1
// SPDX-License-Identifier: CDDL-1.0
2
/*
3
 * CDDL HEADER START
4
 *
5
 * The contents of this file are subject to the terms of the
6
 * Common Development and Distribution License (the "License").
7
 * You may not use this file except in compliance with the License.
8
 *
9
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10
 * or https://opensource.org/licenses/CDDL-1.0.
11
 * See the License for the specific language governing permissions
12
 * and limitations under the License.
13
 *
14
 * When distributing Covered Code, include this CDDL HEADER in each
15
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16
 * If applicable, add the following below this CDDL HEADER, with the
17
 * fields enclosed by brackets "[]" replaced with your own identifying
18
 * information: Portions Copyright [yyyy] [name of copyright owner]
19
 *
20
 * CDDL HEADER END
21
 */
22
/*
23
 * Copyright (c) 2017, 2018 by Delphix. All rights reserved.
24
 */
25

26
#include <sys/zfs_context.h>
27
#include <sys/txg.h>
28
#include <sys/dmu_objset.h>
29
#include <sys/dmu_traverse.h>
30
#include <sys/dmu_redact.h>
31
#include <sys/bqueue.h>
32
#include <sys/objlist.h>
33
#include <sys/dmu_tx.h>
34
#ifdef _KERNEL
35
#include <sys/zfs_vfsops.h>
36
#include <sys/zap.h>
37
#include <sys/zfs_znode.h>
38
#endif
39

40
/*
41
 * This controls the number of entries in the buffer the redaction_list_update
42
 * synctask uses to buffer writes to the redaction list.
43
 */
44
static const int redact_sync_bufsize = 1024;
45

46
/*
47
 * Controls how often to update the redaction list when creating a redaction
48
 * list.
49
 */
50
static const uint64_t redaction_list_update_interval_ns =
51
    1000 * 1000 * 1000ULL; /* 1s */
52

53
/*
54
 * This tunable controls the length of the queues that zfs redact worker threads
55
 * use to communicate.  If the dmu_redact_snap thread is blocking on these
56
 * queues, this variable may need to be increased.  If there is a significant
57
 * slowdown at the start of a redact operation as these threads consume all the
58
 * available IO resources, or the queues are consuming too much memory, this
59
 * variable may need to be decreased.
60
 */
61
static const int zfs_redact_queue_length = 1024 * 1024;
62

63
/*
64
 * These tunables control the fill fraction of the queues by zfs redact. The
65
 * fill fraction controls the frequency with which threads have to be
66
 * cv_signaled. If a lot of cpu time is being spent on cv_signal, then these
67
 * should be tuned down.  If the queues empty before the signalled thread can
68
 * catch up, then these should be tuned up.
69
 */
70
static const uint64_t zfs_redact_queue_ff = 20;
71

72
struct redact_record {
73
	bqueue_node_t		ln;
74
	boolean_t		eos_marker; /* Marks the end of the stream */
75
	uint64_t		start_object;
76
	uint64_t		start_blkid;
77
	uint64_t		end_object;
78
	uint64_t		end_blkid;
79
	uint8_t			indblkshift;
80
	uint32_t		datablksz;
81
};
82

83
struct redact_thread_arg {
84
	bqueue_t	q;
85
	objset_t	*os;		/* Objset to traverse */
86
	dsl_dataset_t	*ds;		/* Dataset to traverse */
87
	struct redact_record *current_record;
88
	int		error_code;
89
	boolean_t	cancel;
90
	zbookmark_phys_t resume;
91
	objlist_t	*deleted_objs;
92
	uint64_t	*num_blocks_visited;
93
	uint64_t	ignore_object;	/* ignore further callbacks on this */
94
	uint64_t	txg; /* txg to traverse since */
95
};
96

97
/*
98
 * The redaction node is a wrapper around the redaction record that is used
99
 * by the redaction merging thread to sort the records and determine overlaps.
100
 *
101
 * It contains two nodes; one sorts the records by their start_zb, and the other
102
 * sorts the records by their end_zb.
103
 */
104
struct redact_node {
105
	avl_node_t			avl_node_start;
106
	avl_node_t			avl_node_end;
107
	struct redact_record		*record;
108
	struct redact_thread_arg	*rt_arg;
109
	uint32_t			thread_num;
110
};
111

112
struct merge_data {
113
	list_t				md_redact_block_pending;
114
	redact_block_phys_t		md_coalesce_block;
115
	uint64_t			md_last_time;
116
	redact_block_phys_t		md_furthest[TXG_SIZE];
117
	/* Lists of struct redact_block_list_node. */
118
	list_t				md_blocks[TXG_SIZE];
119
	boolean_t			md_synctask_txg[TXG_SIZE];
120
	uint64_t			md_latest_synctask_txg;
121
	redaction_list_t		*md_redaction_list;
122
};
123

124
/*
125
 * A wrapper around struct redact_block so it can be stored in a list_t.
126
 */
127
struct redact_block_list_node {
128
	redact_block_phys_t	block;
129
	list_node_t		node;
130
};
131

132
/*
133
 * We've found a new redaction candidate.  In order to improve performance, we
134
 * coalesce these blocks when they're adjacent to each other.  This function
135
 * handles that.  If the new candidate block range is immediately after the
136
 * range we're building, coalesce it into the range we're building.  Otherwise,
137
 * put the record we're building on the queue, and update the build pointer to
138
 * point to the new record.
139
 */
140
static void
141
record_merge_enqueue(bqueue_t *q, struct redact_record **build,
142
    struct redact_record *new)
143
{
144
	if (new->eos_marker) {
145
		if (*build != NULL)
146
			bqueue_enqueue(q, *build, sizeof (**build));
147
		bqueue_enqueue_flush(q, new, sizeof (*new));
148
		return;
149
	}
150
	if (*build == NULL) {
151
		*build = new;
152
		return;
153
	}
154
	struct redact_record *curbuild = *build;
155
	if ((curbuild->end_object == new->start_object &&
156
	    curbuild->end_blkid + 1 == new->start_blkid &&
157
	    curbuild->end_blkid != UINT64_MAX) ||
158
	    (curbuild->end_object + 1 == new->start_object &&
159
	    curbuild->end_blkid == UINT64_MAX && new->start_blkid == 0)) {
160
		curbuild->end_object = new->end_object;
161
		curbuild->end_blkid = new->end_blkid;
162
		kmem_free(new, sizeof (*new));
163
	} else {
164
		bqueue_enqueue(q, curbuild, sizeof (*curbuild));
165
		*build = new;
166
	}
167
}
168
#ifdef _KERNEL
169
struct objnode {
170
	avl_node_t node;
171
	uint64_t obj;
172
};
173

174
static int
175
objnode_compare(const void *o1, const void *o2)
176
{
177
	const struct objnode *obj1 = o1;
178
	const struct objnode *obj2 = o2;
179
	if (obj1->obj < obj2->obj)
180
		return (-1);
181
	if (obj1->obj > obj2->obj)
182
		return (1);
183
	return (0);
184
}
185

186

187
static objlist_t *
188
zfs_get_deleteq(objset_t *os)
189
{
190
	objlist_t *deleteq_objlist = objlist_create();
191
	uint64_t deleteq_obj;
192
	zap_cursor_t zc;
193
	zap_attribute_t *za;
194
	dmu_object_info_t doi;
195

196
	ASSERT3U(os->os_phys->os_type, ==, DMU_OST_ZFS);
197
	VERIFY0(dmu_object_info(os, MASTER_NODE_OBJ, &doi));
198
	ASSERT3U(doi.doi_type, ==, DMU_OT_MASTER_NODE);
199

200
	VERIFY0(zap_lookup(os, MASTER_NODE_OBJ,
201
	    ZFS_UNLINKED_SET, sizeof (uint64_t), 1, &deleteq_obj));
202

203
	/*
204
	 * In order to insert objects into the objlist, they must be in sorted
205
	 * order. We don't know what order we'll get them out of the ZAP in, so
206
	 * we insert them into and remove them from an avl_tree_t to sort them.
207
	 */
208
	avl_tree_t at;
209
	avl_create(&at, objnode_compare, sizeof (struct objnode),
210
	    offsetof(struct objnode, node));
211

212
	za = zap_attribute_alloc();
213
	for (zap_cursor_init(&zc, os, deleteq_obj);
214
	    zap_cursor_retrieve(&zc, za) == 0; zap_cursor_advance(&zc)) {
215
		struct objnode *obj = kmem_zalloc(sizeof (*obj), KM_SLEEP);
216
		obj->obj = za->za_first_integer;
217
		avl_add(&at, obj);
218
	}
219
	zap_cursor_fini(&zc);
220
	zap_attribute_free(za);
221

222
	struct objnode *next, *found = avl_first(&at);
223
	while (found != NULL) {
224
		next = AVL_NEXT(&at, found);
225
		objlist_insert(deleteq_objlist, found->obj);
226
		found = next;
227
	}
228

229
	void *cookie = NULL;
230
	while ((found = avl_destroy_nodes(&at, &cookie)) != NULL)
231
		kmem_free(found, sizeof (*found));
232
	avl_destroy(&at);
233
	return (deleteq_objlist);
234
}
235
#endif
236

237
/*
238
 * This is the callback function to traverse_dataset for the redaction threads
239
 * for dmu_redact_snap.  This thread is responsible for creating redaction
240
 * records for all the data that is modified by the snapshots we're redacting
241
 * with respect to.  Redaction records represent ranges of data that have been
242
 * modified by one of the redaction snapshots, and are stored in the
243
 * redact_record struct. We need to create redaction records for three
244
 * cases:
245
 *
246
 * First, if there's a normal write, we need to create a redaction record for
247
 * that block.
248
 *
249
 * Second, if there's a hole, we need to create a redaction record that covers
250
 * the whole range of the hole.  If the hole is in the meta-dnode, it must cover
251
 * every block in all of the objects in the hole.
252
 *
253
 * Third, if there is a deleted object, we need to create a redaction record for
254
 * all of the blocks in that object.
255
 */
256
static int
257
redact_cb(spa_t *spa, zilog_t *zilog, const blkptr_t *bp,
258
    const zbookmark_phys_t *zb, const struct dnode_phys *dnp, void *arg)
259
{
260
	(void) spa, (void) zilog;
261
	struct redact_thread_arg *rta = arg;
262
	struct redact_record *record;
263

264
	ASSERT(zb->zb_object == DMU_META_DNODE_OBJECT ||
265
	    zb->zb_object >= rta->resume.zb_object);
266

267
	if (rta->cancel)
268
		return (SET_ERROR(EINTR));
269

270
	if (rta->ignore_object == zb->zb_object)
271
		return (0);
272

273
	/*
274
	 * If we're visiting a dnode, we need to handle the case where the
275
	 * object has been deleted.
276
	 */
277
	if (zb->zb_level == ZB_DNODE_LEVEL) {
278
		ASSERT3U(zb->zb_level, ==, ZB_DNODE_LEVEL);
279

280
		if (zb->zb_object == 0)
281
			return (0);
282

283
		/*
284
		 * If the object has been deleted, redact all of the blocks in
285
		 * it.
286
		 */
287
		if (dnp->dn_type == DMU_OT_NONE ||
288
		    objlist_exists(rta->deleted_objs, zb->zb_object)) {
289
			rta->ignore_object = zb->zb_object;
290
			record = kmem_zalloc(sizeof (struct redact_record),
291
			    KM_SLEEP);
292

293
			record->eos_marker = B_FALSE;
294
			record->start_object = record->end_object =
295
			    zb->zb_object;
296
			record->start_blkid = 0;
297
			record->end_blkid = UINT64_MAX;
298
			record_merge_enqueue(&rta->q,
299
			    &rta->current_record, record);
300
		}
301
		return (0);
302
	} else if (zb->zb_level < 0) {
303
		return (0);
304
	} else if (zb->zb_level > 0 && !BP_IS_HOLE(bp)) {
305
		/*
306
		 * If this is an indirect block, but not a hole, it doesn't
307
		 * provide any useful information for redaction, so ignore it.
308
		 */
309
		return (0);
310
	}
311

312
	/*
313
	 * At this point, there are two options left for the type of block we're
314
	 * looking at.  Either this is a hole (which could be in the dnode or
315
	 * the meta-dnode), or it's a level 0 block of some sort.  If it's a
316
	 * hole, we create a redaction record that covers the whole range.  If
317
	 * the hole is in a dnode, we need to redact all the blocks in that
318
	 * hole.  If the hole is in the meta-dnode, we instead need to redact
319
	 * all blocks in every object covered by that hole.  If it's a level 0
320
	 * block, we only need to redact that single block.
321
	 */
322
	record = kmem_zalloc(sizeof (struct redact_record), KM_SLEEP);
323
	record->eos_marker = B_FALSE;
324

325
	record->start_object = record->end_object = zb->zb_object;
326
	if (BP_IS_HOLE(bp)) {
327
		record->start_blkid = zb->zb_blkid *
328
		    bp_span_in_blocks(dnp->dn_indblkshift, zb->zb_level);
329

330
		record->end_blkid = ((zb->zb_blkid + 1) *
331
		    bp_span_in_blocks(dnp->dn_indblkshift, zb->zb_level)) - 1;
332

333
		if (zb->zb_object == DMU_META_DNODE_OBJECT) {
334
			record->start_object = record->start_blkid *
335
			    ((SPA_MINBLOCKSIZE * dnp->dn_datablkszsec) /
336
			    sizeof (dnode_phys_t));
337
			record->start_blkid = 0;
338
			record->end_object = ((record->end_blkid +
339
			    1) * ((SPA_MINBLOCKSIZE * dnp->dn_datablkszsec) /
340
			    sizeof (dnode_phys_t))) - 1;
341
			record->end_blkid = UINT64_MAX;
342
		}
343
	} else if (zb->zb_level != 0 ||
344
	    zb->zb_object == DMU_META_DNODE_OBJECT) {
345
		kmem_free(record, sizeof (*record));
346
		return (0);
347
	} else {
348
		record->start_blkid = record->end_blkid = zb->zb_blkid;
349
	}
350
	record->indblkshift = dnp->dn_indblkshift;
351
	record->datablksz = dnp->dn_datablkszsec << SPA_MINBLOCKSHIFT;
352
	record_merge_enqueue(&rta->q, &rta->current_record, record);
353

354
	return (0);
355
}
356

357
static __attribute__((noreturn)) void
358
redact_traverse_thread(void *arg)
359
{
360
	struct redact_thread_arg *rt_arg = arg;
361
	int err;
362
	struct redact_record *data;
363
#ifdef _KERNEL
364
	if (rt_arg->os->os_phys->os_type == DMU_OST_ZFS)
365
		rt_arg->deleted_objs = zfs_get_deleteq(rt_arg->os);
366
	else
367
		rt_arg->deleted_objs = objlist_create();
368
#else
369
	rt_arg->deleted_objs = objlist_create();
370
#endif
371

372
	err = traverse_dataset_resume(rt_arg->ds, rt_arg->txg,
373
	    &rt_arg->resume, TRAVERSE_PRE | TRAVERSE_PREFETCH_METADATA |
374
	    TRAVERSE_LOGICAL, redact_cb, rt_arg);
375

376
	if (err != EINTR)
377
		rt_arg->error_code = err;
378
	objlist_destroy(rt_arg->deleted_objs);
379
	data = kmem_zalloc(sizeof (*data), KM_SLEEP);
380
	data->eos_marker = B_TRUE;
381
	record_merge_enqueue(&rt_arg->q, &rt_arg->current_record, data);
382
	thread_exit();
383
}
384

385
static inline void
386
create_zbookmark_from_obj_off(zbookmark_phys_t *zb, uint64_t object,
387
    uint64_t blkid)
388
{
389
	zb->zb_object = object;
390
	zb->zb_level = 0;
391
	zb->zb_blkid = blkid;
392
}
393

394
/*
395
 * This is a utility function that can do the comparison for the start or ends
396
 * of the ranges in a redact_record.
397
 */
398
static int
399
redact_range_compare(uint64_t obj1, uint64_t off1, uint32_t dbss1,
400
    uint64_t obj2, uint64_t off2, uint32_t dbss2)
401
{
402
	zbookmark_phys_t z1, z2;
403
	create_zbookmark_from_obj_off(&z1, obj1, off1);
404
	create_zbookmark_from_obj_off(&z2, obj2, off2);
405

406
	return (zbookmark_compare(dbss1 >> SPA_MINBLOCKSHIFT, 0,
407
	    dbss2 >> SPA_MINBLOCKSHIFT, 0, &z1, &z2));
408
}
409

410
/*
411
 * Compare two redaction records by their range's start location.  Also makes
412
 * eos records always compare last.  We use the thread number in the redact_node
413
 * to ensure that records do not compare equal (which is not allowed in our avl
414
 * trees).
415
 */
416
static int
417
redact_node_compare_start(const void *arg1, const void *arg2)
418
{
419
	const struct redact_node *rn1 = arg1;
420
	const struct redact_node *rn2 = arg2;
421
	const struct redact_record *rr1 = rn1->record;
422
	const struct redact_record *rr2 = rn2->record;
423
	if (rr1->eos_marker)
424
		return (1);
425
	if (rr2->eos_marker)
426
		return (-1);
427

428
	int cmp = redact_range_compare(rr1->start_object, rr1->start_blkid,
429
	    rr1->datablksz, rr2->start_object, rr2->start_blkid,
430
	    rr2->datablksz);
431
	if (cmp == 0)
432
		cmp = (rn1->thread_num < rn2->thread_num ? -1 : 1);
433
	return (cmp);
434
}
435

436
/*
437
 * Compare two redaction records by their range's end location.  Also makes
438
 * eos records always compare last.  We use the thread number in the redact_node
439
 * to ensure that records do not compare equal (which is not allowed in our avl
440
 * trees).
441
 */
442
static int
443
redact_node_compare_end(const void *arg1, const void *arg2)
444
{
445
	const struct redact_node *rn1 = arg1;
446
	const struct redact_node *rn2 = arg2;
447
	const struct redact_record *srr1 = rn1->record;
448
	const struct redact_record *srr2 = rn2->record;
449
	if (srr1->eos_marker)
450
		return (1);
451
	if (srr2->eos_marker)
452
		return (-1);
453

454
	int cmp = redact_range_compare(srr1->end_object, srr1->end_blkid,
455
	    srr1->datablksz, srr2->end_object, srr2->end_blkid,
456
	    srr2->datablksz);
457
	if (cmp == 0)
458
		cmp = (rn1->thread_num < rn2->thread_num ? -1 : 1);
459
	return (cmp);
460
}
461

462
/*
463
 * Utility function that compares two redaction records to determine if any part
464
 * of the "from" record is before any part of the "to" record. Also causes End
465
 * of Stream redaction records to compare after all others, so that the
466
 * redaction merging logic can stay simple.
467
 */
468
static boolean_t
469
redact_record_before(const struct redact_record *from,
470
    const struct redact_record *to)
471
{
472
	if (from->eos_marker == B_TRUE)
473
		return (B_FALSE);
474
	else if (to->eos_marker == B_TRUE)
475
		return (B_TRUE);
476
	return (redact_range_compare(from->start_object, from->start_blkid,
477
	    from->datablksz, to->end_object, to->end_blkid,
478
	    to->datablksz) <= 0);
479
}
480

481
/*
482
 * Pop a new redaction record off the queue, check that the records are in the
483
 * right order, and free the old data.
484
 */
485
static struct redact_record *
486
get_next_redact_record(bqueue_t *bq, struct redact_record *prev)
487
{
488
	struct redact_record *next = bqueue_dequeue(bq);
489
	ASSERT(redact_record_before(prev, next));
490
	kmem_free(prev, sizeof (*prev));
491
	return (next);
492
}
493

494
/*
495
 * Remove the given redaction node from both trees, pull a new redaction record
496
 * off the queue, free the old redaction record, update the redaction node, and
497
 * reinsert the node into the trees.
498
 */
499
static int
500
update_avl_trees(avl_tree_t *start_tree, avl_tree_t *end_tree,
501
    struct redact_node *redact_node)
502
{
503
	avl_remove(start_tree, redact_node);
504
	avl_remove(end_tree, redact_node);
505
	redact_node->record = get_next_redact_record(&redact_node->rt_arg->q,
506
	    redact_node->record);
507
	avl_add(end_tree, redact_node);
508
	avl_add(start_tree, redact_node);
509
	return (redact_node->rt_arg->error_code);
510
}
511

512
/*
513
 * Synctask for updating redaction lists.  We first take this txg's list of
514
 * redacted blocks and append those to the redaction list.  We then update the
515
 * redaction list's bonus buffer.  We store the furthest blocks we visited and
516
 * the list of snapshots that we're redacting with respect to.  We need these so
517
 * that redacted sends and receives can be correctly resumed.
518
 */
519
static void
520
redaction_list_update_sync(void *arg, dmu_tx_t *tx)
521
{
522
	struct merge_data *md = arg;
523
	uint64_t txg = dmu_tx_get_txg(tx);
524
	list_t *list = &md->md_blocks[txg & TXG_MASK];
525
	redact_block_phys_t *furthest_visited =
526
	    &md->md_furthest[txg & TXG_MASK];
527
	objset_t *mos = tx->tx_pool->dp_meta_objset;
528
	redaction_list_t *rl = md->md_redaction_list;
529
	int bufsize = redact_sync_bufsize;
530
	redact_block_phys_t *buf = kmem_alloc(bufsize * sizeof (*buf),
531
	    KM_SLEEP);
532
	int index = 0;
533

534
	dmu_buf_will_dirty(rl->rl_dbuf, tx);
535

536
	for (struct redact_block_list_node *rbln = list_remove_head(list);
537
	    rbln != NULL; rbln = list_remove_head(list)) {
538
		ASSERT3U(rbln->block.rbp_object, <=,
539
		    furthest_visited->rbp_object);
540
		ASSERT(rbln->block.rbp_object < furthest_visited->rbp_object ||
541
		    rbln->block.rbp_blkid <= furthest_visited->rbp_blkid);
542
		buf[index] = rbln->block;
543
		index++;
544
		if (index == bufsize) {
545
			dmu_write(mos, rl->rl_object,
546
			    rl->rl_phys->rlp_num_entries * sizeof (*buf),
547
			    bufsize * sizeof (*buf), buf, tx,
548
			    DMU_READ_NO_PREFETCH);
549
			rl->rl_phys->rlp_num_entries += bufsize;
550
			index = 0;
551
		}
552
		kmem_free(rbln, sizeof (*rbln));
553
	}
554
	if (index > 0) {
555
		dmu_write(mos, rl->rl_object, rl->rl_phys->rlp_num_entries *
556
		    sizeof (*buf), index * sizeof (*buf), buf, tx,
557
		    DMU_READ_NO_PREFETCH);
558
		rl->rl_phys->rlp_num_entries += index;
559
	}
560
	kmem_free(buf, bufsize * sizeof (*buf));
561

562
	md->md_synctask_txg[txg & TXG_MASK] = B_FALSE;
563
	rl->rl_phys->rlp_last_object = furthest_visited->rbp_object;
564
	rl->rl_phys->rlp_last_blkid = furthest_visited->rbp_blkid;
565
}
566

567
static void
568
commit_rl_updates(objset_t *os, struct merge_data *md, uint64_t object,
569
    uint64_t blkid)
570
{
571
	dmu_tx_t *tx = dmu_tx_create_dd(spa_get_dsl(os->os_spa)->dp_mos_dir);
572
	dmu_tx_hold_space(tx, sizeof (struct redact_block_list_node));
573
	VERIFY0(dmu_tx_assign(tx, DMU_TX_WAIT | DMU_TX_SUSPEND));
574
	uint64_t txg = dmu_tx_get_txg(tx);
575
	if (!md->md_synctask_txg[txg & TXG_MASK]) {
576
		dsl_sync_task_nowait(dmu_tx_pool(tx),
577
		    redaction_list_update_sync, md, tx);
578
		md->md_synctask_txg[txg & TXG_MASK] = B_TRUE;
579
		md->md_latest_synctask_txg = txg;
580
	}
581
	md->md_furthest[txg & TXG_MASK].rbp_object = object;
582
	md->md_furthest[txg & TXG_MASK].rbp_blkid = blkid;
583
	list_move_tail(&md->md_blocks[txg & TXG_MASK],
584
	    &md->md_redact_block_pending);
585
	dmu_tx_commit(tx);
586
	md->md_last_time = gethrtime();
587
}
588

589
/*
590
 * We want to store the list of blocks that we're redacting in the bookmark's
591
 * redaction list.  However, this list is stored in the MOS, which means it can
592
 * only be written to in syncing context.  To get around this, we create a
593
 * synctask that will write to the mos for us.  We tell it what to write by
594
 * a linked list for each current transaction group; every time we decide to
595
 * redact a block, we append it to the transaction group that is currently in
596
 * open context.  We also update some progress information that the synctask
597
 * will store to enable resumable redacted sends.
598
 */
599
static void
600
update_redaction_list(struct merge_data *md, objset_t *os,
601
    uint64_t object, uint64_t blkid, uint64_t endblkid, uint32_t blksz)
602
{
603
	boolean_t enqueue = B_FALSE;
604
	redact_block_phys_t cur = {0};
605
	uint64_t count = endblkid - blkid + 1;
606
	while (count > REDACT_BLOCK_MAX_COUNT) {
607
		update_redaction_list(md, os, object, blkid,
608
		    blkid + REDACT_BLOCK_MAX_COUNT - 1, blksz);
609
		blkid += REDACT_BLOCK_MAX_COUNT;
610
		count -= REDACT_BLOCK_MAX_COUNT;
611
	}
612
	redact_block_phys_t *coalesce = &md->md_coalesce_block;
613
	boolean_t new;
614
	if (coalesce->rbp_size_count == 0) {
615
		new = B_TRUE;
616
		enqueue = B_FALSE;
617
	} else  {
618
		uint64_t old_count = redact_block_get_count(coalesce);
619
		if (coalesce->rbp_object == object &&
620
		    coalesce->rbp_blkid + old_count == blkid &&
621
		    old_count + count <= REDACT_BLOCK_MAX_COUNT) {
622
			ASSERT3U(redact_block_get_size(coalesce), ==, blksz);
623
			redact_block_set_count(coalesce, old_count + count);
624
			new = B_FALSE;
625
			enqueue = B_FALSE;
626
		} else {
627
			new = B_TRUE;
628
			enqueue = B_TRUE;
629
		}
630
	}
631

632
	if (new) {
633
		cur = *coalesce;
634
		coalesce->rbp_blkid = blkid;
635
		coalesce->rbp_object = object;
636

637
		redact_block_set_count(coalesce, count);
638
		redact_block_set_size(coalesce, blksz);
639
	}
640

641
	if (enqueue && redact_block_get_size(&cur) != 0) {
642
		struct redact_block_list_node *rbln =
643
		    kmem_alloc(sizeof (struct redact_block_list_node),
644
		    KM_SLEEP);
645
		rbln->block = cur;
646
		list_insert_tail(&md->md_redact_block_pending, rbln);
647
	}
648

649
	if (gethrtime() > md->md_last_time +
650
	    redaction_list_update_interval_ns) {
651
		commit_rl_updates(os, md, object, blkid);
652
	}
653
}
654

655
/*
656
 * This thread merges all the redaction records provided by the worker threads,
657
 * and determines which blocks are redacted by all the snapshots.  The algorithm
658
 * for doing so is similar to performing a merge in mergesort with n sub-lists
659
 * instead of 2, with some added complexity due to the fact that the entries are
660
 * ranges, not just single blocks.  This algorithm relies on the fact that the
661
 * queues are sorted, which is ensured by the fact that traverse_dataset
662
 * traverses the dataset in a consistent order.  We pull one entry off the front
663
 * of the queues of each secure dataset traversal thread.  Then we repeat the
664
 * following: each record represents a range of blocks modified by one of the
665
 * redaction snapshots, and each block in that range may need to be redacted in
666
 * the send stream.  Find the record with the latest start of its range, and the
667
 * record with the earliest end of its range. If the last start is before the
668
 * first end, then we know that the blocks in the range [last_start, first_end]
669
 * are covered by all of the ranges at the front of the queues, which means
670
 * every thread redacts that whole range.  For example, let's say the ranges on
671
 * each queue look like this:
672
 *
673
 * Block Id   1  2  3  4  5  6  7  8  9 10 11
674
 * Thread 1 |    [====================]
675
 * Thread 2 |       [========]
676
 * Thread 3 |             [=================]
677
 *
678
 * Thread 3 has the last start (5), and the thread 2 has the last end (6).  All
679
 * three threads modified the range [5,6], so that data should not be sent over
680
 * the wire.  After we've determined whether or not to redact anything, we take
681
 * the record with the first end.  We discard that record, and pull a new one
682
 * off the front of the queue it came from.  In the above example, we would
683
 * discard Thread 2's record, and pull a new one.  Let's say the next record we
684
 * pulled from Thread 2 covered range [10,11].  The new layout would look like
685
 * this:
686
 *
687
 * Block Id   1  2  3  4  5  6  7  8  9 10 11
688
 * Thread 1 |    [====================]
689
 * Thread 2 |                            [==]
690
 * Thread 3 |             [=================]
691
 *
692
 * When we compare the last start (10, from Thread 2) and the first end (9, from
693
 * Thread 1), we see that the last start is greater than the first end.
694
 * Therefore, we do not redact anything from these records.  We'll iterate by
695
 * replacing the record from Thread 1.
696
 *
697
 * We iterate by replacing the record with the lowest end because we know
698
 * that the record with the lowest end has helped us as much as it can.  All the
699
 * ranges before it that we will ever redact have been redacted.  In addition,
700
 * by replacing the one with the lowest end, we guarantee we catch all ranges
701
 * that need to be redacted.  For example, if in the case above we had replaced
702
 * the record from Thread 1 instead, we might have ended up with the following:
703
 *
704
 * Block Id   1  2  3  4  5  6  7  8  9 10 11 12
705
 * Thread 1 |                               [==]
706
 * Thread 2 |       [========]
707
 * Thread 3 |             [=================]
708
 *
709
 * If the next record from Thread 2 had been [8,10], for example, we should have
710
 * redacted part of that range, but because we updated Thread 1's record, we
711
 * missed it.
712
 *
713
 * We implement this algorithm by using two trees.  The first sorts the
714
 * redaction records by their start_zb, and the second sorts them by their
715
 * end_zb.  We use these to find the record with the last start and the record
716
 * with the first end.  We create a record with that start and end, and send it
717
 * on.  The overall runtime of this implementation is O(n log m), where n is the
718
 * total number of redaction records from all the different redaction snapshots,
719
 * and m is the number of redaction snapshots.
720
 *
721
 * If we redact with respect to zero snapshots, we create a redaction
722
 * record with the start object and blkid to 0, and the end object and blkid to
723
 * UINT64_MAX.  This will result in us redacting every block.
724
 */
725
static int
726
perform_thread_merge(bqueue_t *q, uint32_t num_threads,
727
    struct redact_thread_arg *thread_args, boolean_t *cancel)
728
{
729
	struct redact_node *redact_nodes = NULL;
730
	avl_tree_t start_tree, end_tree;
731
	struct redact_record *record;
732
	struct redact_record *current_record = NULL;
733
	int err = 0;
734
	struct merge_data md = { {0} };
735
	list_create(&md.md_redact_block_pending,
736
	    sizeof (struct redact_block_list_node),
737
	    offsetof(struct redact_block_list_node, node));
738

739
	/*
740
	 * If we're redacting with respect to zero snapshots, then no data is
741
	 * permitted to be sent.  We enqueue a record that redacts all blocks,
742
	 * and an eos marker.
743
	 */
744
	if (num_threads == 0) {
745
		record = kmem_zalloc(sizeof (struct redact_record),
746
		    KM_SLEEP);
747
		// We can't redact object 0, so don't try.
748
		record->start_object = 1;
749
		record->start_blkid = 0;
750
		record->end_object = record->end_blkid = UINT64_MAX;
751
		bqueue_enqueue(q, record, sizeof (*record));
752
		return (0);
753
	}
754
	redact_nodes = vmem_zalloc(num_threads *
755
	    sizeof (*redact_nodes), KM_SLEEP);
756

757
	avl_create(&start_tree, redact_node_compare_start,
758
	    sizeof (struct redact_node),
759
	    offsetof(struct redact_node, avl_node_start));
760
	avl_create(&end_tree, redact_node_compare_end,
761
	    sizeof (struct redact_node),
762
	    offsetof(struct redact_node, avl_node_end));
763

764
	for (int i = 0; i < num_threads; i++) {
765
		struct redact_node *node = &redact_nodes[i];
766
		struct redact_thread_arg *targ = &thread_args[i];
767
		node->record = bqueue_dequeue(&targ->q);
768
		node->rt_arg = targ;
769
		node->thread_num = i;
770
		avl_add(&start_tree, node);
771
		avl_add(&end_tree, node);
772
	}
773

774
	/*
775
	 * Once the first record in the end tree has returned EOS, every record
776
	 * must be an EOS record, so we should stop.
777
	 */
778
	while (err == 0 && !((struct redact_node *)avl_first(&end_tree))->
779
	    record->eos_marker) {
780
		if (*cancel) {
781
			err = EINTR;
782
			break;
783
		}
784
		struct redact_node *last_start = avl_last(&start_tree);
785
		struct redact_node *first_end = avl_first(&end_tree);
786

787
		/*
788
		 * If the last start record is before the first end record,
789
		 * then we have blocks that are redacted by all threads.
790
		 * Therefore, we should redact them.  Copy the record, and send
791
		 * it to the main thread.
792
		 */
793
		if (redact_record_before(last_start->record,
794
		    first_end->record)) {
795
			record = kmem_zalloc(sizeof (struct redact_record),
796
			    KM_SLEEP);
797
			*record = *first_end->record;
798
			record->start_object = last_start->record->start_object;
799
			record->start_blkid = last_start->record->start_blkid;
800
			record_merge_enqueue(q, &current_record,
801
			    record);
802
		}
803
		err = update_avl_trees(&start_tree, &end_tree, first_end);
804
	}
805

806
	/*
807
	 * We're done; if we were cancelled, we need to cancel our workers and
808
	 * clear out their queues.  Either way, we need to remove every thread's
809
	 * redact_node struct from the avl trees.
810
	 */
811
	for (int i = 0; i < num_threads; i++) {
812
		if (err != 0) {
813
			thread_args[i].cancel = B_TRUE;
814
			while (!redact_nodes[i].record->eos_marker) {
815
				(void) update_avl_trees(&start_tree, &end_tree,
816
				    &redact_nodes[i]);
817
			}
818
		}
819
		avl_remove(&start_tree, &redact_nodes[i]);
820
		avl_remove(&end_tree, &redact_nodes[i]);
821
		kmem_free(redact_nodes[i].record,
822
		    sizeof (struct redact_record));
823
		bqueue_destroy(&thread_args[i].q);
824
	}
825

826
	avl_destroy(&start_tree);
827
	avl_destroy(&end_tree);
828
	vmem_free(redact_nodes, num_threads * sizeof (*redact_nodes));
829
	if (current_record != NULL)
830
		bqueue_enqueue(q, current_record, sizeof (*current_record));
831
	return (err);
832
}
833

834
struct redact_merge_thread_arg {
835
	bqueue_t q;
836
	spa_t *spa;
837
	int numsnaps;
838
	struct redact_thread_arg *thr_args;
839
	boolean_t cancel;
840
	int error_code;
841
};
842

843
static __attribute__((noreturn)) void
844
redact_merge_thread(void *arg)
845
{
846
	struct redact_merge_thread_arg *rmta = arg;
847
	rmta->error_code = perform_thread_merge(&rmta->q,
848
	    rmta->numsnaps, rmta->thr_args, &rmta->cancel);
849
	struct redact_record *rec = kmem_zalloc(sizeof (*rec), KM_SLEEP);
850
	rec->eos_marker = B_TRUE;
851
	bqueue_enqueue_flush(&rmta->q, rec, 1);
852
	thread_exit();
853
}
854

855
/*
856
 * Find the next object in or after the redaction range passed in, and hold
857
 * its dnode with the provided tag.  Also update *object to contain the new
858
 * object number.
859
 */
860
static int
861
hold_next_object(objset_t *os, struct redact_record *rec, const void *tag,
862
    uint64_t *object, dnode_t **dn)
863
{
864
	int err = 0;
865
	if (*dn != NULL)
866
		dnode_rele(*dn, tag);
867
	*dn = NULL;
868
	if (*object < rec->start_object) {
869
		*object = rec->start_object - 1;
870
	}
871
	err = dmu_object_next(os, object, B_FALSE, 0);
872
	if (err != 0)
873
		return (err);
874

875
	err = dnode_hold(os, *object, tag, dn);
876
	while (err == 0 && (*object < rec->start_object ||
877
	    DMU_OT_IS_METADATA((*dn)->dn_type))) {
878
		dnode_rele(*dn, tag);
879
		*dn = NULL;
880
		err = dmu_object_next(os, object, B_FALSE, 0);
881
		if (err != 0)
882
			break;
883
		err = dnode_hold(os, *object, tag, dn);
884
	}
885
	return (err);
886
}
887

888
static int
889
perform_redaction(objset_t *os, redaction_list_t *rl,
890
    struct redact_merge_thread_arg *rmta)
891
{
892
	int err = 0;
893
	bqueue_t *q = &rmta->q;
894
	struct redact_record *rec = NULL;
895
	struct merge_data md = { {0} };
896

897
	list_create(&md.md_redact_block_pending,
898
	    sizeof (struct redact_block_list_node),
899
	    offsetof(struct redact_block_list_node, node));
900
	md.md_redaction_list = rl;
901

902
	for (int i = 0; i < TXG_SIZE; i++) {
903
		list_create(&md.md_blocks[i],
904
		    sizeof (struct redact_block_list_node),
905
		    offsetof(struct redact_block_list_node, node));
906
	}
907
	dnode_t *dn = NULL;
908
	uint64_t prev_obj = 0;
909
	for (rec = bqueue_dequeue(q); !rec->eos_marker && err == 0;
910
	    rec = get_next_redact_record(q, rec)) {
911
		ASSERT3U(rec->start_object, !=, 0);
912
		uint64_t object;
913
		if (prev_obj != rec->start_object) {
914
			object = rec->start_object - 1;
915
			err = hold_next_object(os, rec, FTAG, &object, &dn);
916
		} else {
917
			object = prev_obj;
918
		}
919
		while (err == 0 && object <= rec->end_object) {
920
			if (issig()) {
921
				err = EINTR;
922
				break;
923
			}
924
			/*
925
			 * Part of the current object is contained somewhere in
926
			 * the range covered by rec.
927
			 */
928
			uint64_t startblkid;
929
			uint64_t endblkid;
930
			uint64_t maxblkid = dn->dn_phys->dn_maxblkid;
931

932
			if (rec->start_object < object)
933
				startblkid = 0;
934
			else if (rec->start_blkid > maxblkid)
935
				break;
936
			else
937
				startblkid = rec->start_blkid;
938

939
			if (rec->end_object > object || rec->end_blkid >
940
			    maxblkid) {
941
				endblkid = maxblkid;
942
			} else {
943
				endblkid = rec->end_blkid;
944
			}
945
			update_redaction_list(&md, os, object, startblkid,
946
			    endblkid, dn->dn_datablksz);
947

948
			if (object == rec->end_object)
949
				break;
950
			err = hold_next_object(os, rec, FTAG, &object, &dn);
951
		}
952
		if (err == ESRCH)
953
			err = 0;
954
		if (dn != NULL)
955
			prev_obj = object;
956
	}
957
	if (err == 0 && dn != NULL)
958
		dnode_rele(dn, FTAG);
959

960
	if (err == ESRCH)
961
		err = 0;
962
	rmta->cancel = B_TRUE;
963
	while (!rec->eos_marker)
964
		rec = get_next_redact_record(q, rec);
965
	kmem_free(rec, sizeof (*rec));
966

967
	/*
968
	 * There may be a block that's being coalesced, sync that out before we
969
	 * return.
970
	 */
971
	if (err == 0 && md.md_coalesce_block.rbp_size_count != 0) {
972
		struct redact_block_list_node *rbln =
973
		    kmem_alloc(sizeof (struct redact_block_list_node),
974
		    KM_SLEEP);
975
		rbln->block = md.md_coalesce_block;
976
		list_insert_tail(&md.md_redact_block_pending, rbln);
977
	}
978
	commit_rl_updates(os, &md, UINT64_MAX, UINT64_MAX);
979

980
	/*
981
	 * Wait for all the redaction info to sync out before we return, so that
982
	 * anyone who attempts to resume this redaction will have all the data
983
	 * they need.
984
	 */
985
	dsl_pool_t *dp = spa_get_dsl(os->os_spa);
986
	if (md.md_latest_synctask_txg != 0)
987
		txg_wait_synced(dp, md.md_latest_synctask_txg);
988
	for (int i = 0; i < TXG_SIZE; i++)
989
		list_destroy(&md.md_blocks[i]);
990
	return (err);
991
}
992

993
static boolean_t
994
redact_snaps_contains(uint64_t *snaps, uint64_t num_snaps, uint64_t guid)
995
{
996
	for (int i = 0; i < num_snaps; i++) {
997
		if (snaps[i] == guid)
998
			return (B_TRUE);
999
	}
1000
	return (B_FALSE);
1001
}
1002

1003
int
1004
dmu_redact_snap(const char *snapname, nvlist_t *redactnvl,
1005
    const char *redactbook)
1006
{
1007
	int err = 0;
1008
	dsl_pool_t *dp = NULL;
1009
	dsl_dataset_t *ds = NULL;
1010
	int numsnaps = 0;
1011
	objset_t *os;
1012
	struct redact_thread_arg *args = NULL;
1013
	redaction_list_t *new_rl = NULL;
1014
	char *newredactbook;
1015

1016
	if ((err = dsl_pool_hold(snapname, FTAG, &dp)) != 0)
1017
		return (err);
1018

1019
	newredactbook = kmem_zalloc(sizeof (char) * ZFS_MAX_DATASET_NAME_LEN,
1020
	    KM_SLEEP);
1021

1022
	if ((err = dsl_dataset_hold_flags(dp, snapname, DS_HOLD_FLAG_DECRYPT,
1023
	    FTAG, &ds)) != 0) {
1024
		goto out;
1025
	}
1026
	dsl_dataset_long_hold(ds, FTAG);
1027
	if (!ds->ds_is_snapshot || dmu_objset_from_ds(ds, &os) != 0) {
1028
		err = EINVAL;
1029
		goto out;
1030
	}
1031
	if (dsl_dataset_feature_is_active(ds, SPA_FEATURE_REDACTED_DATASETS)) {
1032
		err = EALREADY;
1033
		goto out;
1034
	}
1035

1036
	numsnaps = fnvlist_num_pairs(redactnvl);
1037
	if (numsnaps > 0)
1038
		args = vmem_zalloc(numsnaps * sizeof (*args), KM_SLEEP);
1039

1040
	nvpair_t *pair = NULL;
1041
	for (int i = 0; i < numsnaps; i++) {
1042
		pair = nvlist_next_nvpair(redactnvl, pair);
1043
		const char *name = nvpair_name(pair);
1044
		struct redact_thread_arg *rta = &args[i];
1045
		err = dsl_dataset_hold_flags(dp, name, DS_HOLD_FLAG_DECRYPT,
1046
		    FTAG, &rta->ds);
1047
		if (err != 0)
1048
			break;
1049
		/*
1050
		 * We want to do the long hold before we can get any other
1051
		 * errors, because the cleanup code will release the long
1052
		 * hold if rta->ds is filled in.
1053
		 */
1054
		dsl_dataset_long_hold(rta->ds, FTAG);
1055

1056
		err = dmu_objset_from_ds(rta->ds, &rta->os);
1057
		if (err != 0)
1058
			break;
1059
		if (!dsl_dataset_is_before(rta->ds, ds, 0)) {
1060
			err = EINVAL;
1061
			break;
1062
		}
1063
		if (dsl_dataset_feature_is_active(rta->ds,
1064
		    SPA_FEATURE_REDACTED_DATASETS)) {
1065
			err = EALREADY;
1066
			break;
1067

1068
		}
1069
	}
1070
	if (err != 0)
1071
		goto out;
1072
	VERIFY0P(nvlist_next_nvpair(redactnvl, pair));
1073

1074
	boolean_t resuming = B_FALSE;
1075
	zfs_bookmark_phys_t bookmark;
1076

1077
	(void) strlcpy(newredactbook, snapname, ZFS_MAX_DATASET_NAME_LEN);
1078
	char *c = strchr(newredactbook, '@');
1079
	ASSERT3P(c, !=, NULL);
1080
	int n = snprintf(c, ZFS_MAX_DATASET_NAME_LEN - (c - newredactbook),
1081
	    "#%s", redactbook);
1082
	if (n >= ZFS_MAX_DATASET_NAME_LEN - (c - newredactbook)) {
1083
		dsl_pool_rele(dp, FTAG);
1084
		kmem_free(newredactbook,
1085
		    sizeof (char) * ZFS_MAX_DATASET_NAME_LEN);
1086
		if (args != NULL)
1087
			vmem_free(args, numsnaps * sizeof (*args));
1088
		return (SET_ERROR(ENAMETOOLONG));
1089
	}
1090
	err = dsl_bookmark_lookup(dp, newredactbook, NULL, &bookmark);
1091
	if (err == 0) {
1092
		resuming = B_TRUE;
1093
		if (bookmark.zbm_redaction_obj == 0) {
1094
			err = EEXIST;
1095
			goto out;
1096
		}
1097
		err = dsl_redaction_list_hold_obj(dp,
1098
		    bookmark.zbm_redaction_obj, FTAG, &new_rl);
1099
		if (err != 0) {
1100
			err = EIO;
1101
			goto out;
1102
		}
1103
		dsl_redaction_list_long_hold(dp, new_rl, FTAG);
1104
		if (new_rl->rl_phys->rlp_num_snaps != numsnaps) {
1105
			err = ESRCH;
1106
			goto out;
1107
		}
1108
		for (int i = 0; i < numsnaps; i++) {
1109
			struct redact_thread_arg *rta = &args[i];
1110
			if (!redact_snaps_contains(new_rl->rl_phys->rlp_snaps,
1111
			    new_rl->rl_phys->rlp_num_snaps,
1112
			    dsl_dataset_phys(rta->ds)->ds_guid)) {
1113
				err = ESRCH;
1114
				goto out;
1115
			}
1116
		}
1117
		if (new_rl->rl_phys->rlp_last_blkid == UINT64_MAX &&
1118
		    new_rl->rl_phys->rlp_last_object == UINT64_MAX) {
1119
			err = EEXIST;
1120
			goto out;
1121
		}
1122
		dsl_pool_rele(dp, FTAG);
1123
		dp = NULL;
1124
	} else {
1125
		uint64_t *guids = NULL;
1126
		if (numsnaps > 0) {
1127
			guids = vmem_zalloc(numsnaps * sizeof (uint64_t),
1128
			    KM_SLEEP);
1129
		}
1130
		for (int i = 0; i < numsnaps; i++) {
1131
			struct redact_thread_arg *rta = &args[i];
1132
			guids[i] = dsl_dataset_phys(rta->ds)->ds_guid;
1133
		}
1134

1135
		dsl_pool_rele(dp, FTAG);
1136
		dp = NULL;
1137
		err = dsl_bookmark_create_redacted(newredactbook, snapname,
1138
		    numsnaps, guids, FTAG, &new_rl);
1139
		vmem_free(guids, numsnaps * sizeof (uint64_t));
1140
		if (err != 0)
1141
			goto out;
1142
	}
1143

1144
	for (int i = 0; i < numsnaps; i++) {
1145
		struct redact_thread_arg *rta = &args[i];
1146
		(void) bqueue_init(&rta->q, zfs_redact_queue_ff,
1147
		    zfs_redact_queue_length,
1148
		    offsetof(struct redact_record, ln));
1149
		if (resuming) {
1150
			rta->resume.zb_blkid =
1151
			    new_rl->rl_phys->rlp_last_blkid;
1152
			rta->resume.zb_object =
1153
			    new_rl->rl_phys->rlp_last_object;
1154
		}
1155
		rta->txg = dsl_dataset_phys(ds)->ds_creation_txg;
1156
		(void) thread_create(NULL, 0, redact_traverse_thread, rta,
1157
		    0, curproc, TS_RUN, minclsyspri);
1158
	}
1159

1160
	struct redact_merge_thread_arg *rmta;
1161
	rmta = kmem_zalloc(sizeof (struct redact_merge_thread_arg), KM_SLEEP);
1162

1163
	(void) bqueue_init(&rmta->q, zfs_redact_queue_ff,
1164
	    zfs_redact_queue_length, offsetof(struct redact_record, ln));
1165
	rmta->numsnaps = numsnaps;
1166
	rmta->spa = os->os_spa;
1167
	rmta->thr_args = args;
1168
	(void) thread_create(NULL, 0, redact_merge_thread, rmta, 0, curproc,
1169
	    TS_RUN, minclsyspri);
1170
	err = perform_redaction(os, new_rl, rmta);
1171
	bqueue_destroy(&rmta->q);
1172
	kmem_free(rmta, sizeof (struct redact_merge_thread_arg));
1173

1174
out:
1175
	kmem_free(newredactbook, sizeof (char) * ZFS_MAX_DATASET_NAME_LEN);
1176

1177
	if (new_rl != NULL) {
1178
		dsl_redaction_list_long_rele(new_rl, FTAG);
1179
		dsl_redaction_list_rele(new_rl, FTAG);
1180
	}
1181
	for (int i = 0; i < numsnaps; i++) {
1182
		struct redact_thread_arg *rta = &args[i];
1183
		/*
1184
		 * rta->ds may be NULL if we got an error while filling
1185
		 * it in.
1186
		 */
1187
		if (rta->ds != NULL) {
1188
			dsl_dataset_long_rele(rta->ds, FTAG);
1189
			dsl_dataset_rele_flags(rta->ds,
1190
			    DS_HOLD_FLAG_DECRYPT, FTAG);
1191
		}
1192
	}
1193

1194
	if (args != NULL)
1195
		vmem_free(args, numsnaps * sizeof (*args));
1196
	if (dp != NULL)
1197
		dsl_pool_rele(dp, FTAG);
1198
	if (ds != NULL) {
1199
		dsl_dataset_long_rele(ds, FTAG);
1200
		dsl_dataset_rele_flags(ds, DS_HOLD_FLAG_DECRYPT, FTAG);
1201
	}
1202
	return (SET_ERROR(err));
1203

1204
}
1205

1206