itimer(9): Sprinkle some more assertions.

itimer(9): Use callout_setfunc/schedule instead of callout_reset.

No semantic change intended.

In itimer_arm_real(), KASSERT that it->it_dying is false. This was
already implicitly assumed, but make it explicit in hopes of tracking
down kern/57226.

branches: 1.218.2;
sys: Put externs for time_adjtime and time_adjusted in .h files.

time_adjtime: sys/timex.h (defined in ntp code)
time_adjusted: sys/timevar.h (defined in non-ntp code)

(Not really sure this is a valuable distinction to maintain; there's
non-ntp code that uses time_adjtime too.)

kern: KNF in kern_time.c: Omit needless return parentheses.

Also nix trailing whitespace while here.

No functional change intended.

setitimer(2): Avoid arithmetic overflow in periodic bookkeeping.

Reported-by: syzbot+93cef6090844ec304cde@syzkaller.appspotmail.com

setitimer(2): Guard against overflow in arithmetic.

Reported-by: syzbot+6036bc8b6d2b963e3ba6@syzkaller.appspotmail.com

adjtime(2): Handle negative tv_sec and tv_usec.

Previously I clamped these to avoid dangerous arithmetic overflow.
But I assumed sensible values should be nonnegative.

For tv_sec, this assumption was just wrong -- the adjustment may be
negative.

For tv_usec, this assumption is...not wrong, but also not right.
tv_usec is not _supposed_ to be negative (by POSIX, the type need
only represent values in [-1, 1000000]; semantically the member is
supposed to be a nonnegative number of microseconds below 1000000),
but ntp abuses it to hold negative values, for reasons unclear -- the
same effect could be had by subtracting one from tv_sec, and adding
1000000 to the negative tv_usec. However, let's not break existing
ntp userlands...

kern: Handle clock winding back in nanosleep1 without overflow.

Reported-by: syzbot+3bdd260582424a611946@syzkaller.appspotmail.com

kern: Clamp time_adjtime to avoid overflow.

Reported-by: syzbot+7edce1a31dfd2a5eaa18@syzkaller.appspotmail.com

Centralise the setitimer() timer type validation in dosetitimer() as is
done with dogetitimer().

branches: 1.210.2;
A couple of tweaks to the previous re-factor:

- Some of what was defined as "generic itimer" behavior turned out to be
ptimer-specific. As such, everything related to the "fired timer queue"
is now specific to ptimers, and the queue and softint handle fields of
itimer_ops are not needed.

- Split itimer_fini() into 2 parts: itimer_poision() marks the timer as
dead and attempts to cancel it. itimer_fini() is then just responsible
for freeing itimer resources and releasing the lock. They are split
into two parts, as ptimers require an addition processing step between
those two operations, but other kinds of itimers do not necessarily require
that.

- Export a few more itimer-related symbols that other itimer types will
need.

Riding previous kernel version bump since there are no external uses of
this code since the version bump that accompanied the original change.

fix the build; gcc does not always see that it can't happen.

Fix an uninitialized pointer deref introduced in rev 1.207.

Reported-by: syzbot+6d69101d5f2fd954c4e2@syzkaller.appspotmail.com

Refactor interval timers to make it possible to support types other than
the BSD/POSIX per-process timers:

- "struct ptimer" is split into "struct itimer" (common interval timer
data) and "struct ptimer" (per-process timer data, which contains a
"struct itimer").

- Introduce a new "struct itimer_ops" that supplies information about
the specific kind of interval timer, including it's processing
queue, the softint handle used to schedule processing, the function
to call when the timer fires (which adds it to the queue), and an
optional function to call when the CLOCK_REALTIME clock is changed by
a call to clock_settime() or settimeofday().

- Rename some fuctions to clearly identify what they're operating on
(ptimer vs itimer).

- Use kmem(9) to allocate ptimer-related structures, rather than having
dedicated pools for them.

Welcome to NetBSD 9.99.77.

branches: 1.206.2;
kern_time: prevent the system clock from being set too low or high

currently doing this will drive KUBSAN haywire and possibly cause
system lock-ups, so more testing should probably be performed before
we let the clock be set too many thousands of years into the future.

ditto for negative values, which were being passed by chrony for
some reason while my internet connection was being unreliable.
this also triggered some interesting KUBSAN reports.

Move proc_lock into the data segment. It was dynamically allocated because
at the time we had mutex_obj_alloc() but not __cacheline_aligned.

Fix uninitialized memory access. Found by KMSAN.

Reported-by: syzbot+9f2a173d29d66c88f9ac@syzkaller.appspotmail.com

- Eliminate the global "boottime" variable, which was being accessed
without any synchronization against changes by e.g. clock_settime().
- Replace with new getbinboottime() / getnanoboottime() / getmicroboottime()
functions (naming mirrors that of other time access functions in kern_tc.c).
It returns the (maybe-converted) value of timebasebin, which also tracks
our estimate of when the system was booted (i.e. the legacy "boottime" was
redundant).

XXX There needs to be a lockless synchronization mechanism for reading
timebasebin, but this is a problem in kern_tc.c that pre-existed these
"boottime" changes. At least now the problem is centralized in one location.

Remove superfluous splclock()/splx() pair around tc_setclock().

Check for valid timespec in clock_settime1()

An alternative approach would be to check the valie in settime1(), but
it would result in multiple checks for valid tv_nsec, as there are
settime1() users that need to check the ranges earlier.

Reported-by: syzbot+96e5ce2c2c704d96c2f0@syzkaller.appspotmail.com

Validate usec ranges in settimeofday1()

mark a variable __diagused to fix this problem affecting many builds:

kern/kern_time.c:1413:6: error: variable 'error' set but not used [-Werror=unused-but-set-variable]

Fix race in timer destruction.

Anything we confirmed about the world before callout_halt may cease
to be true afterward, so make sure to start over in that case.

Add some comments explaining what's going on.

Reported-by: syzbot+d58da99969f58c1a024a@syzkaller.appspotmail.com

branches: 1.197.4;
Fix the code that deals with very long sleeps (> 248 days) which
go beyond the maximum that the callout mechanism can handle.
[See the comments in tvtohz() in subr_sleep.c for the details.]

When that happens the timeout is clamped to MAX_INT (ticks), and the
code in nanosleep1() looped (or tried to) repeating the sleep (aka
kpause()) until the requested end time for the sleep was reached.

Unfortunately, the code assumed that kpause() would return 0 when
it returned after the timeout expired. But it doesn't, it returns
EWOULDBLOCK instead (why is incomprehensible to me, but I assume
there is a reason.) [That comes from sleepq_block() which returns
EWOULDBLOCK when callout_halt() indicates that the callout had fired,
which is exactly what has happened when the time has elapsed.]

There was already code to deal with that EWOULDBLOCK and return 0
instead of an error in that case - but it was placed after the
error code was tested against 0 for the purposes of the loop.

Simply move the EWOULDBLOCK->0 mapping earlier, so the code which
is expecting "error == 0" to mean "nothing went wrong" actually
gets to see that happen, and the loop can actually loop.

(Someday the loop should probably be rewritten as a loop, instead of
as a bunch of code followed by a "goto again"!)

The callout is used by any nonvirtual timer including CLOCK_MONOTONIC
and needs to be initialized.

Detected by [syzkaller].

Introduce PR_ZERO to avoid open-coding memset()s everywhere. OK riastradh@.

Fix kernel info leaks.

Improve my kern_time.c::rev1.192, systematically clear the buffers we get
from 'ptimer_pool' to prevent more leaks.

Fix kernel info leak.

+ Possible info leak: [len=32, leaked=16]
| #0 0xffffffff80baf3a7 in kleak_copyout
| #1 0xffffffff80b940f8 in sys___timer_settime50
| #2 0xffffffff80259c42 in syscall

Fix kernel info leak. There are 2x4 bytes of padding in struct itimerval.

[ 738.451860] kleak: Possible leak in copyout: [len=32, leaked=8]
[ 738.481840] #0 0xffffffff80b7c42a in kleak_note <netbsd>
[ 738.491821] #1 0xffffffff80b7c4aa in kleak_copyout <netbsd>
[ 738.501806] #2 0xffffffff80b6154e in sys___getitimer50 <netbsd>
[ 738.511778] #3 0xffffffff80b61e39 in sys___setitimer50 <netbsd>
[ 738.521781] #4 0xffffffff8025ab3c in sy_call <netbsd>
[ 738.521781] #5 0xffffffff8025ad6e in sy_invoke <netbsd>
[ 738.531808] #6 0xffffffff8025adf4 in syscall <netbsd>

Fix stack info leak. There are 4 bytes of padding in struct timeval. Looks
like there are other leaks related to timeval in this file.

[ 133.414352] kleak: Possible leak in copyout: [len=16, leaked=4]
[ 133.414352] #0 0xffffffff80224d0a in kleak_note <netbsd>
[ 133.424360] #1 0xffffffff80224d8a in kleak_copyout <netbsd>
[ 133.434361] #2 0xffffffff80b5fd79 in sys___gettimeofday50 <netbsd>
[ 133.434361] #3 0xffffffff8025a89c in sy_call <netbsd>
[ 133.444351] #4 0xffffffff8025aace in sy_invoke <netbsd>
[ 133.454365] #5 0xffffffff8025ab54 in syscall <netbsd>

branches: 1.189.8; 1.189.14; 1.189.16;
Adjust clock_nanosleep(2) to not copyout remaining time struct if
TIMER_ABSTIME flag is set.

Ok Christos.

branches: 1.188.2;
KNF. Remove extra spaces. No functional change.

GSoC 2016: Charles Cui: Add timer related macros
_POSIX_CPUTIME
_POSIX_THREAD_CPUTIME
_POSIX_DELAYTIMER_MAX

Add clock_getcpuclockid2(2) as well as CLOCK_{PROCESS,THREAD}_CPUTIME_ID.

- GC pts_fired, and fix the comment about MAX_TIMERS
- Bump MAX_TIMERS to 36 so that we have 32 POSIX user timers which is the
minimum required.

Don't leak garabage from the kernel stack on sleep(0) and equivalents.
Hat tip to perl's ext/POSIX/t/wrappers.t

Make comments and code match reality; there are 4 reserved timers.

CID/1325753: remove extra return.

PR/50295: clock_nanotime() should not set errno, but return the error.

Unused inits (harmless).

Found by Brainy.

branches: 1.179.8; 1.179.10; 1.179.12;
Make ts2timo(9) always return the absolute start time if the start argument
is present, and handle the TIMER_ABSTIME case in nanosleep1(9).

always return immediately on error, and if we passed negative seconds,
return with 0.

Move clock_gettime1() to subr_time.c (which is included in rump kernels)

Centralize the computation of struct timespec to the int timo.
Make lwp_park take the regular arguments for specifying what kind
of timeout we supply like clock_nanosleep(), namely clockid_t and flags.

kernel portion of clock_nanosleep()

branches: 1.174.2;
Misplaced parenthesis; fixes PR 44927

itimerfire: fix a regression, check if timer is already queued.

Remove COMPAT_SA / KERN_SA. Welcome to 6.99.3!
Approved by core@.

Fix monotonic interval timers.

branches: 1.170.2; 1.170.6;
There is no reason not to support CLOCK_MONOTONIC in {g,s}etitimer() since
the underlying implementation already supports it, so add it.

These don't need uvm/uvm_extern.h.

implement timer_create of CLOCK_MONOTONIC

fix assertion failure in timer_intr. CLOCK_REALTIME timers can be on
timer_queue.

branches: 1.166.2;
realtimerexpire: rename a confusing variable. no functional change.
(now_ms -> now_ns as it hold a nano second value)

Add a new clock_gettime1() function that holds most of the
clock_gettime syscall code (except for the copyout). Adjust all
corresponding syscalls to make use of it.

Move most clock_getres syscall code, except for coypout call, to a new
clock_getres1() function which can be used by emulations. Adjust all
clock_getres syscalls to now make of use it.

branches: 1.163.2; 1.163.4;
If a struct sigevent with SIGEV_SIGNAL is passed to timer_create(2),
check the signal number to be in the allowed range. An invalid
signal number could crash the kernel by overflowing the sigset_t
array.
More checks would be good, and SIGEV_THREAD shouldn't be dropped
silently, but this fixes at least the local DOS vulnerability.

Introduce time_wraps() to check if setting the time will wrap it (or
close to it). Useful for secmodels.

Replace open-coded form with it in secmodel code (securelevel, keylock).

Note: I need to find a way to make secmodel_keylock.c ~<100 lines.

Wipe out the last vestiges of POOL_INIT with one swift stroke. In
most cases, use a proper constructor. For proplib, give a local
equivalent of POOL_INIT for the kernel object implementation. This
way the code structure can be preserved, and a local link set is
not hazardous anyway (unless proplib is split to several modules,
but that'll be the day).

tested by booting a kernel in qemu and compile-testing i386/ALL

Move the internal poll/select related API's to use timespec instead
of timeval (rides the uvm bump).

branches: 1.159.2;
settime1: fix a bug i introduced when i made l_stime use monotonic time.
from Matthias Drochner on tech-kern@. PR/40511 from Martin Husemann.

timer_intr: hold proc_lock across the loop, otherwise the process we are
about to signal could disappear.

- fix leaked lock, thanks ad@ for noticing.
- remove unneeded cast.

merge christos-time_t

branches: 1.155.2; 1.155.4;
Adjust locking on the sadata::sa_vps list. The main time we
walk the list, we're looking for a vp to do something with. We do
this in the signal code and in the timer code. The signal code already
runs with proc::p_lock held, so it's a very natural lock to use. The
timer code, however, calls into the sa timer code with a spinlock held.
Since proc::p_lock is an adaptable mutex, we can sleep to get it. Sleeping
with a spinlock is BAD. So proc::p_lock is _not_ the right lock there,
and something like sadata::sa_mutex would be best.

Address this difficulty by noting that both uses actually just read
the list. Changing the list of VPs is rare - once one's added, it stays
until the process ends. So make the locking protocol that to write the
list you have to hold both proc::p_lock and sadata::sa_mutex (taken
in that order). Thus holding either one individually grants read access.

This removes a case where we could sleep with timer_lock, a spinlock at
IPL_SCHED (!!), while trying to get p_lock. If that ever happened, we'd
pretty much be dead. So don't do that!

This fixes a merge botch from how I handled our gaining p_lock - p_lock
should not have simply replaced p_smutex.

While here, tweak the sa_unblock_userret() code for the case
when the blessed vp is actually running (on another CPU). Make its
resched RESCHED_IMMED so we whack the CPU. Addresses a hang I've
observed in starting firefox on occasion when I see one thread running
in userland and another thread sitting in lwpublk, which means it's on
the list of threads for which we need an unblocked upcall. This list is
one on which things should NOT linger.

Merge wrstuden-revivesa into HEAD.

Split rate-checking routines into their own module for easier reuse.

fix half-assed change usec -> nsec that broke non-real timers.

Fix broken setitimer(). (Sverre Froyen)

Use more timespecs internally. From Alexander Shishkin and me.
Welcome to 4.99.70, 30 more to go for 100.

Fix to bug reported and tested by Alexander Shishkin. struct ptimer has
a union that contains either a callout [for CLOCK_REALTIME] or a flag
and a list [for other clock types]. Make sure we perform the right actions
on the right union member depending on the clock type. Otherwise this would
result in crashes.

branches: 1.148.2; 1.148.4;
Explicitly compute the next interval using 64bit arithmetic, if the time
was either stepped backwards or the timer has overflown. This fixes
PR 26470.

- Add tc_gonebad(): allows timecounter to be flagged as bad and removed at
the next clock tick.
- Remove time_lock, which is no longer required.

branches: 1.146.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.145.2;
Network protocol interrupts can now block on locks, so merge the globals
proclist_mutex and proclist_lock into a single adaptive mutex (proc_lock).
Implications:

- Inspecting process state requires thread context, so signals can no longer
be sent from a hardware interrupt handler. Signal activity must be
deferred to a soft interrupt or kthread.

- As the proc state locking is simplified, it's now safe to take exit()
and wait() out from under kernel_lock.

- The system spends less time at IPL_SCHED, and there is less lock activity.

Give callout_halt() an additional 'kmutex_t *interlock' argument. If there
is a need to block and wait for the callout to complete, and there is an
interlock, it will be dropped while waiting and reacquired before return.

Make ntp, pmc, reboot, sysarch, time syscalls MPSAFE.

timer fixes for PR 37093:

- Fix serious concurrency problems, making the code MT and MP safe in
the process.
- Don't allocate memory or inspect process state from hardclock().

branches: 1.141.2; 1.141.4;
nanosleep1: handle kpause spontaneous wakeups.

branches: 1.140.2; 1.140.6;
wrap long lines. no functional change.

nanosleep1: whitespace. no functional change.

Now that __HAVE_TIMECOUNTER and __HAVE_GENERIC_TODR are invariants,
remove the conditionals and the code associated with the undef case.

use binuptime for l_stime/l_rtime.

reduce #ifdef __HAVE_TIMECOUNTER.

Convert all the system call entry points from:
int foo(struct lwp *l, void *v, register_t *retval)
to:
int foo(struct lwp *l, const struct foo_args *uap, register_t *retval)
Fixup compat code to not write into 'uap' and (in some cases) to actually
pass a correctly formatted 'uap' structure with the right name to the
next routine.
A few 'compat' routines that just call standard ones have been deleted.
All the 'compat' code compiles (along with the kernels required to test
build it).
98% done by automated scripts.

branches: 1.134.4;
Replace usage of p_cred in kauth(9) call with kauth_cred_get().

okay yamt@.

branches: 1.133.2;
Kill a KAUTH_REQ_SYSTEM_TIME_SYSTEM request that's no longer needed.

Refactor time modification checks and place them in the secmodel code.

okay christos@

Add a bit of locking around timecounter attachment / selection.

branches: 1.130.2;
machine/{bus,cpu,intr}.h -> sys/{bus,cpu,intr}.h

branches: 1.129.2;
Merge run time accounting changes from the vmlocking branch. These make
the LWP "start time" per-thread instead of per-CPU.

branches: 1.128.2; 1.128.4;
Shuffle routines which just roll values around from kern_clock.c
and kern_time.c to subr_time.c.

No reason not to make itimespecfix() generally available..

Export itimespecfix() until itimerfix() dies.

branches: 1.125.2; 1.125.6;
Merge some of the less invasive changes from the vmlocking branch:

- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements

rename si_sigval -> si_value to match POSIX RTS.

nanosleep1() shouldn't try to get the current time into a NULL address.

Instead of the #define versions of tc_getfrequency() and nanouptime(), use
the function ones in kern_kern_clock.c (adding tc_getfrequency).
Adjust includes so this builds.

Add a #define for nanouptime() in the !__HAVE_TIMECOUNTERS case.

Split sys_nanosleep().

Change interface to settimeofday1() so that it can also be used from
compat code in order to avoid the stackgap.

branches: 1.118.2; 1.118.4;
Pass an ipl argument to pool_init/POOL_INIT to be used when initializing
the pool's lock.

branches: 1.117.2;
- Make the proclist_lock a mutex. The write:read ratio is unfavourable,
and mutexes are cheaper use than RW locks.
- LOCK_ASSERT -> KASSERT in some places.
- Hold proclist_lock/kernel_lock longer in a couple of places.

Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

TRUE -> true, FALSE -> false

branches: 1.114.2;
Remove spllowersoftclock() and CLKF_BASEPRI(), and always dispatch callouts
via a soft interrupt. In the near future, softclock will be run from process
context.

Merge newlock2 to head.

remove nqnfs.

use KSI_INIT rather than memset. no functional changes.

remove some __unused from function parameters.

Add an XXX to remind me why it's there when grepping. (securelevel ref)

- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386

PR/34612: Bucky Katz: SA returns from sleep do not set the signal flags
Patch applied, many thanks for the example!

branches: 1.106.2;
First take at security model abstraction.

- Add a few scopes to the kernel: system, network, and machdep.

- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.

- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.

- Update all relevant documentation.

- Add some code and docs to help folks who want to actually use this stuff:

* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.

This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...

* And of course, documentation describing how to do the above for quick
reference, including code samples.

All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:

http://kauth.linbsd.org/kauthwiki

NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:

- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.

(or if you feel you have to, contact me first)

This is still work in progress; It's far from being done, but now it'll
be a lot easier.

Relevant mailing list threads:

http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html

Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).

Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.

Happy birthday Randi! :)

branches: 1.105.4;
Use the LWP cached credentials where sane.

fix another t{s,v}tohz() fallout (invalid remaining time)
now passes regression/sys/kern/sleeping

keep NetBSD boottime semantics:
- only set at boot
- only tracking delta of set-time operations
-> will keep boottime stable across ACPI sleeps
uptime(1) will report the time since last boot

report true clock resolution based on the frequency information
from the underlying counter in clock_getres(). For frequencies
above 1GHz report a resolution if 1 nsec.

branches: 1.101.2;
merge FreeBSD timecounters from branch simonb-timecounters
- struct timeval time is gone
time.tv_sec -> time_second
- struct timeval mono_time is gone
mono_time.tv_sec -> time_uptime
- access to time via
{get,}{micro,nano,bin}time()
get* versions are fast but less precise
- support NTP nanokernel implementation (NTP API 4)
- further reading:
Timecounter Paper: http://phk.freebsd.dk/pubs/timecounter.pdf
NTP Nanokernel: http://www.eecis.udel.edu/~mills/ntp/html/kern.html

branches: 1.100.2;
timers_alloc: use PR_WAITOK.

integrate kauth.

branches: 1.98.4; 1.98.6; 1.98.8; 1.98.10; 1.98.12;
- make settime take timespec.
- avoid wrapping of time in settime (from OpenBSD)
- pass struct proc down so that we can log a detailed message.

Convert malloc/free of struct ptimers to pools.
Move the ptimer pool to kern_time.c to keep like pools together,
and it wasn't used in kern_proc.c

branches: 1.96.2;
Call nanotime() directly, instead of doing the
microtime()/TIMEVAL_TO_TIMESPEC() dance.

Implement a few changes needed to properly resolve PR#30924, as
discussed in the PR.

- introduce sys/timevar.h to hold kernel-specific stuff relevant to
sys/time.h. Ideally, timevar.h would contain all (or almost) of the
#ifdef _KERNEL part of time.h, but that's a pretty big and tedious
change to make. For now, it will contain only the prototypes I
introduced when working on COMPAT_NETBSD32.

- split copyinout_t into copyin_t and copyout_t, it makes prototypes more
explicit about the meaning of a given argument. Suggested by yamt@.

- move copyinout_t definition in sys/time.h to systm.h as copyin_t and
copyout_t

- make everything uses the new types and include the proper headers at
the proper places.

branches: 1.94.2;
avoid calling into the pool code while holding sched_lock
since both pool_get() and pool_put() can call wakeup().
instead, allocate the struct sadata_upcall before taking
sched_lock in mi_switch() and free it after releasing sched_lock.

clean up some modularity warts by adding a callback to
struct sadata_upcall for freeing sa_arg.

Apply the NFS exports list rototill patch:

- Remove all NFS related stuff from file system specific code.
- Drop the vfs_checkexp hook and generalize it in the new nfs_check_export
function, thus removing redundancy from all file systems.
- Move all NFS export-related stuff from kern/vfs_subr.c to the new
file sys/nfs/nfs_export.c. The former was becoming large and its code
is always compiled, regardless of the build options. Using the latter,
the code is only compiled in when NFSSERVER is enabled. While doing this,
also make some functions in nfs_subs.c conditional to NFSSERVER.
- Add a new command in nfssvc(2), called NFSSVC_SETEXPORTSLIST, that takes a
path and a set of export entries. At the moment it can only clear the
exports list or append entries, one by one, but it is done in a way that
allows setting the whole set of entries atomically in the future (see the
comment in mountd_set_exports_list or in doc/TODO).
- Change mountd(8) to use the nfssvc(2) system call instead of mount(2) so
that it becomes file system agnostic. In fact, all this whole thing was
done to remove a 'XXX' block from this utility!
- Change the mount*, newfs and fsck* userland utilities to not deal with NFS
exports initialization; done internally by the kernel when initializing
the NFS support for each file system.
- Implement an interface for VFS (called VFS hooks) so that several kernel
subsystems can run arbitrary code upon receipt of specific VFS events.
At the moment, this only provides support for unmount and is used to
destroy NFS exports lists from the file systems being unmounted, though it
has room for extension.

Thanks go to yamt@, chs@, thorpej@, wrstuden@ and others for their comments
and advice in the development of this patch.

Split sys_timer_create, sys_timer_gettime and sys_timer_settime so they
can be easily used by netbsd32 code.

XXX Meanwhile, introduce a copyinout_t type that matches the prototype of
XXX copyin(9) and copyout(9). Its logical place would be in systm.h, near
XXX the definition of copyin, but, well, see the comment.

Split sys_getitimer and sys_setitimer to make it possible to share the
relevant code with the COMPAT_NETBSD32 version, and make the latter use
the new functions.

This fixes netbsd32_setitimer() which had drifted from the native syscall
and did not work properly anymore.

branches: 1.90.2;
Use ANSI function decls. Apply some static.

- add const.
- remove unnecessary casts.
- add __UNCONST casts and mark them with XXXUNCONST as necessary.

branches: 1.88.2;
Copyright maintenance.

nuke trailing whitespace

branches: 1.86.2; 1.86.4;
If sa_upcall() fails (which is always going to be due to resource exhaustion),
do not leak siginfo structures.

Note that in the cases of trap signals and timer events, losing this
information could be very bad; right now it will cause us to spin until the
process is SIGKILLed.

"Needs work."

Wrap TIMEVAL_TO_TIMESPEC and TIMESPEC_TO_TIMEVAL macros in

do { ... } while(/*CONSTCOND*/0)

so that they can be used unadorned in if/else blocks, etc. This means
that you now *have* to put a ; at the end of the "call" to these
macros.

Fix "comments within comments" problem pointed out by Geoff Wing on
source-changes.

POSIX-2001: Add restrict keywords to gettimeofday(2) and setitimer(2);
further deprecate struct timezone usage by changing `tzp' argument to
gettimeofday() to void *; align utimes(2) declaration by changing `times`
argument from struct timeval * to struct timeval[2]. From Murray
Armfield in PR standards/25331.

In due curse, reflect these changes in futimes(2), lutimes(2), and
settimeofday(2).

branches: 1.82.2; 1.82.4; 1.82.6;
add kernel part of concurrency support for SA on MP systems
- move per VP data into struct sadata_vp referenced from l->l_savp
* VP id
* lock on VP data
* LWP on VP
* recently blocked LWP on VP
* queue of LWPs woken which ran on this VP before sleep
* faultaddr
* LWP cache for upcalls
* upcall queue
- add current concurrency and requested concurrency variables
- make process exit run LWP on all VPs
- make signal delivery consider all VPs
- make timer events consider all VPs
- add sa_newsavp to allocate new sadata_vp structure
- add sa_increaseconcurrency to prepare new VP
- make sys_sa_setconcurrency request new VP or wakeup idle VP
- make sa_yield lower current concurrency
- set sa_cpu = VP id in upcalls
- maintain cached LWPs per VP

kernel part of no-syscall upcall stack return: libpthread registers
an offset between ss_sp and struct sa_stackinfo_t (located in struct
__pthread_st) when calling sa_register. The kernel increments the
sast_gen counter in struct sastack when an upcall stack is used.
libpthread increments the sasi_stackgen counter in struct
sa_stackinfo_t when an upcall stack is freed. The kernel compares the
two counters to decide if a stack is free or in use.

- add struct sa_stackinfo_t with sasi_stackgen to count stack use in
userland
- add sast_gen to struct sastack to count stack use in kernel
- add SA_FLAG_STACKINFO to enable the stackinfo_offset argument in the
sa_register syscall
- add sa_stackinfo_offset to struct sadata for offset between ss_sp
and struct sa_stackinfo_t
- add ssize_t stackinfo_offset argument to sa_register, initialize
struct sadata's sa_stackinfo_offset from it if SA_FLAG_STACKINFO is
set
- add sa_getstack, sa_getstack0, sa_stackused and sa_setstackfree
functions to find/use/free upcall stacks and use these where
appropriate
- don't record stack for upcall in sa_upcall0
- pass sau to sa_switchcall instead of l2 (l2 = curlwp in sa_switchcall)
- add sa_vp_blocker to struct sadata to pass recently blocked lwp to
sa_switchcall
- delay finding a stack for blocked upcalls to sa_switchcall
- add sa_stacknext to struct sadata pointing to next most likely free
upcall stack; also g/c sa_stackslist in struct sadata and sast_list
in struct sastack
- add L_SA_WOKEN flag: LWP is on sa_woken queue
- add L_SA_RECYCLE flag: LWP should be recycled in sa_setwoken
- replace l_upcallstack with L_SA_WOKEN/L_SA_RECYCLE/L_SA_BLOCKING
flags
- g/c now unused sast_blocker in struct sastack
- make sa_switchcall, sa_upcall0 and sa_upcall_getstate static in
kern_sa.c
- call sa_upcall_userret only once in userret
- split sa_makeupcalls out of sa_upcall_userret and use to process
the sa_upcalls queue
- on process exit: mark LWPs sleeping in saunblock interruptible; also
there are no LWPs sleeping on l->l_upcallstack anymore; also clear
sa_wokenq_head to prevent unblocked upcalls

additional changes:
- cleanup timerupcall sa_vp == curlwp check
- add check in sa_yield if we didn't block on our way here and we
wouldn't any longer be the LWP on the VP
- invalidate sa_vp_ofaultaddr after resolving pagefault

PR/23613: Christian Biere: Bogus bounds check in nanosleep.

eliminate uvm_useracc() in favor of checking the return value of
copyin() or copyout().

uvm_useracc() tells us whether the mapping permissions allow access to
the desired part of an address space, and many callers assume that
this is the same as knowing whether an attempt to access that part of
the address space will succeed. however, access to user space can
fail for reasons other than insufficient permission, most notably that
paging in any non-resident data can fail due to i/o errors. most of
the callers of uvm_useracc() make the above incorrect assumption. the
rest are all misguided optimizations, which optimize for the case
where an operation will fail. we'd rather optimize for operations
succeeding, in which case we should just attempt the access and handle
failures due to insufficient permissions the same way we handle i/o
errors. since there appear to be no good uses of uvm_useracc(), we'll
just remove it.

Cleanup signal delivery for SA processes:
General idea: only consider the LWP on the VP for signal delivery, all
other LWPs are either asleep or running from waking up until repossessing
the VP.

- in kern_sig.c:kpsignal2: handle all states the LWP on the VP can be in
- in kern_sig.c:proc_stop: only try to stop the LWP on the VP. All other
LWPs will suspend in sa_vp_repossess() until the VP-LWP donates the VP.
Restore original behaviour (before SA-specific hacks were added) for
non-SA processes.
- in kern_sig.c:proc_unstop: only return the LWP on the VP
- handle sa_yield as case 0 in sa_switch instead of clearing L_SA, add an
L_SA_YIELD flag
- replace sa_idle by L_SA_IDLE flag since it was either NULL or == sa_vp

Also don't output itimerfire overrun warning if the process is already
exiting.
Also g/c sa_woken because it's not used.
Also g/c some #if 0 code.

* Shuffle some data structures so, and add a flags word to ksiginfo_t.
Right now the only flag is used to indicate if a ksiginfo_t is a
result of a trap. Add a predicate macro to test for this flag.
* Add initialization macros for ksiginfo_t's.
* Add accssor macro for ksi_trap. Expands to 0 if the ksiginfo_t was
not the result of a trap. This matches the sigcontext trapcode semantics.
* In kpsendsig(), use KSI_TRAP_P() to select the lwp that gets the signal.
Inspired by Matthias Drochner's fix to kpsendsig(), but correctly handles
the case of non-trap-generated signals that have a > 0 si_code.

This patch fixes a signal delivery problem with threaded programs noted by
Matthias Drochner on tech-kern.

As discussed on tech-kern. Reviewed and OK's by Christos.

set the sigval in the setitimer case.

enable SI_TIMER notification.

fix timerupcall breakage after SA_SIGINFO changes:
- sa_upcall only stores a pointer to the `arg'

SA_SIGINFO changes.

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22364, verified by myself.

Changes from Stephan Uphoff to patch problems with LWPs blocking when they
shouldn't, and MP.

branches: 1.70.2;
Expand the test in itimerfire() to only wake up an idle SA LWP if the
process isn't stopped.

Make ppsratecheck conform with its man page, which says, "If maxpps
is set to 0, the function will always return 0 (no packets/events
are permitted)." Before this patch, ppsratecheck returned 1 once
a second when maxpps was 0.

Flag that adjtime has happened, hardware RTC might be wrong

Change the contract for timer_settime() (the internal routine, not the
syscall sys_timer_settime()) to take an absolute value for realtime
timers. This avoids a pair of gratiuitous conversions with the
possibility that the timer's intermediate value would be 0.0, which
would signal timer_settime() to cancel the timer.

Adjust callers of timer_settime() to compensate; catch the case where
sys_timer_settime() with an absolute time value of now and a virtual
timer would also be subtracted down to a timer-cancelling 0.0.

This should fix the bug seen in libpthread's nanosleep() where certain
applications, such as xmms, would wedge with unexpired userlevel
alarms.

itimerfire(): fix bug in previous - if two or more timers would
fire close together, the second (and every other) timer would be
added to mask incorrectly - timerid value would be shifted twice,
and sa_upcall() would later kill process with SIGILL

cosmetic - use type 'timer_t' for timerid local in sys_timer_create()
and sys_timer_delete()

Prevent one timer from overrunning another with the current userret
mechanism by keeping a list (bitset) of which timers have fired and using
that list in the upcall (Does this sound familiar? SEND HELP NEED SIGINFO).

Provoke the idle LWP into running again with setrunnable(sa->sa_idle)
instead of a wakeup() call, since we know what it is.

Merge the nathanw_sa branch.

"oatv" in adjtime1() isn't used after being set; remove it.

branches: 1.61.10;
Implement the CLOCK_MONOTONIC clock for the posix/opengroup realtime
clock_() functions. This simply returns the kernel mono_time variable.
As discussed on tech-kern.

Changed clocktl interface to use syscallargs structures

PR/8657: z@rentaboat.se: alarm takes more seconds that it can handle.

This is a followup to PR/14558.

- itimerfix(9) limited the number of seconds to 100M, before I changed
it to 1000M for PR/14558.
- nanosleep(2) documents a limit of 1000M seconds.
- setitimer(2), select(2), and other library functions that indirectly
use setitimer(2) for example alarm(3) don't specify a limit.

So it only seems appropriate that any positive number of seconds in
struct timeval should be accepted by any code that uses itimerfix(9)
directly, except nanosleep(2) which should check for 1000M seconds
manually. This changes makes the manual pages of select(2), nanosleep(2),
setitimer(2), and alarm(3) consistent with the code.

add RCSIDs

PR/14558: Tero Kivinen: There is no point in limiting the number of seconds
to 100 million. Use 1000 million like the man page for nanosleep suggests.
This is much closer to MAXINT, and it conforms to POSIX.

branches: 1.56.2;
Split root-only time-related system calls so that we have an upper part, that
checks root privs, and a lower part that does the actual job. The lower part
will be called by the upcoming clockctl driver. Approved by Christos
Also fixed a few cosmetic things

branches: 1.55.2; 1.55.4;
Lower interrupt priortiy properly if setting the setting the kernel time
is denied in a securelevel above 1. This fixes PR kern/13158.

branches: 1.54.2;
Extend NFS_V2_ONLY to remove NQNFS lease support as well. Saves another 10k.

allow admins to disable pps rate limitation, by setting "maxpps"
parameter to negative value.

Add a comment about the hzto() return value.

Comment police. s/DIAGNOSTICS/DIAGNOSTIC/

add ppsratelimit(9), which does event-per-sec rate limitation.
use it from icmp6 error rate limitation code.
XXX better name for the function?

shorten splclock() period in ratelimit().
From: onoe

remove include of <vm/vm.h>

branches: 1.47.2;
Track which process a CPU is running/has last run on by adding a
p_cpu member to struct proc. Use this in certain places when
accessing scheduler state, etc. For the single-processor case,
just initialize p_cpu in fork1() to avoid having to set it in the
low-level context switch code on platforms which will never have
multiprocessing.

While I'm here, comment a few places where there are known issues
for the SMP implementation.

branches: 1.46.2;
First sweep at scheduler state cleanup. Collect MI scheduler
state into global and per-CPU scheduler state:

- Global state: sched_qs (run queues), sched_whichqs (bitmap
of non-empty run queues), sched_slpque (sleep queues).
NOTE: These may collectively move into a struct schedstate
at some point in the future.

- Per-CPU state, struct schedstate_percpu: spc_runtime
(time process on this CPU started running), spc_flags
(replaces struct proc's p_schedflags), and
spc_curpriority (usrpri of processes on this CPU).

- Every platform must now supply a struct cpu_info and
a curcpu() macro. Simplify existing cpu_info declarations
where appropriate.

- All references to per-CPU scheduler state now made through
curcpu(). NOTE: this will likely be adjusted in the future
after further changes to struct proc are made.

Tested on i386 and Alpha. Changes are mostly mechanical, but apologies
in advance if it doesn't compile on a particular platform.

Get rid of register declarations.

New callout mechanism with two major improvements over the old
timeout()/untimeout() API:
- Clients supply callout handle storage, thus eliminating problems of
resource allocation.
- Insertion and removal of callouts is constant time, important as
this facility is used quite a lot in the kernel.

The old timeout()/untimeout() API has been removed from the kernel.

correct ratecheck() signedness. without this fix, ratecheck() will never
success again after first success with lasttime=(0,0).

Implement ratecheck(), a function which can help programmers implement
rate-limited actions. See ratecheck(9) for details of its use.

branches: 1.41.2;
If time delta is larger than thresh. Use 10* adj factor. Make this
work for negative deltas too. From NAKAJIMA Yoshihiro <nakayosh@kcn.ne.jp>
in kern/8589.

branches: 1.40.2;
Remove the prototype for settime(), it is in "sys/time.h" now.

Make settime() public because we need to use it for the Linux emulation.

Change the semantics of splsoftclock() to be like other spl*() functions,
that is priority is rasied. Add a new spllowersoftclock() to provide the
atomic drop-to-softclock semantics that the old splsoftclock() provided,
and update calls accordingly.

This fixes a problem with using the "rnd" pseudo-device from within
interrupt context to extract random data (e.g. from within the softnet
interrupt) where doing so would incorrectly unblock interrupts (causing
all sorts of lossage).

XXX 4 platforms do not have priority-raising capability: newsmips, sparc,
XXX sparc64, and VAX. This platforms still have this bug until their
XXX spl*() functions are fixed.

Make sure `olddelta' is a valid pointer before performing the guts of
the adjtime(2) system call. Fixes PR #7721, Darren Reed.

branches: 1.36.6; 1.36.8; 1.36.10;
Add some braces to make egcs happy (ambiguous else warning).

fix sizeofs so they comply with the KNF style guide. yes, it is pedantic.

branches: 1.34.2;
defopt NFSSERVER

Merge with Lite2 + local changes

Fix missing newline in time zone warning.

Include the NFS option header.

Adjust u_int arguments of some system calls to int, to match user-level
prototypes.

Don't allow the time to be set backwards if in highly secure mode, since this would allow inode change times to be manipulated.

In nanosleep, use local error variable when storing rqtp in so that
an error from a failed tsleep will still be returned to the caller.

Add POSIX.1b nanosleep().

NFSCLIENT -> NFS

Eliminate obsolete TIMEZONE and DST options.
Eliminate obsolete global kernel variable "struct timezone tz"
Add RTC_OFFSET option
Add global kernel variable rtc_offset, which is initialized by
RTC_OFFSET at kernel compile time.
on i386, x68k, mac68k, pc532 and arm32, RTC_OFFSET indicates how many
minutes west (east) of GMT the hardware RTC runs. Defaults to 0.
Places where tz variable was used to indicate this in the past have
been replaced with rtc_offset.
Add sysctl interface to rtc_offset.
Kill obsolete DST_* macros in sys/time.h
gettimeofday now always returns zeroed timezone if zone is requested.
settimeofday now ignores and logs attempts to set non-existant kernel
timezone.

branches: 1.24.2;
* catch up with system call argument type fixups/const poisoning.
* Fix arguments to various copyin()/copyout() invocations, to avoid
gratuitous casts.
* Some KNF formatting fixes

clean up a few spaces vs. tabs and KNF bogons. Make this compile
cleanly with -Wall -Wstrict-prototypes -Wmissing-prototypes -Wcast-qual.

Add clock_gettime, clock_settime, and clock_getres

replace a construction in sys_setitimer() that was too tricky for its
(and my!) own good with a more straightforward one that is equally (and
more apparently) correct.

branches: 1.20.4;
Changes for NVSv3 code: pull in more NFS include files into kern_time.c
to get types right (overkill for just one function call, but oh well).
Clear B_NEEDCOMMIT in bdwrite().

uipc_proto.c: No need for the forward decls anymore; everything is prototyped.
kern_time.c: add header to get the NFS prototypes if needed.

More proto fixes

First pass at prototyping

Prefix names of system call implementation functions with `sys_'.

Make system calls conform to a standard prototype and bring those
prototypes into scope.

Update to use timer{add,sub}().

LEASE_UPDATETIME -> lease_updatetime

Use __timer{add,sub}(), not timeval{add,sub}(). Remove the latter completely.

update for new syscall args description mechanism

Remove extern of tickadj.

New RCS ID's, take two. they're more aesthecially pleasant, and use 'NetBSD'

update to Lite

Remove now-bogus casts.

lots of changes: prototype migration, move lots of variables, definitions,
and structure elements around. kill some unnecessary type and macro
definitions. standardize clock handling. More changes than you'd want.

Canonicalize all #includes.

branches: 1.4.4;
break args structs out, into syscallname_args structs, so gcc2 doesn't
whine so much.

ANSIfications - removed all implicit function return types and argument
definitions. Ensured that all files include "systm.h" to gain access to
general prototypes. Casts where necessary.

add $Id$ strings, and clean up file headers where necessary

branches: 1.1.1;
Initial revision

In itimer_arm_real(), KASSERT that it->it_dying is false. This was
already implicitly assumed, but make it explicit in hopes of tracking
down kern/57226.

sys: Put externs for time_adjtime and time_adjusted in .h files.

time_adjtime: sys/timex.h (defined in ntp code)
time_adjusted: sys/timevar.h (defined in non-ntp code)

(Not really sure this is a valuable distinction to maintain; there's
non-ntp code that uses time_adjtime too.)

kern: KNF in kern_time.c: Omit needless return parentheses.

Also nix trailing whitespace while here.

No functional change intended.

setitimer(2): Avoid arithmetic overflow in periodic bookkeeping.

Reported-by: syzbot+93cef6090844ec304cde@syzkaller.appspotmail.com

setitimer(2): Guard against overflow in arithmetic.

Reported-by: syzbot+6036bc8b6d2b963e3ba6@syzkaller.appspotmail.com

adjtime(2): Handle negative tv_sec and tv_usec.

Previously I clamped these to avoid dangerous arithmetic overflow.
But I assumed sensible values should be nonnegative.

For tv_sec, this assumption was just wrong -- the adjustment may be
negative.

For tv_usec, this assumption is...not wrong, but also not right.
tv_usec is not _supposed_ to be negative (by POSIX, the type need
only represent values in [-1, 1000000]; semantically the member is
supposed to be a nonnegative number of microseconds below 1000000),
but ntp abuses it to hold negative values, for reasons unclear -- the
same effect could be had by subtracting one from tv_sec, and adding
1000000 to the negative tv_usec. However, let's not break existing
ntp userlands...

kern: Handle clock winding back in nanosleep1 without overflow.

Reported-by: syzbot+3bdd260582424a611946@syzkaller.appspotmail.com

kern: Clamp time_adjtime to avoid overflow.

Reported-by: syzbot+7edce1a31dfd2a5eaa18@syzkaller.appspotmail.com

Centralise the setitimer() timer type validation in dosetitimer() as is
done with dogetitimer().

branches: 1.210.2;
A couple of tweaks to the previous re-factor:

- Some of what was defined as "generic itimer" behavior turned out to be
ptimer-specific. As such, everything related to the "fired timer queue"
is now specific to ptimers, and the queue and softint handle fields of
itimer_ops are not needed.

- Split itimer_fini() into 2 parts: itimer_poision() marks the timer as
dead and attempts to cancel it. itimer_fini() is then just responsible
for freeing itimer resources and releasing the lock. They are split
into two parts, as ptimers require an addition processing step between
those two operations, but other kinds of itimers do not necessarily require
that.

- Export a few more itimer-related symbols that other itimer types will
need.

Riding previous kernel version bump since there are no external uses of
this code since the version bump that accompanied the original change.

fix the build; gcc does not always see that it can't happen.

Fix an uninitialized pointer deref introduced in rev 1.207.

Reported-by: syzbot+6d69101d5f2fd954c4e2@syzkaller.appspotmail.com

Refactor interval timers to make it possible to support types other than
the BSD/POSIX per-process timers:

- "struct ptimer" is split into "struct itimer" (common interval timer
data) and "struct ptimer" (per-process timer data, which contains a
"struct itimer").

- Introduce a new "struct itimer_ops" that supplies information about
the specific kind of interval timer, including it's processing
queue, the softint handle used to schedule processing, the function
to call when the timer fires (which adds it to the queue), and an
optional function to call when the CLOCK_REALTIME clock is changed by
a call to clock_settime() or settimeofday().

- Rename some fuctions to clearly identify what they're operating on
(ptimer vs itimer).

- Use kmem(9) to allocate ptimer-related structures, rather than having
dedicated pools for them.

Welcome to NetBSD 9.99.77.

branches: 1.206.2;
kern_time: prevent the system clock from being set too low or high

currently doing this will drive KUBSAN haywire and possibly cause
system lock-ups, so more testing should probably be performed before
we let the clock be set too many thousands of years into the future.

ditto for negative values, which were being passed by chrony for
some reason while my internet connection was being unreliable.
this also triggered some interesting KUBSAN reports.

Move proc_lock into the data segment. It was dynamically allocated because
at the time we had mutex_obj_alloc() but not __cacheline_aligned.

Fix uninitialized memory access. Found by KMSAN.

Reported-by: syzbot+9f2a173d29d66c88f9ac@syzkaller.appspotmail.com

- Eliminate the global "boottime" variable, which was being accessed
without any synchronization against changes by e.g. clock_settime().
- Replace with new getbinboottime() / getnanoboottime() / getmicroboottime()
functions (naming mirrors that of other time access functions in kern_tc.c).
It returns the (maybe-converted) value of timebasebin, which also tracks
our estimate of when the system was booted (i.e. the legacy "boottime" was
redundant).

XXX There needs to be a lockless synchronization mechanism for reading
timebasebin, but this is a problem in kern_tc.c that pre-existed these
"boottime" changes. At least now the problem is centralized in one location.

Remove superfluous splclock()/splx() pair around tc_setclock().

Check for valid timespec in clock_settime1()

An alternative approach would be to check the valie in settime1(), but
it would result in multiple checks for valid tv_nsec, as there are
settime1() users that need to check the ranges earlier.

Reported-by: syzbot+96e5ce2c2c704d96c2f0@syzkaller.appspotmail.com

Validate usec ranges in settimeofday1()

mark a variable __diagused to fix this problem affecting many builds:

kern/kern_time.c:1413:6: error: variable 'error' set but not used [-Werror=unused-but-set-variable]

Fix race in timer destruction.

Anything we confirmed about the world before callout_halt may cease
to be true afterward, so make sure to start over in that case.

Add some comments explaining what's going on.

Reported-by: syzbot+d58da99969f58c1a024a@syzkaller.appspotmail.com

branches: 1.197.4;
Fix the code that deals with very long sleeps (> 248 days) which
go beyond the maximum that the callout mechanism can handle.
[See the comments in tvtohz() in subr_sleep.c for the details.]

When that happens the timeout is clamped to MAX_INT (ticks), and the
code in nanosleep1() looped (or tried to) repeating the sleep (aka
kpause()) until the requested end time for the sleep was reached.

Unfortunately, the code assumed that kpause() would return 0 when
it returned after the timeout expired. But it doesn't, it returns
EWOULDBLOCK instead (why is incomprehensible to me, but I assume
there is a reason.) [That comes from sleepq_block() which returns
EWOULDBLOCK when callout_halt() indicates that the callout had fired,
which is exactly what has happened when the time has elapsed.]

There was already code to deal with that EWOULDBLOCK and return 0
instead of an error in that case - but it was placed after the
error code was tested against 0 for the purposes of the loop.

Simply move the EWOULDBLOCK->0 mapping earlier, so the code which
is expecting "error == 0" to mean "nothing went wrong" actually
gets to see that happen, and the loop can actually loop.

(Someday the loop should probably be rewritten as a loop, instead of
as a bunch of code followed by a "goto again"!)

The callout is used by any nonvirtual timer including CLOCK_MONOTONIC
and needs to be initialized.

Detected by [syzkaller].

Introduce PR_ZERO to avoid open-coding memset()s everywhere. OK riastradh@.

Fix kernel info leaks.

Improve my kern_time.c::rev1.192, systematically clear the buffers we get
from 'ptimer_pool' to prevent more leaks.

Fix kernel info leak.

+ Possible info leak: [len=32, leaked=16]
| #0 0xffffffff80baf3a7 in kleak_copyout
| #1 0xffffffff80b940f8 in sys___timer_settime50
| #2 0xffffffff80259c42 in syscall

Fix kernel info leak. There are 2x4 bytes of padding in struct itimerval.

[ 738.451860] kleak: Possible leak in copyout: [len=32, leaked=8]
[ 738.481840] #0 0xffffffff80b7c42a in kleak_note <netbsd>
[ 738.491821] #1 0xffffffff80b7c4aa in kleak_copyout <netbsd>
[ 738.501806] #2 0xffffffff80b6154e in sys___getitimer50 <netbsd>
[ 738.511778] #3 0xffffffff80b61e39 in sys___setitimer50 <netbsd>
[ 738.521781] #4 0xffffffff8025ab3c in sy_call <netbsd>
[ 738.521781] #5 0xffffffff8025ad6e in sy_invoke <netbsd>
[ 738.531808] #6 0xffffffff8025adf4 in syscall <netbsd>

Fix stack info leak. There are 4 bytes of padding in struct timeval. Looks
like there are other leaks related to timeval in this file.

[ 133.414352] kleak: Possible leak in copyout: [len=16, leaked=4]
[ 133.414352] #0 0xffffffff80224d0a in kleak_note <netbsd>
[ 133.424360] #1 0xffffffff80224d8a in kleak_copyout <netbsd>
[ 133.434361] #2 0xffffffff80b5fd79 in sys___gettimeofday50 <netbsd>
[ 133.434361] #3 0xffffffff8025a89c in sy_call <netbsd>
[ 133.444351] #4 0xffffffff8025aace in sy_invoke <netbsd>
[ 133.454365] #5 0xffffffff8025ab54 in syscall <netbsd>

branches: 1.189.8; 1.189.14; 1.189.16;
Adjust clock_nanosleep(2) to not copyout remaining time struct if
TIMER_ABSTIME flag is set.

Ok Christos.

branches: 1.188.2;
KNF. Remove extra spaces. No functional change.

GSoC 2016: Charles Cui: Add timer related macros
_POSIX_CPUTIME
_POSIX_THREAD_CPUTIME
_POSIX_DELAYTIMER_MAX

Add clock_getcpuclockid2(2) as well as CLOCK_{PROCESS,THREAD}_CPUTIME_ID.

- GC pts_fired, and fix the comment about MAX_TIMERS
- Bump MAX_TIMERS to 36 so that we have 32 POSIX user timers which is the
minimum required.

Don't leak garabage from the kernel stack on sleep(0) and equivalents.
Hat tip to perl's ext/POSIX/t/wrappers.t

Make comments and code match reality; there are 4 reserved timers.

CID/1325753: remove extra return.

PR/50295: clock_nanotime() should not set errno, but return the error.

Unused inits (harmless).

Found by Brainy.

branches: 1.179.8; 1.179.10; 1.179.12;
Make ts2timo(9) always return the absolute start time if the start argument
is present, and handle the TIMER_ABSTIME case in nanosleep1(9).

always return immediately on error, and if we passed negative seconds,
return with 0.

Move clock_gettime1() to subr_time.c (which is included in rump kernels)

Centralize the computation of struct timespec to the int timo.
Make lwp_park take the regular arguments for specifying what kind
of timeout we supply like clock_nanosleep(), namely clockid_t and flags.

kernel portion of clock_nanosleep()

branches: 1.174.2;
Misplaced parenthesis; fixes PR 44927

itimerfire: fix a regression, check if timer is already queued.

Remove COMPAT_SA / KERN_SA. Welcome to 6.99.3!
Approved by core@.

Fix monotonic interval timers.

branches: 1.170.2; 1.170.6;
There is no reason not to support CLOCK_MONOTONIC in {g,s}etitimer() since
the underlying implementation already supports it, so add it.

These don't need uvm/uvm_extern.h.

implement timer_create of CLOCK_MONOTONIC

fix assertion failure in timer_intr. CLOCK_REALTIME timers can be on
timer_queue.

branches: 1.166.2;
realtimerexpire: rename a confusing variable. no functional change.
(now_ms -> now_ns as it hold a nano second value)

Add a new clock_gettime1() function that holds most of the
clock_gettime syscall code (except for the copyout). Adjust all
corresponding syscalls to make use of it.

Move most clock_getres syscall code, except for coypout call, to a new
clock_getres1() function which can be used by emulations. Adjust all
clock_getres syscalls to now make of use it.

branches: 1.163.2; 1.163.4;
If a struct sigevent with SIGEV_SIGNAL is passed to timer_create(2),
check the signal number to be in the allowed range. An invalid
signal number could crash the kernel by overflowing the sigset_t
array.
More checks would be good, and SIGEV_THREAD shouldn't be dropped
silently, but this fixes at least the local DOS vulnerability.

Introduce time_wraps() to check if setting the time will wrap it (or
close to it). Useful for secmodels.

Replace open-coded form with it in secmodel code (securelevel, keylock).

Note: I need to find a way to make secmodel_keylock.c ~<100 lines.

Wipe out the last vestiges of POOL_INIT with one swift stroke. In
most cases, use a proper constructor. For proplib, give a local
equivalent of POOL_INIT for the kernel object implementation. This
way the code structure can be preserved, and a local link set is
not hazardous anyway (unless proplib is split to several modules,
but that'll be the day).

tested by booting a kernel in qemu and compile-testing i386/ALL

Move the internal poll/select related API's to use timespec instead
of timeval (rides the uvm bump).

branches: 1.159.2;
settime1: fix a bug i introduced when i made l_stime use monotonic time.
from Matthias Drochner on tech-kern@. PR/40511 from Martin Husemann.

timer_intr: hold proc_lock across the loop, otherwise the process we are
about to signal could disappear.

- fix leaked lock, thanks ad@ for noticing.
- remove unneeded cast.

merge christos-time_t

branches: 1.155.2; 1.155.4;
Adjust locking on the sadata::sa_vps list. The main time we
walk the list, we're looking for a vp to do something with. We do
this in the signal code and in the timer code. The signal code already
runs with proc::p_lock held, so it's a very natural lock to use. The
timer code, however, calls into the sa timer code with a spinlock held.
Since proc::p_lock is an adaptable mutex, we can sleep to get it. Sleeping
with a spinlock is BAD. So proc::p_lock is _not_ the right lock there,
and something like sadata::sa_mutex would be best.

Address this difficulty by noting that both uses actually just read
the list. Changing the list of VPs is rare - once one's added, it stays
until the process ends. So make the locking protocol that to write the
list you have to hold both proc::p_lock and sadata::sa_mutex (taken
in that order). Thus holding either one individually grants read access.

This removes a case where we could sleep with timer_lock, a spinlock at
IPL_SCHED (!!), while trying to get p_lock. If that ever happened, we'd
pretty much be dead. So don't do that!

This fixes a merge botch from how I handled our gaining p_lock - p_lock
should not have simply replaced p_smutex.

While here, tweak the sa_unblock_userret() code for the case
when the blessed vp is actually running (on another CPU). Make its
resched RESCHED_IMMED so we whack the CPU. Addresses a hang I've
observed in starting firefox on occasion when I see one thread running
in userland and another thread sitting in lwpublk, which means it's on
the list of threads for which we need an unblocked upcall. This list is
one on which things should NOT linger.

Merge wrstuden-revivesa into HEAD.

Split rate-checking routines into their own module for easier reuse.

fix half-assed change usec -> nsec that broke non-real timers.

Fix broken setitimer(). (Sverre Froyen)

Use more timespecs internally. From Alexander Shishkin and me.
Welcome to 4.99.70, 30 more to go for 100.

Fix to bug reported and tested by Alexander Shishkin. struct ptimer has
a union that contains either a callout [for CLOCK_REALTIME] or a flag
and a list [for other clock types]. Make sure we perform the right actions
on the right union member depending on the clock type. Otherwise this would
result in crashes.

branches: 1.148.2; 1.148.4;
Explicitly compute the next interval using 64bit arithmetic, if the time
was either stepped backwards or the timer has overflown. This fixes
PR 26470.

- Add tc_gonebad(): allows timecounter to be flagged as bad and removed at
the next clock tick.
- Remove time_lock, which is no longer required.

branches: 1.146.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.145.2;
Network protocol interrupts can now block on locks, so merge the globals
proclist_mutex and proclist_lock into a single adaptive mutex (proc_lock).
Implications:

- Inspecting process state requires thread context, so signals can no longer
be sent from a hardware interrupt handler. Signal activity must be
deferred to a soft interrupt or kthread.

- As the proc state locking is simplified, it's now safe to take exit()
and wait() out from under kernel_lock.

- The system spends less time at IPL_SCHED, and there is less lock activity.

Give callout_halt() an additional 'kmutex_t *interlock' argument. If there
is a need to block and wait for the callout to complete, and there is an
interlock, it will be dropped while waiting and reacquired before return.

Make ntp, pmc, reboot, sysarch, time syscalls MPSAFE.

timer fixes for PR 37093:

- Fix serious concurrency problems, making the code MT and MP safe in
the process.
- Don't allocate memory or inspect process state from hardclock().

branches: 1.141.2; 1.141.4;
nanosleep1: handle kpause spontaneous wakeups.

branches: 1.140.2; 1.140.6;
wrap long lines. no functional change.

nanosleep1: whitespace. no functional change.

Now that __HAVE_TIMECOUNTER and __HAVE_GENERIC_TODR are invariants,
remove the conditionals and the code associated with the undef case.

use binuptime for l_stime/l_rtime.

reduce #ifdef __HAVE_TIMECOUNTER.

Convert all the system call entry points from:
int foo(struct lwp *l, void *v, register_t *retval)
to:
int foo(struct lwp *l, const struct foo_args *uap, register_t *retval)
Fixup compat code to not write into 'uap' and (in some cases) to actually
pass a correctly formatted 'uap' structure with the right name to the
next routine.
A few 'compat' routines that just call standard ones have been deleted.
All the 'compat' code compiles (along with the kernels required to test
build it).
98% done by automated scripts.

branches: 1.134.4;
Replace usage of p_cred in kauth(9) call with kauth_cred_get().

okay yamt@.

branches: 1.133.2;
Kill a KAUTH_REQ_SYSTEM_TIME_SYSTEM request that's no longer needed.

Refactor time modification checks and place them in the secmodel code.

okay christos@

Add a bit of locking around timecounter attachment / selection.

branches: 1.130.2;
machine/{bus,cpu,intr}.h -> sys/{bus,cpu,intr}.h

branches: 1.129.2;
Merge run time accounting changes from the vmlocking branch. These make
the LWP "start time" per-thread instead of per-CPU.

branches: 1.128.2; 1.128.4;
Shuffle routines which just roll values around from kern_clock.c
and kern_time.c to subr_time.c.

No reason not to make itimespecfix() generally available..

Export itimespecfix() until itimerfix() dies.

branches: 1.125.2; 1.125.6;
Merge some of the less invasive changes from the vmlocking branch:

- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements

rename si_sigval -> si_value to match POSIX RTS.

nanosleep1() shouldn't try to get the current time into a NULL address.

Instead of the #define versions of tc_getfrequency() and nanouptime(), use
the function ones in kern_kern_clock.c (adding tc_getfrequency).
Adjust includes so this builds.

Add a #define for nanouptime() in the !__HAVE_TIMECOUNTERS case.

Split sys_nanosleep().

Change interface to settimeofday1() so that it can also be used from
compat code in order to avoid the stackgap.

branches: 1.118.2; 1.118.4;
Pass an ipl argument to pool_init/POOL_INIT to be used when initializing
the pool's lock.

branches: 1.117.2;
- Make the proclist_lock a mutex. The write:read ratio is unfavourable,
and mutexes are cheaper use than RW locks.
- LOCK_ASSERT -> KASSERT in some places.
- Hold proclist_lock/kernel_lock longer in a couple of places.

Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

TRUE -> true, FALSE -> false

branches: 1.114.2;
Remove spllowersoftclock() and CLKF_BASEPRI(), and always dispatch callouts
via a soft interrupt. In the near future, softclock will be run from process
context.

Merge newlock2 to head.

remove nqnfs.

use KSI_INIT rather than memset. no functional changes.

remove some __unused from function parameters.

Add an XXX to remind me why it's there when grepping. (securelevel ref)

- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386

PR/34612: Bucky Katz: SA returns from sleep do not set the signal flags
Patch applied, many thanks for the example!

branches: 1.106.2;
First take at security model abstraction.

- Add a few scopes to the kernel: system, network, and machdep.

- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.

- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.

- Update all relevant documentation.

- Add some code and docs to help folks who want to actually use this stuff:

* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.

This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...

* And of course, documentation describing how to do the above for quick
reference, including code samples.

All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:

http://kauth.linbsd.org/kauthwiki

NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:

- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.

(or if you feel you have to, contact me first)

This is still work in progress; It's far from being done, but now it'll
be a lot easier.

Relevant mailing list threads:

http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html

Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).

Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.

Happy birthday Randi! :)

branches: 1.105.4;
Use the LWP cached credentials where sane.

fix another t{s,v}tohz() fallout (invalid remaining time)
now passes regression/sys/kern/sleeping

keep NetBSD boottime semantics:
- only set at boot
- only tracking delta of set-time operations
-> will keep boottime stable across ACPI sleeps
uptime(1) will report the time since last boot

report true clock resolution based on the frequency information
from the underlying counter in clock_getres(). For frequencies
above 1GHz report a resolution if 1 nsec.

branches: 1.101.2;
merge FreeBSD timecounters from branch simonb-timecounters
- struct timeval time is gone
time.tv_sec -> time_second
- struct timeval mono_time is gone
mono_time.tv_sec -> time_uptime
- access to time via
{get,}{micro,nano,bin}time()
get* versions are fast but less precise
- support NTP nanokernel implementation (NTP API 4)
- further reading:
Timecounter Paper: http://phk.freebsd.dk/pubs/timecounter.pdf
NTP Nanokernel: http://www.eecis.udel.edu/~mills/ntp/html/kern.html

branches: 1.100.2;
timers_alloc: use PR_WAITOK.

integrate kauth.

branches: 1.98.4; 1.98.6; 1.98.8; 1.98.10; 1.98.12;
- make settime take timespec.
- avoid wrapping of time in settime (from OpenBSD)
- pass struct proc down so that we can log a detailed message.

Convert malloc/free of struct ptimers to pools.
Move the ptimer pool to kern_time.c to keep like pools together,
and it wasn't used in kern_proc.c

branches: 1.96.2;
Call nanotime() directly, instead of doing the
microtime()/TIMEVAL_TO_TIMESPEC() dance.

Implement a few changes needed to properly resolve PR#30924, as
discussed in the PR.

- introduce sys/timevar.h to hold kernel-specific stuff relevant to
sys/time.h. Ideally, timevar.h would contain all (or almost) of the
#ifdef _KERNEL part of time.h, but that's a pretty big and tedious
change to make. For now, it will contain only the prototypes I
introduced when working on COMPAT_NETBSD32.

- split copyinout_t into copyin_t and copyout_t, it makes prototypes more
explicit about the meaning of a given argument. Suggested by yamt@.

- move copyinout_t definition in sys/time.h to systm.h as copyin_t and
copyout_t

- make everything uses the new types and include the proper headers at
the proper places.

branches: 1.94.2;
avoid calling into the pool code while holding sched_lock
since both pool_get() and pool_put() can call wakeup().
instead, allocate the struct sadata_upcall before taking
sched_lock in mi_switch() and free it after releasing sched_lock.

clean up some modularity warts by adding a callback to
struct sadata_upcall for freeing sa_arg.

Apply the NFS exports list rototill patch:

- Remove all NFS related stuff from file system specific code.
- Drop the vfs_checkexp hook and generalize it in the new nfs_check_export
function, thus removing redundancy from all file systems.
- Move all NFS export-related stuff from kern/vfs_subr.c to the new
file sys/nfs/nfs_export.c. The former was becoming large and its code
is always compiled, regardless of the build options. Using the latter,
the code is only compiled in when NFSSERVER is enabled. While doing this,
also make some functions in nfs_subs.c conditional to NFSSERVER.
- Add a new command in nfssvc(2), called NFSSVC_SETEXPORTSLIST, that takes a
path and a set of export entries. At the moment it can only clear the
exports list or append entries, one by one, but it is done in a way that
allows setting the whole set of entries atomically in the future (see the
comment in mountd_set_exports_list or in doc/TODO).
- Change mountd(8) to use the nfssvc(2) system call instead of mount(2) so
that it becomes file system agnostic. In fact, all this whole thing was
done to remove a 'XXX' block from this utility!
- Change the mount*, newfs and fsck* userland utilities to not deal with NFS
exports initialization; done internally by the kernel when initializing
the NFS support for each file system.
- Implement an interface for VFS (called VFS hooks) so that several kernel
subsystems can run arbitrary code upon receipt of specific VFS events.
At the moment, this only provides support for unmount and is used to
destroy NFS exports lists from the file systems being unmounted, though it
has room for extension.

Thanks go to yamt@, chs@, thorpej@, wrstuden@ and others for their comments
and advice in the development of this patch.

Split sys_timer_create, sys_timer_gettime and sys_timer_settime so they
can be easily used by netbsd32 code.

XXX Meanwhile, introduce a copyinout_t type that matches the prototype of
XXX copyin(9) and copyout(9). Its logical place would be in systm.h, near
XXX the definition of copyin, but, well, see the comment.

Split sys_getitimer and sys_setitimer to make it possible to share the
relevant code with the COMPAT_NETBSD32 version, and make the latter use
the new functions.

This fixes netbsd32_setitimer() which had drifted from the native syscall
and did not work properly anymore.

branches: 1.90.2;
Use ANSI function decls. Apply some static.

- add const.
- remove unnecessary casts.
- add __UNCONST casts and mark them with XXXUNCONST as necessary.

branches: 1.88.2;
Copyright maintenance.

nuke trailing whitespace

branches: 1.86.2; 1.86.4;
If sa_upcall() fails (which is always going to be due to resource exhaustion),
do not leak siginfo structures.

Note that in the cases of trap signals and timer events, losing this
information could be very bad; right now it will cause us to spin until the
process is SIGKILLed.

"Needs work."

Wrap TIMEVAL_TO_TIMESPEC and TIMESPEC_TO_TIMEVAL macros in

do { ... } while(/*CONSTCOND*/0)

so that they can be used unadorned in if/else blocks, etc. This means
that you now *have* to put a ; at the end of the "call" to these
macros.

Fix "comments within comments" problem pointed out by Geoff Wing on
source-changes.

POSIX-2001: Add restrict keywords to gettimeofday(2) and setitimer(2);
further deprecate struct timezone usage by changing `tzp' argument to
gettimeofday() to void *; align utimes(2) declaration by changing `times`
argument from struct timeval * to struct timeval[2]. From Murray
Armfield in PR standards/25331.

In due curse, reflect these changes in futimes(2), lutimes(2), and
settimeofday(2).

branches: 1.82.2; 1.82.4; 1.82.6;
add kernel part of concurrency support for SA on MP systems
- move per VP data into struct sadata_vp referenced from l->l_savp
* VP id
* lock on VP data
* LWP on VP
* recently blocked LWP on VP
* queue of LWPs woken which ran on this VP before sleep
* faultaddr
* LWP cache for upcalls
* upcall queue
- add current concurrency and requested concurrency variables
- make process exit run LWP on all VPs
- make signal delivery consider all VPs
- make timer events consider all VPs
- add sa_newsavp to allocate new sadata_vp structure
- add sa_increaseconcurrency to prepare new VP
- make sys_sa_setconcurrency request new VP or wakeup idle VP
- make sa_yield lower current concurrency
- set sa_cpu = VP id in upcalls
- maintain cached LWPs per VP

kernel part of no-syscall upcall stack return: libpthread registers
an offset between ss_sp and struct sa_stackinfo_t (located in struct
__pthread_st) when calling sa_register. The kernel increments the
sast_gen counter in struct sastack when an upcall stack is used.
libpthread increments the sasi_stackgen counter in struct
sa_stackinfo_t when an upcall stack is freed. The kernel compares the
two counters to decide if a stack is free or in use.

- add struct sa_stackinfo_t with sasi_stackgen to count stack use in
userland
- add sast_gen to struct sastack to count stack use in kernel
- add SA_FLAG_STACKINFO to enable the stackinfo_offset argument in the
sa_register syscall
- add sa_stackinfo_offset to struct sadata for offset between ss_sp
and struct sa_stackinfo_t
- add ssize_t stackinfo_offset argument to sa_register, initialize
struct sadata's sa_stackinfo_offset from it if SA_FLAG_STACKINFO is
set
- add sa_getstack, sa_getstack0, sa_stackused and sa_setstackfree
functions to find/use/free upcall stacks and use these where
appropriate
- don't record stack for upcall in sa_upcall0
- pass sau to sa_switchcall instead of l2 (l2 = curlwp in sa_switchcall)
- add sa_vp_blocker to struct sadata to pass recently blocked lwp to
sa_switchcall
- delay finding a stack for blocked upcalls to sa_switchcall
- add sa_stacknext to struct sadata pointing to next most likely free
upcall stack; also g/c sa_stackslist in struct sadata and sast_list
in struct sastack
- add L_SA_WOKEN flag: LWP is on sa_woken queue
- add L_SA_RECYCLE flag: LWP should be recycled in sa_setwoken
- replace l_upcallstack with L_SA_WOKEN/L_SA_RECYCLE/L_SA_BLOCKING
flags
- g/c now unused sast_blocker in struct sastack
- make sa_switchcall, sa_upcall0 and sa_upcall_getstate static in
kern_sa.c
- call sa_upcall_userret only once in userret
- split sa_makeupcalls out of sa_upcall_userret and use to process
the sa_upcalls queue
- on process exit: mark LWPs sleeping in saunblock interruptible; also
there are no LWPs sleeping on l->l_upcallstack anymore; also clear
sa_wokenq_head to prevent unblocked upcalls

additional changes:
- cleanup timerupcall sa_vp == curlwp check
- add check in sa_yield if we didn't block on our way here and we
wouldn't any longer be the LWP on the VP
- invalidate sa_vp_ofaultaddr after resolving pagefault

PR/23613: Christian Biere: Bogus bounds check in nanosleep.

eliminate uvm_useracc() in favor of checking the return value of
copyin() or copyout().

uvm_useracc() tells us whether the mapping permissions allow access to
the desired part of an address space, and many callers assume that
this is the same as knowing whether an attempt to access that part of
the address space will succeed. however, access to user space can
fail for reasons other than insufficient permission, most notably that
paging in any non-resident data can fail due to i/o errors. most of
the callers of uvm_useracc() make the above incorrect assumption. the
rest are all misguided optimizations, which optimize for the case
where an operation will fail. we'd rather optimize for operations
succeeding, in which case we should just attempt the access and handle
failures due to insufficient permissions the same way we handle i/o
errors. since there appear to be no good uses of uvm_useracc(), we'll
just remove it.

Cleanup signal delivery for SA processes:
General idea: only consider the LWP on the VP for signal delivery, all
other LWPs are either asleep or running from waking up until repossessing
the VP.

- in kern_sig.c:kpsignal2: handle all states the LWP on the VP can be in
- in kern_sig.c:proc_stop: only try to stop the LWP on the VP. All other
LWPs will suspend in sa_vp_repossess() until the VP-LWP donates the VP.
Restore original behaviour (before SA-specific hacks were added) for
non-SA processes.
- in kern_sig.c:proc_unstop: only return the LWP on the VP
- handle sa_yield as case 0 in sa_switch instead of clearing L_SA, add an
L_SA_YIELD flag
- replace sa_idle by L_SA_IDLE flag since it was either NULL or == sa_vp

Also don't output itimerfire overrun warning if the process is already
exiting.
Also g/c sa_woken because it's not used.
Also g/c some #if 0 code.

* Shuffle some data structures so, and add a flags word to ksiginfo_t.
Right now the only flag is used to indicate if a ksiginfo_t is a
result of a trap. Add a predicate macro to test for this flag.
* Add initialization macros for ksiginfo_t's.
* Add accssor macro for ksi_trap. Expands to 0 if the ksiginfo_t was
not the result of a trap. This matches the sigcontext trapcode semantics.
* In kpsendsig(), use KSI_TRAP_P() to select the lwp that gets the signal.
Inspired by Matthias Drochner's fix to kpsendsig(), but correctly handles
the case of non-trap-generated signals that have a > 0 si_code.

This patch fixes a signal delivery problem with threaded programs noted by
Matthias Drochner on tech-kern.

As discussed on tech-kern. Reviewed and OK's by Christos.

set the sigval in the setitimer case.

enable SI_TIMER notification.

fix timerupcall breakage after SA_SIGINFO changes:
- sa_upcall only stores a pointer to the `arg'

SA_SIGINFO changes.

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22364, verified by myself.

Changes from Stephan Uphoff to patch problems with LWPs blocking when they
shouldn't, and MP.

branches: 1.70.2;
Expand the test in itimerfire() to only wake up an idle SA LWP if the
process isn't stopped.

Make ppsratecheck conform with its man page, which says, "If maxpps
is set to 0, the function will always return 0 (no packets/events
are permitted)." Before this patch, ppsratecheck returned 1 once
a second when maxpps was 0.

Flag that adjtime has happened, hardware RTC might be wrong

Change the contract for timer_settime() (the internal routine, not the
syscall sys_timer_settime()) to take an absolute value for realtime
timers. This avoids a pair of gratiuitous conversions with the
possibility that the timer's intermediate value would be 0.0, which
would signal timer_settime() to cancel the timer.

Adjust callers of timer_settime() to compensate; catch the case where
sys_timer_settime() with an absolute time value of now and a virtual
timer would also be subtracted down to a timer-cancelling 0.0.

This should fix the bug seen in libpthread's nanosleep() where certain
applications, such as xmms, would wedge with unexpired userlevel
alarms.

itimerfire(): fix bug in previous - if two or more timers would
fire close together, the second (and every other) timer would be
added to mask incorrectly - timerid value would be shifted twice,
and sa_upcall() would later kill process with SIGILL

cosmetic - use type 'timer_t' for timerid local in sys_timer_create()
and sys_timer_delete()

Prevent one timer from overrunning another with the current userret
mechanism by keeping a list (bitset) of which timers have fired and using
that list in the upcall (Does this sound familiar? SEND HELP NEED SIGINFO).

Provoke the idle LWP into running again with setrunnable(sa->sa_idle)
instead of a wakeup() call, since we know what it is.

Merge the nathanw_sa branch.

"oatv" in adjtime1() isn't used after being set; remove it.

branches: 1.61.10;
Implement the CLOCK_MONOTONIC clock for the posix/opengroup realtime
clock_() functions. This simply returns the kernel mono_time variable.
As discussed on tech-kern.

Changed clocktl interface to use syscallargs structures

PR/8657: z@rentaboat.se: alarm takes more seconds that it can handle.

This is a followup to PR/14558.

- itimerfix(9) limited the number of seconds to 100M, before I changed
it to 1000M for PR/14558.
- nanosleep(2) documents a limit of 1000M seconds.
- setitimer(2), select(2), and other library functions that indirectly
use setitimer(2) for example alarm(3) don't specify a limit.

So it only seems appropriate that any positive number of seconds in
struct timeval should be accepted by any code that uses itimerfix(9)
directly, except nanosleep(2) which should check for 1000M seconds
manually. This changes makes the manual pages of select(2), nanosleep(2),
setitimer(2), and alarm(3) consistent with the code.

add RCSIDs

PR/14558: Tero Kivinen: There is no point in limiting the number of seconds
to 100 million. Use 1000 million like the man page for nanosleep suggests.
This is much closer to MAXINT, and it conforms to POSIX.

branches: 1.56.2;
Split root-only time-related system calls so that we have an upper part, that
checks root privs, and a lower part that does the actual job. The lower part
will be called by the upcoming clockctl driver. Approved by Christos
Also fixed a few cosmetic things

branches: 1.55.2; 1.55.4;
Lower interrupt priortiy properly if setting the setting the kernel time
is denied in a securelevel above 1. This fixes PR kern/13158.

branches: 1.54.2;
Extend NFS_V2_ONLY to remove NQNFS lease support as well. Saves another 10k.

allow admins to disable pps rate limitation, by setting "maxpps"
parameter to negative value.

Add a comment about the hzto() return value.

Comment police. s/DIAGNOSTICS/DIAGNOSTIC/