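/*-
 * Copyright (c) 1986, 1988, 1991, 1993
 *	The Regents of the University of California. All rights reserved.
 * (c) UNIX System Laboratories, Inc.
 * All or some portions of this file are derived from material licensed
 * to the University of California by American Telephone and Telegraph
 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
 * the permission of UNIX System Laboratories, Inc.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)kern_shutdown.c	8.3 (Berkeley) 1/21/94
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include "opt_ddb.h"
#include "opt_kdb.h"
#include "opt_panic.h"
#include "opt_sched.h"
#include "opt_watchdog.h"

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/bio.h>
#include <sys/buf.h>
#include <sys/conf.h>
#include <sys/cons.h>
#include <sys/eventhandler.h>
#include <sys/jail.h>
#include <sys/kdb.h>
#include <sys/kernel.h>
#include <sys/kerneldump.h>
#include <sys/kthread.h>
#include <sys/ktr.h>
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/reboot.h>
#include <sys/resourcevar.h>
#include <sys/rwlock.h>
#include <sys/sched.h>
#include <sys/smp.h>
#include <sys/sysctl.h>
#include <sys/sysproto.h>
#include <sys/vnode.h>
#include <sys/watchdog.h>

#include <ddb/ddb.h>

#include <machine/cpu.h>
#include <machine/pcb.h>
#include <machine/smp.h>

#include <security/mac/mac_framework.h>

#include <vm/vm.h>
#include <vm/vm_object.h>
#include <vm/vm_page.h>
#include <vm/vm_pager.h>
#include <vm/swap_pager.h>

#include <sys/signalvar.h>

#ifndef PANIC_REBOOT_WAIT_TIME
#define PANIC_REBOOT_WAIT_TIME 15 /* default to 15 seconds */
#endif
/*
 * Seconds shutdown_panic() counts down before rebooting after a panic.
 * As consumed there: 0 reboots immediately, -1 skips the countdown and
 * waits for a console key instead.
 */
static int panic_reboot_wait_time = PANIC_REBOOT_WAIT_TIME;
SYSCTL_INT(_kern, OID_AUTO, panic_reboot_wait_time, CTLFLAG_RW | CTLFLAG_TUN,
    &panic_reboot_wait_time, 0,
    "Seconds to wait before rebooting after a panic");
TUNABLE_INT("kern.panic_reboot_wait_time", &panic_reboot_wait_time);

/*
 * Note that stdarg.h and the ANSI style va_start macro is used for both
 * ANSI and traditional C compilers.
 */
#include <machine/stdarg.h>

#ifdef KDB
/*
 * Panic-time debugger knobs.  Both are marked CTLFLAG_SECURE, which limits
 * runtime writes to securelevel <= 0; dropping into the debugger on a
 * console is a sensitive capability, so keep that flag when touching these.
 */
#ifdef KDB_UNATTENDED
int debugger_on_panic = 0;
#else
int debugger_on_panic = 1;
#endif
SYSCTL_INT(_debug, OID_AUTO, debugger_on_panic,
    CTLFLAG_RW | CTLFLAG_SECURE | CTLFLAG_TUN,
    &debugger_on_panic, 0, "Run debugger on kernel panic");
TUNABLE_INT("debug.debugger_on_panic", &debugger_on_panic);

#ifdef KDB_TRACE
static int trace_on_panic = 1;
#else
static int trace_on_panic = 0;
#endif
SYSCTL_INT(_debug, OID_AUTO, trace_on_panic,
    CTLFLAG_RW | CTLFLAG_SECURE | CTLFLAG_TUN,
    &trace_on_panic, 0, "Print stack trace on kernel panic");
TUNABLE_INT("debug.trace_on_panic", &trace_on_panic);
#endif /* KDB */

/* When zero (the default), vpanic() adds RB_NOSYNC so no sync is attempted. */
static int sync_on_panic = 0;
SYSCTL_INT(_kern, OID_AUTO, sync_on_panic, CTLFLAG_RW | CTLFLAG_TUN,
    &sync_on_panic, 0, "Do a sync before rebooting from a panic");
TUNABLE_INT("kern.sync_on_panic", &sync_on_panic);

static SYSCTL_NODE(_kern, OID_AUTO, shutdown, CTLFLAG_RW, 0,
    "Shutdown environment");

/*
 * Verbosity of the busy-buffer report in kern_reboot(): > 0 prints one line
 * per busy buffer, > 1 also prints the vnode.  The report uses %p for the
 * buf and vnode, so enabling it puts kernel addresses on the console.
 */
#ifndef DIAGNOSTIC
static int show_busybufs;
#else
static int show_busybufs = 1;
#endif
SYSCTL_INT(_kern_shutdown, OID_AUTO, show_busybufs, CTLFLAG_RW,
    &show_busybufs, 0, "");

/*
 * Variable panicstr contains argument to first call to panic; used as flag
 * to indicate that the kernel has already called panic.
 */
const char *panicstr;

int dumping;				/* system is dumping */
int rebooting;				/* system is rebooting */
static struct dumperinfo dumper;	/* our selected dumper */

/* Context information for dump-debuggers. */
static struct pcb dumppcb;		/* Registers. */
lwpid_t dumptid;			/* Thread ID. */

static void poweroff_wait(void *, int);
static void shutdown_halt(void *junk, int howto);
static void shutdown_panic(void *junk, int howto);
static void shutdown_reset(void *junk, int howto);
static void vpanic(const char *fmt, va_list ap) __dead2;

/*
 * Register the local shutdown_final handlers.
 *
 * poweroff_wait is registered at SHUTDOWN_PRI_FIRST, shutdown_halt and
 * shutdown_panic at SHUTDOWN_PRI_LAST + 100, and shutdown_reset at
 * SHUTDOWN_PRI_LAST + 200.  Presumably handlers run in ascending priority,
 * so the reset is the last step -- confirm against eventhandler(9).
 */
static void
shutdown_conf(void *unused)
{

	EVENTHANDLER_REGISTER(shutdown_final, poweroff_wait, NULL,
	    SHUTDOWN_PRI_FIRST);
	EVENTHANDLER_REGISTER(shutdown_final, shutdown_halt, NULL,
	    SHUTDOWN_PRI_LAST + 100);
	EVENTHANDLER_REGISTER(shutdown_final, shutdown_panic, NULL,
	    SHUTDOWN_PRI_LAST + 100);
	EVENTHANDLER_REGISTER(shutdown_final, shutdown_reset, NULL,
	    SHUTDOWN_PRI_LAST + 200);
}

SYSINIT(shutdown_conf, SI_SUB_INTRINSIC, SI_ORDER_ANY, shutdown_conf, NULL);

/*
 * The system call that results in a reboot.
 *
 * Authorization is two-staged: with MAC compiled in, the MAC policy check
 * on the caller's credential and the requested options runs first; if it
 * passes (or MAC is absent), priv_check() must grant PRIV_REBOOT.  Only
 * when both return 0 is kern_reboot() entered, with Giant held.  Any
 * non-zero error from either check is returned to the caller unchanged.
 *
 * kern_reboot() ends in an infinite loop, so the unlock and return after
 * it are not expected to execute on the success path.
 */
/* ARGSUSED */
int
sys_reboot(struct thread *td, struct reboot_args *uap)
{
	int error;

	error = 0;
#ifdef MAC
	error = mac_system_check_reboot(td->td_ucred, uap->opt);
#endif
	if (error == 0)
		error = priv_check(td, PRIV_REBOOT);
	if (error == 0) {
		mtx_lock(&Giant);
		kern_reboot(uap->opt);
		mtx_unlock(&Giant);
	}
	return (error);
}

/*
 * Called by events that want to shut down.. e.g  <CTL><ALT><DEL> on a PC
 */
/* Flags recorded by shutdown_nice() and OR-ed into howto by kern_reboot(). */
static int shutdown_howto = 0;

/*
 * Request an orderly shutdown.
 *
 * Records howto for the later kern_reboot() call and sends SIGINT to
 * init(8).  If init is not running, reboots directly with RB_NOSYNC.
 * No privilege check is made here; callers are in-kernel event sources.
 */
void
shutdown_nice(int howto)
{

	shutdown_howto = howto;

	/* Send a signal to init(8) and have it shutdown the world */
	if (initproc != NULL) {
		PROC_LOCK(initproc);
		kern_psignal(initproc, SIGINT);
		PROC_UNLOCK(initproc);
	} else {
		/* No init(8) running, so simply reboot */
		kern_reboot(RB_NOSYNC);
	}
	return;
}
/*
 * -1 until kern_reboot() has started its sync pass; set to 0 there so the
 * sync is attempted at most once even if kern_reboot() is entered again.
 */
static int waittime = -1;

/*
 * Print the system uptime as "Uptime: [Nd][Nh][Nm]Ns".  Once a larger unit
 * has been printed, every smaller unit is printed too, even when zero.
 */
static void
print_uptime(void)
{
	int f;
	struct timespec ts;

	getnanouptime(&ts);
	printf("Uptime: ");
	f = 0;
	if (ts.tv_sec >= 86400) {
		printf("%ldd", (long)ts.tv_sec / 86400);
		ts.tv_sec %= 86400;
		f = 1;
	}
	if (f || ts.tv_sec >= 3600) {
		printf("%ldh", (long)ts.tv_sec / 3600);
		ts.tv_sec %= 3600;
		f = 1;
	}
	if (f || ts.tv_sec >= 60) {
		printf("%ldm", (long)ts.tv_sec / 60);
		ts.tv_sec %= 60;
		f = 1;
	}
	printf("%lds\n", (long)ts.tv_sec);
}

/*
 * Write a kernel dump through the registered dumper.
 *
 * Returns EBUSY if a dump is already in progress and ENXIO if no dumper is
 * registered.  Otherwise saves the current register context and thread id
 * for dump debuggers, writes a textdump (DDB kernels, when requested and
 * pending) or a regular core dump, and returns 0.  The result of the dump
 * routine itself is not examined here, so 0 does not prove a dump landed.
 */
int
doadump(boolean_t textdump)
{
	boolean_t coredump;

	if (dumping)
		return (EBUSY);
	if (dumper.dumper == NULL)
		return (ENXIO);

	savectx(&dumppcb);
	dumptid = curthread->td_tid;
	dumping++;

	coredump = TRUE;
#ifdef DDB
	if (textdump && textdump_pending) {
		coredump = FALSE;
		textdump_dumpsys(&dumper);
	}
#endif
	if (coredump)
		dumpsys(&dumper);

	dumping--;
	return (0);
}

/*
 * Return 1 if the buffer still counts as busy for shutdown purposes:
 * either it is locked and neither B_INVAL nor B_PERSISTENT is set, or it
 * is a delayed write (B_DELWRI) that has not been invalidated.
 */
static int
isbufbusy(struct buf *bp)
{
	if (((bp->b_flags & (B_INVAL | B_PERSISTENT)) == 0 &&
	    BUF_ISLOCKED(bp)) ||
	    ((bp->b_flags & (B_DELWRI | B_INVAL)) == B_DELWRI))
		return (1);
	return (0);
}

/*
 * Shutdown the system cleanly to prepare for reboot, halt, or power off.
 *
 * Sequence: bind to CPU 0 (SMP), mark the system as rebooting, merge flags
 * saved by shutdown_nice(), run shutdown_pre_sync handlers, sync and
 * unmount filesystems unless RB_NOSYNC is set or the system is still cold,
 * run shutdown_post_sync handlers, optionally dump, then run
 * shutdown_final handlers.  Does not return.
 *
 * No authorization is performed here; callers such as sys_reboot() must
 * have done it already.
 */
void
kern_reboot(int howto)
{
	static int first_buf_printf = 1;

#if defined(SMP)
	/*
	 * Bind us to CPU 0 so that all shutdown code runs there.  Some
	 * systems don't shutdown properly (i.e., ACPI power off) if we
	 * run on another processor.
	 */
	if (!SCHEDULER_STOPPED()) {
		thread_lock(curthread);
		sched_bind(curthread, 0);
		thread_unlock(curthread);
		KASSERT(PCPU_GET(cpuid) == 0, ("boot: not running on cpu 0"));
	}
#endif
	/* We're in the process of rebooting. */
	rebooting = 1;

	/* collect extra flags that shutdown_nice might have set */
	howto |= shutdown_howto;

	/* We are out of the debugger now. */
	kdb_active = 0;

	/*
	 * Do any callouts that should be done BEFORE syncing the filesystems.
	 */
	EVENTHANDLER_INVOKE(shutdown_pre_sync, howto);

	/*
	 * Now sync filesystems
	 */
	if (!cold && (howto & RB_NOSYNC) == 0 && waittime < 0) {
		register struct buf *bp;
		int iter, nbusy, pbusy;
#ifndef PREEMPTION
		int subiter;
#endif

		waittime = 0;

		wdog_kern_pat(WD_LASTVAL);
		sys_sync(curthread, NULL);

		/*
		 * With soft updates, some buffers that are
		 * written will be remarked as dirty until other
		 * buffers are written.
		 */
		for (iter = pbusy = 0; iter < 20; iter++) {
			nbusy = 0;
			for (bp = &buf[nbuf]; --bp >= buf; )
				if (isbufbusy(bp))
					nbusy++;
			if (nbusy == 0) {
				if (first_buf_printf)
					printf("All buffers synced.");
				break;
			}
			if (first_buf_printf) {
				printf("Syncing disks, buffers remaining... ");
				first_buf_printf = 0;
			}
			printf("%d ", nbusy);
			/* Progress was made: restart the retry budget. */
			if (nbusy < pbusy)
				iter = 0;
			pbusy = nbusy;

			wdog_kern_pat(WD_LASTVAL);
			sys_sync(curthread, NULL);

#ifdef PREEMPTION
			/*
			 * Drop Giant and spin for a while to allow
			 * interrupt threads to run.
			 */
			DROP_GIANT();
			DELAY(50000 * iter);
			PICKUP_GIANT();
#else
			/*
			 * Drop Giant and context switch several times to
			 * allow interrupt threads to run.
			 */
			DROP_GIANT();
			for (subiter = 0; subiter < 50 * iter; subiter++) {
				thread_lock(curthread);
				mi_switch(SW_VOL, NULL);
				thread_unlock(curthread);
				DELAY(1000);
			}
			PICKUP_GIANT();
#endif
		}
		printf("\n");
		/*
		 * Count only busy local buffers to prevent forcing
		 * a fsck if we're just a client of a wedged NFS server
		 */
		nbusy = 0;
		for (bp = &buf[nbuf]; --bp >= buf; ) {
			if (isbufbusy(bp)) {
#if 0
/* XXX: This is bogus.  We should probably have a BO_REMOTE flag instead */
				if (bp->b_dev == NULL) {
					TAILQ_REMOVE(&mountlist,
					    bp->b_vp->v_mount, mnt_list);
					continue;
				}
#endif
				nbusy++;
				if (show_busybufs > 0) {
					/* Prints raw kernel pointers. */
					printf(
	    "%d: buf:%p, vnode:%p, flags:%0x, blkno:%jd, lblkno:%jd, buflock:",
					    nbusy, bp, bp->b_vp, bp->b_flags,
					    (intmax_t)bp->b_blkno,
					    (intmax_t)bp->b_lblkno);
					BUF_LOCKPRINTINFO(bp);
					if (show_busybufs > 1)
						vn_printf(bp->b_vp,
						    "vnode content: ");
				}
			}
		}
		if (nbusy) {
			/*
			 * Failed to sync all blocks. Indicate this and don't
			 * unmount filesystems (thus forcing an fsck on reboot).
			 */
			printf("Giving up on %d buffers\n", nbusy);
			DELAY(5000000);	/* 5 seconds */
		} else {
			if (!first_buf_printf)
				printf("Final sync complete\n");
			/*
			 * Unmount filesystems
			 */
			if (panicstr == 0)
				vfs_unmountall();
		}
		swapoff_all();
		DELAY(100000);		/* wait for console output to finish */
	}

	print_uptime();

	cngrab();

	/*
	 * Ok, now do things that assume all filesystem activity has
	 * been completed.
	 */
	EVENTHANDLER_INVOKE(shutdown_post_sync, howto);

	/* Dump only when RB_DUMP is set without RB_HALT. */
	if ((howto & (RB_HALT|RB_DUMP)) == RB_DUMP && !cold && !dumping)
		doadump(TRUE);

	/* Now that we're going to really halt the system... */
	EVENTHANDLER_INVOKE(shutdown_final, howto);

	for(;;) ;	/* safety against shutdown_reset not working */
	/* NOTREACHED */
}

/*
 * If the shutdown was a clean halt, behave accordingly.
 *
 * Waits for a console key; with no console (cngetc() returns -1) the CPU
 * is halted.  howto is passed by value, so clearing RB_HALT below only
 * changes this handler's local copy.
 */
static void
shutdown_halt(void *junk, int howto)
{

	if (howto & RB_HALT) {
		printf("\n");
		printf("The operating system has halted.\n");
		printf("Please press any key to reboot.\n\n");
		switch (cngetc()) {
		case -1:		/* No console, just die */
			cpu_halt();
			/* NOTREACHED */
		default:
			howto &= ~RB_HALT;
			break;
		}
	}
}

/*
 * Check to see if the system paniced, pause and then reboot
 * according to the specified delay.
 *
 * Acts only when RB_DUMP is set.  With panic_reboot_wait_time == 0 it
 * returns at once; with -1 it skips the countdown; otherwise it polls the
 * console ten times per second and returns when the countdown expires.
 * A key press during the countdown (or -1) leads to the final prompt,
 * which blocks until a key is pressed.
 *
 * NOTE(review): the countdown length is panic_reboot_wait_time * 10
 * computed in int, and the sysctl has no upper bound -- confirm whether a
 * range check is wanted.
 */
static void
shutdown_panic(void *junk, int howto)
{
	int loop;

	if (howto & RB_DUMP) {
		if (panic_reboot_wait_time != 0) {
			if (panic_reboot_wait_time != -1) {
				printf("Automatic reboot in %d seconds - "
				    "press a key on the console to abort\n",
				    panic_reboot_wait_time);
				for (loop = panic_reboot_wait_time * 10;
				    loop > 0; --loop) {
					DELAY(1000 * 100); /* 1/10th second */
					/* Did user type a key? */
					if (cncheckc() != -1)
						break;
				}
				if (!loop)
					return;
			}
		} else { /* zero time specified - reboot NOW */
			return;
		}
		printf("--> Press a key on the console to reboot,\n");
		printf("--> or switch off the system now.\n");
		cngetc();
	}
}

/*
 * Everything done, now reset
 */
static void
shutdown_reset(void *junk, int howto)
{

	printf("Rebooting...\n");
	DELAY(1000000);	/* wait 1 sec for printf's to complete and be read */

	/*
	 * Acquiring smp_ipi_mtx here has a double effect:
	 * - it disables interrupts avoiding CPU0 preemption
	 *   by fast handlers (thus deadlocking  against other CPUs)
	 * - it avoids deadlocks against smp_rendezvous() or, more
	 *   generally, threads busy-waiting, with this spinlock held,
	 *   and waiting for responses by threads on other CPUs
	 *   (ie. smp_tlb_shootdown()).
	 *
	 * For the !SMP case it just needs to handle the former problem.
	 */
#ifdef SMP
	mtx_lock_spin(&smp_ipi_mtx);
#else
	spinlock_enter();
#endif

	/* cpu_boot(howto); */ /* doesn't do anything at the moment */
	cpu_reset();
	/* NOTREACHED */ /* assuming reset worked */
}

#if defined(WITNESS) || defined(INVARIANTS)
/*
 * KASSERT policy knobs, consumed by kassert_panic().
 *
 * NOTE(review): unlike the panic debugger knobs above, these are plain
 * CTLFLAG_RW without CTLFLAG_SECURE.  warn_only in particular lets a
 * privileged writer turn failed assertions into warnings at any
 * securelevel -- confirm that this is intended.
 */
static int kassert_warn_only = 0;
#ifdef KDB
static int kassert_do_kdb = 0;
#endif
#ifdef KTR
static int kassert_do_ktr = 0;
#endif
static int kassert_do_log = 1;
static int kassert_log_pps_limit = 4;
static int kassert_log_mute_at = 0;
static int kassert_log_panic_at = 0;
static int kassert_warnings = 0;

SYSCTL_NODE(_debug, OID_AUTO, kassert, CTLFLAG_RW, NULL, "kassert options");

/* Description fixed: kassert_panic() panics when this is 0, warns when 1. */
SYSCTL_INT(_debug_kassert, OID_AUTO, warn_only, CTLFLAG_RW | CTLFLAG_TUN,
    &kassert_warn_only, 0,
    "KASSERT triggers a panic (0) or just a warning (1)");
TUNABLE_INT("debug.kassert.warn_only", &kassert_warn_only);

#ifdef KDB
SYSCTL_INT(_debug_kassert, OID_AUTO, do_kdb, CTLFLAG_RW | CTLFLAG_TUN,
    &kassert_do_kdb, 0, "KASSERT will enter the debugger");
TUNABLE_INT("debug.kassert.do_kdb", &kassert_do_kdb);
#endif

#ifdef KTR
/*
 * NOTE(review): declared with SYSCTL_UINT over an int, and kassert_panic()
 * only tests this value for non-zero while tracing with the global
 * ktr_mask, which does not match the description -- confirm.
 */
SYSCTL_UINT(_debug_kassert, OID_AUTO, do_ktr, CTLFLAG_RW | CTLFLAG_TUN,
    &kassert_do_ktr, 0,
    "KASSERT does a KTR, set this to the KTRMASK you want");
TUNABLE_INT("debug.kassert.do_ktr", &kassert_do_ktr);
#endif

/*
 * Description fixed: it used to repeat the warn_only text.  This knob only
 * matters on the warning path, where it enables the printf and backtrace.
 */
SYSCTL_INT(_debug_kassert, OID_AUTO, do_log, CTLFLAG_RW | CTLFLAG_TUN,
    &kassert_do_log, 0,
    "If warn_only is enabled, log (1) or do nothing (0)");
TUNABLE_INT("debug.kassert.do_log", &kassert_do_log);

SYSCTL_INT(_debug_kassert, OID_AUTO, warnings, CTLFLAG_RW | CTLFLAG_TUN,
    &kassert_warnings, 0, "number of KASSERTs that have been triggered");
TUNABLE_INT("debug.kassert.warnings", &kassert_warnings);

SYSCTL_INT(_debug_kassert, OID_AUTO, log_panic_at, CTLFLAG_RW | CTLFLAG_TUN,
    &kassert_log_panic_at, 0, "max number of KASSERTS before we will panic");
TUNABLE_INT("debug.kassert.log_panic_at", &kassert_log_panic_at);

SYSCTL_INT(_debug_kassert, OID_AUTO, log_pps_limit, CTLFLAG_RW | CTLFLAG_TUN,
    &kassert_log_pps_limit, 0, "limit number of log messages per second");
TUNABLE_INT("debug.kassert.log_pps_limit", &kassert_log_pps_limit);

SYSCTL_INT(_debug_kassert, OID_AUTO, log_mute_at, CTLFLAG_RW | CTLFLAG_TUN,
    &kassert_log_mute_at, 0, "max number of KASSERTS to log");
TUNABLE_INT("debug.kassert.log_mute_at", &kassert_log_mute_at);

static int kassert_sysctl_kassert(SYSCTL_HANDLER_ARGS);

/*
 * Test hook: writing any integer fires a KASSERT(0).  With warn_only at its
 * default of 0 that is a panic, so the node carries CTLFLAG_SECURE.
 */
SYSCTL_PROC(_debug_kassert, OID_AUTO, kassert,
    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE, NULL, 0,
    kassert_sysctl_kassert, "I", "set to trigger a test kassert");

/*
 * Handler for debug.kassert.kassert.  Reads report 0.  A write (newptr
 * set) that parses without error triggers KASSERT(0) with the written
 * value in the message.  Returns the sysctl error, or 0.
 */
static int
kassert_sysctl_kassert(SYSCTL_HANDLER_ARGS)
{
	int error, i;

	error = sysctl_wire_old_buffer(req, sizeof(int));
	if (error == 0) {
		i = 0;
		error = sysctl_handle_int(oidp, &i, 0, req);
	}
	if (error != 0 || req->newptr == NULL)
		return (error);
	KASSERT(0, ("kassert_sysctl_kassert triggered kassert %d", i));
	return (0);
}

/*
 * Called by KASSERT, this decides if we will panic
 * or if we will log via printf and/or ktr.
 *
 * The message is formatted into a 256-byte static buffer, so longer
 * messages are truncated.  The buffer is shared by all callers and no lock
 * is taken here; presumably concurrent failures on the warning path can
 * overwrite each other's text -- confirm if that matters to consumers.
 */
void
kassert_panic(const char *fmt, ...)
{
	static char buf[256];
	va_list ap;

	va_start(ap, fmt);
	(void)vsnprintf(buf, sizeof(buf), fmt, ap);
	va_end(ap);

	/*
	 * panic if we're not just warning, or if we've exceeded
	 * kassert_log_panic_at warnings.
	 */
	if (!kassert_warn_only ||
	    (kassert_log_panic_at > 0 &&
	     kassert_warnings >= kassert_log_panic_at)) {
		va_start(ap, fmt);
		vpanic(fmt, ap);
		/* NORETURN */
	}
#ifdef KTR
	/*
	 * NOTE(review): buf is the already-formatted message and is handed
	 * to CTR0 in the format position; if it can contain '%', a later
	 * trace dump may misinterpret it -- confirm against ktr(9).
	 */
	if (kassert_do_ktr)
		CTR0(ktr_mask, buf);
#endif /* KTR */
	/*
	 * log if we've not yet met the mute limit.
	 */
	if (kassert_do_log &&
	    (kassert_log_mute_at == 0 ||
	     kassert_warnings < kassert_log_mute_at)) {
		static struct timeval lasterr;
		static int curerr;

		/* Rate-limit console output to log_pps_limit per second. */
		if (ppsratecheck(&lasterr, &curerr, kassert_log_pps_limit)) {
			printf("KASSERT failed: %s\n", buf);
			kdb_backtrace();
		}
	}
#ifdef KDB
	if (kassert_do_kdb) {
		kdb_enter(KDB_WHY_KASSERT, buf);
	}
#endif
	atomic_add_int(&kassert_warnings, 1);
}
#endif

/*
 * Panic is called on unresolvable fatal errors.  It prints "panic: mesg",
 * and then reboots.  If we are called twice, then we avoid trying to sync
 * the disks as this often leads to recursive panics.
 *
 * There is no va_end() because vpanic() is declared __dead2.
 */
void
panic(const char *fmt, ...)
{
	va_list ap;

	va_start(ap, fmt);
	vpanic(fmt, ap);
}

/*
 * Common panic path.
 *
 * On the first panic (panicstr not yet set) the message is formatted into
 * a 256-byte static buffer, which becomes panicstr, and RB_DUMP is
 * requested; longer messages are truncated.  On a nested panic the message
 * is only printed and RB_NOSYNC is forced.  RB_NOSYNC is also added unless
 * sync_on_panic is set.  Ends in kern_reboot() and does not return.
 */
static void
vpanic(const char *fmt, va_list ap)
{
#ifdef SMP
	cpuset_t other_cpus;
#endif
	struct thread *td = curthread;
	int bootopt, newpanic;
	static char buf[256];

	spinlock_enter();

#ifdef SMP
	/*
	 * stop_cpus_hard(other_cpus) should prevent multiple CPUs from
	 * concurrently entering panic.  Only the winner will proceed
	 * further.
	 */
	if (panicstr == NULL && !kdb_active) {
		other_cpus = all_cpus;
		CPU_CLR(PCPU_GET(cpuid), &other_cpus);
		stop_cpus_hard(other_cpus);
	}

	/*
	 * We set stop_scheduler here and not in the block above,
	 * because we want to ensure that if panic has been called and
	 * stop_scheduler_on_panic is true, then stop_scheduler will
	 * always be set.  Even if panic has been entered from kdb.
	 */
	td->td_stopsched = 1;
#endif

	bootopt = RB_AUTOBOOT;
	newpanic = 0;
	if (panicstr)
		bootopt |= RB_NOSYNC;
	else {
		bootopt |= RB_DUMP;
		panicstr = fmt;
		newpanic = 1;
	}

	if (newpanic) {
		(void)vsnprintf(buf, sizeof(buf), fmt, ap);
		panicstr = buf;
		cngrab();
		printf("panic: %s\n", buf);
	} else {
		printf("panic: ");
		vprintf(fmt, ap);
		printf("\n");
	}
#ifdef SMP
	printf("cpuid = %d\n", PCPU_GET(cpuid));
#endif

#ifdef KDB
	if (newpanic && trace_on_panic)
		kdb_backtrace();
	if (debugger_on_panic)
		kdb_enter(KDB_WHY_PANIC, "panic");
#endif
	/*thread_lock(td); */
	td->td_flags |= TDF_INPANIC;
	/* thread_unlock(td); */
	if (!sync_on_panic)
		bootopt |= RB_NOSYNC;
	kern_reboot(bootopt);
}

/*
 * Support for poweroff delay.
 *
 * Please note that setting this delay too short might power off your machine
 * before the write cache on your hard disk has been flushed, leading to
 * soft-updates inconsistencies.
 */
#ifndef POWEROFF_DELAY
# define POWEROFF_DELAY 5000
#endif
static int poweroff_delay = POWEROFF_DELAY;

SYSCTL_INT(_kern_shutdown, OID_AUTO, poweroff_delay, CTLFLAG_RW,
    &poweroff_delay, 0, "Delay before poweroff to write disk caches (msec)");

/*
 * shutdown_final handler: on RB_POWEROFF, wait poweroff_delay milliseconds.
 * Zero or negative delays are skipped.
 *
 * NOTE(review): poweroff_delay * 1000 is computed in int and the sysctl
 * has no upper bound -- confirm whether a range check is wanted.
 */
static void
poweroff_wait(void *junk, int howto)
{

	if (!(howto & RB_POWEROFF) || poweroff_delay <= 0)
		return;
	DELAY(poweroff_delay * 1000);
}

/*
 * Some system processes (e.g. syncer) need to be stopped at appropriate
 * points in their main loops prior to a system shutdown, so that they
 * won't interfere with the shutdown process (e.g. by holding a disk buf
 * to cause sync to fail).  For each of these system processes, register
 * shutdown_kproc() as a handler for one of shutdown events.
 */
static int kproc_shutdown_wait = 60;
SYSCTL_INT(_kern_shutdown, OID_AUTO, kproc_shutdown_wait, CTLFLAG_RW,
    &kproc_shutdown_wait, 0, "Max wait time (sec) to stop for each process");

/*
 * Shutdown handler that suspends the system process passed as arg, waiting
 * up to kproc_shutdown_wait seconds.  Does nothing after a panic.  Only
 * EWOULDBLOCK is reported as a timeout; any other result prints "done".
 */
void
kproc_shutdown(void *arg, int howto)
{
	struct proc *p;
	int error;

	if (panicstr)
		return;

	p = (struct proc *)arg;
	printf("Waiting (max %d seconds) for system process `%s' to stop...",
	    kproc_shutdown_wait, p->p_comm);
	error = kproc_suspend(p, kproc_shutdown_wait * hz);

	if (error == EWOULDBLOCK)
		printf("timed out\n");
	else
		printf("done\n");
}

/*
 * Thread counterpart of kproc_shutdown(): suspends the kernel thread passed
 * as arg with the same timeout and the same reporting.
 */
void
kthread_shutdown(void *arg, int howto)
{
	struct thread *td;
	int error;

	if (panicstr)
		return;

	td = (struct thread *)arg;
	printf("Waiting (max %d seconds) for system thread `%s' to stop...",
	    kproc_shutdown_wait, td->td_name);
	error = kthread_suspend(td, kproc_shutdown_wait * hz);

	if (error == EWOULDBLOCK)
		printf("timed out\n");
	else
		printf("done\n");
}

/* Name of the registered dump device, sized to match cdev's si_name. */
static char dumpdevname[sizeof(((struct cdev*)NULL)->si_name)];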
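SYSCTL_STRING(_kern_shutdown, OID_AUTO, dumpdevname, CTLFLAG_RD,
    dumpdevname, 0, "Device for kernel dumps");

/*
 * Registration of dumpers.
 *
 * A NULL di clears the current dumper and the exported device name.
 * Otherwise the dumper is installed only if none is registered yet
 * (EBUSY if one is); *di is copied, so the caller keeps ownership of its
 * structure.  devname is copied with truncation, and a truncation is
 * reported on the console.  Returns 0 on success.
 *
 * No privilege check is made here; presumably the caller that selects the
 * dump device has already authorized the request -- confirm at call sites.
 */
int
set_dumper(struct dumperinfo *di, const char *devname)
{
	size_t wantcopy;

	if (di == NULL) {
		bzero(&dumper, sizeof dumper);
		dumpdevname[0] = '\0';
		return (0);
	}
	if (dumper.dumper != NULL)
		return (EBUSY);
	dumper = *di;
	wantcopy = strlcpy(dumpdevname, devname, sizeof(dumpdevname));
	if (wantcopy >= sizeof(dumpdevname)) {
		printf("set_dumper: device name truncated from '%s' -> '%s'\n",
		    devname, dumpdevname);
	}
	return (0);
}

/*
 * Call dumper with bounds checking.
 *
 * A non-empty write must lie entirely inside the dump area
 * [mediaoffset, mediaoffset + mediasize); otherwise nothing is written and
 * ENOSPC is returned.  This check is what keeps a dump from overwriting
 * data outside the dump device, so it is written without ever adding
 * length to an offset: the original "offset - mediaoffset + length >
 * mediasize" form could wrap for a very large length and then pass.
 * Zero-length writes are passed through unchecked, as before.
 */
int
dump_write(struct dumperinfo *di, void *virtual, vm_offset_t physical,
    off_t offset, size_t length)
{

	/*
	 * The third test runs only when 0 <= offset - mediaoffset <=
	 * mediasize, so the subtraction inside it cannot go negative
	 * before the cast.
	 */
	if (length != 0 && (offset < di->mediaoffset ||
	    offset - di->mediaoffset > di->mediasize ||
	    length > (uintmax_t)(di->mediasize -
	    (offset - di->mediaoffset)))) {
		printf("Attempt to write outside dump device boundaries.\n"
	    "offset(%jd), mediaoffset(%jd), length(%ju), mediasize(%jd).\n",
		    (intmax_t)offset, (intmax_t)di->mediaoffset,
		    (uintmax_t)length, (intmax_t)di->mediasize);
		return (ENOSPC);
	}
	return (di->dumper(di->priv, virtual, physical, offset, length));
}

/*
 * Fill in a kernel dump header.
 *
 * The header is zeroed first, numeric fields are stored through the
 * htod32()/htod64() conversions, and the parity is computed last over the
 * finished header.
 *
 * The hostname, version and panic strings are runtime values that can be
 * longer than their header fields, so they are copied with strlcpy() to
 * guarantee NUL termination; strncpy() left a full field unterminated,
 * which is a hazard for any reader that treats it as a C string.  magic
 * and MACHINE_ARCH are short fixed identifiers and keep the original
 * strncpy() so their on-disk bytes are unchanged.
 *
 * The header carries the hostname, kernel version and panic message, so
 * dumps should be handled as sensitive data.
 */
void
mkdumpheader(struct kerneldumpheader *kdh, char *magic, uint32_t archver,
    uint64_t dumplen, uint32_t blksz)
{

	bzero(kdh, sizeof(*kdh));
	strncpy(kdh->magic, magic, sizeof(kdh->magic));
	strncpy(kdh->architecture, MACHINE_ARCH, sizeof(kdh->architecture));
	kdh->version = htod32(KERNELDUMPVERSION);
	kdh->architectureversion = htod32(archver);
	kdh->dumplength = htod64(dumplen);
	kdh->dumptime = htod64(time_second);
	kdh->blocksize = htod32(blksz);
	strlcpy(kdh->hostname, prison0.pr_hostname, sizeof(kdh->hostname));
	strlcpy(kdh->versionstring, version, sizeof(kdh->versionstring));
	if (panicstr != NULL)
		strlcpy(kdh->panicstring, panicstr, sizeof(kdh->panicstring));
	kdh->parity = kerneldump_parity(kdh);
}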