1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright (c) 2012, 2016 by Delphix. All rights reserved.
24 * Copyright (c) 2013 Martin Matuska. All rights reserved.
25 * Copyright (c) 2014 Joyent, Inc. All rights reserved.
26 * Copyright (c) 2014 Spectra Logic Corporation, All rights reserved.
27 * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
28 */
29
30#include <sys/dmu.h>
31#include <sys/dmu_objset.h>
32#include <sys/dmu_tx.h>
33#include <sys/dsl_dataset.h>
34#include <sys/dsl_dir.h>
35#include <sys/dsl_prop.h>
36#include <sys/dsl_synctask.h>
37#include <sys/dsl_deleg.h>
38#include <sys/dmu_impl.h>
39#include <sys/spa.h>
40#include <sys/metaslab.h>
41#include <sys/zap.h>
42#include <sys/zio.h>
43#include <sys/arc.h>
44#include <sys/sunddi.h>
45#include <sys/zfeature.h>
46#include <sys/policy.h>
47#include <sys/zfs_znode.h>
48#include "zfs_namecheck.h"
49#include "zfs_prop.h"
50
51/*
52 * Filesystem and Snapshot Limits
53 * ------------------------------
54 *
55 * These limits are used to restrict the number of filesystems and/or snapshots
56 * that can be created at a given level in the tree or below. A typical
57 * use-case is with a delegated dataset where the administrator wants to ensure
58 * that a user within the zone is not creating too many additional filesystems
59 * or snapshots, even though they're not exceeding their space quota.
60 *
61 * The filesystem and snapshot counts are stored as extensible properties. This
62 * capability is controlled by a feature flag and must be enabled to be used.
63 * Once enabled, the feature is not active until the first limit is set. At
64 * that point, future operations to create/destroy filesystems or snapshots
65 * will validate and update the counts.
66 *
67 * Because the count properties will not exist before the feature is active,
68 * the counts are updated when a limit is first set on an uninitialized
69 * dsl_dir node in the tree (The filesystem/snapshot count on a node includes
70 * all of the nested filesystems/snapshots. Thus, a new leaf node has a
71 * filesystem count of 0 and a snapshot count of 0. Non-existent filesystem and
72 * snapshot count properties on a node indicate uninitialized counts on that
73 * node.) When first setting a limit on an uninitialized node, the code starts
74 * at the filesystem with the new limit and descends into all sub-filesystems
75 * to add the count properties.
76 *
77 * In practice this is lightweight since a limit is typically set when the
78 * filesystem is created and thus has no children. Once valid, changing the
79 * limit value won't require a re-traversal since the counts are already valid.
80 * When recursively fixing the counts, if a node with a limit is encountered
81 * during the descent, the counts are known to be valid and there is no need to
82 * descend into that filesystem's children. The counts on filesystems above the
83 * one with the new limit will still be uninitialized, unless a limit is
84 * eventually set on one of those filesystems. The counts are always recursively
85 * updated when a limit is set on a dataset, unless there is already a limit.
86 * When a new limit value is set on a filesystem with an existing limit, it is
87 * possible for the new limit to be less than the current count at that level
88 * since a user who can change the limit is also allowed to exceed the limit.
89 *
90 * Once the feature is active, then whenever a filesystem or snapshot is
91 * created, the code recurses up the tree, validating the new count against the
92 * limit at each initialized level. In practice, most levels will not have a
93 * limit set. If there is a limit at any initialized level up the tree, the
94 * check must pass or the creation will fail. Likewise, when a filesystem or
95 * snapshot is destroyed, the counts are recursively adjusted all the way up
96 * the initizized nodes in the tree. Renaming a filesystem into different point
97 * in the tree will first validate, then update the counts on each branch up to
98 * the common ancestor. A receive will also validate the counts and then update
99 * them.
100 *
101 * An exception to the above behavior is that the limit is not enforced if the
102 * user has permission to modify the limit. This is primarily so that
103 * recursive snapshots in the global zone always work. We want to prevent a
104 * denial-of-service in which a lower level delegated dataset could max out its
105 * limit and thus block recursive snapshots from being taken in the global zone.
106 * Because of this, it is possible for the snapshot count to be over the limit
107 * and snapshots taken in the global zone could cause a lower level dataset to
108 * hit or exceed its limit. The administrator taking the global zone recursive
109 * snapshot should be aware of this side-effect and behave accordingly.
110 * For consistency, the filesystem limit is also not enforced if the user can
111 * modify the limit.
112 *
113 * The filesystem and snapshot limits are validated by dsl_fs_ss_limit_check()
114 * and updated by dsl_fs_ss_count_adjust(). A new limit value is setup in
115 * dsl_dir_activate_fs_ss_limit() and the counts are adjusted, if necessary, by
116 * dsl_dir_init_fs_ss_count().
117 *
118 * There is a special case when we receive a filesystem that already exists. In
119 * this case a temporary clone name of %X is created (see dmu_recv_begin). We
120 * never update the filesystem counts for temporary clones.
121 *
122 * Likewise, we do not update the snapshot counts for temporary snapshots,
123 * such as those created by zfs diff.
124 */
125
126extern inline dsl_dir_phys_t *dsl_dir_phys(dsl_dir_t *dd);
127
128static uint64_t dsl_dir_space_towrite(dsl_dir_t *dd);
129
130static void
131dsl_dir_evict_async(void *dbu)
132{
133	dsl_dir_t *dd = dbu;
134	dsl_pool_t *dp = dd->dd_pool;
135	int t;
136
137	dd->dd_dbuf = NULL;
138
139	for (t = 0; t < TXG_SIZE; t++) {
140		ASSERT(!txg_list_member(&dp->dp_dirty_dirs, dd, t));
141		ASSERT(dd->dd_tempreserved[t] == 0);
142		ASSERT(dd->dd_space_towrite[t] == 0);
143	}
144
145	if (dd->dd_parent)
146		dsl_dir_async_rele(dd->dd_parent, dd);
147
148	spa_async_close(dd->dd_pool->dp_spa, dd);
149
150	dsl_prop_fini(dd);
151	mutex_destroy(&dd->dd_lock);
152	kmem_free(dd, sizeof (dsl_dir_t));
153}
154
155int
156dsl_dir_hold_obj(dsl_pool_t *dp, uint64_t ddobj,
157    const char *tail, void *tag, dsl_dir_t **ddp)
158{
159	dmu_buf_t *dbuf;
160	dsl_dir_t *dd;
161	int err;
162
163	ASSERT(dsl_pool_config_held(dp));
164
165	err = dmu_bonus_hold(dp->dp_meta_objset, ddobj, tag, &dbuf);
166	if (err != 0)
167		return (err);
168	dd = dmu_buf_get_user(dbuf);
169#ifdef ZFS_DEBUG
170	{
171		dmu_object_info_t doi;
172		dmu_object_info_from_db(dbuf, &doi);
173		ASSERT3U(doi.doi_bonus_type, ==, DMU_OT_DSL_DIR);
174		ASSERT3U(doi.doi_bonus_size, >=, sizeof (dsl_dir_phys_t));
175	}
176#endif
177	if (dd == NULL) {
178		dsl_dir_t *winner;
179
180		dd = kmem_zalloc(sizeof (dsl_dir_t), KM_SLEEP);
181		dd->dd_object = ddobj;
182		dd->dd_dbuf = dbuf;
183		dd->dd_pool = dp;
184		mutex_init(&dd->dd_lock, NULL, MUTEX_DEFAULT, NULL);
185		dsl_prop_init(dd);
186
187		dsl_dir_snap_cmtime_update(dd);
188
189		if (dsl_dir_phys(dd)->dd_parent_obj) {
190			err = dsl_dir_hold_obj(dp,
191			    dsl_dir_phys(dd)->dd_parent_obj, NULL, dd,
192			    &dd->dd_parent);
193			if (err != 0)
194				goto errout;
195			if (tail) {
196#ifdef ZFS_DEBUG
197				uint64_t foundobj;
198
199				err = zap_lookup(dp->dp_meta_objset,
200				    dsl_dir_phys(dd->dd_parent)->
201				    dd_child_dir_zapobj, tail,
202				    sizeof (foundobj), 1, &foundobj);
203				ASSERT(err || foundobj == ddobj);
204#endif
205				(void) strcpy(dd->dd_myname, tail);
206			} else {
207				err = zap_value_search(dp->dp_meta_objset,
208				    dsl_dir_phys(dd->dd_parent)->
209				    dd_child_dir_zapobj,
210				    ddobj, 0, dd->dd_myname);
211			}
212			if (err != 0)
213				goto errout;
214		} else {
215			(void) strcpy(dd->dd_myname, spa_name(dp->dp_spa));
216		}
217
218		if (dsl_dir_is_clone(dd)) {
219			dmu_buf_t *origin_bonus;
220			dsl_dataset_phys_t *origin_phys;
221
222			/*
223			 * We can't open the origin dataset, because
224			 * that would require opening this dsl_dir.
225			 * Just look at its phys directly instead.
226			 */
227			err = dmu_bonus_hold(dp->dp_meta_objset,
228			    dsl_dir_phys(dd)->dd_origin_obj, FTAG,
229			    &origin_bonus);
230			if (err != 0)
231				goto errout;
232			origin_phys = origin_bonus->db_data;
233			dd->dd_origin_txg =
234			    origin_phys->ds_creation_txg;
235			dmu_buf_rele(origin_bonus, FTAG);
236		}
237
238		dmu_buf_init_user(&dd->dd_dbu, NULL, dsl_dir_evict_async,
239		    &dd->dd_dbuf);
240		winner = dmu_buf_set_user_ie(dbuf, &dd->dd_dbu);
241		if (winner != NULL) {
242			if (dd->dd_parent)
243				dsl_dir_rele(dd->dd_parent, dd);
244			dsl_prop_fini(dd);
245			mutex_destroy(&dd->dd_lock);
246			kmem_free(dd, sizeof (dsl_dir_t));
247			dd = winner;
248		} else {
249			spa_open_ref(dp->dp_spa, dd);
250		}
251	}
252
253	/*
254	 * The dsl_dir_t has both open-to-close and instantiate-to-evict
255	 * holds on the spa.  We need the open-to-close holds because
256	 * otherwise the spa_refcnt wouldn't change when we open a
257	 * dir which the spa also has open, so we could incorrectly
258	 * think it was OK to unload/export/destroy the pool.  We need
259	 * the instantiate-to-evict hold because the dsl_dir_t has a
260	 * pointer to the dd_pool, which has a pointer to the spa_t.
261	 */
262	spa_open_ref(dp->dp_spa, tag);
263	ASSERT3P(dd->dd_pool, ==, dp);
264	ASSERT3U(dd->dd_object, ==, ddobj);
265	ASSERT3P(dd->dd_dbuf, ==, dbuf);
266	*ddp = dd;
267	return (0);
268
269errout:
270	if (dd->dd_parent)
271		dsl_dir_rele(dd->dd_parent, dd);
272	dsl_prop_fini(dd);
273	mutex_destroy(&dd->dd_lock);
274	kmem_free(dd, sizeof (dsl_dir_t));
275	dmu_buf_rele(dbuf, tag);
276	return (err);
277}
278
279void
280dsl_dir_rele(dsl_dir_t *dd, void *tag)
281{
282	dprintf_dd(dd, "%s\n", "");
283	spa_close(dd->dd_pool->dp_spa, tag);
284	dmu_buf_rele(dd->dd_dbuf, tag);
285}
286
287/*
288 * Remove a reference to the given dsl dir that is being asynchronously
289 * released.  Async releases occur from a taskq performing eviction of
290 * dsl datasets and dirs.  This process is identical to a normal release
291 * with the exception of using the async API for releasing the reference on
292 * the spa.
293 */
294void
295dsl_dir_async_rele(dsl_dir_t *dd, void *tag)
296{
297	dprintf_dd(dd, "%s\n", "");
298	spa_async_close(dd->dd_pool->dp_spa, tag);
299	dmu_buf_rele(dd->dd_dbuf, tag);
300}
301
302/* buf must be at least ZFS_MAX_DATASET_NAME_LEN bytes */
303void
304dsl_dir_name(dsl_dir_t *dd, char *buf)
305{
306	if (dd->dd_parent) {
307		dsl_dir_name(dd->dd_parent, buf);
308		VERIFY3U(strlcat(buf, "/", ZFS_MAX_DATASET_NAME_LEN), <,
309		    ZFS_MAX_DATASET_NAME_LEN);
310	} else {
311		buf[0] = '\0';
312	}
313	if (!MUTEX_HELD(&dd->dd_lock)) {
314		/*
315		 * recursive mutex so that we can use
316		 * dprintf_dd() with dd_lock held
317		 */
318		mutex_enter(&dd->dd_lock);
319		VERIFY3U(strlcat(buf, dd->dd_myname, ZFS_MAX_DATASET_NAME_LEN),
320		    <, ZFS_MAX_DATASET_NAME_LEN);
321		mutex_exit(&dd->dd_lock);
322	} else {
323		VERIFY3U(strlcat(buf, dd->dd_myname, ZFS_MAX_DATASET_NAME_LEN),
324		    <, ZFS_MAX_DATASET_NAME_LEN);
325	}
326}
327
328/* Calculate name length, avoiding all the strcat calls of dsl_dir_name */
329int
330dsl_dir_namelen(dsl_dir_t *dd)
331{
332	int result = 0;
333
334	if (dd->dd_parent) {
335		/* parent's name + 1 for the "/" */
336		result = dsl_dir_namelen(dd->dd_parent) + 1;
337	}
338
339	if (!MUTEX_HELD(&dd->dd_lock)) {
340		/* see dsl_dir_name */
341		mutex_enter(&dd->dd_lock);
342		result += strlen(dd->dd_myname);
343		mutex_exit(&dd->dd_lock);
344	} else {
345		result += strlen(dd->dd_myname);
346	}
347
348	return (result);
349}
350
351static int
352getcomponent(const char *path, char *component, const char **nextp)
353{
354	char *p;
355
356	if ((path == NULL) || (path[0] == '\0'))
357		return (SET_ERROR(ENOENT));
358	/* This would be a good place to reserve some namespace... */
359	p = strpbrk(path, "/@");
360	if (p && (p[1] == '/' || p[1] == '@')) {
361		/* two separators in a row */
362		return (SET_ERROR(EINVAL));
363	}
364	if (p == NULL || p == path) {
365		/*
366		 * if the first thing is an @ or /, it had better be an
367		 * @ and it had better not have any more ats or slashes,
368		 * and it had better have something after the @.
369		 */
370		if (p != NULL &&
371		    (p[0] != '@' || strpbrk(path+1, "/@") || p[1] == '\0'))
372			return (SET_ERROR(EINVAL));
373		if (strlen(path) >= ZFS_MAX_DATASET_NAME_LEN)
374			return (SET_ERROR(ENAMETOOLONG));
375		(void) strcpy(component, path);
376		p = NULL;
377	} else if (p[0] == '/') {
378		if (p - path >= ZFS_MAX_DATASET_NAME_LEN)
379			return (SET_ERROR(ENAMETOOLONG));
380		(void) strncpy(component, path, p - path);
381		component[p - path] = '\0';
382		p++;
383	} else if (p[0] == '@') {
384		/*
385		 * if the next separator is an @, there better not be
386		 * any more slashes.
387		 */
388		if (strchr(path, '/'))
389			return (SET_ERROR(EINVAL));
390		if (p - path >= ZFS_MAX_DATASET_NAME_LEN)
391			return (SET_ERROR(ENAMETOOLONG));
392		(void) strncpy(component, path, p - path);
393		component[p - path] = '\0';
394	} else {
395		panic("invalid p=%p", (void *)p);
396	}
397	*nextp = p;
398	return (0);
399}
400
401/*
402 * Return the dsl_dir_t, and possibly the last component which couldn't
403 * be found in *tail.  The name must be in the specified dsl_pool_t.  This
404 * thread must hold the dp_config_rwlock for the pool.  Returns NULL if the
405 * path is bogus, or if tail==NULL and we couldn't parse the whole name.
406 * (*tail)[0] == '@' means that the last component is a snapshot.
407 */
408int
409dsl_dir_hold(dsl_pool_t *dp, const char *name, void *tag,
410    dsl_dir_t **ddp, const char **tailp)
411{
412	char buf[ZFS_MAX_DATASET_NAME_LEN];
413	const char *spaname, *next, *nextnext = NULL;
414	int err;
415	dsl_dir_t *dd;
416	uint64_t ddobj;
417
418	err = getcomponent(name, buf, &next);
419	if (err != 0)
420		return (err);
421
422	/* Make sure the name is in the specified pool. */
423	spaname = spa_name(dp->dp_spa);
424	if (strcmp(buf, spaname) != 0)
425		return (SET_ERROR(EXDEV));
426
427	ASSERT(dsl_pool_config_held(dp));
428
429	err = dsl_dir_hold_obj(dp, dp->dp_root_dir_obj, NULL, tag, &dd);
430	if (err != 0) {
431		return (err);
432	}
433
434	while (next != NULL) {
435		dsl_dir_t *child_dd;
436		err = getcomponent(next, buf, &nextnext);
437		if (err != 0)
438			break;
439		ASSERT(next[0] != '\0');
440		if (next[0] == '@')
441			break;
442		dprintf("looking up %s in obj%lld\n",
443		    buf, dsl_dir_phys(dd)->dd_child_dir_zapobj);
444
445		err = zap_lookup(dp->dp_meta_objset,
446		    dsl_dir_phys(dd)->dd_child_dir_zapobj,
447		    buf, sizeof (ddobj), 1, &ddobj);
448		if (err != 0) {
449			if (err == ENOENT)
450				err = 0;
451			break;
452		}
453
454		err = dsl_dir_hold_obj(dp, ddobj, buf, tag, &child_dd);
455		if (err != 0)
456			break;
457		dsl_dir_rele(dd, tag);
458		dd = child_dd;
459		next = nextnext;
460	}
461
462	if (err != 0) {
463		dsl_dir_rele(dd, tag);
464		return (err);
465	}
466
467	/*
468	 * It's an error if there's more than one component left, or
469	 * tailp==NULL and there's any component left.
470	 */
471	if (next != NULL &&
472	    (tailp == NULL || (nextnext && nextnext[0] != '\0'))) {
473		/* bad path name */
474		dsl_dir_rele(dd, tag);
475		dprintf("next=%p (%s) tail=%p\n", next, next?next:"", tailp);
476		err = SET_ERROR(ENOENT);
477	}
478	if (tailp != NULL)
479		*tailp = next;
480	*ddp = dd;
481	return (err);
482}
483
484/*
485 * If the counts are already initialized for this filesystem and its
486 * descendants then do nothing, otherwise initialize the counts.
487 *
488 * The counts on this filesystem, and those below, may be uninitialized due to
489 * either the use of a pre-existing pool which did not support the
490 * filesystem/snapshot limit feature, or one in which the feature had not yet
491 * been enabled.
492 *
493 * Recursively descend the filesystem tree and update the filesystem/snapshot
494 * counts on each filesystem below, then update the cumulative count on the
495 * current filesystem. If the filesystem already has a count set on it,
496 * then we know that its counts, and the counts on the filesystems below it,
497 * are already correct, so we don't have to update this filesystem.
498 */
499static void
500dsl_dir_init_fs_ss_count(dsl_dir_t *dd, dmu_tx_t *tx)
501{
502	uint64_t my_fs_cnt = 0;
503	uint64_t my_ss_cnt = 0;
504	dsl_pool_t *dp = dd->dd_pool;
505	objset_t *os = dp->dp_meta_objset;
506	zap_cursor_t *zc;
507	zap_attribute_t *za;
508	dsl_dataset_t *ds;
509
510	ASSERT(spa_feature_is_active(dp->dp_spa, SPA_FEATURE_FS_SS_LIMIT));
511	ASSERT(dsl_pool_config_held(dp));
512	ASSERT(dmu_tx_is_syncing(tx));
513
514	dsl_dir_zapify(dd, tx);
515
516	/*
517	 * If the filesystem count has already been initialized then we
518	 * don't need to recurse down any further.
519	 */
520	if (zap_contains(os, dd->dd_object, DD_FIELD_FILESYSTEM_COUNT) == 0)
521		return;
522
523	zc = kmem_alloc(sizeof (zap_cursor_t), KM_SLEEP);
524	za = kmem_alloc(sizeof (zap_attribute_t), KM_SLEEP);
525
526	/* Iterate my child dirs */
527	for (zap_cursor_init(zc, os, dsl_dir_phys(dd)->dd_child_dir_zapobj);
528	    zap_cursor_retrieve(zc, za) == 0; zap_cursor_advance(zc)) {
529		dsl_dir_t *chld_dd;
530		uint64_t count;
531
532		VERIFY0(dsl_dir_hold_obj(dp, za->za_first_integer, NULL, FTAG,
533		    &chld_dd));
534
535		/*
536		 * Ignore hidden ($FREE, $MOS & $ORIGIN) objsets and
537		 * temporary datasets.
538		 */
539		if (chld_dd->dd_myname[0] == '$' ||
540		    chld_dd->dd_myname[0] == '%') {
541			dsl_dir_rele(chld_dd, FTAG);
542			continue;
543		}
544
545		my_fs_cnt++;	/* count this child */
546
547		dsl_dir_init_fs_ss_count(chld_dd, tx);
548
549		VERIFY0(zap_lookup(os, chld_dd->dd_object,
550		    DD_FIELD_FILESYSTEM_COUNT, sizeof (count), 1, &count));
551		my_fs_cnt += count;
552		VERIFY0(zap_lookup(os, chld_dd->dd_object,
553		    DD_FIELD_SNAPSHOT_COUNT, sizeof (count), 1, &count));
554		my_ss_cnt += count;
555
556		dsl_dir_rele(chld_dd, FTAG);
557	}
558	zap_cursor_fini(zc);
559	/* Count my snapshots (we counted children's snapshots above) */
560	VERIFY0(dsl_dataset_hold_obj(dd->dd_pool,
561	    dsl_dir_phys(dd)->dd_head_dataset_obj, FTAG, &ds));
562
563	for (zap_cursor_init(zc, os, dsl_dataset_phys(ds)->ds_snapnames_zapobj);
564	    zap_cursor_retrieve(zc, za) == 0;
565	    zap_cursor_advance(zc)) {
566		/* Don't count temporary snapshots */
567		if (za->za_name[0] != '%')
568			my_ss_cnt++;
569	}
570	zap_cursor_fini(zc);
571
572	dsl_dataset_rele(ds, FTAG);
573
574	kmem_free(zc, sizeof (zap_cursor_t));
575	kmem_free(za, sizeof (zap_attribute_t));
576
577	/* we're in a sync task, update counts */
578	dmu_buf_will_dirty(dd->dd_dbuf, tx);
579	VERIFY0(zap_add(os, dd->dd_object, DD_FIELD_FILESYSTEM_COUNT,
580	    sizeof (my_fs_cnt), 1, &my_fs_cnt, tx));
581	VERIFY0(zap_add(os, dd->dd_object, DD_FIELD_SNAPSHOT_COUNT,
582	    sizeof (my_ss_cnt), 1, &my_ss_cnt, tx));
583}
584
585static int
586dsl_dir_actv_fs_ss_limit_check(void *arg, dmu_tx_t *tx)
587{
588	char *ddname = (char *)arg;
589	dsl_pool_t *dp = dmu_tx_pool(tx);
590	dsl_dataset_t *ds;
591	dsl_dir_t *dd;
592	int error;
593
594	error = dsl_dataset_hold(dp, ddname, FTAG, &ds);
595	if (error != 0)
596		return (error);
597
598	if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_FS_SS_LIMIT)) {
599		dsl_dataset_rele(ds, FTAG);
600		return (SET_ERROR(ENOTSUP));
601	}
602
603	dd = ds->ds_dir;
604	if (spa_feature_is_active(dp->dp_spa, SPA_FEATURE_FS_SS_LIMIT) &&
605	    dsl_dir_is_zapified(dd) &&
606	    zap_contains(dp->dp_meta_objset, dd->dd_object,
607	    DD_FIELD_FILESYSTEM_COUNT) == 0) {
608		dsl_dataset_rele(ds, FTAG);
609		return (SET_ERROR(EALREADY));
610	}
611
612	dsl_dataset_rele(ds, FTAG);
613	return (0);
614}
615
616static void
617dsl_dir_actv_fs_ss_limit_sync(void *arg, dmu_tx_t *tx)
618{
619	char *ddname = (char *)arg;
620	dsl_pool_t *dp = dmu_tx_pool(tx);
621	dsl_dataset_t *ds;
622	spa_t *spa;
623
624	VERIFY0(dsl_dataset_hold(dp, ddname, FTAG, &ds));
625
626	spa = dsl_dataset_get_spa(ds);
627
628	if (!spa_feature_is_active(spa, SPA_FEATURE_FS_SS_LIMIT)) {
629		/*
630		 * Since the feature was not active and we're now setting a
631		 * limit, increment the feature-active counter so that the
632		 * feature becomes active for the first time.
633		 *
634		 * We are already in a sync task so we can update the MOS.
635		 */
636		spa_feature_incr(spa, SPA_FEATURE_FS_SS_LIMIT, tx);
637	}
638
639	/*
640	 * Since we are now setting a non-UINT64_MAX limit on the filesystem,
641	 * we need to ensure the counts are correct. Descend down the tree from
642	 * this point and update all of the counts to be accurate.
643	 */
644	dsl_dir_init_fs_ss_count(ds->ds_dir, tx);
645
646	dsl_dataset_rele(ds, FTAG);
647}
648
649/*
650 * Make sure the feature is enabled and activate it if necessary.
651 * Since we're setting a limit, ensure the on-disk counts are valid.
652 * This is only called by the ioctl path when setting a limit value.
653 *
654 * We do not need to validate the new limit, since users who can change the
655 * limit are also allowed to exceed the limit.
656 */
657int
658dsl_dir_activate_fs_ss_limit(const char *ddname)
659{
660	int error;
661
662	error = dsl_sync_task(ddname, dsl_dir_actv_fs_ss_limit_check,
663	    dsl_dir_actv_fs_ss_limit_sync, (void *)ddname, 0,
664	    ZFS_SPACE_CHECK_RESERVED);
665
666	if (error == EALREADY)
667		error = 0;
668
669	return (error);
670}
671
672/*
673 * Used to determine if the filesystem_limit or snapshot_limit should be
674 * enforced. We allow the limit to be exceeded if the user has permission to
675 * write the property value. We pass in the creds that we got in the open
676 * context since we will always be the GZ root in syncing context. We also have
677 * to handle the case where we are allowed to change the limit on the current
678 * dataset, but there may be another limit in the tree above.
679 *
680 * We can never modify these two properties within a non-global zone. In
681 * addition, the other checks are modeled on zfs_secpolicy_write_perms. We
682 * can't use that function since we are already holding the dp_config_rwlock.
683 * In addition, we already have the dd and dealing with snapshots is simplified
684 * in this code.
685 */
686
687typedef enum {
688	ENFORCE_ALWAYS,
689	ENFORCE_NEVER,
690	ENFORCE_ABOVE
691} enforce_res_t;
692
693static enforce_res_t
694dsl_enforce_ds_ss_limits(dsl_dir_t *dd, zfs_prop_t prop, cred_t *cr)
695{
696	enforce_res_t enforce = ENFORCE_ALWAYS;
697	uint64_t obj;
698	dsl_dataset_t *ds;
699	uint64_t zoned;
700
701	ASSERT(prop == ZFS_PROP_FILESYSTEM_LIMIT ||
702	    prop == ZFS_PROP_SNAPSHOT_LIMIT);
703
704#ifdef _KERNEL
705	if (crgetzoneid(cr) != GLOBAL_ZONEID)
706		return (ENFORCE_ALWAYS);
707
708	if (secpolicy_zfs(cr) == 0)
709		return (ENFORCE_NEVER);
710#endif
711
712	if ((obj = dsl_dir_phys(dd)->dd_head_dataset_obj) == 0)
713		return (ENFORCE_ALWAYS);
714
715	ASSERT(dsl_pool_config_held(dd->dd_pool));
716
717	if (dsl_dataset_hold_obj(dd->dd_pool, obj, FTAG, &ds) != 0)
718		return (ENFORCE_ALWAYS);
719
720	if (dsl_prop_get_ds(ds, "zoned", 8, 1, &zoned, NULL) || zoned) {
721		/* Only root can access zoned fs's from the GZ */
722		enforce = ENFORCE_ALWAYS;
723	} else {
724		if (dsl_deleg_access_impl(ds, zfs_prop_to_name(prop), cr) == 0)
725			enforce = ENFORCE_ABOVE;
726	}
727
728	dsl_dataset_rele(ds, FTAG);
729	return (enforce);
730}
731
732/*
733 * Check if adding additional child filesystem(s) would exceed any filesystem
734 * limits or adding additional snapshot(s) would exceed any snapshot limits.
735 * The prop argument indicates which limit to check.
736 *
737 * Note that all filesystem limits up to the root (or the highest
738 * initialized) filesystem or the given ancestor must be satisfied.
739 */
740int
741dsl_fs_ss_limit_check(dsl_dir_t *dd, uint64_t delta, zfs_prop_t prop,
742    dsl_dir_t *ancestor, cred_t *cr)
743{
744	objset_t *os = dd->dd_pool->dp_meta_objset;
745	uint64_t limit, count;
746	char *count_prop;
747	enforce_res_t enforce;
748	int err = 0;
749
750	ASSERT(dsl_pool_config_held(dd->dd_pool));
751	ASSERT(prop == ZFS_PROP_FILESYSTEM_LIMIT ||
752	    prop == ZFS_PROP_SNAPSHOT_LIMIT);
753
754	/*
755	 * If we're allowed to change the limit, don't enforce the limit
756	 * e.g. this can happen if a snapshot is taken by an administrative
757	 * user in the global zone (i.e. a recursive snapshot by root).
758	 * However, we must handle the case of delegated permissions where we
759	 * are allowed to change the limit on the current dataset, but there
760	 * is another limit in the tree above.
761	 */
762	enforce = dsl_enforce_ds_ss_limits(dd, prop, cr);
763	if (enforce == ENFORCE_NEVER)
764		return (0);
765
766	/*
767	 * e.g. if renaming a dataset with no snapshots, count adjustment
768	 * is 0.
769	 */
770	if (delta == 0)
771		return (0);
772
773	if (prop == ZFS_PROP_SNAPSHOT_LIMIT) {
774		/*
775		 * We don't enforce the limit for temporary snapshots. This is
776		 * indicated by a NULL cred_t argument.
777		 */
778		if (cr == NULL)
779			return (0);
780
781		count_prop = DD_FIELD_SNAPSHOT_COUNT;
782	} else {
783		count_prop = DD_FIELD_FILESYSTEM_COUNT;
784	}
785
786	/*
787	 * If an ancestor has been provided, stop checking the limit once we
788	 * hit that dir. We need this during rename so that we don't overcount
789	 * the check once we recurse up to the common ancestor.
790	 */
791	if (ancestor == dd)
792		return (0);
793
794	/*
795	 * If we hit an uninitialized node while recursing up the tree, we can
796	 * stop since we know there is no limit here (or above). The counts are
797	 * not valid on this node and we know we won't touch this node's counts.
798	 */
799	if (!dsl_dir_is_zapified(dd) || zap_lookup(os, dd->dd_object,
800	    count_prop, sizeof (count), 1, &count) == ENOENT)
801		return (0);
802
803	err = dsl_prop_get_dd(dd, zfs_prop_to_name(prop), 8, 1, &limit, NULL,
804	    B_FALSE);
805	if (err != 0)
806		return (err);
807
808	/* Is there a limit which we've hit? */
809	if (enforce == ENFORCE_ALWAYS && (count + delta) > limit)
810		return (SET_ERROR(EDQUOT));
811
812	if (dd->dd_parent != NULL)
813		err = dsl_fs_ss_limit_check(dd->dd_parent, delta, prop,
814		    ancestor, cr);
815
816	return (err);
817}
818
819/*
820 * Adjust the filesystem or snapshot count for the specified dsl_dir_t and all
821 * parents. When a new filesystem/snapshot is created, increment the count on
822 * all parents, and when a filesystem/snapshot is destroyed, decrement the
823 * count.
824 */
825void
826dsl_fs_ss_count_adjust(dsl_dir_t *dd, int64_t delta, const char *prop,
827    dmu_tx_t *tx)
828{
829	int err;
830	objset_t *os = dd->dd_pool->dp_meta_objset;
831	uint64_t count;
832
833	ASSERT(dsl_pool_config_held(dd->dd_pool));
834	ASSERT(dmu_tx_is_syncing(tx));
835	ASSERT(strcmp(prop, DD_FIELD_FILESYSTEM_COUNT) == 0 ||
836	    strcmp(prop, DD_FIELD_SNAPSHOT_COUNT) == 0);
837
838	/*
839	 * When we receive an incremental stream into a filesystem that already
840	 * exists, a temporary clone is created.  We don't count this temporary
841	 * clone, whose name begins with a '%'. We also ignore hidden ($FREE,
842	 * $MOS & $ORIGIN) objsets.
843	 */
844	if ((dd->dd_myname[0] == '%' || dd->dd_myname[0] == '$') &&
845	    strcmp(prop, DD_FIELD_FILESYSTEM_COUNT) == 0)
846		return;
847
848	/*
849	 * e.g. if renaming a dataset with no snapshots, count adjustment is 0
850	 */
851	if (delta == 0)
852		return;
853
854	/*
855	 * If we hit an uninitialized node while recursing up the tree, we can
856	 * stop since we know the counts are not valid on this node and we
857	 * know we shouldn't touch this node's counts. An uninitialized count
858	 * on the node indicates that either the feature has not yet been
859	 * activated or there are no limits on this part of the tree.
860	 */
861	if (!dsl_dir_is_zapified(dd) || (err = zap_lookup(os, dd->dd_object,
862	    prop, sizeof (count), 1, &count)) == ENOENT)
863		return;
864	VERIFY0(err);
865
866	count += delta;
867	/* Use a signed verify to make sure we're not neg. */
868	VERIFY3S(count, >=, 0);
869
870	VERIFY0(zap_update(os, dd->dd_object, prop, sizeof (count), 1, &count,
871	    tx));
872
873	/* Roll up this additional count into our ancestors */
874	if (dd->dd_parent != NULL)
875		dsl_fs_ss_count_adjust(dd->dd_parent, delta, prop, tx);
876}
877
878uint64_t
879dsl_dir_create_sync(dsl_pool_t *dp, dsl_dir_t *pds, const char *name,
880    dmu_tx_t *tx)
881{
882	objset_t *mos = dp->dp_meta_objset;
883	uint64_t ddobj;
884	dsl_dir_phys_t *ddphys;
885	dmu_buf_t *dbuf;
886
887	ddobj = dmu_object_alloc(mos, DMU_OT_DSL_DIR, 0,
888	    DMU_OT_DSL_DIR, sizeof (dsl_dir_phys_t), tx);
889	if (pds) {
890		VERIFY(0 == zap_add(mos, dsl_dir_phys(pds)->dd_child_dir_zapobj,
891		    name, sizeof (uint64_t), 1, &ddobj, tx));
892	} else {
893		/* it's the root dir */
894		VERIFY(0 == zap_add(mos, DMU_POOL_DIRECTORY_OBJECT,
895		    DMU_POOL_ROOT_DATASET, sizeof (uint64_t), 1, &ddobj, tx));
896	}
897	VERIFY(0 == dmu_bonus_hold(mos, ddobj, FTAG, &dbuf));
898	dmu_buf_will_dirty(dbuf, tx);
899	ddphys = dbuf->db_data;
900
901	ddphys->dd_creation_time = gethrestime_sec();
902	if (pds) {
903		ddphys->dd_parent_obj = pds->dd_object;
904
905		/* update the filesystem counts */
906		dsl_fs_ss_count_adjust(pds, 1, DD_FIELD_FILESYSTEM_COUNT, tx);
907	}
908	ddphys->dd_props_zapobj = zap_create(mos,
909	    DMU_OT_DSL_PROPS, DMU_OT_NONE, 0, tx);
910	ddphys->dd_child_dir_zapobj = zap_create(mos,
911	    DMU_OT_DSL_DIR_CHILD_MAP, DMU_OT_NONE, 0, tx);
912	if (spa_version(dp->dp_spa) >= SPA_VERSION_USED_BREAKDOWN)
913		ddphys->dd_flags |= DD_FLAG_USED_BREAKDOWN;
914	dmu_buf_rele(dbuf, FTAG);
915
916	return (ddobj);
917}
918
919boolean_t
920dsl_dir_is_clone(dsl_dir_t *dd)
921{
922	return (dsl_dir_phys(dd)->dd_origin_obj &&
923	    (dd->dd_pool->dp_origin_snap == NULL ||
924	    dsl_dir_phys(dd)->dd_origin_obj !=
925	    dd->dd_pool->dp_origin_snap->ds_object));
926}
927
928
929uint64_t
930dsl_dir_get_used(dsl_dir_t *dd)
931{
932	return (dsl_dir_phys(dd)->dd_used_bytes);
933}
934
935uint64_t
936dsl_dir_get_quota(dsl_dir_t *dd)
937{
938	return (dsl_dir_phys(dd)->dd_quota);
939}
940
941uint64_t
942dsl_dir_get_reservation(dsl_dir_t *dd)
943{
944	return (dsl_dir_phys(dd)->dd_reserved);
945}
946
947uint64_t
948dsl_dir_get_compressratio(dsl_dir_t *dd)
949{
950	/* a fixed point number, 100x the ratio */
951	return (dsl_dir_phys(dd)->dd_compressed_bytes == 0 ? 100 :
952	    (dsl_dir_phys(dd)->dd_uncompressed_bytes * 100 /
953	    dsl_dir_phys(dd)->dd_compressed_bytes));
954}
955
956uint64_t
957dsl_dir_get_logicalused(dsl_dir_t *dd)
958{
959	return (dsl_dir_phys(dd)->dd_uncompressed_bytes);
960}
961
962uint64_t
963dsl_dir_get_usedsnap(dsl_dir_t *dd)
964{
965	return (dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_SNAP]);
966}
967
968uint64_t
969dsl_dir_get_usedds(dsl_dir_t *dd)
970{
971	return (dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_HEAD]);
972}
973
974uint64_t
975dsl_dir_get_usedrefreserv(dsl_dir_t *dd)
976{
977	return (dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_REFRSRV]);
978}
979
980uint64_t
981dsl_dir_get_usedchild(dsl_dir_t *dd)
982{
983	return (dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_CHILD] +
984	    dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_CHILD_RSRV]);
985}
986
987void
988dsl_dir_get_origin(dsl_dir_t *dd, char *buf)
989{
990	dsl_dataset_t *ds;
991	VERIFY0(dsl_dataset_hold_obj(dd->dd_pool,
992	    dsl_dir_phys(dd)->dd_origin_obj, FTAG, &ds));
993
994	dsl_dataset_name(ds, buf);
995
996	dsl_dataset_rele(ds, FTAG);
997}
998
999int
1000dsl_dir_get_filesystem_count(dsl_dir_t *dd, uint64_t *count)
1001{
1002	if (dsl_dir_is_zapified(dd)) {
1003		objset_t *os = dd->dd_pool->dp_meta_objset;
1004		return (zap_lookup(os, dd->dd_object, DD_FIELD_FILESYSTEM_COUNT,
1005		    sizeof (*count), 1, count));
1006	} else {
1007		return (ENOENT);
1008	}
1009}
1010
1011int
1012dsl_dir_get_snapshot_count(dsl_dir_t *dd, uint64_t *count)
1013{
1014	if (dsl_dir_is_zapified(dd)) {
1015		objset_t *os = dd->dd_pool->dp_meta_objset;
1016		return (zap_lookup(os, dd->dd_object, DD_FIELD_SNAPSHOT_COUNT,
1017		    sizeof (*count), 1, count));
1018	} else {
1019		return (ENOENT);
1020	}
1021}
1022
1023void
1024dsl_dir_stats(dsl_dir_t *dd, nvlist_t *nv)
1025{
1026	mutex_enter(&dd->dd_lock);
1027	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_QUOTA,
1028	    dsl_dir_get_quota(dd));
1029	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_RESERVATION,
1030	    dsl_dir_get_reservation(dd));
1031	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_LOGICALUSED,
1032	    dsl_dir_get_logicalused(dd));
1033	if (dsl_dir_phys(dd)->dd_flags & DD_FLAG_USED_BREAKDOWN) {
1034		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDSNAP,
1035		    dsl_dir_get_usedsnap(dd));
1036		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDDS,
1037		    dsl_dir_get_usedds(dd));
1038		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDREFRESERV,
1039		    dsl_dir_get_usedrefreserv(dd));
1040		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDCHILD,
1041		    dsl_dir_get_usedchild(dd));
1042	}
1043	mutex_exit(&dd->dd_lock);
1044
1045	uint64_t count;
1046	if (dsl_dir_get_filesystem_count(dd, &count) == 0) {
1047		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_FILESYSTEM_COUNT,
1048		    count);
1049	}
1050	if (dsl_dir_get_snapshot_count(dd, &count) == 0) {
1051		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_SNAPSHOT_COUNT,
1052		    count);
1053	}
1054
1055	if (dsl_dir_is_clone(dd)) {
1056		char buf[ZFS_MAX_DATASET_NAME_LEN];
1057		dsl_dir_get_origin(dd, buf);
1058		dsl_prop_nvlist_add_string(nv, ZFS_PROP_ORIGIN, buf);
1059	}
1060
1061}
1062
1063void
1064dsl_dir_dirty(dsl_dir_t *dd, dmu_tx_t *tx)
1065{
1066	dsl_pool_t *dp = dd->dd_pool;
1067
1068	ASSERT(dsl_dir_phys(dd));
1069
1070	if (txg_list_add(&dp->dp_dirty_dirs, dd, tx->tx_txg)) {
1071		/* up the hold count until we can be written out */
1072		dmu_buf_add_ref(dd->dd_dbuf, dd);
1073	}
1074}
1075
1076static int64_t
1077parent_delta(dsl_dir_t *dd, uint64_t used, int64_t delta)
1078{
1079	uint64_t old_accounted = MAX(used, dsl_dir_phys(dd)->dd_reserved);
1080	uint64_t new_accounted =
1081	    MAX(used + delta, dsl_dir_phys(dd)->dd_reserved);
1082	return (new_accounted - old_accounted);
1083}
1084
1085void
1086dsl_dir_sync(dsl_dir_t *dd, dmu_tx_t *tx)
1087{
1088	ASSERT(dmu_tx_is_syncing(tx));
1089
1090	mutex_enter(&dd->dd_lock);
1091	ASSERT0(dd->dd_tempreserved[tx->tx_txg&TXG_MASK]);
1092	dprintf_dd(dd, "txg=%llu towrite=%lluK\n", tx->tx_txg,
1093	    dd->dd_space_towrite[tx->tx_txg&TXG_MASK] / 1024);
1094	dd->dd_space_towrite[tx->tx_txg&TXG_MASK] = 0;
1095	mutex_exit(&dd->dd_lock);
1096
1097	/* release the hold from dsl_dir_dirty */
1098	dmu_buf_rele(dd->dd_dbuf, dd);
1099}
1100
1101static uint64_t
1102dsl_dir_space_towrite(dsl_dir_t *dd)
1103{
1104	uint64_t space = 0;
1105
1106	ASSERT(MUTEX_HELD(&dd->dd_lock));
1107
1108	for (int i = 0; i < TXG_SIZE; i++) {
1109		space += dd->dd_space_towrite[i & TXG_MASK];
1110		ASSERT3U(dd->dd_space_towrite[i & TXG_MASK], >=, 0);
1111	}
1112	return (space);
1113}
1114
1115/*
1116 * How much space would dd have available if ancestor had delta applied
1117 * to it?  If ondiskonly is set, we're only interested in what's
1118 * on-disk, not estimated pending changes.
1119 */
1120uint64_t
1121dsl_dir_space_available(dsl_dir_t *dd,
1122    dsl_dir_t *ancestor, int64_t delta, int ondiskonly)
1123{
1124	uint64_t parentspace, myspace, quota, used;
1125
1126	/*
1127	 * If there are no restrictions otherwise, assume we have
1128	 * unlimited space available.
1129	 */
1130	quota = UINT64_MAX;
1131	parentspace = UINT64_MAX;
1132
1133	if (dd->dd_parent != NULL) {
1134		parentspace = dsl_dir_space_available(dd->dd_parent,
1135		    ancestor, delta, ondiskonly);
1136	}
1137
1138	mutex_enter(&dd->dd_lock);
1139	if (dsl_dir_phys(dd)->dd_quota != 0)
1140		quota = dsl_dir_phys(dd)->dd_quota;
1141	used = dsl_dir_phys(dd)->dd_used_bytes;
1142	if (!ondiskonly)
1143		used += dsl_dir_space_towrite(dd);
1144
1145	if (dd->dd_parent == NULL) {
1146		uint64_t poolsize = dsl_pool_adjustedsize(dd->dd_pool, FALSE);
1147		quota = MIN(quota, poolsize);
1148	}
1149
1150	if (dsl_dir_phys(dd)->dd_reserved > used && parentspace != UINT64_MAX) {
1151		/*
1152		 * We have some space reserved, in addition to what our
1153		 * parent gave us.
1154		 */
1155		parentspace += dsl_dir_phys(dd)->dd_reserved - used;
1156	}
1157
1158	if (dd == ancestor) {
1159		ASSERT(delta <= 0);
1160		ASSERT(used >= -delta);
1161		used += delta;
1162		if (parentspace != UINT64_MAX)
1163			parentspace -= delta;
1164	}
1165
1166	if (used > quota) {
1167		/* over quota */
1168		myspace = 0;
1169	} else {
1170		/*
1171		 * the lesser of the space provided by our parent and
1172		 * the space left in our quota
1173		 */
1174		myspace = MIN(parentspace, quota - used);
1175	}
1176
1177	mutex_exit(&dd->dd_lock);
1178
1179	return (myspace);
1180}
1181
1182struct tempreserve {
1183	list_node_t tr_node;
1184	dsl_dir_t *tr_ds;
1185	uint64_t tr_size;
1186};
1187
1188static int
1189dsl_dir_tempreserve_impl(dsl_dir_t *dd, uint64_t asize, boolean_t netfree,
1190    boolean_t ignorequota, list_t *tr_list,
1191    dmu_tx_t *tx, boolean_t first)
1192{
1193	uint64_t txg = tx->tx_txg;
1194	uint64_t quota;
1195	struct tempreserve *tr;
1196	int retval = EDQUOT;
1197	uint64_t ref_rsrv = 0;
1198
1199	ASSERT3U(txg, !=, 0);
1200	ASSERT3S(asize, >, 0);
1201
1202	mutex_enter(&dd->dd_lock);
1203
1204	/*
1205	 * Check against the dsl_dir's quota.  We don't add in the delta
1206	 * when checking for over-quota because they get one free hit.
1207	 */
1208	uint64_t est_inflight = dsl_dir_space_towrite(dd);
1209	for (int i = 0; i < TXG_SIZE; i++)
1210		est_inflight += dd->dd_tempreserved[i];
1211	uint64_t used_on_disk = dsl_dir_phys(dd)->dd_used_bytes;
1212
1213	/*
1214	 * On the first iteration, fetch the dataset's used-on-disk and
1215	 * refreservation values. Also, if checkrefquota is set, test if
1216	 * allocating this space would exceed the dataset's refquota.
1217	 */
1218	if (first && tx->tx_objset) {
1219		int error;
1220		dsl_dataset_t *ds = tx->tx_objset->os_dsl_dataset;
1221
1222		error = dsl_dataset_check_quota(ds, !netfree,
1223		    asize, est_inflight, &used_on_disk, &ref_rsrv);
1224		if (error != 0) {
1225			mutex_exit(&dd->dd_lock);
1226			return (error);
1227		}
1228	}
1229
1230	/*
1231	 * If this transaction will result in a net free of space,
1232	 * we want to let it through.
1233	 */
1234	if (ignorequota || netfree || dsl_dir_phys(dd)->dd_quota == 0)
1235		quota = UINT64_MAX;
1236	else
1237		quota = dsl_dir_phys(dd)->dd_quota;
1238
1239	/*
1240	 * Adjust the quota against the actual pool size at the root
1241	 * minus any outstanding deferred frees.
1242	 * To ensure that it's possible to remove files from a full
1243	 * pool without inducing transient overcommits, we throttle
1244	 * netfree transactions against a quota that is slightly larger,
1245	 * but still within the pool's allocation slop.  In cases where
1246	 * we're very close to full, this will allow a steady trickle of
1247	 * removes to get through.
1248	 */
1249	uint64_t deferred = 0;
1250	if (dd->dd_parent == NULL) {
1251		spa_t *spa = dd->dd_pool->dp_spa;
1252		uint64_t poolsize = dsl_pool_adjustedsize(dd->dd_pool, netfree);
1253		deferred = metaslab_class_get_deferred(spa_normal_class(spa));
1254		if (poolsize - deferred < quota) {
1255			quota = poolsize - deferred;
1256			retval = ENOSPC;
1257		}
1258	}
1259
1260	/*
1261	 * If they are requesting more space, and our current estimate
1262	 * is over quota, they get to try again unless the actual
1263	 * on-disk is over quota and there are no pending changes (which
1264	 * may free up space for us).
1265	 */
1266	if (used_on_disk + est_inflight >= quota) {
1267		if (est_inflight > 0 || used_on_disk < quota ||
1268		    (retval == ENOSPC && used_on_disk < quota + deferred))
1269			retval = ERESTART;
1270		dprintf_dd(dd, "failing: used=%lluK inflight = %lluK "
1271		    "quota=%lluK tr=%lluK err=%d\n",
1272		    used_on_disk>>10, est_inflight>>10,
1273		    quota>>10, asize>>10, retval);
1274		mutex_exit(&dd->dd_lock);
1275		return (SET_ERROR(retval));
1276	}
1277
1278	/* We need to up our estimated delta before dropping dd_lock */
1279	dd->dd_tempreserved[txg & TXG_MASK] += asize;
1280
1281	uint64_t parent_rsrv = parent_delta(dd, used_on_disk + est_inflight,
1282	    asize - ref_rsrv);
1283	mutex_exit(&dd->dd_lock);
1284
1285	tr = kmem_zalloc(sizeof (struct tempreserve), KM_SLEEP);
1286	tr->tr_ds = dd;
1287	tr->tr_size = asize;
1288	list_insert_tail(tr_list, tr);
1289
1290	/* see if it's OK with our parent */
1291	if (dd->dd_parent != NULL && parent_rsrv != 0) {
1292		boolean_t ismos = (dsl_dir_phys(dd)->dd_head_dataset_obj == 0);
1293
1294		return (dsl_dir_tempreserve_impl(dd->dd_parent,
1295		    parent_rsrv, netfree, ismos, tr_list, tx, B_FALSE));
1296	} else {
1297		return (0);
1298	}
1299}
1300
1301/*
1302 * Reserve space in this dsl_dir, to be used in this tx's txg.
1303 * After the space has been dirtied (and dsl_dir_willuse_space()
1304 * has been called), the reservation should be canceled, using
1305 * dsl_dir_tempreserve_clear().
1306 */
1307int
1308dsl_dir_tempreserve_space(dsl_dir_t *dd, uint64_t lsize, uint64_t asize,
1309    boolean_t netfree, void **tr_cookiep, dmu_tx_t *tx)
1310{
1311	int err;
1312	list_t *tr_list;
1313
1314	if (asize == 0) {
1315		*tr_cookiep = NULL;
1316		return (0);
1317	}
1318
1319	tr_list = kmem_alloc(sizeof (list_t), KM_SLEEP);
1320	list_create(tr_list, sizeof (struct tempreserve),
1321	    offsetof(struct tempreserve, tr_node));
1322	ASSERT3S(asize, >, 0);
1323
1324	err = arc_tempreserve_space(lsize, tx->tx_txg);
1325	if (err == 0) {
1326		struct tempreserve *tr;
1327
1328		tr = kmem_zalloc(sizeof (struct tempreserve), KM_SLEEP);
1329		tr->tr_size = lsize;
1330		list_insert_tail(tr_list, tr);
1331	} else {
1332		if (err == EAGAIN) {
1333			/*
1334			 * If arc_memory_throttle() detected that pageout
1335			 * is running and we are low on memory, we delay new
1336			 * non-pageout transactions to give pageout an
1337			 * advantage.
1338			 *
1339			 * It is unfortunate to be delaying while the caller's
1340			 * locks are held.
1341			 */
1342			txg_delay(dd->dd_pool, tx->tx_txg,
1343			    MSEC2NSEC(10), MSEC2NSEC(10));
1344			err = SET_ERROR(ERESTART);
1345		}
1346	}
1347
1348	if (err == 0) {
1349		err = dsl_dir_tempreserve_impl(dd, asize, netfree,
1350		    B_FALSE, tr_list, tx, B_TRUE);
1351	}
1352
1353	if (err != 0)
1354		dsl_dir_tempreserve_clear(tr_list, tx);
1355	else
1356		*tr_cookiep = tr_list;
1357
1358	return (err);
1359}
1360
1361/*
1362 * Clear a temporary reservation that we previously made with
1363 * dsl_dir_tempreserve_space().
1364 */
1365void
1366dsl_dir_tempreserve_clear(void *tr_cookie, dmu_tx_t *tx)
1367{
1368	int txgidx = tx->tx_txg & TXG_MASK;
1369	list_t *tr_list = tr_cookie;
1370	struct tempreserve *tr;
1371
1372	ASSERT3U(tx->tx_txg, !=, 0);
1373
1374	if (tr_cookie == NULL)
1375		return;
1376
1377	while ((tr = list_head(tr_list)) != NULL) {
1378		if (tr->tr_ds) {
1379			mutex_enter(&tr->tr_ds->dd_lock);
1380			ASSERT3U(tr->tr_ds->dd_tempreserved[txgidx], >=,
1381			    tr->tr_size);
1382			tr->tr_ds->dd_tempreserved[txgidx] -= tr->tr_size;
1383			mutex_exit(&tr->tr_ds->dd_lock);
1384		} else {
1385			arc_tempreserve_clear(tr->tr_size);
1386		}
1387		list_remove(tr_list, tr);
1388		kmem_free(tr, sizeof (struct tempreserve));
1389	}
1390
1391	kmem_free(tr_list, sizeof (list_t));
1392}
1393
1394/*
1395 * This should be called from open context when we think we're going to write
1396 * or free space, for example when dirtying data. Be conservative; it's okay
1397 * to write less space or free more, but we don't want to write more or free
1398 * less than the amount specified.
1399 */
1400void
1401dsl_dir_willuse_space(dsl_dir_t *dd, int64_t space, dmu_tx_t *tx)
1402{
1403	int64_t parent_space;
1404	uint64_t est_used;
1405
1406	mutex_enter(&dd->dd_lock);
1407	if (space > 0)
1408		dd->dd_space_towrite[tx->tx_txg & TXG_MASK] += space;
1409
1410	est_used = dsl_dir_space_towrite(dd) + dsl_dir_phys(dd)->dd_used_bytes;
1411	parent_space = parent_delta(dd, est_used, space);
1412	mutex_exit(&dd->dd_lock);
1413
1414	/* Make sure that we clean up dd_space_to* */
1415	dsl_dir_dirty(dd, tx);
1416
1417	/* XXX this is potentially expensive and unnecessary... */
1418	if (parent_space && dd->dd_parent)
1419		dsl_dir_willuse_space(dd->dd_parent, parent_space, tx);
1420}
1421
1422/* call from syncing context when we actually write/free space for this dd */
1423void
1424dsl_dir_diduse_space(dsl_dir_t *dd, dd_used_t type,
1425    int64_t used, int64_t compressed, int64_t uncompressed, dmu_tx_t *tx)
1426{
1427	int64_t accounted_delta;
1428
1429	/*
1430	 * dsl_dataset_set_refreservation_sync_impl() calls this with
1431	 * dd_lock held, so that it can atomically update
1432	 * ds->ds_reserved and the dsl_dir accounting, so that
1433	 * dsl_dataset_check_quota() can see dataset and dir accounting
1434	 * consistently.
1435	 */
1436	boolean_t needlock = !MUTEX_HELD(&dd->dd_lock);
1437
1438	ASSERT(dmu_tx_is_syncing(tx));
1439	ASSERT(type < DD_USED_NUM);
1440
1441	dmu_buf_will_dirty(dd->dd_dbuf, tx);
1442
1443	if (needlock)
1444		mutex_enter(&dd->dd_lock);
1445	accounted_delta =
1446	    parent_delta(dd, dsl_dir_phys(dd)->dd_used_bytes, used);
1447	ASSERT(used >= 0 || dsl_dir_phys(dd)->dd_used_bytes >= -used);
1448	ASSERT(compressed >= 0 ||
1449	    dsl_dir_phys(dd)->dd_compressed_bytes >= -compressed);
1450	ASSERT(uncompressed >= 0 ||
1451	    dsl_dir_phys(dd)->dd_uncompressed_bytes >= -uncompressed);
1452	dsl_dir_phys(dd)->dd_used_bytes += used;
1453	dsl_dir_phys(dd)->dd_uncompressed_bytes += uncompressed;
1454	dsl_dir_phys(dd)->dd_compressed_bytes += compressed;
1455
1456	if (dsl_dir_phys(dd)->dd_flags & DD_FLAG_USED_BREAKDOWN) {
1457		ASSERT(used > 0 ||
1458		    dsl_dir_phys(dd)->dd_used_breakdown[type] >= -used);
1459		dsl_dir_phys(dd)->dd_used_breakdown[type] += used;
1460#ifdef DEBUG
1461		dd_used_t t;
1462		uint64_t u = 0;
1463		for (t = 0; t < DD_USED_NUM; t++)
1464			u += dsl_dir_phys(dd)->dd_used_breakdown[t];
1465		ASSERT3U(u, ==, dsl_dir_phys(dd)->dd_used_bytes);
1466#endif
1467	}
1468	if (needlock)
1469		mutex_exit(&dd->dd_lock);
1470
1471	if (dd->dd_parent != NULL) {
1472		dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD,
1473		    accounted_delta, compressed, uncompressed, tx);
1474		dsl_dir_transfer_space(dd->dd_parent,
1475		    used - accounted_delta,
1476		    DD_USED_CHILD_RSRV, DD_USED_CHILD, tx);
1477	}
1478}
1479
1480void
1481dsl_dir_transfer_space(dsl_dir_t *dd, int64_t delta,
1482    dd_used_t oldtype, dd_used_t newtype, dmu_tx_t *tx)
1483{
1484	ASSERT(dmu_tx_is_syncing(tx));
1485	ASSERT(oldtype < DD_USED_NUM);
1486	ASSERT(newtype < DD_USED_NUM);
1487
1488	if (delta == 0 ||
1489	    !(dsl_dir_phys(dd)->dd_flags & DD_FLAG_USED_BREAKDOWN))
1490		return;
1491
1492	dmu_buf_will_dirty(dd->dd_dbuf, tx);
1493	mutex_enter(&dd->dd_lock);
1494	ASSERT(delta > 0 ?
1495	    dsl_dir_phys(dd)->dd_used_breakdown[oldtype] >= delta :
1496	    dsl_dir_phys(dd)->dd_used_breakdown[newtype] >= -delta);
1497	ASSERT(dsl_dir_phys(dd)->dd_used_bytes >= ABS(delta));
1498	dsl_dir_phys(dd)->dd_used_breakdown[oldtype] -= delta;
1499	dsl_dir_phys(dd)->dd_used_breakdown[newtype] += delta;
1500	mutex_exit(&dd->dd_lock);
1501}
1502
1503typedef struct dsl_dir_set_qr_arg {
1504	const char *ddsqra_name;
1505	zprop_source_t ddsqra_source;
1506	uint64_t ddsqra_value;
1507} dsl_dir_set_qr_arg_t;
1508
1509static int
1510dsl_dir_set_quota_check(void *arg, dmu_tx_t *tx)
1511{
1512	dsl_dir_set_qr_arg_t *ddsqra = arg;
1513	dsl_pool_t *dp = dmu_tx_pool(tx);
1514	dsl_dataset_t *ds;
1515	int error;
1516	uint64_t towrite, newval;
1517
1518	error = dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds);
1519	if (error != 0)
1520		return (error);
1521
1522	error = dsl_prop_predict(ds->ds_dir, "quota",
1523	    ddsqra->ddsqra_source, ddsqra->ddsqra_value, &newval);
1524	if (error != 0) {
1525		dsl_dataset_rele(ds, FTAG);
1526		return (error);
1527	}
1528
1529	if (newval == 0) {
1530		dsl_dataset_rele(ds, FTAG);
1531		return (0);
1532	}
1533
1534	mutex_enter(&ds->ds_dir->dd_lock);
1535	/*
1536	 * If we are doing the preliminary check in open context, and
1537	 * there are pending changes, then don't fail it, since the
1538	 * pending changes could under-estimate the amount of space to be
1539	 * freed up.
1540	 */
1541	towrite = dsl_dir_space_towrite(ds->ds_dir);
1542	if ((dmu_tx_is_syncing(tx) || towrite == 0) &&
1543	    (newval < dsl_dir_phys(ds->ds_dir)->dd_reserved ||
1544	    newval < dsl_dir_phys(ds->ds_dir)->dd_used_bytes + towrite)) {
1545		error = SET_ERROR(ENOSPC);
1546	}
1547	mutex_exit(&ds->ds_dir->dd_lock);
1548	dsl_dataset_rele(ds, FTAG);
1549	return (error);
1550}
1551
1552static void
1553dsl_dir_set_quota_sync(void *arg, dmu_tx_t *tx)
1554{
1555	dsl_dir_set_qr_arg_t *ddsqra = arg;
1556	dsl_pool_t *dp = dmu_tx_pool(tx);
1557	dsl_dataset_t *ds;
1558	uint64_t newval;
1559
1560	VERIFY0(dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds));
1561
1562	if (spa_version(dp->dp_spa) >= SPA_VERSION_RECVD_PROPS) {
1563		dsl_prop_set_sync_impl(ds, zfs_prop_to_name(ZFS_PROP_QUOTA),
1564		    ddsqra->ddsqra_source, sizeof (ddsqra->ddsqra_value), 1,
1565		    &ddsqra->ddsqra_value, tx);
1566
1567		VERIFY0(dsl_prop_get_int_ds(ds,
1568		    zfs_prop_to_name(ZFS_PROP_QUOTA), &newval));
1569	} else {
1570		newval = ddsqra->ddsqra_value;
1571		spa_history_log_internal_ds(ds, "set", tx, "%s=%lld",
1572		    zfs_prop_to_name(ZFS_PROP_QUOTA), (longlong_t)newval);
1573	}
1574
1575	dmu_buf_will_dirty(ds->ds_dir->dd_dbuf, tx);
1576	mutex_enter(&ds->ds_dir->dd_lock);
1577	dsl_dir_phys(ds->ds_dir)->dd_quota = newval;
1578	mutex_exit(&ds->ds_dir->dd_lock);
1579	dsl_dataset_rele(ds, FTAG);
1580}
1581
1582int
1583dsl_dir_set_quota(const char *ddname, zprop_source_t source, uint64_t quota)
1584{
1585	dsl_dir_set_qr_arg_t ddsqra;
1586
1587	ddsqra.ddsqra_name = ddname;
1588	ddsqra.ddsqra_source = source;
1589	ddsqra.ddsqra_value = quota;
1590
1591	return (dsl_sync_task(ddname, dsl_dir_set_quota_check,
1592	    dsl_dir_set_quota_sync, &ddsqra, 0, ZFS_SPACE_CHECK_NONE));
1593}
1594
1595int
1596dsl_dir_set_reservation_check(void *arg, dmu_tx_t *tx)
1597{
1598	dsl_dir_set_qr_arg_t *ddsqra = arg;
1599	dsl_pool_t *dp = dmu_tx_pool(tx);
1600	dsl_dataset_t *ds;
1601	dsl_dir_t *dd;
1602	uint64_t newval, used, avail;
1603	int error;
1604
1605	error = dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds);
1606	if (error != 0)
1607		return (error);
1608	dd = ds->ds_dir;
1609
1610	/*
1611	 * If we are doing the preliminary check in open context, the
1612	 * space estimates may be inaccurate.
1613	 */
1614	if (!dmu_tx_is_syncing(tx)) {
1615		dsl_dataset_rele(ds, FTAG);
1616		return (0);
1617	}
1618
1619	error = dsl_prop_predict(ds->ds_dir,
1620	    zfs_prop_to_name(ZFS_PROP_RESERVATION),
1621	    ddsqra->ddsqra_source, ddsqra->ddsqra_value, &newval);
1622	if (error != 0) {
1623		dsl_dataset_rele(ds, FTAG);
1624		return (error);
1625	}
1626
1627	mutex_enter(&dd->dd_lock);
1628	used = dsl_dir_phys(dd)->dd_used_bytes;
1629	mutex_exit(&dd->dd_lock);
1630
1631	if (dd->dd_parent) {
1632		avail = dsl_dir_space_available(dd->dd_parent,
1633		    NULL, 0, FALSE);
1634	} else {
1635		avail = dsl_pool_adjustedsize(dd->dd_pool, B_FALSE) - used;
1636	}
1637
1638	if (MAX(used, newval) > MAX(used, dsl_dir_phys(dd)->dd_reserved)) {
1639		uint64_t delta = MAX(used, newval) -
1640		    MAX(used, dsl_dir_phys(dd)->dd_reserved);
1641
1642		if (delta > avail ||
1643		    (dsl_dir_phys(dd)->dd_quota > 0 &&
1644		    newval > dsl_dir_phys(dd)->dd_quota))
1645			error = SET_ERROR(ENOSPC);
1646	}
1647
1648	dsl_dataset_rele(ds, FTAG);
1649	return (error);
1650}
1651
1652void
1653dsl_dir_set_reservation_sync_impl(dsl_dir_t *dd, uint64_t value, dmu_tx_t *tx)
1654{
1655	uint64_t used;
1656	int64_t delta;
1657
1658	dmu_buf_will_dirty(dd->dd_dbuf, tx);
1659
1660	mutex_enter(&dd->dd_lock);
1661	used = dsl_dir_phys(dd)->dd_used_bytes;
1662	delta = MAX(used, value) - MAX(used, dsl_dir_phys(dd)->dd_reserved);
1663	dsl_dir_phys(dd)->dd_reserved = value;
1664
1665	if (dd->dd_parent != NULL) {
1666		/* Roll up this additional usage into our ancestors */
1667		dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD_RSRV,
1668		    delta, 0, 0, tx);
1669	}
1670	mutex_exit(&dd->dd_lock);
1671}
1672
1673
1674static void
1675dsl_dir_set_reservation_sync(void *arg, dmu_tx_t *tx)
1676{
1677	dsl_dir_set_qr_arg_t *ddsqra = arg;
1678	dsl_pool_t *dp = dmu_tx_pool(tx);
1679	dsl_dataset_t *ds;
1680	uint64_t newval;
1681
1682	VERIFY0(dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds));
1683
1684	if (spa_version(dp->dp_spa) >= SPA_VERSION_RECVD_PROPS) {
1685		dsl_prop_set_sync_impl(ds,
1686		    zfs_prop_to_name(ZFS_PROP_RESERVATION),
1687		    ddsqra->ddsqra_source, sizeof (ddsqra->ddsqra_value), 1,
1688		    &ddsqra->ddsqra_value, tx);
1689
1690		VERIFY0(dsl_prop_get_int_ds(ds,
1691		    zfs_prop_to_name(ZFS_PROP_RESERVATION), &newval));
1692	} else {
1693		newval = ddsqra->ddsqra_value;
1694		spa_history_log_internal_ds(ds, "set", tx, "%s=%lld",
1695		    zfs_prop_to_name(ZFS_PROP_RESERVATION),
1696		    (longlong_t)newval);
1697	}
1698
1699	dsl_dir_set_reservation_sync_impl(ds->ds_dir, newval, tx);
1700	dsl_dataset_rele(ds, FTAG);
1701}
1702
1703int
1704dsl_dir_set_reservation(const char *ddname, zprop_source_t source,
1705    uint64_t reservation)
1706{
1707	dsl_dir_set_qr_arg_t ddsqra;
1708
1709	ddsqra.ddsqra_name = ddname;
1710	ddsqra.ddsqra_source = source;
1711	ddsqra.ddsqra_value = reservation;
1712
1713	return (dsl_sync_task(ddname, dsl_dir_set_reservation_check,
1714	    dsl_dir_set_reservation_sync, &ddsqra, 0, ZFS_SPACE_CHECK_NONE));
1715}
1716
1717static dsl_dir_t *
1718closest_common_ancestor(dsl_dir_t *ds1, dsl_dir_t *ds2)
1719{
1720	for (; ds1; ds1 = ds1->dd_parent) {
1721		dsl_dir_t *dd;
1722		for (dd = ds2; dd; dd = dd->dd_parent) {
1723			if (ds1 == dd)
1724				return (dd);
1725		}
1726	}
1727	return (NULL);
1728}
1729
1730/*
1731 * If delta is applied to dd, how much of that delta would be applied to
1732 * ancestor?  Syncing context only.
1733 */
1734static int64_t
1735would_change(dsl_dir_t *dd, int64_t delta, dsl_dir_t *ancestor)
1736{
1737	if (dd == ancestor)
1738		return (delta);
1739
1740	mutex_enter(&dd->dd_lock);
1741	delta = parent_delta(dd, dsl_dir_phys(dd)->dd_used_bytes, delta);
1742	mutex_exit(&dd->dd_lock);
1743	return (would_change(dd->dd_parent, delta, ancestor));
1744}
1745
1746typedef struct dsl_dir_rename_arg {
1747	const char *ddra_oldname;
1748	const char *ddra_newname;
1749	cred_t *ddra_cred;
1750} dsl_dir_rename_arg_t;
1751
1752/* ARGSUSED */
1753static int
1754dsl_valid_rename(dsl_pool_t *dp, dsl_dataset_t *ds, void *arg)
1755{
1756	int *deltap = arg;
1757	char namebuf[ZFS_MAX_DATASET_NAME_LEN];
1758
1759	dsl_dataset_name(ds, namebuf);
1760
1761	if (strlen(namebuf) + *deltap >= ZFS_MAX_DATASET_NAME_LEN)
1762		return (SET_ERROR(ENAMETOOLONG));
1763	return (0);
1764}
1765
1766static int
1767dsl_dir_rename_check(void *arg, dmu_tx_t *tx)
1768{
1769	dsl_dir_rename_arg_t *ddra = arg;
1770	dsl_pool_t *dp = dmu_tx_pool(tx);
1771	dsl_dir_t *dd, *newparent;
1772	const char *mynewname;
1773	int error;
1774	int delta = strlen(ddra->ddra_newname) - strlen(ddra->ddra_oldname);
1775
1776	/* target dir should exist */
1777	error = dsl_dir_hold(dp, ddra->ddra_oldname, FTAG, &dd, NULL);
1778	if (error != 0)
1779		return (error);
1780
1781	/* new parent should exist */
1782	error = dsl_dir_hold(dp, ddra->ddra_newname, FTAG,
1783	    &newparent, &mynewname);
1784	if (error != 0) {
1785		dsl_dir_rele(dd, FTAG);
1786		return (error);
1787	}
1788
1789	/* can't rename to different pool */
1790	if (dd->dd_pool != newparent->dd_pool) {
1791		dsl_dir_rele(newparent, FTAG);
1792		dsl_dir_rele(dd, FTAG);
1793		return (SET_ERROR(ENXIO));
1794	}
1795
1796	/* new name should not already exist */
1797	if (mynewname == NULL) {
1798		dsl_dir_rele(newparent, FTAG);
1799		dsl_dir_rele(dd, FTAG);
1800		return (SET_ERROR(EEXIST));
1801	}
1802
1803	/* if the name length is growing, validate child name lengths */
1804	if (delta > 0) {
1805		error = dmu_objset_find_dp(dp, dd->dd_object, dsl_valid_rename,
1806		    &delta, DS_FIND_CHILDREN | DS_FIND_SNAPSHOTS);
1807		if (error != 0) {
1808			dsl_dir_rele(newparent, FTAG);
1809			dsl_dir_rele(dd, FTAG);
1810			return (error);
1811		}
1812	}
1813
1814	if (dmu_tx_is_syncing(tx)) {
1815		if (spa_feature_is_active(dp->dp_spa,
1816		    SPA_FEATURE_FS_SS_LIMIT)) {
1817			/*
1818			 * Although this is the check function and we don't
1819			 * normally make on-disk changes in check functions,
1820			 * we need to do that here.
1821			 *
1822			 * Ensure this portion of the tree's counts have been
1823			 * initialized in case the new parent has limits set.
1824			 */
1825			dsl_dir_init_fs_ss_count(dd, tx);
1826		}
1827	}
1828
1829	if (newparent != dd->dd_parent) {
1830		/* is there enough space? */
1831		uint64_t myspace =
1832		    MAX(dsl_dir_phys(dd)->dd_used_bytes,
1833		    dsl_dir_phys(dd)->dd_reserved);
1834		objset_t *os = dd->dd_pool->dp_meta_objset;
1835		uint64_t fs_cnt = 0;
1836		uint64_t ss_cnt = 0;
1837
1838		if (dsl_dir_is_zapified(dd)) {
1839			int err;
1840
1841			err = zap_lookup(os, dd->dd_object,
1842			    DD_FIELD_FILESYSTEM_COUNT, sizeof (fs_cnt), 1,
1843			    &fs_cnt);
1844			if (err != ENOENT && err != 0) {
1845				dsl_dir_rele(newparent, FTAG);
1846				dsl_dir_rele(dd, FTAG);
1847				return (err);
1848			}
1849
1850			/*
1851			 * have to add 1 for the filesystem itself that we're
1852			 * moving
1853			 */
1854			fs_cnt++;
1855
1856			err = zap_lookup(os, dd->dd_object,
1857			    DD_FIELD_SNAPSHOT_COUNT, sizeof (ss_cnt), 1,
1858			    &ss_cnt);
1859			if (err != ENOENT && err != 0) {
1860				dsl_dir_rele(newparent, FTAG);
1861				dsl_dir_rele(dd, FTAG);
1862				return (err);
1863			}
1864		}
1865
1866		/* no rename into our descendant */
1867		if (closest_common_ancestor(dd, newparent) == dd) {
1868			dsl_dir_rele(newparent, FTAG);
1869			dsl_dir_rele(dd, FTAG);
1870			return (SET_ERROR(EINVAL));
1871		}
1872
1873		error = dsl_dir_transfer_possible(dd->dd_parent,
1874		    newparent, fs_cnt, ss_cnt, myspace, ddra->ddra_cred);
1875		if (error != 0) {
1876			dsl_dir_rele(newparent, FTAG);
1877			dsl_dir_rele(dd, FTAG);
1878			return (error);
1879		}
1880	}
1881
1882	dsl_dir_rele(newparent, FTAG);
1883	dsl_dir_rele(dd, FTAG);
1884	return (0);
1885}
1886
1887static void
1888dsl_dir_rename_sync(void *arg, dmu_tx_t *tx)
1889{
1890	dsl_dir_rename_arg_t *ddra = arg;
1891	dsl_pool_t *dp = dmu_tx_pool(tx);
1892	dsl_dir_t *dd, *newparent;
1893	const char *mynewname;
1894	int error;
1895	objset_t *mos = dp->dp_meta_objset;
1896
1897	VERIFY0(dsl_dir_hold(dp, ddra->ddra_oldname, FTAG, &dd, NULL));
1898	VERIFY0(dsl_dir_hold(dp, ddra->ddra_newname, FTAG, &newparent,
1899	    &mynewname));
1900
1901	/* Log this before we change the name. */
1902	spa_history_log_internal_dd(dd, "rename", tx,
1903	    "-> %s", ddra->ddra_newname);
1904
1905	if (newparent != dd->dd_parent) {
1906		objset_t *os = dd->dd_pool->dp_meta_objset;
1907		uint64_t fs_cnt = 0;
1908		uint64_t ss_cnt = 0;
1909
1910		/*
1911		 * We already made sure the dd counts were initialized in the
1912		 * check function.
1913		 */
1914		if (spa_feature_is_active(dp->dp_spa,
1915		    SPA_FEATURE_FS_SS_LIMIT)) {
1916			VERIFY0(zap_lookup(os, dd->dd_object,
1917			    DD_FIELD_FILESYSTEM_COUNT, sizeof (fs_cnt), 1,
1918			    &fs_cnt));
1919			/* add 1 for the filesystem itself that we're moving */
1920			fs_cnt++;
1921
1922			VERIFY0(zap_lookup(os, dd->dd_object,
1923			    DD_FIELD_SNAPSHOT_COUNT, sizeof (ss_cnt), 1,
1924			    &ss_cnt));
1925		}
1926
1927		dsl_fs_ss_count_adjust(dd->dd_parent, -fs_cnt,
1928		    DD_FIELD_FILESYSTEM_COUNT, tx);
1929		dsl_fs_ss_count_adjust(newparent, fs_cnt,
1930		    DD_FIELD_FILESYSTEM_COUNT, tx);
1931
1932		dsl_fs_ss_count_adjust(dd->dd_parent, -ss_cnt,
1933		    DD_FIELD_SNAPSHOT_COUNT, tx);
1934		dsl_fs_ss_count_adjust(newparent, ss_cnt,
1935		    DD_FIELD_SNAPSHOT_COUNT, tx);
1936
1937		dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD,
1938		    -dsl_dir_phys(dd)->dd_used_bytes,
1939		    -dsl_dir_phys(dd)->dd_compressed_bytes,
1940		    -dsl_dir_phys(dd)->dd_uncompressed_bytes, tx);
1941		dsl_dir_diduse_space(newparent, DD_USED_CHILD,
1942		    dsl_dir_phys(dd)->dd_used_bytes,
1943		    dsl_dir_phys(dd)->dd_compressed_bytes,
1944		    dsl_dir_phys(dd)->dd_uncompressed_bytes, tx);
1945
1946		if (dsl_dir_phys(dd)->dd_reserved >
1947		    dsl_dir_phys(dd)->dd_used_bytes) {
1948			uint64_t unused_rsrv = dsl_dir_phys(dd)->dd_reserved -
1949			    dsl_dir_phys(dd)->dd_used_bytes;
1950
1951			dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD_RSRV,
1952			    -unused_rsrv, 0, 0, tx);
1953			dsl_dir_diduse_space(newparent, DD_USED_CHILD_RSRV,
1954			    unused_rsrv, 0, 0, tx);
1955		}
1956	}
1957
1958	dmu_buf_will_dirty(dd->dd_dbuf, tx);
1959
1960	/* remove from old parent zapobj */
1961	error = zap_remove(mos,
1962	    dsl_dir_phys(dd->dd_parent)->dd_child_dir_zapobj,
1963	    dd->dd_myname, tx);
1964	ASSERT0(error);
1965
1966	(void) strcpy(dd->dd_myname, mynewname);
1967	dsl_dir_rele(dd->dd_parent, dd);
1968	dsl_dir_phys(dd)->dd_parent_obj = newparent->dd_object;
1969	VERIFY0(dsl_dir_hold_obj(dp,
1970	    newparent->dd_object, NULL, dd, &dd->dd_parent));
1971
1972	/* add to new parent zapobj */
1973	VERIFY0(zap_add(mos, dsl_dir_phys(newparent)->dd_child_dir_zapobj,
1974	    dd->dd_myname, 8, 1, &dd->dd_object, tx));
1975
1976	dsl_prop_notify_all(dd);
1977
1978	dsl_dir_rele(newparent, FTAG);
1979	dsl_dir_rele(dd, FTAG);
1980}
1981
1982int
1983dsl_dir_rename(const char *oldname, const char *newname)
1984{
1985	dsl_dir_rename_arg_t ddra;
1986
1987	ddra.ddra_oldname = oldname;
1988	ddra.ddra_newname = newname;
1989	ddra.ddra_cred = CRED();
1990
1991	return (dsl_sync_task(oldname,
1992	    dsl_dir_rename_check, dsl_dir_rename_sync, &ddra,
1993	    3, ZFS_SPACE_CHECK_RESERVED));
1994}
1995
1996int
1997dsl_dir_transfer_possible(dsl_dir_t *sdd, dsl_dir_t *tdd,
1998    uint64_t fs_cnt, uint64_t ss_cnt, uint64_t space, cred_t *cr)
1999{
2000	dsl_dir_t *ancestor;
2001	int64_t adelta;
2002	uint64_t avail;
2003	int err;
2004
2005	ancestor = closest_common_ancestor(sdd, tdd);
2006	adelta = would_change(sdd, -space, ancestor);
2007	avail = dsl_dir_space_available(tdd, ancestor, adelta, FALSE);
2008	if (avail < space)
2009		return (SET_ERROR(ENOSPC));
2010
2011	err = dsl_fs_ss_limit_check(tdd, fs_cnt, ZFS_PROP_FILESYSTEM_LIMIT,
2012	    ancestor, cr);
2013	if (err != 0)
2014		return (err);
2015	err = dsl_fs_ss_limit_check(tdd, ss_cnt, ZFS_PROP_SNAPSHOT_LIMIT,
2016	    ancestor, cr);
2017	if (err != 0)
2018		return (err);
2019
2020	return (0);
2021}
2022
2023timestruc_t
2024dsl_dir_snap_cmtime(dsl_dir_t *dd)
2025{
2026	timestruc_t t;
2027
2028	mutex_enter(&dd->dd_lock);
2029	t = dd->dd_snap_cmtime;
2030	mutex_exit(&dd->dd_lock);
2031
2032	return (t);
2033}
2034
2035void
2036dsl_dir_snap_cmtime_update(dsl_dir_t *dd)
2037{
2038	timestruc_t t;
2039
2040	gethrestime(&t);
2041	mutex_enter(&dd->dd_lock);
2042	dd->dd_snap_cmtime = t;
2043	mutex_exit(&dd->dd_lock);
2044}
2045
2046void
2047dsl_dir_zapify(dsl_dir_t *dd, dmu_tx_t *tx)
2048{
2049	objset_t *mos = dd->dd_pool->dp_meta_objset;
2050	dmu_object_zapify(mos, dd->dd_object, DMU_OT_DSL_DIR, tx);
2051}
2052
2053boolean_t
2054dsl_dir_is_zapified(dsl_dir_t *dd)
2055{
2056	dmu_object_info_t doi;
2057
2058	dmu_object_info_from_db(dd->dd_dbuf, &doi);
2059	return (doi.doi_type == DMU_OTN_ZAP_METADATA);
2060}
2061