diff --git a/sys/kern/kern_kexec.c b/sys/kern/kern_kexec.c
--- a/sys/kern/kern_kexec.c
+++ b/sys/kern/kern_kexec.c
@@ -342,7 +342,19 @@
 {
 int error;
 
- // FIXME: Do w need a better privilege check than PRIV_REBOOT here?
+/* * XXX: Is PRIV_REBOOT sufficient here? * * Loading a new kernel image via kexec_load() is a more powerful operation * than a traditional reboot, as it allows replacing the running kernel * without returning to firmware or the bootloader. * * The current use of PRIV_REBOOT relies on the system security policy * (e.g., MAC frameworks, jail restrictions) to further constrain access * where appropriate. A more specific privilege (e.g., kexec-specific) * could provide finer-grained control in environments requiring stricter * separation of administrative capabilities. */
 error = priv_check(td, PRIV_REBOOT);
 if (error != 0)
 return (error);
diff --git a/sys/kern/kern_ntptime.c b/sys/kern/kern_ntptime.c
--- a/sys/kern/kern_ntptime.c
+++ b/sys/kern/kern_ntptime.c
@@ -388,7 +388,7 @@
 time_constant = ntv->constant;
 }
 if (modes & MOD_TAI) {
- if (ntv->constant > 0) /* XXX zero & negative numbers ? */
+ if (ntv->constant > 0) /* TAI-UTC offset is strictly positive */
 time_tai = ntv->constant;
 }
 #ifdef PPS_SYNC
diff --git a/sys/kern/kern_syscalls.c b/sys/kern/kern_syscalls.c
--- a/sys/kern/kern_syscalls.c
+++ b/sys/kern/kern_syscalls.c
@@ -161,8 +161,13 @@
 {
 struct sysent *se;
 
- if (offset == 0)
- return (0); /* XXX? */
+ if (offset == 0) {
+ /*
+ * Syscall number 0 is reserved and is not dynamically registered.
+ * Treat deregistration as a no-op to simplify module unload paths.
+ */
+ return (0);
+ }
 
 se = &sysents[offset];
 if ((se->sy_thrcnt & SY_THR_STATIC) != 0)
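Review bot: The new comment block in kern_kexec.c appears to open with `/*` at column 0 while the statements around it (`int error;`, `error = priv_check(td, PRIV_REBOOT);`) sit inside an indented function body, so the comment is visually detached from the check it explains; indent the whole block to match the surrounding code. The block also turns a one-line FIXME into a thirteen-line XXX without stating what would resolve it, which makes it easy for the open privilege question to be forgotten; a closing line such as `* TODO: revisit once a kexec-specific privilege exists.` keeps it actionable. The claim that MAC frameworks and jail restrictions further constrain access is not visible in this hunk and is worth confirming at the call sites, since priv_check() is the only gate shown here. The enclosing function starts before this hunk.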
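Review bot: The replacement comment in kern_ntptime.c states a property of the TAI-UTC offset but no longer says what happens to the value the old XXX asked about: when MOD_TAI is set with `ntv->constant <= 0`, the request is silently dropped with no error returned in this hunk, and a caller cannot tell the offset was not applied. If that is the intended contract, the comment should say so, e.g. `/* TAI-UTC offset is strictly positive; non-positive values are ignored */`; if not, the branch is the place to reject the request rather than ignore it. Whether the enclosing function reports an error for this case elsewhere is outside the hunk.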
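Review bot: The new early return in kern_syscalls.c handles only `offset == 0`, and the next visible statement is `se = &sysents[offset];` with no upper-bound or negative-value check between them, so any out-of-range offset that a caller does not validate indexes the table out of bounds. If callers are trusted to validate, say so in the new comment (`* Callers must pass a validated index; only the reserved slot 0 is filtered here.`); otherwise a range check against the table length, e.g. `if (offset < 0 || offset >= TABLE_LEN /* placeholder for the sysent table bound */) return (EINVAL);`, belongs ahead of the indexing. The comment's statement that slot 0 is never dynamically registered cannot be confirmed from this hunk and is worth cross-checking against the registration path. The enclosing function's signature is just above this hunk and its body continues below it.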