1 // SPDX-License-Identifier: CDDL-1.0 2 /* 3 * CDDL HEADER START 4 * 5 * The contents of this file are subject to the terms of the 6 * Common Development and Distribution License (the "License"). 7 * You may not use this file except in compliance with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or https://opensource.org/licenses/CDDL-1.0. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright (c) 2017, 2018 by Delphix. All rights reserved. 24 */ 25 26 #include <sys/zfs_context.h> 27 #include <sys/txg.h> 28 #include <sys/dmu_objset.h> 29 #include <sys/dmu_traverse.h> 30 #include <sys/dmu_redact.h> 31 #include <sys/bqueue.h> 32 #include <sys/objlist.h> 33 #include <sys/dmu_tx.h> 34 #ifdef _KERNEL 35 #include <sys/zfs_vfsops.h> 36 #include <sys/zap.h> 37 #include <sys/zfs_znode.h> 38 #endif 39 40 /* 41 * This controls the number of entries in the buffer the redaction_list_update 42 * synctask uses to buffer writes to the redaction list. 43 */ 44 static const int redact_sync_bufsize = 1024; 45 46 /* 47 * Controls how often to update the redaction list when creating a redaction 48 * list. 49 */ 50 static const uint64_t redaction_list_update_interval_ns = 51 1000 * 1000 * 1000ULL; /* 1s */ 52 53 /* 54 * This tunable controls the length of the queues that zfs redact worker threads 55 * use to communicate. If the dmu_redact_snap thread is blocking on these 56 * queues, this variable may need to be increased. If there is a significant 57 * slowdown at the start of a redact operation as these threads consume all the 58 * available IO resources, or the queues are consuming too much memory, this 59 * variable may need to be decreased. 60 */ 61 static const int zfs_redact_queue_length = 1024 * 1024; 62 63 /* 64 * These tunables control the fill fraction of the queues by zfs redact. The 65 * fill fraction controls the frequency with which threads have to be 66 * cv_signaled. If a lot of cpu time is being spent on cv_signal, then these 67 * should be tuned down. If the queues empty before the signalled thread can 68 * catch up, then these should be tuned up. 69 */ 70 static const uint64_t zfs_redact_queue_ff = 20; 71 72 struct redact_record { 73 bqueue_node_t ln; 74 boolean_t eos_marker; /* Marks the end of the stream */ 75 uint64_t start_object; 76 uint64_t start_blkid; 77 uint64_t end_object; 78 uint64_t end_blkid; 79 uint8_t indblkshift; 80 uint32_t datablksz; 81 }; 82 83 struct redact_thread_arg { 84 bqueue_t q; 85 objset_t *os; /* Objset to traverse */ 86 dsl_dataset_t *ds; /* Dataset to traverse */ 87 struct redact_record *current_record; 88 int error_code; 89 boolean_t cancel; 90 zbookmark_phys_t resume; 91 objlist_t *deleted_objs; 92 uint64_t *num_blocks_visited; 93 uint64_t ignore_object; /* ignore further callbacks on this */ 94 uint64_t txg; /* txg to traverse since */ 95 }; 96 97 /* 98 * The redaction node is a wrapper around the redaction record that is used 99 * by the redaction merging thread to sort the records and determine overlaps. 100 * 101 * It contains two nodes; one sorts the records by their start_zb, and the other 102 * sorts the records by their end_zb. 103 */ 104 struct redact_node { 105 avl_node_t avl_node_start; 106 avl_node_t avl_node_end; 107 struct redact_record *record; 108 struct redact_thread_arg *rt_arg; 109 uint32_t thread_num; 110 }; 111 112 struct merge_data { 113 list_t md_redact_block_pending; 114 redact_block_phys_t md_coalesce_block; 115 uint64_t md_last_time; 116 redact_block_phys_t md_furthest[TXG_SIZE]; 117 /* Lists of struct redact_block_list_node. */ 118 list_t md_blocks[TXG_SIZE]; 119 boolean_t md_synctask_txg[TXG_SIZE]; 120 uint64_t md_latest_synctask_txg; 121 redaction_list_t *md_redaction_list; 122 }; 123 124 /* 125 * A wrapper around struct redact_block so it can be stored in a list_t. 126 */ 127 struct redact_block_list_node { 128 redact_block_phys_t block; 129 list_node_t node; 130 }; 131 132 /* 133 * We've found a new redaction candidate. In order to improve performance, we 134 * coalesce these blocks when they're adjacent to each other. This function 135 * handles that. If the new candidate block range is immediately after the 136 * range we're building, coalesce it into the range we're building. Otherwise, 137 * put the record we're building on the queue, and update the build pointer to 138 * point to the new record. 139 */ 140 static void 141 record_merge_enqueue(bqueue_t *q, struct redact_record **build, 142 struct redact_record *new) 143 { 144 if (new->eos_marker) { 145 if (*build != NULL) 146 bqueue_enqueue(q, *build, sizeof (**build)); 147 bqueue_enqueue_flush(q, new, sizeof (*new)); 148 return; 149 } 150 if (*build == NULL) { 151 *build = new; 152 return; 153 } 154 struct redact_record *curbuild = *build; 155 if ((curbuild->end_object == new->start_object && 156 curbuild->end_blkid + 1 == new->start_blkid && 157 curbuild->end_blkid != UINT64_MAX) || 158 (curbuild->end_object + 1 == new->start_object && 159 curbuild->end_blkid == UINT64_MAX && new->start_blkid == 0)) { 160 curbuild->end_object = new->end_object; 161 curbuild->end_blkid = new->end_blkid; 162 kmem_free(new, sizeof (*new)); 163 } else { 164 bqueue_enqueue(q, curbuild, sizeof (*curbuild)); 165 *build = new; 166 } 167 } 168 #ifdef _KERNEL 169 struct objnode { 170 avl_node_t node; 171 uint64_t obj; 172 }; 173 174 static int 175 objnode_compare(const void *o1, const void *o2) 176 { 177 const struct objnode *obj1 = o1; 178 const struct objnode *obj2 = o2; 179 if (obj1->obj < obj2->obj) 180 return (-1); 181 if (obj1->obj > obj2->obj) 182 return (1); 183 return (0); 184 } 185 186 187 static objlist_t * 188 zfs_get_deleteq(objset_t *os) 189 { 190 objlist_t *deleteq_objlist = objlist_create(); 191 uint64_t deleteq_obj; 192 zap_cursor_t zc; 193 zap_attribute_t *za; 194 dmu_object_info_t doi; 195 196 ASSERT3U(os->os_phys->os_type, ==, DMU_OST_ZFS); 197 VERIFY0(dmu_object_info(os, MASTER_NODE_OBJ, &doi)); 198 ASSERT3U(doi.doi_type, ==, DMU_OT_MASTER_NODE); 199 200 VERIFY0(zap_lookup(os, MASTER_NODE_OBJ, 201 ZFS_UNLINKED_SET, sizeof (uint64_t), 1, &deleteq_obj)); 202 203 /* 204 * In order to insert objects into the objlist, they must be in sorted 205 * order. We don't know what order we'll get them out of the ZAP in, so 206 * we insert them into and remove them from an avl_tree_t to sort them. 207 */ 208 avl_tree_t at; 209 avl_create(&at, objnode_compare, sizeof (struct objnode), 210 offsetof(struct objnode, node)); 211 212 za = zap_attribute_alloc(); 213 for (zap_cursor_init(&zc, os, deleteq_obj); 214 zap_cursor_retrieve(&zc, za) == 0; zap_cursor_advance(&zc)) { 215 struct objnode *obj = kmem_zalloc(sizeof (*obj), KM_SLEEP); 216 obj->obj = za->za_first_integer; 217 avl_add(&at, obj); 218 } 219 zap_cursor_fini(&zc); 220 zap_attribute_free(za); 221 222 struct objnode *next, *found = avl_first(&at); 223 while (found != NULL) { 224 next = AVL_NEXT(&at, found); 225 objlist_insert(deleteq_objlist, found->obj); 226 found = next; 227 } 228 229 void *cookie = NULL; 230 while ((found = avl_destroy_nodes(&at, &cookie)) != NULL) 231 kmem_free(found, sizeof (*found)); 232 avl_destroy(&at); 233 return (deleteq_objlist); 234 } 235 #endif 236 237 /* 238 * This is the callback function to traverse_dataset for the redaction threads 239 * for dmu_redact_snap. This thread is responsible for creating redaction 240 * records for all the data that is modified by the snapshots we're redacting 241 * with respect to. Redaction records represent ranges of data that have been 242 * modified by one of the redaction snapshots, and are stored in the 243 * redact_record struct. We need to create redaction records for three 244 * cases: 245 * 246 * First, if there's a normal write, we need to create a redaction record for 247 * that block. 248 * 249 * Second, if there's a hole, we need to create a redaction record that covers 250 * the whole range of the hole. If the hole is in the meta-dnode, it must cover 251 * every block in all of the objects in the hole. 252 * 253 * Third, if there is a deleted object, we need to create a redaction record for 254 * all of the blocks in that object. 255 */ 256 static int 257 redact_cb(spa_t *spa, zilog_t *zilog, const blkptr_t *bp, 258 const zbookmark_phys_t *zb, const struct dnode_phys *dnp, void *arg) 259 { 260 (void) spa, (void) zilog; 261 struct redact_thread_arg *rta = arg; 262 struct redact_record *record; 263 264 ASSERT(zb->zb_object == DMU_META_DNODE_OBJECT || 265 zb->zb_object >= rta->resume.zb_object); 266 267 if (rta->cancel) 268 return (SET_ERROR(EINTR)); 269 270 if (rta->ignore_object == zb->zb_object) 271 return (0); 272 273 /* 274 * If we're visiting a dnode, we need to handle the case where the 275 * object has been deleted. 276 */ 277 if (zb->zb_level == ZB_DNODE_LEVEL) { 278 ASSERT3U(zb->zb_level, ==, ZB_DNODE_LEVEL); 279 280 if (zb->zb_object == 0) 281 return (0); 282 283 /* 284 * If the object has been deleted, redact all of the blocks in 285 * it. 286 */ 287 if (dnp->dn_type == DMU_OT_NONE || 288 objlist_exists(rta->deleted_objs, zb->zb_object)) { 289 rta->ignore_object = zb->zb_object; 290 record = kmem_zalloc(sizeof (struct redact_record), 291 KM_SLEEP); 292 293 record->eos_marker = B_FALSE; 294 record->start_object = record->end_object = 295 zb->zb_object; 296 record->start_blkid = 0; 297 record->end_blkid = UINT64_MAX; 298 record_merge_enqueue(&rta->q, 299 &rta->current_record, record); 300 } 301 return (0); 302 } else if (zb->zb_level < 0) { 303 return (0); 304 } else if (zb->zb_level > 0 && !BP_IS_HOLE(bp)) { 305 /* 306 * If this is an indirect block, but not a hole, it doesn't 307 * provide any useful information for redaction, so ignore it. 308 */ 309 return (0); 310 } 311 312 /* 313 * At this point, there are two options left for the type of block we're 314 * looking at. Either this is a hole (which could be in the dnode or 315 * the meta-dnode), or it's a level 0 block of some sort. If it's a 316 * hole, we create a redaction record that covers the whole range. If 317 * the hole is in a dnode, we need to redact all the blocks in that 318 * hole. If the hole is in the meta-dnode, we instead need to redact 319 * all blocks in every object covered by that hole. If it's a level 0 320 * block, we only need to redact that single block. 321 */ 322 record = kmem_zalloc(sizeof (struct redact_record), KM_SLEEP); 323 record->eos_marker = B_FALSE; 324 325 record->start_object = record->end_object = zb->zb_object; 326 if (BP_IS_HOLE(bp)) { 327 record->start_blkid = zb->zb_blkid * 328 bp_span_in_blocks(dnp->dn_indblkshift, zb->zb_level); 329 330 record->end_blkid = ((zb->zb_blkid + 1) * 331 bp_span_in_blocks(dnp->dn_indblkshift, zb->zb_level)) - 1; 332 333 if (zb->zb_object == DMU_META_DNODE_OBJECT) { 334 record->start_object = record->start_blkid * 335 ((SPA_MINBLOCKSIZE * dnp->dn_datablkszsec) / 336 sizeof (dnode_phys_t)); 337 record->start_blkid = 0; 338 record->end_object = ((record->end_blkid + 339 1) * ((SPA_MINBLOCKSIZE * dnp->dn_datablkszsec) / 340 sizeof (dnode_phys_t))) - 1; 341 record->end_blkid = UINT64_MAX; 342 } 343 } else if (zb->zb_level != 0 || 344 zb->zb_object == DMU_META_DNODE_OBJECT) { 345 kmem_free(record, sizeof (*record)); 346 return (0); 347 } else { 348 record->start_blkid = record->end_blkid = zb->zb_blkid; 349 } 350 record->indblkshift = dnp->dn_indblkshift; 351 record->datablksz = dnp->dn_datablkszsec << SPA_MINBLOCKSHIFT; 352 record_merge_enqueue(&rta->q, &rta->current_record, record); 353 354 return (0); 355 } 356 357 static __attribute__((noreturn)) void 358 redact_traverse_thread(void *arg) 359 { 360 struct redact_thread_arg *rt_arg = arg; 361 int err; 362 struct redact_record *data; 363 #ifdef _KERNEL 364 if (rt_arg->os->os_phys->os_type == DMU_OST_ZFS) 365 rt_arg->deleted_objs = zfs_get_deleteq(rt_arg->os); 366 else 367 rt_arg->deleted_objs = objlist_create(); 368 #else 369 rt_arg->deleted_objs = objlist_create(); 370 #endif 371 372 err = traverse_dataset_resume(rt_arg->ds, rt_arg->txg, 373 &rt_arg->resume, TRAVERSE_PRE | TRAVERSE_PREFETCH_METADATA | 374 TRAVERSE_LOGICAL, redact_cb, rt_arg); 375 376 if (err != EINTR) 377 rt_arg->error_code = err; 378 objlist_destroy(rt_arg->deleted_objs); 379 data = kmem_zalloc(sizeof (*data), KM_SLEEP); 380 data->eos_marker = B_TRUE; 381 record_merge_enqueue(&rt_arg->q, &rt_arg->current_record, data); 382 thread_exit(); 383 } 384 385 static inline void 386 create_zbookmark_from_obj_off(zbookmark_phys_t *zb, uint64_t object, 387 uint64_t blkid) 388 { 389 zb->zb_object = object; 390 zb->zb_level = 0; 391 zb->zb_blkid = blkid; 392 } 393 394 /* 395 * This is a utility function that can do the comparison for the start or ends 396 * of the ranges in a redact_record. 397 */ 398 static int 399 redact_range_compare(uint64_t obj1, uint64_t off1, uint32_t dbss1, 400 uint64_t obj2, uint64_t off2, uint32_t dbss2) 401 { 402 zbookmark_phys_t z1, z2; 403 create_zbookmark_from_obj_off(&z1, obj1, off1); 404 create_zbookmark_from_obj_off(&z2, obj2, off2); 405 406 return (zbookmark_compare(dbss1 >> SPA_MINBLOCKSHIFT, 0, 407 dbss2 >> SPA_MINBLOCKSHIFT, 0, &z1, &z2)); 408 } 409 410 /* 411 * Compare two redaction records by their range's start location. Also makes 412 * eos records always compare last. We use the thread number in the redact_node 413 * to ensure that records do not compare equal (which is not allowed in our avl 414 * trees). 415 */ 416 static int 417 redact_node_compare_start(const void *arg1, const void *arg2) 418 { 419 const struct redact_node *rn1 = arg1; 420 const struct redact_node *rn2 = arg2; 421 const struct redact_record *rr1 = rn1->record; 422 const struct redact_record *rr2 = rn2->record; 423 if (rr1->eos_marker) 424 return (1); 425 if (rr2->eos_marker) 426 return (-1); 427 428 int cmp = redact_range_compare(rr1->start_object, rr1->start_blkid, 429 rr1->datablksz, rr2->start_object, rr2->start_blkid, 430 rr2->datablksz); 431 if (cmp == 0) 432 cmp = (rn1->thread_num < rn2->thread_num ? -1 : 1); 433 return (cmp); 434 } 435 436 /* 437 * Compare two redaction records by their range's end location. Also makes 438 * eos records always compare last. We use the thread number in the redact_node 439 * to ensure that records do not compare equal (which is not allowed in our avl 440 * trees). 441 */ 442 static int 443 redact_node_compare_end(const void *arg1, const void *arg2) 444 { 445 const struct redact_node *rn1 = arg1; 446 const struct redact_node *rn2 = arg2; 447 const struct redact_record *srr1 = rn1->record; 448 const struct redact_record *srr2 = rn2->record; 449 if (srr1->eos_marker) 450 return (1); 451 if (srr2->eos_marker) 452 return (-1); 453 454 int cmp = redact_range_compare(srr1->end_object, srr1->end_blkid, 455 srr1->datablksz, srr2->end_object, srr2->end_blkid, 456 srr2->datablksz); 457 if (cmp == 0) 458 cmp = (rn1->thread_num < rn2->thread_num ? -1 : 1); 459 return (cmp); 460 } 461 462 /* 463 * Utility function that compares two redaction records to determine if any part 464 * of the "from" record is before any part of the "to" record. Also causes End 465 * of Stream redaction records to compare after all others, so that the 466 * redaction merging logic can stay simple. 467 */ 468 static boolean_t 469 redact_record_before(const struct redact_record *from, 470 const struct redact_record *to) 471 { 472 if (from->eos_marker == B_TRUE) 473 return (B_FALSE); 474 else if (to->eos_marker == B_TRUE) 475 return (B_TRUE); 476 return (redact_range_compare(from->start_object, from->start_blkid, 477 from->datablksz, to->end_object, to->end_blkid, 478 to->datablksz) <= 0); 479 } 480 481 /* 482 * Pop a new redaction record off the queue, check that the records are in the 483 * right order, and free the old data. 484 */ 485 static struct redact_record * 486 get_next_redact_record(bqueue_t *bq, struct redact_record *prev) 487 { 488 struct redact_record *next = bqueue_dequeue(bq); 489 ASSERT(redact_record_before(prev, next)); 490 kmem_free(prev, sizeof (*prev)); 491 return (next); 492 } 493 494 /* 495 * Remove the given redaction node from both trees, pull a new redaction record 496 * off the queue, free the old redaction record, update the redaction node, and 497 * reinsert the node into the trees. 498 */ 499 static int 500 update_avl_trees(avl_tree_t *start_tree, avl_tree_t *end_tree, 501 struct redact_node *redact_node) 502 { 503 avl_remove(start_tree, redact_node); 504 avl_remove(end_tree, redact_node); 505 redact_node->record = get_next_redact_record(&redact_node->rt_arg->q, 506 redact_node->record); 507 avl_add(end_tree, redact_node); 508 avl_add(start_tree, redact_node); 509 return (redact_node->rt_arg->error_code); 510 } 511 512 /* 513 * Synctask for updating redaction lists. We first take this txg's list of 514 * redacted blocks and append those to the redaction list. We then update the 515 * redaction list's bonus buffer. We store the furthest blocks we visited and 516 * the list of snapshots that we're redacting with respect to. We need these so 517 * that redacted sends and receives can be correctly resumed. 518 */ 519 static void 520 redaction_list_update_sync(void *arg, dmu_tx_t *tx) 521 { 522 struct merge_data *md = arg; 523 uint64_t txg = dmu_tx_get_txg(tx); 524 list_t *list = &md->md_blocks[txg & TXG_MASK]; 525 redact_block_phys_t *furthest_visited = 526 &md->md_furthest[txg & TXG_MASK]; 527 objset_t *mos = tx->tx_pool->dp_meta_objset; 528 redaction_list_t *rl = md->md_redaction_list; 529 int bufsize = redact_sync_bufsize; 530 redact_block_phys_t *buf = kmem_alloc(bufsize * sizeof (*buf), 531 KM_SLEEP); 532 int index = 0; 533 534 dmu_buf_will_dirty(rl->rl_dbuf, tx); 535 536 for (struct redact_block_list_node *rbln = list_remove_head(list); 537 rbln != NULL; rbln = list_remove_head(list)) { 538 ASSERT3U(rbln->block.rbp_object, <=, 539 furthest_visited->rbp_object); 540 ASSERT(rbln->block.rbp_object < furthest_visited->rbp_object || 541 rbln->block.rbp_blkid <= furthest_visited->rbp_blkid); 542 buf[index] = rbln->block; 543 index++; 544 if (index == bufsize) { 545 dmu_write(mos, rl->rl_object, 546 rl->rl_phys->rlp_num_entries * sizeof (*buf), 547 bufsize * sizeof (*buf), buf, tx, 548 DMU_READ_NO_PREFETCH); 549 rl->rl_phys->rlp_num_entries += bufsize; 550 index = 0; 551 } 552 kmem_free(rbln, sizeof (*rbln)); 553 } 554 if (index > 0) { 555 dmu_write(mos, rl->rl_object, rl->rl_phys->rlp_num_entries * 556 sizeof (*buf), index * sizeof (*buf), buf, tx, 557 DMU_READ_NO_PREFETCH); 558 rl->rl_phys->rlp_num_entries += index; 559 } 560 kmem_free(buf, bufsize * sizeof (*buf)); 561 562 md->md_synctask_txg[txg & TXG_MASK] = B_FALSE; 563 rl->rl_phys->rlp_last_object = furthest_visited->rbp_object; 564 rl->rl_phys->rlp_last_blkid = furthest_visited->rbp_blkid; 565 } 566 567 static void 568 commit_rl_updates(objset_t *os, struct merge_data *md, uint64_t object, 569 uint64_t blkid) 570 { 571 dmu_tx_t *tx = dmu_tx_create_dd(spa_get_dsl(os->os_spa)->dp_mos_dir); 572 dmu_tx_hold_space(tx, sizeof (struct redact_block_list_node)); 573 VERIFY0(dmu_tx_assign(tx, DMU_TX_WAIT | DMU_TX_SUSPEND)); 574 uint64_t txg = dmu_tx_get_txg(tx); 575 if (!md->md_synctask_txg[txg & TXG_MASK]) { 576 dsl_sync_task_nowait(dmu_tx_pool(tx), 577 redaction_list_update_sync, md, tx); 578 md->md_synctask_txg[txg & TXG_MASK] = B_TRUE; 579 md->md_latest_synctask_txg = txg; 580 } 581 md->md_furthest[txg & TXG_MASK].rbp_object = object; 582 md->md_furthest[txg & TXG_MASK].rbp_blkid = blkid; 583 list_move_tail(&md->md_blocks[txg & TXG_MASK], 584 &md->md_redact_block_pending); 585 dmu_tx_commit(tx); 586 md->md_last_time = gethrtime(); 587 } 588 589 /* 590 * We want to store the list of blocks that we're redacting in the bookmark's 591 * redaction list. However, this list is stored in the MOS, which means it can 592 * only be written to in syncing context. To get around this, we create a 593 * synctask that will write to the mos for us. We tell it what to write by 594 * a linked list for each current transaction group; every time we decide to 595 * redact a block, we append it to the transaction group that is currently in 596 * open context. We also update some progress information that the synctask 597 * will store to enable resumable redacted sends. 598 */ 599 static void 600 update_redaction_list(struct merge_data *md, objset_t *os, 601 uint64_t object, uint64_t blkid, uint64_t endblkid, uint32_t blksz) 602 { 603 boolean_t enqueue = B_FALSE; 604 redact_block_phys_t cur = {0}; 605 uint64_t count = endblkid - blkid + 1; 606 while (count > REDACT_BLOCK_MAX_COUNT) { 607 update_redaction_list(md, os, object, blkid, 608 blkid + REDACT_BLOCK_MAX_COUNT - 1, blksz); 609 blkid += REDACT_BLOCK_MAX_COUNT; 610 count -= REDACT_BLOCK_MAX_COUNT; 611 } 612 redact_block_phys_t *coalesce = &md->md_coalesce_block; 613 boolean_t new; 614 if (coalesce->rbp_size_count == 0) { 615 new = B_TRUE; 616 enqueue = B_FALSE; 617 } else { 618 uint64_t old_count = redact_block_get_count(coalesce); 619 if (coalesce->rbp_object == object && 620 coalesce->rbp_blkid + old_count == blkid && 621 old_count + count <= REDACT_BLOCK_MAX_COUNT) { 622 ASSERT3U(redact_block_get_size(coalesce), ==, blksz); 623 redact_block_set_count(coalesce, old_count + count); 624 new = B_FALSE; 625 enqueue = B_FALSE; 626 } else { 627 new = B_TRUE; 628 enqueue = B_TRUE; 629 } 630 } 631 632 if (new) { 633 cur = *coalesce; 634 coalesce->rbp_blkid = blkid; 635 coalesce->rbp_object = object; 636 637 redact_block_set_count(coalesce, count); 638 redact_block_set_size(coalesce, blksz); 639 } 640 641 if (enqueue && redact_block_get_size(&cur) != 0) { 642 struct redact_block_list_node *rbln = 643 kmem_alloc(sizeof (struct redact_block_list_node), 644 KM_SLEEP); 645 rbln->block = cur; 646 list_insert_tail(&md->md_redact_block_pending, rbln); 647 } 648 649 if (gethrtime() > md->md_last_time + 650 redaction_list_update_interval_ns) { 651 commit_rl_updates(os, md, object, blkid); 652 } 653 } 654 655 /* 656 * This thread merges all the redaction records provided by the worker threads, 657 * and determines which blocks are redacted by all the snapshots. The algorithm 658 * for doing so is similar to performing a merge in mergesort with n sub-lists 659 * instead of 2, with some added complexity due to the fact that the entries are 660 * ranges, not just single blocks. This algorithm relies on the fact that the 661 * queues are sorted, which is ensured by the fact that traverse_dataset 662 * traverses the dataset in a consistent order. We pull one entry off the front 663 * of the queues of each secure dataset traversal thread. Then we repeat the 664 * following: each record represents a range of blocks modified by one of the 665 * redaction snapshots, and each block in that range may need to be redacted in 666 * the send stream. Find the record with the latest start of its range, and the 667 * record with the earliest end of its range. If the last start is before the 668 * first end, then we know that the blocks in the range [last_start, first_end] 669 * are covered by all of the ranges at the front of the queues, which means 670 * every thread redacts that whole range. For example, let's say the ranges on 671 * each queue look like this: 672 * 673 * Block Id 1 2 3 4 5 6 7 8 9 10 11 674 * Thread 1 | [====================] 675 * Thread 2 | [========] 676 * Thread 3 | [=================] 677 * 678 * Thread 3 has the last start (5), and the thread 2 has the last end (6). All 679 * three threads modified the range [5,6], so that data should not be sent over 680 * the wire. After we've determined whether or not to redact anything, we take 681 * the record with the first end. We discard that record, and pull a new one 682 * off the front of the queue it came from. In the above example, we would 683 * discard Thread 2's record, and pull a new one. Let's say the next record we 684 * pulled from Thread 2 covered range [10,11]. The new layout would look like 685 * this: 686 * 687 * Block Id 1 2 3 4 5 6 7 8 9 10 11 688 * Thread 1 | [====================] 689 * Thread 2 | [==] 690 * Thread 3 | [=================] 691 * 692 * When we compare the last start (10, from Thread 2) and the first end (9, from 693 * Thread 1), we see that the last start is greater than the first end. 694 * Therefore, we do not redact anything from these records. We'll iterate by 695 * replacing the record from Thread 1. 696 * 697 * We iterate by replacing the record with the lowest end because we know 698 * that the record with the lowest end has helped us as much as it can. All the 699 * ranges before it that we will ever redact have been redacted. In addition, 700 * by replacing the one with the lowest end, we guarantee we catch all ranges 701 * that need to be redacted. For example, if in the case above we had replaced 702 * the record from Thread 1 instead, we might have ended up with the following: 703 * 704 * Block Id 1 2 3 4 5 6 7 8 9 10 11 12 705 * Thread 1 | [==] 706 * Thread 2 | [========] 707 * Thread 3 | [=================] 708 * 709 * If the next record from Thread 2 had been [8,10], for example, we should have 710 * redacted part of that range, but because we updated Thread 1's record, we 711 * missed it. 712 * 713 * We implement this algorithm by using two trees. The first sorts the 714 * redaction records by their start_zb, and the second sorts them by their 715 * end_zb. We use these to find the record with the last start and the record 716 * with the first end. We create a record with that start and end, and send it 717 * on. The overall runtime of this implementation is O(n log m), where n is the 718 * total number of redaction records from all the different redaction snapshots, 719 * and m is the number of redaction snapshots. 720 * 721 * If we redact with respect to zero snapshots, we create a redaction 722 * record with the start object and blkid to 0, and the end object and blkid to 723 * UINT64_MAX. This will result in us redacting every block. 724 */ 725 static int 726 perform_thread_merge(bqueue_t *q, uint32_t num_threads, 727 struct redact_thread_arg *thread_args, boolean_t *cancel) 728 { 729 struct redact_node *redact_nodes = NULL; 730 avl_tree_t start_tree, end_tree; 731 struct redact_record *record; 732 struct redact_record *current_record = NULL; 733 int err = 0; 734 struct merge_data md = { {0} }; 735 list_create(&md.md_redact_block_pending, 736 sizeof (struct redact_block_list_node), 737 offsetof(struct redact_block_list_node, node)); 738 739 /* 740 * If we're redacting with respect to zero snapshots, then no data is 741 * permitted to be sent. We enqueue a record that redacts all blocks, 742 * and an eos marker. 743 */ 744 if (num_threads == 0) { 745 record = kmem_zalloc(sizeof (struct redact_record), 746 KM_SLEEP); 747 // We can't redact object 0, so don't try. 748 record->start_object = 1; 749 record->start_blkid = 0; 750 record->end_object = record->end_blkid = UINT64_MAX; 751 bqueue_enqueue(q, record, sizeof (*record)); 752 return (0); 753 } 754 redact_nodes = vmem_zalloc(num_threads * 755 sizeof (*redact_nodes), KM_SLEEP); 756 757 avl_create(&start_tree, redact_node_compare_start, 758 sizeof (struct redact_node), 759 offsetof(struct redact_node, avl_node_start)); 760 avl_create(&end_tree, redact_node_compare_end, 761 sizeof (struct redact_node), 762 offsetof(struct redact_node, avl_node_end)); 763 764 for (int i = 0; i < num_threads; i++) { 765 struct redact_node *node = &redact_nodes[i]; 766 struct redact_thread_arg *targ = &thread_args[i]; 767 node->record = bqueue_dequeue(&targ->q); 768 node->rt_arg = targ; 769 node->thread_num = i; 770 avl_add(&start_tree, node); 771 avl_add(&end_tree, node); 772 } 773 774 /* 775 * Once the first record in the end tree has returned EOS, every record 776 * must be an EOS record, so we should stop. 777 */ 778 while (err == 0 && !((struct redact_node *)avl_first(&end_tree))-> 779 record->eos_marker) { 780 if (*cancel) { 781 err = EINTR; 782 break; 783 } 784 struct redact_node *last_start = avl_last(&start_tree); 785 struct redact_node *first_end = avl_first(&end_tree); 786 787 /* 788 * If the last start record is before the first end record, 789 * then we have blocks that are redacted by all threads. 790 * Therefore, we should redact them. Copy the record, and send 791 * it to the main thread. 792 */ 793 if (redact_record_before(last_start->record, 794 first_end->record)) { 795 record = kmem_zalloc(sizeof (struct redact_record), 796 KM_SLEEP); 797 *record = *first_end->record; 798 record->start_object = last_start->record->start_object; 799 record->start_blkid = last_start->record->start_blkid; 800 record_merge_enqueue(q, ¤t_record, 801 record); 802 } 803 err = update_avl_trees(&start_tree, &end_tree, first_end); 804 } 805 806 /* 807 * We're done; if we were cancelled, we need to cancel our workers and 808 * clear out their queues. Either way, we need to remove every thread's 809 * redact_node struct from the avl trees. 810 */ 811 for (int i = 0; i < num_threads; i++) { 812 if (err != 0) { 813 thread_args[i].cancel = B_TRUE; 814 while (!redact_nodes[i].record->eos_marker) { 815 (void) update_avl_trees(&start_tree, &end_tree, 816 &redact_nodes[i]); 817 } 818 } 819 avl_remove(&start_tree, &redact_nodes[i]); 820 avl_remove(&end_tree, &redact_nodes[i]); 821 kmem_free(redact_nodes[i].record, 822 sizeof (struct redact_record)); 823 bqueue_destroy(&thread_args[i].q); 824 } 825 826 avl_destroy(&start_tree); 827 avl_destroy(&end_tree); 828 vmem_free(redact_nodes, num_threads * sizeof (*redact_nodes)); 829 if (current_record != NULL) 830 bqueue_enqueue(q, current_record, sizeof (*current_record)); 831 return (err); 832 } 833 834 struct redact_merge_thread_arg { 835 bqueue_t q; 836 spa_t *spa; 837 int numsnaps; 838 struct redact_thread_arg *thr_args; 839 boolean_t cancel; 840 int error_code; 841 }; 842 843 static __attribute__((noreturn)) void 844 redact_merge_thread(void *arg) 845 { 846 struct redact_merge_thread_arg *rmta = arg; 847 rmta->error_code = perform_thread_merge(&rmta->q, 848 rmta->numsnaps, rmta->thr_args, &rmta->cancel); 849 struct redact_record *rec = kmem_zalloc(sizeof (*rec), KM_SLEEP); 850 rec->eos_marker = B_TRUE; 851 bqueue_enqueue_flush(&rmta->q, rec, 1); 852 thread_exit(); 853 } 854 855 /* 856 * Find the next object in or after the redaction range passed in, and hold 857 * its dnode with the provided tag. Also update *object to contain the new 858 * object number. 859 */ 860 static int 861 hold_next_object(objset_t *os, struct redact_record *rec, const void *tag, 862 uint64_t *object, dnode_t **dn) 863 { 864 int err = 0; 865 if (*dn != NULL) 866 dnode_rele(*dn, tag); 867 *dn = NULL; 868 if (*object < rec->start_object) { 869 *object = rec->start_object - 1; 870 } 871 err = dmu_object_next(os, object, B_FALSE, 0); 872 if (err != 0) 873 return (err); 874 875 err = dnode_hold(os, *object, tag, dn); 876 while (err == 0 && (*object < rec->start_object || 877 DMU_OT_IS_METADATA((*dn)->dn_type))) { 878 dnode_rele(*dn, tag); 879 *dn = NULL; 880 err = dmu_object_next(os, object, B_FALSE, 0); 881 if (err != 0) 882 break; 883 err = dnode_hold(os, *object, tag, dn); 884 } 885 return (err); 886 } 887 888 static int 889 perform_redaction(objset_t *os, redaction_list_t *rl, 890 struct redact_merge_thread_arg *rmta) 891 { 892 int err = 0; 893 bqueue_t *q = &rmta->q; 894 struct redact_record *rec = NULL; 895 struct merge_data md = { {0} }; 896 897 list_create(&md.md_redact_block_pending, 898 sizeof (struct redact_block_list_node), 899 offsetof(struct redact_block_list_node, node)); 900 md.md_redaction_list = rl; 901 902 for (int i = 0; i < TXG_SIZE; i++) { 903 list_create(&md.md_blocks[i], 904 sizeof (struct redact_block_list_node), 905 offsetof(struct redact_block_list_node, node)); 906 } 907 dnode_t *dn = NULL; 908 uint64_t prev_obj = 0; 909 for (rec = bqueue_dequeue(q); !rec->eos_marker && err == 0; 910 rec = get_next_redact_record(q, rec)) { 911 ASSERT3U(rec->start_object, !=, 0); 912 uint64_t object; 913 if (prev_obj != rec->start_object) { 914 object = rec->start_object - 1; 915 err = hold_next_object(os, rec, FTAG, &object, &dn); 916 } else { 917 object = prev_obj; 918 } 919 while (err == 0 && object <= rec->end_object) { 920 if (issig()) { 921 err = EINTR; 922 break; 923 } 924 /* 925 * Part of the current object is contained somewhere in 926 * the range covered by rec. 927 */ 928 uint64_t startblkid; 929 uint64_t endblkid; 930 uint64_t maxblkid = dn->dn_phys->dn_maxblkid; 931 932 if (rec->start_object < object) 933 startblkid = 0; 934 else if (rec->start_blkid > maxblkid) 935 break; 936 else 937 startblkid = rec->start_blkid; 938 939 if (rec->end_object > object || rec->end_blkid > 940 maxblkid) { 941 endblkid = maxblkid; 942 } else { 943 endblkid = rec->end_blkid; 944 } 945 update_redaction_list(&md, os, object, startblkid, 946 endblkid, dn->dn_datablksz); 947 948 if (object == rec->end_object) 949 break; 950 err = hold_next_object(os, rec, FTAG, &object, &dn); 951 } 952 if (err == ESRCH) 953 err = 0; 954 if (dn != NULL) 955 prev_obj = object; 956 } 957 if (err == 0 && dn != NULL) 958 dnode_rele(dn, FTAG); 959 960 if (err == ESRCH) 961 err = 0; 962 rmta->cancel = B_TRUE; 963 while (!rec->eos_marker) 964 rec = get_next_redact_record(q, rec); 965 kmem_free(rec, sizeof (*rec)); 966 967 /* 968 * There may be a block that's being coalesced, sync that out before we 969 * return. 970 */ 971 if (err == 0 && md.md_coalesce_block.rbp_size_count != 0) { 972 struct redact_block_list_node *rbln = 973 kmem_alloc(sizeof (struct redact_block_list_node), 974 KM_SLEEP); 975 rbln->block = md.md_coalesce_block; 976 list_insert_tail(&md.md_redact_block_pending, rbln); 977 } 978 commit_rl_updates(os, &md, UINT64_MAX, UINT64_MAX); 979 980 /* 981 * Wait for all the redaction info to sync out before we return, so that 982 * anyone who attempts to resume this redaction will have all the data 983 * they need. 984 */ 985 dsl_pool_t *dp = spa_get_dsl(os->os_spa); 986 if (md.md_latest_synctask_txg != 0) 987 txg_wait_synced(dp, md.md_latest_synctask_txg); 988 for (int i = 0; i < TXG_SIZE; i++) 989 list_destroy(&md.md_blocks[i]); 990 return (err); 991 } 992 993 static boolean_t 994 redact_snaps_contains(uint64_t *snaps, uint64_t num_snaps, uint64_t guid) 995 { 996 for (int i = 0; i < num_snaps; i++) { 997 if (snaps[i] == guid) 998 return (B_TRUE); 999 } 1000 return (B_FALSE); 1001 } 1002 1003 int 1004 dmu_redact_snap(const char *snapname, nvlist_t *redactnvl, 1005 const char *redactbook) 1006 { 1007 int err = 0; 1008 dsl_pool_t *dp = NULL; 1009 dsl_dataset_t *ds = NULL; 1010 int numsnaps = 0; 1011 objset_t *os; 1012 struct redact_thread_arg *args = NULL; 1013 redaction_list_t *new_rl = NULL; 1014 char *newredactbook; 1015 1016 if ((err = dsl_pool_hold(snapname, FTAG, &dp)) != 0) 1017 return (err); 1018 1019 newredactbook = kmem_zalloc(sizeof (char) * ZFS_MAX_DATASET_NAME_LEN, 1020 KM_SLEEP); 1021 1022 if ((err = dsl_dataset_hold_flags(dp, snapname, DS_HOLD_FLAG_DECRYPT, 1023 FTAG, &ds)) != 0) { 1024 goto out; 1025 } 1026 dsl_dataset_long_hold(ds, FTAG); 1027 if (!ds->ds_is_snapshot || dmu_objset_from_ds(ds, &os) != 0) { 1028 err = EINVAL; 1029 goto out; 1030 } 1031 if (dsl_dataset_feature_is_active(ds, SPA_FEATURE_REDACTED_DATASETS)) { 1032 err = EALREADY; 1033 goto out; 1034 } 1035 1036 numsnaps = fnvlist_num_pairs(redactnvl); 1037 if (numsnaps > 0) 1038 args = vmem_zalloc(numsnaps * sizeof (*args), KM_SLEEP); 1039 1040 nvpair_t *pair = NULL; 1041 for (int i = 0; i < numsnaps; i++) { 1042 pair = nvlist_next_nvpair(redactnvl, pair); 1043 const char *name = nvpair_name(pair); 1044 struct redact_thread_arg *rta = &args[i]; 1045 err = dsl_dataset_hold_flags(dp, name, DS_HOLD_FLAG_DECRYPT, 1046 FTAG, &rta->ds); 1047 if (err != 0) 1048 break; 1049 /* 1050 * We want to do the long hold before we can get any other 1051 * errors, because the cleanup code will release the long 1052 * hold if rta->ds is filled in. 1053 */ 1054 dsl_dataset_long_hold(rta->ds, FTAG); 1055 1056 err = dmu_objset_from_ds(rta->ds, &rta->os); 1057 if (err != 0) 1058 break; 1059 if (!dsl_dataset_is_before(rta->ds, ds, 0)) { 1060 err = EINVAL; 1061 break; 1062 } 1063 if (dsl_dataset_feature_is_active(rta->ds, 1064 SPA_FEATURE_REDACTED_DATASETS)) { 1065 err = EALREADY; 1066 break; 1067 1068 } 1069 } 1070 if (err != 0) 1071 goto out; 1072 VERIFY0P(nvlist_next_nvpair(redactnvl, pair)); 1073 1074 boolean_t resuming = B_FALSE; 1075 zfs_bookmark_phys_t bookmark; 1076 1077 (void) strlcpy(newredactbook, snapname, ZFS_MAX_DATASET_NAME_LEN); 1078 char *c = strchr(newredactbook, '@'); 1079 ASSERT3P(c, !=, NULL); 1080 int n = snprintf(c, ZFS_MAX_DATASET_NAME_LEN - (c - newredactbook), 1081 "#%s", redactbook); 1082 if (n >= ZFS_MAX_DATASET_NAME_LEN - (c - newredactbook)) { 1083 dsl_pool_rele(dp, FTAG); 1084 kmem_free(newredactbook, 1085 sizeof (char) * ZFS_MAX_DATASET_NAME_LEN); 1086 if (args != NULL) 1087 vmem_free(args, numsnaps * sizeof (*args)); 1088 return (SET_ERROR(ENAMETOOLONG)); 1089 } 1090 err = dsl_bookmark_lookup(dp, newredactbook, NULL, &bookmark); 1091 if (err == 0) { 1092 resuming = B_TRUE; 1093 if (bookmark.zbm_redaction_obj == 0) { 1094 err = EEXIST; 1095 goto out; 1096 } 1097 err = dsl_redaction_list_hold_obj(dp, 1098 bookmark.zbm_redaction_obj, FTAG, &new_rl); 1099 if (err != 0) { 1100 err = EIO; 1101 goto out; 1102 } 1103 dsl_redaction_list_long_hold(dp, new_rl, FTAG); 1104 if (new_rl->rl_phys->rlp_num_snaps != numsnaps) { 1105 err = ESRCH; 1106 goto out; 1107 } 1108 for (int i = 0; i < numsnaps; i++) { 1109 struct redact_thread_arg *rta = &args[i]; 1110 if (!redact_snaps_contains(new_rl->rl_phys->rlp_snaps, 1111 new_rl->rl_phys->rlp_num_snaps, 1112 dsl_dataset_phys(rta->ds)->ds_guid)) { 1113 err = ESRCH; 1114 goto out; 1115 } 1116 } 1117 if (new_rl->rl_phys->rlp_last_blkid == UINT64_MAX && 1118 new_rl->rl_phys->rlp_last_object == UINT64_MAX) { 1119 err = EEXIST; 1120 goto out; 1121 } 1122 dsl_pool_rele(dp, FTAG); 1123 dp = NULL; 1124 } else { 1125 uint64_t *guids = NULL; 1126 if (numsnaps > 0) { 1127 guids = vmem_zalloc(numsnaps * sizeof (uint64_t), 1128 KM_SLEEP); 1129 } 1130 for (int i = 0; i < numsnaps; i++) { 1131 struct redact_thread_arg *rta = &args[i]; 1132 guids[i] = dsl_dataset_phys(rta->ds)->ds_guid; 1133 } 1134 1135 dsl_pool_rele(dp, FTAG); 1136 dp = NULL; 1137 err = dsl_bookmark_create_redacted(newredactbook, snapname, 1138 numsnaps, guids, FTAG, &new_rl); 1139 vmem_free(guids, numsnaps * sizeof (uint64_t)); 1140 if (err != 0) 1141 goto out; 1142 } 1143 1144 for (int i = 0; i < numsnaps; i++) { 1145 struct redact_thread_arg *rta = &args[i]; 1146 (void) bqueue_init(&rta->q, zfs_redact_queue_ff, 1147 zfs_redact_queue_length, 1148 offsetof(struct redact_record, ln)); 1149 if (resuming) { 1150 rta->resume.zb_blkid = 1151 new_rl->rl_phys->rlp_last_blkid; 1152 rta->resume.zb_object = 1153 new_rl->rl_phys->rlp_last_object; 1154 } 1155 rta->txg = dsl_dataset_phys(ds)->ds_creation_txg; 1156 (void) thread_create(NULL, 0, redact_traverse_thread, rta, 1157 0, curproc, TS_RUN, minclsyspri); 1158 } 1159 1160 struct redact_merge_thread_arg *rmta; 1161 rmta = kmem_zalloc(sizeof (struct redact_merge_thread_arg), KM_SLEEP); 1162 1163 (void) bqueue_init(&rmta->q, zfs_redact_queue_ff, 1164 zfs_redact_queue_length, offsetof(struct redact_record, ln)); 1165 rmta->numsnaps = numsnaps; 1166 rmta->spa = os->os_spa; 1167 rmta->thr_args = args; 1168 (void) thread_create(NULL, 0, redact_merge_thread, rmta, 0, curproc, 1169 TS_RUN, minclsyspri); 1170 err = perform_redaction(os, new_rl, rmta); 1171 bqueue_destroy(&rmta->q); 1172 kmem_free(rmta, sizeof (struct redact_merge_thread_arg)); 1173 1174 out: 1175 kmem_free(newredactbook, sizeof (char) * ZFS_MAX_DATASET_NAME_LEN); 1176 1177 if (new_rl != NULL) { 1178 dsl_redaction_list_long_rele(new_rl, FTAG); 1179 dsl_redaction_list_rele(new_rl, FTAG); 1180 } 1181 for (int i = 0; i < numsnaps; i++) { 1182 struct redact_thread_arg *rta = &args[i]; 1183 /* 1184 * rta->ds may be NULL if we got an error while filling 1185 * it in. 1186 */ 1187 if (rta->ds != NULL) { 1188 dsl_dataset_long_rele(rta->ds, FTAG); 1189 dsl_dataset_rele_flags(rta->ds, 1190 DS_HOLD_FLAG_DECRYPT, FTAG); 1191 } 1192 } 1193 1194 if (args != NULL) 1195 vmem_free(args, numsnaps * sizeof (*args)); 1196 if (dp != NULL) 1197 dsl_pool_rele(dp, FTAG); 1198 if (ds != NULL) { 1199 dsl_dataset_long_rele(ds, FTAG); 1200 dsl_dataset_rele_flags(ds, DS_HOLD_FLAG_DECRYPT, FTAG); 1201 } 1202 return (SET_ERROR(err)); 1203 1204 } 1205