From 3d0dc614480ab7a1fbdd07a3389f0ff67dae97f1 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell <riastradh@NetBSD.org>
Date: Sun, 27 Aug 2023 15:34:02 +0000
Subject: [PATCH 1/7] ukbd(4): Fix ordering in ukbd_cnpollc exit.

This is probably an MP-safety issue waiting to happen, but let's at
least make the wind and unwind sequences mirror images.
---
 sys/dev/usb/ukbd.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/sys/dev/usb/ukbd.c b/sys/dev/usb/ukbd.c
index 0f1b73eda04d..0dd593f758f5 100644
--- a/sys/dev/usb/ukbd.c
+++ b/sys/dev/usb/ukbd.c
@@ -1055,11 +1055,12 @@ ukbd_cnpollc(void *v, int on)
 	if (on) {
 		sc->sc_spl = splusb();
 		pollenter++;
-	} else {
-		splx(sc->sc_spl);
-		pollenter--;
 	}
 	usbd_set_polling(dev, on);
+	if (!on) {
+		pollenter--;
+		splx(sc->sc_spl);
+	}
 }
 
 int

From 37af7b98829e7e0ea8d7952c53a048a9646944dd Mon Sep 17 00:00:00 2001
From: Taylor R Campbell <riastradh@NetBSD.org>
Date: Sun, 27 Aug 2023 15:49:41 +0000
Subject: [PATCH 2/7] ukbd(4): Sort includes.

No functional change intended.
---
 sys/dev/usb/ukbd.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/sys/dev/usb/ukbd.c b/sys/dev/usb/ukbd.c
index 0dd593f758f5..3207c0af2069 100644
--- a/sys/dev/usb/ukbd.c
+++ b/sys/dev/usb/ukbd.c
@@ -47,28 +47,29 @@ __KERNEL_RCSID(0, "$NetBSD: ukbd.c,v 1.162 2023/01/10 18:20:10 mrg Exp $");
 #endif /* _KERNEL_OPT */
 
 #include <sys/param.h>
-#include <sys/systm.h>
+
 #include <sys/callout.h>
-#include <sys/kernel.h>
 #include <sys/device.h>
-#include <sys/ioctl.h>
 #include <sys/file.h>
-#include <sys/select.h>
+#include <sys/ioctl.h>
+#include <sys/kernel.h>
+#include <sys/poll.h>
 #include <sys/proc.h>
+#include <sys/select.h>
+#include <sys/systm.h>
 #include <sys/vnode.h>
-#include <sys/poll.h>
 
-#include <dev/usb/usb.h>
-#include <dev/usb/usbhid.h>
+#include <dev/hid/hid.h>
 
+#include <dev/usb/uhidev.h>
+#include <dev/usb/ukbdvar.h>
+#include <dev/usb/usb.h>
+#include <dev/usb/usb_quirks.h>
+#include <dev/usb/usbdevs.h>
 #include <dev/usb/usbdi.h>
 #include <dev/usb/usbdi_util.h>
 #include <dev/usb/usbdivar.h>
-#include <dev/usb/usbdevs.h>
-#include <dev/usb/usb_quirks.h>
-#include <dev/usb/uhidev.h>
-#include <dev/usb/ukbdvar.h>
-#include <dev/hid/hid.h>
+#include <dev/usb/usbhid.h>
 
 #include <dev/wscons/wsconsio.h>
 #include <dev/wscons/wskbdvar.h>

From 92a6431cbbea3f1c824aada3c0fdb69134e4e5eb Mon Sep 17 00:00:00 2001
From: Taylor R Campbell <riastradh@NetBSD.org>
Date: Sun, 27 Aug 2023 15:47:14 +0000
Subject: [PATCH 3/7] cpu_setstate: Fix call to heartbeat_suspend.

Do this on successful offlining, not on failed offlining.

No functional change right now because heartbeat_suspend is
implemented as a noop -- heartbeat(9) will just check the
SPCF_OFFLINE flag.  But if we change it to not be a noop, well, then
we need to call it in the right place.
---
 sys/kern/kern_cpu.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/sys/kern/kern_cpu.c b/sys/kern/kern_cpu.c
index d082994d2661..88cb8f505617 100644
--- a/sys/kern/kern_cpu.c
+++ b/sys/kern/kern_cpu.c
@@ -370,6 +370,10 @@ cpu_xc_offline(struct cpu_info *ci, void *unused)
 	pcu_save_all_on_cpu();
 #endif
 
+#ifdef HEARTBEAT
+	heartbeat_suspend();
+#endif
+
 #ifdef __HAVE_MD_CPU_OFFLINE
 	cpu_offline_md();
 #endif
@@ -379,10 +383,6 @@ fail:
 	s = splsched();
 	spc->spc_flags &= ~SPCF_OFFLINE;
 	splx(s);
-
-#ifdef HEARTBEAT
-	heartbeat_suspend();
-#endif
 }
 
 static void

From 308cec58e0773dad7494b2985e3227eaef818dc1 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell <riastradh@NetBSD.org>
Date: Sun, 27 Aug 2023 15:52:49 +0000
Subject: [PATCH 4/7] heartbeat(9): New flag SPCF_HEARTBEATSUSPENDED.

This way we can suspend heartbeats on a single CPU while the console
is in polling mode, not just when the CPU is offlined.  This should
be rare, so it's not _convenient_, but it should enable us to fix
polling-mode console input when the hardclock timer is still running
on other CPUs.
---
 sys/kern/kern_heartbeat.c | 60 ++++++++++++++++++++++++++++-----------
 sys/sys/sched.h           |  1 +
 2 files changed, 44 insertions(+), 17 deletions(-)

diff --git a/sys/kern/kern_heartbeat.c b/sys/kern/kern_heartbeat.c
index e293eb4ad3e2..e7792398722f 100644
--- a/sys/kern/kern_heartbeat.c
+++ b/sys/kern/kern_heartbeat.c
@@ -127,17 +127,22 @@ void *heartbeat_sih			__read_mostly;
  *	Suspend heartbeat monitoring of the current CPU.
  *
  *	Called after the current CPU has been marked offline but before
- *	it has stopped running.  Caller must have preemption disabled.
+ *	it has stopped running, or after IPL has been raised for
+ *	polling-mode console input.  Caller must have preemption
+ *	disabled.  Non-nestable.  Reversed by heartbeat_resume.
  */
 void
 heartbeat_suspend(void)
 {
+	struct cpu_info *ci = curcpu();
+	int s;
 
 	KASSERT(curcpu_stable());
+	KASSERT((ci->ci_schedstate.spc_flags & SPCF_HEARTBEATSUSPENDED) == 0);
 
-	/*
-	 * Nothing to do -- we just check the SPCF_OFFLINE flag.
-	 */
+	s = splsched();
+	ci->ci_schedstate.spc_flags |= SPCF_HEARTBEATSUSPENDED;
+	splx(s);
 }
 
 /*
@@ -148,6 +153,8 @@ heartbeat_suspend(void)
  *	Called at startup while cold, and whenever heartbeat monitoring
  *	is re-enabled after being disabled or the period is changed.
  *	When not cold, ci must be the current CPU.
+ *
+ *	Must be run at splsched.
  */
 static void
 heartbeat_resume_cpu(struct cpu_info *ci)
@@ -155,6 +162,7 @@ heartbeat_resume_cpu(struct cpu_info *ci)
 
 	KASSERT(__predict_false(cold) || curcpu_stable());
 	KASSERT(__predict_false(cold) || ci == curcpu());
+	/* XXX KASSERT IPL_SCHED */
 
 	ci->ci_heartbeat_count = 0;
 	ci->ci_heartbeat_uptime_cache = time_uptime;
@@ -167,9 +175,8 @@ heartbeat_resume_cpu(struct cpu_info *ci)
  *	Resume heartbeat monitoring of the current CPU.
  *
  *	Called after the current CPU has started running but before it
- *	has been marked online.  Also used internally when starting up
- *	heartbeat monitoring at boot or when the maximum period is set
- *	from zero to nonzero.  Caller must have preemption disabled.
+ *	has been marked online, or when ending polling-mode input
+ *	before IPL is restored.  Caller must have preemption disabled.
  */
 void
 heartbeat_resume(void)
@@ -178,6 +185,7 @@ heartbeat_resume(void)
 	int s;
 
 	KASSERT(curcpu_stable());
+	KASSERT(ci->ci_schedstate.spc_flags & SPCF_HEARTBEATSUSPENDED);
 
 	/*
 	 * Block heartbeats while we reset the state so we don't
@@ -185,6 +193,7 @@ heartbeat_resume(void)
 	 * resetting the count and the uptime stamp.
 	 */
 	s = splsched();
+	ci->ci_schedstate.spc_flags &= ~SPCF_HEARTBEATSUSPENDED;
 	heartbeat_resume_cpu(ci);
 	splx(s);
 }
@@ -198,8 +207,11 @@ heartbeat_resume(void)
 static void
 heartbeat_reset_xc(void *a, void *b)
 {
+	int s;
 
-	heartbeat_resume();
+	s = splsched();
+	heartbeat_resume_cpu(curcpu());
+	splx(s);
 }
 
 /*
@@ -488,7 +500,7 @@ select_patient(void)
 	 * in the iteration order.
 	 */
 	for (CPU_INFO_FOREACH(cii, ci)) {
-		if (ci->ci_schedstate.spc_flags & SPCF_OFFLINE)
+		if (ci->ci_schedstate.spc_flags & SPCF_HEARTBEATSUSPENDED)
 			continue;
 		if (passedcur) {
 			/*
@@ -565,7 +577,8 @@ heartbeat(void)
 	period_secs = atomic_load_relaxed(&heartbeat_max_period_secs);
 	if (__predict_false(period_ticks == 0) ||
 	    __predict_false(period_secs == 0) ||
-	    __predict_false(curcpu()->ci_schedstate.spc_flags & SPCF_OFFLINE))
+	    __predict_false(curcpu()->ci_schedstate.spc_flags &
+		SPCF_HEARTBEATSUSPENDED))
 		return;
 
 	/*
@@ -637,8 +650,8 @@ heartbeat(void)
 	 * Verify that time is advancing on the patient CPU.  If the
 	 * delta exceeds UINT_MAX/2, that means it is already ahead by
 	 * a little on the other CPU, and the subtraction went
-	 * negative, which is OK.  If the CPU has been
-	 * offlined since we selected it, no worries.
+	 * negative, which is OK.  If the CPU's heartbeats have been
+	 * suspended since we selected it, no worries.
 	 *
 	 * This uses the current CPU to ensure the other CPU has made
 	 * progress, even if the other CPU's hard timer interrupt
@@ -650,7 +663,8 @@ heartbeat(void)
 	d = uptime - atomic_load_relaxed(&patient->ci_heartbeat_uptime_cache);
 	if (__predict_false(d > period_secs) &&
 	    __predict_false(d < UINT_MAX/2) &&
-	    ((patient->ci_schedstate.spc_flags & SPCF_OFFLINE) == 0))
+	    ((patient->ci_schedstate.spc_flags & SPCF_HEARTBEATSUSPENDED)
+		== 0))
 		defibrillate(patient, d);
 }
 
@@ -661,11 +675,21 @@ heartbeat(void)
  */
 #ifdef DDB
 static unsigned
-db_read_unsigned(const unsigned *p)
+db_read_unsigned(const volatile unsigned *p)
 {
 	unsigned x;
 
-	db_read_bytes((db_addr_t)p, sizeof(x), (char *)&x);
+	db_read_bytes((db_addr_t)(uintptr_t)p, sizeof(x), (char *)&x);
+
+	return x;
+}
+
+static int
+db_read_signed(const volatile int *p)
+{
+	int x;
+
+	db_read_bytes((db_addr_t)(uintptr_t)p, sizeof(x), (char *)&x);
 
 	return x;
 }
@@ -677,11 +701,13 @@ heartbeat_dump(void)
 
 	db_printf("Heartbeats:\n");
 	for (ci = db_cpu_first(); ci != NULL; ci = db_cpu_next(ci)) {
-		db_printf("cpu%u: count %u uptime %u stamp %u\n",
+		db_printf("cpu%u: count %u uptime %u stamp %u%s\n",
 		    db_read_unsigned(&ci->ci_index),
 		    db_read_unsigned(&ci->ci_heartbeat_count),
 		    db_read_unsigned(&ci->ci_heartbeat_uptime_cache),
-		    db_read_unsigned(&ci->ci_heartbeat_uptime_stamp));
+		    db_read_unsigned(&ci->ci_heartbeat_uptime_stamp),
+		    (db_read_signed(&ci->ci_schedstate.spc_flags) &
+			SPCF_HEARTBEATSUSPENDED ? " (suspended)" : ""));
 	}
 }
 #endif
diff --git a/sys/sys/sched.h b/sys/sys/sched.h
index 119aa1c768d1..2e67b59b4c01 100644
--- a/sys/sys/sched.h
+++ b/sys/sys/sched.h
@@ -188,6 +188,7 @@ struct schedstate_percpu {
 #define	SPCF_1STCLASS		0x0040	/* first class scheduling entity */
 #define	SPCF_CORE1ST		0x0100	/* first CPU in core */
 #define	SPCF_PACKAGE1ST		0x0200	/* first CPU in package */
+#define	SPCF_HEARTBEATSUSPENDED	0x0400	/* heartbeat (temporarily) suspended */
 
 #define	SPCF_SWITCHCLEAR	(SPCF_SEENRR|SPCF_SHOULDYIELD)
 

From 158c2a6db02bb5638a890aed43f5ed2c3d7bafe0 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell <riastradh@NetBSD.org>
Date: Sun, 27 Aug 2023 15:30:51 +0000
Subject: [PATCH 5/7] cons(9): Sort includes.

No functional change intended.
---
 sys/dev/cons.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/sys/dev/cons.c b/sys/dev/cons.c
index fd2a5b507503..12525d2f75e2 100644
--- a/sys/dev/cons.c
+++ b/sys/dev/cons.c
@@ -42,20 +42,21 @@
 __KERNEL_RCSID(0, "$NetBSD: cons.c,v 1.92 2022/10/25 23:21:33 riastradh Exp $");
 
 #include <sys/param.h>
-#include <sys/proc.h>
-#include <sys/systm.h>
+
+#include <sys/atomic.h>
 #include <sys/buf.h>
-#include <sys/ioctl.h>
-#include <sys/poll.h>
-#include <sys/tty.h>
-#include <sys/file.h>
 #include <sys/conf.h>
-#include <sys/vnode.h>
+#include <sys/file.h>
+#include <sys/ioctl.h>
 #include <sys/kauth.h>
-#include <sys/mutex.h>
 #include <sys/module.h>
-#include <sys/atomic.h>
+#include <sys/mutex.h>
+#include <sys/poll.h>
+#include <sys/proc.h>
 #include <sys/pserialize.h>
+#include <sys/systm.h>
+#include <sys/tty.h>
+#include <sys/vnode.h>
 
 #include <dev/cons.h>
 

From e3cc6322b08551cee2a2c061e33713b4b6afdf48 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell <riastradh@NetBSD.org>
Date: Mon, 28 Aug 2023 12:19:20 +0000
Subject: [PATCH 6/7] cons(9): Suspend heartbeat checks while in polled-input
 mode.

This goes into a tight loop at high IPL, so it is to be expected that
the heartbeats will stop happening.

Should fix heartbeat panics at root device prompt on boot.
---
 sys/dev/cons.c | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/sys/dev/cons.c b/sys/dev/cons.c
index 12525d2f75e2..b7e797ba5e52 100644
--- a/sys/dev/cons.c
+++ b/sys/dev/cons.c
@@ -41,12 +41,17 @@
 #include <sys/cdefs.h>
 __KERNEL_RCSID(0, "$NetBSD: cons.c,v 1.92 2022/10/25 23:21:33 riastradh Exp $");
 
+#ifdef _KERNEL_OPT
+#include "opt_heartbeat.h"
+#endif
+
 #include <sys/param.h>
 
 #include <sys/atomic.h>
 #include <sys/buf.h>
 #include <sys/conf.h>
 #include <sys/file.h>
+#include <sys/heartbeat.h>
 #include <sys/ioctl.h>
 #include <sys/kauth.h>
 #include <sys/module.h>
@@ -417,8 +422,30 @@ cnpollc(int on)
 		return;
 	if (!on)
 		--refcount;
-	if (refcount == 0)
+	if (refcount == 0) {
+#ifdef HEARTBEAT
+		if (on) {
+			/*
+			 * Bind to the current CPU by disabling
+			 * preemption (more convenient than finding a
+			 * place to store a stack to unwind for
+			 * curlwp_bind/bindx, and preemption wouldn't
+			 * happen anyway while spinning at high IPL in
+			 * cngetc) so that curcpu() is stable so that
+			 * we can suspend heartbeat checks for it.
+			 */
+			kpreempt_disable();
+			heartbeat_suspend();
+		}
+#endif
 		(*cn_tab->cn_pollc)(cn_tab->cn_dev, on);
+#ifdef HEARTBEAT
+		if (!on) {
+			heartbeat_resume();
+			kpreempt_enable();
+		}
+#endif
+	}
 	if (on)
 		++refcount;
 }

From 1945bde01aab73cb7c9bd7f66a09b839f3550f93 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell <riastradh@NetBSD.org>
Date: Mon, 28 Aug 2023 12:56:44 +0000
Subject: [PATCH 7/7] heartbeat(9): Ignore stale tc if primary CPU heartbeat is
 suspended.

The timecounter ticks only on the primary CPU, so of course it will
go stale if it's suspended.

(It is, perhaps, a mistake that it only ticks on the primary CPU,
even if the primary CPU is offlined or in a polled-input console
loop, but that's a separate issue.)
---
 sys/kern/kern_heartbeat.c | 41 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 39 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_heartbeat.c b/sys/kern/kern_heartbeat.c
index e7792398722f..4cf0ddcddb1a 100644
--- a/sys/kern/kern_heartbeat.c
+++ b/sys/kern/kern_heartbeat.c
@@ -198,6 +198,41 @@ heartbeat_resume(void)
 	splx(s);
 }
 
+/*
+ * heartbeat_timecounter_suspended()
+ *
+ *	True if timecounter heartbeat checks are suspended because the
+ *	timecounter may not be advancing, false if heartbeat checks
+ *	should check for timecounter progress.
+ */
+static bool
+heartbeat_timecounter_suspended(void)
+{
+	CPU_INFO_ITERATOR cii;
+	struct cpu_info *ci;
+
+	/*
+	 * The timecounter ticks only on the primary CPU.  Check
+	 * whether it's suspended.
+	 *
+	 * XXX Would be nice if we could find the primary CPU without
+	 * iterating over all CPUs.
+	 */
+	for (CPU_INFO_FOREACH(cii, ci)) {
+		if (CPU_IS_PRIMARY(ci)) {
+			return ci->ci_schedstate.spc_flags &
+			    SPCF_HEARTBEATSUSPENDED;
+		}
+	}
+
+	/*
+	 * This should be unreachable -- there had better be a primary
+	 * CPU in the system!  If not, the timecounter will be busted
+	 * anyway.
+	 */
+	panic("no primary CPU");
+}
+
 /*
  * heartbeat_reset_xc(a, b)
  *
@@ -598,7 +633,8 @@ heartbeat(void)
 		/*
 		 * Timecounter hasn't advanced by more than a second.
 		 * Make sure the timecounter isn't stuck according to
-		 * our heartbeats.
+		 * our heartbeats -- unless timecounter heartbeats are
+		 * suspended too.
 		 *
 		 * Our own heartbeat count can't roll back, and
 		 * time_uptime should be updated before it wraps
@@ -608,7 +644,8 @@ heartbeat(void)
 		stamp =
 		    atomic_load_relaxed(&curcpu()->ci_heartbeat_uptime_stamp);
 		d = count - stamp;
-		if (__predict_false(d > period_ticks)) {
+		if (__predict_false(d > period_ticks) &&
+		    !heartbeat_timecounter_suspended()) {
 			panic("%s: time has not advanced in %u heartbeats",
 			    cpu_name(curcpu()), d);
 		}