name", &fsname));
2607	(void) snprintf(buf, sizeof (buf), "%s@%s", fsname, snapname);
2608	guid2hdl = zfs_open(hdl, buf, ZFS_TYPE_SNAPSHOT);
2609	if (guid2hdl == NULL) {
2610		zfs_close(guid1hdl);
2611		return (-1);
2612	}
2613
2614	create1 = zfs_prop_get_int(guid1hdl, ZFS_PROP_CREATETXG);
2615	create2 = zfs_prop_get_int(guid2hdl, ZFS_PROP_CREATETXG);
2616
2617	if (create1 < create2)
2618		rv = -1;
2619	else if (create1 > create2)
2620		rv = +1;
2621	else
2622		rv = 0;
2623
2624	zfs_close(guid1hdl);
2625	zfs_close(guid2hdl);
2626
2627	return (rv);
2628}
2629
2630/*
2631 * This function reestablishes the heirarchy of encryption roots after a
2632 * recursive incremental receive has completed. This must be done after the
2633 * second call to recv_incremental_replication() has renamed and promoted all
2634 * sent datasets to their final locations in the dataset heriarchy.
2635 */
2636/* ARGSUSED */
2637static int
2638recv_fix_encryption_hierarchy(libzfs_handle_t *hdl, const char *destname,
2639    nvlist_t *stream_nv, avl_tree_t *stream_avl)
2640{
2641	int err;
2642	nvpair_t *fselem = NULL;
2643	nvlist_t *stream_fss;
2644	char *cp;
2645	char top_zfs[ZFS_MAX_DATASET_NAME_LEN];
2646
2647	(void) strcpy(top_zfs, destname);
2648	cp = strrchr(top_zfs, '@');
2649	if (cp != NULL)
2650		*cp = '\0';
2651
2652	VERIFY(0 == nvlist_lookup_nvlist(stream_nv, "fss", &stream_fss));
2653
2654	while ((fselem = nvlist_next_nvpair(stream_fss, fselem)) != NULL) {
2655		zfs_handle_t *zhp = NULL;
2656		uint64_t crypt;
2657		nvlist_t *snaps, *props, *stream_nvfs = NULL;
2658		nvpair_t *snapel = NULL;
2659		boolean_t is_encroot, is_clone, stream_encroot;
2660		char *cp;
2661		char *stream_keylocation = NULL;
2662		char keylocation[MAXNAMELEN];
2663		char fsname[ZFS_MAX_DATASET_NAME_LEN];
2664
2665		keylocation[0] = '\0';
2666		VERIFY(0 == nvpair_value_nvlist(fselem, &stream_nvfs));
2667		VERIFY(0 == nvlist_lookup_nvlist(stream_nvfs, "snaps", &snaps));
2668		VERIFY(0 == nvlist_lookup_nvlist(stream_nvfs, "props", &props));
2669		stream_encroot = nvlist_exists(stream_nvfs, "is_encroot");
2670
2671		/* find a snapshot from the stream that exists locally */
2672		err = ENOENT;
2673		while ((snapel = nvlist_next_nvpair(snaps, snapel)) != NULL) {
2674			uint64_t guid;
2675
2676			VERIFY(0 == nvpair_value_uint64(snapel, &guid));
2677			err = guid_to_name(hdl, destname, guid, B_FALSE,
2678			    fsname);
2679			if (err == 0)
2680				break;
2681		}
2682
2683		if (err != 0)
2684			continue;
2685
2686		cp = strchr(fsname, '@');
2687		if (cp != NULL)
2688			*cp = '\0';
2689
2690		zhp = zfs_open(hdl, fsname, ZFS_TYPE_DATASET);
2691		if (zhp == NULL) {
2692			err = ENOENT;
2693			goto error;
2694		}
2695
2696		crypt = zfs_prop_get_int(zhp, ZFS_PROP_ENCRYPTION);
2697		is_clone = zhp->zfs_dmustats.dds_origin[0] != '\0';
2698		(void) zfs_crypto_get_encryption_root(zhp, &is_encroot, NULL);
2699
2700		/* we don't need to do anything for unencrypted datasets */
2701		if (crypt == ZIO_CRYPT_OFF) {
2702			zfs_close(zhp);
2703			continue;
2704		}
2705
2706		/*
2707		 * If the dataset is flagged as an encryption root, was not
2708		 * received as a clone and is not currently an encryption root,
2709		 * force it to become one. Fixup the keylocation if necessary.
2710		 */
2711		if (stream_encroot) {
2712			if (!is_clone && !is_encroot) {
2713				err = lzc_change_key(fsname,
2714				    DCP_CMD_FORCE_NEW_KEY, NULL, NULL, 0);
2715				if (err != 0) {
2716					zfs_close(zhp);
2717					goto error;
2718				}
2719			}
2720
2721			VERIFY(0 == nvlist_lookup_string(props,
2722			    zfs_prop_to_name(ZFS_PROP_KEYLOCATION),
2723			    &stream_keylocation));
2724
2725			/*
2726			 * Refresh the properties in case the call to
2727			 * lzc_change_key() changed the value.
2728			 */
2729			zfs_refresh_properties(zhp);
2730			err = zfs_prop_get(zhp, ZFS_PROP_KEYLOCATION,
2731			    keylocation, sizeof (keylocation), NULL, NULL,
2732			    0, B_TRUE);
2733			if (err != 0) {
2734				zfs_close(zhp);
2735				goto error;
2736			}
2737
2738			if (strcmp(keylocation, stream_keylocation) != 0) {
2739				err = zfs_prop_set(zhp,
2740				    zfs_prop_to_name(ZFS_PROP_KEYLOCATION),
2741				    stream_keylocation);
2742				if (err != 0) {
2743					zfs_close(zhp);
2744					goto error;
2745				}
2746			}
2747		}
2748
2749		/*
2750		 * If the dataset is not flagged as an encryption root and is
2751		 * currently an encryption root, force it to inherit from its
2752		 * parent. The root of a raw send should never be
2753		 * force-inherited.
2754		 */
2755		if (!stream_encroot && is_encroot &&
2756		    strcmp(top_zfs, fsname) != 0) {
2757			err = lzc_change_key(fsname, DCP_CMD_FORCE_INHERIT,
2758			    NULL, NULL, 0);
2759			if (err != 0) {
2760				zfs_close(zhp);
2761				goto error;
2762			}
2763		}
2764
2765		zfs_close(zhp);
2766	}
2767
2768	return (0);
2769
2770error:
2771	return (err);
2772}
2773
2774static int
2775recv_incremental_replication(libzfs_handle_t *hdl, const char *tofs,
2776    recvflags_t *flags, nvlist_t *stream_nv, avl_tree_t *stream_avl,
2777    nvlist_t *renamed)
2778{
2779	nvlist_t *local_nv;
2780	avl_tree_t *local_avl;
2781	nvpair_t *fselem, *nextfselem;
2782	char *fromsnap;
2783	char newname[ZFS_MAX_DATASET_NAME_LEN];
2784	int error;
2785	boolean_t needagain, progress, recursive;
2786	char *s1, *s2;
2787
2788	VERIFY(0 == nvlist_lookup_string(stream_nv, "fromsnap", &fromsnap));
2789
2790	recursive = (nvlist_lookup_boolean(stream_nv, "not_recursive") ==
2791	    ENOENT);
2792
2793	if (flags->dryrun)
2794		return (0);
2795
2796again:
2797	needagain = progress = B_FALSE;
2798
2799	if ((error = gather_nvlist(hdl, tofs, fromsnap, NULL,
2800	    recursive, B_TRUE, B_FALSE,
2801	    B_FALSE, B_FALSE, B_TRUE, &local_nv, &local_avl)) != 0)
2802		return (error);
2803
2804	/*
2805	 * Process deletes and renames
2806	 */
2807	for (fselem = nvlist_next_nvpair(local_nv, NULL);
2808	    fselem; fselem = nextfselem) {
2809		nvlist_t *nvfs, *snaps;
2810		nvlist_t *stream_nvfs = NULL;
2811		nvpair_t *snapelem, *nextsnapelem;
2812		uint64_t fromguid = 0;
2813		uint64_t originguid = 0;
2814		uint64_t stream_originguid = 0;
2815		uint64_t parent_fromsnap_guid, stream_parent_fromsnap_guid;
2816		char *fsname, *stream_fsname;
2817
2818		nextfselem = nvlist_next_nvpair(local_nv, fselem);
2819
2820		VERIFY(0 == nvpair_value_nvlist(fselem, &nvfs));
2821		VERIFY(0 == nvlist_lookup_nvlist(nvfs, "snaps", &snaps));
2822		VERIFY(0 == nvlist_lookup_string(nvfs, "name", &fsname));
2823		VERIFY(0 == nvlist_lookup_uint64(nvfs, "parentfromsnap",
2824		    &parent_fromsnap_guid));
2825		(void) nvlist_lookup_uint64(nvfs, "origin", &originguid);
2826
2827		/*
2828		 * First find the stream's fs, so we can check for
2829		 * a different origin (due to "zfs promote")
2830		 */
2831		for (snapelem = nvlist_next_nvpair(snaps, NULL);
2832		    snapelem; snapelem = nvlist_next_nvpair(snaps, snapelem)) {
2833			uint64_t thisguid;
2834
2835			VERIFY(0 == nvpair_value_uint64(snapelem, &thisguid));
2836			stream_nvfs = fsavl_find(stream_avl, thisguid, NULL);
2837
2838			if (stream_nvfs != NULL)
2839				break;
2840		}
2841
2842		/* check for promote */
2843		(void) nvlist_lookup_uint64(stream_nvfs, "origin",
2844		    &stream_originguid);
2845		if (stream_nvfs && originguid != stream_originguid) {
2846			switch (created_before(hdl, local_avl,
2847			    stream_originguid, originguid)) {
2848			case 1: {
2849				/* promote it! */
2850				nvlist_t *origin_nvfs;
2851				char *origin_fsname;
2852
2853				origin_nvfs = fsavl_find(local_avl, originguid,
2854				    NULL);
2855				VERIFY(0 == nvlist_lookup_string(origin_nvfs,
2856				    "name", &origin_fsname));
2857				error = recv_promote(hdl, fsname, origin_fsname,
2858				    flags);
2859				if (error == 0)
2860					progress = B_TRUE;
2861				break;
2862			}
2863			default:
2864				break;
2865			case -1:
2866				fsavl_destroy(local_avl);
2867				nvlist_free(local_nv);
2868				return (-1);
2869			}
2870			/*
2871			 * We had/have the wrong origin, therefore our
2872			 * list of snapshots is wrong.  Need to handle
2873			 * them on the next pass.
2874			 */
2875			needagain = B_TRUE;
2876			continue;
2877		}
2878
2879		for (snapelem = nvlist_next_nvpair(snaps, NULL);
2880		    snapelem; snapelem = nextsnapelem) {
2881			uint64_t thisguid;
2882			char *stream_snapname;
2883			nvlist_t *found, *props;
2884
2885			nextsnapelem = nvlist_next_nvpair(snaps, snapelem);
2886
2887			VERIFY(0 == nvpair_value_uint64(snapelem, &thisguid));
2888			found = fsavl_find(stream_avl, thisguid,
2889			    &stream_snapname);
2890
2891			/* check for delete */
2892			if (found == NULL) {
2893				char name[ZFS_MAX_DATASET_NAME_LEN];
2894
2895				if (!flags->force)
2896					continue;
2897
2898				(void) snprintf(name, sizeof (name), "%s@%s",
2899				    fsname, nvpair_name(snapelem));
2900
2901				error = recv_destroy(hdl, name,
2902				    strlen(fsname)+1, newname, flags);
2903				if (error)
2904					needagain = B_TRUE;
2905				else
2906					progress = B_TRUE;
2907				continue;
2908			}
2909
2910			stream_nvfs = found;
2911
2912			if (0 == nvlist_lookup_nvlist(stream_nvfs, "snapprops",
2913			    &props) && 0 == nvlist_lookup_nvlist(props,
2914			    stream_snapname, &props)) {
2915				zfs_cmd_t zc = { 0 };
2916
2917				zc.zc_cookie = B_TRUE; /* received */
2918				(void) snprintf(zc.zc_name, sizeof (zc.zc_name),
2919				    "%s@%s", fsname, nvpair_name(snapelem));
2920				if (zcmd_write_src_nvlist(hdl, &zc,
2921				    props) == 0) {
2922					(void) zfs_ioctl(hdl,
2923					    ZFS_IOC_SET_PROP, &zc);
2924					zcmd_free_nvlists(&zc);
2925				}
2926			}
2927
2928			/* check for different snapname */
2929			if (strcmp(nvpair_name(snapelem),
2930			    stream_snapname) != 0) {
2931				char name[ZFS_MAX_DATASET_NAME_LEN];
2932				char tryname[ZFS_MAX_DATASET_NAME_LEN];
2933
2934				(void) snprintf(name, sizeof (name), "%s@%s",
2935				    fsname, nvpair_name(snapelem));
2936				(void) snprintf(tryname, sizeof (name), "%s@%s",
2937				    fsname, stream_snapname);
2938
2939				error = recv_rename(hdl, name, tryname,
2940				    strlen(fsname)+1, newname, flags);
2941				if (error)
2942					needagain = B_TRUE;
2943				else
2944					progress = B_TRUE;
2945			}
2946
2947			if (strcmp(stream_snapname, fromsnap) == 0)
2948				fromguid = thisguid;
2949		}
2950
2951		/* check for delete */
2952		if (stream_nvfs == NULL) {
2953			if (!flags->force)
2954				continue;
2955
2956			error = recv_destroy(hdl, fsname, strlen(tofs)+1,
2957			    newname, flags);
2958			if (error)
2959				needagain = B_TRUE;
2960			else
2961				progress = B_TRUE;
2962			continue;
2963		}
2964
2965		if (fromguid == 0) {
2966			if (flags->verbose) {
2967				(void) printf("local fs %s does not have "
2968				    "fromsnap (%s in stream); must have "
2969				    "been deleted locally; ignoring\n",
2970				    fsname, fromsnap);
2971			}
2972			continue;
2973		}
2974
2975		VERIFY(0 == nvlist_lookup_string(stream_nvfs,
2976		    "name", &stream_fsname));
2977		VERIFY(0 == nvlist_lookup_uint64(stream_nvfs,
2978		    "parentfromsnap", &stream_parent_fromsnap_guid));
2979
2980		s1 = strrchr(fsname, '/');
2981		s2 = strrchr(stream_fsname, '/');
2982
2983		/*
2984		 * Check for rename. If the exact receive path is specified, it
2985		 * does not count as a rename, but we still need to check the
2986		 * datasets beneath it.
2987		 */
2988		if ((stream_parent_fromsnap_guid != 0 &&
2989		    parent_fromsnap_guid != 0 &&
2990		    stream_parent_fromsnap_guid != parent_fromsnap_guid) ||
2991		    ((flags->isprefix || strcmp(tofs, fsname) != 0) &&
2992		    (s1 != NULL) && (s2 != NULL) && strcmp(s1, s2) != 0)) {
2993			nvlist_t *parent;
2994			char tryname[ZFS_MAX_DATASET_NAME_LEN];
2995
2996			parent = fsavl_find(local_avl,
2997			    stream_parent_fromsnap_guid, NULL);
2998			/*
2999			 * NB: parent might not be found if we used the
3000			 * tosnap for stream_parent_fromsnap_guid,
3001			 * because the parent is a newly-created fs;
3002			 * we'll be able to rename it after we recv the
3003			 * new fs.
3004			 */
3005			if (parent != NULL) {
3006				char *pname;
3007
3008				VERIFY(0 == nvlist_lookup_string(parent, "name",
3009				    &pname));
3010				(void) snprintf(tryname, sizeof (tryname),
3011				    "%s%s", pname, strrchr(stream_fsname, '/'));
3012			} else {
3013				tryname[0] = '\0';
3014				if (flags->verbose) {
3015					(void) printf("local fs %s new parent "
3016					    "not found\n", fsname);
3017				}
3018			}
3019
3020			newname[0] = '\0';
3021
3022			error = recv_rename(hdl, fsname, tryname,
3023			    strlen(tofs)+1, newname, flags);
3024
3025			if (renamed != NULL && newname[0] != '\0') {
3026				VERIFY(0 == nvlist_add_boolean(renamed,
3027				    newname));
3028			}
3029
3030			if (error)
3031				needagain = B_TRUE;
3032			else
3033				progress = B_TRUE;
3034		}
3035	}
3036
3037	fsavl_destroy(local_avl);
3038	nvlist_free(local_nv);
3039
3040	if (needagain && progress) {
3041		/* do another pass to fix up temporary names */
3042		if (flags->verbose)
3043			(void) printf("another pass:\n");
3044		goto again;
3045	}
3046
3047	return (needagain || error != 0);
3048}
3049
3050static int
3051zfs_receive_package(libzfs_handle_t *hdl, int fd, const char *destname,
3052    recvflags_t *flags, dmu_replay_record_t *drr, zio_cksum_t *zc,
3053    char **top_zfs, int cleanup_fd, uint64_t *action_handlep,
3054    nvlist_t *cmdprops)
3055{
3056	nvlist_t *stream_nv = NULL;
3057	avl_tree_t *stream_avl = NULL;
3058	char *fromsnap = NULL;
3059	char *sendsnap = NULL;
3060	char *cp;
3061	char tofs[ZFS_MAX_DATASET_NAME_LEN];
3062	char sendfs[ZFS_MAX_DATASET_NAME_LEN];
3063	char errbuf[1024];
3064	dmu_replay_record_t drre;
3065	int error;
3066	boolean_t anyerr = B_FALSE;
3067	boolean_t softerr = B_FALSE;
3068	boolean_t recursive, raw;
3069
3070	(void) snprintf(errbuf, sizeof (errbuf), dgettext(TEXT_DOMAIN,
3071	    "cannot receive"));
3072
3073	assert(drr->drr_type == DRR_BEGIN);
3074	assert(drr->drr_u.drr_begin.drr_magic == DMU_BACKUP_MAGIC);
3075	assert(DMU_GET_STREAM_HDRTYPE(drr->drr_u.drr_begin.drr_versioninfo) ==
3076	    DMU_COMPOUNDSTREAM);
3077
3078	/*
3079	 * Read in the nvlist from the stream.
3080	 */
3081	if (drr->drr_payloadlen != 0) {
3082		error = recv_read_nvlist(hdl, fd, drr->drr_payloadlen,
3083		    &stream_nv, flags->byteswap, zc);
3084		if (error) {
3085			error = zfs_error(hdl, EZFS_BADSTREAM, errbuf);
3086			goto out;
3087		}
3088	}
3089
3090	recursive = (nvlist_lookup_boolean(stream_nv, "not_recursive") ==
3091	    ENOENT);
3092	raw = (nvlist_lookup_boolean(stream_nv, "raw") == 0);
3093
3094	if (recursive && strchr(destname, '@')) {
3095		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3096		    "cannot specify snapshot name for multi-snapshot stream"));
3097		error = zfs_error(hdl, EZFS_BADSTREAM, errbuf);
3098		goto out;
3099	}
3100
3101	/*
3102	 * Read in the end record and verify checksum.
3103	 */
3104	if (0 != (error = recv_read(hdl, fd, &drre, sizeof (drre),
3105	    flags->byteswap, NULL)))
3106		goto out;
3107	if (flags->byteswap) {
3108		drre.drr_type = BSWAP_32(drre.drr_type);
3109		drre.drr_u.drr_end.drr_checksum.zc_word[0] =
3110		    BSWAP_64(drre.drr_u.drr_end.drr_checksum.zc_word[0]);
3111		drre.drr_u.drr_end.drr_checksum.zc_word[1] =
3112		    BSWAP_64(drre.drr_u.drr_end.drr_checksum.zc_word[1]);
3113		drre.drr_u.drr_end.drr_checksum.zc_word[2] =
3114		    BSWAP_64(drre.drr_u.drr_end.drr_checksum.zc_word[2]);
3115		drre.drr_u.drr_end.drr_checksum.zc_word[3] =
3116		    BSWAP_64(drre.drr_u.drr_end.drr_checksum.zc_word[3]);
3117	}
3118	if (drre.drr_type != DRR_END) {
3119		error = zfs_error(hdl, EZFS_BADSTREAM, errbuf);
3120		goto out;
3121	}
3122	if (!ZIO_CHECKSUM_EQUAL(drre.drr_u.drr_end.drr_checksum, *zc)) {
3123		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3124		    "incorrect header checksum"));
3125		error = zfs_error(hdl, EZFS_BADSTREAM, errbuf);
3126		goto out;
3127	}
3128
3129	(void) nvlist_lookup_string(stream_nv, "fromsnap", &fromsnap);
3130
3131	if (drr->drr_payloadlen != 0) {
3132		nvlist_t *stream_fss;
3133
3134		VERIFY(0 == nvlist_lookup_nvlist(stream_nv, "fss",
3135		    &stream_fss));
3136		if ((stream_avl = fsavl_create(stream_fss)) == NULL) {
3137			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3138			    "couldn't allocate avl tree"));
3139			error = zfs_error(hdl, EZFS_NOMEM, errbuf);
3140			goto out;
3141		}
3142
3143		if (fromsnap != NULL && recursive) {
3144			nvlist_t *renamed = NULL;
3145			nvpair_t *pair = NULL;
3146
3147			(void) strlcpy(tofs, destname, sizeof (tofs));
3148			if (flags->isprefix) {
3149				struct drr_begin *drrb = &drr->drr_u.drr_begin;
3150				int i;
3151
3152				if (flags->istail) {
3153					cp = strrchr(drrb->drr_toname, '/');
3154					if (cp == NULL) {
3155						(void) strlcat(tofs, "/",
3156						    sizeof (tofs));
3157						i = 0;
3158					} else {
3159						i = (cp - drrb->drr_toname);
3160					}
3161				} else {
3162					i = strcspn(drrb->drr_toname, "/@");
3163				}
3164				/* zfs_receive_one() will create_parents() */
3165				(void) strlcat(tofs, &drrb->drr_toname[i],
3166				    sizeof (tofs));
3167				*strchr(tofs, '@') = '\0';
3168			}
3169
3170			if (!flags->dryrun && !flags->nomount) {
3171				VERIFY(0 == nvlist_alloc(&renamed,
3172				    NV_UNIQUE_NAME, 0));
3173			}
3174
3175			softerr = recv_incremental_replication(hdl, tofs, flags,
3176			    stream_nv, stream_avl, renamed);
3177
3178			/* Unmount renamed filesystems before receiving. */
3179			while ((pair = nvlist_next_nvpair(renamed,
3180			    pair)) != NULL) {
3181				zfs_handle_t *zhp;
3182				prop_changelist_t *clp = NULL;
3183
3184				zhp = zfs_open(hdl, nvpair_name(pair),
3185				    ZFS_TYPE_FILESYSTEM);
3186				if (zhp != NULL) {
3187					clp = changelist_gather(zhp,
3188					    ZFS_PROP_MOUNTPOINT, 0, 0);
3189					zfs_close(zhp);
3190					if (clp != NULL) {
3191						softerr |=
3192						    changelist_prefix(clp);
3193						changelist_free(clp);
3194					}
3195				}
3196			}
3197
3198			nvlist_free(renamed);
3199		}
3200	}
3201
3202	/*
3203	 * Get the fs specified by the first path in the stream (the top level
3204	 * specified by 'zfs send') and pass it to each invocation of
3205	 * zfs_receive_one().
3206	 */
3207	(void) strlcpy(sendfs, drr->drr_u.drr_begin.drr_toname,
3208	    sizeof (sendfs));
3209	if ((cp = strchr(sendfs, '@')) != NULL) {
3210		*cp = '\0';
3211		/*
3212		 * Find the "sendsnap", the final snapshot in a replication
3213		 * stream.  zfs_receive_one() handles certain errors
3214		 * differently, depending on if the contained stream is the
3215		 * last one or not.
3216		 */
3217		sendsnap = (cp + 1);
3218	}
3219
3220	/* Finally, receive each contained stream */
3221	do {
3222		/*
3223		 * we should figure out if it has a recoverable
3224		 * error, in which case do a recv_skip() and drive on.
3225		 * Note, if we fail due to already having this guid,
3226		 * zfs_receive_one() will take care of it (ie,
3227		 * recv_skip() and return 0).
3228		 */
3229		error = zfs_receive_impl(hdl, destname, NULL, flags, fd,
3230		    sendfs, stream_nv, stream_avl, top_zfs, cleanup_fd,
3231		    action_handlep, sendsnap, cmdprops);
3232		if (error == ENODATA) {
3233			error = 0;
3234			break;
3235		}
3236		anyerr |= error;
3237	} while (error == 0);
3238
3239	if (drr->drr_payloadlen != 0 && recursive && fromsnap != NULL) {
3240		/*
3241		 * Now that we have the fs's they sent us, try the
3242		 * renames again.
3243		 */
3244		softerr = recv_incremental_replication(hdl, tofs, flags,
3245		    stream_nv, stream_avl, NULL);
3246	}
3247
3248	if (raw && softerr == 0) {
3249		softerr = recv_fix_encryption_hierarchy(hdl, destname,
3250		    stream_nv, stream_avl);
3251	}
3252
3253out:
3254	fsavl_destroy(stream_avl);
3255	nvlist_free(stream_nv);
3256	if (softerr)
3257		error = -2;
3258	if (anyerr)
3259		error = -1;
3260	return (error);
3261}
3262
3263static void
3264trunc_prop_errs(int truncated)
3265{
3266	ASSERT(truncated != 0);
3267
3268	if (truncated == 1)
3269		(void) fprintf(stderr, dgettext(TEXT_DOMAIN,
3270		    "1 more property could not be set\n"));
3271	else
3272		(void) fprintf(stderr, dgettext(TEXT_DOMAIN,
3273		    "%d more properties could not be set\n"), truncated);
3274}
3275
3276static int
3277recv_skip(libzfs_handle_t *hdl, int fd, boolean_t byteswap)
3278{
3279	dmu_replay_record_t *drr;
3280	void *buf = zfs_alloc(hdl, SPA_MAXBLOCKSIZE);
3281	char errbuf[1024];
3282
3283	(void) snprintf(errbuf, sizeof (errbuf), dgettext(TEXT_DOMAIN,
3284	    "cannot receive:"));
3285
3286	/* XXX would be great to use lseek if possible... */
3287	drr = buf;
3288
3289	while (recv_read(hdl, fd, drr, sizeof (dmu_replay_record_t),
3290	    byteswap, NULL) == 0) {
3291		if (byteswap)
3292			drr->drr_type = BSWAP_32(drr->drr_type);
3293
3294		switch (drr->drr_type) {
3295		case DRR_BEGIN:
3296			if (drr->drr_payloadlen != 0) {
3297				(void) recv_read(hdl, fd, buf,
3298				    drr->drr_payloadlen, B_FALSE, NULL);
3299			}
3300			break;
3301
3302		case DRR_END:
3303			free(buf);
3304			return (0);
3305
3306		case DRR_OBJECT:
3307			if (byteswap) {
3308				drr->drr_u.drr_object.drr_bonuslen =
3309				    BSWAP_32(drr->drr_u.drr_object.
3310				    drr_bonuslen);
3311			}
3312			(void) recv_read(hdl, fd, buf,
3313			    P2ROUNDUP(drr->drr_u.drr_object.drr_bonuslen, 8),
3314			    B_FALSE, NULL);
3315			break;
3316
3317		case DRR_WRITE:
3318			if (byteswap) {
3319				drr->drr_u.drr_write.drr_logical_size =
3320				    BSWAP_64(
3321				    drr->drr_u.drr_write.drr_logical_size);
3322				drr->drr_u.drr_write.drr_compressed_size =
3323				    BSWAP_64(
3324				    drr->drr_u.drr_write.drr_compressed_size);
3325			}
3326			uint64_t payload_size =
3327			    DRR_WRITE_PAYLOAD_SIZE(&drr->drr_u.drr_write);
3328			(void) recv_read(hdl, fd, buf,
3329			    payload_size, B_FALSE, NULL);
3330			break;
3331		case DRR_SPILL:
3332			if (byteswap) {
3333				drr->drr_u.drr_spill.drr_length =
3334				    BSWAP_64(drr->drr_u.drr_spill.drr_length);
3335			}
3336			(void) recv_read(hdl, fd, buf,
3337			    drr->drr_u.drr_spill.drr_length, B_FALSE, NULL);
3338			break;
3339		case DRR_WRITE_EMBEDDED:
3340			if (byteswap) {
3341				drr->drr_u.drr_write_embedded.drr_psize =
3342				    BSWAP_32(drr->drr_u.drr_write_embedded.
3343				    drr_psize);
3344			}
3345			(void) recv_read(hdl, fd, buf,
3346			    P2ROUNDUP(drr->drr_u.drr_write_embedded.drr_psize,
3347			    8), B_FALSE, NULL);
3348			break;
3349		case DRR_WRITE_BYREF:
3350		case DRR_FREEOBJECTS:
3351		case DRR_FREE:
3352			break;
3353
3354		default:
3355			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3356			    "invalid record type"));
3357			return (zfs_error(hdl, EZFS_BADSTREAM, errbuf));
3358		}
3359	}
3360
3361	free(buf);
3362	return (-1);
3363}
3364
3365static void
3366recv_ecksum_set_aux(libzfs_handle_t *hdl, const char *target_snap,
3367    boolean_t resumable)
3368{
3369	char target_fs[ZFS_MAX_DATASET_NAME_LEN];
3370
3371	zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3372	    "checksum mismatch or incomplete stream"));
3373
3374	if (!resumable)
3375		return;
3376	(void) strlcpy(target_fs, target_snap, sizeof (target_fs));
3377	*strchr(target_fs, '@') = '\0';
3378	zfs_handle_t *zhp = zfs_open(hdl, target_fs,
3379	    ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME);
3380	if (zhp == NULL)
3381		return;
3382
3383	char token_buf[ZFS_MAXPROPLEN];
3384	int error = zfs_prop_get(zhp, ZFS_PROP_RECEIVE_RESUME_TOKEN,
3385	    token_buf, sizeof (token_buf),
3386	    NULL, NULL, 0, B_TRUE);
3387	if (error == 0) {
3388		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3389		    "checksum mismatch or incomplete stream.\n"
3390		    "Partially received snapshot is saved.\n"
3391		    "A resuming stream can be generated on the sending "
3392		    "system by running:\n"
3393		    "    zfs send -t %s"),
3394		    token_buf);
3395	}
3396	zfs_close(zhp);
3397}
3398
3399/*
3400 * Prepare a new nvlist of properties that are to override (-o) or be excluded
3401 * (-x) from the received dataset
3402 * recvprops: received properties from the send stream
3403 * cmdprops: raw input properties from command line
3404 * origprops: properties, both locally-set and received, currently set on the
3405 *            target dataset if it exists, NULL otherwise.
3406 * oxprops: valid output override (-o) and excluded (-x) properties
3407 */
3408static int
3409zfs_setup_cmdline_props(libzfs_handle_t *hdl, zfs_type_t type,
3410    char *fsname, boolean_t zoned, boolean_t recursive, boolean_t newfs,
3411    boolean_t raw, boolean_t toplevel, nvlist_t *recvprops, nvlist_t *cmdprops,
3412    nvlist_t *origprops, nvlist_t **oxprops, uint8_t **wkeydata_out,
3413    uint_t *wkeylen_out, const char *errbuf)
3414{
3415	nvpair_t *nvp;
3416	nvlist_t *oprops, *voprops;
3417	zfs_handle_t *zhp = NULL;
3418	zpool_handle_t *zpool_hdl = NULL;
3419	char *cp;
3420	int ret = 0;
3421	char namebuf[ZFS_MAX_DATASET_NAME_LEN];
3422
3423	if (nvlist_empty(cmdprops))
3424		return (0); /* No properties to override or exclude */
3425
3426	*oxprops = fnvlist_alloc();
3427	oprops = fnvlist_alloc();
3428
3429	strlcpy(namebuf, fsname, ZFS_MAX_DATASET_NAME_LEN);
3430
3431	/*
3432	 * Get our dataset handle. The target dataset may not exist yet.
3433	 */
3434	if (zfs_dataset_exists(hdl, namebuf, ZFS_TYPE_DATASET)) {
3435		zhp = zfs_open(hdl, namebuf, ZFS_TYPE_DATASET);
3436		if (zhp == NULL) {
3437			ret = -1;
3438			goto error;
3439		}
3440	}
3441
3442	/* open the zpool handle */
3443	cp = strchr(namebuf, '/');
3444	if (cp != NULL)
3445		*cp = '\0';
3446	zpool_hdl = zpool_open(hdl, namebuf);
3447	if (zpool_hdl == NULL) {
3448		ret = -1;
3449		goto error;
3450	}
3451
3452	/* restore namebuf to match fsname for later use */
3453	if (cp != NULL)
3454		*cp = '/';
3455
3456	/*
3457	 * first iteration: process excluded (-x) properties now and gather
3458	 * added (-o) properties to be later processed by zfs_valid_proplist()
3459	 */
3460	nvp = NULL;
3461	while ((nvp = nvlist_next_nvpair(cmdprops, nvp)) != NULL) {
3462		const char *name = nvpair_name(nvp);
3463		zfs_prop_t prop = zfs_name_to_prop(name);
3464
3465		/* "origin" is processed separately, don't handle it here */
3466		if (prop == ZFS_PROP_ORIGIN)
3467			continue;
3468
3469		/*
3470		 * we're trying to override or exclude a property that does not
3471		 * make sense for this type of dataset, but we don't want to
3472		 * fail if the receive is recursive: this comes in handy when
3473		 * the send stream contains, for instance, a child ZVOL and
3474		 * we're trying to receive it with "-o atime=on"
3475		 */
3476		if (!zfs_prop_valid_for_type(prop, type) &&
3477		    !zfs_prop_user(name)) {
3478			if (recursive)
3479				continue;
3480			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3481			    "property '%s' does not apply to datasets of this "
3482			    "type"), name);
3483			ret = zfs_error(hdl, EZFS_BADPROP, errbuf);
3484			goto error;
3485		}
3486
3487		/* raw streams can't override encryption properties */
3488		if ((zfs_prop_encryption_key_param(prop) ||
3489		    prop == ZFS_PROP_ENCRYPTION) && raw) {
3490			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3491			    "encryption property '%s' cannot "
3492			    "be set or excluded for raw streams."), name);
3493			ret = zfs_error(hdl, EZFS_BADPROP, errbuf);
3494			goto error;
3495		}
3496
3497		/* incremental streams can only exclude encryption properties */
3498		if ((zfs_prop_encryption_key_param(prop) ||
3499		    prop == ZFS_PROP_ENCRYPTION) && !newfs &&
3500		    nvpair_type(nvp) != DATA_TYPE_BOOLEAN) {
3501			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3502			    "encryption property '%s' cannot "
3503			    "be set for incremental streams."), name);
3504			ret = zfs_error(hdl, EZFS_BADPROP, errbuf);
3505			goto error;
3506		}
3507
3508		switch (nvpair_type(nvp)) {
3509		case DATA_TYPE_BOOLEAN: /* -x property */
3510			/*
3511			 * DATA_TYPE_BOOLEAN is the way we're asked to "exclude"
3512			 * a property: this is done by forcing an explicit
3513			 * inherit on the destination so the effective value is
3514			 * not the one we received from the send stream.
3515			 * We do this only if the property is not already
3516			 * locally-set, in which case its value will take
3517			 * priority over the received anyway.
3518			 */
3519			if (nvlist_exists(origprops, name)) {
3520				nvlist_t *attrs;
3521				char  *source = NULL;
3522
3523				attrs = fnvlist_lookup_nvlist(origprops, name);
3524				if (nvlist_lookup_string(attrs,
3525				    ZPROP_SOURCE, &source) == 0 &&
3526				    strcmp(source, ZPROP_SOURCE_VAL_RECVD) != 0)
3527					continue;
3528			}
3529			/*
3530			 * We can't force an explicit inherit on non-inheritable
3531			 * properties: if we're asked to exclude this kind of
3532			 * values we remove them from "recvprops" input nvlist.
3533			 */
3534			if (!zfs_prop_inheritable(prop) &&
3535			    !zfs_prop_user(name) && /* can be inherited too */
3536			    nvlist_exists(recvprops, name))
3537				fnvlist_remove(recvprops, name);
3538			else
3539				fnvlist_add_nvpair(*oxprops, nvp);
3540			break;
3541		case DATA_TYPE_STRING: /* -o property=value */
3542			fnvlist_add_nvpair(oprops, nvp);
3543			break;
3544		default:
3545			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3546			    "property '%s' must be a string or boolean"), name);
3547			ret = zfs_error(hdl, EZFS_BADPROP, errbuf);
3548			goto error;
3549		}
3550	}
3551
3552	if (toplevel) {
3553		/* convert override strings properties to native */
3554		if ((voprops = zfs_valid_proplist(hdl, ZFS_TYPE_DATASET,
3555		    oprops, zoned, zhp, zpool_hdl, B_FALSE, errbuf)) == NULL) {
3556			ret = zfs_error(hdl, EZFS_BADPROP, errbuf);
3557			goto error;
3558		}
3559
3560		/*
3561		 * zfs_crypto_create() requires the parent name. Get it
3562		 * by truncating the fsname copy stored in namebuf.
3563		 */
3564		cp = strrchr(namebuf, '/');
3565		if (cp != NULL)
3566			*cp = '\0';
3567
3568		if (!raw && zfs_crypto_create(hdl, namebuf, voprops, NULL,
3569		    B_FALSE, wkeydata_out, wkeylen_out) != 0) {
3570			fnvlist_free(voprops);
3571			ret = zfs_error(hdl, EZFS_CRYPTOFAILED, errbuf);
3572			goto error;
3573		}
3574
3575		/* second pass: process "-o" properties */
3576		fnvlist_merge(*oxprops, voprops);
3577		fnvlist_free(voprops);
3578	} else {
3579		/* override props on child dataset are inherited */
3580		nvp = NULL;
3581		while ((nvp = nvlist_next_nvpair(oprops, nvp)) != NULL) {
3582			const char *name = nvpair_name(nvp);
3583			fnvlist_add_boolean(*oxprops, name);
3584		}
3585	}
3586
3587error:
3588	if (zhp != NULL)
3589		zfs_close(zhp);
3590	if (zpool_hdl != NULL)
3591		zpool_close(zpool_hdl);
3592	fnvlist_free(oprops);
3593	return (ret);
3594}
3595
3596/*
3597 * Restores a backup of tosnap from the file descriptor specified by infd.
3598 */
3599static int
3600zfs_receive_one(libzfs_handle_t *hdl, int infd, const char *tosnap,
3601    const char *originsnap, recvflags_t *flags, dmu_replay_record_t *drr,
3602    dmu_replay_record_t *drr_noswap, const char *sendfs, nvlist_t *stream_nv,
3603    avl_tree_t *stream_avl, char **top_zfs, int cleanup_fd,
3604    uint64_t *action_handlep, const char *finalsnap, nvlist_t *cmdprops)
3605{
3606	time_t begin_time;
3607	int ioctl_err, ioctl_errno, err;
3608	char *cp;
3609	struct drr_begin *drrb = &drr->drr_u.drr_begin;
3610	char errbuf[1024];
3611	const char *chopprefix;
3612	boolean_t newfs = B_FALSE;
3613	boolean_t stream_wantsnewfs;
3614	boolean_t newprops = B_FALSE;
3615	uint64_t read_bytes = 0;
3616	uint64_t errflags = 0;
3617	uint64_t parent_snapguid = 0;
3618	prop_changelist_t *clp = NULL;
3619	nvlist_t *snapprops_nvlist = NULL;
3620	nvlist_t *snapholds_nvlist = NULL;
3621	zprop_errflags_t prop_errflags;
3622	nvlist_t *prop_errors = NULL;
3623	boolean_t recursive;
3624	char *snapname = NULL;
3625	char destsnap[MAXPATHLEN * 2];
3626	char origin[MAXNAMELEN];
3627	char name[MAXPATHLEN];
3628	char tmp_keylocation[MAXNAMELEN];
3629	nvlist_t *rcvprops = NULL; /* props received from the send stream */
3630	nvlist_t *oxprops = NULL; /* override (-o) and exclude (-x) props */
3631	nvlist_t *origprops = NULL; /* original props (if destination exists) */
3632	zfs_type_t type;
3633	boolean_t toplevel = B_FALSE;
3634	boolean_t zoned = B_FALSE;
3635	boolean_t hastoken = B_FALSE;
3636	uint8_t *wkeydata = NULL;
3637	uint_t wkeylen = 0;
3638
3639	begin_time = time(NULL);
3640	bzero(origin, MAXNAMELEN);
3641	bzero(tmp_keylocation, MAXNAMELEN);
3642
3643	(void) snprintf(errbuf, sizeof (errbuf), dgettext(TEXT_DOMAIN,
3644	    "cannot receive"));
3645
3646	recursive = (nvlist_lookup_boolean(stream_nv, "not_recursive") ==
3647	    ENOENT);
3648
3649	/* Did the user request holds be skipped via zfs recv -k? */
3650	boolean_t holds = flags->holds && !flags->skipholds;
3651
3652	if (stream_avl != NULL) {
3653		char *keylocation = NULL;
3654		nvlist_t *lookup = NULL;
3655		nvlist_t *fs = fsavl_find(stream_avl, drrb->drr_toguid,
3656		    &snapname);
3657
3658		(void) nvlist_lookup_uint64(fs, "parentfromsnap",
3659		    &parent_snapguid);
3660		err = nvlist_lookup_nvlist(fs, "props", &rcvprops);
3661		if (err) {
3662			VERIFY(0 == nvlist_alloc(&rcvprops, NV_UNIQUE_NAME, 0));
3663			newprops = B_TRUE;
3664		}
3665		/*
3666		 * The keylocation property may only be set on encryption roots,
3667		 * but this dataset might not become an encryption root until
3668		 * recv_fix_encryption_hierarchy() is called. That function
3669		 * will fixup the keylocation anyway, so we temporarily unset
3670		 * the keylocation for now to avoid any errors from the receive
3671		 * ioctl.
3672		 */
3673		err = nvlist_lookup_string(rcvprops,
3674		    zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &keylocation);
3675		if (err == 0) {
3676			(void) strcpy(tmp_keylocation, keylocation);
3677			(void) nvlist_remove_all(rcvprops,
3678			    zfs_prop_to_name(ZFS_PROP_KEYLOCATION));
3679		}
3680
3681		if (flags->canmountoff) {
3682			VERIFY(0 == nvlist_add_uint64(rcvprops,
3683			    zfs_prop_to_name(ZFS_PROP_CANMOUNT), 0));
3684		} else if (newprops) {  /* nothing in rcvprops, eliminate it */
3685			nvlist_free(rcvprops);
3686			rcvprops = NULL;
3687			newprops = B_FALSE;
3688		}
3689		if (0 == nvlist_lookup_nvlist(fs, "snapprops", &lookup)) {
3690			VERIFY(0 == nvlist_lookup_nvlist(lookup,
3691			    snapname, &snapprops_nvlist));
3692		}
3693		if (holds) {
3694			if (0 == nvlist_lookup_nvlist(fs, "snapholds",
3695			    &lookup)) {
3696				VERIFY(0 == nvlist_lookup_nvlist(lookup,
3697				    snapname, &snapholds_nvlist));
3698			}
3699		}
3700	}
3701
3702	cp = NULL;
3703
3704	/*
3705	 * Determine how much of the snapshot name stored in the stream
3706	 * we are going to tack on to the name they specified on the
3707	 * command line, and how much we are going to chop off.
3708	 *
3709	 * If they specified a snapshot, chop the entire name stored in
3710	 * the stream.
3711	 */
3712	if (flags->istail) {
3713		/*
3714		 * A filesystem was specified with -e. We want to tack on only
3715		 * the tail of the sent snapshot path.
3716		 */
3717		if (strchr(tosnap, '@')) {
3718			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN, "invalid "
3719			    "argument - snapshot not allowed with -e"));
3720			err = zfs_error(hdl, EZFS_INVALIDNAME, errbuf);
3721			goto out;
3722		}
3723
3724		chopprefix = strrchr(sendfs, '/');
3725
3726		if (chopprefix == NULL) {
3727			/*
3728			 * The tail is the poolname, so we need to
3729			 * prepend a path separator.
3730			 */
3731			int len = strlen(drrb->drr_toname);
3732			cp = malloc(len + 2);
3733			cp[0] = '/';
3734			(void) strcpy(&cp[1], drrb->drr_toname);
3735			chopprefix = cp;
3736		} else {
3737			chopprefix = drrb->drr_toname + (chopprefix - sendfs);
3738		}
3739	} else if (flags->isprefix) {
3740		/*
3741		 * A filesystem was specified with -d. We want to tack on
3742		 * everything but the first element of the sent snapshot path
3743		 * (all but the pool name).
3744		 */
3745		if (strchr(tosnap, '@')) {
3746			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN, "invalid "
3747			    "argument - snapshot not allowed with -d"));
3748			err = zfs_error(hdl, EZFS_INVALIDNAME, errbuf);
3749			goto out;
3750		}
3751
3752		chopprefix = strchr(drrb->drr_toname, '/');
3753		if (chopprefix == NULL)
3754			chopprefix = strchr(drrb->drr_toname, '@');
3755	} else if (strchr(tosnap, '@') == NULL) {
3756		/*
3757		 * If a filesystem was specified without -d or -e, we want to
3758		 * tack on everything after the fs specified by 'zfs send'.
3759		 */
3760		chopprefix = drrb->drr_toname + strlen(sendfs);
3761	} else {
3762		/* A snapshot was specified as an exact path (no -d or -e). */
3763		if (recursive) {
3764			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3765			    "cannot specify snapshot name for multi-snapshot "
3766			    "stream"));
3767			err = zfs_error(hdl, EZFS_BADSTREAM, errbuf);
3768			goto out;
3769		}
3770		chopprefix = drrb->drr_toname + strlen(drrb->drr_toname);
3771	}
3772
3773	ASSERT(strstr(drrb->drr_toname, sendfs) == drrb->drr_toname);
3774	ASSERT(chopprefix > drrb->drr_toname);
3775	ASSERT(chopprefix <= drrb->drr_toname + strlen(drrb->drr_toname));
3776	ASSERT(chopprefix[0] == '/' || chopprefix[0] == '@' ||
3777	    chopprefix[0] == '\0');
3778
3779	/*
3780	 * Determine name of destination snapshot, store in zc_value.
3781	 */
3782	(void) strlcpy(destsnap, tosnap, sizeof (destsnap));
3783	(void) strlcat(destsnap, chopprefix, sizeof (destsnap));
3784	free(cp);
3785	if (!zfs_name_valid(destsnap, ZFS_TYPE_SNAPSHOT)) {
3786		err = zfs_error(hdl, EZFS_INVALIDNAME, errbuf);
3787		goto out;
3788	}
3789
3790	/*
3791	 * Determine the name of the origin snapshot, store in zc_string.
3792	 */
3793	if (originsnap) {
3794		(void) strlcpy(origin, originsnap, sizeof (origin));
3795		if (flags->verbose)
3796			(void) printf("using provided clone origin %s\n",
3797			    origin);
3798	} else if (drrb->drr_flags & DRR_FLAG_CLONE) {
3799		if (guid_to_name(hdl, destsnap,
3800		    drrb->drr_fromguid, B_FALSE, origin) != 0) {
3801			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3802			    "local origin for clone %s does not exist"),
3803			    destsnap);
3804			err = zfs_error(hdl, EZFS_NOENT, errbuf);
3805			goto out;
3806		}
3807		if (flags->verbose)
3808			(void) printf("found clone origin %s\n", origin);
3809	}
3810
3811	boolean_t resuming = DMU_GET_FEATUREFLAGS(drrb->drr_versioninfo) &
3812	    DMU_BACKUP_FEATURE_RESUMING;
3813	boolean_t raw = DMU_GET_FEATUREFLAGS(drrb->drr_versioninfo) &
3814	    DMU_BACKUP_FEATURE_RAW;
3815	boolean_t embedded = DMU_GET_FEATUREFLAGS(drrb->drr_versioninfo) &
3816	    DMU_BACKUP_FEATURE_EMBED_DATA;
3817	stream_wantsnewfs = (drrb->drr_fromguid == 0 ||
3818	    (drrb->drr_flags & DRR_FLAG_CLONE) || originsnap) && !resuming;
3819
3820	if (stream_wantsnewfs) {
3821		/*
3822		 * if the parent fs does not exist, look for it based on
3823		 * the parent snap GUID
3824		 */
3825		(void) snprintf(errbuf, sizeof (errbuf), dgettext(TEXT_DOMAIN,
3826		    "cannot receive new filesystem stream"));
3827
3828		(void) strcpy(name, destsnap);
3829		cp = strrchr(name, '/');
3830		if (cp)
3831			*cp = '\0';
3832		if (cp &&
3833		    !zfs_dataset_exists(hdl, name, ZFS_TYPE_DATASET)) {
3834			char suffix[ZFS_MAX_DATASET_NAME_LEN];
3835			(void) strcpy(suffix, strrchr(destsnap, '/'));
3836			if (guid_to_name(hdl, name, parent_snapguid,
3837			    B_FALSE, destsnap) == 0) {
3838				*strchr(destsnap, '@') = '\0';
3839				(void) strcat(destsnap, suffix);
3840			}
3841		}
3842	} else {
3843		/*
3844		 * if the fs does not exist, look for it based on the
3845		 * fromsnap GUID
3846		 */
3847		(void) snprintf(errbuf, sizeof (errbuf), dgettext(TEXT_DOMAIN,
3848		    "cannot receive incremental stream"));
3849
3850		(void) strcpy(name, destsnap);
3851		*strchr(name, '@') = '\0';
3852
3853		/*
3854		 * If the exact receive path was specified and this is the
3855		 * topmost path in the stream, then if the fs does not exist we
3856		 * should look no further.
3857		 */
3858		if ((flags->isprefix || (*(chopprefix = drrb->drr_toname +
3859		    strlen(sendfs)) != '\0' && *chopprefix != '@')) &&
3860		    !zfs_dataset_exists(hdl, name, ZFS_TYPE_DATASET)) {
3861			char snap[ZFS_MAX_DATASET_NAME_LEN];
3862			(void) strcpy(snap, strchr(destsnap, '@'));
3863			if (guid_to_name(hdl, name, drrb->drr_fromguid,
3864			    B_FALSE, destsnap) == 0) {
3865				*strchr(destsnap, '@') = '\0';
3866				(void) strcat(destsnap, snap);
3867			}
3868		}
3869	}
3870
3871	(void) strcpy(name, destsnap);
3872	*strchr(name, '@') = '\0';
3873
3874	if (zfs_dataset_exists(hdl, name, ZFS_TYPE_DATASET)) {
3875		zfs_cmd_t zc = { 0 };
3876		zfs_handle_t *zhp;
3877		boolean_t encrypted;
3878
3879		(void) strcpy(zc.zc_name, name);
3880
3881		/*
3882		 * Destination fs exists.  It must be one of these cases:
3883		 *  - an incremental send stream
3884		 *  - the stream specifies a new fs (full stream or clone)
3885		 *    and they want us to blow away the existing fs (and
3886		 *    have therefore specified -F and removed any snapshots)
3887		 *  - we are resuming a failed receive.
3888		 */
3889		if (stream_wantsnewfs) {
3890			if (!flags->force) {
3891				zcmd_free_nvlists(&zc);
3892				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3893				    "destination '%s' exists\n"
3894				    "must specify -F to overwrite it"), name);
3895				err = zfs_error(hdl, EZFS_EXISTS, errbuf);
3896				goto out;
3897			}
3898			if (ioctl(hdl->libzfs_fd, ZFS_IOC_SNAPSHOT_LIST_NEXT,
3899			    &zc) == 0) {
3900				zcmd_free_nvlists(&zc);
3901				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3902				    "destination has snapshots (eg. %s)\n"
3903				    "must destroy them to overwrite it"),
3904				    zc.zc_name);
3905				err = zfs_error(hdl, EZFS_EXISTS, errbuf);
3906				goto out;
3907			}
3908		}
3909
3910		if ((zhp = zfs_open(hdl, name,
3911		    ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME)) == NULL) {
3912			zcmd_free_nvlists(&zc);
3913			err = -1;
3914			goto out;
3915		}
3916
3917		if (stream_wantsnewfs &&
3918		    zhp->zfs_dmustats.dds_origin[0]) {
3919			zcmd_free_nvlists(&zc);
3920			zfs_close(zhp);
3921			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3922			    "destination '%s' is a clone\n"
3923			    "must destroy it to overwrite it"), name);
3924			err = zfs_error(hdl, EZFS_EXISTS, errbuf);
3925			goto out;
3926		}
3927
3928		/*
3929		 * Raw sends can not be performed as an incremental on top
3930		 * of existing unencrypted datasets. zfs recv -F cant be
3931		 * used to blow away an existing encrypted filesystem. This
3932		 * is because it would require the dsl dir to point to the
3933		 * new key (or lack of a key) and the old key at the same
3934		 * time. The -F flag may still be used for deleting
3935		 * intermediate snapshots that would otherwise prevent the
3936		 * receive from working.
3937		 */
3938		encrypted = zfs_prop_get_int(zhp, ZFS_PROP_ENCRYPTION) !=
3939		    ZIO_CRYPT_OFF;
3940		if (!stream_wantsnewfs && !encrypted && raw) {
3941			zfs_close(zhp);
3942			zcmd_free_nvlists(&zc);
3943			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3944			    "cannot perform raw receive on top of "
3945			    "existing unencrypted dataset"));
3946			err = zfs_error(hdl, EZFS_BADRESTORE, errbuf);
3947			goto out;
3948		}
3949
3950		if (stream_wantsnewfs && flags->force &&
3951		    ((raw && !encrypted) || encrypted)) {
3952			zfs_close(zhp);
3953			zcmd_free_nvlists(&zc);
3954			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
3955			    "zfs receive -F cannot be used to destroy an "
3956			    "encrypted filesystem or overwrite an "
3957			    "unencrypted one with an encrypted one"));
3958			err = zfs_error(hdl, EZFS_BADRESTORE, errbuf);
3959			goto out;
3960		}
3961
3962		if (!flags->dryrun && zhp->zfs_type == ZFS_TYPE_FILESYSTEM &&
3963		    stream_wantsnewfs) {
3964			/* We can't do online recv in this case */
3965			clp = changelist_gather(zhp, ZFS_PROP_NAME, 0, 0);
3966			if (clp == NULL) {
3967				zfs_close(zhp);
3968				err = -1;
3969				goto out;
3970			}
3971			if (changelist_prefix(clp) != 0) {
3972				changelist_free(clp);
3973				zfs_close(zhp);
3974				err = -1;
3975				goto out;
3976			}
3977		}
3978
3979		/*
3980		 * If we are resuming a newfs, set newfs here so that we will
3981		 * mount it if the recv succeeds this time.  We can tell
3982		 * that it was a newfs on the first recv because the fs
3983		 * itself will be inconsistent (if the fs existed when we
3984		 * did the first recv, we would have received it into
3985		 * .../%recv).
3986		 */
3987		if (resuming && zfs_prop_get_int(zhp, ZFS_PROP_INCONSISTENT))
3988			newfs = B_TRUE;
3989
3990		/* we want to know if we're zoned when validating -o|-x props */
3991		zoned = zfs_prop_get_int(zhp, ZFS_PROP_ZONED);
3992
3993		/* may need this info later, get it now we have zhp around */
3994		if (zfs_prop_get(zhp, ZFS_PROP_RECEIVE_RESUME_TOKEN, NULL, 0,
3995		    NULL, NULL, 0, B_TRUE) == 0)
3996			hastoken = B_TRUE;
3997
3998		/* gather existing properties on destination */
3999		origprops = fnvlist_alloc();
4000		fnvlist_merge(origprops, zhp->zfs_props);
4001		fnvlist_merge(origprops, zhp->zfs_user_props);
4002
4003		zfs_close(zhp);
4004		cp = NULL;
4005	} else {
4006		zfs_handle_t *zhp;
4007
4008		/*
4009		 * Destination filesystem does not exist.  Therefore we better
4010		 * be creating a new filesystem (either from a full backup, or
4011		 * a clone).  It would therefore be invalid if the user
4012		 * specified only the pool name (i.e. if the destination name
4013		 * contained no slash character).
4014		 */
4015		cp = strrchr(name, '/');
4016
4017		if (!stream_wantsnewfs || cp == NULL) {
4018			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4019			    "destination '%s' does not exist"), name);
4020			err = zfs_error(hdl, EZFS_NOENT, errbuf);
4021			goto out;
4022		}
4023
4024		/*
4025		 * Trim off the final dataset component so we perform the
4026		 * recvbackup ioctl to the filesystems's parent.
4027		 */
4028		*cp = '\0';
4029
4030		if (flags->isprefix && !flags->istail && !flags->dryrun &&
4031		    create_parents(hdl, destsnap, strlen(tosnap)) != 0) {
4032			err = zfs_error(hdl, EZFS_BADRESTORE, errbuf);
4033			goto out;
4034		}
4035
4036		/* validate parent */
4037		zhp = zfs_open(hdl, name, ZFS_TYPE_DATASET);
4038		if (zhp == NULL) {
4039			err = zfs_error(hdl, EZFS_BADRESTORE, errbuf);
4040			goto out;
4041		}
4042		if (zfs_get_type(zhp) != ZFS_TYPE_FILESYSTEM) {
4043			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4044			    "parent '%s' is not a filesystem"), name);
4045			err = zfs_error(hdl, EZFS_WRONG_PARENT, errbuf);
4046			zfs_close(zhp);
4047			goto out;
4048		}
4049
4050		/*
4051		 * It is invalid to receive a properties stream that was
4052		 * unencrypted on the send side as a child of an encrypted
4053		 * parent. Technically there is nothing preventing this, but
4054		 * it would mean that the encryption=off property which is
4055		 * locally set on the send side would not be received correctly.
4056		 * We can infer encryption=off if the stream is not raw and
4057		 * properties were included since the send side will only ever
4058		 * send the encryption property in a raw nvlist header. This
4059		 * check will be avoided if the user specifically overrides
4060		 * the encryption property on the command line.
4061		 */
4062		if (!raw && rcvprops != NULL &&
4063		    !nvlist_exists(cmdprops,
4064		    zfs_prop_to_name(ZFS_PROP_ENCRYPTION))) {
4065			uint64_t crypt;
4066
4067			crypt = zfs_prop_get_int(zhp, ZFS_PROP_ENCRYPTION);
4068
4069			if (crypt != ZIO_CRYPT_OFF) {
4070				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4071				    "parent '%s' must not be encrypted to "
4072				    "receive unenecrypted property"), name);
4073				err = zfs_error(hdl, EZFS_BADPROP, errbuf);
4074				zfs_close(zhp);
4075				goto out;
4076			}
4077		}
4078		zfs_close(zhp);
4079
4080		newfs = B_TRUE;
4081		*cp = '/';
4082	}
4083
4084	if (flags->verbose) {
4085		(void) printf("%s %s stream of %s into %s\n",
4086		    flags->dryrun ? "would receive" : "receiving",
4087		    drrb->drr_fromguid ? "incremental" : "full",
4088		    drrb->drr_toname, destsnap);
4089		(void) fflush(stdout);
4090	}
4091
4092	if (flags->dryrun) {
4093		err = recv_skip(hdl, infd, flags->byteswap);
4094		goto out;
4095	}
4096
4097	if (top_zfs && (*top_zfs == NULL || strcmp(*top_zfs, name) == 0))
4098		toplevel = B_TRUE;
4099	if (drrb->drr_type == DMU_OST_ZVOL) {
4100		type = ZFS_TYPE_VOLUME;
4101	} else if (drrb->drr_type == DMU_OST_ZFS) {
4102		type = ZFS_TYPE_FILESYSTEM;
4103	} else {
4104		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4105		    "invalid record type: 0x%d"), drrb->drr_type);
4106		err = zfs_error(hdl, EZFS_BADSTREAM, errbuf);
4107		goto out;
4108	}
4109	if ((err = zfs_setup_cmdline_props(hdl, type, name, zoned, recursive,
4110	    stream_wantsnewfs, raw, toplevel, rcvprops, cmdprops, origprops,
4111	    &oxprops, &wkeydata, &wkeylen, errbuf)) != 0)
4112		goto out;
4113
4114	/*
4115	 * The following is a difference between ZoL and illumos.
4116	 *
4117	 * On illumos, we must trim the last component of the dataset name
4118	 * that is passed via the ioctl so that we can properly validate
4119	 * zfs_secpolicy_recv() when receiving to a delegated dataset within
4120	 * zone. This matches the historical behavior of the receive ioctl.
4121	 * However,  we can't do this until after zfs_setup_cmdline_props()
4122	 * has finished with the full name.
4123	 */
4124	if (cp != NULL)
4125		*cp = '\0';
4126
4127	err = ioctl_err = lzc_receive_with_cmdprops(destsnap, rcvprops,
4128	    oxprops, wkeydata, wkeylen, origin, flags->force, flags->resumable,
4129	    raw, infd, drr_noswap, cleanup_fd, &read_bytes, &errflags,
4130	    action_handlep, &prop_errors);
4131	ioctl_errno = errno;
4132	prop_errflags = errflags;
4133
4134	if (err == 0) {
4135		nvpair_t *prop_err = NULL;
4136
4137		while ((prop_err = nvlist_next_nvpair(prop_errors,
4138		    prop_err)) != NULL) {
4139			char tbuf[1024];
4140			zfs_prop_t prop;
4141			int intval;
4142
4143			prop = zfs_name_to_prop(nvpair_name(prop_err));
4144			(void) nvpair_value_int32(prop_err, &intval);
4145			if (strcmp(nvpair_name(prop_err),
4146			    ZPROP_N_MORE_ERRORS) == 0) {
4147				trunc_prop_errs(intval);
4148				break;
4149			} else if (snapname == NULL || finalsnap == NULL ||
4150			    strcmp(finalsnap, snapname) == 0 ||
4151			    strcmp(nvpair_name(prop_err),
4152			    zfs_prop_to_name(ZFS_PROP_REFQUOTA)) != 0) {
4153				/*
4154				 * Skip the special case of, for example,
4155				 * "refquota", errors on intermediate
4156				 * snapshots leading up to a final one.
4157				 * That's why we have all of the checks above.
4158				 *
4159				 * See zfs_ioctl.c's extract_delay_props() for
4160				 * a list of props which can fail on
4161				 * intermediate snapshots, but shouldn't
4162				 * affect the overall receive.
4163				 */
4164				(void) snprintf(tbuf, sizeof (tbuf),
4165				    dgettext(TEXT_DOMAIN,
4166				    "cannot receive %s property on %s"),
4167				    nvpair_name(prop_err), name);
4168				zfs_setprop_error(hdl, prop, intval, tbuf);
4169			}
4170		}
4171		nvlist_free(prop_errors);
4172	}
4173
4174	if (err == 0 && snapprops_nvlist) {
4175		zfs_cmd_t zc = { 0 };
4176
4177		(void) strcpy(zc.zc_name, destsnap);
4178		zc.zc_cookie = B_TRUE; /* received */
4179		if (zcmd_write_src_nvlist(hdl, &zc, snapprops_nvlist) == 0) {
4180			(void) zfs_ioctl(hdl, ZFS_IOC_SET_PROP, &zc);
4181			zcmd_free_nvlists(&zc);
4182		}
4183	}
4184	if (err == 0 && snapholds_nvlist) {
4185		nvpair_t *pair;
4186		nvlist_t *holds, *errors = NULL;
4187		int cleanup_fd = -1;
4188
4189		VERIFY(0 == nvlist_alloc(&holds, 0, KM_SLEEP));
4190		for (pair = nvlist_next_nvpair(snapholds_nvlist, NULL);
4191		    pair != NULL;
4192		    pair = nvlist_next_nvpair(snapholds_nvlist, pair)) {
4193			VERIFY(0 == nvlist_add_string(holds, destsnap,
4194			    nvpair_name(pair)));
4195		}
4196		(void) lzc_hold(holds, cleanup_fd, &errors);
4197		nvlist_free(snapholds_nvlist);
4198		nvlist_free(holds);
4199	}
4200
4201	if (err && (ioctl_errno == ENOENT || ioctl_errno == EEXIST)) {
4202		/*
4203		 * It may be that this snapshot already exists,
4204		 * in which case we want to consume & ignore it
4205		 * rather than failing.
4206		 */
4207		avl_tree_t *local_avl;
4208		nvlist_t *local_nv, *fs;
4209		cp = strchr(destsnap, '@');
4210
4211		/*
4212		 * XXX Do this faster by just iterating over snaps in
4213		 * this fs.  Also if zc_value does not exist, we will
4214		 * get a strange "does not exist" error message.
4215		 */
4216		*cp = '\0';
4217		if (gather_nvlist(hdl, destsnap, NULL, NULL, B_FALSE, B_TRUE,
4218		    B_FALSE, B_FALSE, B_FALSE, B_TRUE,
4219		    &local_nv, &local_avl) == 0) {
4220			*cp = '@';
4221			fs = fsavl_find(local_avl, drrb->drr_toguid, NULL);
4222			fsavl_destroy(local_avl);
4223			nvlist_free(local_nv);
4224
4225			if (fs != NULL) {
4226				if (flags->verbose) {
4227					(void) printf("snap %s already exists; "
4228					    "ignoring\n", destsnap);
4229				}
4230				err = ioctl_err = recv_skip(hdl, infd,
4231				    flags->byteswap);
4232			}
4233		}
4234		*cp = '@';
4235	}
4236
4237	if (ioctl_err != 0) {
4238		switch (ioctl_errno) {
4239		case ENODEV:
4240			cp = strchr(destsnap, '@');
4241			*cp = '\0';
4242			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4243			    "most recent snapshot of %s does not\n"
4244			    "match incremental source"), destsnap);
4245			(void) zfs_error(hdl, EZFS_BADRESTORE, errbuf);
4246			*cp = '@';
4247			break;
4248		case ETXTBSY:
4249			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4250			    "destination %s has been modified\n"
4251			    "since most recent snapshot"), name);
4252			(void) zfs_error(hdl, EZFS_BADRESTORE, errbuf);
4253			break;
4254		case EACCES:
4255			if (raw && stream_wantsnewfs) {
4256				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4257				    "failed to create encryption key"));
4258			} else if (raw && !stream_wantsnewfs) {
4259				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4260				    "encryption key does not match "
4261				    "existing key"));
4262			} else {
4263				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4264				    "inherited key must be loaded"));
4265			}
4266			(void) zfs_error(hdl, EZFS_CRYPTOFAILED, errbuf);
4267			break;
4268		case EEXIST:
4269			cp = strchr(destsnap, '@');
4270			if (newfs) {
4271				/* it's the containing fs that exists */
4272				*cp = '\0';
4273			}
4274			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4275			    "destination already exists"));
4276			(void) zfs_error_fmt(hdl, EZFS_EXISTS,
4277			    dgettext(TEXT_DOMAIN, "cannot restore to %s"),
4278			    destsnap);
4279			*cp = '@';
4280			break;
4281		case EINVAL:
4282			if (embedded && !raw)
4283				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4284				    "incompatible embedded data stream "
4285				    "feature with encrypted receive."));
4286			(void) zfs_error(hdl, EZFS_BADSTREAM, errbuf);
4287			break;
4288		case ECKSUM:
4289			recv_ecksum_set_aux(hdl, destsnap, flags->resumable);
4290			(void) zfs_error(hdl, EZFS_BADSTREAM, errbuf);
4291			break;
4292		case ENOTSUP:
4293			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4294			    "pool must be upgraded to receive this stream."));
4295			(void) zfs_error(hdl, EZFS_BADVERSION, errbuf);
4296			break;
4297		case EDQUOT:
4298			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4299			    "destination %s space quota exceeded."), name);
4300			(void) zfs_error(hdl, EZFS_NOSPC, errbuf);
4301			break;
4302		case ZFS_ERR_FROM_IVSET_GUID_MISSING:
4303			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4304			    "IV set guid missing. See errata %u at"
4305			    "http://zfsonlinux.org/msg/ZFS-8000-ER"),
4306			    ZPOOL_ERRATA_ZOL_8308_ENCRYPTION);
4307			(void) zfs_error(hdl, EZFS_BADSTREAM, errbuf);
4308			break;
4309		case ZFS_ERR_FROM_IVSET_GUID_MISMATCH:
4310			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4311			    "IV set guid mismatch. See the 'zfs receive' "
4312			    "man page section\n discussing the limitations "
4313			    "of raw encrypted send streams."));
4314			(void) zfs_error(hdl, EZFS_BADSTREAM, errbuf);
4315			break;
4316		case ZFS_ERR_SPILL_BLOCK_FLAG_MISSING:
4317			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4318			    "Spill block flag missing for raw send.\n"
4319			    "The zfs software on the sending system must "
4320			    "be updated."));
4321			(void) zfs_error(hdl, EZFS_BADSTREAM, errbuf);
4322			break;
4323		case EBUSY:
4324			if (hastoken) {
4325				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4326				    "destination %s contains "
4327				    "partially-complete state from "
4328				    "\"zfs receive -s\"."), name);
4329				(void) zfs_error(hdl, EZFS_BUSY, errbuf);
4330				break;
4331			}
4332			/* fallthru */
4333		default:
4334			(void) zfs_standard_error(hdl, ioctl_errno, errbuf);
4335		}
4336	}
4337
4338	/*
4339	 * Mount the target filesystem (if created).  Also mount any
4340	 * children of the target filesystem if we did a replication
4341	 * receive (indicated by stream_avl being non-NULL).
4342	 */
4343	cp = strchr(destsnap, '@');
4344	if (cp && (ioctl_err == 0 || !newfs)) {
4345		zfs_handle_t *h;
4346
4347		*cp = '\0';
4348		h = zfs_open(hdl, destsnap,
4349		    ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME);
4350		if (h != NULL) {
4351			if (h->zfs_type == ZFS_TYPE_VOLUME) {
4352				*cp = '@';
4353			} else if (newfs || stream_avl) {
4354				/*
4355				 * Track the first/top of hierarchy fs,
4356				 * for mounting and sharing later.
4357				 */
4358				if (top_zfs && *top_zfs == NULL)
4359					*top_zfs = zfs_strdup(hdl, destsnap);
4360			}
4361			zfs_close(h);
4362		}
4363		*cp = '@';
4364	}
4365
4366	if (clp) {
4367		if (!flags->nomount)
4368			err |= changelist_postfix(clp);
4369		changelist_free(clp);
4370	}
4371
4372	if (prop_errflags & ZPROP_ERR_NOCLEAR) {
4373		(void) fprintf(stderr, dgettext(TEXT_DOMAIN, "Warning: "
4374		    "failed to clear unreceived properties on %s"), name);
4375		(void) fprintf(stderr, "\n");
4376	}
4377	if (prop_errflags & ZPROP_ERR_NORESTORE) {
4378		(void) fprintf(stderr, dgettext(TEXT_DOMAIN, "Warning: "
4379		    "failed to restore original properties on %s"), name);
4380		(void) fprintf(stderr, "\n");
4381	}
4382
4383	if (err || ioctl_err) {
4384		err = -1;
4385		goto out;
4386	}
4387
4388	if (flags->verbose) {
4389		char buf1[64];
4390		char buf2[64];
4391		uint64_t bytes = read_bytes;
4392		time_t delta = time(NULL) - begin_time;
4393		if (delta == 0)
4394			delta = 1;
4395		zfs_nicenum(bytes, buf1, sizeof (buf1));
4396		zfs_nicenum(bytes/delta, buf2, sizeof (buf1));
4397
4398		(void) printf("received %sB stream in %lu seconds (%sB/sec)\n",
4399		    buf1, delta, buf2);
4400	}
4401
4402	err = 0;
4403out:
4404
4405	if (tmp_keylocation[0] != '\0') {
4406		VERIFY(0 == nvlist_add_string(rcvprops,
4407		    zfs_prop_to_name(ZFS_PROP_KEYLOCATION), tmp_keylocation));
4408	}
4409
4410	if (newprops)
4411		nvlist_free(rcvprops);
4412
4413	nvlist_free(oxprops);
4414	nvlist_free(origprops);
4415
4416	return (err);
4417}
4418
4419/*
4420 * Check properties we were asked to override (both -o|-x)
4421 */
4422static boolean_t
4423zfs_receive_checkprops(libzfs_handle_t *hdl, nvlist_t *props,
4424    const char *errbuf)
4425{
4426	nvpair_t *nvp;
4427	zfs_prop_t prop;
4428	const char *name;
4429
4430	nvp = NULL;
4431	while ((nvp = nvlist_next_nvpair(props, nvp)) != NULL) {
4432		name = nvpair_name(nvp);
4433		prop = zfs_name_to_prop(name);
4434
4435		if (prop == ZPROP_INVAL) {
4436			if (!zfs_prop_user(name)) {
4437				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4438				    "invalid property '%s'"), name);
4439				return (B_FALSE);
4440			}
4441			continue;
4442		}
4443		/*
4444		 * "origin" is readonly but is used to receive datasets as
4445		 * clones so we don't raise an error here
4446		 */
4447		if (prop == ZFS_PROP_ORIGIN)
4448			continue;
4449
4450		/* encryption params have their own verification later */
4451		if (prop == ZFS_PROP_ENCRYPTION ||
4452		    zfs_prop_encryption_key_param(prop))
4453			continue;
4454
4455		/*
4456		 * cannot override readonly, set-once and other specific
4457		 * settable properties
4458		 */
4459		if (zfs_prop_readonly(prop) || prop == ZFS_PROP_VERSION ||
4460		    prop == ZFS_PROP_VOLSIZE) {
4461			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4462			    "invalid property '%s'"), name);
4463			return (B_FALSE);
4464		}
4465	}
4466
4467	return (B_TRUE);
4468}
4469
4470static int
4471zfs_receive_impl(libzfs_handle_t *hdl, const char *tosnap,
4472    const char *originsnap, recvflags_t *flags, int infd, const char *sendfs,
4473    nvlist_t *stream_nv, avl_tree_t *stream_avl, char **top_zfs, int cleanup_fd,
4474    uint64_t *action_handlep, const char *finalsnap, nvlist_t *cmdprops)
4475{
4476	int err;
4477	dmu_replay_record_t drr, drr_noswap;
4478	struct drr_begin *drrb = &drr.drr_u.drr_begin;
4479	char errbuf[1024];
4480	zio_cksum_t zcksum = { 0 };
4481	uint64_t featureflags;
4482	int hdrtype;
4483
4484	(void) snprintf(errbuf, sizeof (errbuf), dgettext(TEXT_DOMAIN,
4485	    "cannot receive"));
4486
4487	/* check cmdline props, raise an error if they cannot be received */
4488	if (!zfs_receive_checkprops(hdl, cmdprops, errbuf)) {
4489		return (zfs_error(hdl, EZFS_BADPROP, errbuf));
4490	}
4491
4492	if (flags->isprefix &&
4493	    !zfs_dataset_exists(hdl, tosnap, ZFS_TYPE_DATASET)) {
4494		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN, "specified fs "
4495		    "(%s) does not exist"), tosnap);
4496		return (zfs_error(hdl, EZFS_NOENT, errbuf));
4497	}
4498	if (originsnap &&
4499	    !zfs_dataset_exists(hdl, originsnap, ZFS_TYPE_DATASET)) {
4500		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN, "specified origin fs "
4501		    "(%s) does not exist"), originsnap);
4502		return (zfs_error(hdl, EZFS_NOENT, errbuf));
4503	}
4504
4505	/* read in the BEGIN record */
4506	if (0 != (err = recv_read(hdl, infd, &drr, sizeof (drr), B_FALSE,
4507	    &zcksum)))
4508		return (err);
4509
4510	if (drr.drr_type == DRR_END || drr.drr_type == BSWAP_32(DRR_END)) {
4511		/* It's the double end record at the end of a package */
4512		return (ENODATA);
4513	}
4514
4515	/* the kernel needs the non-byteswapped begin record */
4516	drr_noswap = drr;
4517
4518	flags->byteswap = B_FALSE;
4519	if (drrb->drr_magic == BSWAP_64(DMU_BACKUP_MAGIC)) {
4520		/*
4521		 * We computed the checksum in the wrong byteorder in
4522		 * recv_read() above; do it again correctly.
4523		 */
4524		bzero(&zcksum, sizeof (zio_cksum_t));
4525		(void) fletcher_4_incremental_byteswap(&drr,
4526		    sizeof (drr), &zcksum);
4527		flags->byteswap = B_TRUE;
4528
4529		drr.drr_type = BSWAP_32(drr.drr_type);
4530		drr.drr_payloadlen = BSWAP_32(drr.drr_payloadlen);
4531		drrb->drr_magic = BSWAP_64(drrb->drr_magic);
4532		drrb->drr_versioninfo = BSWAP_64(drrb->drr_versioninfo);
4533		drrb->drr_creation_time = BSWAP_64(drrb->drr_creation_time);
4534		drrb->drr_type = BSWAP_32(drrb->drr_type);
4535		drrb->drr_flags = BSWAP_32(drrb->drr_flags);
4536		drrb->drr_toguid = BSWAP_64(drrb->drr_toguid);
4537		drrb->drr_fromguid = BSWAP_64(drrb->drr_fromguid);
4538	}
4539
4540	if (drrb->drr_magic != DMU_BACKUP_MAGIC || drr.drr_type != DRR_BEGIN) {
4541		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN, "invalid "
4542		    "stream (bad magic number)"));
4543		return (zfs_error(hdl, EZFS_BADSTREAM, errbuf));
4544	}
4545
4546	featureflags = DMU_GET_FEATUREFLAGS(drrb->drr_versioninfo);
4547	hdrtype = DMU_GET_STREAM_HDRTYPE(drrb->drr_versioninfo);
4548
4549	if (!DMU_STREAM_SUPPORTED(featureflags) ||
4550	    (hdrtype != DMU_SUBSTREAM && hdrtype != DMU_COMPOUNDSTREAM)) {
4551		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
4552		    "stream has unsupported feature, feature flags = %lx"),
4553		    featureflags);
4554		return (zfs_error(hdl, EZFS_BADSTREAM, errbuf));
4555	}
4556
4557	/* Holds feature is set once in the compound stream header. */
4558	boolean_t holds = (DMU_GET_FEATUREFLAGS(drrb->drr_versioninfo) &
4559	    DMU_BACKUP_FEATURE_HOLDS);
4560	if (holds)
4561		flags->holds = B_TRUE;
4562
4563	if (strchr(drrb->drr_toname, '@') == NULL) {
4564		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN, "invalid "
4565		    "stream (bad snapshot name)"));
4566		return (zfs_error(hdl, EZFS_BADSTREAM, errbuf));
4567	}
4568
4569	if (DMU_GET_STREAM_HDRTYPE(drrb->drr_versioninfo) == DMU_SUBSTREAM) {
4570		char nonpackage_sendfs[ZFS_MAX_DATASET_NAME_LEN];
4571		if (sendfs == NULL) {
4572			/*
4573			 * We were not called from zfs_receive_package(). Get
4574			 * the fs specified by 'zfs send'.
4575			 */
4576			char *cp;
4577			(void) strlcpy(nonpackage_sendfs,
4578			    drr.drr_u.drr_begin.drr_toname,
4579			    sizeof (nonpackage_sendfs));
4580			if ((cp = strchr(nonpackage_sendfs, '@')) != NULL)
4581				*cp = '\0';
4582			sendfs = nonpackage_sendfs;
4583			VERIFY(finalsnap == NULL);
4584		}
4585		return (zfs_receive_one(hdl, infd, tosnap, originsnap, flags,
4586		    &drr, &drr_noswap, sendfs, stream_nv, stream_avl, top_zfs,
4587		    cleanup_fd, action_handlep, finalsnap, cmdprops));
4588	} else {
4589		assert(DMU_GET_STREAM_HDRTYPE(drrb->drr_versioninfo) ==
4590		    DMU_COMPOUNDSTREAM);
4591		return (zfs_receive_package(hdl, infd, tosnap, flags, &drr,
4592		    &zcksum, top_zfs, cleanup_fd, action_handlep, cmdprops));
4593	}
4594}
4595
4596/*
4597 * Restores a backup of tosnap from the file descriptor specified by infd.
4598 * Return 0 on total success, -2 if some things couldn't be
4599 * destroyed/renamed/promoted, -1 if some things couldn't be received.
4600 * (-1 will override -2, if -1 and the resumable flag was specified the
4601 * transfer can be resumed if the sending side supports it).
4602 */
4603int
4604zfs_receive(libzfs_handle_t *hdl, const char *tosnap, nvlist_t *props,
4605    recvflags_t *flags, int infd, avl_tree_t *stream_avl)
4606{
4607	char *top_zfs = NULL;
4608	int err;
4609	int cleanup_fd;
4610	uint64_t action_handle = 0;
4611	char *originsnap = NULL;
4612	if (props) {
4613		err = nvlist_lookup_string(props, "origin", &originsnap);
4614		if (err && err != ENOENT)
4615			return (err);
4616	}
4617
4618	cleanup_fd = open(ZFS_DEV, O_RDWR|O_EXCL);
4619	VERIFY(cleanup_fd >= 0);
4620
4621	err = zfs_receive_impl(hdl, tosnap, originsnap, flags, infd, NULL, NULL,
4622	    stream_avl, &top_zfs, cleanup_fd, &action_handle, NULL, props);
4623
4624	VERIFY(0 == close(cleanup_fd));
4625
4626	if (err == 0 && !flags->nomount && top_zfs) {
4627		zfs_handle_t *zhp;
4628		prop_changelist_t *clp;
4629
4630		zhp = zfs_open(hdl, top_zfs, ZFS_TYPE_FILESYSTEM);
4631		if (zhp != NULL) {
4632			clp = changelist_gather(zhp, ZFS_PROP_MOUNTPOINT,
4633			    CL_GATHER_MOUNT_ALWAYS, 0);
4634			zfs_close(zhp);
4635			if (clp != NULL) {
4636				/* mount and share received datasets */
4637				err = changelist_postfix(clp);
4638				changelist_free(clp);
4639			}
4640		}
4641		if (zhp == NULL || clp == NULL || err)
4642			err = -1;
4643	}
4644	if (top_zfs)
4645		free(top_zfs);
4646
4647	return (err);
4648}
4649