xref: /freebsd/sys/contrib/openzfs/module/zfs/spa_errlog.c (revision b197d4b893974c9eb4d7b38704c6d5c486235d6f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or https://opensource.org/licenses/CDDL-1.0.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright (c) 2013, 2014, Delphix. All rights reserved.
24  * Copyright (c) 2019 Datto Inc.
25  * Copyright (c) 2021, 2022, George Amanakis. All rights reserved.
26  */
27 
28 /*
29  * Routines to manage the on-disk persistent error log.
30  *
31  * Each pool stores a log of all logical data errors seen during normal
32  * operation.  This is actually the union of two distinct logs: the last log,
33  * and the current log.  All errors seen are logged to the current log.  When a
34  * scrub completes, the current log becomes the last log, the last log is thrown
35  * out, and the current log is reinitialized.  This way, if an error is somehow
36  * corrected, a new scrub will show that it no longer exists, and will be
37  * deleted from the log when the scrub completes.
38  *
39  * The log is stored using a ZAP object whose key is a string form of the
40  * zbookmark_phys tuple (objset, object, level, blkid), and whose contents is an
41  * optional 'objset:object' human-readable string describing the data.  When an
42  * error is first logged, this string will be empty, indicating that no name is
43  * known.  This prevents us from having to issue a potentially large amount of
44  * I/O to discover the object name during an error path.  Instead, we do the
45  * calculation when the data is requested, storing the result so future queries
46  * will be faster.
47  *
48  * If the head_errlog feature is enabled, a different on-disk format is used.
49  * The error log of each head dataset is stored separately in the zap object
50  * and keyed by the head id. This enables listing every dataset affected in
51  * userland. In order to be able to track whether an error block has been
52  * modified or added to snapshots since it was marked as an error, a new tuple
53  * is introduced: zbookmark_err_phys_t. It allows the storage of the birth
54  * transaction group of an error block on-disk. The birth transaction group is
55  * used by check_filesystem() to assess whether this block was freed,
56  * re-written or added to a snapshot since its marking as an error.
57  *
58  * This log is then shipped into an nvlist where the key is the dataset name and
59  * the value is the object name.  Userland is then responsible for uniquifying
60  * this list and displaying it to the user.
61  */
62 
63 #include <sys/dmu_tx.h>
64 #include <sys/spa.h>
65 #include <sys/spa_impl.h>
66 #include <sys/zap.h>
67 #include <sys/zio.h>
68 #include <sys/dsl_dir.h>
69 #include <sys/dmu_objset.h>
70 #include <sys/dbuf.h>
71 #include <sys/zfs_znode.h>
72 
73 #define	NAME_MAX_LEN 64
74 
75 /*
76  * spa_upgrade_errlog_limit : A zfs module parameter that controls the number
77  *		of on-disk error log entries that will be converted to the new
78  *		format when enabling head_errlog. Defaults to 0 which converts
79  *		all log entries.
80  */
81 static uint32_t spa_upgrade_errlog_limit = 0;
82 
83 /*
84  * Convert a bookmark to a string.
85  */
86 static void
87 bookmark_to_name(zbookmark_phys_t *zb, char *buf, size_t len)
88 {
89 	(void) snprintf(buf, len, "%llx:%llx:%llx:%llx",
90 	    (u_longlong_t)zb->zb_objset, (u_longlong_t)zb->zb_object,
91 	    (u_longlong_t)zb->zb_level, (u_longlong_t)zb->zb_blkid);
92 }
93 
94 /*
95  * Convert an err_phys to a string.
96  */
97 static void
98 errphys_to_name(zbookmark_err_phys_t *zep, char *buf, size_t len)
99 {
100 	(void) snprintf(buf, len, "%llx:%llx:%llx:%llx",
101 	    (u_longlong_t)zep->zb_object, (u_longlong_t)zep->zb_level,
102 	    (u_longlong_t)zep->zb_blkid, (u_longlong_t)zep->zb_birth);
103 }
104 
105 /*
106  * Convert a string to a err_phys.
107  */
108 static void
109 name_to_errphys(char *buf, zbookmark_err_phys_t *zep)
110 {
111 	zep->zb_object = zfs_strtonum(buf, &buf);
112 	ASSERT(*buf == ':');
113 	zep->zb_level = (int)zfs_strtonum(buf + 1, &buf);
114 	ASSERT(*buf == ':');
115 	zep->zb_blkid = zfs_strtonum(buf + 1, &buf);
116 	ASSERT(*buf == ':');
117 	zep->zb_birth = zfs_strtonum(buf + 1, &buf);
118 	ASSERT(*buf == '\0');
119 }
120 
121 /*
122  * Convert a string to a bookmark.
123  */
124 static void
125 name_to_bookmark(char *buf, zbookmark_phys_t *zb)
126 {
127 	zb->zb_objset = zfs_strtonum(buf, &buf);
128 	ASSERT(*buf == ':');
129 	zb->zb_object = zfs_strtonum(buf + 1, &buf);
130 	ASSERT(*buf == ':');
131 	zb->zb_level = (int)zfs_strtonum(buf + 1, &buf);
132 	ASSERT(*buf == ':');
133 	zb->zb_blkid = zfs_strtonum(buf + 1, &buf);
134 	ASSERT(*buf == '\0');
135 }
136 
137 #ifdef _KERNEL
138 static void
139 zep_to_zb(uint64_t dataset, zbookmark_err_phys_t *zep, zbookmark_phys_t *zb)
140 {
141 	zb->zb_objset = dataset;
142 	zb->zb_object = zep->zb_object;
143 	zb->zb_level = zep->zb_level;
144 	zb->zb_blkid = zep->zb_blkid;
145 }
146 #endif
147 
148 static void
149 name_to_object(char *buf, uint64_t *obj)
150 {
151 	*obj = zfs_strtonum(buf, &buf);
152 	ASSERT(*buf == '\0');
153 }
154 
155 static int
156 get_head_and_birth_txg(spa_t *spa, zbookmark_err_phys_t *zep, uint64_t ds_obj,
157     uint64_t *head_dataset_id)
158 {
159 	dsl_pool_t *dp = spa->spa_dsl_pool;
160 	dsl_dataset_t *ds;
161 	objset_t *os;
162 
163 	dsl_pool_config_enter(dp, FTAG);
164 	int error = dsl_dataset_hold_obj(dp, ds_obj, FTAG, &ds);
165 	if (error != 0) {
166 		dsl_pool_config_exit(dp, FTAG);
167 		return (error);
168 	}
169 	ASSERT(head_dataset_id);
170 	*head_dataset_id = dsl_dir_phys(ds->ds_dir)->dd_head_dataset_obj;
171 
172 	error = dmu_objset_from_ds(ds, &os);
173 	if (error != 0) {
174 		dsl_dataset_rele(ds, FTAG);
175 		dsl_pool_config_exit(dp, FTAG);
176 		return (error);
177 	}
178 
179 	/*
180 	 * If the key is not loaded dbuf_dnode_findbp() will error out with
181 	 * EACCES. However in that case dnode_hold() will eventually call
182 	 * dbuf_read()->zio_wait() which may call spa_log_error(). This will
183 	 * lead to a deadlock due to us holding the mutex spa_errlist_lock.
184 	 * Avoid this by checking here if the keys are loaded, if not return.
185 	 * If the keys are not loaded the head_errlog feature is meaningless
186 	 * as we cannot figure out the birth txg of the block pointer.
187 	 */
188 	if (dsl_dataset_get_keystatus(ds->ds_dir) ==
189 	    ZFS_KEYSTATUS_UNAVAILABLE) {
190 		zep->zb_birth = 0;
191 		dsl_dataset_rele(ds, FTAG);
192 		dsl_pool_config_exit(dp, FTAG);
193 		return (0);
194 	}
195 
196 	dnode_t *dn;
197 	blkptr_t bp;
198 
199 	error = dnode_hold(os, zep->zb_object, FTAG, &dn);
200 	if (error != 0) {
201 		dsl_dataset_rele(ds, FTAG);
202 		dsl_pool_config_exit(dp, FTAG);
203 		return (error);
204 	}
205 
206 	rw_enter(&dn->dn_struct_rwlock, RW_READER);
207 	error = dbuf_dnode_findbp(dn, zep->zb_level, zep->zb_blkid, &bp, NULL,
208 	    NULL);
209 	if (error == 0 && BP_IS_HOLE(&bp))
210 		error = SET_ERROR(ENOENT);
211 
212 	/*
213 	 * If the key is loaded but the encrypted filesystem is unmounted when
214 	 * a scrub is run, then dbuf_dnode_findbp() will still error out with
215 	 * EACCES (possibly due to the key mapping being removed upon
216 	 * unmounting). In that case the head_errlog feature is also
217 	 * meaningless as we cannot figure out the birth txg of the block
218 	 * pointer.
219 	 */
220 	if (error == EACCES)
221 		error = 0;
222 	else if (!error)
223 		zep->zb_birth = bp.blk_birth;
224 
225 	rw_exit(&dn->dn_struct_rwlock);
226 	dnode_rele(dn, FTAG);
227 	dsl_dataset_rele(ds, FTAG);
228 	dsl_pool_config_exit(dp, FTAG);
229 	return (error);
230 }
231 
232 /*
233  * Log an uncorrectable error to the persistent error log.  We add it to the
234  * spa's list of pending errors.  The changes are actually synced out to disk
235  * during spa_errlog_sync().
236  */
237 void
238 spa_log_error(spa_t *spa, const zbookmark_phys_t *zb)
239 {
240 	spa_error_entry_t search;
241 	spa_error_entry_t *new;
242 	avl_tree_t *tree;
243 	avl_index_t where;
244 
245 	/*
246 	 * If we are trying to import a pool, ignore any errors, as we won't be
247 	 * writing to the pool any time soon.
248 	 */
249 	if (spa_load_state(spa) == SPA_LOAD_TRYIMPORT)
250 		return;
251 
252 	mutex_enter(&spa->spa_errlist_lock);
253 
254 	/*
255 	 * If we have had a request to rotate the log, log it to the next list
256 	 * instead of the current one.
257 	 */
258 	if (spa->spa_scrub_active || spa->spa_scrub_finished)
259 		tree = &spa->spa_errlist_scrub;
260 	else
261 		tree = &spa->spa_errlist_last;
262 
263 	search.se_bookmark = *zb;
264 	if (avl_find(tree, &search, &where) != NULL) {
265 		mutex_exit(&spa->spa_errlist_lock);
266 		return;
267 	}
268 
269 	new = kmem_zalloc(sizeof (spa_error_entry_t), KM_SLEEP);
270 	new->se_bookmark = *zb;
271 	avl_insert(tree, new, where);
272 
273 	mutex_exit(&spa->spa_errlist_lock);
274 }
275 
276 #ifdef _KERNEL
277 static int
278 find_birth_txg(dsl_dataset_t *ds, zbookmark_err_phys_t *zep,
279     uint64_t *birth_txg)
280 {
281 	objset_t *os;
282 	int error = dmu_objset_from_ds(ds, &os);
283 	if (error != 0)
284 		return (error);
285 
286 	dnode_t *dn;
287 	blkptr_t bp;
288 
289 	error = dnode_hold(os, zep->zb_object, FTAG, &dn);
290 	if (error != 0)
291 		return (error);
292 
293 	rw_enter(&dn->dn_struct_rwlock, RW_READER);
294 	error = dbuf_dnode_findbp(dn, zep->zb_level, zep->zb_blkid, &bp, NULL,
295 	    NULL);
296 	if (error == 0 && BP_IS_HOLE(&bp))
297 		error = SET_ERROR(ENOENT);
298 
299 	*birth_txg = bp.blk_birth;
300 	rw_exit(&dn->dn_struct_rwlock);
301 	dnode_rele(dn, FTAG);
302 	return (error);
303 }
304 
305 /*
306  * This function serves a double role. If only_count is true, it returns
307  * (in *count) how many times an error block belonging to this filesystem is
308  * referenced by snapshots or clones. If only_count is false, each time the
309  * error block is referenced by a snapshot or clone, it fills the userspace
310  * array at uaddr with the bookmarks of the error blocks. The array is filled
311  * from the back and *count is modified to be the number of unused entries at
312  * the beginning of the array.
313  */
314 static int
315 check_filesystem(spa_t *spa, uint64_t head_ds, zbookmark_err_phys_t *zep,
316     uint64_t *count, void *uaddr, boolean_t only_count)
317 {
318 	dsl_dataset_t *ds;
319 	dsl_pool_t *dp = spa->spa_dsl_pool;
320 
321 	int error = dsl_dataset_hold_obj(dp, head_ds, FTAG, &ds);
322 	if (error != 0)
323 		return (error);
324 
325 	uint64_t latest_txg;
326 	uint64_t txg_to_consider = spa->spa_syncing_txg;
327 	boolean_t check_snapshot = B_TRUE;
328 	error = find_birth_txg(ds, zep, &latest_txg);
329 
330 	/*
331 	 * If we cannot figure out the current birth txg of the block pointer
332 	 * error out. If the filesystem is encrypted and the key is not loaded
333 	 * or the encrypted filesystem is not mounted the error will be EACCES.
334 	 * In that case do not return an error.
335 	 */
336 	if (error == EACCES) {
337 		dsl_dataset_rele(ds, FTAG);
338 		return (0);
339 	}
340 	if (error) {
341 		dsl_dataset_rele(ds, FTAG);
342 		return (error);
343 	}
344 	if (zep->zb_birth == latest_txg) {
345 		/* Block neither free nor rewritten. */
346 		if (!only_count) {
347 			zbookmark_phys_t zb;
348 			zep_to_zb(head_ds, zep, &zb);
349 			if (copyout(&zb, (char *)uaddr + (*count - 1)
350 			    * sizeof (zbookmark_phys_t),
351 			    sizeof (zbookmark_phys_t)) != 0) {
352 				dsl_dataset_rele(ds, FTAG);
353 				return (SET_ERROR(EFAULT));
354 			}
355 			(*count)--;
356 		} else {
357 			(*count)++;
358 		}
359 		check_snapshot = B_FALSE;
360 	} else {
361 		ASSERT3U(zep->zb_birth, <, latest_txg);
362 		txg_to_consider = latest_txg;
363 	}
364 
365 	/* How many snapshots reference this block. */
366 	uint64_t snap_count;
367 	error = zap_count(spa->spa_meta_objset,
368 	    dsl_dataset_phys(ds)->ds_snapnames_zapobj, &snap_count);
369 	if (error != 0) {
370 		dsl_dataset_rele(ds, FTAG);
371 		return (error);
372 	}
373 
374 	if (snap_count == 0) {
375 		/* File system has no snapshot. */
376 		dsl_dataset_rele(ds, FTAG);
377 		return (0);
378 	}
379 
380 	uint64_t *snap_obj_array = kmem_alloc(snap_count * sizeof (uint64_t),
381 	    KM_SLEEP);
382 
383 	int aff_snap_count = 0;
384 	uint64_t snap_obj = dsl_dataset_phys(ds)->ds_prev_snap_obj;
385 	uint64_t snap_obj_txg = dsl_dataset_phys(ds)->ds_prev_snap_txg;
386 
387 	/* Check only snapshots created from this file system. */
388 	while (snap_obj != 0 && zep->zb_birth < snap_obj_txg &&
389 	    snap_obj_txg <= txg_to_consider) {
390 
391 		dsl_dataset_rele(ds, FTAG);
392 		error = dsl_dataset_hold_obj(dp, snap_obj, FTAG, &ds);
393 		if (error != 0)
394 			goto out;
395 
396 		if (dsl_dir_phys(ds->ds_dir)->dd_head_dataset_obj != head_ds)
397 			break;
398 
399 		boolean_t affected = B_TRUE;
400 		if (check_snapshot) {
401 			uint64_t blk_txg;
402 			error = find_birth_txg(ds, zep, &blk_txg);
403 			affected = (error == 0 && zep->zb_birth == blk_txg);
404 		}
405 
406 		if (affected) {
407 			snap_obj_array[aff_snap_count] = snap_obj;
408 			aff_snap_count++;
409 
410 			if (!only_count) {
411 				zbookmark_phys_t zb;
412 				zep_to_zb(snap_obj, zep, &zb);
413 				if (copyout(&zb, (char *)uaddr + (*count - 1) *
414 				    sizeof (zbookmark_phys_t),
415 				    sizeof (zbookmark_phys_t)) != 0) {
416 					dsl_dataset_rele(ds, FTAG);
417 					error = SET_ERROR(EFAULT);
418 					goto out;
419 				}
420 				(*count)--;
421 			} else {
422 				(*count)++;
423 			}
424 
425 			/*
426 			 * Only clones whose origins were affected could also
427 			 * have affected snapshots.
428 			 */
429 			zap_cursor_t zc;
430 			zap_attribute_t za;
431 			for (zap_cursor_init(&zc, spa->spa_meta_objset,
432 			    dsl_dataset_phys(ds)->ds_next_clones_obj);
433 			    zap_cursor_retrieve(&zc, &za) == 0;
434 			    zap_cursor_advance(&zc)) {
435 				error = check_filesystem(spa,
436 				    za.za_first_integer, zep,
437 				    count, uaddr, only_count);
438 
439 				if (error != 0) {
440 					zap_cursor_fini(&zc);
441 					goto out;
442 				}
443 			}
444 			zap_cursor_fini(&zc);
445 		}
446 		snap_obj_txg = dsl_dataset_phys(ds)->ds_prev_snap_txg;
447 		snap_obj = dsl_dataset_phys(ds)->ds_prev_snap_obj;
448 	}
449 	dsl_dataset_rele(ds, FTAG);
450 
451 out:
452 	kmem_free(snap_obj_array, sizeof (*snap_obj_array));
453 	return (error);
454 }
455 
456 static int
457 find_top_affected_fs(spa_t *spa, uint64_t head_ds, zbookmark_err_phys_t *zep,
458     uint64_t *top_affected_fs)
459 {
460 	uint64_t oldest_dsobj;
461 	int error = dsl_dataset_oldest_snapshot(spa, head_ds, zep->zb_birth,
462 	    &oldest_dsobj);
463 	if (error != 0)
464 		return (error);
465 
466 	dsl_dataset_t *ds;
467 	error = dsl_dataset_hold_obj(spa->spa_dsl_pool, oldest_dsobj,
468 	    FTAG, &ds);
469 	if (error != 0)
470 		return (error);
471 
472 	*top_affected_fs =
473 	    dsl_dir_phys(ds->ds_dir)->dd_head_dataset_obj;
474 	dsl_dataset_rele(ds, FTAG);
475 	return (0);
476 }
477 
478 static int
479 process_error_block(spa_t *spa, uint64_t head_ds, zbookmark_err_phys_t *zep,
480     uint64_t *count, void *uaddr, boolean_t only_count)
481 {
482 	dsl_pool_t *dp = spa->spa_dsl_pool;
483 	uint64_t top_affected_fs;
484 
485 	/*
486 	 * If the zb_birth is 0 it means we failed to retrieve the birth txg
487 	 * of the block pointer. This happens when an encrypted filesystem is
488 	 * not mounted or when the key is not loaded. Do not proceed to
489 	 * check_filesystem(), instead do the accounting here.
490 	 */
491 	if (zep->zb_birth == 0) {
492 		if (!only_count) {
493 			zbookmark_phys_t zb;
494 			zep_to_zb(head_ds, zep, &zb);
495 			if (copyout(&zb, (char *)uaddr + (*count - 1)
496 			    * sizeof (zbookmark_phys_t),
497 			    sizeof (zbookmark_phys_t)) != 0) {
498 				return (SET_ERROR(EFAULT));
499 			}
500 			(*count)--;
501 		} else {
502 			(*count)++;
503 		}
504 		return (0);
505 	}
506 
507 	dsl_pool_config_enter(dp, FTAG);
508 	int error = find_top_affected_fs(spa, head_ds, zep, &top_affected_fs);
509 	if (error == 0)
510 		error = check_filesystem(spa, top_affected_fs, zep, count,
511 		    uaddr, only_count);
512 
513 	dsl_pool_config_exit(dp, FTAG);
514 	return (error);
515 }
516 
517 static uint64_t
518 get_errlog_size(spa_t *spa, uint64_t spa_err_obj)
519 {
520 	if (spa_err_obj == 0)
521 		return (0);
522 	uint64_t total = 0;
523 
524 	zap_cursor_t zc;
525 	zap_attribute_t za;
526 	for (zap_cursor_init(&zc, spa->spa_meta_objset, spa_err_obj);
527 	    zap_cursor_retrieve(&zc, &za) == 0; zap_cursor_advance(&zc)) {
528 
529 		zap_cursor_t head_ds_cursor;
530 		zap_attribute_t head_ds_attr;
531 		zbookmark_err_phys_t head_ds_block;
532 
533 		uint64_t head_ds;
534 		name_to_object(za.za_name, &head_ds);
535 
536 		for (zap_cursor_init(&head_ds_cursor, spa->spa_meta_objset,
537 		    za.za_first_integer); zap_cursor_retrieve(&head_ds_cursor,
538 		    &head_ds_attr) == 0; zap_cursor_advance(&head_ds_cursor)) {
539 
540 			name_to_errphys(head_ds_attr.za_name, &head_ds_block);
541 			(void) process_error_block(spa, head_ds, &head_ds_block,
542 			    &total, NULL, B_TRUE);
543 		}
544 		zap_cursor_fini(&head_ds_cursor);
545 	}
546 	zap_cursor_fini(&zc);
547 	return (total);
548 }
549 
550 static uint64_t
551 get_errlist_size(spa_t *spa, avl_tree_t *tree)
552 {
553 	if (avl_numnodes(tree) == 0)
554 		return (0);
555 	uint64_t total = 0;
556 
557 	spa_error_entry_t *se;
558 	for (se = avl_first(tree); se != NULL; se = AVL_NEXT(tree, se)) {
559 		zbookmark_err_phys_t zep;
560 		zep.zb_object = se->se_bookmark.zb_object;
561 		zep.zb_level = se->se_bookmark.zb_level;
562 		zep.zb_blkid = se->se_bookmark.zb_blkid;
563 		zep.zb_birth = 0;
564 
565 		/*
566 		 * If we cannot find out the head dataset and birth txg of
567 		 * the present error block, we opt not to error out. In the
568 		 * next pool sync this information will be retrieved by
569 		 * sync_error_list() and written to the on-disk error log.
570 		 */
571 		uint64_t head_ds_obj;
572 		int error = get_head_and_birth_txg(spa, &zep,
573 		    se->se_bookmark.zb_objset, &head_ds_obj);
574 
575 		if (!error)
576 			(void) process_error_block(spa, head_ds_obj, &zep,
577 			    &total, NULL, B_TRUE);
578 	}
579 	return (total);
580 }
581 #endif
582 
583 /*
584  * If a healed bookmark matches an entry in the error log we stash it in a tree
585  * so that we can later remove the related log entries in sync context.
586  */
587 static void
588 spa_add_healed_error(spa_t *spa, uint64_t obj, zbookmark_phys_t *healed_zb)
589 {
590 	char name[NAME_MAX_LEN];
591 
592 	if (obj == 0)
593 		return;
594 
595 	bookmark_to_name(healed_zb, name, sizeof (name));
596 	mutex_enter(&spa->spa_errlog_lock);
597 	if (zap_contains(spa->spa_meta_objset, obj, name) == 0) {
598 		/*
599 		 * Found an error matching healed zb, add zb to our
600 		 * tree of healed errors
601 		 */
602 		avl_tree_t *tree = &spa->spa_errlist_healed;
603 		spa_error_entry_t search;
604 		spa_error_entry_t *new;
605 		avl_index_t where;
606 		search.se_bookmark = *healed_zb;
607 		mutex_enter(&spa->spa_errlist_lock);
608 		if (avl_find(tree, &search, &where) != NULL) {
609 			mutex_exit(&spa->spa_errlist_lock);
610 			mutex_exit(&spa->spa_errlog_lock);
611 			return;
612 		}
613 		new = kmem_zalloc(sizeof (spa_error_entry_t), KM_SLEEP);
614 		new->se_bookmark = *healed_zb;
615 		avl_insert(tree, new, where);
616 		mutex_exit(&spa->spa_errlist_lock);
617 	}
618 	mutex_exit(&spa->spa_errlog_lock);
619 }
620 
621 /*
622  * If this error exists in the given tree remove it.
623  */
624 static void
625 remove_error_from_list(spa_t *spa, avl_tree_t *t, const zbookmark_phys_t *zb)
626 {
627 	spa_error_entry_t search, *found;
628 	avl_index_t where;
629 
630 	mutex_enter(&spa->spa_errlist_lock);
631 	search.se_bookmark = *zb;
632 	if ((found = avl_find(t, &search, &where)) != NULL) {
633 		avl_remove(t, found);
634 		kmem_free(found, sizeof (spa_error_entry_t));
635 	}
636 	mutex_exit(&spa->spa_errlist_lock);
637 }
638 
639 
640 /*
641  * Removes all of the recv healed errors from both on-disk error logs
642  */
643 static void
644 spa_remove_healed_errors(spa_t *spa, avl_tree_t *s, avl_tree_t *l, dmu_tx_t *tx)
645 {
646 	char name[NAME_MAX_LEN];
647 	spa_error_entry_t *se;
648 	void *cookie = NULL;
649 
650 	ASSERT(MUTEX_HELD(&spa->spa_errlog_lock));
651 
652 	while ((se = avl_destroy_nodes(&spa->spa_errlist_healed,
653 	    &cookie)) != NULL) {
654 		remove_error_from_list(spa, s, &se->se_bookmark);
655 		remove_error_from_list(spa, l, &se->se_bookmark);
656 		bookmark_to_name(&se->se_bookmark, name, sizeof (name));
657 		kmem_free(se, sizeof (spa_error_entry_t));
658 		(void) zap_remove(spa->spa_meta_objset,
659 		    spa->spa_errlog_last, name, tx);
660 		(void) zap_remove(spa->spa_meta_objset,
661 		    spa->spa_errlog_scrub, name, tx);
662 	}
663 }
664 
665 /*
666  * Stash away healed bookmarks to remove them from the on-disk error logs
667  * later in spa_remove_healed_errors().
668  */
669 void
670 spa_remove_error(spa_t *spa, zbookmark_phys_t *zb)
671 {
672 	char name[NAME_MAX_LEN];
673 
674 	bookmark_to_name(zb, name, sizeof (name));
675 
676 	spa_add_healed_error(spa, spa->spa_errlog_last, zb);
677 	spa_add_healed_error(spa, spa->spa_errlog_scrub, zb);
678 }
679 
680 /*
681  * Return the number of errors currently in the error log.  This is actually the
682  * sum of both the last log and the current log, since we don't know the union
683  * of these logs until we reach userland.
684  */
685 uint64_t
686 spa_get_errlog_size(spa_t *spa)
687 {
688 	uint64_t total = 0;
689 
690 	if (!spa_feature_is_enabled(spa, SPA_FEATURE_HEAD_ERRLOG)) {
691 		mutex_enter(&spa->spa_errlog_lock);
692 		uint64_t count;
693 		if (spa->spa_errlog_scrub != 0 &&
694 		    zap_count(spa->spa_meta_objset, spa->spa_errlog_scrub,
695 		    &count) == 0)
696 			total += count;
697 
698 		if (spa->spa_errlog_last != 0 && !spa->spa_scrub_finished &&
699 		    zap_count(spa->spa_meta_objset, spa->spa_errlog_last,
700 		    &count) == 0)
701 			total += count;
702 		mutex_exit(&spa->spa_errlog_lock);
703 
704 		mutex_enter(&spa->spa_errlist_lock);
705 		total += avl_numnodes(&spa->spa_errlist_last);
706 		total += avl_numnodes(&spa->spa_errlist_scrub);
707 		mutex_exit(&spa->spa_errlist_lock);
708 	} else {
709 #ifdef _KERNEL
710 		mutex_enter(&spa->spa_errlog_lock);
711 		total += get_errlog_size(spa, spa->spa_errlog_last);
712 		total += get_errlog_size(spa, spa->spa_errlog_scrub);
713 		mutex_exit(&spa->spa_errlog_lock);
714 
715 		mutex_enter(&spa->spa_errlist_lock);
716 		total += get_errlist_size(spa, &spa->spa_errlist_last);
717 		total += get_errlist_size(spa, &spa->spa_errlist_scrub);
718 		mutex_exit(&spa->spa_errlist_lock);
719 #endif
720 	}
721 	return (total);
722 }
723 
724 /*
725  * This function sweeps through an on-disk error log and stores all bookmarks
726  * as error bookmarks in a new ZAP object. At the end we discard the old one,
727  * and spa_update_errlog() will set the spa's on-disk error log to new ZAP
728  * object.
729  */
730 static void
731 sync_upgrade_errlog(spa_t *spa, uint64_t spa_err_obj, uint64_t *newobj,
732     dmu_tx_t *tx)
733 {
734 	zap_cursor_t zc;
735 	zap_attribute_t za;
736 	zbookmark_phys_t zb;
737 	uint64_t count;
738 
739 	*newobj = zap_create(spa->spa_meta_objset, DMU_OT_ERROR_LOG,
740 	    DMU_OT_NONE, 0, tx);
741 
742 	/*
743 	 * If we cannnot perform the upgrade we should clear the old on-disk
744 	 * error logs.
745 	 */
746 	if (zap_count(spa->spa_meta_objset, spa_err_obj, &count) != 0) {
747 		VERIFY0(dmu_object_free(spa->spa_meta_objset, spa_err_obj, tx));
748 		return;
749 	}
750 
751 	for (zap_cursor_init(&zc, spa->spa_meta_objset, spa_err_obj);
752 	    zap_cursor_retrieve(&zc, &za) == 0;
753 	    zap_cursor_advance(&zc)) {
754 		if (spa_upgrade_errlog_limit != 0 &&
755 		    zc.zc_cd == spa_upgrade_errlog_limit)
756 			break;
757 
758 		name_to_bookmark(za.za_name, &zb);
759 
760 		zbookmark_err_phys_t zep;
761 		zep.zb_object = zb.zb_object;
762 		zep.zb_level = zb.zb_level;
763 		zep.zb_blkid = zb.zb_blkid;
764 		zep.zb_birth = 0;
765 
766 		/*
767 		 * We cannot use get_head_and_birth_txg() because it will
768 		 * acquire the pool config lock, which we already have. In case
769 		 * of an error we simply continue.
770 		 */
771 		uint64_t head_dataset_obj;
772 		dsl_pool_t *dp = spa->spa_dsl_pool;
773 		dsl_dataset_t *ds;
774 		objset_t *os;
775 
776 		int error = dsl_dataset_hold_obj(dp, zb.zb_objset, FTAG, &ds);
777 		if (error != 0)
778 			continue;
779 
780 		head_dataset_obj =
781 		    dsl_dir_phys(ds->ds_dir)->dd_head_dataset_obj;
782 
783 		/*
784 		 * The objset and the dnode are required for getting the block
785 		 * pointer, which is used to determine if BP_IS_HOLE(). If
786 		 * getting the objset or the dnode fails, do not create a
787 		 * zap entry (presuming we know the dataset) as this may create
788 		 * spurious errors that we cannot ever resolve. If an error is
789 		 * truly persistent, it should re-appear after a scan.
790 		 */
791 		if (dmu_objset_from_ds(ds, &os) != 0) {
792 			dsl_dataset_rele(ds, FTAG);
793 			continue;
794 		}
795 
796 		dnode_t *dn;
797 		blkptr_t bp;
798 
799 		if (dnode_hold(os, zep.zb_object, FTAG, &dn) != 0) {
800 			dsl_dataset_rele(ds, FTAG);
801 			continue;
802 		}
803 
804 		rw_enter(&dn->dn_struct_rwlock, RW_READER);
805 		error = dbuf_dnode_findbp(dn, zep.zb_level, zep.zb_blkid, &bp,
806 		    NULL, NULL);
807 		if (error == EACCES)
808 			error = 0;
809 		else if (!error)
810 			zep.zb_birth = bp.blk_birth;
811 
812 		rw_exit(&dn->dn_struct_rwlock);
813 		dnode_rele(dn, FTAG);
814 		dsl_dataset_rele(ds, FTAG);
815 
816 		if (error != 0 || BP_IS_HOLE(&bp))
817 			continue;
818 
819 		uint64_t err_obj;
820 		error = zap_lookup_int_key(spa->spa_meta_objset, *newobj,
821 		    head_dataset_obj, &err_obj);
822 
823 		if (error == ENOENT) {
824 			err_obj = zap_create(spa->spa_meta_objset,
825 			    DMU_OT_ERROR_LOG, DMU_OT_NONE, 0, tx);
826 
827 			(void) zap_update_int_key(spa->spa_meta_objset,
828 			    *newobj, head_dataset_obj, err_obj, tx);
829 		}
830 
831 		char buf[64];
832 		errphys_to_name(&zep, buf, sizeof (buf));
833 
834 		const char *name = "";
835 		(void) zap_update(spa->spa_meta_objset, err_obj,
836 		    buf, 1, strlen(name) + 1, name, tx);
837 	}
838 	zap_cursor_fini(&zc);
839 
840 	VERIFY0(dmu_object_free(spa->spa_meta_objset, spa_err_obj, tx));
841 }
842 
843 void
844 spa_upgrade_errlog(spa_t *spa, dmu_tx_t *tx)
845 {
846 	uint64_t newobj = 0;
847 
848 	mutex_enter(&spa->spa_errlog_lock);
849 	if (spa->spa_errlog_last != 0) {
850 		sync_upgrade_errlog(spa, spa->spa_errlog_last, &newobj, tx);
851 		spa->spa_errlog_last = newobj;
852 	}
853 
854 	if (spa->spa_errlog_scrub != 0) {
855 		sync_upgrade_errlog(spa, spa->spa_errlog_scrub, &newobj, tx);
856 		spa->spa_errlog_scrub = newobj;
857 	}
858 	mutex_exit(&spa->spa_errlog_lock);
859 }
860 
861 #ifdef _KERNEL
862 /*
863  * If an error block is shared by two datasets it will be counted twice. For
864  * detailed message see spa_get_errlog_size() above.
865  */
866 static int
867 process_error_log(spa_t *spa, uint64_t obj, void *uaddr, uint64_t *count)
868 {
869 	zap_cursor_t zc;
870 	zap_attribute_t za;
871 
872 	if (obj == 0)
873 		return (0);
874 
875 	if (!spa_feature_is_enabled(spa, SPA_FEATURE_HEAD_ERRLOG)) {
876 		for (zap_cursor_init(&zc, spa->spa_meta_objset, obj);
877 		    zap_cursor_retrieve(&zc, &za) == 0;
878 		    zap_cursor_advance(&zc)) {
879 			if (*count == 0) {
880 				zap_cursor_fini(&zc);
881 				return (SET_ERROR(ENOMEM));
882 			}
883 
884 			zbookmark_phys_t zb;
885 			name_to_bookmark(za.za_name, &zb);
886 
887 			if (copyout(&zb, (char *)uaddr +
888 			    (*count - 1) * sizeof (zbookmark_phys_t),
889 			    sizeof (zbookmark_phys_t)) != 0) {
890 				zap_cursor_fini(&zc);
891 				return (SET_ERROR(EFAULT));
892 			}
893 			*count -= 1;
894 
895 		}
896 		zap_cursor_fini(&zc);
897 		return (0);
898 	}
899 
900 	for (zap_cursor_init(&zc, spa->spa_meta_objset, obj);
901 	    zap_cursor_retrieve(&zc, &za) == 0;
902 	    zap_cursor_advance(&zc)) {
903 
904 		zap_cursor_t head_ds_cursor;
905 		zap_attribute_t head_ds_attr;
906 
907 		uint64_t head_ds_err_obj = za.za_first_integer;
908 		uint64_t head_ds;
909 		name_to_object(za.za_name, &head_ds);
910 		for (zap_cursor_init(&head_ds_cursor, spa->spa_meta_objset,
911 		    head_ds_err_obj); zap_cursor_retrieve(&head_ds_cursor,
912 		    &head_ds_attr) == 0; zap_cursor_advance(&head_ds_cursor)) {
913 
914 			zbookmark_err_phys_t head_ds_block;
915 			name_to_errphys(head_ds_attr.za_name, &head_ds_block);
916 			int error = process_error_block(spa, head_ds,
917 			    &head_ds_block, count, uaddr, B_FALSE);
918 
919 			if (error != 0) {
920 				zap_cursor_fini(&head_ds_cursor);
921 				zap_cursor_fini(&zc);
922 				return (error);
923 			}
924 		}
925 		zap_cursor_fini(&head_ds_cursor);
926 	}
927 	zap_cursor_fini(&zc);
928 	return (0);
929 }
930 
931 static int
932 process_error_list(spa_t *spa, avl_tree_t *list, void *uaddr, uint64_t *count)
933 {
934 	spa_error_entry_t *se;
935 
936 	if (!spa_feature_is_enabled(spa, SPA_FEATURE_HEAD_ERRLOG)) {
937 		for (se = avl_first(list); se != NULL;
938 		    se = AVL_NEXT(list, se)) {
939 
940 			if (*count == 0)
941 				return (SET_ERROR(ENOMEM));
942 
943 			if (copyout(&se->se_bookmark, (char *)uaddr +
944 			    (*count - 1) * sizeof (zbookmark_phys_t),
945 			    sizeof (zbookmark_phys_t)) != 0)
946 				return (SET_ERROR(EFAULT));
947 
948 			*count -= 1;
949 		}
950 		return (0);
951 	}
952 
953 	for (se = avl_first(list); se != NULL; se = AVL_NEXT(list, se)) {
954 		zbookmark_err_phys_t zep;
955 		zep.zb_object = se->se_bookmark.zb_object;
956 		zep.zb_level = se->se_bookmark.zb_level;
957 		zep.zb_blkid = se->se_bookmark.zb_blkid;
958 		zep.zb_birth = 0;
959 
960 		uint64_t head_ds_obj;
961 		int error = get_head_and_birth_txg(spa, &zep,
962 		    se->se_bookmark.zb_objset, &head_ds_obj);
963 
964 		if (!error)
965 			error = process_error_block(spa, head_ds_obj, &zep,
966 			    count, uaddr, B_FALSE);
967 		if (error)
968 			return (error);
969 	}
970 	return (0);
971 }
972 #endif
973 
974 /*
975  * Copy all known errors to userland as an array of bookmarks.  This is
976  * actually a union of the on-disk last log and current log, as well as any
977  * pending error requests.
978  *
979  * Because the act of reading the on-disk log could cause errors to be
980  * generated, we have two separate locks: one for the error log and one for the
981  * in-core error lists.  We only need the error list lock to log and error, so
982  * we grab the error log lock while we read the on-disk logs, and only pick up
983  * the error list lock when we are finished.
984  */
985 int
986 spa_get_errlog(spa_t *spa, void *uaddr, uint64_t *count)
987 {
988 	int ret = 0;
989 
990 #ifdef _KERNEL
991 	mutex_enter(&spa->spa_errlog_lock);
992 
993 	ret = process_error_log(spa, spa->spa_errlog_scrub, uaddr, count);
994 
995 	if (!ret && !spa->spa_scrub_finished)
996 		ret = process_error_log(spa, spa->spa_errlog_last, uaddr,
997 		    count);
998 
999 	mutex_enter(&spa->spa_errlist_lock);
1000 	if (!ret)
1001 		ret = process_error_list(spa, &spa->spa_errlist_scrub, uaddr,
1002 		    count);
1003 	if (!ret)
1004 		ret = process_error_list(spa, &spa->spa_errlist_last, uaddr,
1005 		    count);
1006 	mutex_exit(&spa->spa_errlist_lock);
1007 
1008 	mutex_exit(&spa->spa_errlog_lock);
1009 #else
1010 	(void) spa, (void) uaddr, (void) count;
1011 #endif
1012 
1013 	return (ret);
1014 }
1015 
1016 /*
1017  * Called when a scrub completes.  This simply set a bit which tells which AVL
1018  * tree to add new errors.  spa_errlog_sync() is responsible for actually
1019  * syncing the changes to the underlying objects.
1020  */
1021 void
1022 spa_errlog_rotate(spa_t *spa)
1023 {
1024 	mutex_enter(&spa->spa_errlist_lock);
1025 	spa->spa_scrub_finished = B_TRUE;
1026 	mutex_exit(&spa->spa_errlist_lock);
1027 }
1028 
1029 /*
1030  * Discard any pending errors from the spa_t.  Called when unloading a faulted
1031  * pool, as the errors encountered during the open cannot be synced to disk.
1032  */
1033 void
1034 spa_errlog_drain(spa_t *spa)
1035 {
1036 	spa_error_entry_t *se;
1037 	void *cookie;
1038 
1039 	mutex_enter(&spa->spa_errlist_lock);
1040 
1041 	cookie = NULL;
1042 	while ((se = avl_destroy_nodes(&spa->spa_errlist_last,
1043 	    &cookie)) != NULL)
1044 		kmem_free(se, sizeof (spa_error_entry_t));
1045 	cookie = NULL;
1046 	while ((se = avl_destroy_nodes(&spa->spa_errlist_scrub,
1047 	    &cookie)) != NULL)
1048 		kmem_free(se, sizeof (spa_error_entry_t));
1049 
1050 	mutex_exit(&spa->spa_errlist_lock);
1051 }
1052 
1053 /*
1054  * Process a list of errors into the current on-disk log.
1055  */
1056 void
1057 sync_error_list(spa_t *spa, avl_tree_t *t, uint64_t *obj, dmu_tx_t *tx)
1058 {
1059 	spa_error_entry_t *se;
1060 	char buf[NAME_MAX_LEN];
1061 	void *cookie;
1062 
1063 	if (avl_numnodes(t) == 0)
1064 		return;
1065 
1066 	/* create log if necessary */
1067 	if (*obj == 0)
1068 		*obj = zap_create(spa->spa_meta_objset, DMU_OT_ERROR_LOG,
1069 		    DMU_OT_NONE, 0, tx);
1070 
1071 	/* add errors to the current log */
1072 	if (!spa_feature_is_enabled(spa, SPA_FEATURE_HEAD_ERRLOG)) {
1073 		for (se = avl_first(t); se != NULL; se = AVL_NEXT(t, se)) {
1074 			bookmark_to_name(&se->se_bookmark, buf, sizeof (buf));
1075 
1076 			const char *name = se->se_name ? se->se_name : "";
1077 			(void) zap_update(spa->spa_meta_objset, *obj, buf, 1,
1078 			    strlen(name) + 1, name, tx);
1079 		}
1080 	} else {
1081 		for (se = avl_first(t); se != NULL; se = AVL_NEXT(t, se)) {
1082 			zbookmark_err_phys_t zep;
1083 			zep.zb_object = se->se_bookmark.zb_object;
1084 			zep.zb_level = se->se_bookmark.zb_level;
1085 			zep.zb_blkid = se->se_bookmark.zb_blkid;
1086 			zep.zb_birth = 0;
1087 
1088 			/*
1089 			 * If we cannot find out the head dataset and birth txg
1090 			 * of the present error block, we simply continue.
1091 			 * Reinserting that error block to the error lists,
1092 			 * even if we are not syncing the final txg, results
1093 			 * in duplicate posting of errors.
1094 			 */
1095 			uint64_t head_dataset_obj;
1096 			int error = get_head_and_birth_txg(spa, &zep,
1097 			    se->se_bookmark.zb_objset, &head_dataset_obj);
1098 			if (error)
1099 				continue;
1100 
1101 			uint64_t err_obj;
1102 			error = zap_lookup_int_key(spa->spa_meta_objset,
1103 			    *obj, head_dataset_obj, &err_obj);
1104 
1105 			if (error == ENOENT) {
1106 				err_obj = zap_create(spa->spa_meta_objset,
1107 				    DMU_OT_ERROR_LOG, DMU_OT_NONE, 0, tx);
1108 
1109 				(void) zap_update_int_key(spa->spa_meta_objset,
1110 				    *obj, head_dataset_obj, err_obj, tx);
1111 			}
1112 			errphys_to_name(&zep, buf, sizeof (buf));
1113 
1114 			const char *name = se->se_name ? se->se_name : "";
1115 			(void) zap_update(spa->spa_meta_objset,
1116 			    err_obj, buf, 1, strlen(name) + 1, name, tx);
1117 		}
1118 	}
1119 	/* purge the error list */
1120 	cookie = NULL;
1121 	while ((se = avl_destroy_nodes(t, &cookie)) != NULL)
1122 		kmem_free(se, sizeof (spa_error_entry_t));
1123 }
1124 
1125 static void
1126 delete_errlog(spa_t *spa, uint64_t spa_err_obj, dmu_tx_t *tx)
1127 {
1128 	if (spa_feature_is_enabled(spa, SPA_FEATURE_HEAD_ERRLOG)) {
1129 		zap_cursor_t zc;
1130 		zap_attribute_t za;
1131 		for (zap_cursor_init(&zc, spa->spa_meta_objset, spa_err_obj);
1132 		    zap_cursor_retrieve(&zc, &za) == 0;
1133 		    zap_cursor_advance(&zc)) {
1134 			VERIFY0(dmu_object_free(spa->spa_meta_objset,
1135 			    za.za_first_integer, tx));
1136 		}
1137 		zap_cursor_fini(&zc);
1138 	}
1139 	VERIFY0(dmu_object_free(spa->spa_meta_objset, spa_err_obj, tx));
1140 }
1141 
1142 /*
1143  * Sync the error log out to disk.  This is a little tricky because the act of
1144  * writing the error log requires the spa_errlist_lock.  So, we need to lock the
1145  * error lists, take a copy of the lists, and then reinitialize them.  Then, we
1146  * drop the error list lock and take the error log lock, at which point we
1147  * do the errlog processing.  Then, if we encounter an I/O error during this
1148  * process, we can successfully add the error to the list.  Note that this will
1149  * result in the perpetual recycling of errors, but it is an unlikely situation
1150  * and not a performance critical operation.
1151  */
1152 void
1153 spa_errlog_sync(spa_t *spa, uint64_t txg)
1154 {
1155 	dmu_tx_t *tx;
1156 	avl_tree_t scrub, last;
1157 	int scrub_finished;
1158 
1159 	mutex_enter(&spa->spa_errlist_lock);
1160 
1161 	/*
1162 	 * Bail out early under normal circumstances.
1163 	 */
1164 	if (avl_numnodes(&spa->spa_errlist_scrub) == 0 &&
1165 	    avl_numnodes(&spa->spa_errlist_last) == 0 &&
1166 	    avl_numnodes(&spa->spa_errlist_healed) == 0 &&
1167 	    !spa->spa_scrub_finished) {
1168 		mutex_exit(&spa->spa_errlist_lock);
1169 		return;
1170 	}
1171 
1172 	spa_get_errlists(spa, &last, &scrub);
1173 	scrub_finished = spa->spa_scrub_finished;
1174 	spa->spa_scrub_finished = B_FALSE;
1175 
1176 	mutex_exit(&spa->spa_errlist_lock);
1177 	mutex_enter(&spa->spa_errlog_lock);
1178 
1179 	tx = dmu_tx_create_assigned(spa->spa_dsl_pool, txg);
1180 
1181 	/*
1182 	 * Remove healed errors from errors.
1183 	 */
1184 	spa_remove_healed_errors(spa, &last, &scrub, tx);
1185 
1186 	/*
1187 	 * Sync out the current list of errors.
1188 	 */
1189 	sync_error_list(spa, &last, &spa->spa_errlog_last, tx);
1190 
1191 	/*
1192 	 * Rotate the log if necessary.
1193 	 */
1194 	if (scrub_finished) {
1195 		if (spa->spa_errlog_last != 0)
1196 			delete_errlog(spa, spa->spa_errlog_last, tx);
1197 		spa->spa_errlog_last = spa->spa_errlog_scrub;
1198 		spa->spa_errlog_scrub = 0;
1199 
1200 		sync_error_list(spa, &scrub, &spa->spa_errlog_last, tx);
1201 	}
1202 
1203 	/*
1204 	 * Sync out any pending scrub errors.
1205 	 */
1206 	sync_error_list(spa, &scrub, &spa->spa_errlog_scrub, tx);
1207 
1208 	/*
1209 	 * Update the MOS to reflect the new values.
1210 	 */
1211 	(void) zap_update(spa->spa_meta_objset, DMU_POOL_DIRECTORY_OBJECT,
1212 	    DMU_POOL_ERRLOG_LAST, sizeof (uint64_t), 1,
1213 	    &spa->spa_errlog_last, tx);
1214 	(void) zap_update(spa->spa_meta_objset, DMU_POOL_DIRECTORY_OBJECT,
1215 	    DMU_POOL_ERRLOG_SCRUB, sizeof (uint64_t), 1,
1216 	    &spa->spa_errlog_scrub, tx);
1217 
1218 	dmu_tx_commit(tx);
1219 
1220 	mutex_exit(&spa->spa_errlog_lock);
1221 }
1222 
1223 static void
1224 delete_dataset_errlog(spa_t *spa, uint64_t spa_err_obj, uint64_t ds,
1225     dmu_tx_t *tx)
1226 {
1227 	if (spa_err_obj == 0)
1228 		return;
1229 
1230 	zap_cursor_t zc;
1231 	zap_attribute_t za;
1232 	for (zap_cursor_init(&zc, spa->spa_meta_objset, spa_err_obj);
1233 	    zap_cursor_retrieve(&zc, &za) == 0; zap_cursor_advance(&zc)) {
1234 		uint64_t head_ds;
1235 		name_to_object(za.za_name, &head_ds);
1236 		if (head_ds == ds) {
1237 			(void) zap_remove(spa->spa_meta_objset, spa_err_obj,
1238 			    za.za_name, tx);
1239 			VERIFY0(dmu_object_free(spa->spa_meta_objset,
1240 			    za.za_first_integer, tx));
1241 			break;
1242 		}
1243 	}
1244 	zap_cursor_fini(&zc);
1245 }
1246 
1247 void
1248 spa_delete_dataset_errlog(spa_t *spa, uint64_t ds, dmu_tx_t *tx)
1249 {
1250 	mutex_enter(&spa->spa_errlog_lock);
1251 	delete_dataset_errlog(spa, spa->spa_errlog_scrub, ds, tx);
1252 	delete_dataset_errlog(spa, spa->spa_errlog_last, ds, tx);
1253 	mutex_exit(&spa->spa_errlog_lock);
1254 }
1255 
1256 static int
1257 find_txg_ancestor_snapshot(spa_t *spa, uint64_t new_head, uint64_t old_head,
1258     uint64_t *txg)
1259 {
1260 	dsl_dataset_t *ds;
1261 	dsl_pool_t *dp = spa->spa_dsl_pool;
1262 
1263 	int error = dsl_dataset_hold_obj(dp, old_head, FTAG, &ds);
1264 	if (error != 0)
1265 		return (error);
1266 
1267 	uint64_t prev_obj = dsl_dataset_phys(ds)->ds_prev_snap_obj;
1268 	uint64_t prev_obj_txg = dsl_dataset_phys(ds)->ds_prev_snap_txg;
1269 
1270 	while (prev_obj != 0) {
1271 		dsl_dataset_rele(ds, FTAG);
1272 		if ((error = dsl_dataset_hold_obj(dp, prev_obj,
1273 		    FTAG, &ds)) == 0 &&
1274 		    dsl_dir_phys(ds->ds_dir)->dd_head_dataset_obj == new_head)
1275 			break;
1276 
1277 		if (error != 0)
1278 			return (error);
1279 
1280 		prev_obj_txg = dsl_dataset_phys(ds)->ds_prev_snap_txg;
1281 		prev_obj = dsl_dataset_phys(ds)->ds_prev_snap_obj;
1282 	}
1283 	dsl_dataset_rele(ds, FTAG);
1284 	ASSERT(prev_obj != 0);
1285 	*txg = prev_obj_txg;
1286 	return (0);
1287 }
1288 
1289 static void
1290 swap_errlog(spa_t *spa, uint64_t spa_err_obj, uint64_t new_head, uint64_t
1291     old_head, dmu_tx_t *tx)
1292 {
1293 	if (spa_err_obj == 0)
1294 		return;
1295 
1296 	uint64_t old_head_errlog;
1297 	int error = zap_lookup_int_key(spa->spa_meta_objset, spa_err_obj,
1298 	    old_head, &old_head_errlog);
1299 
1300 	/* If no error log, then there is nothing to do. */
1301 	if (error != 0)
1302 		return;
1303 
1304 	uint64_t txg;
1305 	error = find_txg_ancestor_snapshot(spa, new_head, old_head, &txg);
1306 	if (error != 0)
1307 		return;
1308 
1309 	/*
1310 	 * Create an error log if the file system being promoted does not
1311 	 * already have one.
1312 	 */
1313 	uint64_t new_head_errlog;
1314 	error = zap_lookup_int_key(spa->spa_meta_objset, spa_err_obj, new_head,
1315 	    &new_head_errlog);
1316 
1317 	if (error != 0) {
1318 		new_head_errlog = zap_create(spa->spa_meta_objset,
1319 		    DMU_OT_ERROR_LOG, DMU_OT_NONE, 0, tx);
1320 
1321 		(void) zap_update_int_key(spa->spa_meta_objset, spa_err_obj,
1322 		    new_head, new_head_errlog, tx);
1323 	}
1324 
1325 	zap_cursor_t zc;
1326 	zap_attribute_t za;
1327 	zbookmark_err_phys_t err_block;
1328 	for (zap_cursor_init(&zc, spa->spa_meta_objset, old_head_errlog);
1329 	    zap_cursor_retrieve(&zc, &za) == 0; zap_cursor_advance(&zc)) {
1330 
1331 		const char *name = "";
1332 		name_to_errphys(za.za_name, &err_block);
1333 		if (err_block.zb_birth < txg) {
1334 			(void) zap_update(spa->spa_meta_objset, new_head_errlog,
1335 			    za.za_name, 1, strlen(name) + 1, name, tx);
1336 
1337 			(void) zap_remove(spa->spa_meta_objset, old_head_errlog,
1338 			    za.za_name, tx);
1339 		}
1340 	}
1341 	zap_cursor_fini(&zc);
1342 }
1343 
1344 void
1345 spa_swap_errlog(spa_t *spa, uint64_t new_head_ds, uint64_t old_head_ds,
1346     dmu_tx_t *tx)
1347 {
1348 	mutex_enter(&spa->spa_errlog_lock);
1349 	swap_errlog(spa, spa->spa_errlog_scrub, new_head_ds, old_head_ds, tx);
1350 	swap_errlog(spa, spa->spa_errlog_last, new_head_ds, old_head_ds, tx);
1351 	mutex_exit(&spa->spa_errlog_lock);
1352 }
1353 
1354 #if defined(_KERNEL)
1355 /* error handling */
1356 EXPORT_SYMBOL(spa_log_error);
1357 EXPORT_SYMBOL(spa_get_errlog_size);
1358 EXPORT_SYMBOL(spa_get_errlog);
1359 EXPORT_SYMBOL(spa_errlog_rotate);
1360 EXPORT_SYMBOL(spa_errlog_drain);
1361 EXPORT_SYMBOL(spa_errlog_sync);
1362 EXPORT_SYMBOL(spa_get_errlists);
1363 EXPORT_SYMBOL(spa_delete_dataset_errlog);
1364 EXPORT_SYMBOL(spa_swap_errlog);
1365 EXPORT_SYMBOL(sync_error_list);
1366 EXPORT_SYMBOL(spa_upgrade_errlog);
1367 #endif
1368 
1369 /* BEGIN CSTYLED */
1370 ZFS_MODULE_PARAM(zfs_spa, spa_, upgrade_errlog_limit, INT, ZMOD_RW,
1371 	"Limit the number of errors which will be upgraded to the new "
1372 	"on-disk error log when enabling head_errlog");
1373 /* END CSTYLED */
1374