Re: git: 99c3f1577459 - releng/13.1 - zfs: merge openzfs/zfs@52bad4f23 (zfs-2.1-release) into stable/13

From: Martin Matuska <mm_at_FreeBSD.org>
Date: Tue, 29 Mar 2022 15:57:46 UTC
Ok, stopping.

Then this should be fixed in main and OpenZFS master in a secure way.

mm

On 29. 3. 2022 17:53, Mateusz Guzik wrote:
> whoa, stop right there.
>
> The commit at hand introduces a security problem by modifying proc
> credentials. Another thread in the same process can race to snatch
> these creds permanently for itself.
>
> The patch is definitely wrong.
>
> On 3/29/22, Martin Matuska <mm@freebsd.org> wrote:
>> Looks like nobody proposed the commit for zfs-2.1-release at OpenZFS
>>
>> I am going to cherry-pick it to stable/13
>>
>> Cheers,
>> mm
>>
>> On 29. 3. 2022 17:41, Rob Wing wrote:
>>> Martin,
>>>
>>> Is there any reason not to cherry-pick this commit in:
>>> https://github.com/openzfs/zfs/commit/4a1195ca5041cbff2a6b025a31937fef84876c52?
>>>
>>> I bring it up because a few users have expressed interest in it.
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260160
>>>
>>>
>>> On Tue, Mar 29, 2022 at 5:53 AM Martin Matuska <mm@freebsd.org> wrote:
>>>
>>>      The branch releng/13.1 has been updated by mm:
>>>
>>>      URL:
>>>
>>> https://cgit.FreeBSD.org/src/commit/?id=99c3f15774595c1163ecec87aa8cb157ccdc7d96
>>>
>>> <https://cgit.FreeBSD.org/src/commit/?id=99c3f15774595c1163ecec87aa8cb157ccdc7d96>
>>>
>>>      commit 99c3f15774595c1163ecec87aa8cb157ccdc7d96
>>>      Author:     Martin Matuska <mm@FreeBSD.org>
>>>      AuthorDate: 2022-03-29 10:41:53 +0000
>>>      Commit:     Martin Matuska <mm@FreeBSD.org>
>>>      CommitDate: 2022-03-29 13:50:47 +0000
>>>
>>>          zfs: merge openzfs/zfs@52bad4f23 (zfs-2.1-release) into stable/13
>>>
>>>          OpenZFS release 2.1.4
>>>
>>>          Notable upstream pull request merges:
>>>            #13219 FreeBSD: add missing replay check to an assert in
>>>      zfs_xvattr_set
>>>            #13220 module: freebsd: avoid a taking a destroyed lock in
>>>      zfs_zevent bits
>>>            #13221 Fix ACL checks for NFS kernel server
>>>
>>>          Obtained from:  OpenZFS
>>>          OpenZFS tag:    zfs-2.1.4
>>>          OpenZFS commit: 52bad4f23daaa5f827f802c8d05785a27b80275d
>>>          Relnotes:       yes
>>>          Approved by:    re (gjb)
>>>
>>>          (cherry picked from commit
>>>      c088e4d539e4cc947896a3b156646b831d932539)
>>>      ---
>>>       sys/conf/kern.pre.mk <http://kern.pre.mk>
>>>       |   2 +-
>>>       sys/contrib/openzfs/META                           |   4 +-
>>>       sys/contrib/openzfs/cmd/zed/agents/zfs_mod.c       | 179
>>>      +++++++++++++++++++--
>>>       sys/contrib/openzfs/cmd/zed/zed_disk_event.c       |  10 ++
>>>       .../openzfs/include/os/freebsd/spl/sys/Makefile.am |   1 -
>>>       .../openzfs/include/os/freebsd/spl/sys/cred.h      | 136
>>>      ++--------------
>>>       .../openzfs/include/os/freebsd/spl/sys/kidmap.h    |  41 -----
>>>       .../openzfs/include/os/freebsd/spl/sys/sid.h       |  25 ---
>>>       .../include/os/linux/kernel/linux/simd_x86.h       |   4 +-
>>>       .../openzfs/include/os/linux/spl/sys/cred.h        |   5 -
>>>       sys/contrib/openzfs/lib/libzfs/libzfs_crypto.c     |   1 -
>>>       .../lib/libzutil/os/linux/zutil_device_path_os.c   |  28 ++--
>>>       sys/contrib/openzfs/module/Makefile.bsd            |   2 +-
>>>       .../openzfs/module/os/freebsd/spl/spl_sysevent.c   |  12 +-
>>>       .../openzfs/module/os/freebsd/zfs/zfs_acl.c        |   6 +-
>>>       .../openzfs/module/os/freebsd/zfs/zfs_vnops_os.c   |  19 +--
>>>       .../openzfs/module/os/freebsd/zfs/zfs_znode.c      |   4 +-
>>>       sys/contrib/openzfs/module/os/linux/spl/spl-cred.c |  42 +----
>>>       sys/contrib/openzfs/module/os/linux/zfs/policy.c   |  10 +-
>>>       .../openzfs/module/os/linux/zfs/zpl_inode.c        |   4 +-
>>>       .../openzfs/module/os/linux/zfs/zpl_xattr.c        |   4 +-
>>>       sys/contrib/openzfs/module/zfs/arc.c               |   2 +-
>>>       sys/modules/zfs/Makefile                           |   2 +-
>>>       sys/modules/zfs/zfs_config.h                       |   8 +-
>>>       sys/modules/zfs/zfs_gitrev.h                       |   3 +-
>>>       25 files changed, 242 insertions(+), 312 deletions(-)
>>>
>>>      diff --git a/sys/conf/kern.pre.mk <http://kern.pre.mk>
>>>      b/sys/conf/kern.pre.mk <http://kern.pre.mk>
>>>      index d6ab5e17a82a..6be49642b04e 100644
>>>      --- a/sys/conf/kern.pre.mk <http://kern.pre.mk>
>>>      +++ b/sys/conf/kern.pre.mk <http://kern.pre.mk>
>>>      @@ -262,7 +262,7 @@ CDDL_C=             ${CC} -c ${CDDL_CFLAGS}
>>>      ${WERROR} ${PROF} ${.IMPSRC}
>>>       # Special flags for managing the compat compiles for ZFS
>>>       ZFS_CFLAGS+=   ${CDDL_CFLAGS} -DBUILDING_ZFS -DHAVE_UIO_ZEROCOPY \
>>>              -DWITH_NETDUMP -D__KERNEL__ -D_SYS_CONDVAR_H_ -DSMP \
>>>      -       -DIN_FREEBSD_BASE -DHAVE_KSID
>>>      +       -DIN_FREEBSD_BASE
>>>
>>>       .if ${MACHINE_ARCH} == "amd64"
>>>       ZFS_CFLAGS+= -DHAVE_AVX2 -DHAVE_AVX -D__x86_64 -DHAVE_SSE2
>>>      -DHAVE_AVX512F \
>>>      diff --git a/sys/contrib/openzfs/META b/sys/contrib/openzfs/META
>>>      index 0437224b403f..76e59a42074c 100644
>>>      --- a/sys/contrib/openzfs/META
>>>      +++ b/sys/contrib/openzfs/META
>>>      @@ -1,10 +1,10 @@
>>>       Meta:          1
>>>       Name:          zfs
>>>       Branch:        1.0
>>>      -Version:       2.1.3
>>>      +Version:       2.1.4
>>>       Release:       1
>>>       Release-Tags:  relext
>>>       License:       CDDL
>>>       Author:        OpenZFS
>>>      -Linux-Maximum: 5.16
>>>      +Linux-Maximum: 5.17
>>>       Linux-Minimum: 3.10
>>>      diff --git a/sys/contrib/openzfs/cmd/zed/agents/zfs_mod.c
>>>      b/sys/contrib/openzfs/cmd/zed/agents/zfs_mod.c
>>>      index 3bcdf6e1d718..a510d646e1f9 100644
>>>      --- a/sys/contrib/openzfs/cmd/zed/agents/zfs_mod.c
>>>      +++ b/sys/contrib/openzfs/cmd/zed/agents/zfs_mod.c
>>>      @@ -183,14 +183,14 @@ zfs_process_add(zpool_handle_t *zhp,
>>>      nvlist_t *vdev, boolean_t labeled)
>>>              nvlist_t *nvroot, *newvd;
>>>              pendingdev_t *device;
>>>              uint64_t wholedisk = 0ULL;
>>>      -       uint64_t offline = 0ULL;
>>>      +       uint64_t offline = 0ULL, faulted = 0ULL;
>>>              uint64_t guid = 0ULL;
>>>              char *physpath = NULL, *new_devid = NULL, *enc_sysfs_path
>>>      = NULL;
>>>              char rawpath[PATH_MAX], fullpath[PATH_MAX];
>>>              char devpath[PATH_MAX];
>>>              int ret;
>>>      -       boolean_t is_dm = B_FALSE;
>>>              boolean_t is_sd = B_FALSE;
>>>      +       boolean_t is_mpath_wholedisk = B_FALSE;
>>>              uint_t c;
>>>              vdev_stat_t *vs;
>>>
>>>      @@ -211,15 +211,73 @@ zfs_process_add(zpool_handle_t *zhp,
>>>      nvlist_t *vdev, boolean_t labeled)
>>>                  &enc_sysfs_path);
>>>              (void) nvlist_lookup_uint64(vdev, ZPOOL_CONFIG_WHOLE_DISK,
>>>      &wholedisk);
>>>              (void) nvlist_lookup_uint64(vdev, ZPOOL_CONFIG_OFFLINE,
>>>      &offline);
>>>      +       (void) nvlist_lookup_uint64(vdev, ZPOOL_CONFIG_FAULTED,
>>>      &faulted);
>>>      +
>>>              (void) nvlist_lookup_uint64(vdev, ZPOOL_CONFIG_GUID, &guid);
>>>
>>>      -       if (offline)
>>>      -               return;  /* don't intervene if it was taken offline
>>> */
>>>      +       /*
>>>      +        * Special case:
>>>      +        *
>>>      +        * We've seen times where a disk won't have a
>>>      ZPOOL_CONFIG_PHYS_PATH
>>>      +        * entry in their config. For example, on this
>>>      force-faulted disk:
>>>      +        *
>>>      +        *      children[0]:
>>>      +        *         type: 'disk'
>>>      +        *         id: 0
>>>      +        *         guid: 14309659774640089719
>>>      +        *        path: '/dev/disk/by-vdev/L28'
>>>      +        *        whole_disk: 0
>>>      +        *        DTL: 654
>>>      +        *        create_txg: 4
>>>      +        *        com.delphix:vdev_zap_leaf: 1161
>>>      +        *        faulted: 1
>>>      +        *        aux_state: 'external'
>>>      +        *      children[1]:
>>>      +        *        type: 'disk'
>>>      +        *        id: 1
>>>      +        *        guid: 16002508084177980912
>>>      +        *        path: '/dev/disk/by-vdev/L29'
>>>      +        *        devid: 'dm-uuid-mpath-35000c500a61d68a3'
>>>      +        *        phys_path: 'L29'
>>>      +        *        vdev_enc_sysfs_path:
>>>      '/sys/class/enclosure/0:0:1:0/SLOT 30 32'
>>>      +        *        whole_disk: 0
>>>      +        *        DTL: 1028
>>>      +        *        create_txg: 4
>>>      +        *        com.delphix:vdev_zap_leaf: 131
>>>      +        *
>>>      +        * If the disk's path is a /dev/disk/by-vdev/ path, then
>>>      we can infer
>>>      +        * the ZPOOL_CONFIG_PHYS_PATH from the by-vdev disk name.
>>>      +        */
>>>      +       if (physpath == NULL && path != NULL) {
>>>      +               /* If path begins with "/dev/disk/by-vdev/" ... */
>>>      +               if (strncmp(path, DEV_BYVDEV_PATH,
>>>      +                   strlen(DEV_BYVDEV_PATH)) == 0) {
>>>      +                       /* Set physpath to the char after
>>>      "/dev/disk/by-vdev" */
>>>      +                       physpath = &path[strlen(DEV_BYVDEV_PATH)];
>>>      +               }
>>>      +       }
>>>      +
>>>      +       /*
>>>      +        * We don't want to autoreplace offlined disks. However,
>>>      we do want to
>>>      +        * replace force-faulted disks (`zpool offline -f`).
>>>      Force-faulted
>>>      +        * disks have both offline=1 and faulted=1 in the nvlist.
>>>      +        */
>>>      +       if (offline && !faulted) {
>>>      +               zed_log_msg(LOG_INFO, "%s: %s is offline, skip
>>>      autoreplace",
>>>      +                   __func__, path);
>>>      +               return;
>>>      +       }
>>>
>>>      -       is_dm = zfs_dev_is_dm(path);
>>>      +       is_mpath_wholedisk = is_mpath_whole_disk(path);
>>>              zed_log_msg(LOG_INFO, "zfs_process_add: pool '%s' vdev
>>>      '%s', phys '%s'"
>>>      -           " wholedisk %d, %s dm (guid %llu)",
>>>      zpool_get_name(zhp), path,
>>>      -           physpath ? physpath : "NULL", wholedisk, is_dm ? "is"
>>>      : "not",
>>>      +           " %s blank disk, %s mpath blank disk, %s labeled, enc
>>>      sysfs '%s', "
>>>      +           "(guid %llu)",
>>>      +           zpool_get_name(zhp), path,
>>>      +           physpath ? physpath : "NULL",
>>>      +           wholedisk ? "is" : "not",
>>>      +           is_mpath_wholedisk? "is" : "not",
>>>      +           labeled ? "is" : "not",
>>>      +           enc_sysfs_path,
>>>                  (long long unsigned int)guid);
>>>
>>>              /*
>>>      @@ -253,8 +311,9 @@ zfs_process_add(zpool_handle_t *zhp, nvlist_t
>>>      *vdev, boolean_t labeled)
>>>                  ZFS_ONLINE_CHECKREMOVE | ZFS_ONLINE_UNSPARE,
>>>      &newstate) == 0 &&
>>>                  (newstate == VDEV_STATE_HEALTHY ||
>>>                  newstate == VDEV_STATE_DEGRADED)) {
>>>      -               zed_log_msg(LOG_INFO, "  zpool_vdev_online: vdev
>>>      %s is %s",
>>>      -                   fullpath, (newstate == VDEV_STATE_HEALTHY) ?
>>>      +               zed_log_msg(LOG_INFO,
>>>      +                   "  zpool_vdev_online: vdev '%s' ('%s') is "
>>>      +                   "%s", fullpath, physpath, (newstate ==
>>>      VDEV_STATE_HEALTHY) ?
>>>                          "HEALTHY" : "DEGRADED");
>>>                      return;
>>>              }
>>>      @@ -271,11 +330,12 @@ zfs_process_add(zpool_handle_t *zhp,
>>>      nvlist_t *vdev, boolean_t labeled)
>>>               * vdev online to trigger a FMA fault by posting an ereport.
>>>               */
>>>              if (!zpool_get_prop_int(zhp, ZPOOL_PROP_AUTOREPLACE, NULL) ||
>>>      -           !(wholedisk || is_dm) || (physpath == NULL)) {
>>>      +           !(wholedisk || is_mpath_wholedisk) || (physpath ==
>>>      NULL)) {
>>>                      (void) zpool_vdev_online(zhp, fullpath,
>>>      ZFS_ONLINE_FORCEFAULT,
>>>                          &newstate);
>>>                      zed_log_msg(LOG_INFO, "Pool's autoreplace is not
>>>      enabled or "
>>>      -                   "not a whole disk for '%s'", fullpath);
>>>      +                   "not a blank disk for '%s' ('%s')", fullpath,
>>>      +                   physpath);
>>>                      return;
>>>              }
>>>
>>>      @@ -287,7 +347,7 @@ zfs_process_add(zpool_handle_t *zhp, nvlist_t
>>>      *vdev, boolean_t labeled)
>>>              (void) snprintf(rawpath, sizeof (rawpath), "%s%s",
>>>                  is_sd ? DEV_BYVDEV_PATH : DEV_BYPATH_PATH, physpath);
>>>
>>>      -       if (realpath(rawpath, devpath) == NULL && !is_dm) {
>>>      +       if (realpath(rawpath, devpath) == NULL &&
>>>      !is_mpath_wholedisk) {
>>>                      zed_log_msg(LOG_INFO, "  realpath: %s failed (%s)",
>>>                          rawpath, strerror(errno));
>>>
>>>      @@ -303,12 +363,14 @@ zfs_process_add(zpool_handle_t *zhp,
>>>      nvlist_t *vdev, boolean_t labeled)
>>>              if ((vs->vs_state != VDEV_STATE_DEGRADED) &&
>>>                  (vs->vs_state != VDEV_STATE_FAULTED) &&
>>>                  (vs->vs_state != VDEV_STATE_CANT_OPEN)) {
>>>      +               zed_log_msg(LOG_INFO, "  not autoreplacing since
>>>      disk isn't in "
>>>      +                   "a bad state (currently %d)", vs->vs_state);
>>>                      return;
>>>              }
>>>
>>>              nvlist_lookup_string(vdev, "new_devid", &new_devid);
>>>
>>>      -       if (is_dm) {
>>>      +       if (is_mpath_wholedisk) {
>>>                      /* Don't label device mapper or multipath disks. */
>>>              } else if (!labeled) {
>>>                      /*
>>>      @@ -522,8 +584,11 @@ zfs_iter_vdev(zpool_handle_t *zhp, nvlist_t
>>>      *nvl, void *data)
>>>                       * the dp->dd_compare value.
>>>                       */
>>>                      if (nvlist_lookup_string(nvl, dp->dd_prop, &path)
>>>      != 0 ||
>>>      -                   strcmp(dp->dd_compare, path) != 0)
>>>      +                   strcmp(dp->dd_compare, path) != 0) {
>>>      +                       zed_log_msg(LOG_INFO, "  %s: no match (%s
>>>      != vdev %s)",
>>>      +                           __func__, dp->dd_compare, path);
>>>                              return;
>>>      +               }
>>>
>>>                      zed_log_msg(LOG_INFO, "  zfs_iter_vdev: matched %s
>>>      on %s",
>>>                          dp->dd_prop, path);
>>>      @@ -571,6 +636,8 @@ zfs_iter_pool(zpool_handle_t *zhp, void *data)
>>>                                  ZPOOL_CONFIG_VDEV_TREE, &nvl);
>>>                              zfs_iter_vdev(zhp, nvl, data);
>>>                      }
>>>      +       } else {
>>>      +               zed_log_msg(LOG_INFO, "%s: no config\n", __func__);
>>>              }
>>>
>>>              /*
>>>      @@ -619,6 +686,72 @@ devphys_iter(const char *physical, const char
>>>      *devid, zfs_process_func_t func,
>>>              return (data.dd_found);
>>>       }
>>>
>>>      +/*
>>>      + * Given a device identifier, find any vdevs with a matching by-vdev
>>>      + * path.  Normally we shouldn't need this as the comparison would be
>>>      + * made earlier in the devphys_iter().  For example, if we were
>>>      replacing
>>>      + * /dev/disk/by-vdev/L28, normally devphys_iter() would match the
>>>      + * ZPOOL_CONFIG_PHYS_PATH of "L28" from the old disk config to "L28"
>>>      + * of the new disk config.  However, we've seen cases where
>>>      + * ZPOOL_CONFIG_PHYS_PATH was not in the config for the old
>>>      disk.  Here's
>>>      + * an example of a real 2-disk mirror pool where one disk was force
>>>      + * faulted:
>>>      + *
>>>      + *       com.delphix:vdev_zap_top: 129
>>>      + *           children[0]:
>>>      + *               type: 'disk'
>>>      + *               id: 0
>>>      + *               guid: 14309659774640089719
>>>      + *               path: '/dev/disk/by-vdev/L28'
>>>      + *               whole_disk: 0
>>>      + *               DTL: 654
>>>      + *               create_txg: 4
>>>      + *               com.delphix:vdev_zap_leaf: 1161
>>>      + *               faulted: 1
>>>      + *               aux_state: 'external'
>>>      + *           children[1]:
>>>      + *               type: 'disk'
>>>      + *               id: 1
>>>      + *               guid: 16002508084177980912
>>>      + *               path: '/dev/disk/by-vdev/L29'
>>>      + *               devid: 'dm-uuid-mpath-35000c500a61d68a3'
>>>      + *               phys_path: 'L29'
>>>      + *               vdev_enc_sysfs_path:
>>>      '/sys/class/enclosure/0:0:1:0/SLOT 30 32'
>>>      + *               whole_disk: 0
>>>      + *               DTL: 1028
>>>      + *               create_txg: 4
>>>      + *               com.delphix:vdev_zap_leaf: 131
>>>      + *
>>>      + * So in the case above, the only thing we could compare is the
>>> path.
>>>      + *
>>>      + * We can do this because we assume by-vdev paths are
>>>      authoritative as physical
>>>      + * paths.  We could not assume this for normal paths like
>>>      /dev/sda since the
>>>      + * physical location /dev/sda points to could change over time.
>>>      + */
>>>      +static boolean_t
>>>      +by_vdev_path_iter(const char *by_vdev_path, const char *devid,
>>>      +    zfs_process_func_t func, boolean_t is_slice)
>>>      +{
>>>      +       dev_data_t data = { 0 };
>>>      +
>>>      +       data.dd_compare = by_vdev_path;
>>>      +       data.dd_func = func;
>>>      +       data.dd_prop = ZPOOL_CONFIG_PATH;
>>>      +       data.dd_found = B_FALSE;
>>>      +       data.dd_islabeled = is_slice;
>>>      +       data.dd_new_devid = devid;
>>>      +
>>>      +       if (strncmp(by_vdev_path, DEV_BYVDEV_PATH,
>>>      +           strlen(DEV_BYVDEV_PATH)) != 0) {
>>>      +               /* by_vdev_path doesn't start with
>>>      "/dev/disk/by-vdev/" */
>>>      +               return (B_FALSE);
>>>      +       }
>>>      +
>>>      +       (void) zpool_iter(g_zfshdl, zfs_iter_pool, &data);
>>>      +
>>>      +       return (data.dd_found);
>>>      +}
>>>      +
>>>       /*
>>>        * Given a device identifier, find any vdevs with a matching devid.
>>>        * On Linux we can match devid directly which is always a whole
>>> disk.
>>>      @@ -683,15 +816,17 @@ guid_iter(uint64_t pool_guid, uint64_t
>>>      vdev_guid, const char *devid,
>>>       static int
>>>       zfs_deliver_add(nvlist_t *nvl, boolean_t is_lofi)
>>>       {
>>>      -       char *devpath = NULL, *devid;
>>>      +       char *devpath = NULL, *devid = NULL;
>>>              uint64_t pool_guid = 0, vdev_guid = 0;
>>>              boolean_t is_slice;
>>>
>>>              /*
>>>               * Expecting a devid string and an optional physical
>>>      location and guid
>>>               */
>>>      -       if (nvlist_lookup_string(nvl, DEV_IDENTIFIER, &devid) != 0)
>>>      +       if (nvlist_lookup_string(nvl, DEV_IDENTIFIER, &devid) != 0) {
>>>      +               zed_log_msg(LOG_INFO, "%s: no dev identifier\n",
>>>      __func__);
>>>                      return (-1);
>>>      +       }
>>>
>>>              (void) nvlist_lookup_string(nvl, DEV_PHYS_PATH, &devpath);
>>>              (void) nvlist_lookup_uint64(nvl, ZFS_EV_POOL_GUID,
>>>      &pool_guid);
>>>      @@ -707,6 +842,8 @@ zfs_deliver_add(nvlist_t *nvl, boolean_t is_lofi)
>>>               * 1. ZPOOL_CONFIG_DEVID (identifies the unique disk)
>>>               * 2. ZPOOL_CONFIG_PHYS_PATH (identifies disk physical
>>>      location).
>>>               * 3. ZPOOL_CONFIG_GUID (identifies unique vdev).
>>>      +        * 4. ZPOOL_CONFIG_PATH for /dev/disk/by-vdev devices only
>>>      (since
>>>      +        *    by-vdev paths represent physical paths).
>>>               */
>>>              if (devid_iter(devid, zfs_process_add, is_slice))
>>>                      return (0);
>>>      @@ -717,6 +854,16 @@ zfs_deliver_add(nvlist_t *nvl, boolean_t
>>> is_lofi)
>>>                      (void) guid_iter(pool_guid, vdev_guid, devid,
>>>      zfs_process_add,
>>>                          is_slice);
>>>
>>>      +       if (devpath != NULL) {
>>>      +               /* Can we match a /dev/disk/by-vdev/ path? */
>>>      +               char by_vdev_path[MAXPATHLEN];
>>>      +               snprintf(by_vdev_path, sizeof (by_vdev_path),
>>>      +                   "/dev/disk/by-vdev/%s", devpath);
>>>      +               if (by_vdev_path_iter(by_vdev_path, devid,
>>>      zfs_process_add,
>>>      +                   is_slice))
>>>      +                       return (0);
>>>      +       }
>>>      +
>>>              return (0);
>>>       }
>>>
>>>      diff --git a/sys/contrib/openzfs/cmd/zed/zed_disk_event.c
>>>      b/sys/contrib/openzfs/cmd/zed/zed_disk_event.c
>>>      index 94e24236063c..52b80d8c4c93 100644
>>>      --- a/sys/contrib/openzfs/cmd/zed/zed_disk_event.c
>>>      +++ b/sys/contrib/openzfs/cmd/zed/zed_disk_event.c
>>>      @@ -215,6 +215,11 @@ zed_udev_monitor(void *arg)
>>>                      if (type != NULL && type[0] != '\0' &&
>>>                          strcmp(type, "disk") == 0 &&
>>>                          part != NULL && part[0] != '\0') {
>>>      +                       zed_log_msg(LOG_INFO,
>>>      +                           "%s: skip %s since it has a %s
>>>      partition already",
>>>      +                           __func__,
>>>      +  udev_device_get_property_value(dev, "DEVNAME"),
>>>      +                           part);
>>>                              /* skip and wait for partition event */
>>>                              udev_device_unref(dev);
>>>                              continue;
>>>      @@ -229,6 +234,11 @@ zed_udev_monitor(void *arg)
>>>                              sectors =
>>>      udev_device_get_sysattr_value(dev, "size");
>>>                      if (sectors != NULL &&
>>>                          strtoull(sectors, NULL, 10) < MINIMUM_SECTORS) {
>>>      +                       zed_log_msg(LOG_INFO,
>>>      +                           "%s: %s sectors %s < %llu (minimum)",
>>>      +                           __func__,
>>>      +  udev_device_get_property_value(dev, "DEVNAME"),
>>>      +                           sectors, MINIMUM_SECTORS);
>>>                              udev_device_unref(dev);
>>>                              continue;
>>>                      }
>>>      diff --git
>>>      a/sys/contrib/openzfs/include/os/freebsd/spl/sys/Makefile.am
>>>      b/sys/contrib/openzfs/include/os/freebsd/spl/sys/Makefile.am
>>>      index 232aaf569fa2..7488e56c7649 100644
>>>      --- a/sys/contrib/openzfs/include/os/freebsd/spl/sys/Makefile.am
>>>      +++ b/sys/contrib/openzfs/include/os/freebsd/spl/sys/Makefile.am
>>>      @@ -22,7 +22,6 @@ KERNEL_H = \
>>>              inttypes.h \
>>>              isa_defs.h \
>>>              kmem_cache.h \
>>>      -       kidmap.h \
>>>              kmem.h \
>>>              kstat.h \
>>>              list_impl.h \
>>>      diff --git a/sys/contrib/openzfs/include/os/freebsd/spl/sys/cred.h
>>>      b/sys/contrib/openzfs/include/os/freebsd/spl/sys/cred.h
>>>      index 86f79011d6da..db986af57bf5 100644
>>>      --- a/sys/contrib/openzfs/include/os/freebsd/spl/sys/cred.h
>>>      +++ b/sys/contrib/openzfs/include/os/freebsd/spl/sys/cred.h
>>>      @@ -48,138 +48,20 @@ extern "C" {
>>>       typedef struct ucred cred_t;
>>>
>>>       #define        CRED()          curthread->td_ucred
>>>      -#define        kcred   (thread0.td_ucred)
>>>      -
>>>      -#define        KUID_TO_SUID(x)         (x)
>>>      -#define        KGID_TO_SGID(x)         (x)
>>>      -#define        crgetuid(cred)          ((cred)->cr_uid)
>>>      -#define        crgetruid(cred)         ((cred)->cr_ruid)
>>>      -#define        crgetgid(cred)          ((cred)->cr_gid)
>>>      -#define        crgetgroups(cred)       ((cred)->cr_groups)
>>>      -#define        crgetngroups(cred) ((cred)->cr_ngroups)
>>>      -#define        crgetsid(cred, i)       (NULL)
>>>
>>>      -struct proc;                           /* cred.h is included in
>>>      proc.h */
>>>      -struct prcred;
>>>      -struct ksid;
>>>      -struct ksidlist;
>>>      -struct credklpd;
>>>      -struct credgrp;
>>>      -
>>>      -struct auditinfo_addr;                 /* cred.h is included in
>>>      audit.h */
>>>      -
>>>      -extern int ngroups_max;
>>>       /*
>>>        * kcred is used when you need all privileges.
>>>        */
>>>      +#define        kcred   (thread0.td_ucred)
>>>
>>>      -extern void cred_init(void);
>>>      -extern void crfree(cred_t *);
>>>      -extern cred_t *cralloc(void);          /* all but ref
>>>      uninitialized */
>>>      -extern cred_t *cralloc_ksid(void);     /* cralloc() + ksid
>>>      alloc'ed */
>>>      -extern cred_t *crget(void);            /* initialized */
>>>      -extern void crcopy_to(cred_t *, cred_t *);
>>>      -extern cred_t *crdup(cred_t *);
>>>      -extern void crdup_to(cred_t *, cred_t *);
>>>      -extern cred_t *crgetcred(void);
>>>      -extern void crset(struct proc *, cred_t *);
>>>      -extern void crset_zone_privall(cred_t *);
>>>      -extern int supgroupmember(gid_t, const cred_t *);
>>>      -extern int hasprocperm(const cred_t *, const cred_t *);
>>>      -extern int prochasprocperm(struct proc *, struct proc *, const
>>>      cred_t *);
>>>      -extern int crcmp(const cred_t *, const cred_t *);
>>>      -extern cred_t *zone_kcred(void);
>>>      -
>>>      -extern gid_t crgetrgid(const cred_t *);
>>>      -extern gid_t crgetsgid(const cred_t *);
>>>      -
>>>      -#define        crgetzoneid(cr) ((cr)->cr_prison->pr_id)
>>>      -extern projid_t crgetprojid(const cred_t *);
>>>      -
>>>      -extern cred_t *crgetmapped(const cred_t *);
>>>      -
>>>      -
>>>      -extern const struct auditinfo_addr *crgetauinfo(const cred_t *);
>>>      -extern struct auditinfo_addr *crgetauinfo_modifiable(cred_t *);
>>>      -
>>>      -extern uint_t crgetref(const cred_t *);
>>>      -
>>>      -extern const gid_t *crgetggroups(const struct credgrp *);
>>>      -
>>>      -
>>>      -/*
>>>      - * Sets real, effective and/or saved uid/gid;
>>>      - * -1 argument accepted as "no change".
>>>      - */
>>>      -extern int crsetresuid(cred_t *, uid_t, uid_t, uid_t);
>>>      -extern int crsetresgid(cred_t *, gid_t, gid_t, gid_t);
>>>      -
>>>      -/*
>>>      - * Sets real, effective and saved uids/gids all to the same
>>>      - * values.  Both values must be non-negative and <= MAXUID
>>>      - */
>>>      -extern int crsetugid(cred_t *, uid_t, gid_t);
>>>      -
>>>      -/*
>>>      - * Functions to handle the supplemental group list.
>>>      - */
>>>      -extern struct credgrp *crgrpcopyin(int, gid_t *);
>>>      -extern void crgrprele(struct credgrp *);
>>>      -extern void crsetcredgrp(cred_t *, struct credgrp *);
>>>      -
>>>      -/*
>>>      - * Private interface for setting zone association of credential.
>>>      - */
>>>      -struct zone;
>>>      -extern void crsetzone(cred_t *, struct zone *);
>>>      -extern struct zone *crgetzone(const cred_t *);
>>>      -
>>>      -/*
>>>      - * Private interface for setting project id in credential.
>>>      - */
>>>      -extern void crsetprojid(cred_t *, projid_t);
>>>      -
>>>      -/*
>>>      - * Private interface for nfs.
>>>      - */
>>>      -extern cred_t *crnetadjust(cred_t *);
>>>      -
>>>      -/*
>>>      - * Private interface for procfs.
>>>      - */
>>>      -extern void cred2prcred(const cred_t *, struct prcred *);
>>>      -
>>>      -/*
>>>      - * Private interfaces for Rampart Trusted Solaris.
>>>      - */
>>>      -struct ts_label_s;
>>>      -extern struct ts_label_s *crgetlabel(const cred_t *);
>>>      -extern boolean_t crisremote(const cred_t *);
>>>      -
>>>      -/*
>>>      - * Private interfaces for ephemeral uids.
>>>      - */
>>>      -#define        VALID_UID(id, zn)          \
>>>      -       ((id) <= MAXUID || valid_ephemeral_uid((zn), (id)))
>>>      -
>>>      -#define        VALID_GID(id, zn)          \
>>>      -       ((id) <= MAXUID || valid_ephemeral_gid((zn), (id)))
>>>      -
>>>      -extern boolean_t valid_ephemeral_uid(struct zone *, uid_t);
>>>      -extern boolean_t valid_ephemeral_gid(struct zone *, gid_t);
>>>      -
>>>      -extern int eph_uid_alloc(struct zone *, int, uid_t *, int);
>>>      -extern int eph_gid_alloc(struct zone *, int, gid_t *, int);
>>>      -
>>>      -extern void crsetsid(cred_t *, struct ksid *, int);
>>>      -extern void crsetsidlist(cred_t *, struct ksidlist *);
>>>      -
>>>      -extern struct ksidlist *crgetsidlist(const cred_t *);
>>>      -
>>>      -extern int crsetpriv(cred_t *, ...);
>>>      -
>>>      -extern struct credklpd *crgetcrklpd(const cred_t *);
>>>      -extern void crsetcrklpd(cred_t *, struct credklpd *);
>>>      +#define        KUID_TO_SUID(x)         (x)
>>>      +#define        KGID_TO_SGID(x)         (x)
>>>      +#define        crgetuid(cr)            ((cr)->cr_uid)
>>>      +#define        crgetruid(cr)           ((cr)->cr_ruid)
>>>      +#define        crgetgid(cr)            ((cr)->cr_gid)
>>>      +#define        crgetgroups(cr)         ((cr)->cr_groups)
>>>      +#define        crgetngroups(cr)        ((cr)->cr_ngroups)
>>>      +#define        crgetzoneid(cr)  ((cr)->cr_prison->pr_id)
>>>
>>>       #ifdef __cplusplus
>>>       }
>>>      diff --git
>>>      a/sys/contrib/openzfs/include/os/freebsd/spl/sys/kidmap.h
>>>      b/sys/contrib/openzfs/include/os/freebsd/spl/sys/kidmap.h
>>>      deleted file mode 100644
>>>      index dc0cf5988a42..000000000000
>>>      --- a/sys/contrib/openzfs/include/os/freebsd/spl/sys/kidmap.h
>>>      +++ /dev/null
>>>      @@ -1,41 +0,0 @@
>>>      -/*
>>>      - * Copyright (c) 2007 Pawel Jakub Dawidek <pjd@FreeBSD.org>
>>>      - * All rights reserved.
>>>      - *
>>>      - * Redistribution and use in source and binary forms, with or
>>> without
>>>      - * modification, are permitted provided that the following
>>> conditions
>>>      - * are met:
>>>      - * 1. Redistributions of source code must retain the above copyright
>>>      - *    notice, this list of conditions and the following disclaimer.
>>>      - * 2. Redistributions in binary form must reproduce the above
>>>      copyright
>>>      - *    notice, this list of conditions and the following
>>>      disclaimer in the
>>>      - *    documentation and/or other materials provided with the
>>>      distribution.
>>>      - *
>>>      - * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS
>>>      IS'' AND
>>>      - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
>>>      TO, THE
>>>      - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
>>>      PARTICULAR PURPOSE
>>>      - * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS
>>>      BE LIABLE
>>>      - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
>>>      CONSEQUENTIAL
>>>      - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
>>>      SUBSTITUTE GOODS
>>>      - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
>>>      INTERRUPTION)
>>>      - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
>>>      CONTRACT, STRICT
>>>      - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
>>>      IN ANY WAY
>>>      - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
>>>      POSSIBILITY OF
>>>      - * SUCH DAMAGE.
>>>      - *
>>>      - * $FreeBSD$
>>>      - */
>>>      -
>>>      -#ifndef _OPENSOLARIS_SYS_KIDMAP_H_
>>>      -#define        _OPENSOLARIS_SYS_KIDMAP_H_
>>>      -
>>>      -#include <sys/idmap.h>
>>>      -
>>>      -typedef int32_t        idmap_stat;
>>>      -typedef void   idmap_get_handle_t;
>>>      -
>>>      -#define        kidmap_get_create()             (NULL)
>>>      -#define        kidmap_get_destroy(hdl)         do { } while (0)
>>>      -#define        kidmap_get_mappings(hdl)        (NULL)
>>>      -
>>>      -#endif /* _OPENSOLARIS_SYS_KIDMAP_H_ */
>>>      diff --git a/sys/contrib/openzfs/include/os/freebsd/spl/sys/sid.h
>>>      b/sys/contrib/openzfs/include/os/freebsd/spl/sys/sid.h
>>>      index d3fab8b24744..f249d05d55a0 100644
>>>      --- a/sys/contrib/openzfs/include/os/freebsd/spl/sys/sid.h
>>>      +++ b/sys/contrib/openzfs/include/os/freebsd/spl/sys/sid.h
>>>      @@ -29,7 +29,6 @@
>>>       #ifndef _OPENSOLARIS_SYS_SID_H_
>>>       #define        _OPENSOLARIS_SYS_SID_H_
>>>       #include <sys/idmap.h>
>>>      -#include <sys/kidmap.h>
>>>
>>>       typedef struct ksiddomain {
>>>              char    *kd_name;       /* Domain part of SID */
>>>      @@ -59,28 +58,4 @@ ksiddomain_rele(ksiddomain_t *kd)
>>>              kmem_free(kd, sizeof (*kd));
>>>       }
>>>
>>>      -static __inline uint_t
>>>      -ksid_getid(ksid_t *ks)
>>>      -{
>>>      -
>>>      -       panic("%s has been unexpectedly called", __func__);
>>>      -}
>>>      -
>>>      -static __inline const char *
>>>      -ksid_getdomain(ksid_t *ks)
>>>      -{
>>>      -
>>>      -       panic("%s has been unexpectedly called", __func__);
>>>      -}
>>>      -
>>>      -static __inline uint_t
>>>      -ksid_getrid(ksid_t *ks)
>>>      -{
>>>      -
>>>      -       panic("%s has been unexpectedly called", __func__);
>>>      -}
>>>      -
>>>      -#define        kidmap_getsidbyuid(zone, uid, sid_prefix, rid)  (1)
>>>      -#define        kidmap_getsidbygid(zone, gid, sid_prefix, rid)  (1)
>>>      -
>>>       #endif /* _OPENSOLARIS_SYS_SID_H_ */
>>>      diff --git
>>>      a/sys/contrib/openzfs/include/os/linux/kernel/linux/simd_x86.h
>>>      b/sys/contrib/openzfs/include/os/linux/kernel/linux/simd_x86.h
>>>      index 6d4c7a09fe82..0f6a222ba667 100644
>>>      --- a/sys/contrib/openzfs/include/os/linux/kernel/linux/simd_x86.h
>>>      +++ b/sys/contrib/openzfs/include/os/linux/kernel/linux/simd_x86.h
>>>      @@ -420,9 +420,9 @@ kfpu_end(void)
>>>              if (static_cpu_has(X86_FEATURE_XSAVE)) {
>>>                      kfpu_do_xrstor("xrstor", &state->xsave, ~0);
>>>              } else if (static_cpu_has(X86_FEATURE_FXSR)) {
>>>      -               kfpu_save_fxsr(&state->fxsave);
>>>      +               kfpu_restore_fxsr(&state->fxsave);
>>>              } else {
>>>      -               kfpu_save_fsave(&state->fsave);
>>>      +               kfpu_restore_fsave(&state->fsave);
>>>              }
>>>       out:
>>>              local_irq_enable();
>>>      diff --git a/sys/contrib/openzfs/include/os/linux/spl/sys/cred.h
>>>      b/sys/contrib/openzfs/include/os/linux/spl/sys/cred.h
>>>      index 9cc85deb5c8a..b7d3f38d70bb 100644
>>>      --- a/sys/contrib/openzfs/include/os/linux/spl/sys/cred.h
>>>      +++ b/sys/contrib/openzfs/include/os/linux/spl/sys/cred.h
>>>      @@ -49,12 +49,7 @@ extern void crhold(cred_t *cr);
>>>       extern void crfree(cred_t *cr);
>>>       extern uid_t crgetuid(const cred_t *cr);
>>>       extern uid_t crgetruid(const cred_t *cr);
>>>      -extern uid_t crgetsuid(const cred_t *cr);
>>>      -extern uid_t crgetfsuid(const cred_t *cr);
>>>       extern gid_t crgetgid(const cred_t *cr);
>>>      -extern gid_t crgetrgid(const cred_t *cr);
>>>      -extern gid_t crgetsgid(const cred_t *cr);
>>>      -extern gid_t crgetfsgid(const cred_t *cr);
>>>       extern int crgetngroups(const cred_t *cr);
>>>       extern gid_t *crgetgroups(const cred_t *cr);
>>>       extern int groupmember(gid_t gid, const cred_t *cr);
>>>      diff --git a/sys/contrib/openzfs/lib/libzfs/libzfs_crypto.c
>>>      b/sys/contrib/openzfs/lib/libzfs/libzfs_crypto.c
>>>      index 644dd26859f1..f77becd6a5c1 100644
>>>      --- a/sys/contrib/openzfs/lib/libzfs/libzfs_crypto.c
>>>      +++ b/sys/contrib/openzfs/lib/libzfs/libzfs_crypto.c
>>>      @@ -606,7 +606,6 @@ get_key_material_https(libzfs_handle_t *hdl,
>>>      const char *uri,
>>>       kfdok:
>>>              if ((key = fdopen(kfd, "r+")) == NULL) {
>>>                      ret = errno;
>>>      -               free(path);
>>>                      (void) close(kfd);
>>>                      zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
>>>                          "Couldn't reopen temporary file: %s"),
>>>      strerror(ret));
>>>      diff --git
>>>      a/sys/contrib/openzfs/lib/libzutil/os/linux/zutil_device_path_os.c
>>>      b/sys/contrib/openzfs/lib/libzutil/os/linux/zutil_device_path_os.c
>>>      index 13f8bd031612..45a6f6f5935b 100644
>>>      ---
>>> a/sys/contrib/openzfs/lib/libzutil/os/linux/zutil_device_path_os.c
>>>      +++
>>> b/sys/contrib/openzfs/lib/libzutil/os/linux/zutil_device_path_os.c
>>>      @@ -527,7 +527,7 @@ zfs_dev_is_dm(const char *dev_name)
>>>       boolean_t
>>>       zfs_dev_is_whole_disk(const char *dev_name)
>>>       {
>>>      -       struct dk_gpt *label;
>>>      +       struct dk_gpt *label = NULL;
>>>              int fd;
>>>
>>>              if ((fd = open(dev_name, O_RDONLY | O_DIRECT | O_CLOEXEC))
>>>      < 0)
>>>      @@ -613,22 +613,24 @@ zfs_get_underlying_path(const char *dev_name)
>>>       /*
>>>        * A disk is considered a multipath whole disk when:
>>>        *     DEVNAME key value has "dm-"
>>>      - *     DM_NAME key value has "mpath" prefix
>>>      - *     DM_UUID key exists
>>>      + *     DM_UUID key exists and starts with 'mpath-'
>>>        *     ID_PART_TABLE_TYPE key does not exist or is not gpt
>>>      + *     ID_FS_LABEL key does not exist (disk isn't labeled)
>>>        */
>>>       static boolean_t
>>>      -udev_mpath_whole_disk(struct udev_device *dev)
>>>      +is_mpath_udev_sane(struct udev_device *dev)
>>>       {
>>>      -       const char *devname, *type, *uuid;
>>>      +       const char *devname, *type, *uuid, *label;
>>>
>>>              devname = udev_device_get_property_value(dev, "DEVNAME");
>>>              type = udev_device_get_property_value(dev,
>>>      "ID_PART_TABLE_TYPE");
>>>              uuid = udev_device_get_property_value(dev, "DM_UUID");
>>>      +       label = udev_device_get_property_value(dev, "ID_FS_LABEL");
>>>
>>>              if ((devname != NULL && strncmp(devname, "/dev/dm-", 8) ==
>>>      0) &&
>>>                  ((type == NULL) || (strcmp(type, "gpt") != 0)) &&
>>>      -           (uuid != NULL)) {
>>>      +           ((uuid != NULL) && (strncmp(uuid, "mpath-", 6) == 0)) &&
>>>      +           (label == NULL)) {
>>>                      return (B_TRUE);
>>>              }
>>>
>>>      @@ -636,7 +638,11 @@ udev_mpath_whole_disk(struct udev_device *dev)
>>>       }
>>>
>>>       /*
>>>      - * Check if a disk is effectively a multipath whole disk
>>>      + * Check if a disk is a multipath "blank" disk:
>>>      + *
>>>      + * 1. The disk has udev values that suggest it's a multipath disk
>>>      + * 2. The disk is not currently labeled with a filesystem of any
>>> type
>>>      + * 3. There are no partitions on the disk
>>>        */
>>>       boolean_t
>>>       is_mpath_whole_disk(const char *path)
>>>      @@ -645,7 +651,6 @@ is_mpath_whole_disk(const char *path)
>>>              struct udev_device *dev = NULL;
>>>              char nodepath[MAXPATHLEN];
>>>              char *sysname;
>>>      -       boolean_t wholedisk = B_FALSE;
>>>
>>>              if (realpath(path, nodepath) == NULL)
>>>                      return (B_FALSE);
>>>      @@ -660,10 +665,11 @@ is_mpath_whole_disk(const char *path)
>>>                      return (B_FALSE);
>>>              }
>>>
>>>      -       wholedisk = udev_mpath_whole_disk(dev);
>>>      -
>>>      +       /* Sanity check some udev values */
>>>      +       boolean_t is_sane = is_mpath_udev_sane(dev);
>>>              udev_device_unref(dev);
>>>      -       return (wholedisk);
>>>      +
>>>      +       return (is_sane);
>>>       }
>>>
>>>       #else /* HAVE_LIBUDEV */
>>>      diff --git a/sys/contrib/openzfs/module/Makefile.bsd
>>>      b/sys/contrib/openzfs/module/Makefile.bsd
>>>      index 8aa4ed22275e..dc6cc2b74243 100644
>>>      --- a/sys/contrib/openzfs/module/Makefile.bsd
>>>      +++ b/sys/contrib/openzfs/module/Makefile.bsd
>>>      @@ -32,7 +32,7 @@ CFLAGS+= -include
>>>      ${INCDIR}/os/freebsd/spl/sys/ccompile.h
>>>
>>>       CFLAGS+= -D__KERNEL__ -DFREEBSD_NAMECACHE -DBUILDING_ZFS
>>>      -D__BSD_VISIBLE=1 \
>>>               -DHAVE_UIO_ZEROCOPY -DWITHOUT_NETDUMP -D__KERNEL
>>>      -D_SYS_CONDVAR_H_ \
>>>      -        -D_SYS_VMEM_H_ -DKDTRACE_HOOKS -DSMP -DHAVE_KSID
>>>      -DCOMPAT_FREEBSD11
>>>      +        -D_SYS_VMEM_H_ -DKDTRACE_HOOKS -DSMP -DCOMPAT_FREEBSD11
>>>
>>>       .if ${MACHINE_ARCH} == "amd64"
>>>       CFLAGS+= -DHAVE_AVX2 -DHAVE_AVX -D__x86_64 -DHAVE_SSE2
>>>      -DHAVE_AVX512F -DHAVE_SSSE3
>>>      diff --git
>>>      a/sys/contrib/openzfs/module/os/freebsd/spl/spl_sysevent.c
>>>      b/sys/contrib/openzfs/module/os/freebsd/spl/spl_sysevent.c
>>>      index d5d50080fafd..16188c71b53d 100644
>>>      --- a/sys/contrib/openzfs/module/os/freebsd/spl/spl_sysevent.c
>>>      +++ b/sys/contrib/openzfs/module/os/freebsd/spl/spl_sysevent.c
>>>      @@ -250,7 +250,17 @@ sysevent_worker(void *arg __unused)
>>>                              nvlist_free(event);
>>>                      }
>>>              }
>>>      -       zfs_zevent_destroy(ze);
>>>      +
>>>      +       /*
>>>      +        * We avoid zfs_zevent_destroy() here because we're
>>>      otherwise racing
>>>      +        * against fm_fini() destroying the zevent_lock.
>>>      zfs_zevent_destroy()
>>>      +        * will currently only clear `ze->ze_zevent` from an event
>>>      list then
>>>      +        * free `ze`, so just inline the free() here -- events
>>>      have already
>>>      +        * been drained.
>>>      +        */
>>>      +       VERIFY3P(ze->ze_zevent, ==, NULL);
>>>      +       kmem_free(ze, sizeof (zfs_zevent_t));
>>>      +
>>>              kthread_exit();
>>>       }
>>>
>>>      diff --git a/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_acl.c
>>>      b/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_acl.c
>>>      index ae758bcefe21..fe0f69132321 100644
>>>      --- a/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_acl.c
>>>      +++ b/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_acl.c
>>>      @@ -1653,8 +1653,10 @@ zfs_acl_ids_create(znode_t *dzp, int flag,
>>>      vattr_t *vap, cred_t *cr,
>>>                          ZFS_GROUP, &acl_ids->z_fuidp);
>>>                      gid = vap->va_gid;
>>>              } else {
>>>      -               acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs,
>>>      ZFS_OWNER,
>>>      -                   cr, &acl_ids->z_fuidp);
>>>      +               uid_t id = crgetuid(cr);
>>>      +               if (IS_EPHEMERAL(id))
>>>      +                       id = UID_NOBODY;
>>>      +               acl_ids->z_fuid = (uint64_t)id;
>>>                      acl_ids->z_fgid = 0;
>>>                      if (vap->va_mask & AT_GID)  {
>>>                              acl_ids->z_fgid = zfs_fuid_create(zfsvfs,
>>>      diff --git
>>>      a/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_vnops_os.c
>>>      b/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_vnops_os.c
>>>      index 7bcf80bf5a94..b2cc3d063f9c 100644
>>>      --- a/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_vnops_os.c
>>>      +++ b/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_vnops_os.c
>>>      @@ -1060,8 +1060,7 @@ zfs_create(znode_t *dzp, const char *name,
>>>      vattr_t *vap, int excl, int mode,
>>>              objset_t        *os;
>>>              dmu_tx_t        *tx;
>>>              int             error;
>>>      -       ksid_t          *ksid;
>>>      -       uid_t           uid;
>>>      +       uid_t           uid = crgetuid(cr);
>>>              gid_t           gid = crgetgid(cr);
>>>              uint64_t        projid = ZFS_DEFAULT_PROJID;
>>>              zfs_acl_ids_t   acl_ids;
>>>      @@ -1075,13 +1074,6 @@ zfs_create(znode_t *dzp, const char *name,
>>>      vattr_t *vap, int excl, int mode,
>>>               * If we have an ephemeral id, ACL, or XVATTR then
>>>               * make sure file system is at proper version
>>>               */
>>>      -
>>>      -       ksid = crgetsid(cr, KSID_OWNER);
>>>      -       if (ksid)
>>>      -               uid = ksid_getid(ksid);
>>>      -       else
>>>      -               uid = crgetuid(cr);
>>>      -
>>>              if (zfsvfs->z_use_fuids == B_FALSE &&
>>>                  (vsecp || (vap->va_mask & AT_XVATTR) ||
>>>                  IS_EPHEMERAL(uid) || IS_EPHEMERAL(gid)))
>>>      @@ -1415,8 +1407,7 @@ zfs_mkdir(znode_t *dzp, const char *dirname,
>>>      vattr_t *vap, znode_t **zpp,
>>>              uint64_t        txtype;
>>>              dmu_tx_t        *tx;
>>>              int             error;
>>>      -       ksid_t          *ksid;
>>>      -       uid_t           uid;
>>>      +       uid_t           uid = crgetuid(cr);
>>>              gid_t           gid = crgetgid(cr);
>>>              zfs_acl_ids_t   acl_ids;
>>>              boolean_t       fuid_dirtied;
>>>      @@ -1427,12 +1418,6 @@ zfs_mkdir(znode_t *dzp, const char
>>>      *dirname, vattr_t *vap, znode_t **zpp,
>>>               * If we have an ephemeral id, ACL, or XVATTR then
>>>               * make sure file system is at proper version
>>>               */
>>>      -
>>>      -       ksid = crgetsid(cr, KSID_OWNER);
>>>      -       if (ksid)
>>>      -               uid = ksid_getid(ksid);
>>>      -       else
>>>      -               uid = crgetuid(cr);
>>>              if (zfsvfs->z_use_fuids == B_FALSE &&
>>>                  ((vap->va_mask & AT_XVATTR) ||
>>>                  IS_EPHEMERAL(uid) || IS_EPHEMERAL(gid)))
>>>      diff --git a/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_znode.c
>>>      b/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_znode.c
>>>      index d14df9d88a35..8a2773ac7971 100644
>>>      --- a/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_znode.c
>>>      +++ b/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_znode.c
>>>      @@ -839,7 +839,9 @@ zfs_xvattr_set(znode_t *zp, xvattr_t *xvap,
>>>      dmu_tx_t *tx)
>>>              xoap = xva_getxoptattr(xvap);
>>>              ASSERT3P(xoap, !=, NULL);
>>>
>>>      -       ASSERT_VOP_IN_SEQC(ZTOV(zp));
>>>      +       if (zp->z_zfsvfs->z_replay == B_FALSE) {
>>>      +               ASSERT_VOP_IN_SEQC(ZTOV(zp));
>>>      +       }
>>>
>>>              if (XVA_ISSET_REQ(xvap, XAT_CREATETIME)) {
>>>                      uint64_t times[2];
>>>      diff --git a/sys/contrib/openzfs/module/os/linux/spl/spl-cred.c
>>>      b/sys/contrib/openzfs/module/os/linux/spl/spl-cred.c
>>>      index 8fe1cc30ba99..f81b9540a639 100644
>>>      --- a/sys/contrib/openzfs/module/os/linux/spl/spl-cred.c
>>>      +++ b/sys/contrib/openzfs/module/os/linux/spl/spl-cred.c
>>>      @@ -128,7 +128,7 @@ groupmember(gid_t gid, const cred_t *cr)
>>>       uid_t
>>>       crgetuid(const cred_t *cr)
>>>       {
>>>      -       return (KUID_TO_SUID(cr->euid));
>>>      +       return (KUID_TO_SUID(cr->fsuid));
>>>       }
>>>
>>>       /* Return the real user id */
>>>      @@ -138,44 +138,9 @@ crgetruid(const cred_t *cr)
>>>              return (KUID_TO_SUID(cr->uid));
>>>       }
>>>
>>>      -/* Return the saved user id */
>>>      -uid_t
>>>      -crgetsuid(const cred_t *cr)
>>>      -{
>>>      -       return (KUID_TO_SUID(cr->suid));
>>>      -}
>>>      -
>>>      -/* Return the filesystem user id */
>>>      -uid_t
>>>      -crgetfsuid(const cred_t *cr)
>>>      -{
>>>      -       return (KUID_TO_SUID(cr->fsuid));
>>>      -}
>>>      -
>>>       /* Return the effective group id */
>>>       gid_t
>>>       crgetgid(const cred_t *cr)
>>>      -{
>>>      -       return (KGID_TO_SGID(cr->egid));
>>>      -}
>>>      -
>>>      -/* Return the real group id */
>>>      -gid_t
>>>      -crgetrgid(const cred_t *cr)
>>>      -{
>>>      -       return (KGID_TO_SGID(cr->gid));
>>>      -}
>>>      -
>>>      -/* Return the saved group id */
>>>      -gid_t
>>>      -crgetsgid(const cred_t *cr)
>>>      -{
>>>      -       return (KGID_TO_SGID(cr->sgid));
>>>      -}
>>>      -
>>>      -/* Return the filesystem group id */
>>>      -gid_t
>>>      -crgetfsgid(const cred_t *cr)
>>>       {
>>>              return (KGID_TO_SGID(cr->fsgid));
>>>       }
>>>      @@ -184,12 +149,7 @@ EXPORT_SYMBOL(crhold);
>>>       EXPORT_SYMBOL(crfree);
>>>       EXPORT_SYMBOL(crgetuid);
>>>       EXPORT_SYMBOL(crgetruid);
>>>      -EXPORT_SYMBOL(crgetsuid);
>>>      -EXPORT_SYMBOL(crgetfsuid);
>>>       EXPORT_SYMBOL(crgetgid);
>>>      -EXPORT_SYMBOL(crgetrgid);
>>>      -EXPORT_SYMBOL(crgetsgid);
>>>      -EXPORT_SYMBOL(crgetfsgid);
>>>       EXPORT_SYMBOL(crgetngroups);
>>>       EXPORT_SYMBOL(crgetgroups);
>>>       EXPORT_SYMBOL(groupmember);
>>>      diff --git a/sys/contrib/openzfs/module/os/linux/zfs/policy.c
>>>      b/sys/contrib/openzfs/module/os/linux/zfs/policy.c
>>>      index bbccb2e572d9..5a52092bb90a 100644
>>>      --- a/sys/contrib/openzfs/module/os/linux/zfs/policy.c
>>>      +++ b/sys/contrib/openzfs/module/os/linux/zfs/policy.c
>>>      @@ -121,7 +121,7 @@ secpolicy_vnode_access2(const cred_t *cr,
>>>      struct inode *ip, uid_t owner,
>>>       int
>>>       secpolicy_vnode_any_access(const cred_t *cr, struct inode *ip,
>>>      uid_t owner)
>>>       {
>>>      -       if (crgetfsuid(cr) == owner)
>>>      +       if (crgetuid(cr) == owner)
>>>                      return (0);
>>>
>>>              if (zpl_inode_owner_or_capable(kcred->user_ns, ip))
>>>      @@ -147,7 +147,7 @@ secpolicy_vnode_any_access(const cred_t *cr,
>>>      struct inode *ip, uid_t owner)
>>>       int
>>>       secpolicy_vnode_chown(const cred_t *cr, uid_t owner)
>>>      *** 141 LINES SKIPPED ***
>>>
>