1 // SPDX-License-Identifier: CDDL-1.0
2 /*
3 * CDDL HEADER START
4 *
5 * The contents of this file are subject to the terms of the
6 * Common Development and Distribution License (the "License").
7 * You may not use this file except in compliance with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or https://opensource.org/licenses/CDDL-1.0.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22 /*
23 * Copyright (c) 2017, 2018 by Delphix. All rights reserved.
24 */
25
26 #include <sys/zfs_context.h>
27 #include <sys/txg.h>
28 #include <sys/dmu_objset.h>
29 #include <sys/dmu_traverse.h>
30 #include <sys/dmu_redact.h>
31 #include <sys/bqueue.h>
32 #include <sys/objlist.h>
33 #include <sys/dmu_tx.h>
34 #ifdef _KERNEL
35 #include <sys/zfs_vfsops.h>
36 #include <sys/zap.h>
37 #include <sys/zfs_znode.h>
38 #endif
39
40 /*
41 * This controls the number of entries in the buffer the redaction_list_update
42 * synctask uses to buffer writes to the redaction list.
43 */
44 static const int redact_sync_bufsize = 1024;
45
46 /*
47 * Controls how often to update the redaction list when creating a redaction
48 * list.
49 */
50 static const uint64_t redaction_list_update_interval_ns =
51 1000 * 1000 * 1000ULL; /* 1s */
52
53 /*
54 * This tunable controls the length of the queues that zfs redact worker threads
55 * use to communicate. If the dmu_redact_snap thread is blocking on these
56 * queues, this variable may need to be increased. If there is a significant
57 * slowdown at the start of a redact operation as these threads consume all the
58 * available IO resources, or the queues are consuming too much memory, this
59 * variable may need to be decreased.
60 */
61 static const int zfs_redact_queue_length = 1024 * 1024;
62
63 /*
64 * These tunables control the fill fraction of the queues by zfs redact. The
65 * fill fraction controls the frequency with which threads have to be
66 * cv_signaled. If a lot of cpu time is being spent on cv_signal, then these
67 * should be tuned down. If the queues empty before the signalled thread can
68 * catch up, then these should be tuned up.
69 */
70 static const uint64_t zfs_redact_queue_ff = 20;
71
72 struct redact_record {
73 bqueue_node_t ln;
74 boolean_t eos_marker; /* Marks the end of the stream */
75 uint64_t start_object;
76 uint64_t start_blkid;
77 uint64_t end_object;
78 uint64_t end_blkid;
79 uint8_t indblkshift;
80 uint32_t datablksz;
81 };
82
83 struct redact_thread_arg {
84 bqueue_t q;
85 objset_t *os; /* Objset to traverse */
86 dsl_dataset_t *ds; /* Dataset to traverse */
87 struct redact_record *current_record;
88 int error_code;
89 boolean_t cancel;
90 zbookmark_phys_t resume;
91 objlist_t *deleted_objs;
92 uint64_t *num_blocks_visited;
93 uint64_t ignore_object; /* ignore further callbacks on this */
94 uint64_t txg; /* txg to traverse since */
95 };
96
97 /*
98 * The redaction node is a wrapper around the redaction record that is used
99 * by the redaction merging thread to sort the records and determine overlaps.
100 *
101 * It contains two nodes; one sorts the records by their start_zb, and the other
102 * sorts the records by their end_zb.
103 */
104 struct redact_node {
105 avl_node_t avl_node_start;
106 avl_node_t avl_node_end;
107 struct redact_record *record;
108 struct redact_thread_arg *rt_arg;
109 uint32_t thread_num;
110 };
111
112 struct merge_data {
113 list_t md_redact_block_pending;
114 redact_block_phys_t md_coalesce_block;
115 uint64_t md_last_time;
116 redact_block_phys_t md_furthest[TXG_SIZE];
117 /* Lists of struct redact_block_list_node. */
118 list_t md_blocks[TXG_SIZE];
119 boolean_t md_synctask_txg[TXG_SIZE];
120 uint64_t md_latest_synctask_txg;
121 redaction_list_t *md_redaction_list;
122 };
123
124 /*
125 * A wrapper around struct redact_block so it can be stored in a list_t.
126 */
127 struct redact_block_list_node {
128 redact_block_phys_t block;
129 list_node_t node;
130 };
131
132 /*
133 * We've found a new redaction candidate. In order to improve performance, we
134 * coalesce these blocks when they're adjacent to each other. This function
135 * handles that. If the new candidate block range is immediately after the
136 * range we're building, coalesce it into the range we're building. Otherwise,
137 * put the record we're building on the queue, and update the build pointer to
138 * point to the new record.
139 */
140 static void
record_merge_enqueue(bqueue_t * q,struct redact_record ** build,struct redact_record * new)141 record_merge_enqueue(bqueue_t *q, struct redact_record **build,
142 struct redact_record *new)
143 {
144 if (new->eos_marker) {
145 if (*build != NULL)
146 bqueue_enqueue(q, *build, sizeof (**build));
147 bqueue_enqueue_flush(q, new, sizeof (*new));
148 return;
149 }
150 if (*build == NULL) {
151 *build = new;
152 return;
153 }
154 struct redact_record *curbuild = *build;
155 if ((curbuild->end_object == new->start_object &&
156 curbuild->end_blkid + 1 == new->start_blkid &&
157 curbuild->end_blkid != UINT64_MAX) ||
158 (curbuild->end_object + 1 == new->start_object &&
159 curbuild->end_blkid == UINT64_MAX && new->start_blkid == 0)) {
160 curbuild->end_object = new->end_object;
161 curbuild->end_blkid = new->end_blkid;
162 kmem_free(new, sizeof (*new));
163 } else {
164 bqueue_enqueue(q, curbuild, sizeof (*curbuild));
165 *build = new;
166 }
167 }
168 #ifdef _KERNEL
169 struct objnode {
170 avl_node_t node;
171 uint64_t obj;
172 };
173
174 static int
objnode_compare(const void * o1,const void * o2)175 objnode_compare(const void *o1, const void *o2)
176 {
177 const struct objnode *obj1 = o1;
178 const struct objnode *obj2 = o2;
179 if (obj1->obj < obj2->obj)
180 return (-1);
181 if (obj1->obj > obj2->obj)
182 return (1);
183 return (0);
184 }
185
186
187 static objlist_t *
zfs_get_deleteq(objset_t * os)188 zfs_get_deleteq(objset_t *os)
189 {
190 objlist_t *deleteq_objlist = objlist_create();
191 uint64_t deleteq_obj;
192 zap_cursor_t zc;
193 zap_attribute_t *za;
194 dmu_object_info_t doi;
195
196 ASSERT3U(os->os_phys->os_type, ==, DMU_OST_ZFS);
197 VERIFY0(dmu_object_info(os, MASTER_NODE_OBJ, &doi));
198 ASSERT3U(doi.doi_type, ==, DMU_OT_MASTER_NODE);
199
200 VERIFY0(zap_lookup(os, MASTER_NODE_OBJ,
201 ZFS_UNLINKED_SET, sizeof (uint64_t), 1, &deleteq_obj));
202
203 /*
204 * In order to insert objects into the objlist, they must be in sorted
205 * order. We don't know what order we'll get them out of the ZAP in, so
206 * we insert them into and remove them from an avl_tree_t to sort them.
207 */
208 avl_tree_t at;
209 avl_create(&at, objnode_compare, sizeof (struct objnode),
210 offsetof(struct objnode, node));
211
212 za = zap_attribute_alloc();
213 for (zap_cursor_init(&zc, os, deleteq_obj);
214 zap_cursor_retrieve(&zc, za) == 0; zap_cursor_advance(&zc)) {
215 struct objnode *obj = kmem_zalloc(sizeof (*obj), KM_SLEEP);
216 obj->obj = za->za_first_integer;
217 avl_add(&at, obj);
218 }
219 zap_cursor_fini(&zc);
220 zap_attribute_free(za);
221
222 struct objnode *next, *found = avl_first(&at);
223 while (found != NULL) {
224 next = AVL_NEXT(&at, found);
225 objlist_insert(deleteq_objlist, found->obj);
226 found = next;
227 }
228
229 void *cookie = NULL;
230 while ((found = avl_destroy_nodes(&at, &cookie)) != NULL)
231 kmem_free(found, sizeof (*found));
232 avl_destroy(&at);
233 return (deleteq_objlist);
234 }
235 #endif
236
237 /*
238 * This is the callback function to traverse_dataset for the redaction threads
239 * for dmu_redact_snap. This thread is responsible for creating redaction
240 * records for all the data that is modified by the snapshots we're redacting
241 * with respect to. Redaction records represent ranges of data that have been
242 * modified by one of the redaction snapshots, and are stored in the
243 * redact_record struct. We need to create redaction records for three
244 * cases:
245 *
246 * First, if there's a normal write, we need to create a redaction record for
247 * that block.
248 *
249 * Second, if there's a hole, we need to create a redaction record that covers
250 * the whole range of the hole. If the hole is in the meta-dnode, it must cover
251 * every block in all of the objects in the hole.
252 *
253 * Third, if there is a deleted object, we need to create a redaction record for
254 * all of the blocks in that object.
255 */
256 static int
redact_cb(spa_t * spa,zilog_t * zilog,const blkptr_t * bp,const zbookmark_phys_t * zb,const struct dnode_phys * dnp,void * arg)257 redact_cb(spa_t *spa, zilog_t *zilog, const blkptr_t *bp,
258 const zbookmark_phys_t *zb, const struct dnode_phys *dnp, void *arg)
259 {
260 (void) spa, (void) zilog;
261 struct redact_thread_arg *rta = arg;
262 struct redact_record *record;
263
264 ASSERT(zb->zb_object == DMU_META_DNODE_OBJECT ||
265 zb->zb_object >= rta->resume.zb_object);
266
267 if (rta->cancel)
268 return (SET_ERROR(EINTR));
269
270 if (rta->ignore_object == zb->zb_object)
271 return (0);
272
273 /*
274 * If we're visiting a dnode, we need to handle the case where the
275 * object has been deleted.
276 */
277 if (zb->zb_level == ZB_DNODE_LEVEL) {
278 ASSERT3U(zb->zb_level, ==, ZB_DNODE_LEVEL);
279
280 if (zb->zb_object == 0)
281 return (0);
282
283 /*
284 * If the object has been deleted, redact all of the blocks in
285 * it.
286 */
287 if (dnp->dn_type == DMU_OT_NONE ||
288 objlist_exists(rta->deleted_objs, zb->zb_object)) {
289 rta->ignore_object = zb->zb_object;
290 record = kmem_zalloc(sizeof (struct redact_record),
291 KM_SLEEP);
292
293 record->eos_marker = B_FALSE;
294 record->start_object = record->end_object =
295 zb->zb_object;
296 record->start_blkid = 0;
297 record->end_blkid = UINT64_MAX;
298 record_merge_enqueue(&rta->q,
299 &rta->current_record, record);
300 }
301 return (0);
302 } else if (zb->zb_level < 0) {
303 return (0);
304 } else if (zb->zb_level > 0 && !BP_IS_HOLE(bp)) {
305 /*
306 * If this is an indirect block, but not a hole, it doesn't
307 * provide any useful information for redaction, so ignore it.
308 */
309 return (0);
310 }
311
312 /*
313 * At this point, there are two options left for the type of block we're
314 * looking at. Either this is a hole (which could be in the dnode or
315 * the meta-dnode), or it's a level 0 block of some sort. If it's a
316 * hole, we create a redaction record that covers the whole range. If
317 * the hole is in a dnode, we need to redact all the blocks in that
318 * hole. If the hole is in the meta-dnode, we instead need to redact
319 * all blocks in every object covered by that hole. If it's a level 0
320 * block, we only need to redact that single block.
321 */
322 record = kmem_zalloc(sizeof (struct redact_record), KM_SLEEP);
323 record->eos_marker = B_FALSE;
324
325 record->start_object = record->end_object = zb->zb_object;
326 if (BP_IS_HOLE(bp)) {
327 record->start_blkid = zb->zb_blkid *
328 bp_span_in_blocks(dnp->dn_indblkshift, zb->zb_level);
329
330 record->end_blkid = ((zb->zb_blkid + 1) *
331 bp_span_in_blocks(dnp->dn_indblkshift, zb->zb_level)) - 1;
332
333 if (zb->zb_object == DMU_META_DNODE_OBJECT) {
334 record->start_object = record->start_blkid *
335 ((SPA_MINBLOCKSIZE * dnp->dn_datablkszsec) /
336 sizeof (dnode_phys_t));
337 record->start_blkid = 0;
338 record->end_object = ((record->end_blkid +
339 1) * ((SPA_MINBLOCKSIZE * dnp->dn_datablkszsec) /
340 sizeof (dnode_phys_t))) - 1;
341 record->end_blkid = UINT64_MAX;
342 }
343 } else if (zb->zb_level != 0 ||
344 zb->zb_object == DMU_META_DNODE_OBJECT) {
345 kmem_free(record, sizeof (*record));
346 return (0);
347 } else {
348 record->start_blkid = record->end_blkid = zb->zb_blkid;
349 }
350 record->indblkshift = dnp->dn_indblkshift;
351 record->datablksz = dnp->dn_datablkszsec << SPA_MINBLOCKSHIFT;
352 record_merge_enqueue(&rta->q, &rta->current_record, record);
353
354 return (0);
355 }
356
357 static __attribute__((noreturn)) void
redact_traverse_thread(void * arg)358 redact_traverse_thread(void *arg)
359 {
360 struct redact_thread_arg *rt_arg = arg;
361 int err;
362 struct redact_record *data;
363 #ifdef _KERNEL
364 if (rt_arg->os->os_phys->os_type == DMU_OST_ZFS)
365 rt_arg->deleted_objs = zfs_get_deleteq(rt_arg->os);
366 else
367 rt_arg->deleted_objs = objlist_create();
368 #else
369 rt_arg->deleted_objs = objlist_create();
370 #endif
371
372 err = traverse_dataset_resume(rt_arg->ds, rt_arg->txg,
373 &rt_arg->resume, TRAVERSE_PRE | TRAVERSE_PREFETCH_METADATA |
374 TRAVERSE_LOGICAL, redact_cb, rt_arg);
375
376 if (err != EINTR)
377 rt_arg->error_code = err;
378 objlist_destroy(rt_arg->deleted_objs);
379 data = kmem_zalloc(sizeof (*data), KM_SLEEP);
380 data->eos_marker = B_TRUE;
381 record_merge_enqueue(&rt_arg->q, &rt_arg->current_record, data);
382 thread_exit();
383 }
384
385 static inline void
create_zbookmark_from_obj_off(zbookmark_phys_t * zb,uint64_t object,uint64_t blkid)386 create_zbookmark_from_obj_off(zbookmark_phys_t *zb, uint64_t object,
387 uint64_t blkid)
388 {
389 zb->zb_object = object;
390 zb->zb_level = 0;
391 zb->zb_blkid = blkid;
392 }
393
394 /*
395 * This is a utility function that can do the comparison for the start or ends
396 * of the ranges in a redact_record.
397 */
398 static int
redact_range_compare(uint64_t obj1,uint64_t off1,uint32_t dbss1,uint64_t obj2,uint64_t off2,uint32_t dbss2)399 redact_range_compare(uint64_t obj1, uint64_t off1, uint32_t dbss1,
400 uint64_t obj2, uint64_t off2, uint32_t dbss2)
401 {
402 zbookmark_phys_t z1, z2;
403 create_zbookmark_from_obj_off(&z1, obj1, off1);
404 create_zbookmark_from_obj_off(&z2, obj2, off2);
405
406 return (zbookmark_compare(dbss1 >> SPA_MINBLOCKSHIFT, 0,
407 dbss2 >> SPA_MINBLOCKSHIFT, 0, &z1, &z2));
408 }
409
410 /*
411 * Compare two redaction records by their range's start location. Also makes
412 * eos records always compare last. We use the thread number in the redact_node
413 * to ensure that records do not compare equal (which is not allowed in our avl
414 * trees).
415 */
416 static int
redact_node_compare_start(const void * arg1,const void * arg2)417 redact_node_compare_start(const void *arg1, const void *arg2)
418 {
419 const struct redact_node *rn1 = arg1;
420 const struct redact_node *rn2 = arg2;
421 const struct redact_record *rr1 = rn1->record;
422 const struct redact_record *rr2 = rn2->record;
423 if (rr1->eos_marker)
424 return (1);
425 if (rr2->eos_marker)
426 return (-1);
427
428 int cmp = redact_range_compare(rr1->start_object, rr1->start_blkid,
429 rr1->datablksz, rr2->start_object, rr2->start_blkid,
430 rr2->datablksz);
431 if (cmp == 0)
432 cmp = (rn1->thread_num < rn2->thread_num ? -1 : 1);
433 return (cmp);
434 }
435
436 /*
437 * Compare two redaction records by their range's end location. Also makes
438 * eos records always compare last. We use the thread number in the redact_node
439 * to ensure that records do not compare equal (which is not allowed in our avl
440 * trees).
441 */
442 static int
redact_node_compare_end(const void * arg1,const void * arg2)443 redact_node_compare_end(const void *arg1, const void *arg2)
444 {
445 const struct redact_node *rn1 = arg1;
446 const struct redact_node *rn2 = arg2;
447 const struct redact_record *srr1 = rn1->record;
448 const struct redact_record *srr2 = rn2->record;
449 if (srr1->eos_marker)
450 return (1);
451 if (srr2->eos_marker)
452 return (-1);
453
454 int cmp = redact_range_compare(srr1->end_object, srr1->end_blkid,
455 srr1->datablksz, srr2->end_object, srr2->end_blkid,
456 srr2->datablksz);
457 if (cmp == 0)
458 cmp = (rn1->thread_num < rn2->thread_num ? -1 : 1);
459 return (cmp);
460 }
461
462 /*
463 * Utility function that compares two redaction records to determine if any part
464 * of the "from" record is before any part of the "to" record. Also causes End
465 * of Stream redaction records to compare after all others, so that the
466 * redaction merging logic can stay simple.
467 */
468 static boolean_t
redact_record_before(const struct redact_record * from,const struct redact_record * to)469 redact_record_before(const struct redact_record *from,
470 const struct redact_record *to)
471 {
472 if (from->eos_marker == B_TRUE)
473 return (B_FALSE);
474 else if (to->eos_marker == B_TRUE)
475 return (B_TRUE);
476 return (redact_range_compare(from->start_object, from->start_blkid,
477 from->datablksz, to->end_object, to->end_blkid,
478 to->datablksz) <= 0);
479 }
480
481 /*
482 * Pop a new redaction record off the queue, check that the records are in the
483 * right order, and free the old data.
484 */
485 static struct redact_record *
get_next_redact_record(bqueue_t * bq,struct redact_record * prev)486 get_next_redact_record(bqueue_t *bq, struct redact_record *prev)
487 {
488 struct redact_record *next = bqueue_dequeue(bq);
489 ASSERT(redact_record_before(prev, next));
490 kmem_free(prev, sizeof (*prev));
491 return (next);
492 }
493
494 /*
495 * Remove the given redaction node from both trees, pull a new redaction record
496 * off the queue, free the old redaction record, update the redaction node, and
497 * reinsert the node into the trees.
498 */
499 static int
update_avl_trees(avl_tree_t * start_tree,avl_tree_t * end_tree,struct redact_node * redact_node)500 update_avl_trees(avl_tree_t *start_tree, avl_tree_t *end_tree,
501 struct redact_node *redact_node)
502 {
503 avl_remove(start_tree, redact_node);
504 avl_remove(end_tree, redact_node);
505 redact_node->record = get_next_redact_record(&redact_node->rt_arg->q,
506 redact_node->record);
507 avl_add(end_tree, redact_node);
508 avl_add(start_tree, redact_node);
509 return (redact_node->rt_arg->error_code);
510 }
511
512 /*
513 * Synctask for updating redaction lists. We first take this txg's list of
514 * redacted blocks and append those to the redaction list. We then update the
515 * redaction list's bonus buffer. We store the furthest blocks we visited and
516 * the list of snapshots that we're redacting with respect to. We need these so
517 * that redacted sends and receives can be correctly resumed.
518 */
519 static void
redaction_list_update_sync(void * arg,dmu_tx_t * tx)520 redaction_list_update_sync(void *arg, dmu_tx_t *tx)
521 {
522 struct merge_data *md = arg;
523 uint64_t txg = dmu_tx_get_txg(tx);
524 list_t *list = &md->md_blocks[txg & TXG_MASK];
525 redact_block_phys_t *furthest_visited =
526 &md->md_furthest[txg & TXG_MASK];
527 objset_t *mos = tx->tx_pool->dp_meta_objset;
528 redaction_list_t *rl = md->md_redaction_list;
529 int bufsize = redact_sync_bufsize;
530 redact_block_phys_t *buf = kmem_alloc(bufsize * sizeof (*buf),
531 KM_SLEEP);
532 int index = 0;
533
534 dmu_buf_will_dirty(rl->rl_dbuf, tx);
535
536 for (struct redact_block_list_node *rbln = list_remove_head(list);
537 rbln != NULL; rbln = list_remove_head(list)) {
538 ASSERT3U(rbln->block.rbp_object, <=,
539 furthest_visited->rbp_object);
540 ASSERT(rbln->block.rbp_object < furthest_visited->rbp_object ||
541 rbln->block.rbp_blkid <= furthest_visited->rbp_blkid);
542 buf[index] = rbln->block;
543 index++;
544 if (index == bufsize) {
545 dmu_write(mos, rl->rl_object,
546 rl->rl_phys->rlp_num_entries * sizeof (*buf),
547 bufsize * sizeof (*buf), buf, tx,
548 DMU_READ_NO_PREFETCH);
549 rl->rl_phys->rlp_num_entries += bufsize;
550 index = 0;
551 }
552 kmem_free(rbln, sizeof (*rbln));
553 }
554 if (index > 0) {
555 dmu_write(mos, rl->rl_object, rl->rl_phys->rlp_num_entries *
556 sizeof (*buf), index * sizeof (*buf), buf, tx,
557 DMU_READ_NO_PREFETCH);
558 rl->rl_phys->rlp_num_entries += index;
559 }
560 kmem_free(buf, bufsize * sizeof (*buf));
561
562 md->md_synctask_txg[txg & TXG_MASK] = B_FALSE;
563 rl->rl_phys->rlp_last_object = furthest_visited->rbp_object;
564 rl->rl_phys->rlp_last_blkid = furthest_visited->rbp_blkid;
565 }
566
567 static void
commit_rl_updates(objset_t * os,struct merge_data * md,uint64_t object,uint64_t blkid)568 commit_rl_updates(objset_t *os, struct merge_data *md, uint64_t object,
569 uint64_t blkid)
570 {
571 dmu_tx_t *tx = dmu_tx_create_dd(spa_get_dsl(os->os_spa)->dp_mos_dir);
572 dmu_tx_hold_space(tx, sizeof (struct redact_block_list_node));
573 VERIFY0(dmu_tx_assign(tx, DMU_TX_WAIT | DMU_TX_SUSPEND));
574 uint64_t txg = dmu_tx_get_txg(tx);
575 if (!md->md_synctask_txg[txg & TXG_MASK]) {
576 dsl_sync_task_nowait(dmu_tx_pool(tx),
577 redaction_list_update_sync, md, tx);
578 md->md_synctask_txg[txg & TXG_MASK] = B_TRUE;
579 md->md_latest_synctask_txg = txg;
580 }
581 md->md_furthest[txg & TXG_MASK].rbp_object = object;
582 md->md_furthest[txg & TXG_MASK].rbp_blkid = blkid;
583 list_move_tail(&md->md_blocks[txg & TXG_MASK],
584 &md->md_redact_block_pending);
585 dmu_tx_commit(tx);
586 md->md_last_time = gethrtime();
587 }
588
589 /*
590 * We want to store the list of blocks that we're redacting in the bookmark's
591 * redaction list. However, this list is stored in the MOS, which means it can
592 * only be written to in syncing context. To get around this, we create a
593 * synctask that will write to the mos for us. We tell it what to write by
594 * a linked list for each current transaction group; every time we decide to
595 * redact a block, we append it to the transaction group that is currently in
596 * open context. We also update some progress information that the synctask
597 * will store to enable resumable redacted sends.
598 */
599 static void
update_redaction_list(struct merge_data * md,objset_t * os,uint64_t object,uint64_t blkid,uint64_t endblkid,uint32_t blksz)600 update_redaction_list(struct merge_data *md, objset_t *os,
601 uint64_t object, uint64_t blkid, uint64_t endblkid, uint32_t blksz)
602 {
603 boolean_t enqueue = B_FALSE;
604 redact_block_phys_t cur = {0};
605 uint64_t count = endblkid - blkid + 1;
606 while (count > REDACT_BLOCK_MAX_COUNT) {
607 update_redaction_list(md, os, object, blkid,
608 blkid + REDACT_BLOCK_MAX_COUNT - 1, blksz);
609 blkid += REDACT_BLOCK_MAX_COUNT;
610 count -= REDACT_BLOCK_MAX_COUNT;
611 }
612 redact_block_phys_t *coalesce = &md->md_coalesce_block;
613 boolean_t new;
614 if (coalesce->rbp_size_count == 0) {
615 new = B_TRUE;
616 enqueue = B_FALSE;
617 } else {
618 uint64_t old_count = redact_block_get_count(coalesce);
619 if (coalesce->rbp_object == object &&
620 coalesce->rbp_blkid + old_count == blkid &&
621 old_count + count <= REDACT_BLOCK_MAX_COUNT) {
622 ASSERT3U(redact_block_get_size(coalesce), ==, blksz);
623 redact_block_set_count(coalesce, old_count + count);
624 new = B_FALSE;
625 enqueue = B_FALSE;
626 } else {
627 new = B_TRUE;
628 enqueue = B_TRUE;
629 }
630 }
631
632 if (new) {
633 cur = *coalesce;
634 coalesce->rbp_blkid = blkid;
635 coalesce->rbp_object = object;
636
637 redact_block_set_count(coalesce, count);
638 redact_block_set_size(coalesce, blksz);
639 }
640
641 if (enqueue && redact_block_get_size(&cur) != 0) {
642 struct redact_block_list_node *rbln =
643 kmem_alloc(sizeof (struct redact_block_list_node),
644 KM_SLEEP);
645 rbln->block = cur;
646 list_insert_tail(&md->md_redact_block_pending, rbln);
647 }
648
649 if (gethrtime() > md->md_last_time +
650 redaction_list_update_interval_ns) {
651 commit_rl_updates(os, md, object, blkid);
652 }
653 }
654
655 /*
656 * This thread merges all the redaction records provided by the worker threads,
657 * and determines which blocks are redacted by all the snapshots. The algorithm
658 * for doing so is similar to performing a merge in mergesort with n sub-lists
659 * instead of 2, with some added complexity due to the fact that the entries are
660 * ranges, not just single blocks. This algorithm relies on the fact that the
661 * queues are sorted, which is ensured by the fact that traverse_dataset
662 * traverses the dataset in a consistent order. We pull one entry off the front
663 * of the queues of each secure dataset traversal thread. Then we repeat the
664 * following: each record represents a range of blocks modified by one of the
665 * redaction snapshots, and each block in that range may need to be redacted in
666 * the send stream. Find the record with the latest start of its range, and the
667 * record with the earliest end of its range. If the last start is before the
668 * first end, then we know that the blocks in the range [last_start, first_end]
669 * are covered by all of the ranges at the front of the queues, which means
670 * every thread redacts that whole range. For example, let's say the ranges on
671 * each queue look like this:
672 *
673 * Block Id 1 2 3 4 5 6 7 8 9 10 11
674 * Thread 1 | [====================]
675 * Thread 2 | [========]
676 * Thread 3 | [=================]
677 *
678 * Thread 3 has the last start (5), and the thread 2 has the last end (6). All
679 * three threads modified the range [5,6], so that data should not be sent over
680 * the wire. After we've determined whether or not to redact anything, we take
681 * the record with the first end. We discard that record, and pull a new one
682 * off the front of the queue it came from. In the above example, we would
683 * discard Thread 2's record, and pull a new one. Let's say the next record we
684 * pulled from Thread 2 covered range [10,11]. The new layout would look like
685 * this:
686 *
687 * Block Id 1 2 3 4 5 6 7 8 9 10 11
688 * Thread 1 | [====================]
689 * Thread 2 | [==]
690 * Thread 3 | [=================]
691 *
692 * When we compare the last start (10, from Thread 2) and the first end (9, from
693 * Thread 1), we see that the last start is greater than the first end.
694 * Therefore, we do not redact anything from these records. We'll iterate by
695 * replacing the record from Thread 1.
696 *
697 * We iterate by replacing the record with the lowest end because we know
698 * that the record with the lowest end has helped us as much as it can. All the
699 * ranges before it that we will ever redact have been redacted. In addition,
700 * by replacing the one with the lowest end, we guarantee we catch all ranges
701 * that need to be redacted. For example, if in the case above we had replaced
702 * the record from Thread 1 instead, we might have ended up with the following:
703 *
704 * Block Id 1 2 3 4 5 6 7 8 9 10 11 12
705 * Thread 1 | [==]
706 * Thread 2 | [========]
707 * Thread 3 | [=================]
708 *
709 * If the next record from Thread 2 had been [8,10], for example, we should have
710 * redacted part of that range, but because we updated Thread 1's record, we
711 * missed it.
712 *
713 * We implement this algorithm by using two trees. The first sorts the
714 * redaction records by their start_zb, and the second sorts them by their
715 * end_zb. We use these to find the record with the last start and the record
716 * with the first end. We create a record with that start and end, and send it
717 * on. The overall runtime of this implementation is O(n log m), where n is the
718 * total number of redaction records from all the different redaction snapshots,
719 * and m is the number of redaction snapshots.
720 *
721 * If we redact with respect to zero snapshots, we create a redaction
722 * record with the start object and blkid to 0, and the end object and blkid to
723 * UINT64_MAX. This will result in us redacting every block.
724 */
725 static int
perform_thread_merge(bqueue_t * q,uint32_t num_threads,struct redact_thread_arg * thread_args,boolean_t * cancel)726 perform_thread_merge(bqueue_t *q, uint32_t num_threads,
727 struct redact_thread_arg *thread_args, boolean_t *cancel)
728 {
729 struct redact_node *redact_nodes = NULL;
730 avl_tree_t start_tree, end_tree;
731 struct redact_record *record;
732 struct redact_record *current_record = NULL;
733 int err = 0;
734 struct merge_data md = { {0} };
735 list_create(&md.md_redact_block_pending,
736 sizeof (struct redact_block_list_node),
737 offsetof(struct redact_block_list_node, node));
738
739 /*
740 * If we're redacting with respect to zero snapshots, then no data is
741 * permitted to be sent. We enqueue a record that redacts all blocks,
742 * and an eos marker.
743 */
744 if (num_threads == 0) {
745 record = kmem_zalloc(sizeof (struct redact_record),
746 KM_SLEEP);
747 // We can't redact object 0, so don't try.
748 record->start_object = 1;
749 record->start_blkid = 0;
750 record->end_object = record->end_blkid = UINT64_MAX;
751 bqueue_enqueue(q, record, sizeof (*record));
752 return (0);
753 }
754 redact_nodes = vmem_zalloc(num_threads *
755 sizeof (*redact_nodes), KM_SLEEP);
756
757 avl_create(&start_tree, redact_node_compare_start,
758 sizeof (struct redact_node),
759 offsetof(struct redact_node, avl_node_start));
760 avl_create(&end_tree, redact_node_compare_end,
761 sizeof (struct redact_node),
762 offsetof(struct redact_node, avl_node_end));
763
764 for (int i = 0; i < num_threads; i++) {
765 struct redact_node *node = &redact_nodes[i];
766 struct redact_thread_arg *targ = &thread_args[i];
767 node->record = bqueue_dequeue(&targ->q);
768 node->rt_arg = targ;
769 node->thread_num = i;
770 avl_add(&start_tree, node);
771 avl_add(&end_tree, node);
772 }
773
774 /*
775 * Once the first record in the end tree has returned EOS, every record
776 * must be an EOS record, so we should stop.
777 */
778 while (err == 0 && !((struct redact_node *)avl_first(&end_tree))->
779 record->eos_marker) {
780 if (*cancel) {
781 err = EINTR;
782 break;
783 }
784 struct redact_node *last_start = avl_last(&start_tree);
785 struct redact_node *first_end = avl_first(&end_tree);
786
787 /*
788 * If the last start record is before the first end record,
789 * then we have blocks that are redacted by all threads.
790 * Therefore, we should redact them. Copy the record, and send
791 * it to the main thread.
792 */
793 if (redact_record_before(last_start->record,
794 first_end->record)) {
795 record = kmem_zalloc(sizeof (struct redact_record),
796 KM_SLEEP);
797 *record = *first_end->record;
798 record->start_object = last_start->record->start_object;
799 record->start_blkid = last_start->record->start_blkid;
800 record_merge_enqueue(q, ¤t_record,
801 record);
802 }
803 err = update_avl_trees(&start_tree, &end_tree, first_end);
804 }
805
806 /*
807 * We're done; if we were cancelled, we need to cancel our workers and
808 * clear out their queues. Either way, we need to remove every thread's
809 * redact_node struct from the avl trees.
810 */
811 for (int i = 0; i < num_threads; i++) {
812 if (err != 0) {
813 thread_args[i].cancel = B_TRUE;
814 while (!redact_nodes[i].record->eos_marker) {
815 (void) update_avl_trees(&start_tree, &end_tree,
816 &redact_nodes[i]);
817 }
818 }
819 avl_remove(&start_tree, &redact_nodes[i]);
820 avl_remove(&end_tree, &redact_nodes[i]);
821 kmem_free(redact_nodes[i].record,
822 sizeof (struct redact_record));
823 bqueue_destroy(&thread_args[i].q);
824 }
825
826 avl_destroy(&start_tree);
827 avl_destroy(&end_tree);
828 vmem_free(redact_nodes, num_threads * sizeof (*redact_nodes));
829 if (current_record != NULL)
830 bqueue_enqueue(q, current_record, sizeof (*current_record));
831 return (err);
832 }
833
834 struct redact_merge_thread_arg {
835 bqueue_t q;
836 spa_t *spa;
837 int numsnaps;
838 struct redact_thread_arg *thr_args;
839 boolean_t cancel;
840 int error_code;
841 };
842
843 static __attribute__((noreturn)) void
redact_merge_thread(void * arg)844 redact_merge_thread(void *arg)
845 {
846 struct redact_merge_thread_arg *rmta = arg;
847 rmta->error_code = perform_thread_merge(&rmta->q,
848 rmta->numsnaps, rmta->thr_args, &rmta->cancel);
849 struct redact_record *rec = kmem_zalloc(sizeof (*rec), KM_SLEEP);
850 rec->eos_marker = B_TRUE;
851 bqueue_enqueue_flush(&rmta->q, rec, 1);
852 thread_exit();
853 }
854
855 /*
856 * Find the next object in or after the redaction range passed in, and hold
857 * its dnode with the provided tag. Also update *object to contain the new
858 * object number.
859 */
860 static int
hold_next_object(objset_t * os,struct redact_record * rec,const void * tag,uint64_t * object,dnode_t ** dn)861 hold_next_object(objset_t *os, struct redact_record *rec, const void *tag,
862 uint64_t *object, dnode_t **dn)
863 {
864 int err = 0;
865 if (*dn != NULL)
866 dnode_rele(*dn, tag);
867 *dn = NULL;
868 if (*object < rec->start_object) {
869 *object = rec->start_object - 1;
870 }
871 err = dmu_object_next(os, object, B_FALSE, 0);
872 if (err != 0)
873 return (err);
874
875 err = dnode_hold(os, *object, tag, dn);
876 while (err == 0 && (*object < rec->start_object ||
877 DMU_OT_IS_METADATA((*dn)->dn_type))) {
878 dnode_rele(*dn, tag);
879 *dn = NULL;
880 err = dmu_object_next(os, object, B_FALSE, 0);
881 if (err != 0)
882 break;
883 err = dnode_hold(os, *object, tag, dn);
884 }
885 return (err);
886 }
887
888 static int
perform_redaction(objset_t * os,redaction_list_t * rl,struct redact_merge_thread_arg * rmta)889 perform_redaction(objset_t *os, redaction_list_t *rl,
890 struct redact_merge_thread_arg *rmta)
891 {
892 int err = 0;
893 bqueue_t *q = &rmta->q;
894 struct redact_record *rec = NULL;
895 struct merge_data md = { {0} };
896
897 list_create(&md.md_redact_block_pending,
898 sizeof (struct redact_block_list_node),
899 offsetof(struct redact_block_list_node, node));
900 md.md_redaction_list = rl;
901
902 for (int i = 0; i < TXG_SIZE; i++) {
903 list_create(&md.md_blocks[i],
904 sizeof (struct redact_block_list_node),
905 offsetof(struct redact_block_list_node, node));
906 }
907 dnode_t *dn = NULL;
908 uint64_t prev_obj = 0;
909 for (rec = bqueue_dequeue(q); !rec->eos_marker && err == 0;
910 rec = get_next_redact_record(q, rec)) {
911 ASSERT3U(rec->start_object, !=, 0);
912 uint64_t object;
913 if (prev_obj != rec->start_object) {
914 object = rec->start_object - 1;
915 err = hold_next_object(os, rec, FTAG, &object, &dn);
916 } else {
917 object = prev_obj;
918 }
919 while (err == 0 && object <= rec->end_object) {
920 if (issig()) {
921 err = EINTR;
922 break;
923 }
924 /*
925 * Part of the current object is contained somewhere in
926 * the range covered by rec.
927 */
928 uint64_t startblkid;
929 uint64_t endblkid;
930 uint64_t maxblkid = dn->dn_phys->dn_maxblkid;
931
932 if (rec->start_object < object)
933 startblkid = 0;
934 else if (rec->start_blkid > maxblkid)
935 break;
936 else
937 startblkid = rec->start_blkid;
938
939 if (rec->end_object > object || rec->end_blkid >
940 maxblkid) {
941 endblkid = maxblkid;
942 } else {
943 endblkid = rec->end_blkid;
944 }
945 update_redaction_list(&md, os, object, startblkid,
946 endblkid, dn->dn_datablksz);
947
948 if (object == rec->end_object)
949 break;
950 err = hold_next_object(os, rec, FTAG, &object, &dn);
951 }
952 if (err == ESRCH)
953 err = 0;
954 if (dn != NULL)
955 prev_obj = object;
956 }
957 if (err == 0 && dn != NULL)
958 dnode_rele(dn, FTAG);
959
960 if (err == ESRCH)
961 err = 0;
962 rmta->cancel = B_TRUE;
963 while (!rec->eos_marker)
964 rec = get_next_redact_record(q, rec);
965 kmem_free(rec, sizeof (*rec));
966
967 /*
968 * There may be a block that's being coalesced, sync that out before we
969 * return.
970 */
971 if (err == 0 && md.md_coalesce_block.rbp_size_count != 0) {
972 struct redact_block_list_node *rbln =
973 kmem_alloc(sizeof (struct redact_block_list_node),
974 KM_SLEEP);
975 rbln->block = md.md_coalesce_block;
976 list_insert_tail(&md.md_redact_block_pending, rbln);
977 }
978 commit_rl_updates(os, &md, UINT64_MAX, UINT64_MAX);
979
980 /*
981 * Wait for all the redaction info to sync out before we return, so that
982 * anyone who attempts to resume this redaction will have all the data
983 * they need.
984 */
985 dsl_pool_t *dp = spa_get_dsl(os->os_spa);
986 if (md.md_latest_synctask_txg != 0)
987 txg_wait_synced(dp, md.md_latest_synctask_txg);
988 for (int i = 0; i < TXG_SIZE; i++)
989 list_destroy(&md.md_blocks[i]);
990 return (err);
991 }
992
993 static boolean_t
redact_snaps_contains(uint64_t * snaps,uint64_t num_snaps,uint64_t guid)994 redact_snaps_contains(uint64_t *snaps, uint64_t num_snaps, uint64_t guid)
995 {
996 for (int i = 0; i < num_snaps; i++) {
997 if (snaps[i] == guid)
998 return (B_TRUE);
999 }
1000 return (B_FALSE);
1001 }
1002
1003 int
dmu_redact_snap(const char * snapname,nvlist_t * redactnvl,const char * redactbook)1004 dmu_redact_snap(const char *snapname, nvlist_t *redactnvl,
1005 const char *redactbook)
1006 {
1007 int err = 0;
1008 dsl_pool_t *dp = NULL;
1009 dsl_dataset_t *ds = NULL;
1010 int numsnaps = 0;
1011 objset_t *os;
1012 struct redact_thread_arg *args = NULL;
1013 redaction_list_t *new_rl = NULL;
1014 char *newredactbook;
1015
1016 if ((err = dsl_pool_hold(snapname, FTAG, &dp)) != 0)
1017 return (err);
1018
1019 newredactbook = kmem_zalloc(sizeof (char) * ZFS_MAX_DATASET_NAME_LEN,
1020 KM_SLEEP);
1021
1022 if ((err = dsl_dataset_hold_flags(dp, snapname, DS_HOLD_FLAG_DECRYPT,
1023 FTAG, &ds)) != 0) {
1024 goto out;
1025 }
1026 dsl_dataset_long_hold(ds, FTAG);
1027 if (!ds->ds_is_snapshot || dmu_objset_from_ds(ds, &os) != 0) {
1028 err = EINVAL;
1029 goto out;
1030 }
1031 if (dsl_dataset_feature_is_active(ds, SPA_FEATURE_REDACTED_DATASETS)) {
1032 err = EALREADY;
1033 goto out;
1034 }
1035
1036 numsnaps = fnvlist_num_pairs(redactnvl);
1037 if (numsnaps > 0)
1038 args = vmem_zalloc(numsnaps * sizeof (*args), KM_SLEEP);
1039
1040 nvpair_t *pair = NULL;
1041 for (int i = 0; i < numsnaps; i++) {
1042 pair = nvlist_next_nvpair(redactnvl, pair);
1043 const char *name = nvpair_name(pair);
1044 struct redact_thread_arg *rta = &args[i];
1045 err = dsl_dataset_hold_flags(dp, name, DS_HOLD_FLAG_DECRYPT,
1046 FTAG, &rta->ds);
1047 if (err != 0)
1048 break;
1049 /*
1050 * We want to do the long hold before we can get any other
1051 * errors, because the cleanup code will release the long
1052 * hold if rta->ds is filled in.
1053 */
1054 dsl_dataset_long_hold(rta->ds, FTAG);
1055
1056 err = dmu_objset_from_ds(rta->ds, &rta->os);
1057 if (err != 0)
1058 break;
1059 if (!dsl_dataset_is_before(rta->ds, ds, 0)) {
1060 err = EINVAL;
1061 break;
1062 }
1063 if (dsl_dataset_feature_is_active(rta->ds,
1064 SPA_FEATURE_REDACTED_DATASETS)) {
1065 err = EALREADY;
1066 break;
1067
1068 }
1069 }
1070 if (err != 0)
1071 goto out;
1072 VERIFY0P(nvlist_next_nvpair(redactnvl, pair));
1073
1074 boolean_t resuming = B_FALSE;
1075 zfs_bookmark_phys_t bookmark;
1076
1077 (void) strlcpy(newredactbook, snapname, ZFS_MAX_DATASET_NAME_LEN);
1078 char *c = strchr(newredactbook, '@');
1079 ASSERT3P(c, !=, NULL);
1080 int n = snprintf(c, ZFS_MAX_DATASET_NAME_LEN - (c - newredactbook),
1081 "#%s", redactbook);
1082 if (n >= ZFS_MAX_DATASET_NAME_LEN - (c - newredactbook)) {
1083 dsl_pool_rele(dp, FTAG);
1084 kmem_free(newredactbook,
1085 sizeof (char) * ZFS_MAX_DATASET_NAME_LEN);
1086 if (args != NULL)
1087 vmem_free(args, numsnaps * sizeof (*args));
1088 return (SET_ERROR(ENAMETOOLONG));
1089 }
1090 err = dsl_bookmark_lookup(dp, newredactbook, NULL, &bookmark);
1091 if (err == 0) {
1092 resuming = B_TRUE;
1093 if (bookmark.zbm_redaction_obj == 0) {
1094 err = EEXIST;
1095 goto out;
1096 }
1097 err = dsl_redaction_list_hold_obj(dp,
1098 bookmark.zbm_redaction_obj, FTAG, &new_rl);
1099 if (err != 0) {
1100 err = EIO;
1101 goto out;
1102 }
1103 dsl_redaction_list_long_hold(dp, new_rl, FTAG);
1104 if (new_rl->rl_phys->rlp_num_snaps != numsnaps) {
1105 err = ESRCH;
1106 goto out;
1107 }
1108 for (int i = 0; i < numsnaps; i++) {
1109 struct redact_thread_arg *rta = &args[i];
1110 if (!redact_snaps_contains(new_rl->rl_phys->rlp_snaps,
1111 new_rl->rl_phys->rlp_num_snaps,
1112 dsl_dataset_phys(rta->ds)->ds_guid)) {
1113 err = ESRCH;
1114 goto out;
1115 }
1116 }
1117 if (new_rl->rl_phys->rlp_last_blkid == UINT64_MAX &&
1118 new_rl->rl_phys->rlp_last_object == UINT64_MAX) {
1119 err = EEXIST;
1120 goto out;
1121 }
1122 dsl_pool_rele(dp, FTAG);
1123 dp = NULL;
1124 } else {
1125 uint64_t *guids = NULL;
1126 if (numsnaps > 0) {
1127 guids = vmem_zalloc(numsnaps * sizeof (uint64_t),
1128 KM_SLEEP);
1129 }
1130 for (int i = 0; i < numsnaps; i++) {
1131 struct redact_thread_arg *rta = &args[i];
1132 guids[i] = dsl_dataset_phys(rta->ds)->ds_guid;
1133 }
1134
1135 dsl_pool_rele(dp, FTAG);
1136 dp = NULL;
1137 err = dsl_bookmark_create_redacted(newredactbook, snapname,
1138 numsnaps, guids, FTAG, &new_rl);
1139 vmem_free(guids, numsnaps * sizeof (uint64_t));
1140 if (err != 0)
1141 goto out;
1142 }
1143
1144 for (int i = 0; i < numsnaps; i++) {
1145 struct redact_thread_arg *rta = &args[i];
1146 (void) bqueue_init(&rta->q, zfs_redact_queue_ff,
1147 zfs_redact_queue_length,
1148 offsetof(struct redact_record, ln));
1149 if (resuming) {
1150 rta->resume.zb_blkid =
1151 new_rl->rl_phys->rlp_last_blkid;
1152 rta->resume.zb_object =
1153 new_rl->rl_phys->rlp_last_object;
1154 }
1155 rta->txg = dsl_dataset_phys(ds)->ds_creation_txg;
1156 (void) thread_create(NULL, 0, redact_traverse_thread, rta,
1157 0, curproc, TS_RUN, minclsyspri);
1158 }
1159
1160 struct redact_merge_thread_arg *rmta;
1161 rmta = kmem_zalloc(sizeof (struct redact_merge_thread_arg), KM_SLEEP);
1162
1163 (void) bqueue_init(&rmta->q, zfs_redact_queue_ff,
1164 zfs_redact_queue_length, offsetof(struct redact_record, ln));
1165 rmta->numsnaps = numsnaps;
1166 rmta->spa = os->os_spa;
1167 rmta->thr_args = args;
1168 (void) thread_create(NULL, 0, redact_merge_thread, rmta, 0, curproc,
1169 TS_RUN, minclsyspri);
1170 err = perform_redaction(os, new_rl, rmta);
1171 bqueue_destroy(&rmta->q);
1172 kmem_free(rmta, sizeof (struct redact_merge_thread_arg));
1173
1174 out:
1175 kmem_free(newredactbook, sizeof (char) * ZFS_MAX_DATASET_NAME_LEN);
1176
1177 if (new_rl != NULL) {
1178 dsl_redaction_list_long_rele(new_rl, FTAG);
1179 dsl_redaction_list_rele(new_rl, FTAG);
1180 }
1181 for (int i = 0; i < numsnaps; i++) {
1182 struct redact_thread_arg *rta = &args[i];
1183 /*
1184 * rta->ds may be NULL if we got an error while filling
1185 * it in.
1186 */
1187 if (rta->ds != NULL) {
1188 dsl_dataset_long_rele(rta->ds, FTAG);
1189 dsl_dataset_rele_flags(rta->ds,
1190 DS_HOLD_FLAG_DECRYPT, FTAG);
1191 }
1192 }
1193
1194 if (args != NULL)
1195 vmem_free(args, numsnaps * sizeof (*args));
1196 if (dp != NULL)
1197 dsl_pool_rele(dp, FTAG);
1198 if (ds != NULL) {
1199 dsl_dataset_long_rele(ds, FTAG);
1200 dsl_dataset_rele_flags(ds, DS_HOLD_FLAG_DECRYPT, FTAG);
1201 }
1202 return (SET_ERROR(err));
1203
1204 }
1205