1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright (c) 2012, 2016 by Delphix. All rights reserved.
24 * Copyright (c) 2013 Martin Matuska. All rights reserved.
25 * Copyright (c) 2014 Joyent, Inc. All rights reserved.
26 * Copyright (c) 2014 Spectra Logic Corporation, All rights reserved.
27 * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
28 */
29
30#include <sys/dmu.h>
31#include <sys/dmu_objset.h>
32#include <sys/dmu_tx.h>
33#include <sys/dsl_dataset.h>
34#include <sys/dsl_dir.h>
35#include <sys/dsl_prop.h>
36#include <sys/dsl_synctask.h>
37#include <sys/dsl_deleg.h>
38#include <sys/dmu_impl.h>
39#include <sys/spa.h>
40#include <sys/metaslab.h>
41#include <sys/zap.h>
42#include <sys/zio.h>
43#include <sys/arc.h>
44#include <sys/sunddi.h>
45#include <sys/zfeature.h>
46#include <sys/policy.h>
47#include <sys/zfs_znode.h>
48#include "zfs_namecheck.h"
49#include "zfs_prop.h"
50
51/*
52 * Filesystem and Snapshot Limits
53 * ------------------------------
54 *
55 * These limits are used to restrict the number of filesystems and/or snapshots
56 * that can be created at a given level in the tree or below. A typical
57 * use-case is with a delegated dataset where the administrator wants to ensure
58 * that a user within the zone is not creating too many additional filesystems
59 * or snapshots, even though they're not exceeding their space quota.
60 *
61 * The filesystem and snapshot counts are stored as extensible properties. This
62 * capability is controlled by a feature flag and must be enabled to be used.
63 * Once enabled, the feature is not active until the first limit is set. At
64 * that point, future operations to create/destroy filesystems or snapshots
65 * will validate and update the counts.
66 *
67 * Because the count properties will not exist before the feature is active,
68 * the counts are updated when a limit is first set on an uninitialized
69 * dsl_dir node in the tree (The filesystem/snapshot count on a node includes
70 * all of the nested filesystems/snapshots. Thus, a new leaf node has a
71 * filesystem count of 0 and a snapshot count of 0. Non-existent filesystem and
72 * snapshot count properties on a node indicate uninitialized counts on that
73 * node.) When first setting a limit on an uninitialized node, the code starts
74 * at the filesystem with the new limit and descends into all sub-filesystems
75 * to add the count properties.
76 *
77 * In practice this is lightweight since a limit is typically set when the
78 * filesystem is created and thus has no children. Once valid, changing the
79 * limit value won't require a re-traversal since the counts are already valid.
80 * When recursively fixing the counts, if a node with a limit is encountered
81 * during the descent, the counts are known to be valid and there is no need to
82 * descend into that filesystem's children. The counts on filesystems above the
83 * one with the new limit will still be uninitialized, unless a limit is
84 * eventually set on one of those filesystems. The counts are always recursively
85 * updated when a limit is set on a dataset, unless there is already a limit.
86 * When a new limit value is set on a filesystem with an existing limit, it is
87 * possible for the new limit to be less than the current count at that level
88 * since a user who can change the limit is also allowed to exceed the limit.
89 *
90 * Once the feature is active, then whenever a filesystem or snapshot is
91 * created, the code recurses up the tree, validating the new count against the
92 * limit at each initialized level. In practice, most levels will not have a
93 * limit set. If there is a limit at any initialized level up the tree, the
94 * check must pass or the creation will fail. Likewise, when a filesystem or
95 * snapshot is destroyed, the counts are recursively adjusted all the way up
96 * the initizized nodes in the tree. Renaming a filesystem into different point
97 * in the tree will first validate, then update the counts on each branch up to
98 * the common ancestor. A receive will also validate the counts and then update
99 * them.
100 *
101 * An exception to the above behavior is that the limit is not enforced if the
102 * user has permission to modify the limit. This is primarily so that
103 * recursive snapshots in the global zone always work. We want to prevent a
104 * denial-of-service in which a lower level delegated dataset could max out its
105 * limit and thus block recursive snapshots from being taken in the global zone.
106 * Because of this, it is possible for the snapshot count to be over the limit
107 * and snapshots taken in the global zone could cause a lower level dataset to
108 * hit or exceed its limit. The administrator taking the global zone recursive
109 * snapshot should be aware of this side-effect and behave accordingly.
110 * For consistency, the filesystem limit is also not enforced if the user can
111 * modify the limit.
112 *
113 * The filesystem and snapshot limits are validated by dsl_fs_ss_limit_check()
114 * and updated by dsl_fs_ss_count_adjust(). A new limit value is setup in
115 * dsl_dir_activate_fs_ss_limit() and the counts are adjusted, if necessary, by
116 * dsl_dir_init_fs_ss_count().
117 *
118 * There is a special case when we receive a filesystem that already exists. In
119 * this case a temporary clone name of %X is created (see dmu_recv_begin). We
120 * never update the filesystem counts for temporary clones.
121 *
122 * Likewise, we do not update the snapshot counts for temporary snapshots,
123 * such as those created by zfs diff.
124 */
125
126extern inline dsl_dir_phys_t *dsl_dir_phys(dsl_dir_t *dd);
127
128static uint64_t dsl_dir_space_towrite(dsl_dir_t *dd);
129
130typedef struct ddulrt_arg {
131	dsl_dir_t	*ddulrta_dd;
132	uint64_t	ddlrta_txg;
133} ddulrt_arg_t;
134
135static void
136dsl_dir_evict_async(void *dbu)
137{
138	dsl_dir_t *dd = dbu;
139	dsl_pool_t *dp = dd->dd_pool;
140	int t;
141
142	dd->dd_dbuf = NULL;
143
144	for (t = 0; t < TXG_SIZE; t++) {
145		ASSERT(!txg_list_member(&dp->dp_dirty_dirs, dd, t));
146		ASSERT(dd->dd_tempreserved[t] == 0);
147		ASSERT(dd->dd_space_towrite[t] == 0);
148	}
149
150	if (dd->dd_parent)
151		dsl_dir_async_rele(dd->dd_parent, dd);
152
153	spa_async_close(dd->dd_pool->dp_spa, dd);
154
155	dsl_prop_fini(dd);
156	mutex_destroy(&dd->dd_lock);
157	kmem_free(dd, sizeof (dsl_dir_t));
158}
159
160int
161dsl_dir_hold_obj(dsl_pool_t *dp, uint64_t ddobj,
162    const char *tail, void *tag, dsl_dir_t **ddp)
163{
164	dmu_buf_t *dbuf;
165	dsl_dir_t *dd;
166	int err;
167
168	ASSERT(dsl_pool_config_held(dp));
169
170	err = dmu_bonus_hold(dp->dp_meta_objset, ddobj, tag, &dbuf);
171	if (err != 0)
172		return (err);
173	dd = dmu_buf_get_user(dbuf);
174#ifdef ZFS_DEBUG
175	{
176		dmu_object_info_t doi;
177		dmu_object_info_from_db(dbuf, &doi);
178		ASSERT3U(doi.doi_bonus_type, ==, DMU_OT_DSL_DIR);
179		ASSERT3U(doi.doi_bonus_size, >=, sizeof (dsl_dir_phys_t));
180	}
181#endif
182	if (dd == NULL) {
183		dsl_dir_t *winner;
184
185		dd = kmem_zalloc(sizeof (dsl_dir_t), KM_SLEEP);
186		dd->dd_object = ddobj;
187		dd->dd_dbuf = dbuf;
188		dd->dd_pool = dp;
189		mutex_init(&dd->dd_lock, NULL, MUTEX_DEFAULT, NULL);
190		dsl_prop_init(dd);
191
192		dsl_dir_snap_cmtime_update(dd);
193
194		if (dsl_dir_phys(dd)->dd_parent_obj) {
195			err = dsl_dir_hold_obj(dp,
196			    dsl_dir_phys(dd)->dd_parent_obj, NULL, dd,
197			    &dd->dd_parent);
198			if (err != 0)
199				goto errout;
200			if (tail) {
201#ifdef ZFS_DEBUG
202				uint64_t foundobj;
203
204				err = zap_lookup(dp->dp_meta_objset,
205				    dsl_dir_phys(dd->dd_parent)->
206				    dd_child_dir_zapobj, tail,
207				    sizeof (foundobj), 1, &foundobj);
208				ASSERT(err || foundobj == ddobj);
209#endif
210				(void) strcpy(dd->dd_myname, tail);
211			} else {
212				err = zap_value_search(dp->dp_meta_objset,
213				    dsl_dir_phys(dd->dd_parent)->
214				    dd_child_dir_zapobj,
215				    ddobj, 0, dd->dd_myname);
216			}
217			if (err != 0)
218				goto errout;
219		} else {
220			(void) strcpy(dd->dd_myname, spa_name(dp->dp_spa));
221		}
222
223		if (dsl_dir_is_clone(dd)) {
224			dmu_buf_t *origin_bonus;
225			dsl_dataset_phys_t *origin_phys;
226
227			/*
228			 * We can't open the origin dataset, because
229			 * that would require opening this dsl_dir.
230			 * Just look at its phys directly instead.
231			 */
232			err = dmu_bonus_hold(dp->dp_meta_objset,
233			    dsl_dir_phys(dd)->dd_origin_obj, FTAG,
234			    &origin_bonus);
235			if (err != 0)
236				goto errout;
237			origin_phys = origin_bonus->db_data;
238			dd->dd_origin_txg =
239			    origin_phys->ds_creation_txg;
240			dmu_buf_rele(origin_bonus, FTAG);
241		}
242
243		dmu_buf_init_user(&dd->dd_dbu, NULL, dsl_dir_evict_async,
244		    &dd->dd_dbuf);
245		winner = dmu_buf_set_user_ie(dbuf, &dd->dd_dbu);
246		if (winner != NULL) {
247			if (dd->dd_parent)
248				dsl_dir_rele(dd->dd_parent, dd);
249			dsl_prop_fini(dd);
250			mutex_destroy(&dd->dd_lock);
251			kmem_free(dd, sizeof (dsl_dir_t));
252			dd = winner;
253		} else {
254			spa_open_ref(dp->dp_spa, dd);
255		}
256	}
257
258	/*
259	 * The dsl_dir_t has both open-to-close and instantiate-to-evict
260	 * holds on the spa.  We need the open-to-close holds because
261	 * otherwise the spa_refcnt wouldn't change when we open a
262	 * dir which the spa also has open, so we could incorrectly
263	 * think it was OK to unload/export/destroy the pool.  We need
264	 * the instantiate-to-evict hold because the dsl_dir_t has a
265	 * pointer to the dd_pool, which has a pointer to the spa_t.
266	 */
267	spa_open_ref(dp->dp_spa, tag);
268	ASSERT3P(dd->dd_pool, ==, dp);
269	ASSERT3U(dd->dd_object, ==, ddobj);
270	ASSERT3P(dd->dd_dbuf, ==, dbuf);
271	*ddp = dd;
272	return (0);
273
274errout:
275	if (dd->dd_parent)
276		dsl_dir_rele(dd->dd_parent, dd);
277	dsl_prop_fini(dd);
278	mutex_destroy(&dd->dd_lock);
279	kmem_free(dd, sizeof (dsl_dir_t));
280	dmu_buf_rele(dbuf, tag);
281	return (err);
282}
283
284void
285dsl_dir_rele(dsl_dir_t *dd, void *tag)
286{
287	dprintf_dd(dd, "%s\n", "");
288	spa_close(dd->dd_pool->dp_spa, tag);
289	dmu_buf_rele(dd->dd_dbuf, tag);
290}
291
292/*
293 * Remove a reference to the given dsl dir that is being asynchronously
294 * released.  Async releases occur from a taskq performing eviction of
295 * dsl datasets and dirs.  This process is identical to a normal release
296 * with the exception of using the async API for releasing the reference on
297 * the spa.
298 */
299void
300dsl_dir_async_rele(dsl_dir_t *dd, void *tag)
301{
302	dprintf_dd(dd, "%s\n", "");
303	spa_async_close(dd->dd_pool->dp_spa, tag);
304	dmu_buf_rele(dd->dd_dbuf, tag);
305}
306
307/* buf must be at least ZFS_MAX_DATASET_NAME_LEN bytes */
308void
309dsl_dir_name(dsl_dir_t *dd, char *buf)
310{
311	if (dd->dd_parent) {
312		dsl_dir_name(dd->dd_parent, buf);
313		VERIFY3U(strlcat(buf, "/", ZFS_MAX_DATASET_NAME_LEN), <,
314		    ZFS_MAX_DATASET_NAME_LEN);
315	} else {
316		buf[0] = '\0';
317	}
318	if (!MUTEX_HELD(&dd->dd_lock)) {
319		/*
320		 * recursive mutex so that we can use
321		 * dprintf_dd() with dd_lock held
322		 */
323		mutex_enter(&dd->dd_lock);
324		VERIFY3U(strlcat(buf, dd->dd_myname, ZFS_MAX_DATASET_NAME_LEN),
325		    <, ZFS_MAX_DATASET_NAME_LEN);
326		mutex_exit(&dd->dd_lock);
327	} else {
328		VERIFY3U(strlcat(buf, dd->dd_myname, ZFS_MAX_DATASET_NAME_LEN),
329		    <, ZFS_MAX_DATASET_NAME_LEN);
330	}
331}
332
333/* Calculate name length, avoiding all the strcat calls of dsl_dir_name */
334int
335dsl_dir_namelen(dsl_dir_t *dd)
336{
337	int result = 0;
338
339	if (dd->dd_parent) {
340		/* parent's name + 1 for the "/" */
341		result = dsl_dir_namelen(dd->dd_parent) + 1;
342	}
343
344	if (!MUTEX_HELD(&dd->dd_lock)) {
345		/* see dsl_dir_name */
346		mutex_enter(&dd->dd_lock);
347		result += strlen(dd->dd_myname);
348		mutex_exit(&dd->dd_lock);
349	} else {
350		result += strlen(dd->dd_myname);
351	}
352
353	return (result);
354}
355
356static int
357getcomponent(const char *path, char *component, const char **nextp)
358{
359	char *p;
360
361	if ((path == NULL) || (path[0] == '\0'))
362		return (SET_ERROR(ENOENT));
363	/* This would be a good place to reserve some namespace... */
364	p = strpbrk(path, "/@");
365	if (p && (p[1] == '/' || p[1] == '@')) {
366		/* two separators in a row */
367		return (SET_ERROR(EINVAL));
368	}
369	if (p == NULL || p == path) {
370		/*
371		 * if the first thing is an @ or /, it had better be an
372		 * @ and it had better not have any more ats or slashes,
373		 * and it had better have something after the @.
374		 */
375		if (p != NULL &&
376		    (p[0] != '@' || strpbrk(path+1, "/@") || p[1] == '\0'))
377			return (SET_ERROR(EINVAL));
378		if (strlen(path) >= ZFS_MAX_DATASET_NAME_LEN)
379			return (SET_ERROR(ENAMETOOLONG));
380		(void) strcpy(component, path);
381		p = NULL;
382	} else if (p[0] == '/') {
383		if (p - path >= ZFS_MAX_DATASET_NAME_LEN)
384			return (SET_ERROR(ENAMETOOLONG));
385		(void) strncpy(component, path, p - path);
386		component[p - path] = '\0';
387		p++;
388	} else if (p[0] == '@') {
389		/*
390		 * if the next separator is an @, there better not be
391		 * any more slashes.
392		 */
393		if (strchr(path, '/'))
394			return (SET_ERROR(EINVAL));
395		if (p - path >= ZFS_MAX_DATASET_NAME_LEN)
396			return (SET_ERROR(ENAMETOOLONG));
397		(void) strncpy(component, path, p - path);
398		component[p - path] = '\0';
399	} else {
400		panic("invalid p=%p", (void *)p);
401	}
402	*nextp = p;
403	return (0);
404}
405
406/*
407 * Return the dsl_dir_t, and possibly the last component which couldn't
408 * be found in *tail.  The name must be in the specified dsl_pool_t.  This
409 * thread must hold the dp_config_rwlock for the pool.  Returns NULL if the
410 * path is bogus, or if tail==NULL and we couldn't parse the whole name.
411 * (*tail)[0] == '@' means that the last component is a snapshot.
412 */
413int
414dsl_dir_hold(dsl_pool_t *dp, const char *name, void *tag,
415    dsl_dir_t **ddp, const char **tailp)
416{
417	char buf[ZFS_MAX_DATASET_NAME_LEN];
418	const char *spaname, *next, *nextnext = NULL;
419	int err;
420	dsl_dir_t *dd;
421	uint64_t ddobj;
422
423	err = getcomponent(name, buf, &next);
424	if (err != 0)
425		return (err);
426
427	/* Make sure the name is in the specified pool. */
428	spaname = spa_name(dp->dp_spa);
429	if (strcmp(buf, spaname) != 0)
430		return (SET_ERROR(EXDEV));
431
432	ASSERT(dsl_pool_config_held(dp));
433
434	err = dsl_dir_hold_obj(dp, dp->dp_root_dir_obj, NULL, tag, &dd);
435	if (err != 0) {
436		return (err);
437	}
438
439	while (next != NULL) {
440		dsl_dir_t *child_dd;
441		err = getcomponent(next, buf, &nextnext);
442		if (err != 0)
443			break;
444		ASSERT(next[0] != '\0');
445		if (next[0] == '@')
446			break;
447		dprintf("looking up %s in obj%lld\n",
448		    buf, dsl_dir_phys(dd)->dd_child_dir_zapobj);
449
450		err = zap_lookup(dp->dp_meta_objset,
451		    dsl_dir_phys(dd)->dd_child_dir_zapobj,
452		    buf, sizeof (ddobj), 1, &ddobj);
453		if (err != 0) {
454			if (err == ENOENT)
455				err = 0;
456			break;
457		}
458
459		err = dsl_dir_hold_obj(dp, ddobj, buf, tag, &child_dd);
460		if (err != 0)
461			break;
462		dsl_dir_rele(dd, tag);
463		dd = child_dd;
464		next = nextnext;
465	}
466
467	if (err != 0) {
468		dsl_dir_rele(dd, tag);
469		return (err);
470	}
471
472	/*
473	 * It's an error if there's more than one component left, or
474	 * tailp==NULL and there's any component left.
475	 */
476	if (next != NULL &&
477	    (tailp == NULL || (nextnext && nextnext[0] != '\0'))) {
478		/* bad path name */
479		dsl_dir_rele(dd, tag);
480		dprintf("next=%p (%s) tail=%p\n", next, next?next:"", tailp);
481		err = SET_ERROR(ENOENT);
482	}
483	if (tailp != NULL)
484		*tailp = next;
485	*ddp = dd;
486	return (err);
487}
488
489/*
490 * If the counts are already initialized for this filesystem and its
491 * descendants then do nothing, otherwise initialize the counts.
492 *
493 * The counts on this filesystem, and those below, may be uninitialized due to
494 * either the use of a pre-existing pool which did not support the
495 * filesystem/snapshot limit feature, or one in which the feature had not yet
496 * been enabled.
497 *
498 * Recursively descend the filesystem tree and update the filesystem/snapshot
499 * counts on each filesystem below, then update the cumulative count on the
500 * current filesystem. If the filesystem already has a count set on it,
501 * then we know that its counts, and the counts on the filesystems below it,
502 * are already correct, so we don't have to update this filesystem.
503 */
504static void
505dsl_dir_init_fs_ss_count(dsl_dir_t *dd, dmu_tx_t *tx)
506{
507	uint64_t my_fs_cnt = 0;
508	uint64_t my_ss_cnt = 0;
509	dsl_pool_t *dp = dd->dd_pool;
510	objset_t *os = dp->dp_meta_objset;
511	zap_cursor_t *zc;
512	zap_attribute_t *za;
513	dsl_dataset_t *ds;
514
515	ASSERT(spa_feature_is_active(dp->dp_spa, SPA_FEATURE_FS_SS_LIMIT));
516	ASSERT(dsl_pool_config_held(dp));
517	ASSERT(dmu_tx_is_syncing(tx));
518
519	dsl_dir_zapify(dd, tx);
520
521	/*
522	 * If the filesystem count has already been initialized then we
523	 * don't need to recurse down any further.
524	 */
525	if (zap_contains(os, dd->dd_object, DD_FIELD_FILESYSTEM_COUNT) == 0)
526		return;
527
528	zc = kmem_alloc(sizeof (zap_cursor_t), KM_SLEEP);
529	za = kmem_alloc(sizeof (zap_attribute_t), KM_SLEEP);
530
531	/* Iterate my child dirs */
532	for (zap_cursor_init(zc, os, dsl_dir_phys(dd)->dd_child_dir_zapobj);
533	    zap_cursor_retrieve(zc, za) == 0; zap_cursor_advance(zc)) {
534		dsl_dir_t *chld_dd;
535		uint64_t count;
536
537		VERIFY0(dsl_dir_hold_obj(dp, za->za_first_integer, NULL, FTAG,
538		    &chld_dd));
539
540		/*
541		 * Ignore hidden ($FREE, $MOS & $ORIGIN) objsets and
542		 * temporary datasets.
543		 */
544		if (chld_dd->dd_myname[0] == '$' ||
545		    chld_dd->dd_myname[0] == '%') {
546			dsl_dir_rele(chld_dd, FTAG);
547			continue;
548		}
549
550		my_fs_cnt++;	/* count this child */
551
552		dsl_dir_init_fs_ss_count(chld_dd, tx);
553
554		VERIFY0(zap_lookup(os, chld_dd->dd_object,
555		    DD_FIELD_FILESYSTEM_COUNT, sizeof (count), 1, &count));
556		my_fs_cnt += count;
557		VERIFY0(zap_lookup(os, chld_dd->dd_object,
558		    DD_FIELD_SNAPSHOT_COUNT, sizeof (count), 1, &count));
559		my_ss_cnt += count;
560
561		dsl_dir_rele(chld_dd, FTAG);
562	}
563	zap_cursor_fini(zc);
564	/* Count my snapshots (we counted children's snapshots above) */
565	VERIFY0(dsl_dataset_hold_obj(dd->dd_pool,
566	    dsl_dir_phys(dd)->dd_head_dataset_obj, FTAG, &ds));
567
568	for (zap_cursor_init(zc, os, dsl_dataset_phys(ds)->ds_snapnames_zapobj);
569	    zap_cursor_retrieve(zc, za) == 0;
570	    zap_cursor_advance(zc)) {
571		/* Don't count temporary snapshots */
572		if (za->za_name[0] != '%')
573			my_ss_cnt++;
574	}
575	zap_cursor_fini(zc);
576
577	dsl_dataset_rele(ds, FTAG);
578
579	kmem_free(zc, sizeof (zap_cursor_t));
580	kmem_free(za, sizeof (zap_attribute_t));
581
582	/* we're in a sync task, update counts */
583	dmu_buf_will_dirty(dd->dd_dbuf, tx);
584	VERIFY0(zap_add(os, dd->dd_object, DD_FIELD_FILESYSTEM_COUNT,
585	    sizeof (my_fs_cnt), 1, &my_fs_cnt, tx));
586	VERIFY0(zap_add(os, dd->dd_object, DD_FIELD_SNAPSHOT_COUNT,
587	    sizeof (my_ss_cnt), 1, &my_ss_cnt, tx));
588}
589
590static int
591dsl_dir_actv_fs_ss_limit_check(void *arg, dmu_tx_t *tx)
592{
593	char *ddname = (char *)arg;
594	dsl_pool_t *dp = dmu_tx_pool(tx);
595	dsl_dataset_t *ds;
596	dsl_dir_t *dd;
597	int error;
598
599	error = dsl_dataset_hold(dp, ddname, FTAG, &ds);
600	if (error != 0)
601		return (error);
602
603	if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_FS_SS_LIMIT)) {
604		dsl_dataset_rele(ds, FTAG);
605		return (SET_ERROR(ENOTSUP));
606	}
607
608	dd = ds->ds_dir;
609	if (spa_feature_is_active(dp->dp_spa, SPA_FEATURE_FS_SS_LIMIT) &&
610	    dsl_dir_is_zapified(dd) &&
611	    zap_contains(dp->dp_meta_objset, dd->dd_object,
612	    DD_FIELD_FILESYSTEM_COUNT) == 0) {
613		dsl_dataset_rele(ds, FTAG);
614		return (SET_ERROR(EALREADY));
615	}
616
617	dsl_dataset_rele(ds, FTAG);
618	return (0);
619}
620
621static void
622dsl_dir_actv_fs_ss_limit_sync(void *arg, dmu_tx_t *tx)
623{
624	char *ddname = (char *)arg;
625	dsl_pool_t *dp = dmu_tx_pool(tx);
626	dsl_dataset_t *ds;
627	spa_t *spa;
628
629	VERIFY0(dsl_dataset_hold(dp, ddname, FTAG, &ds));
630
631	spa = dsl_dataset_get_spa(ds);
632
633	if (!spa_feature_is_active(spa, SPA_FEATURE_FS_SS_LIMIT)) {
634		/*
635		 * Since the feature was not active and we're now setting a
636		 * limit, increment the feature-active counter so that the
637		 * feature becomes active for the first time.
638		 *
639		 * We are already in a sync task so we can update the MOS.
640		 */
641		spa_feature_incr(spa, SPA_FEATURE_FS_SS_LIMIT, tx);
642	}
643
644	/*
645	 * Since we are now setting a non-UINT64_MAX limit on the filesystem,
646	 * we need to ensure the counts are correct. Descend down the tree from
647	 * this point and update all of the counts to be accurate.
648	 */
649	dsl_dir_init_fs_ss_count(ds->ds_dir, tx);
650
651	dsl_dataset_rele(ds, FTAG);
652}
653
654/*
655 * Make sure the feature is enabled and activate it if necessary.
656 * Since we're setting a limit, ensure the on-disk counts are valid.
657 * This is only called by the ioctl path when setting a limit value.
658 *
659 * We do not need to validate the new limit, since users who can change the
660 * limit are also allowed to exceed the limit.
661 */
662int
663dsl_dir_activate_fs_ss_limit(const char *ddname)
664{
665	int error;
666
667	error = dsl_sync_task(ddname, dsl_dir_actv_fs_ss_limit_check,
668	    dsl_dir_actv_fs_ss_limit_sync, (void *)ddname, 0,
669	    ZFS_SPACE_CHECK_RESERVED);
670
671	if (error == EALREADY)
672		error = 0;
673
674	return (error);
675}
676
677/*
678 * Used to determine if the filesystem_limit or snapshot_limit should be
679 * enforced. We allow the limit to be exceeded if the user has permission to
680 * write the property value. We pass in the creds that we got in the open
681 * context since we will always be the GZ root in syncing context. We also have
682 * to handle the case where we are allowed to change the limit on the current
683 * dataset, but there may be another limit in the tree above.
684 *
685 * We can never modify these two properties within a non-global zone. In
686 * addition, the other checks are modeled on zfs_secpolicy_write_perms. We
687 * can't use that function since we are already holding the dp_config_rwlock.
688 * In addition, we already have the dd and dealing with snapshots is simplified
689 * in this code.
690 */
691
692typedef enum {
693	ENFORCE_ALWAYS,
694	ENFORCE_NEVER,
695	ENFORCE_ABOVE
696} enforce_res_t;
697
698static enforce_res_t
699dsl_enforce_ds_ss_limits(dsl_dir_t *dd, zfs_prop_t prop, cred_t *cr)
700{
701	enforce_res_t enforce = ENFORCE_ALWAYS;
702	uint64_t obj;
703	dsl_dataset_t *ds;
704	uint64_t zoned;
705
706	ASSERT(prop == ZFS_PROP_FILESYSTEM_LIMIT ||
707	    prop == ZFS_PROP_SNAPSHOT_LIMIT);
708
709#ifdef _KERNEL
710	if (crgetzoneid(cr) != GLOBAL_ZONEID)
711		return (ENFORCE_ALWAYS);
712
713	if (secpolicy_zfs(cr) == 0)
714		return (ENFORCE_NEVER);
715#endif
716
717	if ((obj = dsl_dir_phys(dd)->dd_head_dataset_obj) == 0)
718		return (ENFORCE_ALWAYS);
719
720	ASSERT(dsl_pool_config_held(dd->dd_pool));
721
722	if (dsl_dataset_hold_obj(dd->dd_pool, obj, FTAG, &ds) != 0)
723		return (ENFORCE_ALWAYS);
724
725	if (dsl_prop_get_ds(ds, "zoned", 8, 1, &zoned, NULL) || zoned) {
726		/* Only root can access zoned fs's from the GZ */
727		enforce = ENFORCE_ALWAYS;
728	} else {
729		if (dsl_deleg_access_impl(ds, zfs_prop_to_name(prop), cr) == 0)
730			enforce = ENFORCE_ABOVE;
731	}
732
733	dsl_dataset_rele(ds, FTAG);
734	return (enforce);
735}
736
737static void
738dsl_dir_update_last_remap_txg_sync(void *varg, dmu_tx_t *tx)
739{
740	ddulrt_arg_t *arg = varg;
741	uint64_t last_remap_txg;
742	dsl_dir_t *dd = arg->ddulrta_dd;
743	objset_t *mos = dd->dd_pool->dp_meta_objset;
744
745	dsl_dir_zapify(dd, tx);
746	if (zap_lookup(mos, dd->dd_object, DD_FIELD_LAST_REMAP_TXG,
747	    sizeof (last_remap_txg), 1, &last_remap_txg) != 0 ||
748	    last_remap_txg < arg->ddlrta_txg) {
749		VERIFY0(zap_update(mos, dd->dd_object, DD_FIELD_LAST_REMAP_TXG,
750		    sizeof (arg->ddlrta_txg), 1, &arg->ddlrta_txg, tx));
751	}
752}
753
754int
755dsl_dir_update_last_remap_txg(dsl_dir_t *dd, uint64_t txg)
756{
757	ddulrt_arg_t arg;
758	arg.ddulrta_dd = dd;
759	arg.ddlrta_txg = txg;
760
761	return (dsl_sync_task(spa_name(dd->dd_pool->dp_spa),
762	    NULL, dsl_dir_update_last_remap_txg_sync, &arg,
763	    1, ZFS_SPACE_CHECK_RESERVED));
764}
765
766/*
767 * Check if adding additional child filesystem(s) would exceed any filesystem
768 * limits or adding additional snapshot(s) would exceed any snapshot limits.
769 * The prop argument indicates which limit to check.
770 *
771 * Note that all filesystem limits up to the root (or the highest
772 * initialized) filesystem or the given ancestor must be satisfied.
773 */
774int
775dsl_fs_ss_limit_check(dsl_dir_t *dd, uint64_t delta, zfs_prop_t prop,
776    dsl_dir_t *ancestor, cred_t *cr)
777{
778	objset_t *os = dd->dd_pool->dp_meta_objset;
779	uint64_t limit, count;
780	char *count_prop;
781	enforce_res_t enforce;
782	int err = 0;
783
784	ASSERT(dsl_pool_config_held(dd->dd_pool));
785	ASSERT(prop == ZFS_PROP_FILESYSTEM_LIMIT ||
786	    prop == ZFS_PROP_SNAPSHOT_LIMIT);
787
788	/*
789	 * If we're allowed to change the limit, don't enforce the limit
790	 * e.g. this can happen if a snapshot is taken by an administrative
791	 * user in the global zone (i.e. a recursive snapshot by root).
792	 * However, we must handle the case of delegated permissions where we
793	 * are allowed to change the limit on the current dataset, but there
794	 * is another limit in the tree above.
795	 */
796	enforce = dsl_enforce_ds_ss_limits(dd, prop, cr);
797	if (enforce == ENFORCE_NEVER)
798		return (0);
799
800	/*
801	 * e.g. if renaming a dataset with no snapshots, count adjustment
802	 * is 0.
803	 */
804	if (delta == 0)
805		return (0);
806
807	if (prop == ZFS_PROP_SNAPSHOT_LIMIT) {
808		/*
809		 * We don't enforce the limit for temporary snapshots. This is
810		 * indicated by a NULL cred_t argument.
811		 */
812		if (cr == NULL)
813			return (0);
814
815		count_prop = DD_FIELD_SNAPSHOT_COUNT;
816	} else {
817		count_prop = DD_FIELD_FILESYSTEM_COUNT;
818	}
819
820	/*
821	 * If an ancestor has been provided, stop checking the limit once we
822	 * hit that dir. We need this during rename so that we don't overcount
823	 * the check once we recurse up to the common ancestor.
824	 */
825	if (ancestor == dd)
826		return (0);
827
828	/*
829	 * If we hit an uninitialized node while recursing up the tree, we can
830	 * stop since we know there is no limit here (or above). The counts are
831	 * not valid on this node and we know we won't touch this node's counts.
832	 */
833	if (!dsl_dir_is_zapified(dd) || zap_lookup(os, dd->dd_object,
834	    count_prop, sizeof (count), 1, &count) == ENOENT)
835		return (0);
836
837	err = dsl_prop_get_dd(dd, zfs_prop_to_name(prop), 8, 1, &limit, NULL,
838	    B_FALSE);
839	if (err != 0)
840		return (err);
841
842	/* Is there a limit which we've hit? */
843	if (enforce == ENFORCE_ALWAYS && (count + delta) > limit)
844		return (SET_ERROR(EDQUOT));
845
846	if (dd->dd_parent != NULL)
847		err = dsl_fs_ss_limit_check(dd->dd_parent, delta, prop,
848		    ancestor, cr);
849
850	return (err);
851}
852
853/*
854 * Adjust the filesystem or snapshot count for the specified dsl_dir_t and all
855 * parents. When a new filesystem/snapshot is created, increment the count on
856 * all parents, and when a filesystem/snapshot is destroyed, decrement the
857 * count.
858 */
859void
860dsl_fs_ss_count_adjust(dsl_dir_t *dd, int64_t delta, const char *prop,
861    dmu_tx_t *tx)
862{
863	int err;
864	objset_t *os = dd->dd_pool->dp_meta_objset;
865	uint64_t count;
866
867	ASSERT(dsl_pool_config_held(dd->dd_pool));
868	ASSERT(dmu_tx_is_syncing(tx));
869	ASSERT(strcmp(prop, DD_FIELD_FILESYSTEM_COUNT) == 0 ||
870	    strcmp(prop, DD_FIELD_SNAPSHOT_COUNT) == 0);
871
872	/*
873	 * When we receive an incremental stream into a filesystem that already
874	 * exists, a temporary clone is created.  We don't count this temporary
875	 * clone, whose name begins with a '%'. We also ignore hidden ($FREE,
876	 * $MOS & $ORIGIN) objsets.
877	 */
878	if ((dd->dd_myname[0] == '%' || dd->dd_myname[0] == '$') &&
879	    strcmp(prop, DD_FIELD_FILESYSTEM_COUNT) == 0)
880		return;
881
882	/*
883	 * e.g. if renaming a dataset with no snapshots, count adjustment is 0
884	 */
885	if (delta == 0)
886		return;
887
888	/*
889	 * If we hit an uninitialized node while recursing up the tree, we can
890	 * stop since we know the counts are not valid on this node and we
891	 * know we shouldn't touch this node's counts. An uninitialized count
892	 * on the node indicates that either the feature has not yet been
893	 * activated or there are no limits on this part of the tree.
894	 */
895	if (!dsl_dir_is_zapified(dd) || (err = zap_lookup(os, dd->dd_object,
896	    prop, sizeof (count), 1, &count)) == ENOENT)
897		return;
898	VERIFY0(err);
899
900	count += delta;
901	/* Use a signed verify to make sure we're not neg. */
902	VERIFY3S(count, >=, 0);
903
904	VERIFY0(zap_update(os, dd->dd_object, prop, sizeof (count), 1, &count,
905	    tx));
906
907	/* Roll up this additional count into our ancestors */
908	if (dd->dd_parent != NULL)
909		dsl_fs_ss_count_adjust(dd->dd_parent, delta, prop, tx);
910}
911
912uint64_t
913dsl_dir_create_sync(dsl_pool_t *dp, dsl_dir_t *pds, const char *name,
914    dmu_tx_t *tx)
915{
916	objset_t *mos = dp->dp_meta_objset;
917	uint64_t ddobj;
918	dsl_dir_phys_t *ddphys;
919	dmu_buf_t *dbuf;
920
921	ddobj = dmu_object_alloc(mos, DMU_OT_DSL_DIR, 0,
922	    DMU_OT_DSL_DIR, sizeof (dsl_dir_phys_t), tx);
923	if (pds) {
924		VERIFY(0 == zap_add(mos, dsl_dir_phys(pds)->dd_child_dir_zapobj,
925		    name, sizeof (uint64_t), 1, &ddobj, tx));
926	} else {
927		/* it's the root dir */
928		VERIFY(0 == zap_add(mos, DMU_POOL_DIRECTORY_OBJECT,
929		    DMU_POOL_ROOT_DATASET, sizeof (uint64_t), 1, &ddobj, tx));
930	}
931	VERIFY(0 == dmu_bonus_hold(mos, ddobj, FTAG, &dbuf));
932	dmu_buf_will_dirty(dbuf, tx);
933	ddphys = dbuf->db_data;
934
935	ddphys->dd_creation_time = gethrestime_sec();
936	if (pds) {
937		ddphys->dd_parent_obj = pds->dd_object;
938
939		/* update the filesystem counts */
940		dsl_fs_ss_count_adjust(pds, 1, DD_FIELD_FILESYSTEM_COUNT, tx);
941	}
942	ddphys->dd_props_zapobj = zap_create(mos,
943	    DMU_OT_DSL_PROPS, DMU_OT_NONE, 0, tx);
944	ddphys->dd_child_dir_zapobj = zap_create(mos,
945	    DMU_OT_DSL_DIR_CHILD_MAP, DMU_OT_NONE, 0, tx);
946	if (spa_version(dp->dp_spa) >= SPA_VERSION_USED_BREAKDOWN)
947		ddphys->dd_flags |= DD_FLAG_USED_BREAKDOWN;
948	dmu_buf_rele(dbuf, FTAG);
949
950	return (ddobj);
951}
952
953boolean_t
954dsl_dir_is_clone(dsl_dir_t *dd)
955{
956	return (dsl_dir_phys(dd)->dd_origin_obj &&
957	    (dd->dd_pool->dp_origin_snap == NULL ||
958	    dsl_dir_phys(dd)->dd_origin_obj !=
959	    dd->dd_pool->dp_origin_snap->ds_object));
960}
961
962
963uint64_t
964dsl_dir_get_used(dsl_dir_t *dd)
965{
966	return (dsl_dir_phys(dd)->dd_used_bytes);
967}
968
969uint64_t
970dsl_dir_get_quota(dsl_dir_t *dd)
971{
972	return (dsl_dir_phys(dd)->dd_quota);
973}
974
975uint64_t
976dsl_dir_get_reservation(dsl_dir_t *dd)
977{
978	return (dsl_dir_phys(dd)->dd_reserved);
979}
980
981uint64_t
982dsl_dir_get_compressratio(dsl_dir_t *dd)
983{
984	/* a fixed point number, 100x the ratio */
985	return (dsl_dir_phys(dd)->dd_compressed_bytes == 0 ? 100 :
986	    (dsl_dir_phys(dd)->dd_uncompressed_bytes * 100 /
987	    dsl_dir_phys(dd)->dd_compressed_bytes));
988}
989
990uint64_t
991dsl_dir_get_logicalused(dsl_dir_t *dd)
992{
993	return (dsl_dir_phys(dd)->dd_uncompressed_bytes);
994}
995
996uint64_t
997dsl_dir_get_usedsnap(dsl_dir_t *dd)
998{
999	return (dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_SNAP]);
1000}
1001
1002uint64_t
1003dsl_dir_get_usedds(dsl_dir_t *dd)
1004{
1005	return (dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_HEAD]);
1006}
1007
1008uint64_t
1009dsl_dir_get_usedrefreserv(dsl_dir_t *dd)
1010{
1011	return (dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_REFRSRV]);
1012}
1013
1014uint64_t
1015dsl_dir_get_usedchild(dsl_dir_t *dd)
1016{
1017	return (dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_CHILD] +
1018	    dsl_dir_phys(dd)->dd_used_breakdown[DD_USED_CHILD_RSRV]);
1019}
1020
1021void
1022dsl_dir_get_origin(dsl_dir_t *dd, char *buf)
1023{
1024	dsl_dataset_t *ds;
1025	VERIFY0(dsl_dataset_hold_obj(dd->dd_pool,
1026	    dsl_dir_phys(dd)->dd_origin_obj, FTAG, &ds));
1027
1028	dsl_dataset_name(ds, buf);
1029
1030	dsl_dataset_rele(ds, FTAG);
1031}
1032
1033int
1034dsl_dir_get_filesystem_count(dsl_dir_t *dd, uint64_t *count)
1035{
1036	if (dsl_dir_is_zapified(dd)) {
1037		objset_t *os = dd->dd_pool->dp_meta_objset;
1038		return (zap_lookup(os, dd->dd_object, DD_FIELD_FILESYSTEM_COUNT,
1039		    sizeof (*count), 1, count));
1040	} else {
1041		return (ENOENT);
1042	}
1043}
1044
1045int
1046dsl_dir_get_snapshot_count(dsl_dir_t *dd, uint64_t *count)
1047{
1048	if (dsl_dir_is_zapified(dd)) {
1049		objset_t *os = dd->dd_pool->dp_meta_objset;
1050		return (zap_lookup(os, dd->dd_object, DD_FIELD_SNAPSHOT_COUNT,
1051		    sizeof (*count), 1, count));
1052	} else {
1053		return (ENOENT);
1054	}
1055}
1056
1057int
1058dsl_dir_get_remaptxg(dsl_dir_t *dd, uint64_t *count)
1059{
1060	if (dsl_dir_is_zapified(dd)) {
1061		objset_t *os = dd->dd_pool->dp_meta_objset;
1062		return (zap_lookup(os, dd->dd_object, DD_FIELD_LAST_REMAP_TXG,
1063		    sizeof (*count), 1, count));
1064	} else {
1065		return (ENOENT);
1066	}
1067}
1068
1069void
1070dsl_dir_stats(dsl_dir_t *dd, nvlist_t *nv)
1071{
1072	mutex_enter(&dd->dd_lock);
1073	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_QUOTA,
1074	    dsl_dir_get_quota(dd));
1075	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_RESERVATION,
1076	    dsl_dir_get_reservation(dd));
1077	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_LOGICALUSED,
1078	    dsl_dir_get_logicalused(dd));
1079	if (dsl_dir_phys(dd)->dd_flags & DD_FLAG_USED_BREAKDOWN) {
1080		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDSNAP,
1081		    dsl_dir_get_usedsnap(dd));
1082		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDDS,
1083		    dsl_dir_get_usedds(dd));
1084		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDREFRESERV,
1085		    dsl_dir_get_usedrefreserv(dd));
1086		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDCHILD,
1087		    dsl_dir_get_usedchild(dd));
1088	}
1089	mutex_exit(&dd->dd_lock);
1090
1091	uint64_t count;
1092	if (dsl_dir_get_filesystem_count(dd, &count) == 0) {
1093		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_FILESYSTEM_COUNT,
1094		    count);
1095	}
1096	if (dsl_dir_get_snapshot_count(dd, &count) == 0) {
1097		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_SNAPSHOT_COUNT,
1098		    count);
1099	}
1100	if (dsl_dir_get_remaptxg(dd, &count) == 0) {
1101		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_REMAPTXG,
1102		    count);
1103	}
1104
1105	if (dsl_dir_is_clone(dd)) {
1106		char buf[ZFS_MAX_DATASET_NAME_LEN];
1107		dsl_dir_get_origin(dd, buf);
1108		dsl_prop_nvlist_add_string(nv, ZFS_PROP_ORIGIN, buf);
1109	}
1110
1111}
1112
1113void
1114dsl_dir_dirty(dsl_dir_t *dd, dmu_tx_t *tx)
1115{
1116	dsl_pool_t *dp = dd->dd_pool;
1117
1118	ASSERT(dsl_dir_phys(dd));
1119
1120	if (txg_list_add(&dp->dp_dirty_dirs, dd, tx->tx_txg)) {
1121		/* up the hold count until we can be written out */
1122		dmu_buf_add_ref(dd->dd_dbuf, dd);
1123	}
1124}
1125
1126static int64_t
1127parent_delta(dsl_dir_t *dd, uint64_t used, int64_t delta)
1128{
1129	uint64_t old_accounted = MAX(used, dsl_dir_phys(dd)->dd_reserved);
1130	uint64_t new_accounted =
1131	    MAX(used + delta, dsl_dir_phys(dd)->dd_reserved);
1132	return (new_accounted - old_accounted);
1133}
1134
1135void
1136dsl_dir_sync(dsl_dir_t *dd, dmu_tx_t *tx)
1137{
1138	ASSERT(dmu_tx_is_syncing(tx));
1139
1140	mutex_enter(&dd->dd_lock);
1141	ASSERT0(dd->dd_tempreserved[tx->tx_txg&TXG_MASK]);
1142	dprintf_dd(dd, "txg=%llu towrite=%lluK\n", tx->tx_txg,
1143	    dd->dd_space_towrite[tx->tx_txg&TXG_MASK] / 1024);
1144	dd->dd_space_towrite[tx->tx_txg&TXG_MASK] = 0;
1145	mutex_exit(&dd->dd_lock);
1146
1147	/* release the hold from dsl_dir_dirty */
1148	dmu_buf_rele(dd->dd_dbuf, dd);
1149}
1150
1151static uint64_t
1152dsl_dir_space_towrite(dsl_dir_t *dd)
1153{
1154	uint64_t space = 0;
1155
1156	ASSERT(MUTEX_HELD(&dd->dd_lock));
1157
1158	for (int i = 0; i < TXG_SIZE; i++) {
1159		space += dd->dd_space_towrite[i & TXG_MASK];
1160		ASSERT3U(dd->dd_space_towrite[i & TXG_MASK], >=, 0);
1161	}
1162	return (space);
1163}
1164
1165/*
1166 * How much space would dd have available if ancestor had delta applied
1167 * to it?  If ondiskonly is set, we're only interested in what's
1168 * on-disk, not estimated pending changes.
1169 */
1170uint64_t
1171dsl_dir_space_available(dsl_dir_t *dd,
1172    dsl_dir_t *ancestor, int64_t delta, int ondiskonly)
1173{
1174	uint64_t parentspace, myspace, quota, used;
1175
1176	/*
1177	 * If there are no restrictions otherwise, assume we have
1178	 * unlimited space available.
1179	 */
1180	quota = UINT64_MAX;
1181	parentspace = UINT64_MAX;
1182
1183	if (dd->dd_parent != NULL) {
1184		parentspace = dsl_dir_space_available(dd->dd_parent,
1185		    ancestor, delta, ondiskonly);
1186	}
1187
1188	mutex_enter(&dd->dd_lock);
1189	if (dsl_dir_phys(dd)->dd_quota != 0)
1190		quota = dsl_dir_phys(dd)->dd_quota;
1191	used = dsl_dir_phys(dd)->dd_used_bytes;
1192	if (!ondiskonly)
1193		used += dsl_dir_space_towrite(dd);
1194
1195	if (dd->dd_parent == NULL) {
1196		uint64_t poolsize = dsl_pool_adjustedsize(dd->dd_pool, FALSE);
1197		quota = MIN(quota, poolsize);
1198	}
1199
1200	if (dsl_dir_phys(dd)->dd_reserved > used && parentspace != UINT64_MAX) {
1201		/*
1202		 * We have some space reserved, in addition to what our
1203		 * parent gave us.
1204		 */
1205		parentspace += dsl_dir_phys(dd)->dd_reserved - used;
1206	}
1207
1208	if (dd == ancestor) {
1209		ASSERT(delta <= 0);
1210		ASSERT(used >= -delta);
1211		used += delta;
1212		if (parentspace != UINT64_MAX)
1213			parentspace -= delta;
1214	}
1215
1216	if (used > quota) {
1217		/* over quota */
1218		myspace = 0;
1219	} else {
1220		/*
1221		 * the lesser of the space provided by our parent and
1222		 * the space left in our quota
1223		 */
1224		myspace = MIN(parentspace, quota - used);
1225	}
1226
1227	mutex_exit(&dd->dd_lock);
1228
1229	return (myspace);
1230}
1231
1232struct tempreserve {
1233	list_node_t tr_node;
1234	dsl_dir_t *tr_ds;
1235	uint64_t tr_size;
1236};
1237
1238static int
1239dsl_dir_tempreserve_impl(dsl_dir_t *dd, uint64_t asize, boolean_t netfree,
1240    boolean_t ignorequota, list_t *tr_list,
1241    dmu_tx_t *tx, boolean_t first)
1242{
1243	uint64_t txg = tx->tx_txg;
1244	uint64_t quota;
1245	struct tempreserve *tr;
1246	int retval = EDQUOT;
1247	uint64_t ref_rsrv = 0;
1248
1249	ASSERT3U(txg, !=, 0);
1250	ASSERT3S(asize, >, 0);
1251
1252	mutex_enter(&dd->dd_lock);
1253
1254	/*
1255	 * Check against the dsl_dir's quota.  We don't add in the delta
1256	 * when checking for over-quota because they get one free hit.
1257	 */
1258	uint64_t est_inflight = dsl_dir_space_towrite(dd);
1259	for (int i = 0; i < TXG_SIZE; i++)
1260		est_inflight += dd->dd_tempreserved[i];
1261	uint64_t used_on_disk = dsl_dir_phys(dd)->dd_used_bytes;
1262
1263	/*
1264	 * On the first iteration, fetch the dataset's used-on-disk and
1265	 * refreservation values. Also, if checkrefquota is set, test if
1266	 * allocating this space would exceed the dataset's refquota.
1267	 */
1268	if (first && tx->tx_objset) {
1269		int error;
1270		dsl_dataset_t *ds = tx->tx_objset->os_dsl_dataset;
1271
1272		error = dsl_dataset_check_quota(ds, !netfree,
1273		    asize, est_inflight, &used_on_disk, &ref_rsrv);
1274		if (error != 0) {
1275			mutex_exit(&dd->dd_lock);
1276			return (error);
1277		}
1278	}
1279
1280	/*
1281	 * If this transaction will result in a net free of space,
1282	 * we want to let it through.
1283	 */
1284	if (ignorequota || netfree || dsl_dir_phys(dd)->dd_quota == 0)
1285		quota = UINT64_MAX;
1286	else
1287		quota = dsl_dir_phys(dd)->dd_quota;
1288
1289	/*
1290	 * Adjust the quota against the actual pool size at the root
1291	 * minus any outstanding deferred frees.
1292	 * To ensure that it's possible to remove files from a full
1293	 * pool without inducing transient overcommits, we throttle
1294	 * netfree transactions against a quota that is slightly larger,
1295	 * but still within the pool's allocation slop.  In cases where
1296	 * we're very close to full, this will allow a steady trickle of
1297	 * removes to get through.
1298	 */
1299	uint64_t deferred = 0;
1300	if (dd->dd_parent == NULL) {
1301		spa_t *spa = dd->dd_pool->dp_spa;
1302		uint64_t poolsize = dsl_pool_adjustedsize(dd->dd_pool, netfree);
1303		deferred = metaslab_class_get_deferred(spa_normal_class(spa));
1304		if (poolsize - deferred < quota) {
1305			quota = poolsize - deferred;
1306			retval = ENOSPC;
1307		}
1308	}
1309
1310	/*
1311	 * If they are requesting more space, and our current estimate
1312	 * is over quota, they get to try again unless the actual
1313	 * on-disk is over quota and there are no pending changes (which
1314	 * may free up space for us).
1315	 */
1316	if (used_on_disk + est_inflight >= quota) {
1317		if (est_inflight > 0 || used_on_disk < quota ||
1318		    (retval == ENOSPC && used_on_disk < quota + deferred))
1319			retval = ERESTART;
1320		dprintf_dd(dd, "failing: used=%lluK inflight = %lluK "
1321		    "quota=%lluK tr=%lluK err=%d\n",
1322		    used_on_disk>>10, est_inflight>>10,
1323		    quota>>10, asize>>10, retval);
1324		mutex_exit(&dd->dd_lock);
1325		return (SET_ERROR(retval));
1326	}
1327
1328	/* We need to up our estimated delta before dropping dd_lock */
1329	dd->dd_tempreserved[txg & TXG_MASK] += asize;
1330
1331	uint64_t parent_rsrv = parent_delta(dd, used_on_disk + est_inflight,
1332	    asize - ref_rsrv);
1333	mutex_exit(&dd->dd_lock);
1334
1335	tr = kmem_zalloc(sizeof (struct tempreserve), KM_SLEEP);
1336	tr->tr_ds = dd;
1337	tr->tr_size = asize;
1338	list_insert_tail(tr_list, tr);
1339
1340	/* see if it's OK with our parent */
1341	if (dd->dd_parent != NULL && parent_rsrv != 0) {
1342		boolean_t ismos = (dsl_dir_phys(dd)->dd_head_dataset_obj == 0);
1343
1344		return (dsl_dir_tempreserve_impl(dd->dd_parent,
1345		    parent_rsrv, netfree, ismos, tr_list, tx, B_FALSE));
1346	} else {
1347		return (0);
1348	}
1349}
1350
1351/*
1352 * Reserve space in this dsl_dir, to be used in this tx's txg.
1353 * After the space has been dirtied (and dsl_dir_willuse_space()
1354 * has been called), the reservation should be canceled, using
1355 * dsl_dir_tempreserve_clear().
1356 */
1357int
1358dsl_dir_tempreserve_space(dsl_dir_t *dd, uint64_t lsize, uint64_t asize,
1359    boolean_t netfree, void **tr_cookiep, dmu_tx_t *tx)
1360{
1361	int err;
1362	list_t *tr_list;
1363
1364	if (asize == 0) {
1365		*tr_cookiep = NULL;
1366		return (0);
1367	}
1368
1369	tr_list = kmem_alloc(sizeof (list_t), KM_SLEEP);
1370	list_create(tr_list, sizeof (struct tempreserve),
1371	    offsetof(struct tempreserve, tr_node));
1372	ASSERT3S(asize, >, 0);
1373
1374	err = arc_tempreserve_space(lsize, tx->tx_txg);
1375	if (err == 0) {
1376		struct tempreserve *tr;
1377
1378		tr = kmem_zalloc(sizeof (struct tempreserve), KM_SLEEP);
1379		tr->tr_size = lsize;
1380		list_insert_tail(tr_list, tr);
1381	} else {
1382		if (err == EAGAIN) {
1383			/*
1384			 * If arc_memory_throttle() detected that pageout
1385			 * is running and we are low on memory, we delay new
1386			 * non-pageout transactions to give pageout an
1387			 * advantage.
1388			 *
1389			 * It is unfortunate to be delaying while the caller's
1390			 * locks are held.
1391			 */
1392			txg_delay(dd->dd_pool, tx->tx_txg,
1393			    MSEC2NSEC(10), MSEC2NSEC(10));
1394			err = SET_ERROR(ERESTART);
1395		}
1396	}
1397
1398	if (err == 0) {
1399		err = dsl_dir_tempreserve_impl(dd, asize, netfree,
1400		    B_FALSE, tr_list, tx, B_TRUE);
1401	}
1402
1403	if (err != 0)
1404		dsl_dir_tempreserve_clear(tr_list, tx);
1405	else
1406		*tr_cookiep = tr_list;
1407
1408	return (err);
1409}
1410
1411/*
1412 * Clear a temporary reservation that we previously made with
1413 * dsl_dir_tempreserve_space().
1414 */
1415void
1416dsl_dir_tempreserve_clear(void *tr_cookie, dmu_tx_t *tx)
1417{
1418	int txgidx = tx->tx_txg & TXG_MASK;
1419	list_t *tr_list = tr_cookie;
1420	struct tempreserve *tr;
1421
1422	ASSERT3U(tx->tx_txg, !=, 0);
1423
1424	if (tr_cookie == NULL)
1425		return;
1426
1427	while ((tr = list_head(tr_list)) != NULL) {
1428		if (tr->tr_ds) {
1429			mutex_enter(&tr->tr_ds->dd_lock);
1430			ASSERT3U(tr->tr_ds->dd_tempreserved[txgidx], >=,
1431			    tr->tr_size);
1432			tr->tr_ds->dd_tempreserved[txgidx] -= tr->tr_size;
1433			mutex_exit(&tr->tr_ds->dd_lock);
1434		} else {
1435			arc_tempreserve_clear(tr->tr_size);
1436		}
1437		list_remove(tr_list, tr);
1438		kmem_free(tr, sizeof (struct tempreserve));
1439	}
1440
1441	kmem_free(tr_list, sizeof (list_t));
1442}
1443
1444/*
1445 * This should be called from open context when we think we're going to write
1446 * or free space, for example when dirtying data. Be conservative; it's okay
1447 * to write less space or free more, but we don't want to write more or free
1448 * less than the amount specified.
1449 */
1450void
1451dsl_dir_willuse_space(dsl_dir_t *dd, int64_t space, dmu_tx_t *tx)
1452{
1453	int64_t parent_space;
1454	uint64_t est_used;
1455
1456	mutex_enter(&dd->dd_lock);
1457	if (space > 0)
1458		dd->dd_space_towrite[tx->tx_txg & TXG_MASK] += space;
1459
1460	est_used = dsl_dir_space_towrite(dd) + dsl_dir_phys(dd)->dd_used_bytes;
1461	parent_space = parent_delta(dd, est_used, space);
1462	mutex_exit(&dd->dd_lock);
1463
1464	/* Make sure that we clean up dd_space_to* */
1465	dsl_dir_dirty(dd, tx);
1466
1467	/* XXX this is potentially expensive and unnecessary... */
1468	if (parent_space && dd->dd_parent)
1469		dsl_dir_willuse_space(dd->dd_parent, parent_space, tx);
1470}
1471
1472/* call from syncing context when we actually write/free space for this dd */
1473void
1474dsl_dir_diduse_space(dsl_dir_t *dd, dd_used_t type,
1475    int64_t used, int64_t compressed, int64_t uncompressed, dmu_tx_t *tx)
1476{
1477	int64_t accounted_delta;
1478
1479	/*
1480	 * dsl_dataset_set_refreservation_sync_impl() calls this with
1481	 * dd_lock held, so that it can atomically update
1482	 * ds->ds_reserved and the dsl_dir accounting, so that
1483	 * dsl_dataset_check_quota() can see dataset and dir accounting
1484	 * consistently.
1485	 */
1486	boolean_t needlock = !MUTEX_HELD(&dd->dd_lock);
1487
1488	ASSERT(dmu_tx_is_syncing(tx));
1489	ASSERT(type < DD_USED_NUM);
1490
1491	dmu_buf_will_dirty(dd->dd_dbuf, tx);
1492
1493	if (needlock)
1494		mutex_enter(&dd->dd_lock);
1495	accounted_delta =
1496	    parent_delta(dd, dsl_dir_phys(dd)->dd_used_bytes, used);
1497	ASSERT(used >= 0 || dsl_dir_phys(dd)->dd_used_bytes >= -used);
1498	ASSERT(compressed >= 0 ||
1499	    dsl_dir_phys(dd)->dd_compressed_bytes >= -compressed);
1500	ASSERT(uncompressed >= 0 ||
1501	    dsl_dir_phys(dd)->dd_uncompressed_bytes >= -uncompressed);
1502	dsl_dir_phys(dd)->dd_used_bytes += used;
1503	dsl_dir_phys(dd)->dd_uncompressed_bytes += uncompressed;
1504	dsl_dir_phys(dd)->dd_compressed_bytes += compressed;
1505
1506	if (dsl_dir_phys(dd)->dd_flags & DD_FLAG_USED_BREAKDOWN) {
1507		ASSERT(used > 0 ||
1508		    dsl_dir_phys(dd)->dd_used_breakdown[type] >= -used);
1509		dsl_dir_phys(dd)->dd_used_breakdown[type] += used;
1510#ifdef DEBUG
1511		dd_used_t t;
1512		uint64_t u = 0;
1513		for (t = 0; t < DD_USED_NUM; t++)
1514			u += dsl_dir_phys(dd)->dd_used_breakdown[t];
1515		ASSERT3U(u, ==, dsl_dir_phys(dd)->dd_used_bytes);
1516#endif
1517	}
1518	if (needlock)
1519		mutex_exit(&dd->dd_lock);
1520
1521	if (dd->dd_parent != NULL) {
1522		dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD,
1523		    accounted_delta, compressed, uncompressed, tx);
1524		dsl_dir_transfer_space(dd->dd_parent,
1525		    used - accounted_delta,
1526		    DD_USED_CHILD_RSRV, DD_USED_CHILD, tx);
1527	}
1528}
1529
1530void
1531dsl_dir_transfer_space(dsl_dir_t *dd, int64_t delta,
1532    dd_used_t oldtype, dd_used_t newtype, dmu_tx_t *tx)
1533{
1534	ASSERT(dmu_tx_is_syncing(tx));
1535	ASSERT(oldtype < DD_USED_NUM);
1536	ASSERT(newtype < DD_USED_NUM);
1537
1538	if (delta == 0 ||
1539	    !(dsl_dir_phys(dd)->dd_flags & DD_FLAG_USED_BREAKDOWN))
1540		return;
1541
1542	dmu_buf_will_dirty(dd->dd_dbuf, tx);
1543	mutex_enter(&dd->dd_lock);
1544	ASSERT(delta > 0 ?
1545	    dsl_dir_phys(dd)->dd_used_breakdown[oldtype] >= delta :
1546	    dsl_dir_phys(dd)->dd_used_breakdown[newtype] >= -delta);
1547	ASSERT(dsl_dir_phys(dd)->dd_used_bytes >= ABS(delta));
1548	dsl_dir_phys(dd)->dd_used_breakdown[oldtype] -= delta;
1549	dsl_dir_phys(dd)->dd_used_breakdown[newtype] += delta;
1550	mutex_exit(&dd->dd_lock);
1551}
1552
1553typedef struct dsl_dir_set_qr_arg {
1554	const char *ddsqra_name;
1555	zprop_source_t ddsqra_source;
1556	uint64_t ddsqra_value;
1557} dsl_dir_set_qr_arg_t;
1558
1559static int
1560dsl_dir_set_quota_check(void *arg, dmu_tx_t *tx)
1561{
1562	dsl_dir_set_qr_arg_t *ddsqra = arg;
1563	dsl_pool_t *dp = dmu_tx_pool(tx);
1564	dsl_dataset_t *ds;
1565	int error;
1566	uint64_t towrite, newval;
1567
1568	error = dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds);
1569	if (error != 0)
1570		return (error);
1571
1572	error = dsl_prop_predict(ds->ds_dir, "quota",
1573	    ddsqra->ddsqra_source, ddsqra->ddsqra_value, &newval);
1574	if (error != 0) {
1575		dsl_dataset_rele(ds, FTAG);
1576		return (error);
1577	}
1578
1579	if (newval == 0) {
1580		dsl_dataset_rele(ds, FTAG);
1581		return (0);
1582	}
1583
1584	mutex_enter(&ds->ds_dir->dd_lock);
1585	/*
1586	 * If we are doing the preliminary check in open context, and
1587	 * there are pending changes, then don't fail it, since the
1588	 * pending changes could under-estimate the amount of space to be
1589	 * freed up.
1590	 */
1591	towrite = dsl_dir_space_towrite(ds->ds_dir);
1592	if ((dmu_tx_is_syncing(tx) || towrite == 0) &&
1593	    (newval < dsl_dir_phys(ds->ds_dir)->dd_reserved ||
1594	    newval < dsl_dir_phys(ds->ds_dir)->dd_used_bytes + towrite)) {
1595		error = SET_ERROR(ENOSPC);
1596	}
1597	mutex_exit(&ds->ds_dir->dd_lock);
1598	dsl_dataset_rele(ds, FTAG);
1599	return (error);
1600}
1601
1602static void
1603dsl_dir_set_quota_sync(void *arg, dmu_tx_t *tx)
1604{
1605	dsl_dir_set_qr_arg_t *ddsqra = arg;
1606	dsl_pool_t *dp = dmu_tx_pool(tx);
1607	dsl_dataset_t *ds;
1608	uint64_t newval;
1609
1610	VERIFY0(dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds));
1611
1612	if (spa_version(dp->dp_spa) >= SPA_VERSION_RECVD_PROPS) {
1613		dsl_prop_set_sync_impl(ds, zfs_prop_to_name(ZFS_PROP_QUOTA),
1614		    ddsqra->ddsqra_source, sizeof (ddsqra->ddsqra_value), 1,
1615		    &ddsqra->ddsqra_value, tx);
1616
1617		VERIFY0(dsl_prop_get_int_ds(ds,
1618		    zfs_prop_to_name(ZFS_PROP_QUOTA), &newval));
1619	} else {
1620		newval = ddsqra->ddsqra_value;
1621		spa_history_log_internal_ds(ds, "set", tx, "%s=%lld",
1622		    zfs_prop_to_name(ZFS_PROP_QUOTA), (longlong_t)newval);
1623	}
1624
1625	dmu_buf_will_dirty(ds->ds_dir->dd_dbuf, tx);
1626	mutex_enter(&ds->ds_dir->dd_lock);
1627	dsl_dir_phys(ds->ds_dir)->dd_quota = newval;
1628	mutex_exit(&ds->ds_dir->dd_lock);
1629	dsl_dataset_rele(ds, FTAG);
1630}
1631
1632int
1633dsl_dir_set_quota(const char *ddname, zprop_source_t source, uint64_t quota)
1634{
1635	dsl_dir_set_qr_arg_t ddsqra;
1636
1637	ddsqra.ddsqra_name = ddname;
1638	ddsqra.ddsqra_source = source;
1639	ddsqra.ddsqra_value = quota;
1640
1641	return (dsl_sync_task(ddname, dsl_dir_set_quota_check,
1642	    dsl_dir_set_quota_sync, &ddsqra, 0, ZFS_SPACE_CHECK_NONE));
1643}
1644
1645int
1646dsl_dir_set_reservation_check(void *arg, dmu_tx_t *tx)
1647{
1648	dsl_dir_set_qr_arg_t *ddsqra = arg;
1649	dsl_pool_t *dp = dmu_tx_pool(tx);
1650	dsl_dataset_t *ds;
1651	dsl_dir_t *dd;
1652	uint64_t newval, used, avail;
1653	int error;
1654
1655	error = dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds);
1656	if (error != 0)
1657		return (error);
1658	dd = ds->ds_dir;
1659
1660	/*
1661	 * If we are doing the preliminary check in open context, the
1662	 * space estimates may be inaccurate.
1663	 */
1664	if (!dmu_tx_is_syncing(tx)) {
1665		dsl_dataset_rele(ds, FTAG);
1666		return (0);
1667	}
1668
1669	error = dsl_prop_predict(ds->ds_dir,
1670	    zfs_prop_to_name(ZFS_PROP_RESERVATION),
1671	    ddsqra->ddsqra_source, ddsqra->ddsqra_value, &newval);
1672	if (error != 0) {
1673		dsl_dataset_rele(ds, FTAG);
1674		return (error);
1675	}
1676
1677	mutex_enter(&dd->dd_lock);
1678	used = dsl_dir_phys(dd)->dd_used_bytes;
1679	mutex_exit(&dd->dd_lock);
1680
1681	if (dd->dd_parent) {
1682		avail = dsl_dir_space_available(dd->dd_parent,
1683		    NULL, 0, FALSE);
1684	} else {
1685		avail = dsl_pool_adjustedsize(dd->dd_pool, B_FALSE) - used;
1686	}
1687
1688	if (MAX(used, newval) > MAX(used, dsl_dir_phys(dd)->dd_reserved)) {
1689		uint64_t delta = MAX(used, newval) -
1690		    MAX(used, dsl_dir_phys(dd)->dd_reserved);
1691
1692		if (delta > avail ||
1693		    (dsl_dir_phys(dd)->dd_quota > 0 &&
1694		    newval > dsl_dir_phys(dd)->dd_quota))
1695			error = SET_ERROR(ENOSPC);
1696	}
1697
1698	dsl_dataset_rele(ds, FTAG);
1699	return (error);
1700}
1701
1702void
1703dsl_dir_set_reservation_sync_impl(dsl_dir_t *dd, uint64_t value, dmu_tx_t *tx)
1704{
1705	uint64_t used;
1706	int64_t delta;
1707
1708	dmu_buf_will_dirty(dd->dd_dbuf, tx);
1709
1710	mutex_enter(&dd->dd_lock);
1711	used = dsl_dir_phys(dd)->dd_used_bytes;
1712	delta = MAX(used, value) - MAX(used, dsl_dir_phys(dd)->dd_reserved);
1713	dsl_dir_phys(dd)->dd_reserved = value;
1714
1715	if (dd->dd_parent != NULL) {
1716		/* Roll up this additional usage into our ancestors */
1717		dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD_RSRV,
1718		    delta, 0, 0, tx);
1719	}
1720	mutex_exit(&dd->dd_lock);
1721}
1722
1723
1724static void
1725dsl_dir_set_reservation_sync(void *arg, dmu_tx_t *tx)
1726{
1727	dsl_dir_set_qr_arg_t *ddsqra = arg;
1728	dsl_pool_t *dp = dmu_tx_pool(tx);
1729	dsl_dataset_t *ds;
1730	uint64_t newval;
1731
1732	VERIFY0(dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds));
1733
1734	if (spa_version(dp->dp_spa) >= SPA_VERSION_RECVD_PROPS) {
1735		dsl_prop_set_sync_impl(ds,
1736		    zfs_prop_to_name(ZFS_PROP_RESERVATION),
1737		    ddsqra->ddsqra_source, sizeof (ddsqra->ddsqra_value), 1,
1738		    &ddsqra->ddsqra_value, tx);
1739
1740		VERIFY0(dsl_prop_get_int_ds(ds,
1741		    zfs_prop_to_name(ZFS_PROP_RESERVATION), &newval));
1742	} else {
1743		newval = ddsqra->ddsqra_value;
1744		spa_history_log_internal_ds(ds, "set", tx, "%s=%lld",
1745		    zfs_prop_to_name(ZFS_PROP_RESERVATION),
1746		    (longlong_t)newval);
1747	}
1748
1749	dsl_dir_set_reservation_sync_impl(ds->ds_dir, newval, tx);
1750	dsl_dataset_rele(ds, FTAG);
1751}
1752
1753int
1754dsl_dir_set_reservation(const char *ddname, zprop_source_t source,
1755    uint64_t reservation)
1756{
1757	dsl_dir_set_qr_arg_t ddsqra;
1758
1759	ddsqra.ddsqra_name = ddname;
1760	ddsqra.ddsqra_source = source;
1761	ddsqra.ddsqra_value = reservation;
1762
1763	return (dsl_sync_task(ddname, dsl_dir_set_reservation_check,
1764	    dsl_dir_set_reservation_sync, &ddsqra, 0, ZFS_SPACE_CHECK_NONE));
1765}
1766
1767static dsl_dir_t *
1768closest_common_ancestor(dsl_dir_t *ds1, dsl_dir_t *ds2)
1769{
1770	for (; ds1; ds1 = ds1->dd_parent) {
1771		dsl_dir_t *dd;
1772		for (dd = ds2; dd; dd = dd->dd_parent) {
1773			if (ds1 == dd)
1774				return (dd);
1775		}
1776	}
1777	return (NULL);
1778}
1779
1780/*
1781 * If delta is applied to dd, how much of that delta would be applied to
1782 * ancestor?  Syncing context only.
1783 */
1784static int64_t
1785would_change(dsl_dir_t *dd, int64_t delta, dsl_dir_t *ancestor)
1786{
1787	if (dd == ancestor)
1788		return (delta);
1789
1790	mutex_enter(&dd->dd_lock);
1791	delta = parent_delta(dd, dsl_dir_phys(dd)->dd_used_bytes, delta);
1792	mutex_exit(&dd->dd_lock);
1793	return (would_change(dd->dd_parent, delta, ancestor));
1794}
1795
1796typedef struct dsl_dir_rename_arg {
1797	const char *ddra_oldname;
1798	const char *ddra_newname;
1799	cred_t *ddra_cred;
1800} dsl_dir_rename_arg_t;
1801
1802/* ARGSUSED */
1803static int
1804dsl_valid_rename(dsl_pool_t *dp, dsl_dataset_t *ds, void *arg)
1805{
1806	int *deltap = arg;
1807	char namebuf[ZFS_MAX_DATASET_NAME_LEN];
1808
1809	dsl_dataset_name(ds, namebuf);
1810
1811	if (strlen(namebuf) + *deltap >= ZFS_MAX_DATASET_NAME_LEN)
1812		return (SET_ERROR(ENAMETOOLONG));
1813	return (0);
1814}
1815
1816static int
1817dsl_dir_rename_check(void *arg, dmu_tx_t *tx)
1818{
1819	dsl_dir_rename_arg_t *ddra = arg;
1820	dsl_pool_t *dp = dmu_tx_pool(tx);
1821	dsl_dir_t *dd, *newparent;
1822	const char *mynewname;
1823	int error;
1824	int delta = strlen(ddra->ddra_newname) - strlen(ddra->ddra_oldname);
1825
1826	/* target dir should exist */
1827	error = dsl_dir_hold(dp, ddra->ddra_oldname, FTAG, &dd, NULL);
1828	if (error != 0)
1829		return (error);
1830
1831	/* new parent should exist */
1832	error = dsl_dir_hold(dp, ddra->ddra_newname, FTAG,
1833	    &newparent, &mynewname);
1834	if (error != 0) {
1835		dsl_dir_rele(dd, FTAG);
1836		return (error);
1837	}
1838
1839	/* can't rename to different pool */
1840	if (dd->dd_pool != newparent->dd_pool) {
1841		dsl_dir_rele(newparent, FTAG);
1842		dsl_dir_rele(dd, FTAG);
1843		return (SET_ERROR(ENXIO));
1844	}
1845
1846	/* new name should not already exist */
1847	if (mynewname == NULL) {
1848		dsl_dir_rele(newparent, FTAG);
1849		dsl_dir_rele(dd, FTAG);
1850		return (SET_ERROR(EEXIST));
1851	}
1852
1853	/* if the name length is growing, validate child name lengths */
1854	if (delta > 0) {
1855		error = dmu_objset_find_dp(dp, dd->dd_object, dsl_valid_rename,
1856		    &delta, DS_FIND_CHILDREN | DS_FIND_SNAPSHOTS);
1857		if (error != 0) {
1858			dsl_dir_rele(newparent, FTAG);
1859			dsl_dir_rele(dd, FTAG);
1860			return (error);
1861		}
1862	}
1863
1864	if (dmu_tx_is_syncing(tx)) {
1865		if (spa_feature_is_active(dp->dp_spa,
1866		    SPA_FEATURE_FS_SS_LIMIT)) {
1867			/*
1868			 * Although this is the check function and we don't
1869			 * normally make on-disk changes in check functions,
1870			 * we need to do that here.
1871			 *
1872			 * Ensure this portion of the tree's counts have been
1873			 * initialized in case the new parent has limits set.
1874			 */
1875			dsl_dir_init_fs_ss_count(dd, tx);
1876		}
1877	}
1878
1879	if (newparent != dd->dd_parent) {
1880		/* is there enough space? */
1881		uint64_t myspace =
1882		    MAX(dsl_dir_phys(dd)->dd_used_bytes,
1883		    dsl_dir_phys(dd)->dd_reserved);
1884		objset_t *os = dd->dd_pool->dp_meta_objset;
1885		uint64_t fs_cnt = 0;
1886		uint64_t ss_cnt = 0;
1887
1888		if (dsl_dir_is_zapified(dd)) {
1889			int err;
1890
1891			err = zap_lookup(os, dd->dd_object,
1892			    DD_FIELD_FILESYSTEM_COUNT, sizeof (fs_cnt), 1,
1893			    &fs_cnt);
1894			if (err != ENOENT && err != 0) {
1895				dsl_dir_rele(newparent, FTAG);
1896				dsl_dir_rele(dd, FTAG);
1897				return (err);
1898			}
1899
1900			/*
1901			 * have to add 1 for the filesystem itself that we're
1902			 * moving
1903			 */
1904			fs_cnt++;
1905
1906			err = zap_lookup(os, dd->dd_object,
1907			    DD_FIELD_SNAPSHOT_COUNT, sizeof (ss_cnt), 1,
1908			    &ss_cnt);
1909			if (err != ENOENT && err != 0) {
1910				dsl_dir_rele(newparent, FTAG);
1911				dsl_dir_rele(dd, FTAG);
1912				return (err);
1913			}
1914		}
1915
1916		/* no rename into our descendant */
1917		if (closest_common_ancestor(dd, newparent) == dd) {
1918			dsl_dir_rele(newparent, FTAG);
1919			dsl_dir_rele(dd, FTAG);
1920			return (SET_ERROR(EINVAL));
1921		}
1922
1923		error = dsl_dir_transfer_possible(dd->dd_parent,
1924		    newparent, fs_cnt, ss_cnt, myspace, ddra->ddra_cred);
1925		if (error != 0) {
1926			dsl_dir_rele(newparent, FTAG);
1927			dsl_dir_rele(dd, FTAG);
1928			return (error);
1929		}
1930	}
1931
1932	dsl_dir_rele(newparent, FTAG);
1933	dsl_dir_rele(dd, FTAG);
1934	return (0);
1935}
1936
1937static void
1938dsl_dir_rename_sync(void *arg, dmu_tx_t *tx)
1939{
1940	dsl_dir_rename_arg_t *ddra = arg;
1941	dsl_pool_t *dp = dmu_tx_pool(tx);
1942	dsl_dir_t *dd, *newparent;
1943	const char *mynewname;
1944	int error;
1945	objset_t *mos = dp->dp_meta_objset;
1946
1947	VERIFY0(dsl_dir_hold(dp, ddra->ddra_oldname, FTAG, &dd, NULL));
1948	VERIFY0(dsl_dir_hold(dp, ddra->ddra_newname, FTAG, &newparent,
1949	    &mynewname));
1950
1951	/* Log this before we change the name. */
1952	spa_history_log_internal_dd(dd, "rename", tx,
1953	    "-> %s", ddra->ddra_newname);
1954
1955	if (newparent != dd->dd_parent) {
1956		objset_t *os = dd->dd_pool->dp_meta_objset;
1957		uint64_t fs_cnt = 0;
1958		uint64_t ss_cnt = 0;
1959
1960		/*
1961		 * We already made sure the dd counts were initialized in the
1962		 * check function.
1963		 */
1964		if (spa_feature_is_active(dp->dp_spa,
1965		    SPA_FEATURE_FS_SS_LIMIT)) {
1966			VERIFY0(zap_lookup(os, dd->dd_object,
1967			    DD_FIELD_FILESYSTEM_COUNT, sizeof (fs_cnt), 1,
1968			    &fs_cnt));
1969			/* add 1 for the filesystem itself that we're moving */
1970			fs_cnt++;
1971
1972			VERIFY0(zap_lookup(os, dd->dd_object,
1973			    DD_FIELD_SNAPSHOT_COUNT, sizeof (ss_cnt), 1,
1974			    &ss_cnt));
1975		}
1976
1977		dsl_fs_ss_count_adjust(dd->dd_parent, -fs_cnt,
1978		    DD_FIELD_FILESYSTEM_COUNT, tx);
1979		dsl_fs_ss_count_adjust(newparent, fs_cnt,
1980		    DD_FIELD_FILESYSTEM_COUNT, tx);
1981
1982		dsl_fs_ss_count_adjust(dd->dd_parent, -ss_cnt,
1983		    DD_FIELD_SNAPSHOT_COUNT, tx);
1984		dsl_fs_ss_count_adjust(newparent, ss_cnt,
1985		    DD_FIELD_SNAPSHOT_COUNT, tx);
1986
1987		dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD,
1988		    -dsl_dir_phys(dd)->dd_used_bytes,
1989		    -dsl_dir_phys(dd)->dd_compressed_bytes,
1990		    -dsl_dir_phys(dd)->dd_uncompressed_bytes, tx);
1991		dsl_dir_diduse_space(newparent, DD_USED_CHILD,
1992		    dsl_dir_phys(dd)->dd_used_bytes,
1993		    dsl_dir_phys(dd)->dd_compressed_bytes,
1994		    dsl_dir_phys(dd)->dd_uncompressed_bytes, tx);
1995
1996		if (dsl_dir_phys(dd)->dd_reserved >
1997		    dsl_dir_phys(dd)->dd_used_bytes) {
1998			uint64_t unused_rsrv = dsl_dir_phys(dd)->dd_reserved -
1999			    dsl_dir_phys(dd)->dd_used_bytes;
2000
2001			dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD_RSRV,
2002			    -unused_rsrv, 0, 0, tx);
2003			dsl_dir_diduse_space(newparent, DD_USED_CHILD_RSRV,
2004			    unused_rsrv, 0, 0, tx);
2005		}
2006	}
2007
2008	dmu_buf_will_dirty(dd->dd_dbuf, tx);
2009
2010	/* remove from old parent zapobj */
2011	error = zap_remove(mos,
2012	    dsl_dir_phys(dd->dd_parent)->dd_child_dir_zapobj,
2013	    dd->dd_myname, tx);
2014	ASSERT0(error);
2015
2016	(void) strcpy(dd->dd_myname, mynewname);
2017	dsl_dir_rele(dd->dd_parent, dd);
2018	dsl_dir_phys(dd)->dd_parent_obj = newparent->dd_object;
2019	VERIFY0(dsl_dir_hold_obj(dp,
2020	    newparent->dd_object, NULL, dd, &dd->dd_parent));
2021
2022	/* add to new parent zapobj */
2023	VERIFY0(zap_add(mos, dsl_dir_phys(newparent)->dd_child_dir_zapobj,
2024	    dd->dd_myname, 8, 1, &dd->dd_object, tx));
2025
2026	dsl_prop_notify_all(dd);
2027
2028	dsl_dir_rele(newparent, FTAG);
2029	dsl_dir_rele(dd, FTAG);
2030}
2031
2032int
2033dsl_dir_rename(const char *oldname, const char *newname)
2034{
2035	dsl_dir_rename_arg_t ddra;
2036
2037	ddra.ddra_oldname = oldname;
2038	ddra.ddra_newname = newname;
2039	ddra.ddra_cred = CRED();
2040
2041	return (dsl_sync_task(oldname,
2042	    dsl_dir_rename_check, dsl_dir_rename_sync, &ddra,
2043	    3, ZFS_SPACE_CHECK_RESERVED));
2044}
2045
2046int
2047dsl_dir_transfer_possible(dsl_dir_t *sdd, dsl_dir_t *tdd,
2048    uint64_t fs_cnt, uint64_t ss_cnt, uint64_t space, cred_t *cr)
2049{
2050	dsl_dir_t *ancestor;
2051	int64_t adelta;
2052	uint64_t avail;
2053	int err;
2054
2055	ancestor = closest_common_ancestor(sdd, tdd);
2056	adelta = would_change(sdd, -space, ancestor);
2057	avail = dsl_dir_space_available(tdd, ancestor, adelta, FALSE);
2058	if (avail < space)
2059		return (SET_ERROR(ENOSPC));
2060
2061	err = dsl_fs_ss_limit_check(tdd, fs_cnt, ZFS_PROP_FILESYSTEM_LIMIT,
2062	    ancestor, cr);
2063	if (err != 0)
2064		return (err);
2065	err = dsl_fs_ss_limit_check(tdd, ss_cnt, ZFS_PROP_SNAPSHOT_LIMIT,
2066	    ancestor, cr);
2067	if (err != 0)
2068		return (err);
2069
2070	return (0);
2071}
2072
2073timestruc_t
2074dsl_dir_snap_cmtime(dsl_dir_t *dd)
2075{
2076	timestruc_t t;
2077
2078	mutex_enter(&dd->dd_lock);
2079	t = dd->dd_snap_cmtime;
2080	mutex_exit(&dd->dd_lock);
2081
2082	return (t);
2083}
2084
2085void
2086dsl_dir_snap_cmtime_update(dsl_dir_t *dd)
2087{
2088	timestruc_t t;
2089
2090	gethrestime(&t);
2091	mutex_enter(&dd->dd_lock);
2092	dd->dd_snap_cmtime = t;
2093	mutex_exit(&dd->dd_lock);
2094}
2095
2096void
2097dsl_dir_zapify(dsl_dir_t *dd, dmu_tx_t *tx)
2098{
2099	objset_t *mos = dd->dd_pool->dp_meta_objset;
2100	dmu_object_zapify(mos, dd->dd_object, DMU_OT_DSL_DIR, tx);
2101}
2102
2103boolean_t
2104dsl_dir_is_zapified(dsl_dir_t *dd)
2105{
2106	dmu_object_info_t doi;
2107
2108	dmu_object_info_from_db(dd->dd_dbuf, &doi);
2109	return (doi.doi_type == DMU_OTN_ZAP_METADATA);
2110}
2111