autoconf(9): Print `waiting for devices' normally once a minute.

autoconf(9): Omit config_detach kernel lock assertion too for now.

like in config_attach_pseudo, this assertion almost certainly
indicates real bugs, but let's try to get the tests back and running

autoconf(9): Omit config_detach kernel lock assertion too for now.

like in config_attach_pseudo, this assertion almost certainly
indicates real bugs, but let's try to get the tests back and running
again before addressing those.

show more ...

autoconf(9): Omit config_attach_pseudo kernel lock assertion for now.

Breaks too many things that I didn't test in the branch (cgd, fss,
&c.); let's address all forty-odd cases before turning it on.

autoconf(9): New functions for referenced attach/detach.

New functions:

- config_found_acquire(dev, aux, print, cfargs)
- config_attach_acquire(parent, cf, aux, print, cfargs)
- config_attach_pseud

autoconf(9): New functions for referenced attach/detach.

New functions:

- config_found_acquire(dev, aux, print, cfargs)
- config_attach_acquire(parent, cf, aux, print, cfargs)
- config_attach_pseudo_acquire(cf, aux)
- config_detach_release(dev, flags)
- device_acquire(dev)

The config_*_acquire functions are like the non-acquire versions, but
they return a referenced device_t, which is guaranteed to be safe to
use until released. The device's detach function may run while it is
referenced, but the device_t will not be freed and the parent's
.ca_childdetached routine will not be called.

=> config_attach_pseudo_acquire additionally lets you pass an aux
argument to the device's .ca_attach routine, unlike
config_attach_pseudo which always passes NULL.

=> Eventually, config_found, config_attach, and config_attach_pseudo
should be made to return void, because use of the device_t they
return is unsafe without the kernel lock and difficult to use
safely even with the kernel lock or in a UP system. For now,
they require the caller to hold the kernel lock, while
config_*_acquire do not.

config_detach_release is like device_release and then config_detach,
but avoids the race inherent with that sequence.

=> Eventually, config_detach should be eliminated, because getting at
the device_t it needs is unsafe without the kernel lock and
difficult to use safely even with the kernel lock or in a UP
system. For now, it requires the caller to hold the kernel lock,
while config_detach_release does not.

device_acquire acquires a reference to a device. It never fails and
can be used in thread context (but not interrupt context, hard or
soft). Caller is responsible for ensuring that the device_t cannot
be freed; in other words, the device_t must be made unavailable to
any device_acquire callers before the .ca_detach function returns.
Typically device_acquire will be used in a read section (mutex,
rwlock, pserialize, &c.) in a data structure lookup, with
corresponding logic in the .ca_detach function to remove the device
from the data structure and wait for all read sections to complete.

Proposed on tech-kern:
https://mail-index.netbsd.org/tech-kern/2023/05/10/msg028889.html

show more ...

autoconf(9): Add a comment where we risk arithmetic overflow.

autoconf(9): Assert alldevs_lock held in config_unit_nextfree.

The one caller, config_unit_alloc, guarantees it through
config_alldevs_enter/exit.

autoconf(9): Avoid potential ABA bug in config_makeroom.

When we unlock alldevs_lock to allocate a new cd_devs array nsp,
other threads may have:

1. freed the old one (osp),
2. done some other memo

autoconf(9): Avoid potential ABA bug in config_makeroom.

When we unlock alldevs_lock to allocate a new cd_devs array nsp,
other threads may have:

1. freed the old one (osp),
2. done some other memory allocation,
3. allocated a new _larger_ array whose address happens to concide
with osp (e.g., in (2) the page was recycled for a different pool
cache), and
4. updated cd_devs back to osp but increased cd_ndevs.

In that case, the memory may be corrupted: we try to copy the wrong
number of device_t pointers into nsp and we free osp with the wrong
(stale) length.

Avoid this by checking whether cd_ndevs has changed too -- if not,
osp might have been recycled but at least the lengths we're about to
copy and free are still correct so there's no harm in an ABA
situation.

XXX pullup-8
XXX pullup-9
XXX pullup-10

show more ...

autoconf(9): Clarify assertions about iattr in config_search.

autoconf(9): New diagnostic to detect double-detach.

- Rename dv_detached -> dv_detach_committed.
- Add dv_detach_done, asserted false and then set in config_detach.

dv_detach_done may appear redun

autoconf(9): New diagnostic to detect double-detach.

- Rename dv_detached -> dv_detach_committed.
- Add dv_detach_done, asserted false and then set in config_detach.

dv_detach_done may appear redundant with dv_del_gen, but dv_del_gen
will be used to safely detect config_detach on two valid references
to a device (e.g., a bus detaching its child concurrently with drvctl
detaching the same child), while dv_detach_done is strictly a
diagnostic to detect races in the config_detach API.

Currently the config_detach API itself is unsafe, but we can add a
config_detach_release function that simultaneously releases and
detaches a referenced device_t; this will continue to use dv_del_gen
to safely avoid multiple detach, and dv_detach_done to check for
races in usage.

show more ...

autoconf(9): Improve diagnostics for config_detach_enter/commit/exit.

pmf(9): *_child_register never fails. Make it return void.

No kernel bump because this isn't documented or used in any modules,
only in dev/pci/pci.c and dev/cardbus/cardbus.c which are as far as I

pmf(9): *_child_register never fails. Make it return void.

No kernel bump because this isn't documented or used in any modules,
only in dev/pci/pci.c and dev/cardbus/cardbus.c which are as far as I
know always statically linked into the kernel.

The next change, however, will require a revbump -- to make
pmf_device_register return void so we can prune vast swaths of dead
error branches.

show more ...

kern: device_pmf_driver_register never fails, so make it return void.

No ABI bump despite change to device.h because this is used only
inside autoconf.

autoconf(9): Provide diagnostics for config_detach_* misuse.

sys: Split struct device into a private device_impl.h.

Include this only inside autoconf itself, and a few files that abuse
autoconf in ways I can't confidently make easy fixes for.

XXX kernel ABI

sys: Split struct device into a private device_impl.h.

Include this only inside autoconf itself, and a few files that abuse
autoconf in ways I can't confidently make easy fixes for.

XXX kernel ABI change requires bump -- no more use of struct device
internals allowed, previously done by some drivers

show more ...

autoconf(9): Disentangle slightly circuitous config_detach logic.

No functional change intended.

autoconf(9): New function config_detach_commit.

When a driver's .ca_detach function has committed to detaching -- it
definitely won't back out with EBUSY, for instance -- it can call
this to wake al

autoconf(9): New function config_detach_commit.

When a driver's .ca_detach function has committed to detaching -- it
definitely won't back out with EBUSY, for instance -- it can call
this to wake all pending calls to device_lookup_acquire and make them
fail immediately.

This is necessary to break a deadlock if the device_lookup_acquire
calls happen inside I/O operations which the driver's .ca_detach
function waits for the completion of -- without config_detach_commit,
I/O operations would be stuck in device_lookup_acquire waiting for
.ca_detach and .ca_detach would be stuck waiting for I/O operations
to return.

Most drivers won't need to call this: for autoconf drivers used the
traditional way by devsw for userland device nodes, the .ca_detach
routine uses vdevgone, and we will arrange to make vdevgone call
config_detach_commit automagically in such drivers anyway.

XXX kernel ABI change to struct device requires bump -- later change
will make struct device opaque to ABI, but we're not there yet

show more ...

autoconf(9): New localcount-based device instance references.

device_lookup_acquire looks up an autoconf device instance, if found,
and acquires a reference the caller must release with device_relea

autoconf(9): New localcount-based device instance references.

device_lookup_acquire looks up an autoconf device instance, if found,
and acquires a reference the caller must release with device_release.
If attach or detach is still in progress, device_lookup_acquire waits
until it completes. While references are held, the device's softc
will not be freed or reused until the last reference is released.

The reference is meant to be held while opening a device in the short
term, and then to be passed off to a longer-term reference that can
be broken explicitly by detach -- usually a device special vnode,
which is broken by vdevgone in the driver's *_detach function.

Sleeping while holding a reference is allowed, e.g. waiting to open a
tty. A driver must arrange that its *_detach function will interrupt
any threads sleeping while holding references and cause them to back
out so that detach can complete promptly.

Subsequent changes to subr_devsw.c will make bdev_open and cdev_open
automatically take a reference to an autoconf instance for drivers
that opt into this, so there will be no logic changes needed in most
drivers other than to connect the autoconf cfdriver to the
bdevsw/cdevsw I/O operation tables. The effect will be that *_detach
may run while d_open is in progress, but no new d_open can begin
until *_detach has backed out from or committed to detaching.

XXX kernel ABI change to struct device requires bump -- later change
will make struct device opaque to ABI, but we're not there yet

show more ...

autoconf(9): Enter more timing samples into entropy pool.

Previously, we sampled the time of each _failed_ config_search. I'm
not sure why -- there was no explanation in the comment or the commit
m

autoconf(9): Enter more timing samples into entropy pool.

Previously, we sampled the time of each _failed_ config_search. I'm
not sure why -- there was no explanation in the comment or the commit
message introducing this in rev. 1.230.2.1 on tls-earlyentropy.

With this change, we sample the time of _every_ search including the
successful ones -- and also measure the time to attach which often
includes things like probing device registers, triggering device
reset and waiting for it to post, &c.

show more ...

autoconf(9): Refuse to consider negative unit numbers in cfdata.

Reported-by: syzbot+a63ae6c58df86f40b6f3@syzkaller.appspotmail.com

move attribute before function declarator

Revert previous, mark cfdriver_iattr_count as __diagused instead.

cfdriver_iattr_count() is only used in a KASSERT, so #ifdef DIAGNOSTIC it.

pmf(9): Conditionalize pmflock_debug output on PMFLOCK_DEBUG.

This is really only helpful for debugging the software logic to
handle the trees of devices for suspend/resume, not for debugging the
dr

pmf(9): Conditionalize pmflock_debug output on PMFLOCK_DEBUG.

This is really only helpful for debugging the software logic to
handle the trees of devices for suspend/resume, not for debugging the
drivers, which is most of what we need to do. If anyone still finds
this useful they can make a sysctl knob for it or something, but for
now this substantially reduces the amount of debug output that's
getting in my way.

show more ...

libkern: Make KASSERT verify expression is valid if !DIAGNOSTIC.

This way it is no longer necessary to mark variables __diagused if
they are used in KASSERT conditions.

Fix fallout from this by rem

libkern: Make KASSERT verify expression is valid if !DIAGNOSTIC.

This way it is no longer necessary to mark variables __diagused if
they are used in KASSERT conditions.

Fix fallout from this by removing now-unnecessary and `#ifdef
DIAGNOSTIC'.

Don't do the same for KDASSERT if !DEBUG -- unlike KASSERT and
DIAGNOSTIC, variables needed by KDASSERT and DEBUG are likely to be
expensive to compute (and potentially difficult for a compiler to
prove flushable), so we don't want to require them under !DEBUG.

show more ...

Squash "holding up boot" messages into a single line, and only print the
device list if no progress has been made in 1 second.