module: icp: rip out insane crypto_req_handle_t mechanism, inline KM_SLEEP

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz> Closes #12901
2021-12-25 04:34:29 +01:00 · 2021-12-25 04:34:29 +01:00 · df7b54f1d9
parent 15ec086396
commit df7b54f1d9
16 changed files with 187 additions and 339 deletions
--- a/include/sys/crypto/api.h
+++ b/include/sys/crypto/api.h
@ -36,8 +36,6 @@ extern "C" {
 typedef void *crypto_context_t;
 typedef void *crypto_ctx_template_t;
 typedef struct {} crypto_call_req_t;
 /*
 * Returns the mechanism type corresponding to a mechanism name.
 */
@ -48,17 +46,16 @@ extern crypto_mech_type_t crypto_mech2id(const char *name);
 * Create and destroy context templates.
 */
 extern int crypto_create_ctx_template(crypto_mechanism_t *mech,
-    crypto_key_t *key, crypto_ctx_template_t *tmpl, int kmflag);
+    crypto_key_t *key, crypto_ctx_template_t *tmpl);
 extern void crypto_destroy_ctx_template(crypto_ctx_template_t tmpl);
 /*
 * Single and multi-part MAC operations.
 */
 extern int crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data,
-    crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac,
+    crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac);
    crypto_call_req_t *cr);
 extern int crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key,
-    crypto_ctx_template_t tmpl, crypto_context_t *ctxp, crypto_call_req_t *cr);
+    crypto_ctx_template_t tmpl, crypto_context_t *ctxp);
 extern int crypto_mac_update(crypto_context_t ctx, crypto_data_t *data);
 extern int crypto_mac_final(crypto_context_t ctx, crypto_data_t *data);
@ -66,11 +63,9 @@ extern int crypto_mac_final(crypto_context_t ctx, crypto_data_t *data);
 * Single-part encryption/decryption operations.
 */
 extern int crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext,
-    crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *ciphertext,
+    crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *ciphertext);
    crypto_call_req_t *cr);
 extern int crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext,
-    crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *plaintext,
+    crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *plaintext);
    crypto_call_req_t *cr);
 #ifdef	__cplusplus
 }
--- a/module/icp/algs/modes/gcm.c
+++ b/module/icp/algs/modes/gcm.c
@ -342,7 +342,7 @@ gcm_mode_decrypt_contiguous_blocks(gcm_ctx_t *ctx, char *data, size_t length,
 	 */
 	if (length > 0) {
 		new_len = ctx->gcm_pt_buf_len + length;
-		new = vmem_alloc(new_len, ctx->gcm_kmflag);
+		new = vmem_alloc(new_len, KM_SLEEP);
 		if (new == NULL) {
 			vmem_free(ctx->gcm_pt_buf, ctx->gcm_pt_buf_len);
 			ctx->gcm_pt_buf = NULL;
@ -654,7 +654,7 @@ gcm_init_ctx(gcm_ctx_t *gcm_ctx, char *param, size_t block_size,
 		}
 		gcm_ctx->gcm_htab_len = htab_len;
 		gcm_ctx->gcm_Htable =
-		    (uint64_t *)kmem_alloc(htab_len, gcm_ctx->gcm_kmflag);
+		    (uint64_t *)kmem_alloc(htab_len, KM_SLEEP);
 		if (gcm_ctx->gcm_Htable == NULL) {
 			return (CRYPTO_HOST_MEMORY);
@ -729,7 +729,7 @@ gmac_init_ctx(gcm_ctx_t *gcm_ctx, char *param, size_t block_size,
 		}
 		gcm_ctx->gcm_htab_len = htab_len;
 		gcm_ctx->gcm_Htable =
-		    (uint64_t *)kmem_alloc(htab_len, gcm_ctx->gcm_kmflag);
+		    (uint64_t *)kmem_alloc(htab_len, KM_SLEEP);
 		if (gcm_ctx->gcm_Htable == NULL) {
 			return (CRYPTO_HOST_MEMORY);
@ -780,12 +780,6 @@ gmac_alloc_ctx(int kmflag)
 	return (gcm_ctx);
 }
 void
 gcm_set_kmflag(gcm_ctx_t *ctx, int kmflag)
 {
 	ctx->gcm_kmflag = kmflag;
 }
 /* GCM implementation that contains the fastest methods */
 static gcm_impl_ops_t gcm_fastest_impl = {
 	.name = "fastest"
@ -1212,7 +1206,7 @@ gcm_mode_encrypt_contiguous_blocks_avx(gcm_ctx_t *ctx, char *data,
 	/* Allocate a buffer to encrypt to if there is enough input. */
 	if (bleft >= GCM_AVX_MIN_ENCRYPT_BYTES) {
-		ct_buf = vmem_alloc(chunk_size, ctx->gcm_kmflag);
+		ct_buf = vmem_alloc(chunk_size, KM_SLEEP);
 		if (ct_buf == NULL) {
 			return (CRYPTO_HOST_MEMORY);
 		}
--- a/module/icp/api/kcf_cipher.c
+++ b/module/icp/api/kcf_cipher.c
@ -52,7 +52,6 @@
 *	tmpl:	a crypto_ctx_template_t, opaque template of a context of an
 *		encryption with the 'mech' using 'key'. 'tmpl' is created by
 *		a previous call to crypto_create_ctx_template().
 *	cr:	crypto_call_req_t calling conditions and call back info.
 *
 * Description:
 *	Asynchronously submits a request for, or synchronously performs a
@ -62,16 +61,12 @@
 *	message.
 *	Relies on the KCF scheduler to pick a provider.
 *
 * Context:
 *	Process or interrupt, according to the semantics dictated by the 'cr'.
 *
 * Returns:
 *	See comment in the beginning of the file.
 */
 int
 crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext,
-    crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *ciphertext,
+    crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *ciphertext)
    crypto_call_req_t *crq)
 {
 	int error;
 	kcf_mech_entry_t *me;
@ -95,12 +90,12 @@ retry:
 	crypto_mechanism_t lmech = *mech;
 	KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech);
 	error = KCF_PROV_ENCRYPT_ATOMIC(pd, pd->pd_sid, &lmech, key,
-	    plaintext, ciphertext, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq));
+	    plaintext, ciphertext, spi_ctx_tmpl);
 	KCF_PROV_INCRSTATS(pd, error);
 	if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) {
 		/* Add pd to the linked list of providers tried. */
-		if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL)
+		if (kcf_insert_triedlist(&list, pd, KM_SLEEP) != NULL)
 			goto retry;
 	}
@ -129,7 +124,6 @@ retry:
 *	tmpl:	a crypto_ctx_template_t, opaque template of a context of an
 *		encryption with the 'mech' using 'key'. 'tmpl' is created by
 *		a previous call to crypto_create_ctx_template().
 *	cr:	crypto_call_req_t calling conditions and call back info.
 *
 * Description:
 *	Asynchronously submits a request for, or synchronously performs a
@ -139,16 +133,12 @@ retry:
 *	message.
 *	Relies on the KCF scheduler to choose a provider.
 *
 * Context:
 *	Process or interrupt, according to the semantics dictated by the 'cr'.
 *
 * Returns:
 *	See comment in the beginning of the file.
 */
 int
 crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext,
-    crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *plaintext,
+    crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *plaintext)
    crypto_call_req_t *crq)
 {
 	int error;
 	kcf_mech_entry_t *me;
@ -173,12 +163,12 @@ retry:
 	KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech);
 	error = KCF_PROV_DECRYPT_ATOMIC(pd, pd->pd_sid, &lmech, key,
-	    ciphertext, plaintext, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq));
+	    ciphertext, plaintext, spi_ctx_tmpl);
 	KCF_PROV_INCRSTATS(pd, error);
 	if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) {
 		/* Add pd to the linked list of providers tried. */
-		if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL)
+		if (kcf_insert_triedlist(&list, pd, KM_SLEEP) != NULL)
 			goto retry;
 	}
--- a/module/icp/api/kcf_ctxops.c
+++ b/module/icp/api/kcf_ctxops.c
@ -48,7 +48,6 @@
 *	ptmpl:	a storage for the opaque crypto_ctx_template_t, allocated and
 *		initialized by the software provider this routine is
 *		dispatched to.
 *	kmflag:	KM_SLEEP/KM_NOSLEEP mem. alloc. flag.
 *
 * Description:
 *	Redirects the call to the software provider of the specified
@ -69,7 +68,7 @@
 */
 int
 crypto_create_ctx_template(crypto_mechanism_t *mech, crypto_key_t *key,
-    crypto_ctx_template_t *ptmpl, int kmflag)
+    crypto_ctx_template_t *ptmpl)
 {
 	int error;
 	kcf_mech_entry_t *me;
@ -90,7 +89,7 @@ crypto_create_ctx_template(crypto_mechanism_t *mech, crypto_key_t *key,
 		return (error);
 	if ((ctx_tmpl = (kcf_ctx_template_t *)kmem_alloc(
-	    sizeof (kcf_ctx_template_t), kmflag)) == NULL) {
+	    sizeof (kcf_ctx_template_t), KM_SLEEP)) == NULL) {
 		KCF_PROV_REFRELE(pd);
 		return (CRYPTO_HOST_MEMORY);
 	}
@ -101,7 +100,7 @@ crypto_create_ctx_template(crypto_mechanism_t *mech, crypto_key_t *key,
 	prov_mech.cm_param_len = mech->cm_param_len;
 	error = KCF_PROV_CREATE_CTX_TEMPLATE(pd, &prov_mech, key,
-	    &(ctx_tmpl->ct_prov_tmpl), &(ctx_tmpl->ct_size), KCF_RHNDL(kmflag));
+	    &(ctx_tmpl->ct_prov_tmpl), &(ctx_tmpl->ct_size));
 	if (error == CRYPTO_SUCCESS) {
 		*ptmpl = ctx_tmpl;
--- a/module/icp/api/kcf_mac.c
+++ b/module/icp/api/kcf_mac.c
@ -67,7 +67,6 @@
 *	tmpl:	a crypto_ctx_template_t, opaque template of a context of a
 *		MAC with the 'mech' using 'key'. 'tmpl' is created by
 *		a previous call to crypto_create_ctx_template().
 *	cr:	crypto_call_req_t calling conditions and call back info.
 *
 * Description:
 *	Asynchronously submits a request for, or synchronously performs a
@ -78,16 +77,12 @@
 *	authentication code.
 *	Relies on the KCF scheduler to choose a provider.
 *
 * Context:
 *	Process or interrupt, according to the semantics dictated by the 'crq'.
 *
 * Returns:
 *	See comment in the beginning of the file.
 */
 int
 crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data,
-    crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac,
+    crypto_key_t *key, crypto_ctx_template_t tmpl, crypto_data_t *mac)
    crypto_call_req_t *crq)
 {
 	int error;
 	kcf_mech_entry_t *me;
@ -111,12 +106,12 @@ retry:
 	crypto_mechanism_t lmech = *mech;
 	KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech);
 	error = KCF_PROV_MAC_ATOMIC(pd, pd->pd_sid, &lmech, key, data,
-	    mac, spi_ctx_tmpl, KCF_SWFP_RHNDL(crq));
+	    mac, spi_ctx_tmpl);
 	KCF_PROV_INCRSTATS(pd, error);
 	if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) {
 		/* Add pd to the linked list of providers tried. */
-		if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL)
+		if (kcf_insert_triedlist(&list, pd, KM_SLEEP) != NULL)
 			goto retry;
 	}
@ -143,7 +138,6 @@ retry:
 *		MAC with the 'mech' using 'key'. 'tmpl' is created by
 *		a previous call to crypto_create_ctx_template().
 *	ctxp:	Pointer to a crypto_context_t.
 *	cr:	crypto_call_req_t calling conditions and call back info.
 *
 * Description:
 *	Asynchronously submits a request for, or synchronously performs the
@ -156,16 +150,13 @@ retry:
 *	The caller should hold a reference on the specified provider
 *	descriptor before calling this function.
 *
 * Context:
 *	Process or interrupt, according to the semantics dictated by the 'cr'.
 *
 * Returns:
 *	See comment in the beginning of the file.
 */
 static int
 crypto_mac_init_prov(kcf_provider_desc_t *pd,
    crypto_mechanism_t *mech, crypto_key_t *key, crypto_spi_ctx_template_t tmpl,
-    crypto_context_t *ctxp, crypto_call_req_t *crq)
+    crypto_context_t *ctxp)
 {
 	int rv;
 	crypto_ctx_t *ctx;
@ -174,13 +165,12 @@ crypto_mac_init_prov(kcf_provider_desc_t *pd,
 	ASSERT(KCF_PROV_REFHELD(pd));
 	/* Allocate and initialize the canonical context */
-	if ((ctx = kcf_new_ctx(crq, real_provider)) == NULL)
+	if ((ctx = kcf_new_ctx(real_provider)) == NULL)
 		return (CRYPTO_HOST_MEMORY);
 	crypto_mechanism_t lmech = *mech;
 	KCF_SET_PROVIDER_MECHNUM(mech->cm_type, real_provider, &lmech);
-	rv = KCF_PROV_MAC_INIT(real_provider, ctx, &lmech, key, tmpl,
+	rv = KCF_PROV_MAC_INIT(real_provider, ctx, &lmech, key, tmpl);
 	    KCF_SWFP_RHNDL(crq));
 	KCF_PROV_INCRSTATS(pd, rv);
 	if (rv == CRYPTO_SUCCESS)
@ -200,8 +190,7 @@ crypto_mac_init_prov(kcf_provider_desc_t *pd,
 */
 int
 crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key,
-    crypto_ctx_template_t tmpl, crypto_context_t *ctxp,
+    crypto_ctx_template_t tmpl, crypto_context_t *ctxp)
    crypto_call_req_t  *crq)
 {
 	int error;
 	kcf_mech_entry_t *me;
@ -230,10 +219,10 @@ retry:
 		spi_ctx_tmpl = ctx_tmpl->ct_prov_tmpl;
 	error = crypto_mac_init_prov(pd, mech, key,
-	    spi_ctx_tmpl, ctxp, crq);
+	    spi_ctx_tmpl, ctxp);
 	if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) {
 		/* Add pd to the linked list of providers tried. */
-		if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL)
+		if (kcf_insert_triedlist(&list, pd, KM_SLEEP) != NULL)
 			goto retry;
 	}
@ -254,9 +243,6 @@ retry:
 * Description:
 *	Synchronously performs a part of a MAC operation.
 *
 * Context:
 *	Process or interrupt, according to the semantics dictated by the 'cr'.
 *
 * Returns:
 *	See comment in the beginning of the file.
 */
@ -273,7 +259,7 @@ crypto_mac_update(crypto_context_t context, crypto_data_t *data)
 		return (CRYPTO_INVALID_CONTEXT);
 	}
-	int rv = KCF_PROV_MAC_UPDATE(pd, ctx, data, NULL);
+	int rv = KCF_PROV_MAC_UPDATE(pd, ctx, data);
 	KCF_PROV_INCRSTATS(pd, rv);
 	return (rv);
 }
@ -288,9 +274,6 @@ crypto_mac_update(crypto_context_t context, crypto_data_t *data)
 * Description:
 *	Synchronously performs a part of a message authentication operation.
 *
 * Context:
 *	Process or interrupt, according to the semantics dictated by the 'cr'.
 *
 * Returns:
 *	See comment in the beginning of the file.
 */
@ -307,7 +290,7 @@ crypto_mac_final(crypto_context_t context, crypto_data_t *mac)
 		return (CRYPTO_INVALID_CONTEXT);
 	}
-	int rv = KCF_PROV_MAC_FINAL(pd, ctx, mac, NULL);
+	int rv = KCF_PROV_MAC_FINAL(pd, ctx, mac);
 	KCF_PROV_INCRSTATS(pd, rv);
 	/* Release the hold done in kcf_new_ctx() during init step. */
--- a/module/icp/core/kcf_sched.c
+++ b/module/icp/core/kcf_sched.c
@ -37,19 +37,17 @@
 /* kmem caches used by the scheduler */
 static kmem_cache_t *kcf_context_cache;
 ulong_t kcf_swprov_hndl = 0;
 /*
 * Create a new context.
 */
 crypto_ctx_t *
-kcf_new_ctx(crypto_call_req_t *crq, kcf_provider_desc_t *pd)
+kcf_new_ctx(kcf_provider_desc_t *pd)
 {
 	crypto_ctx_t *ctx;
 	kcf_context_t *kcf_ctx;
-	kcf_ctx = kmem_cache_alloc(kcf_context_cache,
+	kcf_ctx = kmem_cache_alloc(kcf_context_cache, KM_SLEEP);
 	    (crq == NULL) ? KM_SLEEP : KM_NOSLEEP);
 	if (kcf_ctx == NULL)
 		return (NULL);
--- a/module/icp/include/modes/modes.h
+++ b/module/icp/include/modes/modes.h
@ -207,10 +207,6 @@ typedef struct ccm_ctx {
 *
 * gcm_len_a_len_c:	64-bit representations of the bit lengths of
 *			AAD and ciphertext.
 *
 * gcm_kmflag:		Current value of kmflag. Used for allocating
 *			the plaintext buffer during decryption and a
 *			gcm_avx_chunk_size'd buffer for avx enabled encryption.
 */
 typedef struct gcm_ctx {
 	struct common_ctx gcm_common;
@ -231,7 +227,6 @@ typedef struct gcm_ctx {
 	uint64_t gcm_J0[2];
 	uint64_t gcm_len_a_len_c[2];
 	uint8_t *gcm_pt_buf;
 	int gcm_kmflag;
 #ifdef CAN_USE_GCM_ASM
 	boolean_t gcm_use_avx;
 #endif
@ -402,7 +397,6 @@ extern void *ccm_alloc_ctx(int);
 extern void *gcm_alloc_ctx(int);
 extern void *gmac_alloc_ctx(int);
 extern void crypto_free_mode_ctx(void *);
 extern void gcm_set_kmflag(gcm_ctx_t *, int);
 #ifdef	__cplusplus
 }
--- a/module/icp/include/sys/crypto/impl.h
+++ b/module/icp/include/sys/crypto/impl.h
@ -76,7 +76,7 @@ typedef struct kcf_sched_info {
 * other purposes, that base value is mostly same across all providers.
 * So, it is a good measure of the load on a provider when it is not
 * in a busy state. Once a provider notifies it is busy, requests
- * backup in the taskq. So, we use tq_nalloc in that case which gives
+ * back up in the taskq. So, we use tq_nalloc in that case which gives
 * the number of task entries in the task queue. Note that we do not
 * acquire any locks here as it is not critical to get the exact number
 * and the lock contention may be too costly for this code path.
@ -387,76 +387,73 @@ typedef struct crypto_minor {
 * Wrappers for crypto_digest_ops(9S) entry points.
 */
-#define	KCF_PROV_DIGEST_INIT(pd, ctx, mech, req) ( \
+#define	KCF_PROV_DIGEST_INIT(pd, ctx, mech) ( \
 	(KCF_PROV_DIGEST_OPS(pd) && KCF_PROV_DIGEST_OPS(pd)->digest_init) ? \
-	KCF_PROV_DIGEST_OPS(pd)->digest_init(ctx, mech, req) : \
+	KCF_PROV_DIGEST_OPS(pd)->digest_init(ctx, mech) : \
 	CRYPTO_NOT_SUPPORTED)
 /*
 * Wrappers for crypto_cipher_ops(9S) entry points.
 */
-#define	KCF_PROV_ENCRYPT_INIT(pd, ctx, mech, key, template, req) ( \
+#define	KCF_PROV_ENCRYPT_INIT(pd, ctx, mech, key, template) ( \
 	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_init) ? \
-	KCF_PROV_CIPHER_OPS(pd)->encrypt_init(ctx, mech, key, template, \
+	KCF_PROV_CIPHER_OPS(pd)->encrypt_init(ctx, mech, key, template) : \
 	    req) : \
 	CRYPTO_NOT_SUPPORTED)
 #define	KCF_PROV_ENCRYPT_ATOMIC(pd, session, mech, key, plaintext, ciphertext, \
-	    template, req) ( \
+	    template) ( \
 	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic) ? \
 	KCF_PROV_CIPHER_OPS(pd)->encrypt_atomic( \
 	    (pd)->pd_prov_handle, session, mech, key, plaintext, ciphertext, \
-	    template, req) : \
+	    template) : \
 	CRYPTO_NOT_SUPPORTED)
 #define	KCF_PROV_DECRYPT_ATOMIC(pd, session, mech, key, ciphertext, plaintext, \
-	    template, req) ( \
+	    template) ( \
 	(KCF_PROV_CIPHER_OPS(pd) && KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic) ? \
 	KCF_PROV_CIPHER_OPS(pd)->decrypt_atomic( \
 	    (pd)->pd_prov_handle, session, mech, key, ciphertext, plaintext, \
-	    template, req) : \
+	    template) : \
 	CRYPTO_NOT_SUPPORTED)
 /*
 * Wrappers for crypto_mac_ops(9S) entry points.
 */
-#define	KCF_PROV_MAC_INIT(pd, ctx, mech, key, template, req) ( \
+#define	KCF_PROV_MAC_INIT(pd, ctx, mech, key, template) ( \
 	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_init) ? \
-	KCF_PROV_MAC_OPS(pd)->mac_init(ctx, mech, key, template, req) \
+	KCF_PROV_MAC_OPS(pd)->mac_init(ctx, mech, key, template) \
 	: CRYPTO_NOT_SUPPORTED)
 /*
 * The _ (underscore) in _mac is needed to avoid replacing the
 * function mac().
 */
-#define	KCF_PROV_MAC_UPDATE(pd, ctx, data, req) ( \
+#define	KCF_PROV_MAC_UPDATE(pd, ctx, data) ( \
 	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_update) ? \
-	KCF_PROV_MAC_OPS(pd)->mac_update(ctx, data, req) : \
+	KCF_PROV_MAC_OPS(pd)->mac_update(ctx, data) : \
 	CRYPTO_NOT_SUPPORTED)
-#define	KCF_PROV_MAC_FINAL(pd, ctx, mac, req) ( \
+#define	KCF_PROV_MAC_FINAL(pd, ctx, mac) ( \
 	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_final) ? \
-	KCF_PROV_MAC_OPS(pd)->mac_final(ctx, mac, req) : \
+	KCF_PROV_MAC_OPS(pd)->mac_final(ctx, mac) : \
 	CRYPTO_NOT_SUPPORTED)
-#define	KCF_PROV_MAC_ATOMIC(pd, session, mech, key, data, mac, template, \
+#define	KCF_PROV_MAC_ATOMIC(pd, session, mech, key, data, mac, template) ( \
 	    req) ( \
 	(KCF_PROV_MAC_OPS(pd) && KCF_PROV_MAC_OPS(pd)->mac_atomic) ? \
 	KCF_PROV_MAC_OPS(pd)->mac_atomic( \
-	    (pd)->pd_prov_handle, session, mech, key, data, mac, template, \
+	    (pd)->pd_prov_handle, session, mech, key, data, mac, template) : \
 	    req) : \
 	CRYPTO_NOT_SUPPORTED)
 /*
 * Wrappers for crypto_ctx_ops(9S) entry points.
 */
-#define	KCF_PROV_CREATE_CTX_TEMPLATE(pd, mech, key, template, size, req) ( \
+#define	KCF_PROV_CREATE_CTX_TEMPLATE(pd, mech, key, template, size) ( \
 	(KCF_PROV_CTX_OPS(pd) && KCF_PROV_CTX_OPS(pd)->create_ctx_template) ? \
 	KCF_PROV_CTX_OPS(pd)->create_ctx_template( \
-	    (pd)->pd_prov_handle, mech, key, template, size, req) : \
+	    (pd)->pd_prov_handle, mech, key, template, size) : \
 	CRYPTO_NOT_SUPPORTED)
 #define	KCF_PROV_FREE_CONTEXT(pd, ctx) ( \
--- a/module/icp/include/sys/crypto/sched_impl.h
+++ b/module/icp/include/sys/crypto/sched_impl.h
@ -40,28 +40,6 @@ extern "C" {
 #include <sys/crypto/impl.h>
 #include <sys/crypto/common.h>
 #define	KCF_KMFLAG(crq)	(((crq) == NULL) ? KM_SLEEP : KM_NOSLEEP)
 /*
 * The framework keeps an internal handle to use in the adaptive
 * asynchronous case. This is the case when a client has the
 * CRYPTO_ALWAYS_QUEUE bit clear and a provider is used for
 * the request. The request is completed in the context of the calling
 * thread and kernel memory must be allocated with KM_NOSLEEP.
 *
 * The framework passes a pointer to the handle in crypto_req_handle_t
 * argument when it calls the SPI of the provider. The macros
 * KCF_RHNDL() and KCF_SWFP_RHNDL() are used to do this.
 *
 * When a provider asks the framework for kmflag value via
 * crypto_kmflag(9S) we use REQHNDL2_KMFLAG() macro.
 */
 extern ulong_t kcf_swprov_hndl;
 #define	KCF_RHNDL(kmflag) (((kmflag) == KM_SLEEP) ? NULL : &kcf_swprov_hndl)
 #define	KCF_SWFP_RHNDL(crq) (((crq) == NULL) ? NULL : &kcf_swprov_hndl)
 #define	REQHNDL2_KMFLAG(rhndl) \
 	((rhndl == &kcf_swprov_hndl) ? KM_NOSLEEP : KM_SLEEP)
 typedef struct kcf_prov_tried {
 	kcf_provider_desc_t	*pt_pd;
 	struct kcf_prov_tried	*pt_next;
@ -144,7 +122,7 @@ extern kcf_prov_tried_t *kcf_insert_triedlist(kcf_prov_tried_t **,
    kcf_provider_desc_t *, int);
 extern kcf_provider_desc_t *kcf_get_mech_provider(crypto_mech_type_t,
    kcf_mech_entry_t **, int *, kcf_prov_tried_t *, crypto_func_group_t);
-extern crypto_ctx_t *kcf_new_ctx(crypto_call_req_t  *, kcf_provider_desc_t *);
+extern crypto_ctx_t *kcf_new_ctx(kcf_provider_desc_t *);
 extern void kcf_sched_destroy(void);
 extern void kcf_sched_init(void);
 extern void kcf_free_context(kcf_context_t *);
--- a/module/icp/include/sys/crypto/spi.h
+++ b/module/icp/include/sys/crypto/spi.h
@ -59,12 +59,6 @@ typedef void *crypto_provider_handle_t;
 */
 typedef void *crypto_spi_ctx_template_t;
 /*
 * Request handles are used by the kernel to identify an asynchronous
 * request being processed by a provider.
 */
 typedef void *crypto_req_handle_t;
 /*
 * The context structure is passed from the kernel to a provider.
 * It contains the information needed to process a multi-part or
@ -88,18 +82,14 @@ typedef struct crypto_ctx {
 * kernel using crypto_register_provider(9F).
 */
 typedef struct crypto_digest_ops {
-	int (*digest_init)(crypto_ctx_t *, crypto_mechanism_t *,
+	int (*digest_init)(crypto_ctx_t *, crypto_mechanism_t *);
-	    crypto_req_handle_t);
+	int (*digest)(crypto_ctx_t *, crypto_data_t *, crypto_data_t *);
-	int (*digest)(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
+	int (*digest_update)(crypto_ctx_t *, crypto_data_t *);
-	    crypto_req_handle_t);
+	int (*digest_key)(crypto_ctx_t *, crypto_key_t *);
-	int (*digest_update)(crypto_ctx_t *, crypto_data_t *,
+	int (*digest_final)(crypto_ctx_t *, crypto_data_t *);
 	    crypto_req_handle_t);
 	int (*digest_key)(crypto_ctx_t *, crypto_key_t *, crypto_req_handle_t);
 	int (*digest_final)(crypto_ctx_t *, crypto_data_t *,
 	    crypto_req_handle_t);
 	int (*digest_atomic)(crypto_provider_handle_t, crypto_session_id_t,
 	    crypto_mechanism_t *, crypto_data_t *,
-	    crypto_data_t *, crypto_req_handle_t);
+	    crypto_data_t *);
 } __no_const crypto_digest_ops_t;
 /*
@ -111,29 +101,29 @@ typedef struct crypto_digest_ops {
 typedef struct crypto_cipher_ops {
 	int (*encrypt_init)(crypto_ctx_t *,
 	    crypto_mechanism_t *, crypto_key_t *,
-	    crypto_spi_ctx_template_t, crypto_req_handle_t);
+	    crypto_spi_ctx_template_t);
 	int (*encrypt)(crypto_ctx_t *,
-	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
+	    crypto_data_t *, crypto_data_t *);
 	int (*encrypt_update)(crypto_ctx_t *,
-	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
+	    crypto_data_t *, crypto_data_t *);
 	int (*encrypt_final)(crypto_ctx_t *,
-	    crypto_data_t *, crypto_req_handle_t);
+	    crypto_data_t *);
 	int (*encrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t,
 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
-	    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
+	    crypto_data_t *, crypto_spi_ctx_template_t);
 	int (*decrypt_init)(crypto_ctx_t *,
 	    crypto_mechanism_t *, crypto_key_t *,
-	    crypto_spi_ctx_template_t, crypto_req_handle_t);
+	    crypto_spi_ctx_template_t);
 	int (*decrypt)(crypto_ctx_t *,
-	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
+	    crypto_data_t *, crypto_data_t *);
 	int (*decrypt_update)(crypto_ctx_t *,
-	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
+	    crypto_data_t *, crypto_data_t *);
 	int (*decrypt_final)(crypto_ctx_t *,
-	    crypto_data_t *, crypto_req_handle_t);
+	    crypto_data_t *);
 	int (*decrypt_atomic)(crypto_provider_handle_t, crypto_session_id_t,
 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
-	    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
+	    crypto_data_t *, crypto_spi_ctx_template_t);
 } __no_const crypto_cipher_ops_t;
 /*
@ -145,21 +135,19 @@ typedef struct crypto_cipher_ops {
 typedef struct crypto_mac_ops {
 	int (*mac_init)(crypto_ctx_t *,
 	    crypto_mechanism_t *, crypto_key_t *,
-	    crypto_spi_ctx_template_t, crypto_req_handle_t);
+	    crypto_spi_ctx_template_t);
 	int (*mac)(crypto_ctx_t *,
-	    crypto_data_t *, crypto_data_t *, crypto_req_handle_t);
+	    crypto_data_t *, crypto_data_t *);
 	int (*mac_update)(crypto_ctx_t *,
-	    crypto_data_t *, crypto_req_handle_t);
+	    crypto_data_t *);
 	int (*mac_final)(crypto_ctx_t *,
-	    crypto_data_t *, crypto_req_handle_t);
+	    crypto_data_t *);
 	int (*mac_atomic)(crypto_provider_handle_t, crypto_session_id_t,
 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
-	    crypto_data_t *, crypto_spi_ctx_template_t,
+	    crypto_data_t *, crypto_spi_ctx_template_t);
 	    crypto_req_handle_t);
 	int (*mac_verify_atomic)(crypto_provider_handle_t, crypto_session_id_t,
 	    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
-	    crypto_data_t *, crypto_spi_ctx_template_t,
+	    crypto_data_t *, crypto_spi_ctx_template_t);
 	    crypto_req_handle_t);
 } __no_const crypto_mac_ops_t;
 /*
@ -171,7 +159,7 @@ typedef struct crypto_mac_ops {
 typedef struct crypto_ctx_ops {
 	int (*create_ctx_template)(crypto_provider_handle_t,
 	    crypto_mechanism_t *, crypto_key_t *,
-	    crypto_spi_ctx_template_t *, size_t *, crypto_req_handle_t);
+	    crypto_spi_ctx_template_t *, size_t *);
 	int (*free_context)(crypto_ctx_t *);
 } __no_const crypto_ctx_ops_t;
@ -263,7 +251,6 @@ typedef struct crypto_provider_info {
 extern int crypto_register_provider(const crypto_provider_info_t *,
 		crypto_kcf_provider_handle_t *);
 extern int crypto_unregister_provider(crypto_kcf_provider_handle_t);
 extern int crypto_kmflag(crypto_req_handle_t);
 #ifdef	__cplusplus
--- a/module/icp/io/aes.c
+++ b/module/icp/io/aes.c
@ -74,33 +74,29 @@ static const crypto_mech_info_t aes_mech_info_tab[] = {
 };
 static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
-    crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
+    crypto_key_t *, crypto_spi_ctx_template_t);
 static int aes_decrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
-    crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
+    crypto_key_t *, crypto_spi_ctx_template_t);
 static int aes_common_init(crypto_ctx_t *, crypto_mechanism_t *,
-    crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t, boolean_t);
+    crypto_key_t *, crypto_spi_ctx_template_t, boolean_t);
 static int aes_common_init_ctx(aes_ctx_t *, crypto_spi_ctx_template_t *,
    crypto_mechanism_t *, crypto_key_t *, int, boolean_t);
-static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *,
+static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *);
-    crypto_req_handle_t);
+static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *);
 static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *,
    crypto_req_handle_t);
-static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
+static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *);
    crypto_req_handle_t);
 static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *,
-    crypto_data_t *, crypto_req_handle_t);
+    crypto_data_t *);
 static int aes_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
-    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
+    crypto_data_t *, crypto_spi_ctx_template_t);
-static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
+static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *);
    crypto_req_handle_t);
 static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *,
-    crypto_data_t *, crypto_req_handle_t);
+    crypto_data_t *);
 static int aes_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
-    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
+    crypto_data_t *, crypto_spi_ctx_template_t);
 static const crypto_cipher_ops_t aes_cipher_ops = {
 	.encrypt_init = aes_encrypt_init,
@ -117,10 +113,10 @@ static const crypto_cipher_ops_t aes_cipher_ops = {
 static int aes_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
-    crypto_spi_ctx_template_t, crypto_req_handle_t);
+    crypto_spi_ctx_template_t);
 static int aes_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
-    crypto_spi_ctx_template_t, crypto_req_handle_t);
+    crypto_spi_ctx_template_t);
 static const crypto_mac_ops_t aes_mac_ops = {
 	.mac_init = NULL,
@ -133,7 +129,7 @@ static const crypto_mac_ops_t aes_mac_ops = {
 static int aes_create_ctx_template(crypto_provider_handle_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
-    size_t *, crypto_req_handle_t);
+    size_t *);
 static int aes_free_context(crypto_ctx_t *);
 static const crypto_ctx_ops_t aes_ctx_ops = {
@ -188,7 +184,7 @@ aes_mod_fini(void)
 }
 static int
-aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag)
+aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx)
 {
 	void *p = NULL;
 	boolean_t param_required = B_TRUE;
@ -230,7 +226,7 @@ aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag)
 		rv = CRYPTO_MECHANISM_PARAM_INVALID;
 	}
 	if (ctx != NULL) {
-		p = (alloc_fun)(kmflag);
+		p = (alloc_fun)(KM_SLEEP);
 		*ctx = p;
 	}
 	return (rv);
@ -257,18 +253,16 @@ init_keysched(crypto_key_t *key, void *newbie)
 static int
 aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
-    crypto_key_t *key, crypto_spi_ctx_template_t template,
+    crypto_key_t *key, crypto_spi_ctx_template_t template)
    crypto_req_handle_t req)
 {
-	return (aes_common_init(ctx, mechanism, key, template, req, B_TRUE));
+	return (aes_common_init(ctx, mechanism, key, template, B_TRUE));
 }
 static int
 aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
-    crypto_key_t *key, crypto_spi_ctx_template_t template,
+    crypto_key_t *key, crypto_spi_ctx_template_t template)
    crypto_req_handle_t req)
 {
-	return (aes_common_init(ctx, mechanism, key, template, req, B_FALSE));
+	return (aes_common_init(ctx, mechanism, key, template, B_FALSE));
 }
@ -279,18 +273,16 @@ aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
 static int
 aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_spi_ctx_template_t template,
-    crypto_req_handle_t req, boolean_t is_encrypt_init)
+    boolean_t is_encrypt_init)
 {
 	aes_ctx_t *aes_ctx;
 	int rv;
 	int kmflag;
-	kmflag = crypto_kmflag(req);
+	if ((rv = aes_check_mech_param(mechanism, &aes_ctx))
 	if ((rv = aes_check_mech_param(mechanism, &aes_ctx, kmflag))
 	    != CRYPTO_SUCCESS)
 		return (rv);
-	rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, kmflag,
+	rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, KM_SLEEP,
 	    is_encrypt_init);
 	if (rv != CRYPTO_SUCCESS) {
 		crypto_free_mode_ctx(aes_ctx);
@ -320,7 +312,7 @@ aes_copy_block64(uint8_t *in, uint64_t *out)
 static int
 aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
-    crypto_data_t *ciphertext, crypto_req_handle_t req)
+    crypto_data_t *ciphertext)
 {
 	int ret = CRYPTO_FAILED;
@ -372,7 +364,7 @@ aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
 	/*
 	 * Do an update on the specified input data.
 	 */
-	ret = aes_encrypt_update(ctx, plaintext, ciphertext, req);
+	ret = aes_encrypt_update(ctx, plaintext, ciphertext);
 	if (ret != CRYPTO_SUCCESS) {
 		return (ret);
 	}
@ -435,7 +427,7 @@ aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
 static int
 aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
-    crypto_data_t *plaintext, crypto_req_handle_t req)
+    crypto_data_t *plaintext)
 {
 	int ret = CRYPTO_FAILED;
@ -493,7 +485,7 @@ aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
 	/*
 	 * Do an update on the specified input data.
 	 */
-	ret = aes_decrypt_update(ctx, ciphertext, plaintext, req);
+	ret = aes_decrypt_update(ctx, ciphertext, plaintext);
 	if (ret != CRYPTO_SUCCESS) {
 		goto cleanup;
 	}
@ -549,9 +541,8 @@ cleanup:
 static int
 aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext,
-    crypto_data_t *ciphertext, crypto_req_handle_t req)
+    crypto_data_t *ciphertext)
 {
 	(void) req;
 	off_t saved_offset;
 	size_t saved_length, out_len;
 	int ret = CRYPTO_SUCCESS;
@ -618,7 +609,7 @@ aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext,
 static int
 aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
-    crypto_data_t *plaintext, crypto_req_handle_t req)
+    crypto_data_t *plaintext)
 {
 	off_t saved_offset;
 	size_t saved_length, out_len;
@ -650,9 +641,6 @@ aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
 	saved_offset = plaintext->cd_offset;
 	saved_length = plaintext->cd_length;
 	if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE))
 		gcm_set_kmflag((gcm_ctx_t *)aes_ctx, crypto_kmflag(req));
 	/*
 	 * Do the AES update on the specified input data.
 	 */
@ -696,10 +684,8 @@ aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
 }
 static int
-aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
+aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data)
    crypto_req_handle_t req)
 {
 	(void) req;
 	aes_ctx_t *aes_ctx;
 	int ret;
@ -753,10 +739,8 @@ aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
 }
 static int
-aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
+aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data)
    crypto_req_handle_t req)
 {
 	(void) req;
 	aes_ctx_t *aes_ctx;
 	int ret;
 	off_t saved_offset;
@ -859,7 +843,7 @@ static int
 aes_encrypt_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
-    crypto_spi_ctx_template_t template, crypto_req_handle_t req)
+    crypto_spi_ctx_template_t template)
 {
 	(void) provider, (void) session_id;
 	aes_ctx_t aes_ctx;	/* on the stack */
@ -885,13 +869,13 @@ aes_encrypt_atomic(crypto_provider_handle_t provider,
 			return (CRYPTO_DATA_LEN_RANGE);
 	}
-	if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
+	if ((ret = aes_check_mech_param(mechanism, NULL)) != CRYPTO_SUCCESS)
 		return (ret);
 	bzero(&aes_ctx, sizeof (aes_ctx_t));
 	ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
-	    crypto_kmflag(req), B_TRUE);
+	    KM_SLEEP, B_TRUE);
 	if (ret != CRYPTO_SUCCESS)
 		return (ret);
@ -995,7 +979,7 @@ static int
 aes_decrypt_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
-    crypto_spi_ctx_template_t template, crypto_req_handle_t req)
+    crypto_spi_ctx_template_t template)
 {
 	(void) provider, (void) session_id;
 	aes_ctx_t aes_ctx;	/* on the stack */
@ -1021,13 +1005,13 @@ aes_decrypt_atomic(crypto_provider_handle_t provider,
 			return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
 	}
-	if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
+	if ((ret = aes_check_mech_param(mechanism, NULL)) != CRYPTO_SUCCESS)
 		return (ret);
 	bzero(&aes_ctx, sizeof (aes_ctx_t));
 	ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
-	    crypto_kmflag(req), B_FALSE);
+	    KM_SLEEP, B_FALSE);
 	if (ret != CRYPTO_SUCCESS)
 		return (ret);
@ -1057,10 +1041,6 @@ aes_decrypt_atomic(crypto_provider_handle_t provider,
 	saved_offset = plaintext->cd_offset;
 	saved_length = plaintext->cd_length;
 	if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
 	    mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE)
 		gcm_set_kmflag((gcm_ctx_t *)&aes_ctx, crypto_kmflag(req));
 	/*
 	 * Do an update on the specified input data.
 	 */
@ -1164,7 +1144,7 @@ out:
 static int
 aes_create_ctx_template(crypto_provider_handle_t provider,
    crypto_mechanism_t *mechanism, crypto_key_t *key,
-    crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size, crypto_req_handle_t req)
+    crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size)
 {
 	(void) provider;
 	void *keysched;
@ -1179,8 +1159,7 @@ aes_create_ctx_template(crypto_provider_handle_t provider,
 	    mechanism->cm_type != AES_GMAC_MECH_INFO_TYPE)
 		return (CRYPTO_MECHANISM_INVALID);
-	if ((keysched = aes_alloc_keysched(&size,
+	if ((keysched = aes_alloc_keysched(&size, KM_SLEEP)) == NULL) {
 	    crypto_kmflag(req))) == NULL) {
 		return (CRYPTO_HOST_MEMORY);
 	}
@ -1342,7 +1321,7 @@ static int
 aes_mac_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
-    crypto_spi_ctx_template_t template, crypto_req_handle_t req)
+    crypto_spi_ctx_template_t template)
 {
 	CK_AES_GCM_PARAMS gcm_params;
 	crypto_mechanism_t gcm_mech;
@ -1357,14 +1336,14 @@ aes_mac_atomic(crypto_provider_handle_t provider,
 	gcm_mech.cm_param = (char *)&gcm_params;
 	return (aes_encrypt_atomic(provider, session_id, &gcm_mech,
-	    key, &null_crypto_data, mac, template, req));
+	    key, &null_crypto_data, mac, template));
 }
 static int
 aes_mac_verify_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
-    crypto_spi_ctx_template_t template, crypto_req_handle_t req)
+    crypto_spi_ctx_template_t template)
 {
 	CK_AES_GCM_PARAMS gcm_params;
 	crypto_mechanism_t gcm_mech;
@ -1379,5 +1358,5 @@ aes_mac_verify_atomic(crypto_provider_handle_t provider,
 	gcm_mech.cm_param = (char *)&gcm_params;
 	return (aes_decrypt_atomic(provider, session_id, &gcm_mech,
-	    key, mac, &null_crypto_data, template, req));
+	    key, mac, &null_crypto_data, template));
 }
--- a/module/icp/io/sha2_mod.c
+++ b/module/icp/io/sha2_mod.c
@ -105,17 +105,12 @@ static const crypto_mech_info_t sha2_mech_info_tab[] = {
 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES}
 };
-static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *,
+static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *);
-    crypto_req_handle_t);
+static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *);
-static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
+static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *);
-    crypto_req_handle_t);
+static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *);
 static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *,
    crypto_req_handle_t);
 static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *,
    crypto_req_handle_t);
 static int sha2_digest_atomic(crypto_provider_handle_t, crypto_session_id_t,
-    crypto_mechanism_t *, crypto_data_t *, crypto_data_t *,
+    crypto_mechanism_t *, crypto_data_t *, crypto_data_t *);
    crypto_req_handle_t);
 static const crypto_digest_ops_t sha2_digest_ops = {
 	.digest_init = sha2_digest_init,
@ -126,16 +121,15 @@ static const crypto_digest_ops_t sha2_digest_ops = {
 };
 static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
-    crypto_spi_ctx_template_t, crypto_req_handle_t);
+    crypto_spi_ctx_template_t);
-static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *,
+static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *);
-    crypto_req_handle_t);
+static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *);
 static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t);
 static int sha2_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
-    crypto_spi_ctx_template_t, crypto_req_handle_t);
+    crypto_spi_ctx_template_t);
 static int sha2_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
-    crypto_spi_ctx_template_t, crypto_req_handle_t);
+    crypto_spi_ctx_template_t);
 static const crypto_mac_ops_t sha2_mac_ops = {
 	.mac_init = sha2_mac_init,
@ -148,7 +142,7 @@ static const crypto_mac_ops_t sha2_mac_ops = {
 static int sha2_create_ctx_template(crypto_provider_handle_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
-    size_t *, crypto_req_handle_t);
+    size_t *);
 static int sha2_free_context(crypto_ctx_t *);
 static const crypto_ctx_ops_t sha2_ctx_ops = {
@ -215,15 +209,13 @@ sha2_mod_fini(void)
 */
 static int
-sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
+sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism)
    crypto_req_handle_t req)
 {
 	/*
 	 * Allocate and initialize SHA2 context.
 	 */
-	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t),
+	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t), KM_SLEEP);
 	    crypto_kmflag(req));
 	if (ctx->cc_provider_private == NULL)
 		return (CRYPTO_HOST_MEMORY);
@ -388,10 +380,8 @@ sha2_digest_final_uio(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
 }
 static int
-sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
+sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest)
    crypto_req_handle_t req)
 {
 	(void) req;
 	int ret = CRYPTO_SUCCESS;
 	uint_t sha_digest_len;
@ -476,10 +466,8 @@ sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
 }
 static int
-sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data,
+sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data)
    crypto_req_handle_t req)
 {
 	(void) req;
 	int ret = CRYPTO_SUCCESS;
 	ASSERT(ctx->cc_provider_private != NULL);
@ -505,10 +493,8 @@ sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data,
 }
 static int
-sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest,
+sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest)
    crypto_req_handle_t req)
 {
 	(void) req;
 	int ret = CRYPTO_SUCCESS;
 	uint_t sha_digest_len;
@ -570,10 +556,9 @@ sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest,
 static int
 sha2_digest_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
-    crypto_data_t *data, crypto_data_t *digest,
+    crypto_data_t *data, crypto_data_t *digest)
    crypto_req_handle_t req)
 {
-	(void) provider, (void) session_id, (void) req;
+	(void) provider, (void) session_id;
 	int ret = CRYPTO_SUCCESS;
 	SHA2_CTX sha2_ctx;
 	uint32_t sha_digest_len;
@ -709,8 +694,7 @@ sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
 */
 static int
 sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
-    crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
+    crypto_key_t *key, crypto_spi_ctx_template_t ctx_template)
    crypto_req_handle_t req)
 {
 	int ret = CRYPTO_SUCCESS;
 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
@ -737,8 +721,8 @@ sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
 		return (CRYPTO_MECHANISM_INVALID);
 	}
-	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t),
+	ctx->cc_provider_private =
-	    crypto_kmflag(req));
+	    kmem_alloc(sizeof (sha2_hmac_ctx_t), KM_SLEEP);
 	if (ctx->cc_provider_private == NULL)
 		return (CRYPTO_HOST_MEMORY);
@ -792,10 +776,8 @@ sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
 }
 static int
-sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data,
+sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data)
    crypto_req_handle_t req)
 {
 	(void) req;
 	int ret = CRYPTO_SUCCESS;
 	ASSERT(ctx->cc_provider_private != NULL);
@ -822,9 +804,8 @@ sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data,
 }
 static int
-sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req)
+sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac)
 {
 	(void) req;
 	int ret = CRYPTO_SUCCESS;
 	uchar_t digest[SHA512_DIGEST_LENGTH];
 	uint32_t digest_len, sha_digest_len;
@ -938,9 +919,9 @@ static int
 sha2_mac_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
-    crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
+    crypto_spi_ctx_template_t ctx_template)
 {
-	(void) provider, (void) session_id, (void) req;
+	(void) provider, (void) session_id;
 	int ret = CRYPTO_SUCCESS;
 	uchar_t digest[SHA512_DIGEST_LENGTH];
 	sha2_hmac_ctx_t sha2_hmac_ctx;
@ -1072,9 +1053,9 @@ static int
 sha2_mac_verify_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
-    crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
+    crypto_spi_ctx_template_t ctx_template)
 {
-	(void) provider, (void) session_id, (void) req;
+	(void) provider, (void) session_id;
 	int ret = CRYPTO_SUCCESS;
 	uchar_t digest[SHA512_DIGEST_LENGTH];
 	sha2_hmac_ctx_t sha2_hmac_ctx;
@ -1247,8 +1228,7 @@ bail:
 static int
 sha2_create_ctx_template(crypto_provider_handle_t provider,
    crypto_mechanism_t *mechanism, crypto_key_t *key,
-    crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size,
+    crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size)
    crypto_req_handle_t req)
 {
 	(void) provider;
 	sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl;
@ -1279,8 +1259,7 @@ sha2_create_ctx_template(crypto_provider_handle_t provider,
 	/*
 	 * Allocate and initialize SHA2 context.
 	 */
-	sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t),
+	sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t), KM_SLEEP);
 	    crypto_kmflag(req));
 	if (sha2_hmac_ctx_tmpl == NULL)
 		return (CRYPTO_HOST_MEMORY);
--- a/module/icp/io/skein_mod.c
+++ b/module/icp/io/skein_mod.c
@ -51,15 +51,12 @@ static const crypto_mech_info_t skein_mech_info_tab[] = {
 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES}
 };
-static int skein_digest_init(crypto_ctx_t *, crypto_mechanism_t *,
+static int skein_digest_init(crypto_ctx_t *, crypto_mechanism_t *);
-    crypto_req_handle_t);
+static int skein_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *);
-static int skein_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
+static int skein_update(crypto_ctx_t *, crypto_data_t *);
-    crypto_req_handle_t);
+static int skein_final(crypto_ctx_t *, crypto_data_t *);
 static int skein_update(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t);
 static int skein_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t);
 static int skein_digest_atomic(crypto_provider_handle_t, crypto_session_id_t,
-    crypto_mechanism_t *, crypto_data_t *, crypto_data_t *,
+    crypto_mechanism_t *, crypto_data_t *, crypto_data_t *);
    crypto_req_handle_t);
 static const crypto_digest_ops_t skein_digest_ops = {
 	.digest_init = skein_digest_init,
@ -70,10 +67,10 @@ static const crypto_digest_ops_t skein_digest_ops = {
 };
 static int skein_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
-    crypto_spi_ctx_template_t, crypto_req_handle_t);
+    crypto_spi_ctx_template_t);
 static int skein_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
-    crypto_spi_ctx_template_t, crypto_req_handle_t);
+    crypto_spi_ctx_template_t);
 static const crypto_mac_ops_t skein_mac_ops = {
 	.mac_init = skein_mac_init,
@ -86,7 +83,7 @@ static const crypto_mac_ops_t skein_mac_ops = {
 static int skein_create_ctx_template(crypto_provider_handle_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
-    size_t *, crypto_req_handle_t);
+    size_t *);
 static int skein_free_context(crypto_ctx_t *);
 static const crypto_ctx_ops_t skein_ctx_ops = {
@ -264,8 +261,7 @@ skein_digest_update_uio(skein_ctx_t *ctx, const crypto_data_t *data)
 * Performs a Final on a context and writes to a uio digest output.
 */
 static int
-skein_digest_final_uio(skein_ctx_t *ctx, crypto_data_t *digest,
+skein_digest_final_uio(skein_ctx_t *ctx, crypto_data_t *digest)
    crypto_req_handle_t req)
 {
 	off_t offset = digest->cd_offset;
 	uint_t vec_idx = 0;
@ -298,7 +294,7 @@ skein_digest_final_uio(skein_ctx_t *ctx, crypto_data_t *digest,
 		size_t cur_len;
 		digest_tmp = kmem_alloc(CRYPTO_BITS2BYTES(
-		    ctx->sc_digest_bitlen), crypto_kmflag(req));
+		    ctx->sc_digest_bitlen), KM_SLEEP);
 		if (digest_tmp == NULL)
 			return (CRYPTO_HOST_MEMORY);
 		SKEIN_OP(ctx, Final, digest_tmp);
@ -342,16 +338,14 @@ skein_digest_final_uio(skein_ctx_t *ctx, crypto_data_t *digest,
 * for Skein-1024).
 */
 static int
-skein_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
+skein_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism)
    crypto_req_handle_t req)
 {
 	int	error = CRYPTO_SUCCESS;
 	if (!VALID_SKEIN_DIGEST_MECH(mechanism->cm_type))
 		return (CRYPTO_MECHANISM_INVALID);
-	SKEIN_CTX_LVALUE(ctx) = kmem_alloc(sizeof (*SKEIN_CTX(ctx)),
+	SKEIN_CTX_LVALUE(ctx) = kmem_alloc(sizeof (*SKEIN_CTX(ctx)), KM_SLEEP);
 	    crypto_kmflag(req));
 	if (SKEIN_CTX(ctx) == NULL)
 		return (CRYPTO_HOST_MEMORY);
@ -376,8 +370,7 @@ errout:
 * see what to pass here.
 */
 static int
-skein_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
+skein_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest)
    crypto_req_handle_t req)
 {
 	int error = CRYPTO_SUCCESS;
@ -390,7 +383,7 @@ skein_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
 		return (CRYPTO_BUFFER_TOO_SMALL);
 	}
-	error = skein_update(ctx, data, req);
+	error = skein_update(ctx, data);
 	if (error != CRYPTO_SUCCESS) {
 		bzero(SKEIN_CTX(ctx), sizeof (*SKEIN_CTX(ctx)));
 		kmem_free(SKEIN_CTX(ctx), sizeof (*SKEIN_CTX(ctx)));
@ -398,7 +391,7 @@ skein_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
 		digest->cd_length = 0;
 		return (error);
 	}
-	error = skein_final(ctx, digest, req);
+	error = skein_final(ctx, digest);
 	return (error);
 }
@ -409,9 +402,8 @@ skein_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
 * Supported input data formats are raw, uio and mblk.
 */
 static int
-skein_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req)
+skein_update(crypto_ctx_t *ctx, crypto_data_t *data)
 {
 	(void) req;
 	int error = CRYPTO_SUCCESS;
 	ASSERT(SKEIN_CTX(ctx) != NULL);
@ -438,7 +430,7 @@ skein_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req)
 * Supported output digest formats are raw, uio and mblk.
 */
 static int
-skein_final(crypto_ctx_t *ctx, crypto_data_t *digest, crypto_req_handle_t req)
+skein_final(crypto_ctx_t *ctx, crypto_data_t *digest)
 {
 	int error = CRYPTO_SUCCESS;
@ -457,7 +449,7 @@ skein_final(crypto_ctx_t *ctx, crypto_data_t *digest, crypto_req_handle_t req)
 		    (uint8_t *)digest->cd_raw.iov_base + digest->cd_offset);
 		break;
 	case CRYPTO_DATA_UIO:
-		error = skein_digest_final_uio(SKEIN_CTX(ctx), digest, req);
+		error = skein_digest_final_uio(SKEIN_CTX(ctx), digest);
 		break;
 	default:
 		error = CRYPTO_ARGUMENTS_BAD;
@ -485,9 +477,9 @@ skein_final(crypto_ctx_t *ctx, crypto_data_t *digest, crypto_req_handle_t req)
 static int
 skein_digest_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
-    crypto_data_t *data, crypto_data_t *digest, crypto_req_handle_t req)
+    crypto_data_t *data, crypto_data_t *digest)
 {
-	(void) provider, (void) session_id, (void) req;
+	(void) provider, (void) session_id;
 	int	 error;
 	skein_ctx_t skein_ctx;
 	crypto_ctx_t ctx;
@ -502,9 +494,9 @@ skein_digest_atomic(crypto_provider_handle_t provider,
 		goto out;
 	SKEIN_OP(&skein_ctx, Init, skein_ctx.sc_digest_bitlen);
-	if ((error = skein_update(&ctx, data, digest)) != CRYPTO_SUCCESS)
+	if ((error = skein_update(&ctx, data)) != CRYPTO_SUCCESS)
 		goto out;
-	if ((error = skein_final(&ctx, data, digest)) != CRYPTO_SUCCESS)
+	if ((error = skein_final(&ctx, data)) != CRYPTO_SUCCESS)
 		goto out;
 out:
@ -553,13 +545,11 @@ skein_mac_ctx_build(skein_ctx_t *ctx, crypto_mechanism_t *mechanism,
 */
 static int
 skein_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
-    crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
+    crypto_key_t *key, crypto_spi_ctx_template_t ctx_template)
    crypto_req_handle_t req)
 {
 	int	error;
-	SKEIN_CTX_LVALUE(ctx) = kmem_alloc(sizeof (*SKEIN_CTX(ctx)),
+	SKEIN_CTX_LVALUE(ctx) = kmem_alloc(sizeof (*SKEIN_CTX(ctx)), KM_SLEEP);
 	    crypto_kmflag(req));
 	if (SKEIN_CTX(ctx) == NULL)
 		return (CRYPTO_HOST_MEMORY);
@ -592,7 +582,7 @@ static int
 skein_mac_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
-    crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
+    crypto_spi_ctx_template_t ctx_template)
 {
 	/* faux crypto context just for skein_digest_{update,final} */
 	(void) provider, (void) session_id;
@ -609,9 +599,9 @@ skein_mac_atomic(crypto_provider_handle_t provider,
 			goto errout;
 	}
-	if ((error = skein_update(&ctx, data, req)) != CRYPTO_SUCCESS)
+	if ((error = skein_update(&ctx, data)) != CRYPTO_SUCCESS)
 		goto errout;
-	if ((error = skein_final(&ctx, mac, req)) != CRYPTO_SUCCESS)
+	if ((error = skein_final(&ctx, mac)) != CRYPTO_SUCCESS)
 		goto errout;
 	return (CRYPTO_SUCCESS);
@ -632,14 +622,13 @@ errout:
 static int
 skein_create_ctx_template(crypto_provider_handle_t provider,
    crypto_mechanism_t *mechanism, crypto_key_t *key,
-    crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size,
+    crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size)
    crypto_req_handle_t req)
 {
 	(void) provider;
 	int	 error;
 	skein_ctx_t *ctx_tmpl;
-	ctx_tmpl = kmem_alloc(sizeof (*ctx_tmpl), crypto_kmflag(req));
+	ctx_tmpl = kmem_alloc(sizeof (*ctx_tmpl), KM_SLEEP);
 	if (ctx_tmpl == NULL)
 		return (CRYPTO_HOST_MEMORY);
 	error = skein_mac_ctx_build(ctx_tmpl, mechanism, key);
--- a/module/icp/spi/kcf_spi.c
+++ b/module/icp/spi/kcf_spi.c
@ -220,18 +220,6 @@ crypto_unregister_provider(crypto_kcf_provider_handle_t handle)
 	return (CRYPTO_SUCCESS);
 }
 /*
 * This routine is used by providers to determine
 * whether to use KM_SLEEP or KM_NOSLEEP during memory allocation.
 *
 * This routine can be called from user or interrupt context.
 */
 int
 crypto_kmflag(crypto_req_handle_t handle)
 {
 	return (REQHNDL2_KMFLAG(handle));
 }
 /*
 * Process the mechanism info structures specified by the provider
 * during registration. A NULL crypto_provider_info_t indicates
--- a/module/os/linux/zfs/zio_crypt.c
+++ b/module/os/linux/zfs/zio_crypt.c
@ -269,13 +269,13 @@ zio_crypt_key_init(uint64_t crypt, zio_crypt_key_t *key)
 	 */
 	mech.cm_type = crypto_mech2id(zio_crypt_table[crypt].ci_mechname);
 	ret = crypto_create_ctx_template(&mech, &key->zk_current_key,
-	    &key->zk_current_tmpl, KM_SLEEP);
+	    &key->zk_current_tmpl);
 	if (ret != CRYPTO_SUCCESS)
 		key->zk_current_tmpl = NULL;
 	mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
 	ret = crypto_create_ctx_template(&mech, &key->zk_hmac_key,
-	    &key->zk_hmac_tmpl, KM_SLEEP);
+	    &key->zk_hmac_tmpl);
 	if (ret != CRYPTO_SUCCESS)
 		key->zk_hmac_tmpl = NULL;
@ -323,7 +323,7 @@ zio_crypt_key_change_salt(zio_crypt_key_t *key)
 	/* destroy the old context template and create the new one */
 	crypto_destroy_ctx_template(key->zk_current_tmpl);
 	ret = crypto_create_ctx_template(&mech, &key->zk_current_key,
-	    &key->zk_current_tmpl, KM_SLEEP);
+	    &key->zk_current_tmpl);
 	if (ret != CRYPTO_SUCCESS)
 		key->zk_current_tmpl = NULL;
@ -447,15 +447,13 @@ zio_do_crypt_uio(boolean_t encrypt, uint64_t crypt, crypto_key_t *key,
 	/* perform the actual encryption */
 	if (encrypt) {
-		ret = crypto_encrypt(&mech, &plaindata, key, tmpl, &cipherdata,
+		ret = crypto_encrypt(&mech, &plaindata, key, tmpl, &cipherdata);
 		    NULL);
 		if (ret != CRYPTO_SUCCESS) {
 			ret = SET_ERROR(EIO);
 			goto error;
 		}
 	} else {
-		ret = crypto_decrypt(&mech, &cipherdata, key, tmpl, &plaindata,
+		ret = crypto_decrypt(&mech, &cipherdata, key, tmpl, &plaindata);
 		    NULL);
 		if (ret != CRYPTO_SUCCESS) {
 			ASSERT3U(ret, ==, CRYPTO_INVALID_MAC);
 			ret = SET_ERROR(ECKSUM);
@ -619,13 +617,13 @@ zio_crypt_key_unwrap(crypto_key_t *cwkey, uint64_t crypt, uint64_t version,
 	 */
 	mech.cm_type = crypto_mech2id(zio_crypt_table[crypt].ci_mechname);
 	ret = crypto_create_ctx_template(&mech, &key->zk_current_key,
-	    &key->zk_current_tmpl, KM_SLEEP);
+	    &key->zk_current_tmpl);
 	if (ret != CRYPTO_SUCCESS)
 		key->zk_current_tmpl = NULL;
 	mech.cm_type = crypto_mech2id(SUN_CKM_SHA512_HMAC);
 	ret = crypto_create_ctx_template(&mech, &key->zk_hmac_key,
-	    &key->zk_hmac_tmpl, KM_SLEEP);
+	    &key->zk_hmac_tmpl);
 	if (ret != CRYPTO_SUCCESS)
 		key->zk_hmac_tmpl = NULL;
@ -689,7 +687,7 @@ zio_crypt_do_hmac(zio_crypt_key_t *key, uint8_t *data, uint_t datalen,
 	/* generate the hmac */
 	ret = crypto_mac(&mech, &in_data, &key->zk_hmac_key, key->zk_hmac_tmpl,
-	    &digest_data, NULL);
+	    &digest_data);
 	if (ret != CRYPTO_SUCCESS) {
 		ret = SET_ERROR(EIO);
 		goto error;
@ -1139,7 +1137,7 @@ zio_crypt_do_objset_hmacs(zio_crypt_key_t *key, void *data, uint_t datalen,
 	cd.cd_offset = 0;
 	/* calculate the portable MAC from the portable fields and metadnode */
-	ret = crypto_mac_init(&mech, &key->zk_hmac_key, NULL, &ctx, NULL);
+	ret = crypto_mac_init(&mech, &key->zk_hmac_key, NULL, &ctx);
 	if (ret != CRYPTO_SUCCESS) {
 		ret = SET_ERROR(EIO);
 		goto error;
@ -1226,7 +1224,7 @@ zio_crypt_do_objset_hmacs(zio_crypt_key_t *key, void *data, uint_t datalen,
 	}
 	/* calculate the local MAC from the userused and groupused dnodes */
-	ret = crypto_mac_init(&mech, &key->zk_hmac_key, NULL, &ctx, NULL);
+	ret = crypto_mac_init(&mech, &key->zk_hmac_key, NULL, &ctx);
 	if (ret != CRYPTO_SUCCESS) {
 		ret = SET_ERROR(EIO);
 		goto error;
--- a/module/zfs/hkdf.c
+++ b/module/zfs/hkdf.c
@ -52,7 +52,7 @@ hkdf_sha512_extract(uint8_t *salt, uint_t salt_len, uint8_t *key_material,
 	output_cd.cd_raw.iov_base = (char *)out_buf;
 	output_cd.cd_raw.iov_len = output_cd.cd_length;
-	ret = crypto_mac(&mech, &input_cd, &key, NULL, &output_cd, NULL);
+	ret = crypto_mac(&mech, &input_cd, &key, NULL, &output_cd);
 	if (ret != CRYPTO_SUCCESS)
 		return (SET_ERROR(EIO));
@ -108,7 +108,7 @@ hkdf_sha512_expand(uint8_t *extract_key, uint8_t *info, uint_t info_len,
 		T_cd.cd_length = T_len;
 		T_cd.cd_raw.iov_len = T_cd.cd_length;
-		ret = crypto_mac_init(&mech, &key, NULL, &ctx, NULL);
+		ret = crypto_mac_init(&mech, &key, NULL, &ctx);
 		if (ret != CRYPTO_SUCCESS)
 			return (SET_ERROR(EIO));