1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright (c) 2012, 2014 by Delphix. All rights reserved.
24 * Copyright (c) 2013 Martin Matuska. All rights reserved.
25 * Copyright (c) 2014 Joyent, Inc. All rights reserved.
26 * Copyright (c) 2014 Spectra Logic Corporation, All rights reserved.
27 * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
28 */
29
30#include <sys/dmu.h>
31#include <sys/dmu_objset.h>
32#include <sys/dmu_tx.h>
33#include <sys/dsl_dataset.h>
34#include <sys/dsl_dir.h>
35#include <sys/dsl_prop.h>
36#include <sys/dsl_synctask.h>
37#include <sys/dsl_deleg.h>
38#include <sys/dmu_impl.h>
39#include <sys/spa.h>
40#include <sys/metaslab.h>
41#include <sys/zap.h>
42#include <sys/zio.h>
43#include <sys/arc.h>
44#include <sys/sunddi.h>
45#include <sys/zfeature.h>
46#include <sys/policy.h>
47#include <sys/zfs_znode.h>
48#include "zfs_namecheck.h"
49#include "zfs_prop.h"
50
51/*
52 * Filesystem and Snapshot Limits
53 * ------------------------------
54 *
55 * These limits are used to restrict the number of filesystems and/or snapshots
56 * that can be created at a given level in the tree or below. A typical
57 * use-case is with a delegated dataset where the administrator wants to ensure
58 * that a user within the zone is not creating too many additional filesystems
59 * or snapshots, even though they're not exceeding their space quota.
60 *
61 * The filesystem and snapshot counts are stored as extensible properties. This
62 * capability is controlled by a feature flag and must be enabled to be used.
63 * Once enabled, the feature is not active until the first limit is set. At
64 * that point, future operations to create/destroy filesystems or snapshots
65 * will validate and update the counts.
66 *
67 * Because the count properties will not exist before the feature is active,
68 * the counts are updated when a limit is first set on an uninitialized
69 * dsl_dir node in the tree (The filesystem/snapshot count on a node includes
70 * all of the nested filesystems/snapshots. Thus, a new leaf node has a
71 * filesystem count of 0 and a snapshot count of 0. Non-existent filesystem and
72 * snapshot count properties on a node indicate uninitialized counts on that
73 * node.) When first setting a limit on an uninitialized node, the code starts
74 * at the filesystem with the new limit and descends into all sub-filesystems
75 * to add the count properties.
76 *
77 * In practice this is lightweight since a limit is typically set when the
78 * filesystem is created and thus has no children. Once valid, changing the
79 * limit value won't require a re-traversal since the counts are already valid.
80 * When recursively fixing the counts, if a node with a limit is encountered
81 * during the descent, the counts are known to be valid and there is no need to
82 * descend into that filesystem's children. The counts on filesystems above the
83 * one with the new limit will still be uninitialized, unless a limit is
84 * eventually set on one of those filesystems. The counts are always recursively
85 * updated when a limit is set on a dataset, unless there is already a limit.
86 * When a new limit value is set on a filesystem with an existing limit, it is
87 * possible for the new limit to be less than the current count at that level
88 * since a user who can change the limit is also allowed to exceed the limit.
89 *
90 * Once the feature is active, then whenever a filesystem or snapshot is
91 * created, the code recurses up the tree, validating the new count against the
92 * limit at each initialized level. In practice, most levels will not have a
93 * limit set. If there is a limit at any initialized level up the tree, the
94 * check must pass or the creation will fail. Likewise, when a filesystem or
95 * snapshot is destroyed, the counts are recursively adjusted all the way up
96 * the initizized nodes in the tree. Renaming a filesystem into different point
97 * in the tree will first validate, then update the counts on each branch up to
98 * the common ancestor. A receive will also validate the counts and then update
99 * them.
100 *
101 * An exception to the above behavior is that the limit is not enforced if the
102 * user has permission to modify the limit. This is primarily so that
103 * recursive snapshots in the global zone always work. We want to prevent a
104 * denial-of-service in which a lower level delegated dataset could max out its
105 * limit and thus block recursive snapshots from being taken in the global zone.
106 * Because of this, it is possible for the snapshot count to be over the limit
107 * and snapshots taken in the global zone could cause a lower level dataset to
108 * hit or exceed its limit. The administrator taking the global zone recursive
109 * snapshot should be aware of this side-effect and behave accordingly.
110 * For consistency, the filesystem limit is also not enforced if the user can
111 * modify the limit.
112 *
113 * The filesystem and snapshot limits are validated by dsl_fs_ss_limit_check()
114 * and updated by dsl_fs_ss_count_adjust(). A new limit value is setup in
115 * dsl_dir_activate_fs_ss_limit() and the counts are adjusted, if necessary, by
116 * dsl_dir_init_fs_ss_count().
117 *
118 * There is a special case when we receive a filesystem that already exists. In
119 * this case a temporary clone name of %X is created (see dmu_recv_begin). We
120 * never update the filesystem counts for temporary clones.
121 *
122 * Likewise, we do not update the snapshot counts for temporary snapshots,
123 * such as those created by zfs diff.
124 */
125
126extern inline dsl_dir_phys_t *dsl_dir_phys(dsl_dir_t *dd);
127
128static uint64_t dsl_dir_space_towrite(dsl_dir_t *dd);
129
130static void
131dsl_dir_evict(void *dbu)
132{
133	dsl_dir_t *dd = dbu;
134	dsl_pool_t *dp = dd->dd_pool;
135	int t;
136
137	dd->dd_dbuf = NULL;
138
139	for (t = 0; t < TXG_SIZE; t++) {
140		ASSERT(!txg_list_member(&dp->dp_dirty_dirs, dd, t));
141		ASSERT(dd->dd_tempreserved[t] == 0);
142		ASSERT(dd->dd_space_towrite[t] == 0);
143	}
144
145	if (dd->dd_parent)
146		dsl_dir_async_rele(dd->dd_parent, dd);
147
148	spa_async_close(dd->dd_pool->dp_spa, dd);
149
150	dsl_prop_fini(dd);
151	mutex_destroy(&dd->dd_lock);
152	kmem_free(dd, sizeof (dsl_dir_t));
153}
154
155int
156dsl_dir_hold_obj(dsl_pool_t *dp, uint64_t ddobj,
157    const char *tail, void *tag, dsl_dir_t **ddp)
158{
159	dmu_buf_t *dbuf;
160	dsl_dir_t *dd;
161	int err;
162
163	ASSERT(dsl_pool_config_held(dp));
164
165	err = dmu_bonus_hold(dp->dp_meta_objset, ddobj, tag, &dbuf);
166	if (err != 0)
167		return (err);
168	dd = dmu_buf_get_user(dbuf);
169#ifdef ZFS_DEBUG
170	{
171		dmu_object_info_t doi;
172		dmu_object_info_from_db(dbuf, &doi);
173		ASSERT3U(doi.doi_bonus_type, ==, DMU_OT_DSL_DIR);
174		ASSERT3U(doi.doi_bonus_size, >=, sizeof (dsl_dir_phys_t));
175	}
176#endif
177	if (dd == NULL) {
178		dsl_dir_t *winner;
179
180		dd = kmem_zalloc(sizeof (dsl_dir_t), KM_SLEEP);
181		dd->dd_object = ddobj;
182		dd->dd_dbuf = dbuf;
183		dd->dd_pool = dp;
184		mutex_init(&dd->dd_lock, NULL, MUTEX_DEFAULT, NULL);
185		dsl_prop_init(dd);
186
187		dsl_dir_snap_cmtime_update(dd);
188
189		if (dsl_dir_phys(dd)->dd_parent_obj) {
190			err = dsl_dir_hold_obj(dp,
191			    dsl_dir_phys(dd)->dd_parent_obj, NULL, dd,
192			    &dd->dd_parent);
193			if (err != 0)
194				goto errout;
195			if (tail) {
196#ifdef ZFS_DEBUG
197				uint64_t foundobj;
198
199				err = zap_lookup(dp->dp_meta_objset,
200				    dsl_dir_phys(dd->dd_parent)->
201				    dd_child_dir_zapobj, tail,
202				    sizeof (foundobj), 1, &foundobj);
203				ASSERT(err || foundobj == ddobj);
204#endif
205				(void) strcpy(dd->dd_myname, tail);
206			} else {
207				err = zap_value_search(dp->dp_meta_objset,
208				    dsl_dir_phys(dd->dd_parent)->
209				    dd_child_dir_zapobj,
210				    ddobj, 0, dd->dd_myname);
211			}
212			if (err != 0)
213				goto errout;
214		} else {
215			(void) strcpy(dd->dd_myname, spa_name(dp->dp_spa));
216		}
217
218		if (dsl_dir_is_clone(dd)) {
219			dmu_buf_t *origin_bonus;
220			dsl_dataset_phys_t *origin_phys;
221
222			/*
223			 * We can't open the origin dataset, because
224			 * that would require opening this dsl_dir.
225			 * Just look at its phys directly instead.
226			 */
227			err = dmu_bonus_hold(dp->dp_meta_objset,
228			    dsl_dir_phys(dd)->dd_origin_obj, FTAG,
229			    &origin_bonus);
230			if (err != 0)
231				goto errout;
232			origin_phys = origin_bonus->db_data;
233			dd->dd_origin_txg =
234			    origin_phys->ds_creation_txg;
235			dmu_buf_rele(origin_bonus, FTAG);
236		}
237
238		dmu_buf_init_user(&dd->dd_dbu, dsl_dir_evict, &dd->dd_dbuf);
239		winner = dmu_buf_set_user_ie(dbuf, &dd->dd_dbu);
240		if (winner != NULL) {
241			if (dd->dd_parent)
242				dsl_dir_rele(dd->dd_parent, dd);
243			dsl_prop_fini(dd);
244			mutex_destroy(&dd->dd_lock);
245			kmem_free(dd, sizeof (dsl_dir_t));
246			dd = winner;
247		} else {
248			spa_open_ref(dp->dp_spa, dd);
249		}
250	}
251
252	/*
253	 * The dsl_dir_t has both open-to-close and instantiate-to-evict
254	 * holds on the spa.  We need the open-to-close holds because
255	 * otherwise the spa_refcnt wouldn't change when we open a
256	 * dir which the spa also has open, so we could incorrectly
257	 * think it was OK to unload/export/destroy the pool.  We need
258	 * the instantiate-to-evict hold because the dsl_dir_t has a
259	 * pointer to the dd_pool, which has a pointer to the spa_t.
260	 */
261	spa_open_ref(dp->dp_spa, tag);
262	ASSERT3P(dd->dd_pool, ==, dp);
263	ASSERT3U(dd->dd_object, ==, ddobj);
264	ASSERT3P(dd->dd_dbuf, ==, dbuf);
265	*ddp = dd;
266	return (0);
267
268errout:
269	if (dd->dd_parent)
270		dsl_dir_rele(dd->dd_parent, dd);
271	dsl_prop_fini(dd);
272	mutex_destroy(&dd->dd_lock);
273	kmem_free(dd, sizeof (dsl_dir_t));
274	dmu_buf_rele(dbuf, tag);
275	return (err);
276}
277
278void
279dsl_dir_rele(dsl_dir_t *dd, void *tag)
280{
281	dprintf_dd(dd, "%s\n", "");
282	spa_close(dd->dd_pool->dp_spa, tag);
283	dmu_buf_rele(dd->dd_dbuf, tag);
284}
285
286/*
287 * Remove a reference to the given dsl dir that is being asynchronously
288 * released.  Async releases occur from a taskq performing eviction of
289 * dsl datasets and dirs.  This process is identical to a normal release
290 * with the exception of using the async API for releasing the reference on
291 * the spa.
292 */
293void
294dsl_dir_async_rele(dsl_dir_t *dd, void *tag)
295{
296	dprintf_dd(dd, "%s\n", "");
297	spa_async_close(dd->dd_pool->dp_spa, tag);
298	dmu_buf_rele(dd->dd_dbuf, tag);
299}
300
301/* buf must be long enough (MAXNAMELEN + strlen(MOS_DIR_NAME) + 1 should do) */
302void
303dsl_dir_name(dsl_dir_t *dd, char *buf)
304{
305	if (dd->dd_parent) {
306		dsl_dir_name(dd->dd_parent, buf);
307		(void) strcat(buf, "/");
308	} else {
309		buf[0] = '\0';
310	}
311	if (!MUTEX_HELD(&dd->dd_lock)) {
312		/*
313		 * recursive mutex so that we can use
314		 * dprintf_dd() with dd_lock held
315		 */
316		mutex_enter(&dd->dd_lock);
317		(void) strcat(buf, dd->dd_myname);
318		mutex_exit(&dd->dd_lock);
319	} else {
320		(void) strcat(buf, dd->dd_myname);
321	}
322}
323
324/* Calculate name length, avoiding all the strcat calls of dsl_dir_name */
325int
326dsl_dir_namelen(dsl_dir_t *dd)
327{
328	int result = 0;
329
330	if (dd->dd_parent) {
331		/* parent's name + 1 for the "/" */
332		result = dsl_dir_namelen(dd->dd_parent) + 1;
333	}
334
335	if (!MUTEX_HELD(&dd->dd_lock)) {
336		/* see dsl_dir_name */
337		mutex_enter(&dd->dd_lock);
338		result += strlen(dd->dd_myname);
339		mutex_exit(&dd->dd_lock);
340	} else {
341		result += strlen(dd->dd_myname);
342	}
343
344	return (result);
345}
346
347static int
348getcomponent(const char *path, char *component, const char **nextp)
349{
350	char *p;
351
352	if ((path == NULL) || (path[0] == '\0'))
353		return (SET_ERROR(ENOENT));
354	/* This would be a good place to reserve some namespace... */
355	p = strpbrk(path, "/@");
356	if (p && (p[1] == '/' || p[1] == '@')) {
357		/* two separators in a row */
358		return (SET_ERROR(EINVAL));
359	}
360	if (p == NULL || p == path) {
361		/*
362		 * if the first thing is an @ or /, it had better be an
363		 * @ and it had better not have any more ats or slashes,
364		 * and it had better have something after the @.
365		 */
366		if (p != NULL &&
367		    (p[0] != '@' || strpbrk(path+1, "/@") || p[1] == '\0'))
368			return (SET_ERROR(EINVAL));
369		if (strlen(path) >= MAXNAMELEN)
370			return (SET_ERROR(ENAMETOOLONG));
371		(void) strcpy(component, path);
372		p = NULL;
373	} else if (p[0] == '/') {
374		if (p - path >= MAXNAMELEN)
375			return (SET_ERROR(ENAMETOOLONG));
376		(void) strncpy(component, path, p - path);
377		component[p - path] = '\0';
378		p++;
379	} else if (p[0] == '@') {
380		/*
381		 * if the next separator is an @, there better not be
382		 * any more slashes.
383		 */
384		if (strchr(path, '/'))
385			return (SET_ERROR(EINVAL));
386		if (p - path >= MAXNAMELEN)
387			return (SET_ERROR(ENAMETOOLONG));
388		(void) strncpy(component, path, p - path);
389		component[p - path] = '\0';
390	} else {
391		panic("invalid p=%p", (void *)p);
392	}
393	*nextp = p;
394	return (0);
395}
396
397/*
398 * Return the dsl_dir_t, and possibly the last component which couldn't
399 * be found in *tail.  The name must be in the specified dsl_pool_t.  This
400 * thread must hold the dp_config_rwlock for the pool.  Returns NULL if the
401 * path is bogus, or if tail==NULL and we couldn't parse the whole name.
402 * (*tail)[0] == '@' means that the last component is a snapshot.
403 */
404int
405dsl_dir_hold(dsl_pool_t *dp, const char *name, void *tag,
406    dsl_dir_t **ddp, const char **tailp)
407{
408	char buf[MAXNAMELEN];
409	const char *spaname, *next, *nextnext = NULL;
410	int err;
411	dsl_dir_t *dd;
412	uint64_t ddobj;
413
414	err = getcomponent(name, buf, &next);
415	if (err != 0)
416		return (err);
417
418	/* Make sure the name is in the specified pool. */
419	spaname = spa_name(dp->dp_spa);
420	if (strcmp(buf, spaname) != 0)
421		return (SET_ERROR(EXDEV));
422
423	ASSERT(dsl_pool_config_held(dp));
424
425	err = dsl_dir_hold_obj(dp, dp->dp_root_dir_obj, NULL, tag, &dd);
426	if (err != 0) {
427		return (err);
428	}
429
430	while (next != NULL) {
431		dsl_dir_t *child_dd;
432		err = getcomponent(next, buf, &nextnext);
433		if (err != 0)
434			break;
435		ASSERT(next[0] != '\0');
436		if (next[0] == '@')
437			break;
438		dprintf("looking up %s in obj%lld\n",
439		    buf, dsl_dir_phys(dd)->dd_child_dir_zapobj);
440
441		err = zap_lookup(dp->dp_meta_objset,
442		    dsl_dir_phys(dd)->dd_child_dir_zapobj,
443		    buf, sizeof (ddobj), 1, &ddobj);
444		if (err != 0) {
445			if (err == ENOENT)
446				err = 0;
447			break;
448		}
449
450		err = dsl_dir_hold_obj(dp, ddobj, buf, tag, &child_dd);
451		if (err != 0)
452			break;
453		dsl_dir_rele(dd, tag);
454		dd = child_dd;
455		next = nextnext;
456	}
457
458	if (err != 0) {
459		dsl_dir_rele(dd, tag);
460		return (err);
461	}
462
463	/*
464	 * It's an error if there's more than one component left, or
465	 * tailp==NULL and there's any component left.
466	 */
467	if (next != NULL &&
468	    (tailp == NULL || (nextnext && nextnext[0] != '\0'))) {
469		/* bad path name */
470		dsl_dir_rele(dd, tag);
471		dprintf("next=%p (%s) tail=%p\n", next, next?next:"", tailp);
472		err = SET_ERROR(ENOENT);
473	}
474	if (tailp != NULL)
475		*tailp = next;
476	*ddp = dd;
477	return (err);
478}
479
480/*
481 * If the counts are already initialized for this filesystem and its
482 * descendants then do nothing, otherwise initialize the counts.
483 *
484 * The counts on this filesystem, and those below, may be uninitialized due to
485 * either the use of a pre-existing pool which did not support the
486 * filesystem/snapshot limit feature, or one in which the feature had not yet
487 * been enabled.
488 *
489 * Recursively descend the filesystem tree and update the filesystem/snapshot
490 * counts on each filesystem below, then update the cumulative count on the
491 * current filesystem. If the filesystem already has a count set on it,
492 * then we know that its counts, and the counts on the filesystems below it,
493 * are already correct, so we don't have to update this filesystem.
494 */
495static void
496dsl_dir_init_fs_ss_count(dsl_dir_t *dd, dmu_tx_t *tx)
497{
498	uint64_t my_fs_cnt = 0;
499	uint64_t my_ss_cnt = 0;
500	dsl_pool_t *dp = dd->dd_pool;
501	objset_t *os = dp->dp_meta_objset;
502	zap_cursor_t *zc;
503	zap_attribute_t *za;
504	dsl_dataset_t *ds;
505
506	ASSERT(spa_feature_is_active(dp->dp_spa, SPA_FEATURE_FS_SS_LIMIT));
507	ASSERT(dsl_pool_config_held(dp));
508	ASSERT(dmu_tx_is_syncing(tx));
509
510	dsl_dir_zapify(dd, tx);
511
512	/*
513	 * If the filesystem count has already been initialized then we
514	 * don't need to recurse down any further.
515	 */
516	if (zap_contains(os, dd->dd_object, DD_FIELD_FILESYSTEM_COUNT) == 0)
517		return;
518
519	zc = kmem_alloc(sizeof (zap_cursor_t), KM_SLEEP);
520	za = kmem_alloc(sizeof (zap_attribute_t), KM_SLEEP);
521
522	/* Iterate my child dirs */
523	for (zap_cursor_init(zc, os, dsl_dir_phys(dd)->dd_child_dir_zapobj);
524	    zap_cursor_retrieve(zc, za) == 0; zap_cursor_advance(zc)) {
525		dsl_dir_t *chld_dd;
526		uint64_t count;
527
528		VERIFY0(dsl_dir_hold_obj(dp, za->za_first_integer, NULL, FTAG,
529		    &chld_dd));
530
531		/*
532		 * Ignore hidden ($FREE, $MOS & $ORIGIN) objsets and
533		 * temporary datasets.
534		 */
535		if (chld_dd->dd_myname[0] == '$' ||
536		    chld_dd->dd_myname[0] == '%') {
537			dsl_dir_rele(chld_dd, FTAG);
538			continue;
539		}
540
541		my_fs_cnt++;	/* count this child */
542
543		dsl_dir_init_fs_ss_count(chld_dd, tx);
544
545		VERIFY0(zap_lookup(os, chld_dd->dd_object,
546		    DD_FIELD_FILESYSTEM_COUNT, sizeof (count), 1, &count));
547		my_fs_cnt += count;
548		VERIFY0(zap_lookup(os, chld_dd->dd_object,
549		    DD_FIELD_SNAPSHOT_COUNT, sizeof (count), 1, &count));
550		my_ss_cnt += count;
551
552		dsl_dir_rele(chld_dd, FTAG);
553	}
554	zap_cursor_fini(zc);
555	/* Count my snapshots (we counted children's snapshots above) */
556	VERIFY0(dsl_dataset_hold_obj(dd->dd_pool,
557	    dsl_dir_phys(dd)->dd_head_dataset_obj, FTAG, &ds));
558
559	for (zap_cursor_init(zc, os, dsl_dataset_phys(ds)->ds_snapnames_zapobj);
560	    zap_cursor_retrieve(zc, za) == 0;
561	    zap_cursor_advance(zc)) {
562		/* Don't count temporary snapshots */
563		if (za->za_name[0] != '%')
564			my_ss_cnt++;
565	}
566	zap_cursor_fini(zc);
567
568	dsl_dataset_rele(ds, FTAG);
569
570	kmem_free(zc, sizeof (zap_cursor_t));
571	kmem_free(za, sizeof (zap_attribute_t));
572
573	/* we're in a sync task, update counts */
574	dmu_buf_will_dirty(dd->dd_dbuf, tx);
575	VERIFY0(zap_add(os, dd->dd_object, DD_FIELD_FILESYSTEM_COUNT,
576	    sizeof (my_fs_cnt), 1, &my_fs_cnt, tx));
577	VERIFY0(zap_add(os, dd->dd_object, DD_FIELD_SNAPSHOT_COUNT,
578	    sizeof (my_ss_cnt), 1, &my_ss_cnt, tx));
579}
580
581static int
582dsl_dir_actv_fs_ss_limit_check(void *arg, dmu_tx_t *tx)
583{
584	char *ddname = (char *)arg;
585	dsl_pool_t *dp = dmu_tx_pool(tx);
586	dsl_dataset_t *ds;
587	dsl_dir_t *dd;
588	int error;
589
590	error = dsl_dataset_hold(dp, ddname, FTAG, &ds);
591	if (error != 0)
592		return (error);
593
594	if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_FS_SS_LIMIT)) {
595		dsl_dataset_rele(ds, FTAG);
596		return (SET_ERROR(ENOTSUP));
597	}
598
599	dd = ds->ds_dir;
600	if (spa_feature_is_active(dp->dp_spa, SPA_FEATURE_FS_SS_LIMIT) &&
601	    dsl_dir_is_zapified(dd) &&
602	    zap_contains(dp->dp_meta_objset, dd->dd_object,
603	    DD_FIELD_FILESYSTEM_COUNT) == 0) {
604		dsl_dataset_rele(ds, FTAG);
605		return (SET_ERROR(EALREADY));
606	}
607
608	dsl_dataset_rele(ds, FTAG);
609	return (0);
610}
611
612static void
613dsl_dir_actv_fs_ss_limit_sync(void *arg, dmu_tx_t *tx)
614{
615	char *ddname = (char *)arg;
616	dsl_pool_t *dp = dmu_tx_pool(tx);
617	dsl_dataset_t *ds;
618	spa_t *spa;
619
620	VERIFY0(dsl_dataset_hold(dp, ddname, FTAG, &ds));
621
622	spa = dsl_dataset_get_spa(ds);
623
624	if (!spa_feature_is_active(spa, SPA_FEATURE_FS_SS_LIMIT)) {
625		/*
626		 * Since the feature was not active and we're now setting a
627		 * limit, increment the feature-active counter so that the
628		 * feature becomes active for the first time.
629		 *
630		 * We are already in a sync task so we can update the MOS.
631		 */
632		spa_feature_incr(spa, SPA_FEATURE_FS_SS_LIMIT, tx);
633	}
634
635	/*
636	 * Since we are now setting a non-UINT64_MAX limit on the filesystem,
637	 * we need to ensure the counts are correct. Descend down the tree from
638	 * this point and update all of the counts to be accurate.
639	 */
640	dsl_dir_init_fs_ss_count(ds->ds_dir, tx);
641
642	dsl_dataset_rele(ds, FTAG);
643}
644
645/*
646 * Make sure the feature is enabled and activate it if necessary.
647 * Since we're setting a limit, ensure the on-disk counts are valid.
648 * This is only called by the ioctl path when setting a limit value.
649 *
650 * We do not need to validate the new limit, since users who can change the
651 * limit are also allowed to exceed the limit.
652 */
653int
654dsl_dir_activate_fs_ss_limit(const char *ddname)
655{
656	int error;
657
658	error = dsl_sync_task(ddname, dsl_dir_actv_fs_ss_limit_check,
659	    dsl_dir_actv_fs_ss_limit_sync, (void *)ddname, 0,
660	    ZFS_SPACE_CHECK_RESERVED);
661
662	if (error == EALREADY)
663		error = 0;
664
665	return (error);
666}
667
668/*
669 * Used to determine if the filesystem_limit or snapshot_limit should be
670 * enforced. We allow the limit to be exceeded if the user has permission to
671 * write the property value. We pass in the creds that we got in the open
672 * context since we will always be the GZ root in syncing context. We also have
673 * to handle the case where we are allowed to change the limit on the current
674 * dataset, but there may be another limit in the tree above.
675 *
676 * We can never modify these two properties within a non-global zone. In
677 * addition, the other checks are modeled on zfs_secpolicy_write_perms. We
678 * can't use that function since we are already holding the dp_config_rwlock.
679 * In addition, we already have the dd and dealing with snapshots is simplified
680 * in this code.
681 */
682
683typedef enum {
684	ENFORCE_ALWAYS,
685	ENFORCE_NEVER,
686	ENFORCE_ABOVE
687} enforce_res_t;
688
689static enforce_res_t
690dsl_enforce_ds_ss_limits(dsl_dir_t *dd, zfs_prop_t prop, cred_t *cr)
691{
692	enforce_res_t enforce = ENFORCE_ALWAYS;
693	uint64_t obj;
694	dsl_dataset_t *ds;
695	uint64_t zoned;
696
697	ASSERT(prop == ZFS_PROP_FILESYSTEM_LIMIT ||
698	    prop == ZFS_PROP_SNAPSHOT_LIMIT);
699
700#ifdef _KERNEL
701	if (crgetzoneid(cr) != GLOBAL_ZONEID)
702		return (ENFORCE_ALWAYS);
703
704	if (secpolicy_zfs(cr) == 0)
705		return (ENFORCE_NEVER);
706#endif
707
708	if ((obj = dsl_dir_phys(dd)->dd_head_dataset_obj) == 0)
709		return (ENFORCE_ALWAYS);
710
711	ASSERT(dsl_pool_config_held(dd->dd_pool));
712
713	if (dsl_dataset_hold_obj(dd->dd_pool, obj, FTAG, &ds) != 0)
714		return (ENFORCE_ALWAYS);
715
716	if (dsl_prop_get_ds(ds, "zoned", 8, 1, &zoned, NULL) || zoned) {
717		/* Only root can access zoned fs's from the GZ */
718		enforce = ENFORCE_ALWAYS;
719	} else {
720		if (dsl_deleg_access_impl(ds, zfs_prop_to_name(prop), cr) == 0)
721			enforce = ENFORCE_ABOVE;
722	}
723
724	dsl_dataset_rele(ds, FTAG);
725	return (enforce);
726}
727
728/*
729 * Check if adding additional child filesystem(s) would exceed any filesystem
730 * limits or adding additional snapshot(s) would exceed any snapshot limits.
731 * The prop argument indicates which limit to check.
732 *
733 * Note that all filesystem limits up to the root (or the highest
734 * initialized) filesystem or the given ancestor must be satisfied.
735 */
736int
737dsl_fs_ss_limit_check(dsl_dir_t *dd, uint64_t delta, zfs_prop_t prop,
738    dsl_dir_t *ancestor, cred_t *cr)
739{
740	objset_t *os = dd->dd_pool->dp_meta_objset;
741	uint64_t limit, count;
742	char *count_prop;
743	enforce_res_t enforce;
744	int err = 0;
745
746	ASSERT(dsl_pool_config_held(dd->dd_pool));
747	ASSERT(prop == ZFS_PROP_FILESYSTEM_LIMIT ||
748	    prop == ZFS_PROP_SNAPSHOT_LIMIT);
749
750	/*
751	 * If we're allowed to change the limit, don't enforce the limit
752	 * e.g. this can happen if a snapshot is taken by an administrative
753	 * user in the global zone (i.e. a recursive snapshot by root).
754	 * However, we must handle the case of delegated permissions where we
755	 * are allowed to change the limit on the current dataset, but there
756	 * is another limit in the tree above.
757	 */
758	enforce = dsl_enforce_ds_ss_limits(dd, prop, cr);
759	if (enforce == ENFORCE_NEVER)
760		return (0);
761
762	/*
763	 * e.g. if renaming a dataset with no snapshots, count adjustment
764	 * is 0.
765	 */
766	if (delta == 0)
767		return (0);
768
769	if (prop == ZFS_PROP_SNAPSHOT_LIMIT) {
770		/*
771		 * We don't enforce the limit for temporary snapshots. This is
772		 * indicated by a NULL cred_t argument.
773		 */
774		if (cr == NULL)
775			return (0);
776
777		count_prop = DD_FIELD_SNAPSHOT_COUNT;
778	} else {
779		count_prop = DD_FIELD_FILESYSTEM_COUNT;
780	}
781
782	/*
783	 * If an ancestor has been provided, stop checking the limit once we
784	 * hit that dir. We need this during rename so that we don't overcount
785	 * the check once we recurse up to the common ancestor.
786	 */
787	if (ancestor == dd)
788		return (0);
789
790	/*
791	 * If we hit an uninitialized node while recursing up the tree, we can
792	 * stop since we know there is no limit here (or above). The counts are
793	 * not valid on this node and we know we won't touch this node's counts.
794	 */
795	if (!dsl_dir_is_zapified(dd) || zap_lookup(os, dd->dd_object,
796	    count_prop, sizeof (count), 1, &count) == ENOENT)
797		return (0);
798
799	err = dsl_prop_get_dd(dd, zfs_prop_to_name(prop), 8, 1, &limit, NULL,
800	    B_FALSE);
801	if (err != 0)
802		return (err);
803
804	/* Is there a limit which we've hit? */
805	if (enforce == ENFORCE_ALWAYS && (count + delta) > limit)
806		return (SET_ERROR(EDQUOT));
807
808	if (dd->dd_parent != NULL)
809		err = dsl_fs_ss_limit_check(dd->dd_parent, delta, prop,
810		    ancestor, cr);
811
812	return (err);
813}
814
815/*
816 * Adjust the filesystem or snapshot count for the specified dsl_dir_t and all
817 * parents. When a new filesystem/snapshot is created, increment the count on
818 * all parents, and when a filesystem/snapshot is destroyed, decrement the
819 * count.
820 */
821void
822dsl_fs_ss_count_adjust(dsl_dir_t *dd, int64_t delta, const char *prop,
823    dmu_tx_t *tx)
824{
825	int err;
826	objset_t *os = dd->dd_pool->dp_meta_objset;
827	uint64_t count;
828
829	ASSERT(dsl_pool_config_held(dd->dd_pool));
830	ASSERT(dmu_tx_is_syncing(tx));
831	ASSERT(strcmp(prop, DD_FIELD_FILESYSTEM_COUNT) == 0 ||
832	    strcmp(prop, DD_FIELD_SNAPSHOT_COUNT) == 0);
833
834	/*
835	 * When we receive an incremental stream into a filesystem that already
836	 * exists, a temporary clone is created.  We don't count this temporary
837	 * clone, whose name begins with a '%'. We also ignore hidden ($FREE,
838	 * $MOS & $ORIGIN) objsets.
839	 */
840	if ((dd->dd_myname[0] == '%' || dd->dd_myname[0] == '$') &&
841	    strcmp(prop, DD_FIELD_FILESYSTEM_COUNT) == 0)
842		return;
843
844	/*
845	 * e.g. if renaming a dataset with no snapshots, count adjustment is 0
846	 */
847	if (delta == 0)
848		return;
849
850	/*
851	 * If we hit an uninitialized node while recursing up the tree, we can
852	 * stop since we know the counts are not valid on this node and we
853	 * know we shouldn't touch this node's counts. An uninitialized count
854	 * on the node indicates that either the feature has not yet been
855	 * activated or there are no limits on this part of the tree.
856	 */
857	if (!dsl_dir_is_zapified(dd) || (err = zap_lookup(os, dd->dd_object,
858	    prop, sizeof (count), 1, &count)) == ENOENT)
859		return;
860	VERIFY0(err);
861
862	count += delta;
863	/* Use a signed verify to make sure we're not neg. */
864	VERIFY3S(count, >=, 0);
865
866	VERIFY0(zap_update(os, dd->dd_object, prop, sizeof (count), 1, &count,
867	    tx));
868
869	/* Roll up this additional count into our ancestors */
870	if (dd->dd_parent != NULL)
871		dsl_fs_ss_count_adjust(dd->dd_parent, delta, prop, tx);
872}
873
874uint64_t
875dsl_dir_create_sync(dsl_pool_t *dp, dsl_dir_t *pds, const char *name,
876    dmu_tx_t *tx)
877{
878	objset_t *mos = dp->dp_meta_objset;
879	uint64_t ddobj;
880	dsl_dir_phys_t *ddphys;
881	dmu_buf_t *dbuf;
882
883	ddobj = dmu_object_alloc(mos, DMU_OT_DSL_DIR, 0,
884	    DMU_OT_DSL_DIR, sizeof (dsl_dir_phys_t), tx);
885	if (pds) {
886		VERIFY(0 == zap_add(mos, dsl_dir_phys(pds)->dd_child_dir_zapobj,
887		    name, sizeof (uint64_t), 1, &ddobj, tx));
888	} else {
889		/* it's the root dir */
890		VERIFY(0 == zap_add(mos, DMU_POOL_DIRECTORY_OBJECT,
891		    DMU_POOL_ROOT_DATASET, sizeof (uint64_t), 1, &ddobj, tx));
892	}
893	VERIFY(0 == dmu_bonus_hold(mos, ddobj, FTAG, &dbuf));
894	dmu_buf_will_dirty(dbuf, tx);
895	ddphys = dbuf->db_data;
896
897	ddphys->dd_creation_time = gethrestime_sec();
898	if (pds) {
899		ddphys->dd_parent_obj = pds->dd_object;
900
901		/* update the filesystem counts */
902		dsl_fs_ss_count_adjust(pds, 1, DD_FIELD_FILESYSTEM_COUNT, tx);
903	}
904	ddphys->dd_props_zapobj = zap_create(mos,
905	    DMU_OT_DSL_PROPS, DMU_OT_NONE, 0, tx);
906	ddphys->dd_child_dir_zapobj = zap_create(mos,
907	    DMU_OT_DSL_DIR_CHILD_MAP, DMU_OT_NONE, 0, tx);
908	if (spa_version(dp->dp_spa) >= SPA_VERSION_USED_BREAKDOWN)
909		ddphys->dd_flags |= DD_FLAG_USED_BREAKDOWN;
910	dmu_buf_rele(dbuf, FTAG);
911
912	return (ddobj);
913}
914
915boolean_t
916dsl_dir_is_clone(dsl_dir_t *dd)
917{
918	return (dsl_dir_phys(dd)->dd_origin_obj &&
919	    (dd->dd_pool->dp_origin_snap == NULL ||
920	    dsl_dir_phys(dd)->dd_origin_obj !=
921	    dd->dd_pool->dp_origin_snap->ds_object));
922}
923
924void
925dsl_dir_stats(dsl_dir_t *dd, nvlist_t *nv)
926{
927	mutex_enter(&dd->dd_lock);
928	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USED,
929	    dsl_dir_phys(dd)->dd_used_bytes);
930	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_QUOTA,
931	    dsl_dir_phys(dd)->dd_quota);
932	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_RESERVATION,
933	    dsl_dir_phys(dd)->dd_reserved);
934	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_COMPRESSRATIO,
935	    dsl_dir_phys(dd)->dd_compressed_bytes == 0 ? 100 :
936	    (dsl_dir_phys(dd)->dd_uncompressed_bytes * 100 /
937	    dsl_dir_phys(dd)->dd_compressed_bytes));
938	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_LOGICALUSED,
939	    dsl_dir_phys(dd)->dd_uncompressed_bytes);
940	if (dsl_dir_phys(dd)->dd_flags & DD_FLAG_USED_BREAKDOWN) {
941		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDSNAP,
942		    dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_SNAP]);
943		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDDS,
944		    dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_HEAD]);
945		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDREFRESERV,
946		    dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_REFRSRV]);
947		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDCHILD,
948		    dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_CHILD] +
949		    dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_CHILD_RSRV]);
950	}
951	mutex_exit(&dd->dd_lock);
952
953	if (dsl_dir_is_zapified(dd)) {
954		uint64_t count;
955		objset_t *os = dd->dd_pool->dp_meta_objset;
956
957		if (zap_lookup(os, dd->dd_object, DD_FIELD_FILESYSTEM_COUNT,
958		    sizeof (count), 1, &count) == 0) {
959			dsl_prop_nvlist_add_uint64(nv,
960			    ZFS_PROP_FILESYSTEM_COUNT, count);
961		}
962		if (zap_lookup(os, dd->dd_object, DD_FIELD_SNAPSHOT_COUNT,
963		    sizeof (count), 1, &count) == 0) {
964			dsl_prop_nvlist_add_uint64(nv,
965			    ZFS_PROP_SNAPSHOT_COUNT, count);
966		}
967	}
968
969	if (dsl_dir_is_clone(dd)) {
970		dsl_dataset_t *ds;
971		char buf[MAXNAMELEN];
972
973		VERIFY0(dsl_dataset_hold_obj(dd->dd_pool,
974		    dsl_dir_phys(dd)->dd_origin_obj, FTAG, &ds));
975		dsl_dataset_name(ds, buf);
976		dsl_dataset_rele(ds, FTAG);
977		dsl_prop_nvlist_add_string(nv, ZFS_PROP_ORIGIN, buf);
978	}
979}
980
981void
982dsl_dir_dirty(dsl_dir_t *dd, dmu_tx_t *tx)
983{
984	dsl_pool_t *dp = dd->dd_pool;
985
986	ASSERT(dsl_dir_phys(dd));
987
988	if (txg_list_add(&dp->dp_dirty_dirs, dd, tx->tx_txg)) {
989		/* up the hold count until we can be written out */
990		dmu_buf_add_ref(dd->dd_dbuf, dd);
991	}
992}
993
994static int64_t
995parent_delta(dsl_dir_t *dd, uint64_t used, int64_t delta)
996{
997	uint64_t old_accounted = MAX(used, dsl_dir_phys(dd)->dd_reserved);
998	uint64_t new_accounted =
999	    MAX(used + delta, dsl_dir_phys(dd)->dd_reserved);
1000	return (new_accounted - old_accounted);
1001}
1002
1003void
1004dsl_dir_sync(dsl_dir_t *dd, dmu_tx_t *tx)
1005{
1006	ASSERT(dmu_tx_is_syncing(tx));
1007
1008	mutex_enter(&dd->dd_lock);
1009	ASSERT0(dd->dd_tempreserved[tx->tx_txg&TXG_MASK]);
1010	dprintf_dd(dd, "txg=%llu towrite=%lluK\n", tx->tx_txg,
1011	    dd->dd_space_towrite[tx->tx_txg&TXG_MASK] / 1024);
1012	dd->dd_space_towrite[tx->tx_txg&TXG_MASK] = 0;
1013	mutex_exit(&dd->dd_lock);
1014
1015	/* release the hold from dsl_dir_dirty */
1016	dmu_buf_rele(dd->dd_dbuf, dd);
1017}
1018
1019static uint64_t
1020dsl_dir_space_towrite(dsl_dir_t *dd)
1021{
1022	uint64_t space = 0;
1023	int i;
1024
1025	ASSERT(MUTEX_HELD(&dd->dd_lock));
1026
1027	for (i = 0; i < TXG_SIZE; i++) {
1028		space += dd->dd_space_towrite[i&TXG_MASK];
1029		ASSERT3U(dd->dd_space_towrite[i&TXG_MASK], >=, 0);
1030	}
1031	return (space);
1032}
1033
1034/*
1035 * How much space would dd have available if ancestor had delta applied
1036 * to it?  If ondiskonly is set, we're only interested in what's
1037 * on-disk, not estimated pending changes.
1038 */
1039uint64_t
1040dsl_dir_space_available(dsl_dir_t *dd,
1041    dsl_dir_t *ancestor, int64_t delta, int ondiskonly)
1042{
1043	uint64_t parentspace, myspace, quota, used;
1044
1045	/*
1046	 * If there are no restrictions otherwise, assume we have
1047	 * unlimited space available.
1048	 */
1049	quota = UINT64_MAX;
1050	parentspace = UINT64_MAX;
1051
1052	if (dd->dd_parent != NULL) {
1053		parentspace = dsl_dir_space_available(dd->dd_parent,
1054		    ancestor, delta, ondiskonly);
1055	}
1056
1057	mutex_enter(&dd->dd_lock);
1058	if (dsl_dir_phys(dd)->dd_quota != 0)
1059		quota = dsl_dir_phys(dd)->dd_quota;
1060	used = dsl_dir_phys(dd)->dd_used_bytes;
1061	if (!ondiskonly)
1062		used += dsl_dir_space_towrite(dd);
1063
1064	if (dd->dd_parent == NULL) {
1065		uint64_t poolsize = dsl_pool_adjustedsize(dd->dd_pool, FALSE);
1066		quota = MIN(quota, poolsize);
1067	}
1068
1069	if (dsl_dir_phys(dd)->dd_reserved > used && parentspace != UINT64_MAX) {
1070		/*
1071		 * We have some space reserved, in addition to what our
1072		 * parent gave us.
1073		 */
1074		parentspace += dsl_dir_phys(dd)->dd_reserved - used;
1075	}
1076
1077	if (dd == ancestor) {
1078		ASSERT(delta <= 0);
1079		ASSERT(used >= -delta);
1080		used += delta;
1081		if (parentspace != UINT64_MAX)
1082			parentspace -= delta;
1083	}
1084
1085	if (used > quota) {
1086		/* over quota */
1087		myspace = 0;
1088	} else {
1089		/*
1090		 * the lesser of the space provided by our parent and
1091		 * the space left in our quota
1092		 */
1093		myspace = MIN(parentspace, quota - used);
1094	}
1095
1096	mutex_exit(&dd->dd_lock);
1097
1098	return (myspace);
1099}
1100
1101struct tempreserve {
1102	list_node_t tr_node;
1103	dsl_dir_t *tr_ds;
1104	uint64_t tr_size;
1105};
1106
1107static int
1108dsl_dir_tempreserve_impl(dsl_dir_t *dd, uint64_t asize, boolean_t netfree,
1109    boolean_t ignorequota, boolean_t checkrefquota, list_t *tr_list,
1110    dmu_tx_t *tx, boolean_t first)
1111{
1112	uint64_t txg = tx->tx_txg;
1113	uint64_t est_inflight, used_on_disk, quota, parent_rsrv;
1114	uint64_t deferred = 0;
1115	struct tempreserve *tr;
1116	int retval = EDQUOT;
1117	int txgidx = txg & TXG_MASK;
1118	int i;
1119	uint64_t ref_rsrv = 0;
1120
1121	ASSERT3U(txg, !=, 0);
1122	ASSERT3S(asize, >, 0);
1123
1124	mutex_enter(&dd->dd_lock);
1125
1126	/*
1127	 * Check against the dsl_dir's quota.  We don't add in the delta
1128	 * when checking for over-quota because they get one free hit.
1129	 */
1130	est_inflight = dsl_dir_space_towrite(dd);
1131	for (i = 0; i < TXG_SIZE; i++)
1132		est_inflight += dd->dd_tempreserved[i];
1133	used_on_disk = dsl_dir_phys(dd)->dd_used_bytes;
1134
1135	/*
1136	 * On the first iteration, fetch the dataset's used-on-disk and
1137	 * refreservation values. Also, if checkrefquota is set, test if
1138	 * allocating this space would exceed the dataset's refquota.
1139	 */
1140	if (first && tx->tx_objset) {
1141		int error;
1142		dsl_dataset_t *ds = tx->tx_objset->os_dsl_dataset;
1143
1144		error = dsl_dataset_check_quota(ds, checkrefquota,
1145		    asize, est_inflight, &used_on_disk, &ref_rsrv);
1146		if (error) {
1147			mutex_exit(&dd->dd_lock);
1148			return (error);
1149		}
1150	}
1151
1152	/*
1153	 * If this transaction will result in a net free of space,
1154	 * we want to let it through.
1155	 */
1156	if (ignorequota || netfree || dsl_dir_phys(dd)->dd_quota == 0)
1157		quota = UINT64_MAX;
1158	else
1159		quota = dsl_dir_phys(dd)->dd_quota;
1160
1161	/*
1162	 * Adjust the quota against the actual pool size at the root
1163	 * minus any outstanding deferred frees.
1164	 * To ensure that it's possible to remove files from a full
1165	 * pool without inducing transient overcommits, we throttle
1166	 * netfree transactions against a quota that is slightly larger,
1167	 * but still within the pool's allocation slop.  In cases where
1168	 * we're very close to full, this will allow a steady trickle of
1169	 * removes to get through.
1170	 */
1171	if (dd->dd_parent == NULL) {
1172		spa_t *spa = dd->dd_pool->dp_spa;
1173		uint64_t poolsize = dsl_pool_adjustedsize(dd->dd_pool, netfree);
1174		deferred = metaslab_class_get_deferred(spa_normal_class(spa));
1175		if (poolsize - deferred < quota) {
1176			quota = poolsize - deferred;
1177			retval = ENOSPC;
1178		}
1179	}
1180
1181	/*
1182	 * If they are requesting more space, and our current estimate
1183	 * is over quota, they get to try again unless the actual
1184	 * on-disk is over quota and there are no pending changes (which
1185	 * may free up space for us).
1186	 */
1187	if (used_on_disk + est_inflight >= quota) {
1188		if (est_inflight > 0 || used_on_disk < quota ||
1189		    (retval == ENOSPC && used_on_disk < quota + deferred))
1190			retval = ERESTART;
1191		dprintf_dd(dd, "failing: used=%lluK inflight = %lluK "
1192		    "quota=%lluK tr=%lluK err=%d\n",
1193		    used_on_disk>>10, est_inflight>>10,
1194		    quota>>10, asize>>10, retval);
1195		mutex_exit(&dd->dd_lock);
1196		return (SET_ERROR(retval));
1197	}
1198
1199	/* We need to up our estimated delta before dropping dd_lock */
1200	dd->dd_tempreserved[txgidx] += asize;
1201
1202	parent_rsrv = parent_delta(dd, used_on_disk + est_inflight,
1203	    asize - ref_rsrv);
1204	mutex_exit(&dd->dd_lock);
1205
1206	tr = kmem_zalloc(sizeof (struct tempreserve), KM_SLEEP);
1207	tr->tr_ds = dd;
1208	tr->tr_size = asize;
1209	list_insert_tail(tr_list, tr);
1210
1211	/* see if it's OK with our parent */
1212	if (dd->dd_parent && parent_rsrv) {
1213		boolean_t ismos = (dsl_dir_phys(dd)->dd_head_dataset_obj == 0);
1214
1215		return (dsl_dir_tempreserve_impl(dd->dd_parent,
1216		    parent_rsrv, netfree, ismos, TRUE, tr_list, tx, FALSE));
1217	} else {
1218		return (0);
1219	}
1220}
1221
1222/*
1223 * Reserve space in this dsl_dir, to be used in this tx's txg.
1224 * After the space has been dirtied (and dsl_dir_willuse_space()
1225 * has been called), the reservation should be canceled, using
1226 * dsl_dir_tempreserve_clear().
1227 */
1228int
1229dsl_dir_tempreserve_space(dsl_dir_t *dd, uint64_t lsize, uint64_t asize,
1230    uint64_t fsize, uint64_t usize, void **tr_cookiep, dmu_tx_t *tx)
1231{
1232	int err;
1233	list_t *tr_list;
1234
1235	if (asize == 0) {
1236		*tr_cookiep = NULL;
1237		return (0);
1238	}
1239
1240	tr_list = kmem_alloc(sizeof (list_t), KM_SLEEP);
1241	list_create(tr_list, sizeof (struct tempreserve),
1242	    offsetof(struct tempreserve, tr_node));
1243	ASSERT3S(asize, >, 0);
1244	ASSERT3S(fsize, >=, 0);
1245
1246	err = arc_tempreserve_space(lsize, tx->tx_txg);
1247	if (err == 0) {
1248		struct tempreserve *tr;
1249
1250		tr = kmem_zalloc(sizeof (struct tempreserve), KM_SLEEP);
1251		tr->tr_size = lsize;
1252		list_insert_tail(tr_list, tr);
1253	} else {
1254		if (err == EAGAIN) {
1255			/*
1256			 * If arc_memory_throttle() detected that pageout
1257			 * is running and we are low on memory, we delay new
1258			 * non-pageout transactions to give pageout an
1259			 * advantage.
1260			 *
1261			 * It is unfortunate to be delaying while the caller's
1262			 * locks are held.
1263			 */
1264			txg_delay(dd->dd_pool, tx->tx_txg,
1265			    MSEC2NSEC(10), MSEC2NSEC(10));
1266			err = SET_ERROR(ERESTART);
1267		}
1268	}
1269
1270	if (err == 0) {
1271		err = dsl_dir_tempreserve_impl(dd, asize, fsize >= asize,
1272		    FALSE, asize > usize, tr_list, tx, TRUE);
1273	}
1274
1275	if (err != 0)
1276		dsl_dir_tempreserve_clear(tr_list, tx);
1277	else
1278		*tr_cookiep = tr_list;
1279
1280	return (err);
1281}
1282
1283/*
1284 * Clear a temporary reservation that we previously made with
1285 * dsl_dir_tempreserve_space().
1286 */
1287void
1288dsl_dir_tempreserve_clear(void *tr_cookie, dmu_tx_t *tx)
1289{
1290	int txgidx = tx->tx_txg & TXG_MASK;
1291	list_t *tr_list = tr_cookie;
1292	struct tempreserve *tr;
1293
1294	ASSERT3U(tx->tx_txg, !=, 0);
1295
1296	if (tr_cookie == NULL)
1297		return;
1298
1299	while ((tr = list_head(tr_list)) != NULL) {
1300		if (tr->tr_ds) {
1301			mutex_enter(&tr->tr_ds->dd_lock);
1302			ASSERT3U(tr->tr_ds->dd_tempreserved[txgidx], >=,
1303			    tr->tr_size);
1304			tr->tr_ds->dd_tempreserved[txgidx] -= tr->tr_size;
1305			mutex_exit(&tr->tr_ds->dd_lock);
1306		} else {
1307			arc_tempreserve_clear(tr->tr_size);
1308		}
1309		list_remove(tr_list, tr);
1310		kmem_free(tr, sizeof (struct tempreserve));
1311	}
1312
1313	kmem_free(tr_list, sizeof (list_t));
1314}
1315
1316/*
1317 * This should be called from open context when we think we're going to write
1318 * or free space, for example when dirtying data. Be conservative; it's okay
1319 * to write less space or free more, but we don't want to write more or free
1320 * less than the amount specified.
1321 */
1322void
1323dsl_dir_willuse_space(dsl_dir_t *dd, int64_t space, dmu_tx_t *tx)
1324{
1325	int64_t parent_space;
1326	uint64_t est_used;
1327
1328	mutex_enter(&dd->dd_lock);
1329	if (space > 0)
1330		dd->dd_space_towrite[tx->tx_txg & TXG_MASK] += space;
1331
1332	est_used = dsl_dir_space_towrite(dd) + dsl_dir_phys(dd)->dd_used_bytes;
1333	parent_space = parent_delta(dd, est_used, space);
1334	mutex_exit(&dd->dd_lock);
1335
1336	/* Make sure that we clean up dd_space_to* */
1337	dsl_dir_dirty(dd, tx);
1338
1339	/* XXX this is potentially expensive and unnecessary... */
1340	if (parent_space && dd->dd_parent)
1341		dsl_dir_willuse_space(dd->dd_parent, parent_space, tx);
1342}
1343
1344/* call from syncing context when we actually write/free space for this dd */
1345void
1346dsl_dir_diduse_space(dsl_dir_t *dd, dd_used_t type,
1347    int64_t used, int64_t compressed, int64_t uncompressed, dmu_tx_t *tx)
1348{
1349	int64_t accounted_delta;
1350
1351	/*
1352	 * dsl_dataset_set_refreservation_sync_impl() calls this with
1353	 * dd_lock held, so that it can atomically update
1354	 * ds->ds_reserved and the dsl_dir accounting, so that
1355	 * dsl_dataset_check_quota() can see dataset and dir accounting
1356	 * consistently.
1357	 */
1358	boolean_t needlock = !MUTEX_HELD(&dd->dd_lock);
1359
1360	ASSERT(dmu_tx_is_syncing(tx));
1361	ASSERT(type < DD_USED_NUM);
1362
1363	dmu_buf_will_dirty(dd->dd_dbuf, tx);
1364
1365	if (needlock)
1366		mutex_enter(&dd->dd_lock);
1367	accounted_delta =
1368	    parent_delta(dd, dsl_dir_phys(dd)->dd_used_bytes, used);
1369	ASSERT(used >= 0 || dsl_dir_phys(dd)->dd_used_bytes >= -used);
1370	ASSERT(compressed >= 0 ||
1371	    dsl_dir_phys(dd)->dd_compressed_bytes >= -compressed);
1372	ASSERT(uncompressed >= 0 ||
1373	    dsl_dir_phys(dd)->dd_uncompressed_bytes >= -uncompressed);
1374	dsl_dir_phys(dd)->dd_used_bytes += used;
1375	dsl_dir_phys(dd)->dd_uncompressed_bytes += uncompressed;
1376	dsl_dir_phys(dd)->dd_compressed_bytes += compressed;
1377
1378	if (dsl_dir_phys(dd)->dd_flags & DD_FLAG_USED_BREAKDOWN) {
1379		ASSERT(used > 0 ||
1380		    dsl_dir_phys(dd)->dd_used_breakdown[type] >= -used);
1381		dsl_dir_phys(dd)->dd_used_breakdown[type] += used;
1382#ifdef DEBUG
1383		dd_used_t t;
1384		uint64_t u = 0;
1385		for (t = 0; t < DD_USED_NUM; t++)
1386			u += dsl_dir_phys(dd)->dd_used_breakdown[t];
1387		ASSERT3U(u, ==, dsl_dir_phys(dd)->dd_used_bytes);
1388#endif
1389	}
1390	if (needlock)
1391		mutex_exit(&dd->dd_lock);
1392
1393	if (dd->dd_parent != NULL) {
1394		dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD,
1395		    accounted_delta, compressed, uncompressed, tx);
1396		dsl_dir_transfer_space(dd->dd_parent,
1397		    used - accounted_delta,
1398		    DD_USED_CHILD_RSRV, DD_USED_CHILD, tx);
1399	}
1400}
1401
1402void
1403dsl_dir_transfer_space(dsl_dir_t *dd, int64_t delta,
1404    dd_used_t oldtype, dd_used_t newtype, dmu_tx_t *tx)
1405{
1406	ASSERT(dmu_tx_is_syncing(tx));
1407	ASSERT(oldtype < DD_USED_NUM);
1408	ASSERT(newtype < DD_USED_NUM);
1409
1410	if (delta == 0 ||
1411	    !(dsl_dir_phys(dd)->dd_flags & DD_FLAG_USED_BREAKDOWN))
1412		return;
1413
1414	dmu_buf_will_dirty(dd->dd_dbuf, tx);
1415	mutex_enter(&dd->dd_lock);
1416	ASSERT(delta > 0 ?
1417	    dsl_dir_phys(dd)->dd_used_breakdown[oldtype] >= delta :
1418	    dsl_dir_phys(dd)->dd_used_breakdown[newtype] >= -delta);
1419	ASSERT(dsl_dir_phys(dd)->dd_used_bytes >= ABS(delta));
1420	dsl_dir_phys(dd)->dd_used_breakdown[oldtype] -= delta;
1421	dsl_dir_phys(dd)->dd_used_breakdown[newtype] += delta;
1422	mutex_exit(&dd->dd_lock);
1423}
1424
1425typedef struct dsl_dir_set_qr_arg {
1426	const char *ddsqra_name;
1427	zprop_source_t ddsqra_source;
1428	uint64_t ddsqra_value;
1429} dsl_dir_set_qr_arg_t;
1430
1431static int
1432dsl_dir_set_quota_check(void *arg, dmu_tx_t *tx)
1433{
1434	dsl_dir_set_qr_arg_t *ddsqra = arg;
1435	dsl_pool_t *dp = dmu_tx_pool(tx);
1436	dsl_dataset_t *ds;
1437	int error;
1438	uint64_t towrite, newval;
1439
1440	error = dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds);
1441	if (error != 0)
1442		return (error);
1443
1444	error = dsl_prop_predict(ds->ds_dir, "quota",
1445	    ddsqra->ddsqra_source, ddsqra->ddsqra_value, &newval);
1446	if (error != 0) {
1447		dsl_dataset_rele(ds, FTAG);
1448		return (error);
1449	}
1450
1451	if (newval == 0) {
1452		dsl_dataset_rele(ds, FTAG);
1453		return (0);
1454	}
1455
1456	mutex_enter(&ds->ds_dir->dd_lock);
1457	/*
1458	 * If we are doing the preliminary check in open context, and
1459	 * there are pending changes, then don't fail it, since the
1460	 * pending changes could under-estimate the amount of space to be
1461	 * freed up.
1462	 */
1463	towrite = dsl_dir_space_towrite(ds->ds_dir);
1464	if ((dmu_tx_is_syncing(tx) || towrite == 0) &&
1465	    (newval < dsl_dir_phys(ds->ds_dir)->dd_reserved ||
1466	    newval < dsl_dir_phys(ds->ds_dir)->dd_used_bytes + towrite)) {
1467		error = SET_ERROR(ENOSPC);
1468	}
1469	mutex_exit(&ds->ds_dir->dd_lock);
1470	dsl_dataset_rele(ds, FTAG);
1471	return (error);
1472}
1473
1474static void
1475dsl_dir_set_quota_sync(void *arg, dmu_tx_t *tx)
1476{
1477	dsl_dir_set_qr_arg_t *ddsqra = arg;
1478	dsl_pool_t *dp = dmu_tx_pool(tx);
1479	dsl_dataset_t *ds;
1480	uint64_t newval;
1481
1482	VERIFY0(dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds));
1483
1484	if (spa_version(dp->dp_spa) >= SPA_VERSION_RECVD_PROPS) {
1485		dsl_prop_set_sync_impl(ds, zfs_prop_to_name(ZFS_PROP_QUOTA),
1486		    ddsqra->ddsqra_source, sizeof (ddsqra->ddsqra_value), 1,
1487		    &ddsqra->ddsqra_value, tx);
1488
1489		VERIFY0(dsl_prop_get_int_ds(ds,
1490		    zfs_prop_to_name(ZFS_PROP_QUOTA), &newval));
1491	} else {
1492		newval = ddsqra->ddsqra_value;
1493		spa_history_log_internal_ds(ds, "set", tx, "%s=%lld",
1494		    zfs_prop_to_name(ZFS_PROP_QUOTA), (longlong_t)newval);
1495	}
1496
1497	dmu_buf_will_dirty(ds->ds_dir->dd_dbuf, tx);
1498	mutex_enter(&ds->ds_dir->dd_lock);
1499	dsl_dir_phys(ds->ds_dir)->dd_quota = newval;
1500	mutex_exit(&ds->ds_dir->dd_lock);
1501	dsl_dataset_rele(ds, FTAG);
1502}
1503
1504int
1505dsl_dir_set_quota(const char *ddname, zprop_source_t source, uint64_t quota)
1506{
1507	dsl_dir_set_qr_arg_t ddsqra;
1508
1509	ddsqra.ddsqra_name = ddname;
1510	ddsqra.ddsqra_source = source;
1511	ddsqra.ddsqra_value = quota;
1512
1513	return (dsl_sync_task(ddname, dsl_dir_set_quota_check,
1514	    dsl_dir_set_quota_sync, &ddsqra, 0, ZFS_SPACE_CHECK_NONE));
1515}
1516
1517int
1518dsl_dir_set_reservation_check(void *arg, dmu_tx_t *tx)
1519{
1520	dsl_dir_set_qr_arg_t *ddsqra = arg;
1521	dsl_pool_t *dp = dmu_tx_pool(tx);
1522	dsl_dataset_t *ds;
1523	dsl_dir_t *dd;
1524	uint64_t newval, used, avail;
1525	int error;
1526
1527	error = dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds);
1528	if (error != 0)
1529		return (error);
1530	dd = ds->ds_dir;
1531
1532	/*
1533	 * If we are doing the preliminary check in open context, the
1534	 * space estimates may be inaccurate.
1535	 */
1536	if (!dmu_tx_is_syncing(tx)) {
1537		dsl_dataset_rele(ds, FTAG);
1538		return (0);
1539	}
1540
1541	error = dsl_prop_predict(ds->ds_dir,
1542	    zfs_prop_to_name(ZFS_PROP_RESERVATION),
1543	    ddsqra->ddsqra_source, ddsqra->ddsqra_value, &newval);
1544	if (error != 0) {
1545		dsl_dataset_rele(ds, FTAG);
1546		return (error);
1547	}
1548
1549	mutex_enter(&dd->dd_lock);
1550	used = dsl_dir_phys(dd)->dd_used_bytes;
1551	mutex_exit(&dd->dd_lock);
1552
1553	if (dd->dd_parent) {
1554		avail = dsl_dir_space_available(dd->dd_parent,
1555		    NULL, 0, FALSE);
1556	} else {
1557		avail = dsl_pool_adjustedsize(dd->dd_pool, B_FALSE) - used;
1558	}
1559
1560	if (MAX(used, newval) > MAX(used, dsl_dir_phys(dd)->dd_reserved)) {
1561		uint64_t delta = MAX(used, newval) -
1562		    MAX(used, dsl_dir_phys(dd)->dd_reserved);
1563
1564		if (delta > avail ||
1565		    (dsl_dir_phys(dd)->dd_quota > 0 &&
1566		    newval > dsl_dir_phys(dd)->dd_quota))
1567			error = SET_ERROR(ENOSPC);
1568	}
1569
1570	dsl_dataset_rele(ds, FTAG);
1571	return (error);
1572}
1573
1574void
1575dsl_dir_set_reservation_sync_impl(dsl_dir_t *dd, uint64_t value, dmu_tx_t *tx)
1576{
1577	uint64_t used;
1578	int64_t delta;
1579
1580	dmu_buf_will_dirty(dd->dd_dbuf, tx);
1581
1582	mutex_enter(&dd->dd_lock);
1583	used = dsl_dir_phys(dd)->dd_used_bytes;
1584	delta = MAX(used, value) - MAX(used, dsl_dir_phys(dd)->dd_reserved);
1585	dsl_dir_phys(dd)->dd_reserved = value;
1586
1587	if (dd->dd_parent != NULL) {
1588		/* Roll up this additional usage into our ancestors */
1589		dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD_RSRV,
1590		    delta, 0, 0, tx);
1591	}
1592	mutex_exit(&dd->dd_lock);
1593}
1594
1595
1596static void
1597dsl_dir_set_reservation_sync(void *arg, dmu_tx_t *tx)
1598{
1599	dsl_dir_set_qr_arg_t *ddsqra = arg;
1600	dsl_pool_t *dp = dmu_tx_pool(tx);
1601	dsl_dataset_t *ds;
1602	uint64_t newval;
1603
1604	VERIFY0(dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds));
1605
1606	if (spa_version(dp->dp_spa) >= SPA_VERSION_RECVD_PROPS) {
1607		dsl_prop_set_sync_impl(ds,
1608		    zfs_prop_to_name(ZFS_PROP_RESERVATION),
1609		    ddsqra->ddsqra_source, sizeof (ddsqra->ddsqra_value), 1,
1610		    &ddsqra->ddsqra_value, tx);
1611
1612		VERIFY0(dsl_prop_get_int_ds(ds,
1613		    zfs_prop_to_name(ZFS_PROP_RESERVATION), &newval));
1614	} else {
1615		newval = ddsqra->ddsqra_value;
1616		spa_history_log_internal_ds(ds, "set", tx, "%s=%lld",
1617		    zfs_prop_to_name(ZFS_PROP_RESERVATION),
1618		    (longlong_t)newval);
1619	}
1620
1621	dsl_dir_set_reservation_sync_impl(ds->ds_dir, newval, tx);
1622	dsl_dataset_rele(ds, FTAG);
1623}
1624
1625int
1626dsl_dir_set_reservation(const char *ddname, zprop_source_t source,
1627    uint64_t reservation)
1628{
1629	dsl_dir_set_qr_arg_t ddsqra;
1630
1631	ddsqra.ddsqra_name = ddname;
1632	ddsqra.ddsqra_source = source;
1633	ddsqra.ddsqra_value = reservation;
1634
1635	return (dsl_sync_task(ddname, dsl_dir_set_reservation_check,
1636	    dsl_dir_set_reservation_sync, &ddsqra, 0, ZFS_SPACE_CHECK_NONE));
1637}
1638
1639static dsl_dir_t *
1640closest_common_ancestor(dsl_dir_t *ds1, dsl_dir_t *ds2)
1641{
1642	for (; ds1; ds1 = ds1->dd_parent) {
1643		dsl_dir_t *dd;
1644		for (dd = ds2; dd; dd = dd->dd_parent) {
1645			if (ds1 == dd)
1646				return (dd);
1647		}
1648	}
1649	return (NULL);
1650}
1651
1652/*
1653 * If delta is applied to dd, how much of that delta would be applied to
1654 * ancestor?  Syncing context only.
1655 */
1656static int64_t
1657would_change(dsl_dir_t *dd, int64_t delta, dsl_dir_t *ancestor)
1658{
1659	if (dd == ancestor)
1660		return (delta);
1661
1662	mutex_enter(&dd->dd_lock);
1663	delta = parent_delta(dd, dsl_dir_phys(dd)->dd_used_bytes, delta);
1664	mutex_exit(&dd->dd_lock);
1665	return (would_change(dd->dd_parent, delta, ancestor));
1666}
1667
1668typedef struct dsl_dir_rename_arg {
1669	const char *ddra_oldname;
1670	const char *ddra_newname;
1671	cred_t *ddra_cred;
1672} dsl_dir_rename_arg_t;
1673
1674/* ARGSUSED */
1675static int
1676dsl_valid_rename(dsl_pool_t *dp, dsl_dataset_t *ds, void *arg)
1677{
1678	int *deltap = arg;
1679	char namebuf[MAXNAMELEN];
1680
1681	dsl_dataset_name(ds, namebuf);
1682
1683	if (strlen(namebuf) + *deltap >= MAXNAMELEN)
1684		return (SET_ERROR(ENAMETOOLONG));
1685	return (0);
1686}
1687
1688static int
1689dsl_dir_rename_check(void *arg, dmu_tx_t *tx)
1690{
1691	dsl_dir_rename_arg_t *ddra = arg;
1692	dsl_pool_t *dp = dmu_tx_pool(tx);
1693	dsl_dir_t *dd, *newparent;
1694	const char *mynewname;
1695	int error;
1696	int delta = strlen(ddra->ddra_newname) - strlen(ddra->ddra_oldname);
1697
1698	/* target dir should exist */
1699	error = dsl_dir_hold(dp, ddra->ddra_oldname, FTAG, &dd, NULL);
1700	if (error != 0)
1701		return (error);
1702
1703	/* new parent should exist */
1704	error = dsl_dir_hold(dp, ddra->ddra_newname, FTAG,
1705	    &newparent, &mynewname);
1706	if (error != 0) {
1707		dsl_dir_rele(dd, FTAG);
1708		return (error);
1709	}
1710
1711	/* can't rename to different pool */
1712	if (dd->dd_pool != newparent->dd_pool) {
1713		dsl_dir_rele(newparent, FTAG);
1714		dsl_dir_rele(dd, FTAG);
1715		return (SET_ERROR(ENXIO));
1716	}
1717
1718	/* new name should not already exist */
1719	if (mynewname == NULL) {
1720		dsl_dir_rele(newparent, FTAG);
1721		dsl_dir_rele(dd, FTAG);
1722		return (SET_ERROR(EEXIST));
1723	}
1724
1725	/* if the name length is growing, validate child name lengths */
1726	if (delta > 0) {
1727		error = dmu_objset_find_dp(dp, dd->dd_object, dsl_valid_rename,
1728		    &delta, DS_FIND_CHILDREN | DS_FIND_SNAPSHOTS);
1729		if (error != 0) {
1730			dsl_dir_rele(newparent, FTAG);
1731			dsl_dir_rele(dd, FTAG);
1732			return (error);
1733		}
1734	}
1735
1736	if (dmu_tx_is_syncing(tx)) {
1737		if (spa_feature_is_active(dp->dp_spa,
1738		    SPA_FEATURE_FS_SS_LIMIT)) {
1739			/*
1740			 * Although this is the check function and we don't
1741			 * normally make on-disk changes in check functions,
1742			 * we need to do that here.
1743			 *
1744			 * Ensure this portion of the tree's counts have been
1745			 * initialized in case the new parent has limits set.
1746			 */
1747			dsl_dir_init_fs_ss_count(dd, tx);
1748		}
1749	}
1750
1751	if (newparent != dd->dd_parent) {
1752		/* is there enough space? */
1753		uint64_t myspace =
1754		    MAX(dsl_dir_phys(dd)->dd_used_bytes,
1755		    dsl_dir_phys(dd)->dd_reserved);
1756		objset_t *os = dd->dd_pool->dp_meta_objset;
1757		uint64_t fs_cnt = 0;
1758		uint64_t ss_cnt = 0;
1759
1760		if (dsl_dir_is_zapified(dd)) {
1761			int err;
1762
1763			err = zap_lookup(os, dd->dd_object,
1764			    DD_FIELD_FILESYSTEM_COUNT, sizeof (fs_cnt), 1,
1765			    &fs_cnt);
1766			if (err != ENOENT && err != 0) {
1767				dsl_dir_rele(newparent, FTAG);
1768				dsl_dir_rele(dd, FTAG);
1769				return (err);
1770			}
1771
1772			/*
1773			 * have to add 1 for the filesystem itself that we're
1774			 * moving
1775			 */
1776			fs_cnt++;
1777
1778			err = zap_lookup(os, dd->dd_object,
1779			    DD_FIELD_SNAPSHOT_COUNT, sizeof (ss_cnt), 1,
1780			    &ss_cnt);
1781			if (err != ENOENT && err != 0) {
1782				dsl_dir_rele(newparent, FTAG);
1783				dsl_dir_rele(dd, FTAG);
1784				return (err);
1785			}
1786		}
1787
1788		/* no rename into our descendant */
1789		if (closest_common_ancestor(dd, newparent) == dd) {
1790			dsl_dir_rele(newparent, FTAG);
1791			dsl_dir_rele(dd, FTAG);
1792			return (SET_ERROR(EINVAL));
1793		}
1794
1795		error = dsl_dir_transfer_possible(dd->dd_parent,
1796		    newparent, fs_cnt, ss_cnt, myspace, ddra->ddra_cred);
1797		if (error != 0) {
1798			dsl_dir_rele(newparent, FTAG);
1799			dsl_dir_rele(dd, FTAG);
1800			return (error);
1801		}
1802	}
1803
1804	dsl_dir_rele(newparent, FTAG);
1805	dsl_dir_rele(dd, FTAG);
1806	return (0);
1807}
1808
1809static void
1810dsl_dir_rename_sync(void *arg, dmu_tx_t *tx)
1811{
1812	dsl_dir_rename_arg_t *ddra = arg;
1813	dsl_pool_t *dp = dmu_tx_pool(tx);
1814	dsl_dir_t *dd, *newparent;
1815	const char *mynewname;
1816	int error;
1817	objset_t *mos = dp->dp_meta_objset;
1818
1819	VERIFY0(dsl_dir_hold(dp, ddra->ddra_oldname, FTAG, &dd, NULL));
1820	VERIFY0(dsl_dir_hold(dp, ddra->ddra_newname, FTAG, &newparent,
1821	    &mynewname));
1822
1823	/* Log this before we change the name. */
1824	spa_history_log_internal_dd(dd, "rename", tx,
1825	    "-> %s", ddra->ddra_newname);
1826
1827	if (newparent != dd->dd_parent) {
1828		objset_t *os = dd->dd_pool->dp_meta_objset;
1829		uint64_t fs_cnt = 0;
1830		uint64_t ss_cnt = 0;
1831
1832		/*
1833		 * We already made sure the dd counts were initialized in the
1834		 * check function.
1835		 */
1836		if (spa_feature_is_active(dp->dp_spa,
1837		    SPA_FEATURE_FS_SS_LIMIT)) {
1838			VERIFY0(zap_lookup(os, dd->dd_object,
1839			    DD_FIELD_FILESYSTEM_COUNT, sizeof (fs_cnt), 1,
1840			    &fs_cnt));
1841			/* add 1 for the filesystem itself that we're moving */
1842			fs_cnt++;
1843
1844			VERIFY0(zap_lookup(os, dd->dd_object,
1845			    DD_FIELD_SNAPSHOT_COUNT, sizeof (ss_cnt), 1,
1846			    &ss_cnt));
1847		}
1848
1849		dsl_fs_ss_count_adjust(dd->dd_parent, -fs_cnt,
1850		    DD_FIELD_FILESYSTEM_COUNT, tx);
1851		dsl_fs_ss_count_adjust(newparent, fs_cnt,
1852		    DD_FIELD_FILESYSTEM_COUNT, tx);
1853
1854		dsl_fs_ss_count_adjust(dd->dd_parent, -ss_cnt,
1855		    DD_FIELD_SNAPSHOT_COUNT, tx);
1856		dsl_fs_ss_count_adjust(newparent, ss_cnt,
1857		    DD_FIELD_SNAPSHOT_COUNT, tx);
1858
1859		dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD,
1860		    -dsl_dir_phys(dd)->dd_used_bytes,
1861		    -dsl_dir_phys(dd)->dd_compressed_bytes,
1862		    -dsl_dir_phys(dd)->dd_uncompressed_bytes, tx);
1863		dsl_dir_diduse_space(newparent, DD_USED_CHILD,
1864		    dsl_dir_phys(dd)->dd_used_bytes,
1865		    dsl_dir_phys(dd)->dd_compressed_bytes,
1866		    dsl_dir_phys(dd)->dd_uncompressed_bytes, tx);
1867
1868		if (dsl_dir_phys(dd)->dd_reserved >
1869		    dsl_dir_phys(dd)->dd_used_bytes) {
1870			uint64_t unused_rsrv = dsl_dir_phys(dd)->dd_reserved -
1871			    dsl_dir_phys(dd)->dd_used_bytes;
1872
1873			dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD_RSRV,
1874			    -unused_rsrv, 0, 0, tx);
1875			dsl_dir_diduse_space(newparent, DD_USED_CHILD_RSRV,
1876			    unused_rsrv, 0, 0, tx);
1877		}
1878	}
1879
1880	dmu_buf_will_dirty(dd->dd_dbuf, tx);
1881
1882	/* remove from old parent zapobj */
1883	error = zap_remove(mos,
1884	    dsl_dir_phys(dd->dd_parent)->dd_child_dir_zapobj,
1885	    dd->dd_myname, tx);
1886	ASSERT0(error);
1887
1888	(void) strcpy(dd->dd_myname, mynewname);
1889	dsl_dir_rele(dd->dd_parent, dd);
1890	dsl_dir_phys(dd)->dd_parent_obj = newparent->dd_object;
1891	VERIFY0(dsl_dir_hold_obj(dp,
1892	    newparent->dd_object, NULL, dd, &dd->dd_parent));
1893
1894	/* add to new parent zapobj */
1895	VERIFY0(zap_add(mos, dsl_dir_phys(newparent)->dd_child_dir_zapobj,
1896	    dd->dd_myname, 8, 1, &dd->dd_object, tx));
1897
1898	dsl_prop_notify_all(dd);
1899
1900	dsl_dir_rele(newparent, FTAG);
1901	dsl_dir_rele(dd, FTAG);
1902}
1903
1904int
1905dsl_dir_rename(const char *oldname, const char *newname)
1906{
1907	dsl_dir_rename_arg_t ddra;
1908
1909	ddra.ddra_oldname = oldname;
1910	ddra.ddra_newname = newname;
1911	ddra.ddra_cred = CRED();
1912
1913	return (dsl_sync_task(oldname,
1914	    dsl_dir_rename_check, dsl_dir_rename_sync, &ddra,
1915	    3, ZFS_SPACE_CHECK_RESERVED));
1916}
1917
1918int
1919dsl_dir_transfer_possible(dsl_dir_t *sdd, dsl_dir_t *tdd,
1920    uint64_t fs_cnt, uint64_t ss_cnt, uint64_t space, cred_t *cr)
1921{
1922	dsl_dir_t *ancestor;
1923	int64_t adelta;
1924	uint64_t avail;
1925	int err;
1926
1927	ancestor = closest_common_ancestor(sdd, tdd);
1928	adelta = would_change(sdd, -space, ancestor);
1929	avail = dsl_dir_space_available(tdd, ancestor, adelta, FALSE);
1930	if (avail < space)
1931		return (SET_ERROR(ENOSPC));
1932
1933	err = dsl_fs_ss_limit_check(tdd, fs_cnt, ZFS_PROP_FILESYSTEM_LIMIT,
1934	    ancestor, cr);
1935	if (err != 0)
1936		return (err);
1937	err = dsl_fs_ss_limit_check(tdd, ss_cnt, ZFS_PROP_SNAPSHOT_LIMIT,
1938	    ancestor, cr);
1939	if (err != 0)
1940		return (err);
1941
1942	return (0);
1943}
1944
1945timestruc_t
1946dsl_dir_snap_cmtime(dsl_dir_t *dd)
1947{
1948	timestruc_t t;
1949
1950	mutex_enter(&dd->dd_lock);
1951	t = dd->dd_snap_cmtime;
1952	mutex_exit(&dd->dd_lock);
1953
1954	return (t);
1955}
1956
1957void
1958dsl_dir_snap_cmtime_update(dsl_dir_t *dd)
1959{
1960	timestruc_t t;
1961
1962	gethrestime(&t);
1963	mutex_enter(&dd->dd_lock);
1964	dd->dd_snap_cmtime = t;
1965	mutex_exit(&dd->dd_lock);
1966}
1967
1968void
1969dsl_dir_zapify(dsl_dir_t *dd, dmu_tx_t *tx)
1970{
1971	objset_t *mos = dd->dd_pool->dp_meta_objset;
1972	dmu_object_zapify(mos, dd->dd_object, DMU_OT_DSL_DIR, tx);
1973}
1974
1975boolean_t
1976dsl_dir_is_zapified(dsl_dir_t *dd)
1977{
1978	dmu_object_info_t doi;
1979
1980	dmu_object_info_from_db(dd->dd_dbuf, &doi);
1981	return (doi.doi_type == DMU_OTN_ZAP_METADATA);
1982}
1983