apei(4): Fix register chunk counting.

Now it will actually read and write the registers!

Have been updating and reloading the wrong module to test this, oops.

PR kern/58046

(riastradh)

apei(4): Fix indexing of multi-unit register access.

PR kern/58046

(riastradh)

apei(4): Plug memory leak on teardown of instruction interpreter.

PR kern/58046

(riastradh)

acpihed(4): New driver for PNP0C33 to notify apei(4).

PNP0C33 denotes the ACPI Hardware Error Device, which exists only to
be a vector for event notifications.

PR kern/58046

(riastradh)

apei(4): Note some TODOs for EINJ and HEST.

No functional change intended, comments only.

PR kern/58046

(riastradh)

apei(4): Fix parsing checks for TRIGGER_ERROR action table.

The TableSize is size of the header plus the body, not just the body.

PR kern/58046

(riastradh)

apei(4): Tweak some comments about the APEI interpreter language.

No functional change intended.

PR kern/58046

(riastradh)

apei(4): Pacify -Wsign-compare.

Assert that the parsing made forward progress too while here.

PR kern/58046

(riastradh)

apei(4): New driver for ACPI Platform Error Interfaces.

For now it is wired up only in x86 ALL kernels, and built as a module
for x86 and Arm.  Once it gets a little more testing on machines with
APEI, I would like to flip it on by default.

PR kern/58046

(riastradh)

x86: Release the ramdisks too.

This way we will get cgdroot.fs (and zfsroot.fs too) in the release.

PR misc/57534

(riastradh)

libcrypto: Add expected symbol list to check at build-time.

(riastradh)

bsd.lib.mk: Check expected vs actual symbols at build-time.

If, for LIB=foo, you create a file foo.expsym, bsd.lib.mk will list
the dynamic symbols and their versions with

nm --dynamic --extern-only --defined-only --with-symbol-versions

and compare the names (not addresses or types) to foo.expsym.  If
there are any differences, they will be printed and the build will
fail.

foo.expsym should be sorted with `LANG=C sort -u'.

This way, you can verify changes don't inadvertently add or remove
symbols.  If you do want to add (or, if you're bumping the major,
remove) symbols, you can verify the changes and edit the foo.expsym
file accordingly.  This will also help to enforce rules about symbol
changes on pullups in release branches.

Note that using a version map (-Wl,--version-script=...) doesn't
catch symbol removal -- ld quietly ignores symbols in the version map
that aren't actually defined by any object in the library.  So this
supplements the version map.

Proposed on tech-userlevel:
https://mail-index.NetBSD.org/tech-userlevel/2024/03/16/msg014264.html

(riastradh)

acpi(4): Make apeibus actually work as an iattr.

PR kern/58046

(riastradh)

acpi(4): New iattr `apeibus' for attaching an APEI driver.

APEI is the ACPI Platform Error Interface, a standard (if very
complicated) interface for reporting hardware errors to the OS.

Firmware support for APEI is presented through the ACPI tables BERT
(Boot Error Record Table), ERST (Error Record Serialization Table),
EINJ (Error Injection Table), and HEST (Hardware Error Source Table),
rather than through nodes in the ACPI device tree, so it can't just
attach through the existing acpinodebus iattr and instead requires a
special pseudo-bus like acpiwdrt(4).

No driver yet -- this is just the hook to attach one in a module.

The new member sc_apei of struct acpi_softc is placed at the end of
the structure so that this change can be safely pulled up to release
branches without risk to ABI compatibility in existing modules such
as acpiverbose.kmod which may rely on the layout (but not size) of
struct acpi_softc.

PR kern/58046

(riastradh)

strptime(3): Declare digit d as time_t.

This doesn't make a semantic difference -- d can only take on the ten
values {0,1,2,3,4,5,6,7,8,9}, and the arithmetic with it later all
comes out the same whether the type is unsigned or time_t, even if
time_t were int32_t instead of int64_t.

But it pacifies overzealous compilers used by downstream users of
this code.  And while it's silly to use a much wider type (64-bit
signed) than is needed here to store a single digit, it doesn't
really hurt either (32-bit unsigned is much larger than needed too).

PR lib/58041

(riastradh)

strptime(3): Reduce unnecessary indentation.

Post-fix tidying.

No functional change intended.

PR lib/58041

(riastradh)

strptime(3): Avoid arithmetic overflow.

PR lib/58041

(riastradh)

strptime(3): Exercise some edge cases in the automatic tests.

Unfortunately, we can't quite use strptime as a black box to detect
the cases that triggered undefined behaviour, because strptime just
fails in that case anyway since the number that would go in .tm_year
is far out of the representable range.

PR lib/58041

(riastradh)

libcrypto: Fix buffer overrun in truncated SHA-512 functions.

Further fallout from the libc/openssl sha2 symbol collision.

PR lib/58039

(riastradh)

doc/3RDPARTY: Note OpenSSL vendor/release tags.

(riastradh)

libcrypto: Add some trivial tests for truncated SHA-512 variants.

These should use more of the test vectors from

https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Secure-Hashing#Testing

but this will do for now to detect the buffer overrun rake we left
lying around for ourselves.

PR lib/58039

(riastradh)

evbarm/instkernel/sshramdisk: Put firmware in the right paths.

Maybe this should also be wired up to `release' to put the ramdisk in
the releasedir so we detect destdir path leakage like this had.

PR port-evbarm/58035

(riastradh)

evbmips/interrupt.c: No need for __diagused with KASSERT.

KASSERT already references all the variables even in !DIAGNOSTIC
builds (but evaluates nothing at run-time in that case).

That said: Is the curlwp->l_blcnt assertion correct?  Can't curlwp be
changed in this interrupt handler by preemption?

(riastradh)

wg(4): Rework example numbering for clarity and add IPv6.

Let's avoid triggering unease with host number 0.

PR misc/58015

(riastradh)

nvme(4): Disestablish admin q interrupt while suspended.

And re-establish on resume.  Fixes nvmectl(8) after a suspend/resume
cycle on some systems.

Adapted from a patch by mrg@.

PR kern/58025

(riastradh)

wg(4): Bind to CPU in wg_handle_packet.

Required by use of psref there.

Assert we're bound up front so we catch mistakes early, rather than
later on if we get unlucky in preemption and scheduling.

PR bin/58021

(riastradh)

tun(4): Allow IPv6 packets with TUNSLMODE configured.

PR kern/58013

(riastradh)

wg(4): Spruce up example a bit.

- Suggest umask so the private keys aren't world readable.
- Suggest use of pre-shared key files.
- Use TEST-NET-1 and TEST-NET-2 addresses for the example instead of
  real publicly routable addresses.

Holding off on adding IPv6 example until the tun(4) issue is fixed
(PR bin/58013).

PR misc/58015

(riastradh)

pmf(9): Document the bug in pmf_device_register return type.

PR kern/57575

(riastradh)

heartbeat(9): Return early if panicstr is set.

This way we avoid doing unnecessary work -- and print unnecessary
messages -- to _not_ trigger another panic anyway.

PR kern/58011

(riastradh)

certctl(8): Pacify formal POSIX sh syntax.

According to POSIX 2018, the syntax between `then' and `elif' and
`fi' must be a _non-empty_ list of commands:

compound_list    : linebreak term
                | linebreak term separator
                ;
...
if_clause        : If compound_list Then compound_list else_part Fi
                | If compound_list Then compound_list          Fi
                ;
else_part        : Elif compound_list Then compound_list
                | Elif compound_list Then compound_list else_part
                | Else compound_list
                ;

https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_10_02

NetBSD's sh(1) currently doesn't enforce this and allows an empty
sequence of commands, but let's not rely on that nonstandard quirk.

Noted in PR 57997.

(riastradh)

certctl(8): Avoid basename(1).

Saves some time running subprocesses.  Since this is only used for
non-directories (i.e., there's never trailing / on the inputs), it
suffices to delete the longest prefix matching glob `*/' with shell
parameter expansion -- much cheaper than spawning a subprocess.

Shaves off about 1/3 of the time spent in `certctl list' on an
aarch64 VM in qemu.

PR bin/57993

(riastradh)

mozilla-certdata: Fix typo: sprintf, not snprintf, in awk.

Only used during import, and only in case something is wrong anyway
requiring manual intervention, so no change to builds.

(riastradh)

doc/3RDPARTY: mozilla-certdata is up-to-date.

(riastradh)

mozilla-certdata: Update set lists.

(riastradh)

mozilla-certdata: regen

(riastradh)

mozilla-certdata: Update reference in Makefile.

(riastradh)

netinet6: Avoid NPD on `ifconfig ifN inet6 ... pltime 0 vltime 0'.

PR kern/53922

(riastradh)

urtwn(4): Ditch old queued commands on overflow.

Don't increment ring->queued past what the task will decrement.

This is a stop-gap measure; really, we should just have one task for
each operation that is deferred to the task thread.

PR kern/57965

(riastradh)

heartbeat(9): Restore still-applicable comment nixed in last commit.

The nesting depth is stored in ci_heartbeat_suspend which is 32-bit.

(riastradh)

heartbeat(9): No kpreempt_disable/enable in heartbeat_suspend/resume.

This causes a leak of l_nopreempt in xc_thread when a CPU is offlined
and onlined again, because the offlining heartbeat_suspend and the
onlining heartbeat_resume happen in separate xcalls.

No change to callers because they are already bound to the CPU:

1. cnpollc does kpreempt_disable/enable itself around the calls to
  heartbeat_suspend/resume anyway

2. cpu_xc_offline/online run in the xcall thread, which is always
  bound to the CPU that is being offlined or onlined

(riastradh)

fenv(3): Fix fetestexcept to avoid side effects on trap state.

PR port-amd64/57949

(riastradh)

fenv(3): Add test for PR port-amd64/57949.

(riastradh)

longjmp(3) t_sigstack: Fix fencepost error.

Extremely unlikely to cause trouble, but let's just turn that into
`never' to keep it easier for readers.

PR lib/57946

(riastradh)

ramdisk-zfsroot: Enable build by default on amd64.

XXX Should maybe copy this to other ports like evbarm64 too.

PR port-amd64/57948

(riastradh)

longjmp(3) t_sigstack: Use a sigaltstack per handler entry.

longjmp evidently doesn't reset the state of whether the process is
executing on the alternate signal stack.  So when we re-enter the
signal handler, the alternate stack appears to be still in use, and
the system chooses the original stack for the second call to the
signal handler -- which trips our assertion asking to verify that the
signal handler is always using an alternate stack.

Not strictly necessary for the signal handler to use an alternate
stack on re-entry, but this makes it clearer that the signal handler
itself is always using the alternate stack so we can verify that the
interrupted code is _not_ in the signal handler.

With this change, the test now passes on aarch64.

PR lib/57946

(riastradh)

longjmp(3) t_sigstack: Note aarch64 seems to DTRT.

But only by code inspection; it appears to have another problem: on
re-entry, the signal handler is called on the normal stack, not on
the alternate signal stack.

PR lib/57946

(riastradh)

longjmp(3) t_sigstack: Print which entry failed.

PR lib/57946

(riastradh)

longjmp(3): Test signal mask vs stack restore with siglongjmp too.

PR lib/57946

(riastradh)

longjmp(3): Paranoia: more error checking in PR lib/57946 test.

(riastradh)

longjmp(3): Add test for PR lib/57946.

(riastradh)

hdaudio(4): KNF, no functional change intended

(riastradh)

hdaudio(4): Tighten hdafg_freem.

The fix for PR kern/57890 in hdafg.c 1.29 included more conditionals
than needed, covering cases that can't happen: if allocm returns
null, audio(4) does not call freem; and if hdafg_allocm returns
nonnull, then what audio(4) passes to hdafg_freem had better be
either the playback or the capture buffer address.

(riastradh)

agp_i810(4): Use ipi(9) for chipset flush on all CPUs, not xcall(9).

i915 now calls into this with a spin lock held, so we have to use
ipi(9), which spin-waits for the other CPUs to complete, rather than
xcall(9), which may sleep-wait.

Fortunately, this is just to execute WBINVD on x86 (and if this code
ever runs on other architectures, which it probably doesn't, it'll be
a similar barrier instruction), so spinning to wait for that on all
CPUs isn't too costly.

PR kern/57878

XXX pullup-10

(riastradh)

postinstall(8): Don't say /etc/openssl/certs.conf already exists.

It's confusing when all the other `postinstall fix' actions are
silent in the event they don't have anything to do.

PR install/57885

(riastradh)

tests/usr.bin/mtree: Fixed the set lists, no more xfail.

PR misc/57877

(riastradh)

NetBSD.dist.base: Nix /var/run/named.

/var/run is emptied at boot time by /etc/rc.d/mountcritlocal, so
there's no point in creating this at install time -- it has to be
created on the fly after /var/run is cleared on every boot anyway.

Mark /var/run/named obsolete in the set lists.  XXX This isn't quite
right, because it is legitimate for /var/run/named to exist in a
running installation, but it doesn't exist in a freshly installed
system any more.  Maybe we should just remove the entry from the set
lists and add a note to UPDATING about deleting it manually from the
destdir in incremental builds.

PR misc/57877

(riastradh)

NetBSD.dist.base: Fix permissions on /dev/pts.

No reason to write to this -- it's expected to have ptyfs mounted,
and ptyfs doesn't allow changing the directory.  So use 0555
(-r-xr-xr-x) instead of 0755 (-rwxr-xr-x), like it is by default with
ptyfs mounted.

PR misc/57877

(riastradh)

tests/usr.bin/mtree: xfail PR 57877; omit needless debug print.

(riastradh)

mtree(8): Test the installed sets.

Except etc and xetc, which likely won't match for reasons that aren't
great, like etc including empty log files which in an installed
system have probably changed.

This test will probably fail, but we should make sure it doesn't!

PR misc/57877

(riastradh)

ld@sdmmc(4): Hack around deadlock in cache sync on detach.

Yanking a card triggers the sdmmc discovery task, which runs in the
sdmmc task thread, to detach any attached child devices.

Detaching ld@sdmmc triggers a cache flush (via ldbegindetach ->
disk_begindetach -> ld_lastclose -> ld_flush -> ioctl DIOCCACHESYNC),
which is implemented by scheduling a task to do sdmmc_mem_flush_cache
and then waiting for it to complete.

The sdmmc_mem_cache_flush is done by an sdmmc task so it happens
after all previously scheduled I/O operations -- that way the cache
flush doesn't complete until the previously scheduled I/O operations
are complete.

However, when the cache flush task is issued from the discovery task,
this doesn't work, because the cache flush task can't start until the
discovery task has returned -- but the discovery task won't return
until the cache flush task has completed.

To work around this deadlock, which usually happens only when the
device has been yanked anyway so further I/O would be lost anyway,
just do the cache flush synchronously in DIOCCACHESYNC if we're
running in the task thread.

This isn't quite right -- implementation details of the task thread
shouldn't bleed into ld@sdmmc, and running the cache sync _before_
any subsequently scheduled I/O tasks is asking for trouble -- but it
should serve to avoid the deadlock in PR kern/57870 until we can fix
a host of concurrency bugs in sdmmc by fixing the locking scheme and
running discovery in a separate thread from tasks.

XXX pullup-10

(riastradh)

i915_gem_stolen: Fill sg_pgs, with size/PAGE_SIZE entries.

Use sg_alloc_table_from_bus_dmamem to do this.

i915_gem_mman.c vm_fault_cpu and i915_gem_object_release_mmap_offset
both rely on sg_pgs to be a page array, so providing a table with
only one entry doesn't work (except by accident, if the object is
page-sized anyway).  And they rely on the sg_pgs entries to be
initialized, which we weren't doing before, and which
sg_alloc_table_from_bus_dmamem does for us.

Related to PR kern/57833.

XXX pullup-10

(riastradh)

i915_gem_stolen: Fix memory leak.

Found while trying to address the PR 57833 class of problems.

XXX pullup-10

(riastradh)

i915_gem_region: Fill sg_pgs, with size/PAGE_SIZE entries.

Use sg_alloc_table_from_bus_dmamem to do this.

i915_gem_mman.c vm_fault_cpu and i915_gem_object_release_mmap_offset
both rely on sg_pgs to be a page array, so using something else like
size >> ilog2(mem->mm.chunk_size) entries doesn't work.  And they
rely on the sg_pgs entries to be initialized, which we weren't doing
before, and which sg_alloc_table_from_bus_dmamem does for us.

Related to PR kern/57833.

XXX pullup-10

(riastradh)

i915_gem_phys: Fill sg_pgs.

This is needed by i915 gem fault, which maps user virtual addresses
to those pages, and by i915 gem object destruction, which does
pmap_page_protect on the pages to remove any of those user virtual
mappings.

This needs pmap_kenter_pa rather than pmap_enter(pmap_kernel(), ...)
in order to preserve the _kernel's_ mapping of the pages after
pmap_page_protect.

But bus_dmamem_map currently uses pmap_enter(pmap_kernel(), ...)
instead which creates a mapping that is removed by pmap_page_protect.

So we use a variant of bus_dmamem_map that uses pmap_kenter_pa
instead.  Perhaps bus_dmamem_map should do this itself, but this
change is less risky to pull up than a change to bus_dmamem_map
itself.

PR kern/57833: kernel panic on xorg exit

XXX pullup-10

(riastradh)

i915_gem: Assert page array size.

Let's detect the bug of sg_npgs failing to match
obj->base.size/PAGE_SIZE earlier.

Related to PR kern/57833.

XXX pullup-10

(riastradh)

i915_gem: Avoid walking off end of sg_pgs.

sg_npgs currently fails to match obj->base.size/PAGE_SIZE only due to
bugs in the construction of sg_pgs in various i915 gem object types,
which we should also fix, but let's avoid compounding it here.

Related to PR kern/57833.

XXX pullup-10

(riastradh)

i915_gem_region: Reduce diff from upstream a little.

No functional change intended.

Prompted by upcoming nearby changes related to PR kern/57833.

XXX pullup-10 (to make subsequent pullups easier)

(riastradh)

i915: Backport change to downgrade gen7/vlv to aliasing-ppggtt.

PR kern/57268

XXX pullup-10

commit 4fbe112a569526e46fa2accb5763c069f78cb431
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:  Mon Feb 24 10:11:20 2020 +0000

    drm/i915/gtt: Downgrade gen7 (ivb, byt, hsw) back to aliasing-ppgtt

    Full-ppgtt on gen7 is proving to be highly unstable and not robust.

    Closes: https://gitlab.freedesktop.org/drm/intel/issues/694
    Fixes: 3cd6e8860ecd ("drm/i915/gen7: Re-enable full-ppgtt for ivb & hsw")
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
    Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
    Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
    Cc: Jani Nikula <jani.nikula@intel.com>
    Cc: Dave Airlie <airlied@redhat.com>
    Acked-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20200224101120.4024481-1-chris@chris-wilson.co.uk

(riastradh)

usbdi(9): Assert not polling in abort path.

XXX Not sure if this is safe.

(riastradh)

usbdi(9): Avoid taking locks in usbd_transfer while polling.

PR kern/57783

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

usbdi(9): Avoid calling ubm_softint with lock held and polling on.

PR kern/57783

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

getaddrinfo(1): Omit needless whitespace.

No functional change intended.

(riastradh)

fetch(3): Backport SSL validation from pkgsrc libfetch 2.40.

We should really sync with pkgsrc libfetch to avoid divergence, but
this is a low-risk, high-priority change for NetBSD 10:

https://mail-index.netbsd.org/pkgsrc-changes/2024/01/03/msg290052.html

(riastradh)

xennetback_xenbus.c: Nix trailing whitespace again.

No functional change intended.

(riastradh)

libiscsi: Fix types of Time2Wait and Time2Retain in logout decap.

According to https://www.rfc-editor.org/rfc/rfc7143#section-11.15,
these are both 2-byte quantities.  Loading 4-byte quantities and
passing them through ISCSI_NTOHS might have worked by accident on
x86, but it's not gonna fly on big-endian.  (Fortunately sparc64 is
not just big-endian but also strict-alignment so it caught this
problem!)

XXX Is there an upstream for this code?  doc/3RDPARTY doesn't cite
any easily-followed references.

PR port-sparc64/57784

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

httpd(8): Add missing newline to `SSL Error' messages.

Matches the pattern in all other printf/syslog calls.

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

skey(1): Fix documentation of `-x' to match implementation.

PR bin/28495

(riastradh)

stack(7): Fix diagram of non-main thread stacks.

Had stackaddr (pthread_attr_setstack parameter, lowest-numbered
virtual address of stack region) confused with stack base (where the
stack grows from, which is the highest-numbered virtual address on
machines where stack grows down).

PR pkg/57708

XXX pullup-10

(riastradh)

stack(7): Minor clarifications and wording tweaks.

Suggested by pgoyette@ and uwe@.

PR pkg/57708

XXX pullup-10

(riastradh)

pthread: Document the setstack vs setguardsize bug.

Suggest the safe, compatible workaround.

(riastradh)

t_setrlimit: Narrow the scope of stack-protector warning suppression.

(riastradh)

pthread: Don't adjust user-allocated stack addresses by guardsize.

PR lib/57721

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

libpthread/t_stack: Fix format string for size_t.

Tested this on i386 since that had been crashing before, but i386
doesn't see %zu for unsigned int as a problem.

PR lib/57721

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

libpthread/t_stack: Appease gcc12 maybe-uninitialized warning.

The jmp_buf is not, in fact, uninitialized at the point of use, but
it doesn't hurt to narrow the scope a bit to between when the jmp_buf
is initialized by setjmp, and when the signal handler might be called
after sigaction.

Noted by prlw1.

PR lib/57721

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

libpthread/t_stack: Omit needless cast in previous.

Arose from an earlier draft of the change.

PR lib/57721

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

libpthread/t_stack: Make this more robust to the guard size bug.

Make sure to allocate enough space for the thread's stack for a guard
even though there shouldn't be one, so that when we run the thread,
it doesn't start with the stack pointer pointing into someone else's
allocation (like malloc) causing stack frames to trash another data
structure -- or causing the user of that data structure to trash the
stack frames.

PR lib/57721

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

t_dlinfo, t_rtld_r_debug: Audit ATF_REQUIRE/CHECK, sprinkle messages.

Make sure to use ATF_REQUIRE when the subsequent code doesn't work if
the check fails.

(riastradh)

rtld tests: Don't use RZ for dlinfo.

Use

ATF_REQUIRE_EQ_MSG(dlinfo(...), 0, "dlinfo: %s", dlerror())

instead, in order to accurately report the error on failure.  RZ is
only for functions like pthread_create(3) that return zero on success
and errno(3) code on failure, but dlinfo returns -1 on failure and
sets dlerror() to report the nature of the error.

(riastradh)

tests: Audit RZ abuse.

RZ succeeds if x is zero, and fails if x is nonzero, treating a
nonzero value as a error number as in errno(3) to print the message.

The following library routines instead return -1 on failure and set
errno to the error code:

fuse_opt_add_arg
fuse_opt_add_opt
fuse_opt_add_opt_escaped
fuse_opt_insert_arg
lseek
system

So use RL instead for those -- succeeds if x is zero, and fails if x
is -1.

This shouldn't make any tests newly fail or newly succeed -- the
functions in question only ever return 0 or -1 -- but if the tests
were already failing anywhere, they will now fail with meaningful
messages.

TBD: dlinfo, which isn't fit for RL or RZ since it reports errors via
dlerror() rather than errno.

(riastradh)

t_rnd: Nix trailing whitespace.

No functional change intended.

(riastradh)

t_rnd: Fix misuse of RZ.

Not likely to matter, but in the unlikely event that rump_sys_close
fails, it will return -1 and set errno as RL expects, not return the
error code as RZ expects.

(riastradh)

pthread: Add tests for pthread user stack allocation.

PR lib/57721

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

stack(7): Consistently say `(in)accessible pages', not `... stack'.

PR pkg/57708

XXX pullup-10

(riastradh)

stack(7): Clarify some wording and diagrams.

PR pkg/57708

XXX pullup-10

(riastradh)

stack(7): Clarify thread stack guard vs program stack guard.

Just in case this confuses anyone dealing with PR pkg/57708.

XXX pullup-10

(riastradh)

stack(7): New man page.

Should help with PR pkg/57708.

XXX pullup-10

(riastradh)

share/man/man7/Makefile: Split MAN on separate lines, and sort.

Makes sorting and merging changes easier.

No functional change intended.

Preparing for a new stack(7) in the service of PR pkg/57708.

XXX pullup-10

(riastradh)

vfs(9): Make sure to kpause at least one tick, not zero.

kpause(9) forbids zero.

Local workaround for wider problem in PR kern/57718, to address
immediate symptom of crash on any system with hz=50, e.g. alpha in
qemu:

panic: kernel diagnostic assertion "timo != 0 || intr" failed: file "/usr/src/sys/kern/kern_synch.c", line 249

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

kpause(9): KASSERT -> KASSERTMSG

PR kern/57718 (might help to diagnose manifestations of the problem)

(riastradh)

t_setrlimit: Fix typos in comments and messages.

No substantive change intended.  Suggested by rillig@.

PR kern/57711

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

pax(9): Rework header file more coherently to nix some needless #ifs.

Cleans up some of the fallout from PR kern/57711 fixes.

Could do a little more to nix PAX_SEGVGUARD conditionals but maybe
not worth it.

(riastradh)

ddb: New db_stack_trace_print_ra.

Takes an optional extra argument for the return address so that the
stack parser has a chance to use instruction-dependent interpretation
of the frame to find parent frames.

Implemented only on Alpha for now, which needs it.  Other
architectures just ignore the extra argument.

PR port-alpha/57716

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

exec: Map noaccess part of stack with prot=NONE, maxprot=READ|WRITE.

This way, setrlimit(RLIMT_STACK) can grant READ|WRITE access when
increasing the stack size.

PR kern/57711

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

t_setrlimit: Verify changing RLIMIT_STACK affects access to stack.

PR kern/57711

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

eventfd(2): Prune dead branch.

Fallout from PR kern/57703 fix.

XXX pullup-10

(riastradh)

eventfd(2): Omit needless micro-optimization causing PR kern/57703.

Unfortunately, owing to PR kern/57705 and PR misc/57706, it isn't
convenient to flip the xfail switch on a test for this bug.  So we'll
do that separately.  (But I did verify that a rumpified version of
the test postd to PR kern/57703 failed without this change, and
passed with this change.)

PR kern/57703

XXX pullup-10

(riastradh)

t_fdrestart: Mark some tests no longer xfail.

Backing out ad's changes last month seemed to fix the symptoms
(although I'm pretty sure this logic is still broken, more to come).

PR kern/57659

(riastradh)

t_fenv: Factor checks out of switch in checkrounding.

No functional change intended, just tidies up a bit.

PR port-mips/57680

XXX pullup-10

(riastradh)

t_fenv: Use volatile intermediate to force rounding to double.

See comment for details about why this is necessary.

Should fix these tests on i386 (and perhaps m68k too).

PR port-mips/57680

XXX pullup-10

(riastradh)

t_fenv: Improve diagnostics when rounding mode tests fail.

Print the correct input, and print the rounding mode for clarity so
you don't have to cross-reference it by line number.

PR port-mips/57680

XXX pullup-10

(riastradh)

t_fenv: Add #pragma STDC FENV_ACCESS ON and verify FLT_RADIX is 2.

Except gcc doesn't implement this pragma, so make it conditional.

And clang only supports it on some architectures, so just leave it
out for now with a comment about why.

PR port-mips/57680

XXX pullup-10

(riastradh)

t_fenv: Verify rounding mode takes effect.

At least for addition operations, anyway.

Somewhat redundant with the test t_fe_round added by maya@ but this
gives two minimal pairs to easily diagnose exactly what the rounding
mode is when the wrong one was selected.

PR port-mips/57680

XXX pullup-10

(riastradh)

t_fenv: Check FLT_ROUNDS whenever we touch the rounding mode.

PR port-mips/57680

XXX pullup-10

(riastradh)

t_fenv: Print wrong values if tests fail.

XXX pullup-10

(riastradh)

eqos(4): Fix multicast filter updates.

1. Don't touch the obsolete IFF_ALLMULTI.
2. Set ETHER_F_ALLMULTI if we're accepting all multicast addresses.
3. If any multicast entry range is not a single address, accept all
  multicast addresses.

(riastradh)

eqos(4): Fix locking around multicast filter updates.

- Can't touch if_flags without IFNET_LOCK.
- Can't take IFNET_LOCK in SIOCADDMULTI/SIOCDELMULTI path.

Instead, cache IFF_PROMISC and IFF_ALLMULTI on if_init under a lock we
can take in this path.

XXX Is IFF_ALLMULTI relevant any more?  Hasn't it been moved to
ethercom flags?

XXX Should not take sc_lock around if_init/stop -- IFNET_LOCK is
enough.  Should narrow scope of sc_lock to be just tick/mii/multi
stuff.

(riastradh)

eqos(4): Don't touch if_flags in tx path.

Can't touch this without IFNET_LOCK.

(riastradh)

eqos(4): Wait for callout to halt and make sure it stays halted.

(riastradh)

ehci(4): Fix bug causing missed wakeups since ehci.c 1.308.

For reasons beyond me now, I used cv_signal on the same cv that is
used to wait for the doorbell to be available _and_ to wait for the
host controller to acknowledge the doorbell.  Which means when the
host controller acknowledges the doorbell, we might wake some thread
waiting for the doorbell to be available -- and leave the thread
waiting for the doorbell acknowledgment hanging indefinitely.

PR port-i386/57662

XXX pullup-10

(riastradh)

ehci(4): Fix cv_timedwait loop in ehci_sync_hc.

Stop when

now - starttime >= delta,

i.e., when at least delta ticks have elapsed since the start, not
when

endtime - now > delta,

i.e., more than delta ticks _remain_ to sleep, which is never going
to happen (except on arithmetic overflow).

As is, what will happen in the case that should time out is that we
wake up after delta ticks, and find now = getticks() is exactly
endtime, so we retry cv_timedwait with timo=(endtime - now)=0 which
means sleep indefinitely with no timeout as if with cv_wait.

PR port-i386/57662

XXX pullup-10

(riastradh)

mremap(2): Use .Lk for links in text.

.%U is only for links in reference sections.

(riastradh)

postinstall(8): Use /usr/sbin/certctl.

Obviates need to have /usr/sbin in PATH when running this.

XXX pullup-10

(riastradh)

drm(4): Fix thinko -- display configuration, not device configuration.

(riastradh)

drm(4): Update man page over the last decade.

While here, credit contributors just to the NetBSD port.  Too many
upstream contributors to list, not even sure where I'd find them all.

(riastradh)

Revert "x86: Panic early if fpu save size is too large, take 2."

Apparently this is too early to print anything useful, so it just
causes a reboot loop.

PR kern/57661

(riastradh)

thmap(9): Preallocate GC list storage for thmap_del.

thmap_del can't fail, and it is used in places in npf where sleeping
is forbidden, so it can't rely on allocating memory either.

Instead of having thmap_del allocate memory on the fly for each
object to defer freeing until thmap_gc, arrange to have thmap(9)
preallocate the same storage when allocating all the objects in the
first place, with a GC header.

This is suboptimal for memory usage, especially on insertion- and
lookup-heavy but deletion-light workloads, but it's not clear rmind's
alternative (https://github.com/rmind/thmap/tree/thmap_del_mem_fail)
is ready to use yet, so we'll go with this for correctness.

PR kern/57208
https://github.com/rmind/npf/issues/129

XXX pullup-10
XXX pullup-9

(riastradh)

thmap(9): Test alloc failure, not THMAP_GETPTR failure.

THMAP_GETPTR may return nonnull even though alloc returned zero.

Note that this failure branch is not actually appropriate;
thmap_create should not fail.  We really need to pass KM_SLEEP
through in this call site even though there are other call sites for
which KM_NOSLEEP is appropriate.

Adapted from: https://github.com/rmind/thmap/pull/14

PR kern/57666
https://github.com/rmind/thmap/issues/13

XXX pullup-10
XXX pullup-9

(riastradh)

x86: Panic early if fpu save size is too large, take 2.

This shouldn't break any existing systems (for real this time), but
it should make the failure mode more obvious on systems that are
already broken.

PR kern/57661

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

x86: Remove incomplete fpu save size check.

Will fix it later, but this makes pullups easier.

(riastradh)

sys/pipe.h: #define<tab>

No functional change intended.

(riastradh)

kern_ktrace.c: Sort includes.  No functional change intended.

(riastradh)

xen_machdep.c: Nix trailing whitespace.

No functional change intended.

(riastradh)

vax/pmap.c: Sort includes.  Nix traliing whitespace.

No functional change intended.

(riastradh)

sequencer.c: Nix trailing whitespace.

No functional change intended.

(riastradh)

x86: Disable savefpu size check for now.

This is apparently so broken that the error check for what should
have been a safe size fails, which is breaking boot on x86 all the
way back to Sandy Bridge at this point.  Grrr.

We need to expand savefpu so that it supports the maximum size
instead.

(riastradh)

t_fdrestart: Rework this to be a little more robust.

For the write test, need to make sure the pipe's buffer is full first
before the write that blocks, so that it doesn't return partial
progress rather than ERESTART if woken.

(riastradh)

t_fdrestart: Verify rump_sys_write failed second time around.

PR kern/57659

(riastradh)

t_fdrestart: New test of closing fd with another thread in I/O on it.

Adapted from regress/sys/kern/dislodgefd.

PR kern/57659

(riastradh)

x86: Panic if cpuid's fpu save size is larger than we support.

Ideally this wouldn't panic, but the alternative right now is to
crash in a memset later -- or silently corrupt kernel memory -- so
this doesn't make the situation worse than it was before.

PR kern/57661

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

sys/wchan.h: Need to install this for sanitizers.

(riastradh)

rump: Sprinkle sys/syncobj.h here too.

(riastradh)

kern_turnstile.c: Use <sys/lwp.h> explicitly for struct lwp members.

(riastradh)

sys/sleepq.h: Sort includes.  No functional change intended.

(riastradh)

sys/lwp.h: Sort includes.  No functional change intended.

(riastradh)

sys_select.c: Sort includes.  No functional change intended.

(riastradh)

kern_lwp.c: Sort includes.  No functional change intended.

(riastradh)

kern_synch.c: Sort includes.  No functional change intended.

(riastradh)

kern_sleepq.c: Sort includes.  No functional change intended.

(riastradh)

kern_rwlock.c: Sort includes.  No functional change intended.

(riastradh)

kern_mutex.c: Sort includes.  No functional change intended.

(riastradh)

kern_lwp: Sort includes.  No functional change intended.

(riastradh)

kern_condvar.c: Sort includes.  No functional change intended.

(riastradh)

ddb: Don't restrict `show all tstiles' to wmesg `tstile'.

This is no longer the wmesg, as of last week -- now it's the name of
the underlying syncobj, like `mutex' or `rwlock'.

(riastradh)

ddb: Constify db_syncobj_owner argument.

No need for it to be writable, and the actual type of the struct lwp
member is const.

(riastradh)

sys/lwp.h: Nix sys/syncobj.h dependency.

Remove it in ddb/db_syncobj.h too.

New sys/wchan.h defines wchan_t so that users need not pull in
sys/syncobj.h to get it.

Sprinkle #include <sys/syncobj.h> in .c files where it is now needed.

(riastradh)

heimdal: Make sure whatever uses libhdb also gets libsqlite3 & libm.

Loose ends for static builds in the fix for PR lib/57406.

XXX pullup-10

(riastradh)

certdata.awk: Treat CKT_NSS_TRUSTED as untrusted _as a CA_.

This means the certificate is trusted for the listed purpose, not as
a CA to issue certificates for the listed purpose.

Clarify warning message in this case.

No change to imported certificates so no need to regen or pull up --
this designator does not actually appear in certdata.txt, only in
Mozilla nss source code.

(riastradh)

igc(4): `nvm_ver & ...' has type int, so use %x, not %hx.

This happens even though nvm_ver is unsigned short (uint16_t),
because of the integer promotions.

Should fix clang build.

XXX pullup-10

(riastradh)

certctl(8): Reword various things in an attempt to clarify.

Suggest /etc/openssl/certs.local in the example config file.  Maybe
we can/should formalize this but let's just start with a suggestion.

XXX pullup-10

(riastradh)

heimdal: No need for -lm, was only added for -lsqlite3.

PR lib/57406

XXX pullup-10

(riastradh)

bsd.prog.mk: krb5 stuff no longer needs to link against sqlite3.

(Why is this here?  Seems like it should be a .mk fragment under
crypto/external/bsd/heimdal -- that way I would have found it for the
previous commit.)

PR lib/57406

XXX pullup-10

(riastradh)

heimdal: Disable sqlite3 credential cache (SCC).

SCC is not usable in Heimdal 7.8.0, and this brings a dependency on
libsqlite3 into libkrb5 and therefore libgssapi, which is problematic
downstream applications that have sqlite3 from pkgsrc or statically
built in.

SCC will undergo substantial revision in the next Heimdal version
(https://github.com/heimdal/heimdal/pull/1143).  We can revisit later
how to deal with this -- perhaps by symbol-renaming a copy of sqlite3
in Heimdal as it looks like upstream intends to do.

PR lib/57406

XXX pullup-10

(riastradh)

hier(7): Document /usr/share/certs/mozilla.

XXX pullup-10

(riastradh)

usbnet(9): Fix typo in comment.

No functional change intended.

PR kern/57645

XXX pullup-10

(riastradh)

usbnet(9): On if_init, stop/init if IFF_RUNNING -- not noop.

ether_ioctl(9) relies on this to reinitialize an interface when a
flags change returns ENETRESET.  We can't just reprogram the hardware
multicast filter because some drivers have logic in if_init that's
conditional on IFF_PROMISC; perhaps we can reduce the cost of this if
we can change those drivers to do it in uno_mcast but that requires
some analysis to determine.

PR kern/57645

XXX pullup-10

(riastradh)

usbnet(9): Fix sense of conditional in usbnet_ifflags_cb.

This appears to have been mistranscribed in revision 1.1 of usbnet.c.

PR kern/57645

XXX pullup-10

(riastradh)

usbnet(9): Make sure unp->unp_if_flags is initialized on init.

usbnet_ifflags_cb is only called if the flags change while up and
running.  (XXX Maybe it should be called in other circumstances too
so there's only one path here?)

Out of paranoia, clear the cache on stop.

PR kern/57645

XXX pullup-10

(riastradh)

net/if.h: Explain the IFF_ALLMULTI situation.

No functional change intended.

(riastradh)

rge(4): callout_stop can't be right here; just do callout_halt.

XXX pullup-10

(riastradh)

ure(4): Set all bits, not no bits, in multicast filter for promisc.

This was lost in revision 1.40.

PR kern/57648

XXX pullup-10

(riastradh)

lwp_pctr(9): Make this a little more robust.

No substantive change to machine code on aarch64.  (Instructions and
registers got reordered a little but not in a way that matters.)

(riastradh)

arm/gic: Check l_blcnt, not l_biglocks.

l_biglocks is a now-defunct temporary storage used only when
sleeping; l_blcnt is the number of kernel locks held by the lwp when
not sleeping.

Should fix arm builds.

(riastradh)

kern_cctr.c: Fix broken indentation.

No functional change intended.

(riastradh)

armpmu(4): Add missing newline to error message.

(riastradh)

acronyms.comp: SFP -- Small Form-factor Pluggable

(riastradh)

acronyms.comp: Add various CPU- and barrier-related acronyms.

CET, DMB, DSB, HLE, IBT, ISB, MDS, SSB, SSBB, SSBD, TAA, TSX

PR misc/57636

(riastradh)

pam_krb5: Fix PR lib/57631.

Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing.  Evidently we need automatic
tests for this pam business.

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

gpt(8): Make gpt type array and enum match again.

Add cross-referencing comment to reduce the probability of these
getting out of sync again.

Should fix a slew of failing tests since kre's recent change to add
windows-recovery to the array but not to the enum:

sbin/gpt/t_gpt:create_2part
sbin/gpt/t_gpt:migrate_disklabel
sbin/gpt/t_gpt:recover_backup
sbin/gpt/t_gpt:recover_primary
sbin/gpt/t_gpt:remove_2part
sbin/gpt/t_gpt:resize_2part
sbin/gpt/t_gpt:restore_2part

Fail: stdout does not match golden output
--- /usr/tests/sbin/gpt/gpt.2part.show.normal  2023-09-26 15:48:30.000000000 +0000
+++ /tmp/check.sc6ylB/stdout                    2023-09-26 23:30:42.388157924 +0000
@@ -3,6 +3,6 @@
      1      1        Pri GPT header
      2    32        Pri GPT table
      34  1024      1  GPT part - EFI System
-  1058  9150      2  GPT part - NetBSD FFSv1/FFSv2
+  1058  9150      2  GPT part - NetBSD Cryptographic Disk
  10208    32        Sec GPT table
  10240      1        Sec GPT header

https://releng.netbsd.org/b5reports/i386/commits-2023.09.html#build-2023.09.26.15.47.11

(riastradh)

/etc/rc.d/certctl_init: Default off.

Otherwise in systems without certctl_init=YES, such as systems
installed with sysinst(8) where it's unnecessary because the rehash
has already happened at install time, you'll get spurious warnings.

PR install/57629

XXX pullup-10

(riastradh)

mozilla-certdata: Run certdata.awk with LC_ALL=C.

This has to be able to printf("%c", ...) to emit arbitrary bytes of
output in order to decode the octal-formatted DER data and print it
as raw binary DER data.

Relevant only at import time, doesn't affect builds.

(riastradh)

ec2_init: Suppress error message for nonexistent sysctl.

We're querying to see whether the sysctl node is available and if so
what its text is, not interested in the error message.

XXX pullup-10

(riastradh)

/etc/rc.d/cerctl_init: New script for certctl rehash in live images.

This is very limited -- it does not supplant postinstall to rehash
certificates on upgrade; it only runs certctl rehash if
/etc/openssl/certs is an empty directory, as you get in live images
not created with sysinst.

We could also have a more general-purpose way to run postinstall(8)
on first boot of an image, but that has a lot more moving parts to
think about, so let's start with this limited-scope low-risk
approach.

PR install/57629

XXX pullup-10

(riastradh)

sys/sleepq.h: Fix more syncobj_t creep.

(riastradh)

sys/lwp.h: Oops -- l_syncobj needs const now.

(riastradh)

sys/lwp.h: Revert unnecessary style- and build-breaking change.

Broke the clang builds because of duplicate syncobj_t definitions.

Just use `struct syncobj'; the `syncobj_t' alias causes more trouble
than it's worth -- KNF now advises against it and I see no compelling
reason to make an exception here.

(riastradh)

sbmips/systemsw.h: sys/stdbool.h for bool.

XXX sys/types.h should bring this in too, but that doesn't happen in
the crash(8) build, perhaps because sys/types.h only includes
sys/stdbool.h under _KERNEL or _STANDALONE but not _KMEMUSER -- maybe
we should fix that but this is a lower-risk change for now to fix a
build problem.

Found by Jan-Benedict Glaw.

(riastradh)

Revert "Teach zfs bdevsw to do b_psize."

This is used only by dump and swap, which won't work safely on zvols
anyway.  We should make swap work eventually, but right now it's
leading unwary ussers into deadlock scenarios, so let's make it fail
early instead.

(riastradh)

Revert "once(9): Assert sleepable in RUN_ONCE, unconditionally."

This would be nice but it'll break too many things for the moment.

(riastradh)

solaris: Use pool_cache_reclaim, not pool_cache_invalidate.

pool_cache_invalidate invalidates cached objects, but doesn't return
any backing pages to the underlying page allocator.

pool_cache_reclaim does pool_cache_invalidate _and_ reutrns backing
pages to the underlying page alloator, so it is actually useful for
the page daemon to do when trying to free memory.

PR kern/57558

XXX pullup-10
XXX pullup-9
XXX pullup-8 (by patch to kmem.h instead of kmem.c)

(riastradh)

once(9): Assert sleepable in RUN_ONCE, unconditionally.

Otherwise there's a good chance we'll never exercise many paths that
call RUN_ONCE when it's not sleepable, just because it's already been
done in a sleepable context before.

(riastradh)

ffs_sync: Avoid unlocked access to v_numoutput/v_dirtyblkhd.

Found by lockdoc.

PR kern/57606

(riastradh)

Makefile: Run `postinstall -d /', not `postinstall -d //'.

This happens when doing `build.sh install=/'.  The message is less
confusing and it makes postinstall's job simpler for detecting when
it's installing to / rather than somewhere else.

(riastradh)

sysinst(1): Run `certctl rehash' on fresh installs.

It has come to my attention that sysinst does not, in fact, run
postinstall(8) post-install -- only post-upgrade.

Perhaps we should change this so that postinstall serves the purpose
it says on the box -- make postinstall mandatory for new
installations.

XXX pullup-10

(riastradh)

pam_ksu(8): Allow homedir access during kuserok.

Otherwise, the default kuserok logic to look at ~targetuser/.k5login
would be blocked by the security measure to thwart NetBSD-SA2023-005.

(There are other ways, e.g. setting SYSTEM-K5LOGIN in /etc/krb5.conf
so the file is /etc/k5login.d/user instead of ~user/.k5login, but
that's not the default configuration and there are plenty of
deployments that rely on ~user/.k5login today.)

I reviewed libkrb5 for homedir access checks.  There are three:

1. krb5_config_parse_file_multi, called only by:
  - verify_krb5_conf -- not relevant
  - krb5_config_parse_file -- not used here as far as I can tell,
    only by libhdb ldap logic and test code in heimdal
  - krb5_set_config_files -- used here only via krb5_init_context,
    which is done at this point

2. plugin_get_hosts in krbhst.c, used to look up hosts for KDC I/O,
  which shouldn't be happening at this point, so this is almost
  certainly unreachable; also it only appears to control whether
  some old plugin API can be used, long after we have read the krb5
  config controlling which plugins are available, so this is
  probably harmless

3. krb5_kuserok, which is the one we want to allow

Note: This will have to be updated again in the next Heimdal update,
which eliminates the global homedir access flag in favour of making
the default per-context homedir access flag conditional on !issuid.

XXX pullup-10
XXX pullup-9
XXX pullup-8

(riastradh)

lib: Handle various external lib directories with build_install.

This way, update builds track shlib major bumps correctly.

For example, suppose you had built Heimdal's libkrb5.so.27 and
libgssapi.so.11 linked against it, and then you updated past the recent
shlib major bump raising them to libkrb5.so.28 and libgssapi.so.12.

Without this change, the build will make the following sequence of
targets (interleaved with some others):

1. make dependall in libkrb5
2. make dependall in libgssapi
3. make install in libkrb5
4. make install in libgssapi

The existing .WAIT tags in SUBDIR ensure that (1) happens before (2)
and (3) happens before (4).  Unfortunately, this sequence is wrong,
because it will produce the following effect:

1. make dependall in libkrb5 builds libkrb5.so.28
2. make dependall in libgssapi builds libgssapi.so.12, linked against
  libkrb5.so.27
3. make install in libkrb5 installs libkrb5.so.28
4. make install in libgssapi installs libgssapi.so.12

Why the out-of-date libkrb5.so.27 in step (2)?  Because we just pass
-L${DESTDIR}/usr/lib -lkrb5 to the linker (or the equivalent with
--sysroot and implied -L/usr/lib), and ${DESTDIR}/usr/lib still has
only libkrb5.so.27 by the time of step (2), not libkrb5.so.28.

Now any applications that link against libkrb5.so _and_ libgssapi.so
will get libkrb5.so.28 and libgssapi.so.12 -- but transitively, via
libgssapi.so.12, they will also get libkrb5.so.27, which is a recipe
for disaster.

Splicing the Heimdal library subdirectories into lib/Makefile, as
this does, ensures that we run make dependall _and_ make install in
libkrb5 _before_ make dependall in libgssapi, giving the following
correct sequence:

1. make dependall in libkrb5 builds libkrb5.so.28
2. make install in libkrb5 installs libkrb5.so.28
3. make dependall in libgssapi builds libgssapi.so.12, linked against
  libkrb5.so.28
4. make install in libgssapi installs libgssapi.so.12

Note that LIBDPLIBS isn't enough here, as implemented.  LIBDPLIBS
ensures that the incremental build will remake libgssapi.so.  But it
doesn't ensure that the new libkrb5.so.28 is available before then,
so it doesn't prevent this problem.

We use the same mechanism for crypto/external/bsd/openssl/lib
already; this just extends it to other external library collections.

As an alternative, in principle perhaps we could teach LIBDPLIBS to
ensure that libkrb5.so comes out of the libkrb5 objdir, and not out
of ${DESTDIR}/usr/lib.  But that requires some work to make happen,
and make it reliable, whereas this approach we've already confirmed
works without other adverse consequences (besides leaving
grody-looking mechanism lying around) for the libcrypto major bump
already.  We need to get this pulled up to the branch so all the
other major bumps it required are handled correctly by update builds.

XXX pullup-10

(riastradh)

postinstall(8): Modify default certs.conf.

When manually configured /etc/openssl/certs is detected, just
uncomment the `#manual' line in the default certs.conf rather than
writing a new one.  That way, you can switch to certctl-managed and
still get the default path by just deleting /etc/openssl/certs and
re-commenting the `manual' line.

(riastradh)

*/shlib_version: Ensure a boring line between RCS id and all else.

This makes cherry-picks easier by avoiding conflicts between the RCS
id and the interesting changes.

(riastradh)

libbozohttpd, libluabozohttpd: Bump major for libssl.so bump.

libluabozohttpd doesn't appear to be installed, but let's bump the
major just in case.

PR lib/57603

XXX pullup-10

(riastradh)

sys/param.h: Welcome to 10.99.8!

Courtesy of nestable heartbeat_suspend/resume, which changed struct
cpu_info.

(riastradh)