authorMitchell Horne <mhorne@FreeBSD.org>2023-11-23 15:58:27 +0000
committerMitchell Horne <mhorne@FreeBSD.org>2023-11-23 16:07:42 +0000
commit4eb861d362d6a9493df7f77eab8e28f9c826702a (patch)
tree931d83da0c46f398b7bb88bb2c988b2f4834bd49 /sys/geom
parent66d9c2f38d2db9e50c0dbf56dca4a2f3e6c3107c (diff)
shutdown: audit shutdown_post_sync event callbacks
Ensure they are all panic/debugger safe. Most handlers for this event are for disk drivers/geom modules. There are a mix of checks being used here (or not), so let's standardize on checking the presence of the RB_NOSYNC flag. This flag is set whenever: 1. The kernel has panicked and kern.sync_on_panic=0* 2. We reboot from within the kernel debugger (the "reset" command) 3. Userspace requested it, e.g. by 'reboot -n' Name the functions consistently. *This sysctl is tuned to zero by default, but its existence means that these handlers can be executed after a panic, at the user's discretion. IMO this use-case is implicitly understood to be risky, and we'd be better off eliminating it altogether. Reviewed by: markj Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D42337
Diffstat (limited to 'sys/geom')
-rw-r--r--sys/geom/journal/g_journal.c8
-rw-r--r--sys/geom/mirror/g_mirror.c3
-rw-r--r--sys/geom/raid/g_raid.c4
-rw-r--r--sys/geom/raid3/g_raid3.c4
4 files changed, 15 insertions, 4 deletions
diff --git a/sys/geom/journal/g_journal.c b/sys/geom/journal/g_journal.c
index 147e83cc7e21..11a75e541fda 100644
--- a/sys/geom/journal/g_journal.c
+++ b/sys/geom/journal/g_journal.c
@@ -39,6 +39,7 @@
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/proc.h>
+#include <sys/reboot.h>
#include <sys/sbuf.h>
#include <sys/sched.h>
#include <sys/sysctl.h>
@@ -2655,13 +2656,14 @@ static eventhandler_tag g_journal_event_shutdown = NULL;
static eventhandler_tag g_journal_event_lowmem = NULL;
static void
-g_journal_shutdown(void *arg, int howto __unused)
+g_journal_shutdown_post_sync(void *arg, int howto)
{
struct g_class *mp;
struct g_geom *gp, *gp2;
- if (KERNEL_PANICKED())
+ if ((howto & RB_NOSYNC) != 0)
return;
+
mp = arg;
g_topology_lock();
LIST_FOREACH_SAFE(gp, &mp->geom, geom, gp2) {
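Review bot: The guard at the top of g_journal_shutdown_post_sync no longer stops the handler after every panic. Per the commit description, RB_NOSYNC is set on panic only when kern.sync_on_panic=0, so with that sysctl enabled the function now proceeds to g_topology_lock() and the geom walk in panic context, where the old KERNEL_PANICKED() test returned. The g_mirror_shutdown_post_sync hunk makes the same replacement. If this is intended, I would say so at the check, e.g. `/* RB_NOSYNC covers panic (unless kern.sync_on_panic is set), debugger reset and 'reboot -n'. */`; if not, `if (KERNEL_PANICKED() || (howto & RB_NOSYNC) != 0)` keeps the previous guarantee. The function body continues past the end of the hunk.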
@@ -2738,7 +2740,7 @@ g_journal_init(struct g_class *mp)
(g_journal_cache_limit / 100) * g_journal_cache_switch;
}
g_journal_event_shutdown = EVENTHANDLER_REGISTER(shutdown_post_sync,
- g_journal_shutdown, mp, EVENTHANDLER_PRI_FIRST);
+ g_journal_shutdown_post_sync, mp, EVENTHANDLER_PRI_FIRST);
if (g_journal_event_shutdown == NULL)
GJ_DEBUG(0, "Warning! Cannot register shutdown event.");
g_journal_event_lowmem = EVENTHANDLER_REGISTER(vm_lowmem,
diff --git a/sys/geom/mirror/g_mirror.c b/sys/geom/mirror/g_mirror.c
index b2bcea2f0dbb..c6f95f28ba89 100644
--- a/sys/geom/mirror/g_mirror.c
+++ b/sys/geom/mirror/g_mirror.c
@@ -39,6 +39,7 @@
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/proc.h>
+#include <sys/reboot.h>
#include <sys/sbuf.h>
#include <sys/sched.h>
#include <sys/sx.h>
@@ -3546,7 +3547,7 @@ g_mirror_shutdown_post_sync(void *arg, int howto)
struct g_mirror_softc *sc;
int error;
- if (KERNEL_PANICKED())
+ if ((howto & RB_NOSYNC) != 0)
return;
mp = arg;
diff --git a/sys/geom/raid/g_raid.c b/sys/geom/raid/g_raid.c
index 437cef416ca3..6938491d696c 100644
--- a/sys/geom/raid/g_raid.c
+++ b/sys/geom/raid/g_raid.c
@@ -38,6 +38,7 @@
#include <sys/module.h>
#include <sys/mutex.h>
#include <sys/proc.h>
+#include <sys/reboot.h>
#include <sys/sbuf.h>
#include <sys/sched.h>
#include <sys/sysctl.h>
@@ -2457,6 +2458,9 @@ g_raid_shutdown_post_sync(void *arg, int howto)
struct g_raid_softc *sc;
struct g_raid_volume *vol;
+ if ((howto & RB_NOSYNC) != 0)
+ return;
+
mp = arg;
g_topology_lock();
g_raid_shutdown = 1;
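Review bot: The new early return in g_raid_shutdown_post_sync sits above `g_raid_shutdown = 1;`, so on an RB_NOSYNC shutdown the flag is no longer set, whereas before it was set on every invocation. Readers of that flag are outside the hunk, so I cannot tell whether anything relies on it during a no-sync reboot. It is worth confirming, or stating in a comment that leaving it clear is deliberate, e.g. `/* No teardown on RB_NOSYNC; g_raid_shutdown intentionally stays 0. */`. The g_raid3_shutdown_post_sync hunk has the same ordering with `g_raid3_shutdown = 1;`. Both function bodies continue outside their hunks.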
diff --git a/sys/geom/raid3/g_raid3.c b/sys/geom/raid3/g_raid3.c
index 8f12f14cf09b..721610cefbec 100644
--- a/sys/geom/raid3/g_raid3.c
+++ b/sys/geom/raid3/g_raid3.c
@@ -38,6 +38,7 @@
#include <sys/module.h>
#include <sys/mutex.h>
#include <sys/proc.h>
+#include <sys/reboot.h>
#include <sys/sbuf.h>
#include <sys/sched.h>
#include <sys/sysctl.h>
@@ -3573,6 +3574,9 @@ g_raid3_shutdown_post_sync(void *arg, int howto)
struct g_raid3_softc *sc;
int error;
+ if ((howto & RB_NOSYNC) != 0)
+ return;
+
mp = arg;
g_topology_lock();
g_raid3_shutdown = 1;