Build date: 1774994403 - Tue Mar 31 22:00:03 UTC 2026
Build cvs date: 1774975982 - Tue Mar 31 16:53:02 UTC 2026
Build id: 2026-04-01.1
Build tags: amd64-regress ports sysupgrade

Applied the following diff(s):
/home/anton/tmp/robsd/src-sys-em.diff
/home/anton/tmp/robsd/src-sys-uhidev-sispm.diff
/home/anton/tmp/robsd/src-sysupgrade.diff

P lib/libc/sys/sysctl.2
P lib/libcrypto/x509/x509_verify.c
P regress/lib/libcrypto/certs/make-certs.sh
P regress/lib/libcrypto/certs/verify_test.go
U regress/lib/libcrypto/certs/14a/bundle.pem
U regress/lib/libcrypto/certs/14a/roots.pem
U regress/lib/libcrypto/certs/14b/bundle.pem
U regress/lib/libcrypto/certs/14b/roots.pem
P regress/lib/libcrypto/x509/callback.c
P regress/lib/libcrypto/x509/verify.c
P regress/usr.sbin/rpki-client/openssl/Makefile
P regress/usr.sbin/rpki-client/openssl/unistd.h
P regress/usr.sbin/rpki-client/openssl/build/Makefile
P sbin/sysctl/sysctl.c
P sys/arch/amd64/amd64/identcpu.c
P sys/arch/amd64/amd64/machdep.c
P sys/arch/amd64/include/cpu.h
P sys/arch/arm64/include/cpu.h
P sys/arch/riscv64/riscv64/cpu.c
P sys/dev/fdt/xhci_fdt.c
P sys/dev/pci/drm/drm_linux.c
M sys/dev/usb/uhidev.c
P sys/kern/kern_sched.c
P sys/kern/kern_sysctl.c
P sys/sys/sched.h
P sys/sys/sysctl.h
P usr.bin/tmux/input-keys.c
P usr.bin/tmux/key-string.c
P usr.bin/tmux/server-client.c
P usr.bin/tmux/tmux.h
P usr.sbin/bgpctl/output.c
M usr.sbin/bgpd/session.c

commit 5KLCak7ow7QT5Sn6
Author: deraadt
Date: 2026/03/31 16:53:02

  delete AMD smt related line accidentally deleted

  sys/arch/amd64/amd64/identcpu.c

commit eKMgpkQVxw8PayRd
Author: deraadt
Date: 2026/03/31 16:46:46

  warn if hw.smt is used, and recommend hw.blockcpu

  sbin/sysctl/sysctl.c

commit jRjbGkVJrLHUHicZ
Author: deraadt
Date: 2026/03/31 16:46:22

  Some new intel machines have a new 3rd tier of cpus called LP-E which are
  E-core (Atom) without L3 cache.  These cpus are Lethargic, and it sucks
  when processes migrate to them.
  This introduces sysctl hw.blockcpu= which takes a sequence of 4 letters.
  S (for SMT), P (regular performance cpu), E (efficient cpu) generally
  80% to 50% as fast), and L (lethargic cpu) which are even slower.
  By setting this, you can select cpus to kick out of the scheduler.  The
  default is SL.
  The hw.smt sysctl remains for now but we will eventually delete it.
  hw.smt changes and follows hw.blockcpu=S.
  ok kettenis mlarkin

  lib/libc/sys/sysctl.2
  sys/arch/amd64/amd64/identcpu.c
  sys/arch/amd64/amd64/machdep.c
  sys/arch/amd64/include/cpu.h
  sys/kern/kern_sched.c
  sys/kern/kern_sysctl.c
  sys/sys/sched.h
  sys/sys/sysctl.h

commit rBTKYAHjtwS2uHSH
Author: deraadt
Date: 2026/03/31 16:37:48

  add ci_cputypes field which will be needed by an upcoming MI change
  ok kettenis

  sys/arch/arm64/include/cpu.h

commit vehNZ7sntqRHNMHk
Author: kettenis
Date: 2026/03/31 14:42:54

  Attempt to power on attached USB hubs.  Add support for SpacemiT K1.

  ok phessler@, jca@, jsing@

  sys/dev/fdt/xhci_fdt.c

commit YWkFpNVVYDe9fCuY
Author: kettenis
Date: 2026/03/31 14:41:15

  Recognize SpacemiT X60 and X100 cores.

  ok jsg@

  sys/arch/riscv64/riscv64/cpu.c

commit Zu9pFq6U2nSMKWTd
Author: jsing
Date: 2026/03/31 13:58:05

  Fix an off-by-one error in the X.509 verifier depth checking.

  In x509_verify_build_chains(), ensure that we check the current depth
  against max_depth prior to turning it into a legacy-style depth index.
  Additionally, add a guard to x509_verify_chain_append() so that we avoid
  exceeding the maximum certs per chain, even if we fail to handle this
  correctly elsewhere. Also prevent the legacy callback from being able
  to override the maximum verification depth.

  The current off-by-one allows for a 4 byte overwrite to occur on heap
  allocated memory - this will likely trigger a crash on OpenBSD (but may
  go unnoticed elsewhere). This is only reachable if a TLS client is talking
  to a malicious server or if a TLS server has client certificate
  verification enabled - in both cases the verification depth also needs to
  be set to the maximum allowed value of 32.

  It is worth noting that many TLS clients/servers set the maximum
  verification depth to a value that is much less than the default. A libtls
  client or server uses a default depth of 6 and is not impacted in this
  configuration.

  Thanks to Calif.io in collaboration with Claude and Anthropic Research,
  for reporting the issue.

  ok tb@

  lib/libcrypto/x509/x509_verify.c

commit 4UBk45mkPrQMcdyg
Author: jsing
Date: 2026/03/31 13:39:48

  Add additional X.509 verifier test cases.

  The second case (14b) currently triggers a bug in the new verifier.

  regress/lib/libcrypto/x509/callback.c
  regress/lib/libcrypto/x509/verify.c

commit cLHIrB7eKrdJj8ZE
Author: jsing
Date: 2026/03/31 13:37:45

  Run new test certificate bundles through Go's verifier.

  regress/lib/libcrypto/certs/verify_test.go

commit 7GKQaj8HGBQvf5HS
Author: jsing
Date: 2026/03/31 13:37:11

  Add additional certificate test bundles.

  regress/lib/libcrypto/certs/14a/bundle.pem
  regress/lib/libcrypto/certs/14a/roots.pem
  regress/lib/libcrypto/certs/14b/bundle.pem
  regress/lib/libcrypto/certs/14b/roots.pem

commit CTPXkYOgzEHVFiAq
Author: jsing
Date: 2026/03/31 13:34:25

  Generate two additional certificate test scenarios which have deep chains.

  regress/lib/libcrypto/certs/make-certs.sh

commit WBEIonNbVuY6ytcX
Author: nicm
Date: 2026/03/31 11:46:43

  Reorganize structure of key_code so that it can be built directly by
  bitshifts rather than a load of huge switches, from Dane Jensen in
  GitHub issue 4953.

  usr.bin/tmux/input-keys.c
  usr.bin/tmux/key-string.c
  usr.bin/tmux/server-client.c
  usr.bin/tmux/tmux.h

commit t8uuP2tUQFcW2mW3
Author: claudio
Date: 2026/03/31 09:32:12

  Correctly align and space queue info in 'show neighbor' command.
  OK tb@

  usr.sbin/bgpctl/output.c

commit 0bFsUQsDHFDYmtQH
Author: jsg
Date: 2026/03/31 08:54:14

  access ida under spltty()

  ida is accessed from both process and interrupt contexts.

  The interrupt context use occurs when a fence is hardware signaled:
  dma_fence_signal -> amdgpu_pasid_free_cb -> ida_free -> idr_remove

  linux currently uses an xarray with XA_FLAGS_LOCK_IRQ for ida, which
  blocks interrupts when locked

  This change was prompted by protection faults such as:
  idr_tree_SPLAY+0x58
  idr_alloc+0xb1
  amdgpu_pasid_alloc+0x5d
  amdgpu_driver_open_kms+0xac
  drm_file_alloc+0x245
  drmopen+0x12c

  seen with 6.12 and 6.18 drm

  volker@ could more consistently reproduce this on a system with a
  Navi 31 (7900 XTX).

  Lots of testing from volker@ and feedback from kettenis@

  sys/dev/pci/drm/drm_linux.c

commit ep7p8n9japLbh1GK
Author: tb
Date: 2026/03/31 06:25:39

  rpki-client regress: align guard with portable

  regress/usr.sbin/rpki-client/openssl/Makefile
  regress/usr.sbin/rpki-client/openssl/unistd.h
  regress/usr.sbin/rpki-client/openssl/build/Makefile


P MODULES

commit ADh4bjRzl0Jo9Xxj
Author: matthieu
Date: 2026/03/31 19:06:28

  update

  MODULES