Introduce the CTLFLAG_NEEDGIANT flag (modelled after D_NEEDGIANT) that can be used to name and shame sysctls still requiring Giant ;-)
Mark SYSCTL_STRING*, SYSCTL_OPAQUE* and SYSCTL_STRUCT* as inherently in need of Giant because of how the respective handlers work.
Set CTLFLAG_NEEDGIANT on all SYSCTL_(ADD_)PROCs not marked as MPSAFE.
Mark all SYSCTL_(ADD_)NODEs using a custom handler and not already marked as MPSAFE as CTLFLAG_NEEDGIANT.
Mark all SYSCTL_(ADD_)NODEs with a NULL handler as MPSAFE.
Mark all the various handcrafted SYSCTL_(ADD_)OID etc. invocations I've seen in the code.
Add a static_assert to check for one of the now required flags.
Full diff with -U999999 available at https://people.freebsd.org/~kaktus/sysctl.patch because it's getting close to 37MB.
TODO:
Check kmods in ports?