https://www.illumos.org/issues/7082
upstream
DLPX-40542 bptree_iterate() passes wrong args to zfs_dbgmsg()
Reviewed by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Igor Kozhukhov <ikozhukhov@gmail.com>
Approved by: Dan McDonald <danmcd@omniti.com>
Author: Matthew Ahrens <mahrens@delphix.com>
https://www.illumos.org/issues/6314
Callers of dsl_dataset_name pass a buffer of size ZFS_MAXNAMELEN, but
dsl_dataset_name copies the datasets' name PLUS the snapshot name to it,
resulting in a max of 2 * ZFS_MAXNAMELEN + '@'.
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Prakash Surya <prakash.surya@delphix.com>
Reviewed by: Igor Kozhukhov <ikozhukhov@gmail.com>
Approved by: Dan McDonald <danmcd@omniti.com>
Author: Matthew Ahrens <mahrens@delphix.com>
https://www.illumos.org/issues/6872
We compile the zfs libraries with -Wno-uninitialized. We should remove
this. Change makefiles, fix new warnings, fix pbchk errors.
Reviewed by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Prakash Surya <prakash.surya@delphix.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
Approved by: Robert Mustacchi <rm@joyent.com>
Author: Paul Dagnelie <pcd@delphix.com>
https://www.illumos.org/issues/4521
zfstest is trying to execute evil "zfs unmount -a", which fails (fortunately,
as it would otherwise leave me with my ~ missing):
03:44:11.86 cannot unmount '/export/home/yuri': Device busy cannot unmount '/
export/home': Device busy
03:44:11.86 ERROR: /usr/sbin/zfs unmount -a exited 1
This affects, at least, zfs_mount_009_neg and zfs_mount_all_001_pos, both
failing on that step. The pool containing the /export/home hierarchy is
included in KEEP variable, but it doesn't seem to affect anything here.
Reviewed by: Andriy Gapon <avg@FreeBSD.org>
Reviewed by: Dan McDonald <danmcd@omniti.com>
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed by: John Kennedy <john.kennedy@delphix.com>
Approved by: Robert Mustacchi <rm@joyent.com>
Author: Yuri Pankov <yuri.pankov@nexenta.com>
https://www.illumos.org/issues/6873
lzc_destroy_snaps() returns an nvlist in errlist.
zfs_destroy_snaps_nvl() should nvlist_free() it before returning.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed by: Paul Dagnelie <pcd@delphix.com>
Approved by: Dan McDonald <danmcd@omniti.com>
Author: Chris Williamson <chris.williamson@delphix.com>
https://www.illumos.org/issues/6879
In libzfs_sendrecv, there's a typo:
case DRR_SPILL:
if (byteswap) {
drr->drr_u.drr_write.drr_length =
BSWAP_64(drr->drr_u.drr_spill.drr_length);
}
Instead of drr_write.drr_length, we should be assigning the result of the
byteswap to drr_spill.drr_length.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed by: Paul Dagnelie <pcd@delphix.com>
Approved by: Robert Mustacchi <rm@joyent.com>
Author: Dan Kimmel <dan.kimmel@delphix.com>
https://www.illumos.org/issues/6111
If you create a zfs child folder, zfs send returns an error when a recursive
incremental send is done between two snapshots made prior to the folder
creation.
The problem can be reproduced with the following steps.
root@zfs:/# zfs create pool/test
root@zfs:/# zfs snapshot pool/test@snap1
root@zfs:/# zfs snapshot pool/test@snap2
root@zfs:/# zfs create pool/test/child
root@zfs:/# zfs send -R -I pool/test@snap1 pool/test@snap2 > /dev/null
WARNING: could not send pool/test/child@snap2: does not exist
WARNING: could not send pool/test/child@snap2: does not exist
root@zfs:/# echo $?
1
root@zfs:/# zfs snapshot -r pool/test@snap3
root@zfs:/# zfs send -R -I pool/test@snap1 pool/test@snap3 > /dev/null
root@zfs:/# echo $?
0
root@zfs:/# zfs send -R -I pool/test@snap2 pool/test@snap3 > /dev/null
root@zfs:/# echo $?
0
Since pool/test/child was created after snap2, zfs send should not expect snap2
to be in pool/test/child when doing a recursive send. It should examine the
compare the creation time of the snapshot and each child folder to decide if
the folder will be sent. The next incremental send between snap2 and snap3
would properly create the child folder and snap3 which first appears in the
child folder.
The problem is identical if '-i' is used instead of '-I'.
Reviewed by: Alex Aizman alex.aizman@nexenta.com
Reviewed by: Alek Pinchuk alek.pinchuk@nexenta.com
Reviewed by: Roman Strashkin roman.strashkin@nexenta.com
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed by: Paul Dagnelie <pcd@delphix.com>
Approved by: Garrett D'Amore <garrett@damore.org>
Author: Alex Deiter <alex.deiter@nexenta.com>
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Paul Dagnelie <pcd@delphix.com>
Reviewed by: Igor Kozhukhov <ikozhukhov@gmail.com>
Approved by: Dan McDonald <danmcd@omniti.com>
Author: Matthew Ahrens <mahrens@delphix.com>
https://www.illumos.org/issues/7019
Currently zfsdev_ioctl, when confronted by a request with the FKIOCTL flag set,
skips all processing of secpolicy functions. This means that ZFS is not doing
any kind of verification of the credentials or access rights of the caller and
assuming that (as it is an in-kernel client) all such checks have already been
done.
This turns out to be quite a dangerous assumption, especially with respect to
sdev. In general I don't think it's particularly reasonable to offload this
enforcement of access rights onto other kernel subsystems when ZFS has some
particular local semantics in this area (delegated datasets etc) and does not
provide any kind of API to allow other subsystems to avoid code duplication
when doing it. ZFS should apply its normal access policy to requests from
within the kernel, and callers should take care to give it the correct
credentials and call it from the correct context in order to get the results
they need.
You can observe the currently unfortunate consequences of this bug in any non-
global zone that has access to /dev/zvol or any subset of it via sdev profiles.
In particular, a zone used to contain a KVM or similar which has a single zvol
passed through to it using a <device match= block in its zone XML.
Even though sdev makes something of an attempt to control for whether the
caller should have access to nodes in /dev/zvol, it doesn't do this correctly,
or really at all in the lookup call path. So, if we have a zone that's been
given access to any part of /dev/zvol, it can simply look up the full path to
any other zvol on the entire system, and the node will appear and be able to be
used.
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Richard Lowe <richlowe@richlowe.net>
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Approved by: Dan McDonald <danmcd@omniti.com>
Author: Alex Wilson <alex.wilson@joyent.com>
https://www.illumos.org/issues/6922
ZFS does not do a config_sync after removing an aux (spare, log, or cache)
device. AFAICT this isn't being done because it is slow and was deemed
unnecessary. However, it should be such a rare operation that speed doesn't
matter, and not doing it results in two problems:
1) It is theoretically possible to remove an aux device from one pool and
attach it to another, then lose power. When power is restored, both pools woul
d
think that they own the aux device.
2) Removal of the aux device doesn't send any useful sysevents to userland.
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Approved by: Dan McDonald <danmcd@omniti.com>
Author: Alan Somers <asomers@gmail.com>
Reviewed by: Paul Dagnelie <pcd@delphix.com>
Reviewed by: George Wilson <george.wilson@delphix.com>
Approved by: Robert Mustacchi <rm@joyent.com>
Author: Matthew Ahrens <mahrens@delphix.com>
[BHND/PMU] Correct shift of bits in BHND_PMU_SET_BITS macro
The purpose of BHND_PMU_{GET,SET}_BITS macro is to transform values from/into
register format. SET macro shifts value to left and applies filter mask.
GET macro applies filter mask and then shifts value to right.
Reviewed by: landonf, adrian (mentor)
Approved by: adrian (mentor)
Differential Revision: https://reviews.freebsd.org/D7721
https://www.illumos.org/issues/6876
Calling dsl_dataset_name on a dataset with a 256 byte buffer is asking for
trouble. We should check every dataset on import, using a 1024 byte buffer and
checking each time to see if the dataset's new name is longer than 256 bytes.
Reviewed by: Prakash Surya <prakash.surya@delphix.com>
Reviewed by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
Approved by: Richard Lowe <richlowe@richlowe.net>
Author: Paul Dagnelie <pcd@delphix.com>
https://www.illumos.org/issues/6876
Calling dsl_dataset_name on a dataset with a 256 byte buffer is asking for
trouble. We should check every dataset on import, using a 1024 byte buffer and
checking each time to see if the dataset's new name is longer than 256 bytes.
Reviewed by: Prakash Surya <prakash.surya@delphix.com>
Reviewed by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
Approved by: Richard Lowe <richlowe@richlowe.net>
Author: Paul Dagnelie <pcd@delphix.com>
andrew [Thu, 1 Sep 2016 10:26:06 +0000 (10:26 +0000)]
Fix arm64 superpages bugs in pmap_enter:
* Pass the correct virtual address when demoting a superpage
* Use the correct l3 table after demoting a superpage
* Remove an invalid KASSERT hit demoting then promoting a superpage [1]
With this it is believed that superpages on arm64 is stable.
Reported by: [1] cognet
Obtained from: ABT Systems Ltd
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Capture executable names for CC, CPP, CXX (assumed to be the
first non-CCACHE_BIN word).
This change strips out all of the cross-compiler arguments, (-target,
-B, etc), added to ${CC}, etc via ${CROSSENV} in Makefile.inc1, so it
doesn't infect the build and subsequently the test.
Add comments noting why this logic is being added, and why the logic in
r305041 was necessary/what it was trying to achieve.
This is required after recent changes made to the toolchain to always
specify --sysroot, -target, -B, etc with clang in buildworld (presumably
r304681).
Fix linker warnings (errors on gcc) that resulted from r304510.
The variables that are extern in the netmap header file should be
defined in ixl_txrx.c (the file that is included in both ixl(4)/ixlv(4),
not in the main driver source files.
np [Wed, 31 Aug 2016 23:23:46 +0000 (23:23 +0000)]
cxgbe/t4_tom: Add general purpose routines to deal with page pod regions
and allocations within them. Switch to these routines to manage the TOE
DDP region.
In existing implementations including FreeBSD, there is no reason to use
readdir_r() in the common case where potentially multiple threads each list
their own directory. Code using readdir() is simpler.
What's more, lthough readdir_r() can safely be used on FreeBSD because
NAME_MAX is forced to 255, it cannot be used safely on systems where
{NAME_MAX} is not fixed. As a concrete example, FAT/NTFS filenames can be up
to 255 UTF-16 code units long, which can be up to 765 UTF-8 bytes.
Deprecating readdir_r() in POSIX has been proposed in
http://www.austingroupbugs.net/view.php?id=696
and glibc wants to deprecate it as well.
bdrewery [Wed, 31 Aug 2016 19:30:00 +0000 (19:30 +0000)]
DIRDEPS_BUILD: Avoid cyclic dependency with libc++.
The DIRDEPS_BUILD does not have a 'make includes' phase, so it would
otherwise want libc++ to be fully built/staged before building
libgcc. Using the header directly works.
cem [Wed, 31 Aug 2016 18:10:41 +0000 (18:10 +0000)]
df(1): Allow duplicate -l flags gracefully
Rather than producing a misleading error message when duplicate -l flags are
provided to df(1), simply ignore extra flags and proceed as if only one was
specified. This seems most reasonable given the usage for -l:
-l Only display information about locally-mounted file systems.
l and t flags still conflict, as before.
PR: 208169
Reported by: by at reorigin.com
Reviewed by: allanjude
allanjude [Wed, 31 Aug 2016 17:52:11 +0000 (17:52 +0000)]
Eliminate unnecessary loop in _cap_check()
Calling cap_rights_contains() several times with the same inputs is not
going to produce a different output. The variable being iterated, i, is
never used inside the for loop.
The loop is actually done in cap_rights_contains()
Submitted by: Ryan Moeller <ryan@freqlabs.com>
Reviewed by: oshogbo, ed
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D7369
emaste [Wed, 31 Aug 2016 15:05:04 +0000 (15:05 +0000)]
Update to ELF Tool Chain r3490
Improvements include:
* readelf: report all relocation types in rel/rela for MIPS N64
* readelf: add ELFOSABI_ARM_AEABI
* elfdump: add ELFOSABI_ARM_AEABI and ELFOSABI_ARM
* Add recent RISC-V relocations
* elfcopy: use elftc_timestamp, to support SOURCE_DATE_EPOCH
kib [Wed, 31 Aug 2016 14:49:58 +0000 (14:49 +0000)]
Make swapoff reliable.
The swap_pager_swapoff() function uses trylock for the object lock
before pagein, which means that either i/o to md(4) over swap, or
intensive page faults over swap pager objects might prevent swapoff()
from making any progress. Then the retry < 100 check fails and machine
panics.
If trylock fails, acquire the object lock in the blockable way and
restart the hash bucket walk. Keep retries logic for now.
Reported and tested by: pho
Reviewed by: alc, markj
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D7688
bapt [Wed, 31 Aug 2016 13:16:40 +0000 (13:16 +0000)]
Netboot: allow both tftpfs and nfs in both pxeboot and loader.efi
Add a new 'netproto' variable which can be set for now to
NET_TFTP or NET_NFS (default to NET_NONE)
From the dhcp options if one sets the root-path option to:
"ip:path", the loader will consider it is booting over NFS
(meaning same behaviour as the default current behaviour)
if the dhcp option "tftp server address" is set (option 150)
the loader will consider it is booting over tftpfs, it will then
consider the root-path options with 2 possible case
1. "path" then the IP of the tftp server will be the one passed by
the option 150, and the files will be retrieved under "path" on the tftp
server
2. "ip:path" then the IP of the tftp server will be the one passed in
the option "overwritting the IP from the option 150.
We could not "abuse" the rootpath option in the form or tftp://ip:path because
this is already used for other purpose by iPXE preventing any chainload from
iPXE to the FreeBSD loader.
Given at each open(), the loader loops over all available filesystems and keep
the "best" error, we needed to prevent tftpfs to fallback on nfs and vice versa.
the tftpfs and nfs implementation in libstand now return EINVAL early if
'netproto' for that purpose.
mav [Wed, 31 Aug 2016 11:55:31 +0000 (11:55 +0000)]
Fix kernel panic when inheriting properties without default.
There are two writable hidden properties "iscsioptions" and "stmf_sbd_lu",
that have no default string value. Attempt to unset them or replicate
caused kernel panic. This simple bandaid seems fixes the problem nicely.
bde [Wed, 31 Aug 2016 11:10:39 +0000 (11:10 +0000)]
Add some locking to sc_cngetc().
Keyboard input needs Giant locking, and that is not possible to do
correctly here. Use mtx_trylock() and proceed unlocked as before if
we can't acquire Giant (non-recursively), except in kdb mode don't
even try to acquire Giant. Everything here is a hack, but it often
works. Even if mtx_trylock() succeeds, this might be a LOR.
Keyboard input also needs screen locking, to handle screen updates
and switches. Add this, using the same simplistic screen locking
as for sc_cnputc().
Giant must be acquired before the screen lock, and the screen lock
must be dropped when calling the keyboard driver (else it would get a
harmless LOR if it tries to acquire Giant). It was intended that sc
cn open/close hide the locking calls, and they do for i/o functions
functions except for this complication.
Non-console keyboard input is still only Giant-locked, with screen
locking in some called functions. This is correct for the keyboard
parts only.
When Giant cannot be acquired properly, atkbd and kbdmux tend to race
and work (they assume that the caller acquired Giant properly and don't
try to acquire it again or check that it has been acquired, and the
races rarely matter), while ukbd tends to deadlock or panic (since it
does the opposite, and has other usb threads to deadlock with).
The keyboard (Giant) locking here does very little, but the screen
locking completes screen locking for console mode except for not
detecting or handling deadlock.
sephe [Wed, 31 Aug 2016 06:00:20 +0000 (06:00 +0000)]
hyperv/timesync: Rework time adjustment policy
- By default, adjust time upon SYNC request. It can be disabled
through hw.hvtimesync.ignore_sync_req. SYNC request will be
sent by hypervisor the host is resumed, rebooted, etc.
- By default, adjust time upon SAMPLE request, if there is 100ms
difference between VM time and hypervisor time. This can be
disabled through hw.hvtimesync.sample_drift.
And nuke the unnecessary task, since channel callback is running
in a Hyper-V taskqueue nowadays.
Submitted by: YanZhe Chen <t-yachen microsoft com>
Discussed with: Dexuan Cui <decui microsoft com>, Hongjiang Zhang <honzhan microsoft com>, sephe
MFC after: 1 week
Sponsored by: Microsoft
Differential Revision: https://reviews.freebsd.org/D7707
imp [Wed, 31 Aug 2016 03:55:50 +0000 (03:55 +0000)]
Create a hook 'post-initialize' for people that want to define
something (perhaps in loader.rc.local) that can read in .conf files
after all the other .conf files have been read and override settings
in them. This is quite handy if the .conf file name is determined
while the loader is running, but might be generically useful for other
things. If this hook exists, call it, otherwise don't do anything.
Doing it in these functions ensures that this file is reliably
read. It also works around a defect in forth where s" isn't allowed
outside a function (well, in a compile context) leading to gross
workarounds if one were to hack loader.rc like:
: maybe-some-func s" some-func" sfind if execute else drop then ;
maybe-some-func
which somehow seems worse. Though I'm sure there's some clever forthy
way of doing that with a macro.
cognet [Tue, 30 Aug 2016 23:30:26 +0000 (23:30 +0000)]
Some old arm ports don't load the kernel at the beginning of the memory,
because the bootloader, ie redboot, won't let them do so, and so used the
memory before the kernel for early memory allocation, such as pagetables,
stacks, etc...
Make a bit of an effort to try to get that memory mapped.
dim [Tue, 30 Aug 2016 20:27:22 +0000 (20:27 +0000)]
Fix warnings in telnet about invalid constant conversions, e.g.:
contrib/telnet/telnet/commands.c:2914:13: error: implicit conversion
from 'int' to 'char' changes value from 137 to -119
[-Werror,-Wconstant-conversion]
*lsrp++ = IPOPT_SSRR;
~ ^~~~~~~~~~
/usr/include/netinet/ip.h:152:21: note: expanded from macro 'IPOPT_SSRR'
#define IPOPT_SSRR 137 /* strict source route */
^~~
contrib/telnet/telnet/commands.c:2916:13: error: implicit conversion
from 'int' to 'char' changes value from 131 to -125
[-Werror,-Wconstant-conversion]
*lsrp++ = IPOPT_LSRR;
~ ^~~~~~~~~~
/usr/include/netinet/ip.h:148:21: note: expanded from macro 'IPOPT_LSRR'
#define IPOPT_LSRR 131 /* loose source route */
^~~
dim [Tue, 30 Aug 2016 20:24:50 +0000 (20:24 +0000)]
Fix warnings in tnftp about invalid constant conversions, e.g.:
contrib/tnftp/src/ftp.c:2067:11: error: implicit conversion from 'int'
to 'char' changes value from 255 to -1 [-Werror,-Wconstant-conversion]
buf[0] = IAC;
~ ^~~
/usr/include/arpa/telnet.h:39:13: note: expanded from macro 'IAC'
#define IAC 255 /* interpret as command: */
^~~
contrib/tnftp/src/ftp.c:2068:11: error: implicit conversion from 'int'
to 'char' changes value from 244 to -12 [-Werror,-Wconstant-conversion]
buf[1] = IP;
~ ^~
/usr/include/arpa/telnet.h:50:12: note: expanded from macro 'IP'
#define IP 244 /* interrupt process--permanently */
^~~
pfg [Tue, 30 Aug 2016 19:39:33 +0000 (19:39 +0000)]
libcpp: Complete the __COUNTER__ support with upstream implementation.
We brought an original __COUNTER__ implementation in r228474, however, it
was missing documentation and it had a different behaviour for precompiled
headers with respect to the upstream version. Since the upstream version
is under the same license as GCC4.2, bring the missing pieces to reduce
differences against upstream.
dim [Tue, 30 Aug 2016 19:02:15 +0000 (19:02 +0000)]
Squelch clang 3.9.0 warnings about BASE (which is 32768) being converted
to -32768 when it is used as an argument to mp_itom(), in both libtelnet
and newkey. This code has been wrong since r26238 (!), so after almost
20 years it is rather useless to try to correct it.
imp [Tue, 30 Aug 2016 18:01:26 +0000 (18:01 +0000)]
The code only converts from bpbHugeSectors to bpbSectors if the sum of
the hidden and huge sectors is less than or equal MAXU16. When
formatting in Windows bpbSectors is still used for 63488 sectors and
2048 hidden (sum > MAXU16). The hidden sectors count is the number of
sectors before the FAT16 Boot Record so it shouldn't affect the sector
count. Attached patch (huge_sec_conversion.patch) to only check for
bpb.bpbHugeSectors <= MAXU16 when converting to bpbSectors.
andrew [Tue, 30 Aug 2016 16:45:15 +0000 (16:45 +0000)]
Because we need to use a break-before-make sequence when promoting pages
there is a short period where functions that walk the kernel page table
without locking them may see an invalid entry. One solution would be to add
locking to these functions, however some may be called from locations where
we are unable to sleep.
Until a better solution can be found stop promoting pages in the kernel
pmap so these functions work as expected.
Obtained from: ABT Systems Ltd
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
lidl [Tue, 30 Aug 2016 14:09:24 +0000 (14:09 +0000)]
Add refactored blacklist support to sshd
Change the calls to of blacklist_init() and blacklist_notify to be
macros defined in the blacklist_client.h file. This avoids
the need for #ifdef USE_BLACKLIST / #endif except in the
blacklist.c file.
Remove redundent initialization attempts from within
blacklist_notify - everything always goes through
blacklistd_init().
Added UseBlacklist option to sshd, which defaults to off.
To enable the functionality, use '-o UseBlacklist=yes' on
the command line, or uncomment in the sshd_config file.
Reviewed by: des
Approved by: des
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D7051
bde [Tue, 30 Aug 2016 12:36:14 +0000 (12:36 +0000)]
Fix keyboard polling "on/off" to support recursion. vt depends on
this, and sc will soon depend on it again.
The on/off request is passed without modification to lower layers,
so the bug was smaller in this layer than in in lower layers (the
sequence on;on;off left polling off when it should be on, but the
sequence on;on;off;on;off... doesn't allow the interrupt handler
to eat the input after an "off" that should't turn off polled mode,
provided lower layers don't have the bug, since this layer is virtual.
The bug was small in lower layers too. Normally everything is Giant
locked for keyboards, and this locks out the interrupt handler in
on;on;off;on;off... sequences. However, PR 211884 says that fixing
this bug in ukbd in r303765 apparently causes the eating-by-interrupt
behaviour that the fix is to prevent.
bde [Tue, 30 Aug 2016 10:57:19 +0000 (10:57 +0000)]
Start adding locking to sc_cngetc().
Restore an splx() lost in r228644. We aren't nearly ready to remove
spl's. They give hints about missing locking. This lost one was
misplaced. Dropping it early for convenience gave race windows for
accesses to the fkey buffer. Giant locking accidentally fixed this
for non-console cases.
Put the spl's around the whole function. Since there are many returns
that would need splx() just before them for a direct fix, split the
function into a wrapper that does the spl's and a "locked" function
that does the work.
Return earlier when no keyboard is attached to match the ordering in a
planned version. This breaks the dubious feature of returning keys
from the fkey buffer after the keyboard has gone away. Losing the keys
wouldn't matter, but we keep them too long now.