2024-06-03 21:26:02 UTC Now

2022-03-26 19:38:00 UTC MAIN commitmail json YAML

mips/cavium: Simplify membars around interrupt establishment.

Previously I used xc_barrier to ensure the initialization of the
struct octeon_intrhand was witnessed on all CPUs before publishing
it, in order to avoid needing any barrier on the usage side to be
issued by the interrupt handler.

But there's no need to avoid atomic_load_consume at time of
interrupt: on MIPS it's the same as atomic_load_relaxed anyway, so
there's no additional memory barrier cost here.

(riastradh)

2022-03-26 19:35:57 UTC MAIN commitmail json YAML

igpio(4): Use device_xname, not struct device members.

(riastradh)

2022-03-26 19:35:35 UTC MAIN commitmail json YAML

igpio(4): Nix trailing whitespace.

(setq show-trailing-whitespace t), M-x delete-trailing-whitespace

(riastradh)

2022-03-24 12:59:56 UTC MAIN commitmail json YAML

vfs(9): Add missing vnode lock around VOP_CLOSE in vfs_mountroot.

Maybe vnode_if.c should be taught to KASSERT the vnode lock now that
locks always work.

(riastradh)

2022-03-24 12:58:56 UTC MAIN commitmail json YAML

entropy(9): Call entropy_softintr while bound to CPU.

It looks like we tripped on the new assertion in entropy_account_cpu
when there was pending entropy on cpu0 running lwp0 when xc_broadcast
ran -- since xc_broadcast calls the function directly rather than
calling it through softint_schedule, it's not called via the softint
lwp which would satisfy the assertion.

(riastradh)

2022-03-23 23:24:21 UTC MAIN commitmail json YAML

mips/cavium: Fix membars around establishing interrupt handlers.

(riastradh)

2022-03-23 23:23:25 UTC MAIN commitmail json YAML

viornd(4): Process host entropy in softint context.

Samples added to the entropy pool in hard interrupt context are only
buffered, never processed directly, and if they fill the buffer, the
sample is dropped -- this serves to encourage taking timing samples
in hard interrupt context because it's cheap, and we have no idea how
many samples we really need for full entropy so it's safer to err on
the side of `as many as we can get'.

But for viornd(4), we assume the host has full entropy so we only
need a single 32-byte sample, and we want to avoid dropping it so we
get full entropy ASAP.  Entering the sample in a soft interrupt
rather than hard interrupt achieves this.

(riastradh)

2022-03-23 23:20:52 UTC MAIN commitmail json YAML

entropy(9): Include <sys/lwp.h> and <sys/proc.h> explicitly.

Now that we use curlwp, struct lwp::l_pflag, and LP_BOUND, let's not
rely on side-loads from other .h files.

(riastradh)

2022-03-23 23:18:18 UTC MAIN commitmail json YAML

entropy(9): Bind to CPU temporarily to avoid race with lwp migration.

More fallout from the IPL_VM->IPL_SOFTSERIAL change.

In entropy_enter, there is a window when the lwp can be migrated to
another CPU:

ec = entropy_cpu_get();
...
pending = ec->ec_pending + ...;
...
entropy_cpu_put();

/* lwp migration possible here */

if (pending)
	entropy_account_cpu(ec);

If this happens, we may trip over any of several problems in
entropy_account_cpu because it assumes ec is the current CPU's state
in order to decide whether we have anything to contribute from the
local pool to the global pool.

No need to do this in entropy_softintr because softints are bound to
the CPU anyway.

(riastradh)

2022-03-21 22:20:32 UTC MAIN commitmail json YAML

autoconf(9): Enter more timing samples into entropy pool.

Previously, we sampled the time of each _failed_ config_search.  I'm
not sure why -- there was no explanation in the comment or the commit
message introducing this in rev. 1.230.2.1 on tls-earlyentropy.

With this change, we sample the time of _every_ search including the
successful ones -- and also measure the time to attach which often
includes things like probing device registers, triggering device
reset and waiting for it to post, &c.

(riastradh)

2022-03-21 00:25:04 UTC MAIN commitmail json YAML

entropy(9): Make rnd_lock_sources work while cold.

x86 uses entropy_extract verrrrrry early.  Fixes mistake in previous
that did not manifest in my testing on aarch64, which does not use it
so early.

(riastradh)

2022-03-20 18:19:58 UTC MAIN commitmail json YAML

entropy(9): Improve entropy warning messages and documentation.

- For the main warning message, use less jargon, say `security', and
  cite the entropy(7) man page for further reading.  Document this in
  rnd(4) and entropy(7).

- For the debug-only warning message, say `entropy' only once and omit
  it from the rnd(4) man page -- it's not very important unless you're
  debugging the kernel in which case you probably know what you're
  doing enough to not need the text explained in the man page.

(riastradh)

2022-03-20 14:30:57 UTC MAIN commitmail json YAML

entropy(9): Fix premature optimization deadlock in entropy_request.

- For synchronous queries from /dev/random, which are waiting for
  entropy to be ready, wait for concurrent access -- e.g., concurrent
  rnd_detach_source -- to finish, and make sure to request entropy
  from all sources (unless we're interrupted by a signal).

- When invoked through softint context (e.g., cprng_fast_intr ->
  cprng_strong -> entropy_extract), don't wait, because we're
  forbidden from waiting anyway.

- For entropy_bootrequest, wait but don't bother failing on signal
  because this only happens in kthread context, not in userland
  process context, so there can't be signals.

Nix rnd_trylock_sources; use the same entropy_extract flags
(ENTROPY_WAIT, ENTROPY_SIG) for rnd_lock_sources.

(riastradh)

2022-03-20 14:05:41 UTC MAIN commitmail json YAML

Revert "entropy(9): Nix rnd_trylock_sources."

Not a premature optimization after all -- this is necessary because
entropy_request can run in softint context, where the cv_wait_sig in
rnd_lock_sources is forbidden.  Need to do this another way.

(riastradh)

2022-03-20 13:44:18 UTC MAIN commitmail json YAML

entropy(9): Nix rnd_trylock_sources.

This was a premature optimization that turned out to be bogus.  It's
not harmful to request more than we need from drivers, so let's not
go out of our way to avoid that.

(riastradh)

2022-03-20 13:18:30 UTC MAIN commitmail json YAML

ualea(4): Enter the data under the softc lock.

This avoids a race with a concurrent ualea_get updating sc_needed,
which could lead to hang when requesting more entropy.

ualea(4) now survives

sysctl -w kern.entropy.depletion=1
cat </dev/random >/dev/null &
cat </dev/random >/dev/null &

without hanging for longer (even if yanked and reinserted in the
middle, although the detach path is not relevant to the bug this
change fixes).

(riastradh)

2022-03-20 13:18:12 UTC MAIN commitmail json YAML

entropy(9): Fix another new race in entropy_account_cpu.

The consolidation xcall can preempt entropy_enter, between when it
unlocks the per-CPU state and when it calls entropy_account_cpu, with
the effect of setting ec->ec_pending=0.

Previously this was impossible because we called entropy_account_cpu
with the per-CPU state still locked, but that doesn't work now that
the global entropy lock is an adaptive lock which might sleep which
is forbidden while the per-CPU state is locked.

(riastradh)

2022-03-20 13:17:44 UTC MAIN commitmail json YAML

entropy(9): Shuffle some assertions around.

Tripped over (diff || E->pending == ENTROPY_CAPACITY*NBBY), not sure
why yet, printing values will help.

No functional change intended.

(riastradh)

2022-03-20 13:17:32 UTC MAIN commitmail json YAML

entropy(9): Lock the per-CPU state in entropy_account_cpu.

This was previously called with the per-CPU state locked, which
worked fine as long as the global entropy lock was a spin lock so
acquiring it would never sleep.  Now it's an adaptive lock, so it's
not safe to take with the per-CPU state lock -- but we still need to
prevent reentrant access to the per-CPU entropy pool by interrupt
handlers while we're extracting from it.  So now the logic for
entering a sample is:

- lock per-CPU state
- entpool_enter
- unlock per-CPU state
- if anything pending on this CPU and it's time to consolidate:
  - lock global entropy state
  - lock per-CPU state
  - transfer
  - unlock per-CPU state
  - unlock global entropy state

(riastradh)

2022-03-20 13:17:09 UTC MAIN commitmail json YAML

entropy(9): Factor out logic to lock and unlock per-CPU state.

No functional change intended.

(riastradh)

2022-03-20 13:13:10 UTC MAIN commitmail json YAML

ualea(4): Simplify xfer error branches.

- Avoid going into a loop in case the transfer fails repeatedly --
  just give up immediately if it fails.

- Assert result size is reasonable; no need to assume usbdi(9) is
  malicious.  If it can return ux_actlen > ux_length, that's a bug in
  usbdi(9) that we should fix.

(riastradh)

2022-03-20 00:41:01 UTC MAIN commitmail json YAML

ualea(4): Fix detach and error paths.

- Set sc_needed before aborting the pipe to prevent the xfer callback
  from rescheduling itself.

- Make sure all paths out of the xfer callback clear sc_inflight.

While here, use device_printf instead of aprint_* after attach.

Now my system survives repeated insertion and yanking of ualea(4)
during:

sysctl -w kern.entropy.depletion=1
cat </dev/random >/dev/null

(riastradh)

2022-03-20 00:40:52 UTC MAIN commitmail json YAML

usbdi(9): Make sure aborting a pipe waits for all callbacks.

There may be a callback in flight from an xfer that has already been
taken off the queue by the time usbd_ar_pipe gets to it.  We must
guarantee that even that callback has completed before returning
control to the caller.

(riastradh)

2022-03-20 00:19:11 UTC MAIN commitmail json YAML

entropy(9): Avoid reentrance to per-CPU state from sleeping on lock.

Changing the global entropy lock from IPL_VM to IPL_SOFTSERIAL meant
it went from being a spin lock, which blocks preemption, to being an
adaptive lock, which might sleep -- and allow other threads to run
concurrently with the softint, even if those threads have softints
blocked with splsoftserial.

This manifested as KASSERT(!ec->ec_locked) triggering in
entropy_consolidate_xc -- presumably entropy_softintr slept on the
global entropy lock while holding the per-CPU state locked with
ec->ec_locked, and then entropy_consolidate_xc ran.

Instead, to protect access to the per-CPU state without taking a
global lock, defer entropy_account_cpu until after ec->ec_locked is
cleared.  This way, we never sleep while holding ec->ec_locked, nor
do we incur any contention on shared memory when entering entropy
unless we're about to distribute it.  To verify this, sprinkle in
assertions that curlwp->l_ncsw hasn't changed by the time we release
ec->ec_locked.

(riastradh)

2022-03-19 20:50:32 UTC MAIN commitmail json YAML

usb: Insert assertion to diagnose ud_cdesc/ud_ifaces inconsistency.

Syzbot found a way to see ud_cdesc=NULL but ud_ifaces!=NULL:

https://syzkaller.appspot.com/bug?id=e6d4449a128e73a9a88100a5cc833e5cae9fecae

Maybe it's a race with two threads somehow doing usbd_free_device at
the same time when only one should, but let's rule this case out
early on to make it easier to prove it has to be a race.

(riastradh)

2022-03-19 20:44:07 UTC MAIN commitmail json YAML

umidi(4): Parse descriptors a little more robustly.

Reported-by: syzbot+fd58d1d4dd12f8931486@syzkaller.appspotmail.com

(riastradh)

2022-03-19 16:20:45 UTC MAIN commitmail json YAML

viornd(4): Revert IPL change for lock.

This lock is taken in hard interrupt context, so it needs to remain
at IPL_VM.

(riastradh)

2022-03-19 14:35:08 UTC MAIN commitmail json YAML

rnd(9): Delete legacy rnd_initial_entropy symbol.

Use entropy_epoch() instead.

XXX kernel ABI change deleting symbol requires bump

(riastradh)

2022-03-19 14:34:48 UTC MAIN commitmail json YAML

kern: Delete kernel_ticks from kernel ABI.

Use getticks() instead.

(riastradh)

2022-03-19 11:55:03 UTC MAIN commitmail json YAML

rnd(9): Omit needless locks in various HWRNG drivers.

Now that the rnd(9) API guarantees serial callbacks, we can simplify
everything a bit more.

(Some drivers like hifn(4) and sun8icrypto(4) still use locks to
coordinate with other parts of the driver to submit requests to and
process responses from the device.)

(riastradh)

2022-03-19 11:54:53 UTC MAIN commitmail json YAML

rnd(9): Document the serial use of rndsource callbacks.

This simplifies the rndsource API -- no need to lock, unless you're
also coordinating with other driver logic like concurrent
opencrypto(4) requests that share device requests.

(riastradh)

2022-03-19 11:37:17 UTC MAIN commitmail json YAML

tegra124_car(4): Attach rndsource synchronously.

It looks like the original motivation for deferring to
config_interrupts was to wait until softint_establish worked.  But
this no longer needs to use softints to deliver the entropy, so
that's moot.

Doing this synchronously gives us a better chance for more entropy
earlier.

(riastradh)

2022-03-19 11:37:06 UTC MAIN commitmail json YAML

2022-03-19 11:36:53 UTC MAIN commitmail json YAML

tegra124_car(4): No need for rnd lock -- delete it.

This only ever reads from a single device register, so no need to
serialize access.

XXX This should really have a hardware-specific health test, but I
can't find any documentation on the underlying physical entropy
source.

(riastradh)

2022-03-19 11:36:43 UTC MAIN commitmail json YAML

meson_rng(4): No need for lock -- delete it.

We only ever read a single register at a time; no exclusive access or
serialization needed.

XXX This driver should have some kind of hardware-specific health
test -- is there documentation anywhere for what this RNG actually
is?

(riastradh)

2022-03-19 10:05:52 UTC MAIN commitmail json YAML

usbdi(9): Fix usbd_get_no_alts.

This incorrectly rejected the configuration as invalid if any
descriptor is not large enough to be interface descriptors.

Instead, it should reject the configuration only if any descriptor is
not large enough to be a _descriptor_, or if any interface-type
descriptor is not large enough to be an interface descriptor, but
skip over descriptors of other types even if they're smaller than
interface descriptors.

Candidate fix for PR kern/56762.

(riastradh)

2022-03-18 23:37:14 UTC MAIN commitmail json YAML

clockrnd(9): Use atomic_load_relaxed for struct clockrnd::needed.

This may be set concurrently by clockrnd_get, so let's match the
atomic_store_relaxed and avoid the appearance of data races.

(riastradh)

2022-03-18 23:37:06 UTC MAIN commitmail json YAML

entropy(9): Establish the softint a little earlier.

Just need to wait until softint_establish and high-priority xcalls
will work, no later than that.  Doing this earlier gives us slightly
more of a chance to ensure cprng_fast and ssp get entropy from
hardware RNG devices that rely on interrupts.

(riastradh)

2022-03-18 23:36:57 UTC MAIN commitmail json YAML

sun8icrypto(4): Do self-test and first RNG draw synchronously.

If the self-test fails, disable everything else at boot -- don't just
leave it to the operator to notice and do something.

This way we get entropy earlier at boot, before threads start and
before the first things in the kernel that draw from it (cprng fast
init, ssp init).

(riastradh)

2022-03-18 23:36:42 UTC MAIN commitmail json YAML

sun8icrypto(4): Attach rndsource as RND_TYPE_RNG.

Previously this was attached as RND_TYPE_UNKNOWN, at a time when the
kernel assumed _any_ RNG-type rndsource produced independent uniform
random bits and subjected it to automatic tests that would fail with
high probability for many other distributions.  But sun8icrypto(4) is
very nonuniform (probably yields consecutive samples of a ring
oscillator, which are very much not independent).

Now the kernel no longer makes this assumption, so it is valid to
label this as what it is -- a hardware RNG.  We should ideally still
have better information from the vendor about what's going on under
the hood before enabling nonzero entropy for it.  But at least we can
label its type accurately.

(riastradh)

2022-03-18 23:35:48 UTC MAIN commitmail json YAML

sun8icrypto(4): Split out interrupt and thread locks.

No need to block interrupts while we're going through all the data
structures -- only need to block interrupts for the handoff from
interrupt handler to lower-priority logic.

(riastradh)

2022-03-18 23:35:37 UTC MAIN commitmail json YAML

getrandom(2): Fix return value checks in automatic tests.

The syscall only guarantees up to 256 bytes in a single go -- if
interrupted, it might return short, but if the caller requested at
least 256 bytes it will definitely return 256 bytes.

(riastradh)
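The getrandom(2) contract described in the entry above (a request of up to 256 bytes is satisfied in full or fails; a longer request may come back short on a signal, but never shorter than 256 bytes) is easy to get wrong in callers as well as in tests. The following is an added example, not NetBSD's test code or libc: a predicate that checks a raw return value against that contract, and a fill loop that tolerates short returns and EINTR. It assumes a getrandom() declared in <sys/random.h>, as on NetBSD and on Linux with glibc 2.25 or newer; the sample buffer size and the helper names are mine.

```c
#define _DEFAULT_SOURCE 1	/* glibc: expose getrandom(); harmless elsewhere */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/random.h>

/*
 * Is `returned` a value getrandom(2) may legitimately hand back for a
 * request of `requested` bytes?  Up to 256 bytes: all or nothing.
 * More than 256: may be short if interrupted, but at least 256.
 */
int
getrandom_result_ok(size_t requested, ssize_t returned)
{
	if (returned < 0)
		return 0;
	if ((size_t)returned > requested)
		return 0;
	if (requested <= 256)
		return (size_t)returned == requested;
	return (size_t)returned >= 256;
}

/*
 * Fill buf[0..n) completely, looping over short returns and EINTR.
 * Returns 0 on success or an errno value.
 */
int
fill_random(void *buf, size_t n)
{
	uint8_t *p = buf;

	while (n > 0) {
		ssize_t got = getrandom(p, n, 0);

		if (got < 0) {
			if (errno == EINTR)
				continue;
			return errno;
		}
		/* Defensive: never spin on zero and never walk past n. */
		if (got == 0 || (size_t)got > n)
			return EIO;
		p += got;
		n -= (size_t)got;
	}
	return 0;
}

/* 1 if any byte of buf[0..n) is nonzero. */
int
any_nonzero(const uint8_t *buf, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (buf[i] != 0)
			return 1;
	return 0;
}

/*
 * Self-check: fill a 1000-byte buffer (well over the 256-byte guarantee,
 * so the loop may have to iterate) and confirm it was actually written.
 * Returns 1 on success.
 */
int
fill_random_selftest(void)
{
	uint8_t buf[1000] = { 0 };

	if (fill_random(buf, sizeof buf) != 0)
		return 0;
	return any_nonzero(buf, sizeof buf);
}
```

A test that asserts `getrandom(buf, 1000, 0) == 1000` is the kind of check the commit fixes; asserting `getrandom_result_ok(1000, r)` instead accepts every value the syscall is allowed to return and still rejects a short read of fewer than 256 bytes.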

2022-03-18 23:35:28 UTC MAIN commitmail json YAML

entropy(9): Count dropped or truncated interrupt samples.

(riastradh)

2022-03-18 23:35:19 UTC MAIN commitmail json YAML

entropy(9): Reduce global entropy lock from IPL_VM to IPL_SOFTSERIAL.

This is no longer ever taken in hard interrupt context, so there's no
longer any need to block interrupts while doing crypto operations on
the global entropy pool.

(riastradh)

2022-03-18 23:35:07 UTC MAIN commitmail json YAML

entropy(9): Request entropy after the softint is enabled.

Otherwise, there is a window during which interrupts are running, but
the softint is not, so if many interrupts queue (low-entropy) samples
early at boot, they might get dropped on the floor.  This could
happen, for instance, with a PCI RNG like ubsec(4) or hifn(4) which
requests entropy and processes it in its own hard interrupt handler.

(riastradh)

2022-03-18 23:34:56 UTC MAIN commitmail json YAML

entropy(9): Use the early-entropy path only while cold.

This way, we never take the global entropy lock from interrupt
handlers (no interrupts while cold), so the global entropy lock need
not block interrupts.

There's an annoying ordering issue here: softint_establish doesn't
work until after CPUs have been detected, which happens inside
configure(), which is also what enables interrupts.  So we have no
opportunity to softint_establish the entropy softint _before_
interrupts are enabled.

To work around this, we have to put a conditional into the interrupt
path, and go out of our way to process any queued samples after
establishing the softint.  If we just made softint_establish work
early, like percpu_create does now, this problem would go away and we
could delete a bit of logic here.

Candidate fix for PR kern/56730.

(riastradh)

2022-03-18 23:34:44 UTC MAIN commitmail json YAML

entropy(9): Create per-CPU state earlier.

This will make it possible to use it from interrupts as soon as they
start, which means the global entropy pool lock won't have to block
interrupts.

(riastradh)

2022-03-18 23:33:41 UTC MAIN commitmail json YAML

drm: In ww_mutex_unlock, do lockdebug check first.

This way we get a full lockdebug dump when LOCKDEBUG is enabled,
instead of just the panic message (which includes the lock address
you could pass to `show lock' in ddb, but let's get the dump by
default even if you don't enter ddb).

Also in the KASSERT print the mutex.

(riastradh)

2022-03-18 23:32:59 UTC MAIN commitmail json YAML

dwc2: Use getticks(), not hardclock_ticks.

(riastradh)

2022-03-18 23:32:50 UTC MAIN commitmail json YAML

drm: Use getticks(), not hardclock_ticks.

(riastradh)

2022-03-18 23:32:41 UTC MAIN commitmail json YAML

old drm: Use getticks(), not hardclock_ticks.

Should delete this code, no idea if it even still compiles.

(riastradh)

2022-03-18 23:32:25 UTC MAIN commitmail json YAML

net80211: Use getticks(), not hardclock_ticks.

Less extern in .c this way too.

(riastradh)

2022-03-18 23:32:14 UTC MAIN commitmail json YAML

osnet: Delete dead #if 0 code using hardclock_ticks.

(riastradh)

2022-03-17 22:22:49 UTC MAIN commitmail json YAML

x86: Revert previous syscall biglock slippage attribution.

The attribution in userret is good enough as is, because the stack
trace on panic shows the syscall number in the trap frame, so no need
to put extra cost in the syscall entry logic even under DIAGNOSTIC.

(riastradh)

2022-03-16 23:56:55 UTC MAIN commitmail json YAML

entropy(9): Forbid entropy_extract in hard interrupt context.

With a little additional work, this will let us reduce the global
entropy pool lock so it never blocks interrupts.

(riastradh)

2022-03-16 23:56:33 UTC MAIN commitmail json YAML

cprng(9): Forbid use in hard interrupt context.

May need access to the global entropy pool (infrequently).  This way
the global entropy pool lock can be lowered to IPL_SOFTSERIAL too,
with a little additional work.

(riastradh)

2022-03-16 23:32:52 UTC MAIN commitmail json YAML

i915: Avoid freeing anything under a spin lock.

(riastradh)

2022-03-15 13:00:44 UTC MAIN commitmail json YAML

bpf(4): Handle null bf_insn on free.

This is not guaranteed by bpf_setf to be nonnull.

Reported-by: syzbot+de1ec9471dfc2f283dda@syzkaller.appspotmail.com

(riastradh)

2022-03-15 10:37:42 UTC MAIN commitmail json YAML

posix_fadvise(2): Detect arithmetic overflow without UB.

Reported-by: syzbot+18f01abff11bd527c464@syzkaller.appspotmail.com

(riastradh)

2022-03-15 00:05:18 UTC MAIN commitmail json YAML

tun(4): Fix bug introduced in previous locking change.

Now that tun_lock runs at IPL_NONE, taking it does not have the side
effect of disabling preemption, but pktq_enqueue assumes the caller
has disabled preemption so it can safely schedule a softint.

This isn't a problem in most physical network drivers because the
pktq_enqueue call happens from within the driver's softint context
anyway.  But tun(4) is special -- here, the pktq_enqueue is triggered
by a userland write to the device, which is in thread context.  So
let's just disable preemption in tunwrite.

Reported-by: syzbot+21c2cb300f1ec2162b35@syzkaller.appspotmail.com

(riastradh)

2022-03-14 22:14:19 UTC MAIN commitmail json YAML

system(3): Simplify initialization of argp.

(riastradh)

2022-03-14 22:06:28 UTC MAIN commitmail json YAML

system(3): Switch from vfork/execve to posix_spawn.

Changes by me:
- Minor style nits.
- Set errno on posix_spawn failure.
- Handle edge cases of SIGINT/SIGQUIT set to SIG_IGN by caller.

Author: Nikita Ronja Gillmann <nikita@NetBSD.org>
Committer: Taylor R Campbell <riastradh@NetBSD.org>

(riastradh)
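The SIG_IGN edge case mentioned in the entry above is the subtle part of moving system(3) onto posix_spawn: the parent must ignore SIGINT and SIGQUIT while it waits, an ignored signal stays ignored across exec, so the child would inherit those SIG_IGNs unless POSIX_SPAWN_SETSIGDEF resets them, yet a signal the caller had already set to SIG_IGN must stay ignored in the child. The following is an added example of that logic, not the NetBSD libc implementation; it assumes a POSIX system with /bin/sh and posix_spawn(3), and the helper names and the commands run in the self-checks are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <spawn.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/*
 * system(3)-style helper on top of posix_spawn.  Returns the wait
 * status of "/bin/sh -c command", or -1 with errno set if the child
 * could not be spawned or waited for.
 */
int
spawn_system(const char *command)
{
	struct sigaction ign, oint, oquit;
	sigset_t oldmask, chldmask, defmask;
	posix_spawnattr_t attr;
	char *const argv[] = { "sh", "-c", (char *)command, NULL };
	pid_t pid;
	int status = -1, error;

	if (command == NULL) {
		errno = EINVAL;
		return -1;
	}

	/* Parent: ignore SIGINT/SIGQUIT, block SIGCHLD, remember old state. */
	ign.sa_handler = SIG_IGN;
	sigemptyset(&ign.sa_mask);
	ign.sa_flags = 0;
	sigaction(SIGINT, &ign, &oint);
	sigaction(SIGQUIT, &ign, &oquit);
	sigemptyset(&chldmask);
	sigaddset(&chldmask, SIGCHLD);
	sigprocmask(SIG_BLOCK, &chldmask, &oldmask);

	/*
	 * Child: reset SIGINT/SIGQUIT to default (they are SIG_IGN in us
	 * right now and would be inherited across exec), except for any
	 * the caller itself had ignored, which must stay ignored.
	 */
	sigemptyset(&defmask);
	if (oint.sa_handler != SIG_IGN)
		sigaddset(&defmask, SIGINT);
	if (oquit.sa_handler != SIG_IGN)
		sigaddset(&defmask, SIGQUIT);

	error = posix_spawnattr_init(&attr);
	if (error == 0) {
		/* Give the child the caller's mask, not ours with SIGCHLD blocked. */
		posix_spawnattr_setsigmask(&attr, &oldmask);
		posix_spawnattr_setsigdefault(&attr, &defmask);
		posix_spawnattr_setflags(&attr,
		    POSIX_SPAWN_SETSIGMASK | POSIX_SPAWN_SETSIGDEF);
		error = posix_spawn(&pid, "/bin/sh", NULL, &attr, argv, environ);
		posix_spawnattr_destroy(&attr);
	}
	if (error == 0) {
		while (waitpid(pid, &status, 0) == -1) {
			if (errno != EINTR) {
				error = errno;
				status = -1;
				break;
			}
		}
	}

	/* Restore the caller's dispositions and mask on every path. */
	sigaction(SIGINT, &oint, NULL);
	sigaction(SIGQUIT, &oquit, NULL);
	sigprocmask(SIG_SETMASK, &oldmask, NULL);
	if (error != 0)
		errno = error;
	return status;
}

/* Exit status of the command, or -1 if it did not exit normally. */
int
spawn_exit_status(const char *command)
{
	int status = spawn_system(command);

	if (status == -1 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

/* Same, with SIGINT ignored by the caller, to exercise the edge case. */
int
spawn_exit_status_sigint_ignored(const char *command)
{
	struct sigaction ign, old;
	int rv;

	ign.sa_handler = SIG_IGN;
	sigemptyset(&ign.sa_mask);
	ign.sa_flags = 0;
	sigaction(SIGINT, &ign, &old);
	rv = spawn_exit_status(command);
	sigaction(SIGINT, &old, NULL);
	return rv;
}
```

With SIGINT ignored by the caller, `sh -c 'kill -INT $$; exit 7'` survives its own SIGINT and exits 7; if SETSIGDEF were applied unconditionally the shell would be killed by the signal instead, which is how the inheritance rule can be checked from a test.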

2022-03-14 21:38:04 UTC MAIN commitmail json YAML

audio(4): Fix typo in previous -- atomic_store_release, not reease.

Built the wrong kernel to compile-test AUDIO_DEBUG, oops.

(riastradh)

2022-03-14 16:14:11 UTC MAIN commitmail json YAML

umidi(4): Bail early if no endpoints.

kmem_alloc is unhappy with zero-size allocation.

Reported-by: syzbot+483b984480c295979391@syzkaller.appspotmail.com

(riastradh)

2022-03-14 12:02:19 UTC MAIN commitmail json YAML

syscall(2): Provide better attribution for biglock slippage.

This adds a small overhead to the syscall path, but only when invoked
via the syscall(2) syscall, for which stack traces generally don't
print the actual syscall number in question so the better attribution
may make a difference.

(riastradh)

2022-03-14 11:47:34 UTC MAIN commitmail json YAML

audio(4): Membar audit.

Won't affect anything on x86 because atomic r/m/w operations are
always full sequential consistency barriers, but might potentially
fix problems on, e.g., arm.

Note 1: I'm not clear on why the track lock is a bespoke mutex made
out of an atomic -- why not just mutex(9)?

Note 2: I'm not convinced the audio_mlog_flush synchronization is
correct; what happens if the softint runs on two CPUs at the same
time and swaps mlog_wpage simultaneously?

Note 3: Should maybe use atomic_load/store_relaxed for mlog_full and
mlog_drop, and atomic_inc/dec for mlog_refs.

(riastradh)

2022-03-13 21:42:39 UTC MAIN commitmail json YAML

tun(4): Fix some error branches in tunwrite.

(riastradh)

2022-03-13 21:32:43 UTC MAIN commitmail json YAML

tun(4): Omit TUN_RWAIT micro-optimization.

cv_broadcast already has a fast path for no-waiters.

(riastradh)

2022-03-13 21:32:35 UTC MAIN commitmail json YAML

tun(4): Deliver SIGIO for hangup under tun_lock.

Otherwise, tp->tun_pgid is not stable.

(riastradh)

2022-03-13 21:32:27 UTC MAIN commitmail json YAML

tun(4): Reduce lock from IPL_NET to IPL_SOFTNET.

This is never taken from hardware interrupt handlers any more, as far
as I can tell -- only SOFTINT_NET soft interrupt handlers.

This avoids trying to take an adaptive lock, proc_lock, in fownsignal
while holding a spin lock.  Unfortunately, it doesn't entirely fix the
problem -- proc_lock is at IPL_NONE, and is held across some not
entirely trivial computations like allocating a new pid table.  So it
would really be better if we had some way to deliver SIGIO without
taking proc_lock.

Reported-by: syzbot+3dd54993d3e92e697e72@syzkaller.appspotmail.com
Reported-by: syzbot+aca29415f2f0bf23f082@syzkaller.appspotmail.com

(riastradh)

2022-03-13 21:32:15 UTC MAIN commitmail json YAML

tun(4): Reduce tun_softc_lock from IPL_NET to IPL_NONE.

This is always taken in process/thread context, never in interrupt
context, hard or soft.

(riastradh)

2022-03-13 21:32:07 UTC MAIN commitmail json YAML

tun(4): Factor out setup/teardown into separate routines.

- Reduce duplication.
- Plug softint leak on recycling tun.

(This recycling business seems kinda sketchy...)

(riastradh)

2022-03-13 21:31:58 UTC MAIN commitmail json YAML

tun(4): Add missing includes in if_tun.h.

(riastradh)

2022-03-13 21:31:47 UTC MAIN commitmail json YAML

tun(4): Add missing cv_destroy in tunclose.

(riastradh)

2022-03-13 20:44:06 UTC MAIN commitmail json YAML

usb: Fix debug build.

(riastradh)

2022-03-13 18:37:10 UTC MAIN commitmail json YAML

kern: Use harmless, not harmful, integer truncation in physio.

Reported-by: syzbot+13abd9bc700f7ceac337@syzkaller.appspotmail.com

(riastradh)

2022-03-13 17:52:46 UTC MAIN commitmail json YAML

kern: Fix fencepost error in ts2timo overflow checks.

Triggered by

clock_settime({.tv_sec=0, .tv_nsec=0})
clock_nanosleep({.tv_sec=LLONG_MIN, .tv_nsec=0})

so that, by the time we enter ts2timo (after a few nanoseconds have
passed), we end up with

tsd = {.tv_sec=0, .tv_nsec=nonzero}
ts = {.tv_sec=LLONG_MIN, .tv_nsec=0}

and the subtraction ts - tsd leads to a borrow from tv_sec.

Reported-by: syzbot+14818113e9d0b45bca64@syzkaller.appspotmail.com

(riastradh)

2022-03-13 17:21:29 UTC MAIN commitmail json YAML

kern: Fix ordering of loads for pid_table and pid_tbl_mask.

This introduces a load-acquire where there was none before.  This is
a simple correctness change.  We could avoid the load-acquire, and
use only load-consume, if we used a pointer indirection for _both_
pid_table and pid_tbl_mask.  Takes a little more work, and probably
costs an additional cache line of memory traffic, but might be worth
it to avoid the load-acquire for pid lookup.

Reported-by: syzbot+c49e405d0b977aeed663@syzkaller.appspotmail.com
Reported-by: syzbot+1c88ee7086f93607cea1@syzkaller.appspotmail.com
Reported-by: syzbot+da4e9ed1319b75fe2ef3@syzkaller.appspotmail.com

(riastradh)

2022-03-13 13:52:53 UTC MAIN commitmail json YAML

vfs(9): Avoid arithmetic overflow in vn_seek.

Reported-by: syzbot+b9f9a02148a40675c38a@syzkaller.appspotmail.com

(riastradh)

2022-03-13 13:18:22 UTC MAIN commitmail json YAML

usbdi(9): Fix mistake in previous change to usbd_fill_iface_data.

The previous change stopped and rejected any descriptors smaller than
an endpoint descriptor.  Restore the previous behaviour: just skip
over them (but it will now reject descriptors that are smaller than
_any_ descriptor, which is legitimately a hardware error).

(riastradh)

2022-03-13 13:07:39 UTC MAIN commitmail json YAML

usbdi(9): Fix paste-o in previous change to usbd_ar_pipe.

(riastradh)

2022-03-13 12:57:33 UTC MAIN commitmail json YAML

ntp(9): Avoid left shift of negative.

Kinda silly that this is UB at all...

Reported-by: syzbot+baf29c7f0756293b8257@syzkaller.appspotmail.com

(riastradh)

2022-03-13 12:49:37 UTC MAIN commitmail json YAML

auvitek(4): Fix i2c detach if attach failed.

While here, use config_detach_children.

Reported-by: syzbot+bf05898af6a53cb3b262@syzkaller.appspotmail.com

(riastradh)

2022-03-13 12:30:47 UTC MAIN commitmail json YAML

ntp(9): Clamp ntv->offset to avoid arithmetic overflow on adjtime.

Reported-by: syzbot+b8406db60db88650652e@syzkaller.appspotmail.com

(riastradh)

2022-03-13 12:21:28 UTC MAIN commitmail json YAML

kern: Handle clock winding back in nanosleep1 without overflow.

Reported-by: syzbot+3bdd260582424a611946@syzkaller.appspotmail.com

(riastradh)
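Three of the entries above (the ts2timo fencepost, the posix_fadvise(2) overflow, and the clock winding back in nanosleep1) are the same bug class: signed time or offset arithmetic whose wrap is undefined behaviour, so it cannot be detected after the fact. The following is an added example of the checked pattern, not the NetBSD kernel's code: a timespec subtraction that accounts for the extra borrow from tv_nsec (the fencepost in the ts2timo entry, where tv_sec - tv_sec fits but the "- 1" does not), an absolute-to-relative deadline conversion that turns a wrap in either direction into ETIMEDOUT or EOVERFLOW, and the same builtin applied to an off + len range. It assumes a 64-bit time_t and off_t and a compiler with __builtin_sub_overflow/__builtin_add_overflow (GCC and Clang); the function names and the self-check values are mine.

```c
#define _POSIX_C_SOURCE 200809L
#define _FILE_OFFSET_BITS 64	/* assumption: 64-bit off_t (and time_t) */
#include <errno.h>
#include <stdint.h>
#include <sys/types.h>
#include <time.h>

#define NSEC_PER_SEC 1000000000L

/*
 * *res = *a - *b with tv_nsec normalised into [0, NSEC_PER_SEC).
 * Returns 0, or EOVERFLOW if tv_sec would wrap.  The borrow from
 * tv_nsec is checked as a second subtraction: a->tv_sec - b->tv_sec
 * may be representable while one less is not.
 */
int
timespec_sub_checked(const struct timespec *a, const struct timespec *b,
    struct timespec *res)
{
	time_t sec;
	long nsec = a->tv_nsec - b->tv_nsec;	/* both < 1e9: cannot wrap */
	int borrow = 0;

	if (nsec < 0) {
		nsec += NSEC_PER_SEC;
		borrow = 1;
	}
	if (__builtin_sub_overflow(a->tv_sec, b->tv_sec, &sec))
		return EOVERFLOW;
	if (borrow && __builtin_sub_overflow(sec, (time_t)1, &sec))
		return EOVERFLOW;
	res->tv_sec = sec;
	res->tv_nsec = nsec;
	return 0;
}

/*
 * Relative timeout from an absolute deadline and the current time.
 * Returns 0 with *rel set; ETIMEDOUT if the deadline has passed,
 * including when the subtraction would wrap towards -infinity (a
 * deadline of LLONG_MIN, or a clock wound far back); EOVERFLOW if
 * the wait is too long to represent.
 */
int
abs_to_rel(const struct timespec *deadline, const struct timespec *now,
    struct timespec *rel)
{
	int error = timespec_sub_checked(deadline, now, rel);

	if (error != 0) {
		/* On a wrap, the sign of the true result follows tv_sec. */
		return deadline->tv_sec < now->tv_sec ? ETIMEDOUT : EOVERFLOW;
	}
	if (rel->tv_sec < 0 || (rel->tv_sec == 0 && rel->tv_nsec == 0))
		return ETIMEDOUT;
	return 0;
}

/* Scalar wrapper: nanoseconds remaining, or the negated errno value. */
long long
remaining_nanos(time_t dsec, long dnsec, time_t nowsec, long nownsec)
{
	struct timespec d = { .tv_sec = dsec, .tv_nsec = dnsec };
	struct timespec n = { .tv_sec = nowsec, .tv_nsec = nownsec };
	struct timespec r;
	int error = abs_to_rel(&d, &n, &r);

	if (error != 0)
		return -(long long)error;
	return (long long)r.tv_sec * NSEC_PER_SEC + r.tv_nsec;
}

/*
 * Same pattern for a byte range [off, off + len): reject negative
 * inputs and detect the wrap without evaluating off + len in plain
 * signed arithmetic.  Returns 0 (storing the end if `end` is non-NULL)
 * or EINVAL.
 */
int
range_end_checked(off_t off, off_t len, off_t *end)
{
	off_t sum;

	if (off < 0 || len < 0)
		return EINVAL;
	if (__builtin_add_overflow(off, len, &sum))
		return EINVAL;
	if (end != NULL)
		*end = sum;
	return 0;
}
```

The ts2timo scenario from the entry above is `remaining_nanos(INT64_MIN, 0, 0, 5)`: the tv_sec subtraction itself fits, the borrow does not, and the wrap direction correctly classifies the deadline as already past rather than as an arbitrary huge timeout.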

2022-03-13 11:35:47 UTC MAIN commitmail json YAML

hid: Avoid arithmetic overflow by rearranging inequalities.

(riastradh)

2022-03-13 11:30:13 UTC MAIN commitmail json YAML

usb: Parse descriptors a little more robustly.

- Avoid reading past the end in the event of bogus bLength.
- Avoid arithmetic overflow by rearranging inequalities.

Reported-by: syzbot+511227c050a2f164e34c@syzkaller.appspotmail.com

(riastradh)
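The usbd_get_no_alts entry above and this one describe the two rules for walking device-supplied descriptor chains: a bLength that does not fit in what remains must stop the walk, but a descriptor of some other type that is merely smaller than an interface descriptor must be skipped by its own bLength, not treated as an error. The following is an added example of such a walker, not the NetBSD usbdi(9) code: it counts the alternate settings of one interface in a configuration blob, with every bound written as "remaining < needed" so no offset addition can wrap. It assumes the standard USB descriptor layout (bLength, bDescriptorType, and for interface descriptors bInterfaceNumber at byte 2); the sample blobs are constructed for the self-checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* bDescriptorType values from the USB specification. */
#define UDESC_CONFIG    2
#define UDESC_INTERFACE 4
#define UDESC_ENDPOINT  5

#define USB_DESC_HDR_LEN    2	/* bLength, bDescriptorType */
#define USB_IFACE_DESC_LEN  9	/* full interface descriptor */

/*
 * Count alternate settings of interface `ifaceno` in `len` bytes of
 * configuration descriptors.  Returns -1 if the blob is malformed:
 *   - a header that does not fit, or a bLength shorter than a header
 *     (0 or 1) or longer than what is left;
 *   - an interface-type descriptor shorter than an interface descriptor.
 * Every other descriptor is skipped by its own bLength, even when it is
 * smaller than an interface descriptor (class-specific ones often are).
 */
int
count_alt_settings(const uint8_t *buf, size_t len, uint8_t ifaceno)
{
	size_t off = 0;
	int nalts = 0;

	while (off < len) {
		size_t remaining = len - off;	/* off < len, so no wrap */
		uint8_t blen, btype;

		if (remaining < USB_DESC_HDR_LEN)
			return -1;
		blen = buf[off];
		btype = buf[off + 1];
		if (blen < USB_DESC_HDR_LEN || blen > remaining)
			return -1;	/* bogus bLength: never read past the end */
		if (btype == UDESC_INTERFACE) {
			if (blen < USB_IFACE_DESC_LEN)
				return -1;
			/* bInterfaceNumber is byte 2 of an interface descriptor. */
			if (buf[off + 2] == ifaceno)
				nalts++;
		}
		off += blen;	/* blen <= remaining, so off <= len */
	}
	return nalts;
}

/*
 * Constructed sample: config header (wTotalLength 46), iface 0 alt 0,
 * a 7-byte endpoint descriptor, iface 0 alt 1, a 3-byte class-specific
 * descriptor (type 0x24), iface 1 alt 0.
 */
static const uint8_t sample_config[] = {
	9, UDESC_CONFIG, 46, 0, 2, 1, 0, 0x80, 50,
	9, UDESC_INTERFACE, 0, 0, 1, 0xff, 0, 0, 0,
	7, UDESC_ENDPOINT, 0x81, 0x03, 8, 0, 10,
	9, UDESC_INTERFACE, 0, 1, 1, 0xff, 0, 0, 0,
	3, 0x24, 0x00,
	9, UDESC_INTERFACE, 1, 0, 0, 0xff, 0, 0, 0,
};

/* Constructed malformed inputs, one per rejection rule. */
static const uint8_t bad_zero_blength[]  = { 0, UDESC_INTERFACE, 0, 0 };
static const uint8_t bad_overrun[]       = { 9, UDESC_INTERFACE, 0, 0 };
static const uint8_t bad_short_iface[]   = { 5, UDESC_INTERFACE, 0, 0, 0 };
static const uint8_t bad_trailing_byte[] = { 3, 0x24, 0x00, 0x09 };

int
main(void)
{
	for (uint8_t i = 0; i < 3; i++)
		printf("interface %u: %d alternate setting(s)\n", i,
		    count_alt_settings(sample_config, sizeof sample_config, i));
	printf("malformed: %d %d %d %d\n",
	    count_alt_settings(bad_zero_blength, sizeof bad_zero_blength, 0),
	    count_alt_settings(bad_overrun, sizeof bad_overrun, 0),
	    count_alt_settings(bad_short_iface, sizeof bad_short_iface, 0),
	    count_alt_settings(bad_trailing_byte, sizeof bad_trailing_byte, 0));
	return 0;
}
```

The version the usbd_get_no_alts entry describes as broken would have returned -1 on the 7-byte endpoint and 3-byte class-specific descriptors in sample_config, rejecting a perfectly valid configuration; the one this entry fixes would have read past the end on bad_overrun.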

2022-03-13 11:30:04 UTC MAIN commitmail json YAML

xhci(4): Serialize access to portsc registers.

Both xhci_roothub_ctrl and xhci_suspend/resume do r/m/w on them, so
use a mutex to serialize access to avoid stomping on each other.

(riastradh)

2022-03-13 11:29:55 UTC MAIN commitmail json YAML

xhci(4): Restore synchronous abort.

In revision 1.155, I made the logic to abort the hardware
asynchronous, under the misapprehension that it is necessary for
ubm_abortx not to release the bus lock.

Not only is this not necessary, but it is harmful for the logic to
be asynchronous because the caller assumes the hardware won't use any
DMA buffers by the time ubm_abortx has returned so it is safe to
recycle them -- which is false if we don't synchronously wait for the
hardware to stop.

(riastradh)

2022-03-13 11:29:46 UTC MAIN commitmail json YAML

uhci(4): Stop taking the intr lock in uhci_run.

Not needed for anything here.

(riastradh)

2022-03-13 11:29:38 UTC MAIN commitmail json YAML

uhci(4): Simplify uhci_run.

`locked' is always 0 now.

No functional change intended.

(riastradh)

2022-03-13 11:29:31 UTC MAIN commitmail json YAML

uhci(4): Fix synchronization between suspend/resume and poll hub.

- sc_intr_lock is not relevant to anything here -- stop using it.
- Never schedule the callout while suspended.
- Don't futz with usepolling; it makes sense only when all other CPUs
  and threads are quiesced, which is not the case here.

(riastradh)

2022-03-13 11:29:21 UTC MAIN commitmail json YAML

ehci(4): Serialize access to portsc registers.

Both ehci_roothub_ctrl and ehci_suspend/resume do r/m/w on them, so
use a mutex to serialize access to avoid stomping on each other.

(riastradh)

2022-03-13 11:29:10 UTC MAIN commitmail json YAML

ehci(4): Fix doorbell synchronization.

ehci_sync_hc was previously subject to spurious wakeup, in which case
the CPU might proceed from aborting and recycle a DMA buffer before
the hardware was done writing to it.  Now the code is not subject to
spurious wakeup -- it waits (up to the 1sec timeout) for the relevant
interrupt to be delivered, not for anything else.

(riastradh)

2022-03-13 11:29:01 UTC MAIN commitmail json YAML

usb: Clarify contract of usbd_xfer_trycomplete.

No functional change.  This rule has always been in place since
usbd_xfer_trycomplete was created, just wasn't clearly articulated
anywhere.

(riastradh)

2022-03-13 11:28:52 UTC MAIN commitmail json YAML

usb: Fix roothub ctrl xfer aborts.

No mechanism for actually aborting, but at least this now waits for
the xfer to have completed instead of blithely barging ahead whether
it's done or not.

(riastradh)

2022-03-13 11:28:42 UTC MAIN commitmail json YAML

usbdi(9): Assert no concurrent aborts on a single pipe.

It is a driver bug to try to abort a pipe at the same time in two
different threads.

HCI drivers may release the bus lock to sleep in upm_abort while
waiting for the hardware to acknowledge an abort, so it won't try to,
e.g., scribble over a DMA buffer in the xfer that we've recycled
after usbd_abort_pipe returns.

If this happens, a concurrent usbd_abort_pipe might try to apply
upm_abort to the same xfer, which HCI drivers are not prepared for
and may wreak havoc.

To avoid this, allow only one usbd_abort_pipe in flight at any given
time.

(riastradh)

2022-03-13 11:28:33 UTC MAIN commitmail json YAML

usbdi(9): Assert sleepable in usbd_ar_pipe.

Caller of usbd_suspend_pipe or usbd_abort_pipe must be prepared to
sleep for hardware to acknowledge abort and for in-flight callback on
another CPU to complete.  Let's catch the mistake early of calling
them in non-sleepable contexts where they might get lucky.

(riastradh)

2022-03-12 22:20:34 UTC MAIN commitmail json YAML

kmem(9): Show the pointer in kmem_free(..., 0) assertion like before.

(riastradh)

2022-03-12 21:15:25 UTC MAIN commitmail json YAML

ustir(4): Avoid undefined behaviour if register read fails.

(riastradh)

2022-03-12 20:46:03 UTC MAIN commitmail json YAML

compat_30: Fix thinko in previous.

Let's not go into an infinite loop of stack smashing!

(riastradh)

2022-03-12 19:26:34 UTC MAIN commitmail json YAML

autoconf(9): Refuse to consider negative unit numbers in cfdata.

Reported-by: syzbot+a63ae6c58df86f40b6f3@syzkaller.appspotmail.com

(riastradh)

2022-03-12 18:31:39 UTC MAIN commitmail json YAML

emdtv(4): If register read fails, read as all zero.

Avoids undefined behaviour if device is yanked or broken.

Reported-by: syzbot+18ce1e017b9f802ed287@syzkaller.appspotmail.com

(riastradh)

2022-03-12 17:45:53 UTC MAIN commitmail json YAML

ktrace(9): Avoid stomping over colliding KTROP_SET.

Reported-by: syzbot+1e2a24aaa5725cab16e1@syzkaller.appspotmail.com
Reported-by: syzbot+3f89dc33fa3020fab1c4@syzkaller.appspotmail.com
Reported-by: syzbot+44898c094ce209759d53@syzkaller.appspotmail.com
Reported-by: syzbot+99826cb4b0494bfbb828@syzkaller.appspotmail.com
Reported-by: syzbot+a7c4752dc308936c48b2@syzkaller.appspotmail.com
Reported-by: syzbot+c062464baf148ed5f192@syzkaller.appspotmail.com
Reported-by: syzbot+dfa19489edc185f94b0a@syzkaller.appspotmail.com
Reported-by: syzbot+e2c4a8195d3ad84342dc@syzkaller.appspotmail.com
Reported-by: syzbot+f31927b2905188fddc22@syzkaller.appspotmail.com

(riastradh)

2022-03-12 17:36:14 UTC MAIN commitmail json YAML

kernfs: Just fail with EOPNOTSUPP, don't panic, on VOP_BMAP.

Reported-by: syzbot+870d2eb4b4c8904ac734@syzkaller.appspotmail.com

(riastradh)

2022-03-12 17:27:50 UTC MAIN commitmail json YAML

ccd(4): Only pathbuf_destroy if pathbuf_copyin succeeded.

Reported-by: syzbot+a46aadc788a80afc8742@syzkaller.appspotmail.com

(riastradh)

2022-03-12 17:23:33 UTC MAIN commitmail json YAML

2022-03-12 17:15:04 UTC MAIN commitmail json YAML

crypto(4): Refuse count>1 for old CIOCNCRYPTM.

This hasn't worked since it was written in 2009; if anyone cared
surely they would have fixed it by now!

(Fixing this properly -- and putting a more reasonable upper bound
than the maximum that size_t arithmetic allows -- left as an exercise
for the reader.)

Reported-by: syzbot+798d4a16bc15ae88526e@syzkaller.appspotmail.com

(riastradh)

2022-03-12 17:07:10 UTC MAIN commitmail json YAML

pad(4): Do harmless, not harmful, integer truncation.

Reported-by: syzbot+917ff3551897f1a99cf6@syzkaller.appspotmail.com

(riastradh)

2022-03-12 16:57:16 UTC MAIN commitmail json YAML

scsi(9): Handle bogus number of LUNs in SCSI_REPORT_LUNS.

Reported-by: syzbot+76ef9084533d4bccec66@syzkaller.appspotmail.com

(riastradh)

2022-03-12 16:54:17 UTC MAIN commitmail json YAML

kmem(9): Make kmem_alloc and kmem_free agree about rejecting zero.

Let's do both as KASSERT, unless there's a good reason to make them
both do an unconditional if/panic even in release builds.

(riastradh)

2022-03-12 16:51:10 UTC MAIN commitmail json YAML

uvideo(4): Use kmem_zalloc, not kmem_alloc and memset.

(riastradh)

2022-03-12 16:46:57 UTC MAIN commitmail json YAML

kern: Clamp time_adjtime to avoid overflow.

Reported-by: syzbot+7edce1a31dfd2a5eaa18@syzkaller.appspotmail.com

(riastradh)

2022-03-12 16:19:08 UTC MAIN commitmail json YAML

bpf(4): Clamp read timeout to INT_MAX ticks to avoid overflow.

Reported-by: syzbot+c543d35064d3492b9091@syzkaller.appspotmail.com

(riastradh)

2022-03-12 16:06:15 UTC MAIN commitmail json YAML

kern: m_copym(M_DONTWAIT) can fail; handle that case gracefully.

Not sure if this should truncate the result or just fail with nonzero
error code (ENOBUFS?).  Feel free to change this the other way if you
know better!

Reported-by: syzbot+54c34f25d1e4124eb85d@syzkaller.appspotmail.com

(riastradh)

2022-03-12 15:54:24 UTC MAIN commitmail json YAML

compat_30: Avoid what might be technically undefined behaviour.

Not sure advancing a user pointer by one for the purpose of making an
equality test fail later on is actually likely to be a problem, but
let's just pacify the sanitizer.

Reported-by: syzbot+758b18164c5c444f4249@syzkaller.appspotmail.com

(riastradh)

2022-03-12 15:50:53 UTC MAIN commitmail json YAML

x86: Provide better attribution for syscall biglock slippage.

(riastradh)

2022-03-12 15:50:45 UTC MAIN commitmail json YAML

x86: Check for biglock leakage in interrupt handlers.

(riastradh)

2022-03-12 15:36:53 UTC MAIN commitmail json YAML

ffs: Fix 64-bit inode integer truncation.

Reported-by: syzbot+1ae93e092d532582b809@syzkaller.appspotmail.com

(riastradh)

2022-03-12 15:32:33 UTC MAIN commitmail json YAML

sys: Membar audit around reference count releases.

If two threads are using an object that is freed when the reference
count goes to zero, we need to ensure that all memory operations
related to the object happen before freeing the object.

Using an atomic_dec_uint_nv(&refcnt) == 0 ensures that only one
thread takes responsibility for freeing, but it's not enough to
ensure that the other thread's memory operations happen before the
freeing.

Consider:

  Thread A                      Thread B
  obj->foo = 42;                obj->baz = 73;
  mumble(&obj->bar);            grumble(&obj->quux);
  /* membar_exit(); */          /* membar_exit(); */
  atomic_dec -- not last        atomic_dec -- last
                                /* membar_enter(); */
                                KASSERT(invariant(obj->foo,
                                    obj->bar));
                                free_stuff(obj);

The memory barriers ensure that

obj->foo = 42;
mumble(&obj->bar);

in thread A happens before

KASSERT(invariant(obj->foo, obj->bar));
free_stuff(obj);

in thread B.  Without them, this ordering is not guaranteed.

So in general it is necessary to do

membar_exit();
if (atomic_dec_uint_nv(&obj->refcnt) != 0)
        return;
membar_enter();

to release a reference, for the `last one out hit the lights' style
of reference counting.  (This is in contrast to the style where one
thread blocks new references and then waits under a lock for existing
ones to drain with a condvar -- no membar needed thanks to mutex(9).)

I searched for atomic_dec to find all these.  Obviously we ought to
have a better abstraction for this because there's so much copypasta.
This is a stop-gap measure to fix actual bugs until we have that.  It
would be nice if an abstraction could gracefully handle the different
styles of reference counting in use -- some years ago I drafted an
API for this, but making it cover everything got a little out of hand
(particularly with struct vnode::v_usecount) and I ended up setting
it aside to work on psref/localcount instead for better scalability.

I got bored of adding #ifdef __HAVE_ATOMIC_AS_MEMBAR everywhere, so I
only put it on things that look performance-critical on 5sec review.
We should really adopt membar_enter_preatomic/membar_exit_postatomic
or something (except they are applicable only to atomic r/m/w, not to
atomic_load/store_*, making the naming annoying) and get rid of all
the ifdefs.

(riastradh)
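The release idiom in the message above, as an added example that is not NetBSD's code: the reference count is modelled with C11 atomics, a release fence standing in for membar_exit() and an acquire fence for membar_enter(), and several pthreads drop their references concurrently so the freeing thread can check that it really observed every other holder's stores. struct obj, the slot array and the 7*i values are constructed for the example; build with -pthread.

```c
/*
 * Added example, not NetBSD code: the `last one out hits the lights'
 * release pattern from the commit message, in C11 atomics and pthreads.
 * membar_exit() before the decrement is modelled as a release fence and
 * membar_enter() after observing zero as an acquire fence.
 */
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

#define MAX_HOLDERS 16

struct obj {
	atomic_uint refcnt;
	int nholders;
	int slot[MAX_HOLDERS];	/* slot[i] is written only by holder i */
};

static atomic_int freer_saw_all_stores;	/* what the freeing thread observed */

static struct obj *
obj_create(int nholders, unsigned refs)
{
	struct obj *obj = calloc(1, sizeof(*obj));

	if (obj == NULL)
		abort();
	atomic_init(&obj->refcnt, refs);
	obj->nholders = nholders;
	return obj;
}

/* Drop one reference.  Returns 1 iff this call freed the object. */
static int
obj_release(struct obj *obj)
{
	int i, ok = 1;

	/* membar_exit(): our stores through obj must precede the decrement. */
	atomic_thread_fence(memory_order_release);
	if (atomic_fetch_sub_explicit(&obj->refcnt, 1, memory_order_relaxed) != 1)
		return 0;	/* not the last one out */
	/* membar_enter(): the other holders' stores must precede the free.
	 * Each holder's slot store precedes its own release fence and
	 * decrement, so after this fence every slot is visible here. */
	atomic_thread_fence(memory_order_acquire);
	for (i = 0; i < obj->nholders; i++)
		if (obj->slot[i] != 7 * i)
			ok = 0;
	atomic_store(&freer_saw_all_stores, ok);
	free(obj);
	return 1;
}

struct holder { struct obj *obj; int id; int freed; };

static void *
holder_main(void *cookie)
{
	struct holder *h = cookie;

	h->obj->slot[h->id] = 7 * h->id;	/* like obj->foo = 42 above */
	h->freed = obj_release(h->obj);
	return NULL;
}

/* nholders threads each write their slot and release.  Returns how many of
 * them freed the object (must be 1), or -1 if the freer missed a store. */
static int
run_release_race(int nholders)
{
	pthread_t tid[MAX_HOLDERS];
	struct holder h[MAX_HOLDERS];
	struct obj *obj;
	int i, freed = 0;

	if (nholders < 1 || nholders > MAX_HOLDERS)
		return -1;
	obj = obj_create(nholders, (unsigned)nholders);
	for (i = 0; i < nholders; i++) {
		h[i] = (struct holder){ .obj = obj, .id = i, .freed = 0 };
		if (pthread_create(&tid[i], NULL, holder_main, &h[i]) != 0)
			abort();
	}
	for (i = 0; i < nholders; i++) {
		pthread_join(tid[i], NULL);
		freed += h[i].freed;
	}
	return atomic_load(&freer_saw_all_stores) ? freed : -1;
}

/* Single-threaded walk-through: of three releases only the third frees. */
static int
release_sequence_ok(void)
{
	struct obj *obj = obj_create(1, 3);
	int first = obj_release(obj);	/* 3 -> 2 */
	int second = obj_release(obj);	/* 2 -> 1 */
	return first == 0 && second == 0 && obj_release(obj) == 1; /* 1 -> 0 */
}
```

Without the two fences the decrement alone still guarantees a single freer, but not that the freer's reads of the other holders' fields see their final values, which is exactly the bug class the audit fixes.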

2022-03-12 15:30:51 UTC MAIN commitmail json YAML

vhci(4): Make vhci_usb_attach/detach return void.

These never fail, so no need to return zero.

(riastradh)

2022-03-12 15:30:42 UTC MAIN commitmail json YAML

vhci(4): Don't fail with ENOBUFS if no intrxfer is set up.

uhub(4) will set up the intrxfer and query the current state at its
leisure -- no need to treat racing with it as a failure.

(If there's some reason the caller needs to know about this state,
then (a) there should be a comment explaining why, and (b) the
assertion in vhci_fd_close needs to change.)

Should fix a host of syzbot crashes that were all tripping over the
same assertion but with different gobbledegook on the console --
here's all the ones I found in a quick skim of the front page:

Reported-by: syzbot+58b183ac688d656e1bfd@syzkaller.appspotmail.com
Reported-by: syzbot+e7b0e904184aa2c18224@syzkaller.appspotmail.com
Reported-by: syzbot+476b25a0a3655f3565d6@syzkaller.appspotmail.com
Reported-by: syzbot+e5b69892daf87a7464f2@syzkaller.appspotmail.com
Reported-by: syzbot+db7f0bc71c33a488d0fc@syzkaller.appspotmail.com
Reported-by: syzbot+71d0e82df292c56739da@syzkaller.appspotmail.com
Reported-by: syzbot+dbfaad061b2c909d6332@syzkaller.appspotmail.com
Reported-by: syzbot+d8b90cead59b887fee64@syzkaller.appspotmail.com
Reported-by: syzbot+ea147adc4461acb9f491@syzkaller.appspotmail.com
Reported-by: syzbot+cb7239776d4f51c39ca3@syzkaller.appspotmail.com
Reported-by: syzbot+ffbae2dd4d4a0196b026@syzkaller.appspotmail.com
Reported-by: syzbot+95d4852ea931f775cf35@syzkaller.appspotmail.com
Reported-by: syzbot+3236a5e1bc356909b322@syzkaller.appspotmail.com
Reported-by: syzbot+f5ac32d58eab38bce263@syzkaller.appspotmail.com
Reported-by: syzbot+beb9643da72188117748@syzkaller.appspotmail.com
Reported-by: syzbot+896191203695ba350566@syzkaller.appspotmail.com
Reported-by: syzbot+7c175b48b2682cc329a5@syzkaller.appspotmail.com
Reported-by: syzbot+caa5bc391d36d75335ea@syzkaller.appspotmail.com
Reported-by: syzbot+9fe6d4c43fa10f9e4dfa@syzkaller.appspotmail.com
Reported-by: syzbot+ae9ae663386e72d171b3@syzkaller.appspotmail.com
Reported-by: syzbot+a0c3a5c2f7af91e44c17@syzkaller.appspotmail.com
Reported-by: syzbot+3c157b017d0cafa7aea9@syzkaller.appspotmail.com
Reported-by: syzbot+1e05efbbf2d7df821bfd@syzkaller.appspotmail.com
Reported-by: syzbot+999f20b408f61e22f4e0@syzkaller.appspotmail.com
Reported-by: syzbot+22d227370f78b3a34442@syzkaller.appspotmail.com
Reported-by: syzbot+33760fa9b95349460293@syzkaller.appspotmail.com
Reported-by: syzbot+75d865aafbc9ebadb0f6@syzkaller.appspotmail.com
Reported-by: syzbot+3ddff5cb80bc0c9ac635@syzkaller.appspotmail.com
Reported-by: syzbot+0f942570160d533d892d@syzkaller.appspotmail.com

(riastradh)

2022-03-10 12:21:35 UTC MAIN commitmail json YAML

kern: Use atomic_store_release/atomic_load_consume for pid_table.

This is read without the lock, so ordering is required.

(riastradh)

2022-03-10 12:21:25 UTC MAIN commitmail json YAML

kern: Fix synchronization of clearing LP_RUNNING and lwp_free.

1. membar_sync is not necessary here -- only a store-release is
  required.

2. membar_consumer _before_ loading l->l_pflag is not enough; a
  load-acquire is required.

Actually it's not really clear to me why any barriers are needed, since
the store-release and load-acquire should be implied by releasing and
acquiring the lwp lock (and maybe we could spin with the lock instead
of reading l->l_pflag unlocked).  But maybe there's something subtle
about access to l->l_mutex that's not obvious here.

(riastradh)

2022-03-10 00:14:34 UTC MAIN commitmail json YAML

gffb(4): Nix membar_sync and explain what's going on here.

(riastradh)

2022-03-10 00:14:25 UTC MAIN commitmail json YAML

gffb(4): Use bus_space_barrier, not membar_sync.

(riastradh)

2022-03-10 00:14:16 UTC MAIN commitmail json YAML

2022-03-09 22:19:07 UTC MAIN commitmail json YAML

xhci(4): Avoid holding bus lock across usb_delay_ms.

We may still need a mechanism to serialize access to the portsc
registers between xhci_roothub_ctrl and xhci_suspend/resume, but the
bus lock is no longer that, and holding the bus lock across
usb_delay_ms may lead to deadlock by blocking the softints that wake
usb_delay_ms.

(riastradh)

2022-03-09 22:18:54 UTC MAIN commitmail json YAML

ohci(4): Don't flail around with enabling polling in suspend/resume.

This doesn't work -- polling mode only works when all other CPUs are
quiesced and the current one is running sequentially without
preemption.

Also not clear whether this does anything useful.  Maybe we need a
mechanism to block new xfers until resumed, but this wasn't that.

(riastradh)

2022-03-09 22:18:13 UTC MAIN commitmail json YAML

ehci(4): Omit bus lock around ehci_suspend/resume.

This no longer serializes access to the portsc registers, also used
by ehci_roothub_ctrl, but it does pose a potential deadlock with
softints to wake usb_delay_ms.  So the bus lock doesn't help here,
and may cause deadlock.

(riastradh)

2022-03-09 22:17:41 UTC MAIN commitmail json YAML

usb: Provisionally release bus lock around ubm_rhctrl.

This isn't quite correct, but it avoids a deadlock:

- *_roothub_ctrl holds bus lock, waits in usb_delay_ms for kpause
- softint waits for bus lock, holds up kpause wakeup

The deadlock is new since recent changes to hold the bus lock over
upm_start/upm_transfer.  Making this change regresses to other
problems:

- *_suspend/resume and *_roothub_ctrl often touch the same portsc
  registers

- roothub_ctrl_abort needs to wait for ubm_rhctrl to complete.

  When the bus lock was held across both, a noop served here, but we
  can't hold the bus lock across both, so that doesn't work.

However, these problems -- which we've had for a long time -- seem to
be less bad than the deadlock.  So let's avoid the deadlock for now
and then work out another way to serialize suspend/resume/rhctrl and
aborts.

Candidate fix for PR kern/56739.

(riastradh)

2022-03-06 09:03:42 UTC MAIN commitmail json YAML

usb(4): Use atomics for usb_async_proc.

This is written under proc_lock and read without it in usb_add_event,
so using atomics pacifies the sanitizer.  No memory ordering needed
because the value isn't actually used until the softint runs, using
it under proc_lock.  Kind of a micro-optimization, but let's avoid
contention on proc_lock in the common case of no usb_async_proc set
up (why is this a system global, anyway? and why is there a softint
if usb_add_event always runs at IPL_NONE?).

Reported-by: syzbot+1b2fa68535e5b0f3dcaa@syzkaller.appspotmail.com

(riastradh)

2022-03-05 06:55:58 UTC MAIN commitmail json YAML

usbnet(9): Clarify uno_stop contract in man page.

(riastradh)

2022-03-05 06:55:49 UTC MAIN commitmail json YAML

usbnet(9): uno_init is now optional.

Update assertion and man page accordingly.

(riastradh)

2022-03-03 07:31:24 UTC MAIN commitmail json YAML

Welcome to NetBSD 9.99.94!

- usbnet(9) overhaul.
- USB host controller interface API and ABI simplifications.
- usbdi(9) additions -- usbd_suspend_pipe, usbd_resume_pipe.
- video(9) change -- video_attach_mi takes explicit cookie argument.
- driver(9) addition -- device_set_private, in preparation for opaque
  struct device.

While here, fix typo noted by pgoyette@ -- `privilege', not
`priviledge'.

(riastradh)

2022-03-03 06:28:26 UTC MAIN commitmail json YAML

2022-03-03 06:28:04 UTC MAIN commitmail json YAML

powerpc: Use device_set_private for e500 cpuN.

(riastradh)

2022-03-03 06:27:41 UTC MAIN commitmail json YAML

mips: Carefully use device_set_private for cpuN.

But don't do it in cpu_attach_common because the callers aren't set
up right -- instead leave a comment about what's wrong, to be dealt
with later.

(riastradh)

2022-03-03 06:27:21 UTC MAIN commitmail json YAML

2022-03-03 06:27:03 UTC MAIN commitmail json YAML

2022-03-03 06:26:29 UTC MAIN commitmail json YAML

2022-03-03 06:26:14 UTC MAIN commitmail json YAML

arc: Use device_set_private for cpuN.

(riastradh)

2022-03-03 06:26:06 UTC MAIN commitmail json YAML

arm: Use device_set_private for cpuN.

For cpu at fdt, nix the fdt softc -- this was leaked and never used
for anything.  The device's private storage is the cpu_info.

(riastradh)

2022-03-03 06:25:46 UTC MAIN commitmail json YAML

driver(9): New device_set_private.

Used to initialize a device_t's private pointer at most once.  Only
for drivers with zero cfattach size so autoconf doesn't preallocate;
KASSERT checks for this mistake.

(riastradh)

2022-03-03 06:23:25 UTC MAIN commitmail json YAML

video(9): Make softc argument mandatory for video_attach_mi.

No separate video_attach_mi_softc function any more.

(riastradh)

2022-03-03 06:22:53 UTC MAIN commitmail json YAML

uvideo(4): Attach one video(4) per independent stream.

(riastradh)

2022-03-03 06:22:40 UTC MAIN commitmail json YAML

uvideo(4): Fix zero initialization of uvideo_stream.

Just use kmem_zalloc; don't memset it to zero, especially not after
we just inserted it into the list, with the side effect of deleting
the rest of the list!

(riastradh)

2022-03-03 06:22:23 UTC MAIN commitmail json YAML

video(4): Allow drivers to pass the softc explicitly.

This way one device driver can have multiple video0, video1, &c.,
interfaces attached, using independent state and a common parent.

(riastradh)

2022-03-03 06:22:03 UTC MAIN commitmail json YAML

uvideo(4): Sprinkle debug messages.

(riastradh)

2022-03-03 06:21:50 UTC MAIN commitmail json YAML

uvideo(4): Use __nothing for empty DPRINTF, not actually empty.

(riastradh)

2022-03-03 06:13:35 UTC MAIN commitmail json YAML

usbdi(9): Suspend control pipe on detach.

The device is gone so control transfers won't complete anyway.  This
obviates the need to wait for usbd_do_request to time out.

Seems like maybe we should make _all_ xfers fail with USBD_CANCELLED
when the device is detached, but there's no list of pipes we can just
walk down to suspend them, so we'd have to find another way to do so.
For now, we'll just keep having drivers suspend/abort pipes other
than the control pipe.

(riastradh)

2022-03-03 06:13:23 UTC MAIN commitmail json YAML

usbdi(9): dtrace probes for USB control requests.

(riastradh)

2022-03-03 06:12:49 UTC MAIN commitmail json YAML

usb: Assert hci doesn't synchronously complete async xfers.

The xfer callback must not be invoked synchronously, because it might
need to take a lock that the caller holds.

However, the hci might return failure to the caller, meaning the xfer
callback will not be invoked at all.

(riastradh)

2022-03-03 06:12:11 UTC MAIN commitmail json YAML

2022-03-03 06:09:57 UTC MAIN commitmail json YAML

usb: In usbd_transfer, test whether aborting under the lock.

Otherwise this test is racy and can cause the bad state of a pipe
with a transfer that will never be completed in a pipe that's about
to close under the expectation that the pipe is empty.

(riastradh)

2022-03-03 06:09:44 UTC MAIN commitmail json YAML

usb: Inline usb_insert_transfer.

This makes it clearer which part happens irrespective of error
(putting it on the queue -- unconditional, not rolled back by
usb_insert_transfer) and what the possible `errors' mean (neither of
which is an error, per se).

(riastradh)

2022-03-03 06:09:33 UTC MAIN commitmail json YAML

usbdi(9): New usbd_suspend_pipe, usbd_resume_pipe.

- New usbd_suspend_pipe to persistently stop transfers on a pipe and
  cancel pending ones or wait for their callbacks to finish.
  Idempotent.

- New usbd_resume_pipe to allow transfers again.  Idempotent, but no
  new xfers may be submitted before repeating this.

  This way it is safe to usbd_abort_pipe in two threads concurrently,
  e.g. if one thread is closing a device while another is revoking it
  -- but the threads have to agree on when it is done being aborted
  before starting to use it again.

- Existing usbd_abort_pipe now does suspend then resume.  No change
  in semantics so drivers that relied on being able to submit
  transfers again won't be broken any worse than they already are
  broken.

This allows drivers to avoid races such as:

/* read */
if (sc->sc_dying)
        return ENXIO;
/* (*) */
err = usbd_bulk_transfer(...);

/* detach or close */
sc->sc_dying = true;
usbd_abort_pipe(...);
wait_for_io_to_drain(...);

The detach or close logic might happen at the same time as (*), with
no way to stop the bulk transfer before it starts, leading to
deadlock when detach/close waits for I/O operations like read to
drain.  Instead, the close routine can use usbd_suspend_pipe, and the
usbd_bulk_transfer is guaranteed to fail.

But some drivers such as ucom(4) don't close and reopen pipes after
aborting them -- they open on attach and close on detach, and just
abort when the /dev node is closed, expecting that xfers will
continue to work when next opened.  These drivers can instead use
usbd_suspend_pipe on close and usbd_resume_pipe on open.  Perhaps it
would be better to make them open pipes on open and close pipes on
close, but these functions make for a less intrusive transition.

(riastradh)
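The race described above and its fix, as an added example that is not NetBSD's code: a pthreads model of a pipe whose transfer routine tests the suspended flag under the pipe lock, the way usbd_transfer tests aborting under the lock, so a transfer issued in the (*) window is refused instead of starting after the abort. struct pipe, pipe_transfer, pipe_suspend and pipe_resume are constructed stand-ins for the usbdi(9) functions; build with -pthread.

```c
/*
 * Added example, not NetBSD code: a pthreads model of the suspend/resume
 * gating described in the commit message.  pipe_transfer tests the
 * suspended flag under the pipe lock, so a transfer submitted in the (*)
 * window fails with XFER_CANCELLED rather than starting after the abort.
 */
#include <pthread.h>
#include <stdlib.h>

enum { XFER_OK = 0, XFER_CANCELLED = 1 };

struct pipe {
	pthread_mutex_t lock;
	pthread_cond_t drained;
	int suspended;	/* no new transfers accepted */
	int inflight;	/* transfers started but not yet completed */
};

static void
pipe_init(struct pipe *p)
{
	pthread_mutex_init(&p->lock, NULL);
	pthread_cond_init(&p->drained, NULL);
	p->suspended = p->inflight = 0;
}

/* Submit a transfer; the gate is checked under the lock, so the decision
 * cannot go stale between the sc_dying test and the submission. */
static int
pipe_transfer(struct pipe *p)
{
	pthread_mutex_lock(&p->lock);
	if (p->suspended) {
		pthread_mutex_unlock(&p->lock);
		return XFER_CANCELLED;
	}
	p->inflight++;
	pthread_mutex_unlock(&p->lock);
	/* ... the hardware would run the transfer here ... */
	pthread_mutex_lock(&p->lock);
	if (--p->inflight == 0)
		pthread_cond_broadcast(&p->drained);
	pthread_mutex_unlock(&p->lock);
	return XFER_OK;
}

/* Persistently refuse new transfers and wait for in-flight ones.  Idempotent. */
static void
pipe_suspend(struct pipe *p)
{
	pthread_mutex_lock(&p->lock);
	p->suspended = 1;
	while (p->inflight > 0)
		pthread_cond_wait(&p->drained, &p->lock);
	pthread_mutex_unlock(&p->lock);
}

/* Allow transfers again.  Idempotent. */
static void
pipe_resume(struct pipe *p)
{
	pthread_mutex_lock(&p->lock);
	p->suspended = 0;
	pthread_mutex_unlock(&p->lock);
}

/* The read loop from the commit message: transfer until told we're suspended. */
static void *
reader_main(void *cookie)
{
	struct pipe *p = cookie;
	while (pipe_transfer(p) == XFER_OK)
		continue;
	return NULL;
}

/* nreaders threads hammer the pipe while we suspend it.  Returns 1 iff, once
 * pipe_suspend returned, nothing was in flight, a fresh transfer was refused,
 * every reader exited, and resume made transfers work again. */
static int
suspend_race_ok(int nreaders)
{
	pthread_t tid[32];
	struct pipe p;
	int i, ok;

	if (nreaders < 1 || nreaders > 32)
		return 0;
	pipe_init(&p);
	for (i = 0; i < nreaders; i++)
		if (pthread_create(&tid[i], NULL, reader_main, &p) != 0)
			abort();
	pipe_suspend(&p);
	pipe_suspend(&p);	/* second call is harmless */
	pthread_mutex_lock(&p.lock);
	ok = (p.inflight == 0);
	pthread_mutex_unlock(&p.lock);
	ok = ok && pipe_transfer(&p) == XFER_CANCELLED;
	for (i = 0; i < nreaders; i++)
		pthread_join(tid[i], NULL);
	pipe_resume(&p);
	return ok && pipe_transfer(&p) == XFER_OK;
}
```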

2022-03-03 06:09:20 UTC MAIN commitmail json YAML

usb: Update tables of bus/pipe method locking rules.

No functional change.

(riastradh)

2022-03-03 06:09:11 UTC MAIN commitmail json YAML

usb: Add missing includes in usb_mem.h.

(riastradh)

2022-03-03 06:09:03 UTC MAIN commitmail json YAML

xhci(4): Add missing includes to xhcivar.h.

(riastradh)

2022-03-03 06:08:50 UTC MAIN commitmail json YAML

2022-03-03 06:07:11 UTC MAIN commitmail json YAML

usb: usbd_free_xfer never fails.  Make it return void.

(riastradh)

2022-03-03 06:06:52 UTC MAIN commitmail json YAML

2022-03-03 06:05:38 UTC MAIN commitmail json YAML

2022-03-03 06:04:31 UTC MAIN commitmail json YAML

usb: Factor usb_insert_transfer out of upm_transfer and make private.

Almost every upm_transfer function starts with:

mutex_enter(&sc->sc_lock);
err = usb_insert_transfer(xfer);
mutex_exit(&sc->sc_lock);
if (err)
        return err;

Some of them have debug messages sprinkled in here too, or assert
that err == USBD_NORMAL_COMPLETION (alternative is USBD_IN_PROGRESS,
only for pipes with up_running or up_serialise, presumably not
applicable for these types of pipes).  Some of them also assert
xfer->ux_status == USBD_NOT_STARTED, which is guaranteed on entry and
preserved by usb_insert_transfer.

Exceptions:

- arch/mips/adm5120/dev/ahci.c ahci_device_isoc_transfer just returns
  USBD_NORMAL_COMPLETION, but I'm pretty sure this is and always has
  been broken anyway, so won't make anything worse (if anything, might
  make it better...)

- external/bsd/dwc2/dwc2.c dwc2_device_bulk_transfer and
  dwc2_device_isoc_transfer _also_ issue dwc2_device_start(xfer)
  under the lock.  This is probably a better way to do it, but let's
  do it uniformly across all HCIs at once.

- rump/dev/lib/libugenhc/ugenhc.c rumpusb_device_bulk_transfer
  sometimes returns USBD_IN_PROGRESS _without_ queueing the transfer,
  in the !rump_threads case.  Not really sure how this is supposed to
  work...  If it actually breaks anything, we can figure it out.

(riastradh)

2022-03-03 05:57:05 UTC MAIN commitmail json YAML

usbnet(9): Update man page.

(riastradh)

2022-03-03 05:56:58 UTC MAIN commitmail json YAML

urndis(4): Simplify circuitous initialization logic.

(riastradh)

2022-03-03 05:56:51 UTC MAIN commitmail json YAML

usbnet: Update some comments.

(riastradh)

2022-03-03 05:56:44 UTC MAIN commitmail json YAML

usbnet: On if_stop, abort xfers before resetting hardware.

uno_stop is supposed to have exclusive access to the hardware; this
ensures that any concurrent uno_rx_loop has completed before we enter
uno_stop.

(riastradh)

2022-03-03 05:56:36 UTC MAIN commitmail json YAML

usbnet: Fix type of struct usbnet::un_ed according to plan.

(riastradh)

2022-03-03 05:56:28 UTC MAIN commitmail json YAML

2022-03-03 05:56:19 UTC MAIN commitmail json YAML

2022-03-03 05:56:10 UTC MAIN commitmail json YAML

2022-03-03 05:56:00 UTC MAIN commitmail json YAML

2022-03-03 05:55:52 UTC MAIN commitmail json YAML

usbnet: Handle usbnet_set_link for drivers with no media detect.

(riastradh)

2022-03-03 05:55:45 UTC MAIN commitmail json YAML

url(4): Inline call to url_uno_stop -- alias for url_reset.

(riastradh)

2022-03-03 05:55:38 UTC MAIN commitmail json YAML

usbnet drivers: Omit redundant device reset via *_uno_stop on init.

Only those drivers where *_uno_stop is just *_reset, and *_uno_init
immediately calls *_reset afterward, are affected.

(riastradh)

2022-03-03 05:55:29 UTC MAIN commitmail json YAML

usbnet drivers: From *_uno_init, call *_uno_stop, not usbnet_stop.

Make usbnet_stop private now that no drivers use it.

None of the driver-independent logic in usbnet_stop has any effect at
this point because we are guaranteed not to be running, so only the
driver-dependent logic in *_uno_stop (at most) is needed.

For drivers with no *_uno_stop, just omit the call to usbnet_stop
altogether.

Some of this logic is obviously redundant with the subsequent call to
*_reset -- to be addressed in a subsequent commit.

(riastradh)

2022-03-03 05:55:19 UTC MAIN commitmail json YAML

usbnet drivers: Prune dead IFF_RUNNING branches in *_uno_init.

usbnet(9) guarantees !IFF_RUNNING now before calling it.

(riastradh)

2022-03-03 05:55:10 UTC MAIN commitmail json YAML

usbnet: Do nothing on if_init/stop if already in the target state.

The network stack _shouldn't_ ever call us if so, but I'm not yet
sure it _won't_.

(riastradh)

2022-03-03 05:55:01 UTC MAIN commitmail json YAML

2022-03-03 05:54:52 UTC MAIN commitmail json YAML

usbnet: Delete the core lock from the API.

Init/stop and ioctl happen under IFNET_LOCK.  Multicast updates only
happen after init and before stop.  Core lock is no longer a relevant
part of the API.  Internally, it serves essentially just to lock out
asynchronous mii activity during init/stop.

(riastradh)

2022-03-03 05:54:45 UTC MAIN commitmail json YAML

urndis(4): Delete some crazy logic that I think is unnecessary.

XXX definitely need to test this one

(riastradh)

2022-03-03 05:54:37 UTC MAIN commitmail json YAML

usbnet drivers: Omit needless usbnet core lock and assertions.

During attach, the caller has exclusive access to the usbnet until
usbnet_attach_ifp.  At other times, register access is serialized
either by the usbnet multicast lock or by IFNET_LOCK.

(riastradh)

2022-03-03 05:54:28 UTC MAIN commitmail json YAML

usbnet: Make usbnet_mii_readreg/writereg/statchg private to usbnet.c.

No drivers need to use these.

(riastradh)

2022-03-03 05:54:21 UTC MAIN commitmail json YAML

usbnet drivers: Avoid undefined behaviour if read reg fails.

Some callers don't check the error code, e.g. ~all the mii phy
drivers using PHY_READ.  Just return zero if the device is gone or
the xfer fails for any other reason.

(riastradh)

2022-03-03 05:54:11 UTC MAIN commitmail json YAML

axen(4): Use axen mii read/write reg routines, not usbnet ones.

The usbnet wrappers don't add anything important.  We already test
usbnet_isdying in axen_cmd, and that's already a best-effort thing
(which should probably be done better by having usbd_do_request fail
promptly if detaching anyway).

(riastradh)

2022-03-03 05:54:03 UTC MAIN commitmail json YAML

usbnet drivers: Assert IFNET_LOCKED in if ioctl routines.

These only happen either during the transition up or down (init or
stop), or while that transition is excluded (ioctl).

This may be called from ioctl or from init, which both hold the ifnet
lock.

XXX smsc_setoe_locked should maybe trigger reinit because the rx loop
behaves differently depending on whether checksumming is enabled.

XXX mue_sethwcsum_locked needs to exclude mcast updates.

(riastradh)

2022-03-03 05:53:56 UTC MAIN commitmail json YAML

udav(4): Stop asserting !usbnet_isdying.

This can change at any moment; no software lock can prevent the
device from being detached.  Any test of it is necessarily
best-effort just to avoid wasting time later on waiting for requests
to fail or time out.

(riastradh)

2022-03-03 05:53:49 UTC MAIN commitmail json YAML

aue(4): Simplify.  No functional change.

(riastradh)

2022-03-03 05:53:41 UTC MAIN commitmail json YAML

aue(4): Enable rx/tx registers on init before usbnet_init_rx_tx.

This way, we still have exclusive access to the registers before
calls to aue_uno_mcast can start happening without the usbnet core
lock.

(riastradh)

2022-03-03 05:53:33 UTC MAIN commitmail json YAML

2022-03-03 05:53:23 UTC MAIN commitmail json YAML

usbnet: Apply hardware multicast filter updates synchronously again.

To make this work:

1. Do it only under a new lock, unp_mcastlock.  This lock lives at
  IPL_SOFTCLOCK so it can be taken from network stack callouts.  It
  is forbidden to acquire the usbnet core lock under unp_mcastlock.

2. Do it only after usbnet_init_rx_tx and before usbnet_stop; if
  issued at any other time, drop the update on the floor.

3. Make usbnet_init_rx_tx apply any pending multicast filter updates
  under the lock before setting the flag that allows SIOCADDMULTI or
  SIOCDELMULTI to apply the updates.

4. Remove core lock asserts from various drivers' register access
  routines.  This is necessary because the multicast filter updates
  are done with register reads/writes, but _cannot_ take the core
  lock when the caller holds softnet_lock.

This now programs the hardware multicast filter redundantly in many
drivers which already explicitly call *_uno_mcast from the *_uno_init
routines.  This is probably harmless, but it will likely be better to
remove the explicit calls.

(riastradh)

2022-03-03 05:53:14 UTC MAIN commitmail json YAML

usbnet drivers: Stop abusing ifp->if_flags & IFF_ALLMULTI.

This legacy flag is a figment of userland's imagination.  The actual
kernel state is ec->ec_flags & ETHER_F_ALLMULTI, protected by the
ETHER_LOCK, so that multicast filter updates -- which run without
IFNET_LOCK -- need not attempt to write racily to ifp->if_flags.

(riastradh)

2022-03-03 05:53:04 UTC MAIN commitmail json YAML

2022-03-03 05:52:55 UTC MAIN commitmail json YAML

aue(4): Reduce aue_uno_mcast from aue_uno_init to aue_setiff_locked.

This operation only needs to update the hardware to reflect
SIOCADDMULTI/SIOCDELMULTI.  Not clear that everything in aue(4) needs
to be reset -- in fact I'm pretty sure that's undesirable!

WARNING: I have not tested this with a real aue(4) device.

(riastradh)

2022-03-03 05:52:46 UTC MAIN commitmail json YAML

usbnet: Take the core lock around uno_mcast.

Every driver does this already.  This will enable us to change the
lock that serializes access to the registers so we can go back to
doing this synchronously in SIOCADDMULTI/SIOCDELMULTI.

(riastradh)

2022-03-03 05:52:36 UTC MAIN commitmail json YAML

2022-03-03 05:52:27 UTC MAIN commitmail json YAML

usbnet: No need for the core lock in usbnet_ifflags_cb.

The only state this touches is unp_if_flags, and all paths touching
it also hold IFNET_LOCK -- not to mention this is the only path that
touches unp_if_flags in the first place!

(riastradh)

2022-03-03 05:52:20 UTC MAIN commitmail json YAML

usbnet: Make the tx/rx locks private to usbnet.c.

Suffice it for the drivers to know that uno_tx_prepare and
uno_rx_loop have exclusive access to the chain, and, for tx,
exclusive access to the mbuf.

(riastradh)