Home | History | Annotate | Download | only in kern
History log of /src/sys/kern/subr_prf.c
RevisionDateAuthorComments
 1.203  29-Aug-2023  andvar remove broken #ifdef KADB code block in subr_prf.
kdbpanic() was seemingly MIPS only and removed back in 1997,
since mips/locore.S rev 1.31.
should fix builds with KADB option enabled (tested on arc).
 1.202  04-Aug-2023  riastradh entropy(9): Simplify stages. Split interrupt vs non-interrupt paths.

- Nix the entropy stage (cold, warm, hot). Just use the usual kernel
`cold' (cold: single-core, single-thread; interrupts may happen),
and don't make any three-way distinction about whether interrupts
or threads or other CPUs can be running.

Instead, while cold, use splhigh/splx or forbid paths to come from
interrupt context, and while warm, use mutex or the per-CPU hard
and soft interrupt paths for low latency. This comes at a small
cost to some interrupt latency, since we may stir the pool in
interrupt context -- but only for a very short window early at boot
between configure and configure2, so it's hard to imagine it
matters much.

- Allow rnd_add_uint32 to run in hard interrupt context or with spin
locks held, but defer processing to softint and drop samples on the
floor if buffer is full. This is mainly used for cheaply tossing
samples from drivers for non-HWRNG devices into the entropy pool,
so it is often used from interrupt context and/or under spin locks.

- New rnd_add_data_intr provides the interrupt-like data entry path
for arbitrary buffers and driver-specified entropy estimates: defer
processing to softint and drop samples on the floor if buffer is
full.

- Document that rnd_add_data is forbidden under spin locks outside
interrupt context (will crash in LOCKDEBUG), and inadvisable in
interrupt context (but technically permitted just in case there are
compatibility issues for now); later we can forbid it altogether in
interrupt context or under spin locks.

- Audit all uses of rnd_add_data to use rnd_add_data_intr where it
might be used in interrupt context or under a spin lock.

This fixes a regression from last year when the global entropy lock
was changed from IPL_VM (spin) to IPL_SOFTSERIAL (adaptive). Thought
I'd caught all the problems from that, but another one bit three
different people this week, presumably because of recent changes that
led to more non-HWRNG drivers entering the entropy consolidation
path from rnd_add_uint32.

In my attempt to preserve the rnd(9) API for the (now long-since
abandoned) prospect of pullup to netbsd-9 in my rewrite of the
entropy subsystem in 2020, I didn't introduce a separate entry point
for entering entropy from interrupt context or equivalent, i.e., spin
locks held, and instead made rnd_add_data rely on cpu_intr_p() to
decide whether to process the whole sample under a lock or only take
as much as there's buffer space for before scheduling a softint. In
retrospect, that was a mistake (though perhaps not as much of a
mistake as other entropy API decisions...), a mistake which is
finally getting rectified now by rnd_add_data_intr.

XXX pullup-10
 1.201  17-Jul-2023  riastradh device_printf(9): Lock to avoid interleaving output.

XXX pullup-9
XXX pullup-10
 1.200  12-Apr-2023  riastradh ttycheckoutq(9): wait=0 always, parameter no longer useful, nix it.

XXX kernel revbump
 1.199  09-Apr-2023  riastradh kern: KASSERT(A && B) -> KASSERT(A); KASSERT(B)
 1.198  07-Feb-2023  macallan fix logic-reversing tpyo in putone()
 1.197  05-Feb-2023  mrg avoid pserialize usage in early boot

there are DEBUG-only aprint_normal() calls early in eg, ksyms
setup that may happen before eg curcpu() is setup. this is the
case in sparc64, where it sets up ksyms as early as it can so
that DDB has symbols early, which is before the curcpu() setup
is created, and thus the calls to pserialize_read_enter() and
pserialize_read_exit() attempt to access unmapped cpu_info and
due to being so early, the system faults to the prom.

simply use "cold" to determine whether to skip these pserialize
calls or not.

ok riastradh

XXX: pullup-10
 1.196  31-Oct-2022  simonb branches: 1.196.2;
Fix (invalid) gcc uninitialised warning with i386 gcc using -Os.
 1.195  26-Oct-2022  riastradh sys/msgbuf.h: New home for extern log_open.
 1.194  25-Oct-2022  riastradh constty(4): Make MP-safe, take three.

Access to the global constty variable is coordinated as follows:

1. Setting constty to nonnull, with atomic_store_release, is allowed
only under the new adaptive constty_lock in thread context. This
serializes TIOCCONS operations and ensures unlocked readers can
safely use a constty pointer read with atomic_load_consume.

2. Changing constty from nonnull to null, with atomic_cas_ptr, is
allowed in any context -- printf(9) uses this to disable a broken
constty.

3. Reading constty under constty_lock is allowed with
atomic_load_relaxed, because while constty_lock is held, it can
only be made null by some other thread/CPU, never made nonnull.

4. Reading constty outside constty_lock is allowed with
atomic_load_consume in a pserialize read section -- constty is
only ever made nonnull with atomic_store_release, in (1).
ttyclose will wait for all these pserialize read sections to
complete before flushing the tty.

5. To continue to use a struct tty pointer in (4) after the
pserialize read section has completed, caller must use tty_acquire
during the pserialize read section and then tty_release when done.
ttyclose will wait for all these references to drain before
returning.

These access rules allow us to serialize TIOCCONS, and safely destroy
ttys, without putting any locks on the access paths like printf(9)
that use constty. Once we set D_MPSAFE, operations on /dev/console
will contend only with other users of the same tty as constty, which
will be an improvement over contending with all other kernel lock
users in the system.

Changes second time around:
- Fix initialization of ok in cons.c cn_redirect.
- Fix reversed sense of conditional in subr_prf.c putone.

Changes third time around:
- Initialize ttyref_cv so we don't panic when trying to use it,
leading to infinite loop when panic tries to take tty_lock to print
the panic message while we already hold tty_lock.
 1.193  07-Oct-2022  riastradh Revert "constty(4): Make MP-safe."

Something is still busted and this is interfering with the releng
amd64 testbed.
 1.192  06-Oct-2022  riastradh constty(4): Make MP-safe.

Access to the global constty variable is coordinated as follows:

1. Setting constty to nonnull, with atomic_store_release, is allowed
only under the new adaptive constty_lock in thread context. This
serializes TIOCCONS operations and ensures unlocked readers can
safely use a constty pointer read with atomic_load_consume.

2. Changing constty from nonnull to null, with atomic_cas_ptr, is
allowed in any context -- printf(9) uses this to disable a broken
constty.

3. Reading constty under constty_lock is allowed with
atomic_load_relaxed, because while constty_lock is held, it can
only be made null by some other thread/CPU, never made nonnull.

4. Reading constty outside constty_lock is allowed with
atomic_load_consume in a pserialize read section -- constty is
only ever made nonnull with atomic_store_release, in (1).
ttyclose will wait for all these pserialize read sections to
complete before flushing the tty.

5. To continue to use a struct tty pointer in (4) after the
pserialize read section has completed, caller must use tty_acquire
during the pserialize read section and then tty_release when done.
ttyclose will wait for all these references to drain before
returning.

These access rules allow us to serialize TIOCCONS, and safely destroy
ttys, without putting any locks on the access paths like printf(9)
that use constty. Once we set D_MPSAFE, operations on /dev/console
will contend only with other users of the same tty as constty, which
will be an improvement over contending with all other kernel lock
users in the system.

Changes second time around:
- Fix initialization of ok in cons.c cn_redirect.
- Fix reversed sense of conditional in subr_prf.c putone.
 1.191  04-Oct-2022  riastradh Revert "constty(4): Make MP-safe."

Something appears to be wrong with this.
 1.190  03-Oct-2022  riastradh constty(4): Make MP-safe.

Access to the global constty variable is coordinated as follows:

1. Setting constty to nonnull, with atomic_store_release, is allowed
only under the new adaptive constty_lock in thread context. This
serializes TIOCCONS operations and ensures unlocked readers can
safely use a constty pointer read with atomic_load_consume.

2. Changing constty from nonnull to null, with atomic_cas_ptr, is
allowed in any context -- printf(9) uses this to disable a broken
constty.

3. Reading constty under constty_lock is allowed with
atomic_load_relaxed, because while constty_lock is held, it can
only be made null by some other thread/CPU, never made nonnull.

4. Reading constty outside constty_lock is allowed with
atomic_load_consume in a pserialize read section -- constty is
only ever made nonnull with atomic_store_release, in (1).
ttyclose will wait for all these pserialize read sections to
complete before flushing the tty.

5. To continue to use a struct tty pointer in (4) after the
pserialize read section has completed, caller must use tty_acquire
during the pserialize read section and then tty_release when done.
ttyclose will wait for all these references to drain before
returning.

These access rules allow us to serialize TIOCCONS, and safely destroy
ttys, without putting any locks on the access paths like printf(9)
that use constty. Once we set D_MPSAFE, operations on /dev/console
will contend only with other users of the same tty as constty, which
will be an improvement over contending with all other kernel lock
users in the system.
 1.189  11-Aug-2022  gutteridge subr_prf.c & luasystm.c: s/panicing/panicking/ in comments
 1.188  17-Apr-2022  riastradh panic(9): Serialize panicstr access and printing `panic:' message.

This isn't riskier than before -- previously we took kprintf_lock
inside each separate printf/vprintf call here. Now we just take it
once around access to panicstr and printing the message.

With any luck, this should help avoid interleaving panic messages
with each other and with other output -- and maybe cut down on the
number of syzkaller duplicates.
 1.187  16-Mar-2022  andvar s/paniced/panicked/ and s/borken/broken/ in comments.
 1.186  10-Mar-2021  simonb Add printf_nostamp(9), kernel printf() without prepending a timestamp.
 1.185  11-Jul-2020  maxv branches: 1.185.2;
Remove support for '%n' in the kernel printf functions.

It makes vulnerabilities too easily exploitable, is unused and as a sanity
rule should not be used in the kernel to begin with.

Now, "printf(unfiltered_string);" is much less of a problem.
 1.184  23-May-2020  ad Move proc_lock into the data segment. It was dynamically allocated because
at the time we had mutex_obj_alloc() but not __cacheline_aligned.
 1.183  30-Apr-2020  riastradh Rewrite entropy subsystem.

Primary goals:

1. Use cryptography primitives designed and vetted by cryptographers.
2. Be honest about entropy estimation.
3. Propagate full entropy as soon as possible.
4. Simplify the APIs.
5. Reduce overhead of rnd_add_data and cprng_strong.
6. Reduce side channels of HWRNG data and human input sources.
7. Improve visibility of operation with sysctl and event counters.

Caveat: rngtest is no longer used generically for RND_TYPE_RNG
rndsources. Hardware RNG devices should have hardware-specific
health tests. For example, checking for two repeated 256-bit outputs
works to detect AMD's 2019 RDRAND bug. Not all hardware RNGs are
necessarily designed to produce exactly uniform output.

ENTROPY POOL

- A Keccak sponge, with test vectors, replaces the old LFSR/SHA-1
kludge as the cryptographic primitive.

- `Entropy depletion' is available for testing purposes with a sysctl
knob kern.entropy.depletion; otherwise it is disabled, and once the
system reaches full entropy it is assumed to stay there as far as
modern cryptography is concerned.

- No `entropy estimation' based on sample values. Such `entropy
estimation' is a contradiction in terms, dishonest to users, and a
potential source of side channels. It is the responsibility of the
driver author to study the entropy of the process that generates
the samples.

- Per-CPU gathering pools avoid contention on a global queue.

- Entropy is occasionally consolidated into global pool -- as soon as
it's ready, if we've never reached full entropy, and with a rate
limit afterward. Operators can force consolidation now by running
sysctl -w kern.entropy.consolidate=1.

- rndsink(9) API has been replaced by an epoch counter which changes
whenever entropy is consolidated into the global pool.
. Usage: Cache entropy_epoch() when you seed. If entropy_epoch()
has changed when you're about to use whatever you seeded, reseed.
. Epoch is never zero, so initialize cache to 0 if you want to reseed
on first use.
. Epoch is -1 iff we have never reached full entropy -- in other
words, the old rnd_initial_entropy is (entropy_epoch() != -1) --
but it is better if you check for changes rather than for -1, so
that if the system estimated its own entropy incorrectly, entropy
consolidation has the opportunity to prevent future compromise.

- Sysctls and event counters provide operator visibility into what's
happening:
. kern.entropy.needed - bits of entropy short of full entropy
. kern.entropy.pending - bits known to be pending in per-CPU pools,
can be consolidated with sysctl -w kern.entropy.consolidate=1
. kern.entropy.epoch - number of times consolidation has happened,
never 0, and -1 iff we have never reached full entropy

CPRNG_STRONG

- A cprng_strong instance is now a collection of per-CPU NIST
Hash_DRBGs. There are only two in the system: user_cprng for
/dev/urandom and sysctl kern.?random, and kern_cprng for kernel
users which may need to operate in interrupt context up to IPL_VM.

(Calling cprng_strong in interrupt context does not strike me as a
particularly good idea, so I added an event counter to see whether
anything actually does.)

- Event counters provide operator visibility into when reseeding
happens.

INTEL RDRAND/RDSEED, VIA C3 RNG (CPU_RNG)

- Unwired for now; will be rewired in a subsequent commit.
 1.182  01-Jan-2020  thorpej - Introduce a new global kernel variable "shutting_down" to indicate that
the system is shutting down or rebooting.
- Set this global in a new function called kern_reboot(), which is currently
just a basic wrapper around cpu_reboot().
- Call kern_reboot() instead of cpu_reboot() almost everywhere; a few
places remain where it's still called directly, but those are in early
pre-main() machdep locations.

Eventually, all of the various cpu_reboot() functions should be re-factored
and common functionality moved to kern_reboot(), but that's for another day.
 1.181  21-May-2019  christos put back line accidentally removed.
 1.180  21-May-2019  christos undo the unintended part of the previous commit.
 1.179  21-May-2019  christos va_copy list needs va_end; pointed out by kre@
 1.178  21-May-2019  kre Need <sys/kmem.h> for kmem_alloc()
 1.177  20-May-2019  christos Add a simple vasprintf() implementation that uses 2 passes, one to compute
the length and a second to place the data. Requested by rmind@
 1.176  14-Jan-2019  jdolecek add KASSERT()s to ensure aprint_*_dev() and aprint_*_ifp() is not called
with NULL dv or ifp respectively

related to PR kern/53789
 1.175  07-Jan-2019  martin Introduce new helper printf functions that get passed output
flags. Add a new kprintf flag to avoid adding time stamps
when outputing to the console. Mostly from Christos, any bugs
added by me.

Use above to print the "twiddle" (when using boot -z) without
timestamps.
 1.174  15-Jul-2018  martin More ipkdb removal
 1.173  01-Jul-2018  jmcneill Revert previous
 1.172  30-Jun-2018  jmcneill When cold, manually update timecounters before calling getnanouptime. Now
kernel printf timestamps are updated properly before interrupts are
enabled.
 1.171  03-Jun-2018  jakllsch branches: 1.171.2;
Make identification of accounted aprint_error()s possible by putting a
big ugly "autoconfiguration error: " in the log when they occur.
 1.170  14-Apr-2018  kre Change the default precision of timestamps from 9 digits (nanosecs)
to 7 (100's of nanosecs). This should perhaps depend upon the
port (what resolution is rational) the CPU speed, and the clock
update frequency (no point printing nanoseconds if the value being
brinted is only updated every few microseconds).

Eventually it should be able to be controlled by a sysctl, but
the default still matters, as that's what the autoconf (boot time,
before init starts) messages will use.
 1.169  14-Apr-2018  kre Allow the precision of the sub-second field of timestamps to
be controlled - for now that is done by editing this file and
recompiling (or using gdb or equiv to patch /netbsd or /dev/kmem)
but adding a sysctl to allow dynamic userland control should be easy.

Also reduce the initial seconds field width of timestamp from 5 to 4
(it grows wider as needed.)

Avoid printing timestamps if we cannot be sure there will be
a message to accompany them. (Observed happening...)
 1.168  13-Apr-2018  christos make this narrower by popular request.
 1.167  11-Apr-2018  christos fix type confusion on 32 bits
 1.166  11-Apr-2018  christos flip the default and enable kernel timestamps.
 1.165  01-Apr-2018  christos Add the ability to prepend a timestamp [ sec.nsec] relative to boottime
in kernel messages if KLOG_TIMESTAMP is enabled.
 1.164  01-Apr-2018  christos Instead of expanding the syslog level into <level> early, defer expansion
inside putchar; extract the actual character addition function to a separate
function.
 1.163  31-Mar-2018  christos factor out some repeated code and simplify the logputchar function.
 1.162  27-Oct-2017  joerg branches: 1.162.2;
Revert printf return value change.
 1.161  27-Oct-2017  utkarsh009 [syzkaller] Cast all the printf's to (void *)
> as a result of new printf(9) declaration.
 1.160  27-Jul-2016  skrll branches: 1.160.8;
Bump size of scratchstr - some KASSERTMGS exceed 256 characters
 1.159  24-Aug-2015  pooka branches: 1.159.2;
to garnish, dust with _KERNEL_OPT
 1.158  13-Apr-2015  riastradh Convert remaining MI <sys/rnd.h> stragglers. Many MD ones left.
 1.157  04-Feb-2015  msaitoh Remove useless semicolon reported by Henning Petersen in PR#49635.
 1.156  15-Aug-2014  apb branches: 1.156.2;
If mutex_tryenter() fails, don't call mutex_exit().
 1.155  15-Aug-2014  mrg avoid calling into time code when cold, and avoid calling nanotime()
if we're not going to use the result anyway.

XXX: not necessarily the best fix, but better than crashing *early*
boot due to too-early nanotime() calls.

XXX: pullup.
 1.154  10-Aug-2014  tls branches: 1.154.2;
Merge tls-earlyentropy branch into HEAD.
 1.153  26-Mar-2014  christos branches: 1.153.2;
remove {v,}sprintf
 1.152  12-Jan-2014  joerg Revert, breaks the build due to missing rumpns_delay in librump.so.
 1.151  11-Jan-2014  christos Sleep 10 seconds before rebooting due to panic()
To give an opportunity to screencap a panic(), or pause a VM to attach
a debugger. (Richard Hansen)
 1.150  10-Feb-2013  apb branches: 1.150.2;
Move the DDB-specific part of vpanic() to a new db_panic() function,
defined in ddb/db_panic.c and declared in ddb/ddbvar.h. No functional
change.

The copyright years in db_panic.c are the years in which changes were
made to the code that has now been moved to db_panic.c. No pre-NetBSD
copyright notice is needed because revision 1.12 of subr_prf.c had only
the trivial "#ifdef DDB \\ Debugger(); \\ #endif"
 1.149  12-Mar-2012  dholland branches: 1.149.2;
Repeated typo/varargs anachronism in comments.
 1.148  24-Nov-2011  christos branches: 1.148.2;
- fixed signed/unsigned comparison
- don't write/increment sbuf if NULL
 1.147  24-Nov-2011  christos - don't let arguments in macros have side effects
- nul terminate properly
 1.146  22-Nov-2011  christos Increment the source buffer when we overflow so that we don't get stuck in
an infinite loop.
 1.145  21-Nov-2011  christos - use va_copy where needed
- always nul terminate vsnprintf()
- make snprintf() call vsnprintf()
 1.144  20-Nov-2011  christos snprintf/vsnprintf can accept NULL/0 buffers and work properly as expected.
Before they used to return incorrect length on short buffers. Remove unused
error path.
 1.143  29-Sep-2011  christos branches: 1.143.2;
Add vpanic()
 1.142  08-Sep-2011  jym Use a scratch space in panic(9) so we can store a more meaningful
message for panicstr instead of just the format string.

Keep setting the panicstr to fmt beforehand though for safety precaution.

ok joerg@.
 1.141  17-Jul-2011  joerg Retire varargs.h support. Move machine/stdarg.h logic into MI
sys/stdarg.h and expect compiler to provide proper builtins, defaulting
to the GCC interface. lint still has a special fallback.
Reduce abuse of _BSD_VA_LIST_ by defining __va_list by default and
derive va_list as required by standards.
 1.140  24-Apr-2011  rmind - Replace few malloc(9) uses with kmem(9).
- Rename buf_malloc() to buf_alloc(), fix comments.
- Remove some unnecessary inclusions.
 1.139  21-Jan-2011  dyoung Move device_printf() from ath_netbsd.c to subr_prf.c for reuse in a new
driver.
 1.138  26-Jan-2010  he branches: 1.138.4; 1.138.6; 1.138.8;
On a recursive panic(), don't try to take a dump, as that may very
well have triggered the recursive panic.
Fix the comment for panic() to reflect now-current reality: the code
was already changed never to sync() on panic(), now we avoid dumping
core on a recursive panic.
 1.137  03-Nov-2009  dyoung Add a kernel configuration flag, SPLDEBUG, that activates a per-CPU log
of transitions to IPL_HIGH from lower IPLs. SPLDEBUG is only available
on i386 and Xen kernels, today.

'options SPLDEBUG' adds instrumentation to spllower() and splraise() as
well as routines to start/stop debugging and to record IPL transitions:
spldebug_start(), spldebug_stop(), spldebug_raise(), spldebug_lower().
 1.136  28-Jun-2009  rmind panic: use MI cpu_index(), instead of cpu_number(), which could be sparse.
 1.135  20-Jun-2009  cegger Return type of cpu_number(9) is cpuid_t which is effectively unsigned long.
So cast return type to unsigned long.
Fixes build for alpha GENERIC kernel.
 1.134  18-Jun-2009  mrg when printing a ddb stack trace when entering ddb, include the cpu number
 1.133  25-Apr-2009  rmind - Rearrange pg_delete() and pg_remove() (renamed pg_free), thus
proc_enterpgrp() with proc_leavepgrp() to free process group and/or
session without proc_lock held.
- Rename SESSHOLD() and SESSRELE() to to proc_sesshold() and
proc_sessrele(). The later releases proc_lock now.

Quick OK by <ad>.
 1.132  15-Mar-2009  cegger ansify function definitions
 1.131  10-Mar-2009  mlelstv Make curlwp accesses conditional on wether the data structures
have been initialized. Fixes PR kern/38599.
 1.130  30-Jan-2009  pooka branches: 1.130.2;
Quote PR number in XXX comment. No functional change.
 1.129  02-Jan-2009  pooka My clever hack was not enough. Disable DELAY via ifndef _RUMPKERN in
subr_prf until I manage to get all archs in line with a proper MI
signature.
 1.128  02-Jan-2009  pooka We use CPU_INFO_FOREACH here -> include sys/cpu.h
 1.127  02-Jan-2009  pooka Include kernel printf routines in rump instead of relying on the
magic libc symbol. This also allows to bid farewell to subr_prf2.c
and merge the contents back to subr_prf.c. The host kernel bridging
is now done via rumpuser_putchar().
 1.126  01-Jan-2009  pooka * unexpose kprintf locking internals
* migrate from simplelock to kmutex

Don't bother to bump kernel version, since nothing outside of subr_prf
used KPRINTF_MUTEX_ENXIT()
 1.125  21-Dec-2008  ad Don't try to sync if panicing:

- It doesn't work and a dead system that can't be reset from the console is
worse than a system that has painced and rebooted. If you can make it work
reliably please do so.

- If the system is paniced there is every reason to suspect VM structures
and the contents of the buffer cache.
 1.124  23-Sep-2008  pooka branches: 1.124.2; 1.124.4;
Move [hH][eE][xX][dD][iI][gG][iI][tT][sS](*) from subr_prf to subr_prf2
for use with rumps.

*) yes, I just had to. Notably though, there were only two
symbols instead of 128.
 1.123  31-May-2008  dyoung branches: 1.123.2; 1.123.4;
Add printf_tolog(), which writes to the kernel message buffer,
only. I believe this is the safest way to log serious conditions
indicated by NMI.
 1.122  19-May-2008  ad Reduce ifdefs due to MULTIPROCESSOR slightly.
 1.121  13-May-2008  ad In panic, we busy wait if another CPU is already panicking. Don't spl0(),
because we could recurse and run off the end of the stack. Pointed out by
chs@.
 1.120  27-Apr-2008  ad branches: 1.120.2; 1.120.4;
- Rename crit_enter/crit_exit to kpreempt_disable/kpreempt_enable.
DragonflyBSD uses the crit names for something quite different.
- Add a kpreempt_disabled function for diagnostic assertions.
- Add inline versions of kpreempt_enable/kpreempt_disable for primitives.
- Make some more changes for preemption safety to the x86 pmap.
 1.119  24-Apr-2008  ad Network protocol interrupts can now block on locks, so merge the globals
proclist_mutex and proclist_lock into a single adaptive mutex (proc_lock).
Implications:

- Inspecting process state requires thread context, so signals can no longer
be sent from a hardware interrupt handler. Signal activity must be
deferred to a soft interrupt or kthread.

- As the proc state locking is simplified, it's now safe to take exit()
and wait() out from under kernel_lock.

- The system spends less time at IPL_SCHED, and there is less lock activity.
 1.118  17-Apr-2008  yamt branches: 1.118.2;
acquire proclist_lock for SESSHOLD/SESSRELE.
 1.117  12-Apr-2008  ad Move the LW_BOUND flag into the thread-private flag word. It can be tested
by other threads/CPUs but that is only done when the LWP is known to be in a
quiescent state (for example, on a run queue).
 1.116  19-Feb-2008  dogcow branches: 1.116.6;
Always include <sys/cpu.h>, to pick up CPU_INFO_ITERATOR et al.
 1.115  18-Feb-2008  ad panic: allow only one CPU to panic. Try to make the panicing thread bound
and try take all CPUs offline, in case we can block at some point in the
future.
 1.114  04-Jan-2008  ad Start detangling lock.h from intr.h. This is likely to cause short term
breakage, but the mess of dependencies has been regularly breaking the
build recently anyhow.
 1.113  04-Jan-2008  ad - Always include kprintf_slock.
- sys/lock.h -> sys/simplelock.h
 1.112  30-Dec-2007  pooka tablefull: subr_prf -> subr_prf2
 1.111  07-Nov-2007  ad branches: 1.111.2; 1.111.6;
Merge from vmlocking.
 1.110  19-Oct-2007  ad branches: 1.110.2;
machine/{bus,cpu,intr}.h -> sys/{bus,cpu,intr}.h
 1.109  26-Sep-2007  he branches: 1.109.2;
Add an explicit include of <sys/device.h> to make sparc64 and sun2
build. Needed for device_xname() and device_t, use added by previous
change.
 1.108  24-Sep-2007  joerg Extend the aprint family with _dev and _ifnet versions that take
a device_t or struct ifnet * as first argument and prefix the log
message with the corresponding device/interface name.
 1.107  29-Jul-2007  pooka branches: 1.107.4; 1.107.6; 1.107.8; 1.107.10;
Move bitmask_snprintf() from subr_prf.c to subr_prf_bitmask.c to permit
standalone compilation. No functional change.
 1.106  28-Apr-2007  isaki branches: 1.106.2;
Fix format of the combination of 'F\B\L' and ':\V' in
bitmask_snprintf(9).
 1.105  22-Feb-2007  thorpej branches: 1.105.4; 1.105.6;
TRUE -> true, FALSE -> false
 1.104  09-Feb-2007  ad branches: 1.104.2;
Merge newlock2 to head.
 1.103  03-Sep-2006  martin branches: 1.103.2;
Fix %X in kernel printf, from Arnaud Degroote in PR kern/34459.
 1.102  28-Jan-2006  darrenr branches: 1.102.2; 1.102.6;
if db_onpanic is -1, do not invoke any ddb functions at all when handling
a panic. This allows ddb's behaviour on a panic to be controlled via
sysctl rather than just compiling it in/out.
 1.101  28-Jan-2006  darrenr Introduce a new style of behaviour for ddb_onpanic == 2.
When set to 0 or 1, behaviour is normal (today)
When set to 2, kernel will display a stack trace and then enter ddb.
 1.100  11-Dec-2005  christos branches: 1.100.2;
merge ktrace-lwp.
 1.99  23-Jun-2005  thorpej branches: 1.99.2;
Use ANSI function decls.
 1.98  29-May-2005  christos - add const.
- remove unnecessary casts.
- add __UNCONST casts and mark them with XXXUNCONST as necessary.
 1.97  17-May-2005  christos Yes, it was a cool trick >20 years ago to use "0123456789abcdef"[a] to
implement, xtoa(), but I think defining the samestring 50 times is a bit
too much. Defined HEXDIGITS and hexdigits in subr_prf.c and use it...
 1.96  26-Feb-2005  perry nuke trailing whitespace
 1.95  29-Sep-2004  reinoud branches: 1.95.4; 1.95.6;
Implement ddb setting that allows all ddb output to be teed into the
kernel message buffer/log. Its off by default and can be switched on in the
kernel configuration on build time, be set as a variable in ddb and be set
using sysctl.

This adds the sysctl value
ddb.tee_msgbuf = 0
by default.

The functionality is especially added and aimed for developers who are not
blessed with a serial console and wish to keep all their ddb output in the
log. Specifying /l as a modifier to some selected commands will also put
the output in the log but not all commands provide one nor has the same
meaning for all commands.

This feature could in the future also be implemented as an ddb command but
that could lead to more bloat allthough maybe easier for non developpers to
use when mailing their backtraces from kernel crashes.
 1.94  23-Mar-2004  junyoung Nuke __P().
 1.93  07-Aug-2003  agc Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22364, verified by myself.
 1.92  06-Mar-2003  matt branches: 1.92.2;
Make sure to flush each line after printf.
 1.91  17-Feb-2003  christos - remove __STDC__ crap. It did not work anyway with pre-ansi compilers, since
va_start() takes one arg, and va_alist must be the only argument of a
varyadic in the K&R world.
- pass flags to tputchar.
 1.90  10-Feb-2003  atatat Add a kern.dump_on_panic sysctl variable (and documentation, and a
kernel config option) that controls whether the kernel dumps to the
dump device on panic. Dumps can still be forced via the ``sync''
command from ddb. Defaults to ``on''.
 1.89  31-Dec-2002  thorpej Add aprint_error(), which is like aprint_normal(), but also records
the number of times it is called. This allows subsystems to report
the number of errors that occurred during a quiet/silent subsystem
startup. aprint_get_error_count() reports this count and resets it
to 0.

Also add printf_nolog(), which is like printf(), but prevents the
output from hitting the system log.
 1.88  31-Dec-2002  thorpej Add the following message printing routines, designed for printing
autoconfiguration messages:

aprint_normal: Send to console unless AB_QUIET. Always goes to the log.
aprint_naive: Send to console only if AB_QUIET. Never goes to the log.
aprint_verbose: Send to console only if AB_VERBOSE. Always goes to the log.
aprint_debug: Send to console and log only if AB_DEBUG.

API inspired by the same routines in BSD/OS.

Will be used to address kern/5155.
 1.87  31-Dec-2002  thorpej Partially expose some of the kernel printf internals in the new
<sys/kprintf.h> header file. This allows subsystems that need
printf semantics other than what are provided by the standard
kernel printf routines to implement exactly what they want.
 1.86  02-Nov-2002  perry /*CONTCOND*/ while (0)'ed macros
 1.85  26-Aug-2002  scw Casting from a pointer, to a db_expr_t, has to go via an intptr_t.
(db_expr_t == int64_t on sh5, for example).
 1.84  05-Jun-2002  drochner provide a db_vprintf() which is exactly what the name suggests
 1.83  21-Nov-2001  enami branches: 1.83.8;
Protect multi statement macro with do {} while (0). This is not cosmetic.
 1.82  12-Nov-2001  lukem add RCSIDs
 1.81  10-Jul-2001  fvdl branches: 1.81.4;
Check msgbufenabled before referencing msgbufp in panic. Avoids
a NULL ptr reference if there is an early panic (i.e. before
initmsgbuf() was called).
 1.80  30-May-2001  lukem branches: 1.80.2;
add missing #include "opt_kgdb.h"
 1.79  06-May-2001  simonb Save the start and end positions in the message buffer of the formatted
panic string.

Suggested by Jason Thorpe eons ago.
 1.78  30-Apr-2001  kleink Add %j, %t and %z modifiers.
 1.77  09-Mar-2001  tsutsui Declare constty extern.
 1.76  09-Aug-2000  tv branches: 1.76.2;
Strip %b and DDB formats out of kprintf, as they are no longer supported.
 1.75  04-Jul-2000  jdolecek change tablefull() to accept one more parameter - optional hint

use that to inform about way to raise current limit when we reach maximum
number of processes, descriptors or vnodes

XXX hopefully I catched all users of tablefull()
 1.74  10-Jun-2000  sommerfeld branches: 1.74.2;
Fix assorted bugs around shutdown/reboot/panic time.
- add a new global variable, doing_shutdown, which is nonzero if
vfs_shutdown() or panic() have been called.
- in panic, set RB_NOSYNC if doing_shutdown is already set on entry
so we don't reenter vfs_shutdown if we panic'ed there.
- in vfs_shutdown, don't use proc0's process for sys_sync unless
curproc is NULL.
- in lockmgr, attribute successful locks to proc0 if doing_shutdown
&& curproc==NULL, and panic if we can't get the lock right away; avoids the
spurious lockmgr DIAGNOSTIC panic from the ddb reboot command.
- in subr_pool, deal with curproc==NULL in the doing_shutdown case.
- in mfs_strategy, bitbucket writes if doing_shutdown, so we don't
wedge waiting for the mfs process.
- in ltsleep, treat ((curproc == NULL) && doing_shutdown) like the
panicstr case.

Appears to fix: kern/9239, kern/10187, kern/9367.
May also fix kern/10122.
 1.73  29-May-2000  jhawk Ensure that a fault inside the traceback printing code
(i.e. db_stack_trace_print()) does not cause an infinite loop of
faults.
 1.72  26-May-2000  jhawk branches: 1.72.2;
If db_onpanic is unset and DDB is compiled in, panic() now calls
db_stack_trace_print(__builtin_frame_address(0),...), to printf() the
stack trace to the message bufffer and console. Idea from SunOS/Solaris.
Useful when dumping fails.
 1.71  25-May-2000  jhawk Support ddb-specific nonstandard printf formats %r and %z in kprintf(),
even when not called with (flags&TODDB != 0), such that ddb print routines
can use them when printing elsewhere, such as to the message buffer.
 1.70  02-May-2000  pk Lock internals have changed, and we depend on those in here.
 1.69  30-Mar-2000  augustss Get rid of register declarations.
 1.68  29-Mar-2000  simonb Remove declaration of db_radix - <ddb/db_output.h> has one.
Also remove <sys/conf.h> - don't need it here.
 1.67  22-Mar-2000  ws Make IPKDB working again.
Add support for i386 debugging and pci-based ne2000 boards.
 1.66  26-Jan-2000  thorpej Remove unused global `consintr'. Rob Black, kern/3841.
 1.65  13-Dec-1999  sommerfeld bitmask_snprintf: avoid returning too soon if we're using the
new-style format.
 1.64  27-Aug-1999  thorpej branches: 1.64.2; 1.64.8;
Implement vlog() (varargs version of log()).
 1.63  27-Jul-1999  thorpej Make sure the kprintf_slock is initialized, and use the low-level atomic
locking primitive directly to lock it, since those will never attempt
to call printf() to display debugging information (and thus deadlock
on recursion into the kprintf_slock).
 1.62  12-Feb-1999  thorpej branches: 1.62.4;
Fix some printf format problems on Alpha.
 1.61  10-Feb-1999  explorer no need to set tailp twice.
 1.60  06-Feb-1999  explorer rewrite usage of tailp slightly, to convince gcc that it really isn't used
initialized.
 1.59  03-Feb-1999  msaitoh fix compiler warning
 1.58  28-Jan-1999  msaitoh Implement [v]snprintf()
 1.57  26-Jan-1999  drochner make console_debugger() a macro - no need to waste a stackframe
 1.56  29-Oct-1998  jonathan Add options DDB_FROMCONSOLE and sysctl ddb.fromconsole, analagous to
DDB_ONPANIC. Lets user ignore breaks but enter DDB on panic. Intended
for machines where debug on panic is useful, but DDB entry is not,
(public-access console, or terminal-servers which send spurious breaks)

Add new ddb hook, console_debugger(), which decides whether or not to
ignore console ddb requests. Console drivers should be updated to call
console_debugger(), not Debugger(), in response to serial-console
break or ddb keyboard sequence.
 1.55  29-Sep-1998  thorpej Implement vsprintf().
 1.54  29-Sep-1998  thorpej If MULTIPROCESSOR, add a spin lock around the kernel printf (in the
appropriate places). This makes debugging messages work a LOT better
on my multiprocessor Alpha.
 1.53  12-Sep-1998  pk Nuke spurious pointer incrementation.
 1.52  31-Aug-1998  mrg minor KNF nit
 1.51  23-Aug-1998  pk Merge Chris Torek's new `%b' bit-field format into bitmask_snprintf().
 1.50  04-Aug-1998  perry Abolition of bcopy, ovbcopy, bcmp, and bzero, phase one.
bcopy(x, y, z) -> memcpy(y, x, z)
ovbcopy(x, y, z) -> memmove(y, x, z)
bcmp(x, y, z) -> memcmp(x, y, z)
bzero(x, y) -> memset(x, 0, y)
 1.49  04-Jul-1998  jonathan defopt DDB.
 1.48  01-Mar-1998  fvdl Merge with Lite2 + local changes
 1.47  17-Nov-1997  ross Put it back the way it was.
 1.46  15-Nov-1997  ross A new kprintf was imported on 10/24, and it will cause a kernel panic
whenever the %: format is used on NetBSD/Alpha. Disable %: for __alpha__.
Note: the "correct" (but untested on other architectures) fix is to
change the wrong: kprintf(cp, oflags, tp, NULL, va_arg(ap, va_list));
to the right: kprintf(cp, oflags, tp, NULL, ap);
 1.45  24-Oct-1997  chuck import chris torek's vfprintf() from libc [renamed to kprintf and all
floating point stuff removed].

the new kprintf replaces the 3 different (and buggy) versions of
printf that were in the kernel before (kprintf, sprintf, and db_printf),
thus reducing duplicated code by 2/3's. this fixes (or adds) several
printf formats. examples:
%#x - previously only supported by db_printf [not printf/sprintf]
%8.8s - printf would print "000chuck" for "chuck" before
%5p - printf would print "0x 1" for value 1 before

XXX: new kprintf still supports several non-standard '%' formats that
are supposed to eventually be removed:
%: - passes an additional format string and argument list recursively
%b - used to decode error registers
%r - int, but print in radix "db_radix" [DDB only]
%z - 'signed hex' [DDB only]
%n - unsigned int, but print in radix "db_radix" [DDB only]

note that DDB's "%n" conflicts with standard "%n" which takes the
number of characters written so far and stores it into the integer
indicated by the "int *" pointer arg. yuck!

while here, add comments for each function explaining what it is
supposed to do.
 1.44  19-Sep-1997  leo Implement the kernel part of pr-1891. This allows for a more flexible sized
msgbuf. Note that old 'dmesg' and 'syslogd' binaries will continue running,
though old 'dmesg' binaries will output a few bytes of junk at the start of
the buffer, and will miss a few bytes at the end of the buffer.
 1.43  26-Jun-1997  thorpej branches: 1.43.4;
Avoid running off the end of the format string if the caller botched
the format modifer. Reported by and suggested fix from Daniel G. Pouzzner
in PR #2633. Final fix is slightly different now that we support the %q
modifier. This fix also includes the equivalent fix for sprintf().
 1.42  26-Jun-1997  thorpej If KGDB is defined, pull in <sys/kgdb.h> for prototypes.
 1.41  16-Jun-1997  drochner Implement quad_t (%qx, %qd, %qo) printf formats.
Closes pr kern/3747.
 1.40  17-Apr-1997  thorpej XXX Kludge for PowerPC; needs a kernel vfprintf().
 1.39  26-Mar-1997  gwr Renames: /dumpconf/cpu_dumpconf/, /boot/cpu_reboot/
 1.38  09-Jan-1997  thorpej Only call Debugger() on panic if "db_onpanic" is set.
 1.37  13-Nov-1996  thorpej Implement bitmask_snprintf(), which takes a value and a string
representing the names of those bits, prints them into a buffer
provided by the caller, and returns a pointer to that buffer.
Functionality is identical to that of the (non-standard) `%b' printf()
format, which will be deprecated.

Rename the non-exported function ksprintn() to ksnprintn(), and change
it to use a buffer provided by the caller, rather than at static
buffer.
 1.36  27-Oct-1996  gwr Minor nit in my change regarding const and non-ansi code...
 1.35  27-Oct-1996  gwr Oops, part of that last commit was not meant to go in.
The definitions of va_alist, va_dcl belong elsewhere.
 1.34  27-Oct-1996  gwr The hack-ish tricks to make the ANSI-style va_start macro work in
non-ANSI mode were not quite complete. This makes non-ANSI work.
Perhaps it would be better to eliminate this hack altogether...
 1.33  25-Oct-1996  cgd don't assign non-const pointers from const pointers; make the appropriate
pointers 'const'. (-Wcast-qual)
 1.32  16-Oct-1996  ws Rename recently checked in KGDB to IPKDB to resolve conflicts with older KGDB
 1.31  15-Oct-1996  cgd panic must print a newline
 1.30  13-Oct-1996  christos backout previous kprintf change
 1.29  10-Oct-1996  christos printf -> kprintf, sprintf -> ksprintf
 1.28  30-Sep-1996  ws Enter new KGDB on panic just like other kernel debuggers
 1.27  25-Sep-1996  christos Recognize %.2x as %02x
 1.26  09-Aug-1996  mrg Change reboot(2) to take two arguments: bootopt like normal and also
a boot string for firmware that can do this, such as the SPARC and
the sun3 models. It is currently silently ignored on all other
hardware now, however. The MD function "boot()" has been changed to
also take a char *.
 1.25  22-Apr-1996  christos remove include of <sys/cpu.h>
 1.24  30-Mar-1996  christos Change %r -> %: as for recursive printf's
 1.23  16-Mar-1996  christos Fix printf() formats.
 1.22  14-Mar-1996  christos - fdopen -> filedescopen
- bring kgdb prototype in scope.
 1.21  09-Feb-1996  christos More proto fixes
 1.20  04-Feb-1996  christos First pass at prototyping
 1.19  16-Jun-1995  cgd copy some format specifiers from kprintf to sprintf. b & r still missing
 1.18  19-Mar-1995  mycroft Actually, do the previous differently.
 1.17  19-Mar-1995  mycroft Add a `%p' format.
 1.16  28-Dec-1994  mycroft Handle null pointers like libc.
 1.15  29-Jun-1994  cgd New RCS ID's, take two. they're more aesthecially pleasant, and use 'NetBSD'
 1.14  13-May-1994  cgd update; minor clean, cruft removal.
 1.13  12-May-1994  mycroft Make logpri() non-static.
 1.12  05-May-1994  cgd lots of changes: prototype migration, move lots of variables, definitions,
and structure elements around. kill some unnecessary type and macro
definitions. standardize clock handling. More changes than you'd want.
 1.11  04-May-1994  cgd Rename a lot of process flags.
 1.10  30-Jan-1994  deraadt make panic a varargs function
 1.9  18-Dec-1993  mycroft Canonicalize all #includes.
 1.8  27-Aug-1993  brezak branches: 1.8.2;
Machine independant changes to VM for handling non-contiguous memory.
 1.7  27-Jun-1993  andrew ANSIfications - removed all implicit function return types and argument
definitions. Ensured that all files include "systm.h" to gain access to
general prototypes. Casts where necessary.
 1.6  22-May-1993  cgd add include of select.h if necessary for protos, or delete if extraneous
 1.5  18-May-1993  cgd make kernel select interface be one-stop shopping & clean it all up.
 1.4  13-May-1993  cgd fix kernel printf %b format.
from Gordon Burditt <gordon@sneaky.lonestar.org>
 1.3  10-Apr-1993  glass fixed to be compliant, subservient, and to take advantage of the newly
hacked config(8)
 1.2  28-Mar-1993  cgd if PANICWAIT defined, will always wait for a key press before reboot
after panic. (note that this only makes a difference if DDB is not
installed.)
 1.1  21-Mar-1993  cgd branches: 1.1.1;
Initial revision
 1.1.1.3  01-Mar-1998  fvdl Import 4.4BSD-Lite2
 1.1.1.2  01-Mar-1998  fvdl Import 4.4BSD-Lite for reference
 1.1.1.1  21-Mar-1993  cgd initial import of 386bsd-0.1 sources
 1.8.2.5  14-Nov-1993  mycroft Canonicalize all #includes.
 1.8.2.4  27-Sep-1993  deraadt Colour me a very bright shiny shade of stupid.
 1.8.2.3  27-Sep-1993  deraadt no snprintf() inside the kernel, use sprintf() and pray
 1.8.2.2  24-Sep-1993  mycroft Make all files using spl*() #include cpu.h. Changes from trunk.
init_main.c: New method of pseudo-device of initialization.
kern_clock.c: hardclock() and softclock() now take a pointer to a clockframe.
softclock() only does callouts.
kern_synch.c: Remove spurious declaration of endtsleep(). Adjust uses of
averunnable for new struct loadav.
subr_prf.c: Allow printf() formats in panic().
tty.c: averunnable changes.
vfs_subr.c: va_size and va_bytes are now quads.
 1.8.2.1  14-Sep-1993  mycroft init_main.c: clock changes from 4.4; initclocks() is called after vfsinit().
No startrtclock() or enablertclock(). Some pseudo-device cruft, but this needs
to be updated.
kern_clock.c: from 4.4: gatherstats() --> statclock(). statclock(),
hardclock(), and softclock() take a `struct clockframe *'. New initclocks(),
harclock(), statclock(), startprofclock(), and stopprofclock().
kern_synch.c: from 4.4: machine-independent swtch(), which is now where
process time is integrated. Calls cpu_swtch() with the current process as an
arg.
subr_autoconf.c: Fix typo.
subr_prf.c: msgbufp and msgbufmapped are define in machdep.c
tty.c: Make TIOCHPCL #ifdef COMPAT_43.
Incorporate changes from main branch.
 1.43.4.1  22-Sep-1997  thorpej Update marc-pcmcia branch from trunk.
 1.62.4.1  02-Aug-1999  thorpej Update from trunk.
 1.64.8.1  27-Dec-1999  wrstuden Pull up to last week's -current.
 1.64.2.2  12-Mar-2001  bouyer Sync with HEAD.
 1.64.2.1  20-Nov-2000  bouyer Update thorpej_scsipi to -current as of a month ago
 1.72.2.1  22-Jun-2000  minoura Sync w/ netbsd-1-5-base.
 1.74.2.1  04-Jul-2000  jdolecek Pullup from trunk [approved by thorpej]:

change tablefull() to accept one more parameter - optional hint

use that to inform about way to raise current limit when we reach maximum
number of processes, descriptors or vnodes
 1.76.2.12  03-Jan-2003  thorpej Sync with HEAD.
 1.76.2.11  11-Nov-2002  nathanw Catch up to -current
 1.76.2.10  27-Aug-2002  nathanw Catch up to -current.
 1.76.2.9  12-Jul-2002  nathanw No longer need to pull in lwp.h; proc.h pulls it in for us.
 1.76.2.8  24-Jun-2002  nathanw Curproc->curlwp renaming.

Change uses of "curproc->l_proc" back to "curproc", which is more like the
original use. Bare uses of "curproc" are now "curlwp".

"curproc" is now #defined in proc.h as ((curlwp) ? (curlwp)->l_proc) : NULL)
so that it is always safe to reference curproc (*de*referencing curproc
is another story, but that's always been true).
 1.76.2.7  20-Jun-2002  nathanw Catch up to -current.
 1.76.2.6  08-Jan-2002  nathanw Catch up to -current.
 1.76.2.5  14-Nov-2001  nathanw Catch up to -current.
 1.76.2.4  24-Aug-2001  nathanw Catch up with -current.
 1.76.2.3  21-Jun-2001  nathanw Catch up to -current.
 1.76.2.2  09-Apr-2001  nathanw Catch up with -current.
 1.76.2.1  05-Mar-2001  nathanw Initial commit of scheduler activations and lightweight process support.
 1.80.2.4  06-Sep-2002  jdolecek sync kqueue branch with HEAD
 1.80.2.3  23-Jun-2002  jdolecek catch up with -current on kqueue branch
 1.80.2.2  10-Jan-2002  thorpej Sync kqueue branch with -current.
 1.80.2.1  03-Aug-2001  lukem update to -current
 1.81.4.1  12-Nov-2001  thorpej Sync the thorpej-mips-cache branch with -current.
 1.83.8.2  29-Aug-2002  gehenna catch up with -current.
 1.83.8.1  20-Jun-2002  gehenna catch up with -current.
 1.92.2.6  10-Nov-2005  skrll Sync with HEAD. Here we go again...
 1.92.2.5  04-Mar-2005  skrll Sync with HEAD.

Hi Perry!
 1.92.2.4  19-Oct-2004  skrll Sync with HEAD
 1.92.2.3  21-Sep-2004  skrll Fix the sync with head I botched.
 1.92.2.2  18-Sep-2004  skrll Sync with HEAD.
 1.92.2.1  03-Aug-2004  skrll Sync with HEAD
 1.95.6.1  19-Mar-2005  yamt sync with head. xen and whitespace. xen part is not finished.
 1.95.4.1  29-Apr-2005  kent sync with -current
 1.99.2.8  27-Feb-2008  yamt sync with head.
 1.99.2.7  21-Jan-2008  yamt sync with head
 1.99.2.6  15-Nov-2007  yamt sync with head.
 1.99.2.5  27-Oct-2007  yamt sync with head.
 1.99.2.4  03-Sep-2007  yamt sync with head.
 1.99.2.3  26-Feb-2007  yamt sync with head.
 1.99.2.2  30-Dec-2006  yamt sync with head.
 1.99.2.1  21-Jun-2006  yamt sync with head.
 1.100.2.1  01-Feb-2006  yamt sync with head.
 1.102.6.1  14-Sep-2006  yamt sync with head.
 1.102.2.1  09-Sep-2006  rpaulo sync with head
 1.103.2.3  20-Jan-2007  ad Don't take the proclist_mutex for now; wait until tty locking is worked out.
 1.103.2.2  29-Dec-2006  ad Checkpoint work in progress.
 1.103.2.1  17-Nov-2006  ad Checkpoint work in progress.
 1.104.2.2  07-May-2007  yamt sync with head.
 1.104.2.1  27-Feb-2007  yamt - sync with head.
- move sched_changepri back to kern_synch.c as it doesn't know PPQ anymore.
 1.105.6.1  11-Jul-2007  mjf Sync with head.
 1.105.4.5  28-Oct-2007  ad /dev/klog:

- Put locking around it since it's used by printf().
- Mark it MPSAFE.
 1.105.4.4  23-Oct-2007  ad Sync with head.
 1.105.4.3  09-Oct-2007  ad Sync with head.
 1.105.4.2  20-Aug-2007  ad Sync with HEAD.
 1.105.4.1  08-Jun-2007  ad Sync with head.
 1.106.2.1  15-Aug-2007  skrll Sync with HEAD.
 1.107.10.2  29-Jul-2007  pooka Move bitmask_snprintf() from subr_prf.c to subr_prf_bitmask.c to permit
standalone compilation. No functional change.
 1.107.10.1  29-Jul-2007  pooka file subr_prf.c was added on branch matt-mips64 on 2007-07-29 09:38:02 +0000
 1.107.8.1  06-Oct-2007  yamt sync with head.
 1.107.6.4  23-Mar-2008  matt sync with HEAD
 1.107.6.3  09-Jan-2008  matt sync with HEAD
 1.107.6.2  08-Nov-2007  matt sync with -HEAD
 1.107.6.1  06-Nov-2007  matt sync with HEAD
 1.107.4.3  11-Nov-2007  joerg Sync with HEAD.
 1.107.4.2  26-Oct-2007  joerg Sync with HEAD.

Follow the merge of pmap.c on i386 and amd64 and move
pmap_init_tmp_pgtbl into arch/x86/x86/pmap.c. Modify the ACPI wakeup
code to restore CR4 before jumping back into kernel space as the large
page option might cover that.
 1.107.4.1  02-Oct-2007  joerg Sync with HEAD.
 1.109.2.2  13-Nov-2007  bouyer Sync with HEAD
 1.109.2.1  25-Oct-2007  bouyer Sync with HEAD.
 1.110.2.2  18-Feb-2008  mjf Sync with HEAD.
 1.110.2.1  19-Nov-2007  mjf Sync with HEAD.
 1.111.6.2  08-Jan-2008  bouyer Sync with HEAD
 1.111.6.1  02-Jan-2008  bouyer Sync with HEAD
 1.111.2.2  26-Dec-2007  ad Back out the dumppcb changes for the time being.
 1.111.2.1  12-Dec-2007  ad - Dump basic trap and register info before entering the debugger, in
case ddb screws the machine up further.
- Fill dumppcb asap so that gdb has less chance to get confused.
 1.116.6.3  17-Jan-2009  mjf Sync with HEAD.
 1.116.6.2  28-Sep-2008  mjf Sync with HEAD.
 1.116.6.1  02-Jun-2008  mjf Sync with HEAD.
 1.118.2.2  04-Jun-2008  yamt sync with head
 1.118.2.1  18-May-2008  yamt sync with head.
 1.120.4.2  10-Oct-2008  skrll Sync with HEAD.
 1.120.4.1  23-Jun-2008  wrstuden Sync w/ -current. 34 merge conflicts to follow.
 1.120.2.5  11-Mar-2010  yamt sync with head
 1.120.2.4  18-Jul-2009  yamt sync with head.
 1.120.2.3  20-Jun-2009  yamt sync with head
 1.120.2.2  04-May-2009  yamt sync with head.
 1.120.2.1  16-May-2008  yamt sync with head.
 1.123.4.1  19-Oct-2008  haad Sync with HEAD.
 1.123.2.2  27-Jun-2008  simonb Revert local changes that were not meant to be in previous "sync with
head" commit.
 1.123.2.1  27-Jun-2008  simonb Sync with head.
 1.124.4.1  02-Feb-2009  snj branches: 1.124.4.1.4;
Pull up following revision(s) (requested by ad in ticket #365):
sys/kern/subr_prf.c: revision 1.125
Don't try to sync if panicing:
- It doesn't work and a dead system that can't be reset from the console is
worse than a system that has painced and rebooted. If you can make it work
reliably please do so.
- If the system is paniced there is every reason to suspect VM structures
and the contents of the buffer cache.
 1.124.4.1.4.2  14-Feb-2014  matt Change KASSERTMSG/KDASSERTMSG to use varadic arguments like HEAD.
panic -> vpanic, add panic wrapper to vpanic.
 1.124.4.1.4.1  14-Nov-2013  matt more things for xhci
 1.124.2.3  28-Apr-2009  skrll Sync with HEAD.
 1.124.2.2  03-Mar-2009  skrll Sync with HEAD.
 1.124.2.1  19-Jan-2009  skrll Sync with HEAD.
 1.130.2.2  23-Jul-2009  jym Sync with HEAD.
 1.130.2.1  13-May-2009  jym Sync with HEAD.

Commit is split, to avoid a "too many arguments" protocol error.
 1.138.8.1  08-Feb-2011  bouyer Sync with HEAD
 1.138.6.1  06-Jun-2011  jruoho Sync with HEAD.
 1.138.4.2  31-May-2011  rmind sync with head
 1.138.4.1  05-Mar-2011  rmind sync with head
 1.143.2.2  22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.143.2.1  17-Apr-2012  yamt sync with head
 1.148.2.1  05-Apr-2012  mrg sync to latest -current.
 1.149.2.3  03-Dec-2017  jdolecek update from HEAD
 1.149.2.2  20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.149.2.1  25-Feb-2013  tls resync with head
 1.150.2.1  18-May-2014  rmind sync with head
 1.153.2.4  10-Aug-2014  tls The printf entropy source seems to have a lock-recursion problem.
Temporarily disable it unless options RND_PRINTF is set.
 1.153.2.3  17-Jul-2014  tls Adjustments to the "earlyentropy" branch in response to the various
discussions beginning with my initial proposal
http://mail-index.netbsd.org/tech-kern/2014/04/08/msg016876.html and
particularly the long discussion of cprng_fast() performance (e.g.
https://mail-index.netbsd.org/tech-crypto/2014/04/21/msg000642.html).

In particular:

* Per-CPU, lockless cprng_fast replacement using Dennis Ferguson's
"ccrand" implementation of ChaCha8.

* libkern arc4random() is gone, gone, gone.

* Entropy estimator reverted to 32-bit recordkeeping and timestamps
per Dennis' comments and analysis.

* LZF entropy estimator removed: it required a great deal of state,
and rejected only truly pathological input.

I have not yet reverted the changes that provide LZF in the kernel
as generic functionality; I will likely revert those changes prior
to any merge of this branch to HEAD.
 1.153.2.2  09-Apr-2014  tls Skip mutex_tryenter() if !kprnd_added.
 1.153.2.1  07-Apr-2014  tls Get more entropy into the system early:

1) Add device attach timings from autoconf.
2) Accumulate the output of kernel printf (as well as the times
when it's called) and add this periodically. To avoid issues
with recursion through diagnostic printfs, we use SHA512 to
accumulate the printf output, then mix in its output.
3) Add all sysctl settings -- mixes in the hostname and likely a
bit more.
 1.154.2.2  15-Aug-2014  riz Pull up following revision(s) (requested by apb in ticket #26):
sys/kern/subr_prf.c: revision 1.156
If mutex_tryenter() fails, don't call mutex_exit().
 1.154.2.1  15-Aug-2014  martin Pull up following revision(s) (requested by mrg in ticket #24):
sys/kern/subr_prf.c: revision 1.155
avoid calling into time code when cold, and avoid calling nanotime()
if we're not going to use the result anyway.
XXX: not necessarily the best fix, but better than crashing *early*
boot due to too-early nanotime() calls.
XXX: pullup.
 1.156.2.4  05-Oct-2016  skrll Sync with HEAD
 1.156.2.3  22-Sep-2015  skrll Sync with HEAD
 1.156.2.2  06-Jun-2015  skrll Sync with HEAD
 1.156.2.1  06-Apr-2015  skrll Sync with HEAD
 1.159.2.1  06-Aug-2016  pgoyette Sync with HEAD
 1.160.8.2  17-Apr-2023  martin Fix merge mishap in applying the changes from rev 1.171 in ticket #1804:
patch accidently applied the change to a nearby very similar function
(aprint_verbose_internal instead of aprint_error_internal).
 1.160.8.1  24-Feb-2023  martin Pull up following revision(s) (requested by msaitoh in ticket #1804):

sys/kern/subr_prf.c: revision 1.171

Make identification of accounted aprint_error()s possible by putting a
big ugly "autoconfiguration error: " in the log when they occur.
 1.162.2.5  18-Jan-2019  pgoyette Synch with HEAD
 1.162.2.4  28-Jul-2018  pgoyette Sync with HEAD
 1.162.2.3  25-Jun-2018  pgoyette Sync with HEAD
 1.162.2.2  16-Apr-2018  pgoyette Sync with HEAD, resolve some conflicts
 1.162.2.1  07-Apr-2018  pgoyette Sync with HEAD. 77 conflicts resolved - all of them $NetBSD$
 1.171.2.2  08-Apr-2020  martin Merge changes from current as of 20200406
 1.171.2.1  10-Jun-2019  christos Sync with HEAD
 1.185.2.1  03-Apr-2021  thorpej Sync with HEAD.
 1.196.2.2  11-Aug-2023  martin Pull up following revision(s) (requested by riastradh in ticket #319):

sys/dev/pci/ubsec.c: revision 1.64
sys/dev/pci/hifn7751.c: revision 1.82
lib/libc/gen/getentropy.3: revision 1.5
lib/libc/gen/getentropy.3: revision 1.6
share/man/man4/rnd.4: revision 1.41
lib/libc/sys/getrandom.2: revision 1.2
lib/libc/sys/getrandom.2: revision 1.3
share/man/man5/rc.conf.5: revision 1.193
share/man/man7/entropy.7: revision 1.5
share/man/man7/entropy.7: revision 1.6
share/man/man7/entropy.7: revision 1.7
share/man/man7/entropy.7: revision 1.8
etc/security: revision 1.130
share/man/man7/entropy.7: revision 1.9
etc/security: revision 1.131
sys/crypto/cprng_fast/cprng_fast.c: revision 1.19
sys/sys/rndio.h: revision 1.3
tests/lib/libc/sys/t_getrandom.c: revision 1.5
etc/defaults/rc.conf: revision 1.164
etc/defaults/rc.conf: revision 1.165
sys/sys/rndsource.h: revision 1.10
sys/kern/kern_entropy.c: revision 1.62
sys/kern/kern_entropy.c: revision 1.63
sys/kern/kern_entropy.c: revision 1.64
sys/kern/subr_cprng.c: revision 1.44
sys/kern/kern_entropy.c: revision 1.65
sys/kern/kern_clock.c: revision 1.149
sys/dev/pci/viornd.c: revision 1.22
share/man/man9/rnd.9: revision 1.32
sys/kern/subr_prf.c: revision 1.202
sys/sys/rndsource.h: revision 1.8
sys/sys/rndsource.h: revision 1.9
share/man/man7/entropy.7: revision 1.10

1. Reinstate netbsd<=9 entropy estimator to unblock /dev/random, in
parallel with assessment of only confident entropy sources (seed,
HWRNG) for security warnings like sshd keys in motd and daily
insecurity report.

2. Make multiuser boot wait for first /dev/random output soon after
loading a seed and configuring rndctl, so that getentropy(3) meets
its contract starting early at boot without introducing blocking
paths that could cause hangs in init(8) or single-user mode.
Operators can choose to disable this wait in rc.conf.

3. Fix some bugs left over from reducing the global entropy lock from
a spin lock at IPL_VM to an adaptive lock at IPL_SOFTSERIAL.

4. Update man pages.
 1.196.2.1  08-Feb-2023  martin Pull up following revision(s) (requested by mrg in ticket #75):

sys/kern/subr_prf.c: revision 1.197
sys/kern/subr_prf.c: revision 1.198

avoid pserialize usage in early boot

there are DEBUG-only aprint_normal() calls early in eg, ksyms
setup that may happen before eg curcpu() is setup. this is the
case in sparc64, where it sets up ksyms as early as it can so
that DDB has symbols early, which is before the curcpu() setup
is created, and thus the calls to pserialize_read_enter() and
pserialize_read_exit() attempt to access unmapped cpu_info and
due to being so early, the system faults to the prom.
simply use "cold" to determine whether to skip these pserialize
calls or not.

ok riastradh
XXX: pullup-10

fix logic-reversing tpyo in putone()

RSS XML Feed