Build date: 1776376803 - Thu Apr 16 22:00:03 UTC 2026
Build cvs date: 1776375287 - Thu Apr 16 21:34:47 UTC 2026
Build id: 2026-04-17.1
Build tags: amd64-regress ports sysupgrade

Applied the following diff(s):
/home/anton/tmp/robsd/src-sys-em.diff
/home/anton/tmp/robsd/src-sys-ramdisk-diet.diff
/home/anton/tmp/robsd/src-sys-uhidev-sispm.diff
/home/anton/tmp/robsd/src-sysupgrade.diff

P lib/libtls/tls.c
P lib/libtls/tls_client.c
P lib/libtls/tls_config.c
P lib/libtls/tls_keypair.c
P lib/libtls/tls_ocsp.c
P lib/libtls/tls_server.c
P lib/libtls/tls_signer.c
P sbin/slaacd/engine.c
P share/man/man4/pfsync.4
P sys/arch/octeon/dev/octciu.c
P sys/dev/pv/if_vio.c
M sys/dev/usb/uhidev.c
P sys/kern/kern_sysctl.c
P sys/kern/sysv_shm.c
P sys/kern/tty.c
P sys/netinet/ip_input.c
P sys/netinet/tcp_input.c
P sys/sys/sysctl.h
P usr.bin/ipcs/ipcs.c
P usr.sbin/bgpd/rde_community.c
M usr.sbin/bgpd/session.c
P usr.sbin/fw_update/patterns.c
P usr.sbin/smtpd/smtpd-filters.7
P usr.sbin/smtpd/smtpd-tables.7
P usr.sbin/smtpd/smtpd.h
P usr.sbin/smtpd/table.c
P usr.sbin/vmctl/main.c
P usr.sbin/vmctl/vmctl.c
P usr.sbin/vmctl/vmctl.h

commit qmPFLEL6zCUvH1P2
Author: dv
Date: 2026/04/16 21:34:47

    vmctl(8): switch to new disk format enum.

    Replace int's with the new enum type used by vmd.

    Discussed with mlarkin@

    usr.sbin/vmctl/main.c
    usr.sbin/vmctl/vmctl.c
    usr.sbin/vmctl/vmctl.h

commit t0qMo4JgIEljIEle
Author: sf
Date: 2026/04/16 21:00:00

    vio: recover from missed RX interrupts

    It seems at least on Oracle Cloud (arm64, KVM) and on vmd, sometimes
    rx interrupts get lost. As a workaround, check the virtqueues in
    vio_rxtick(), which allows to recover from this situation.

    Diff from renaud@
    tested by mbuhl@
    ok stsp@

    sys/dev/pv/if_vio.c

commit RkiB1C8sWwZhBok6
Author: deraadt
Date: 2026/04/16 20:03:14

    The struct kinfo_vmentry copied to userland is 80, and (depending on
    architecture?) has 7 bytes of padding at the end, which is
    uninitialized. Use M_ZERO.
    from tgs

    sys/kern/kern_sysctl.c

commit 4AVKrlXhGs0PfI5l
Author: op
Date: 2026/04/16 19:37:42

    smtpd: bump version to 7.9

    usr.sbin/smtpd/smtpd-filters.7
    usr.sbin/smtpd/smtpd-tables.7
    usr.sbin/smtpd/smtpd.h

commit HGFlmGJxh9QKbUbY
Author: op
Date: 2026/04/16 19:36:04

    don't lowercase K_AUTH lookups

    this diff has circulated for a while, being written and re-written
    by different people. In this case, I'm taking Pietro Cerutti's
    version.

    usr.sbin/smtpd/table.c

commit JCeymYMlc3S8Z00W
Author: claudio
Date: 2026/04/16 19:06:45

    Avoid undefined behaviour in the community code by checking nentries
    to be not 0 before memcmp, bsearch or siphash calls.

    Calling these functions with a NULL pointer is UB even with a zero
    len. While I did fix some code already during a review of all such
    possible NULL, 0 calls I missed the bsearch one and introduced the
    community_equal memcmp after that.

    Reported by Synmac Oliver
    OK tb@ deraadt@

    usr.sbin/bgpd/rde_community.c

commit VUOLvaIP0yDJ5ZME
Author: florian
Date: 2026/04/16 16:59:07

    Prevent buffer overflow by checking the correct counter.

    An attacker on the same layer 2 network can send rogue router
    advertisements, potentially crashing slaacd.

    From Maurice Hieronymus (mhi AT mailbox.org), thanks!
    OK deraadt

    sbin/slaacd/engine.c

commit nAw443PPINdm9g6U
Author: kirill
Date: 2026/04/16 15:50:58

    sys/octeon: cleanup all interrupts

    octciu_next_irq() operates on a uint64_t pending interrupt bitmap,
    and irq spans the full 0..63 range. Using 1u << irq therefore builds
    a 32 bit mask for a 64 bit word; once irq >= 32, the selected
    pending bit is no longer cleared correctly.

    The immediate consequence is loss of forward progress in the
    dispatcher loop: the same interrupt can remain logically pending in
    the local copy of isr, the loop can revisit it indefinitely, and the
    CPU can remain trapped in interrupt handling.

    OK: kettenis@, jca@, deraadt@

    sys/arch/octeon/dev/octciu.c

commit 80a4oBxrh48nDhtb
Author: claudio
Date: 2026/04/16 15:45:58

    Properly handle the FIN flag in tcp_flush_queue.

    Once a FIN packet is received all following data should simply be
    discarded. Normally this is done in tcp_input but once traffic needs
    reassembly the FIN handling in the reassembly queue was not quite
    correct. Data directly following the FIN packet was also reassembled
    and the FIN was actually lost. The check if packets should be
    dropped only checked for SS_CANTRCVMORE which is only set after
    tcp_flush_queue returned TH_FIN.

    Reported by Xint Code
    OK sashan@ deraadt@

    sys/netinet/tcp_input.c

commit peGTkwdMES5OihTx
Author: job
Date: 2026/04/16 15:29:42

    Don't mix heap and stack pointers in offset calculation

    OK canacar@ claudio@ deraadt@

    sys/netinet/ip_input.c

commit d4iMxv04bq3S7MtP
Author: kettenis
Date: 2026/04/16 15:21:12

    Add pattern for riscv64-spacemit-dtb that matches smtgpio(4).

    ok deraadt@, jca@

    usr.sbin/fw_update/patterns.c

commit J8gtX543qtrzodox
Author: deraadt
Date: 2026/04/16 14:51:36

    For sysctl({CTL_KERN, KERN_TTY, KERN_TTY_INFO}), only export the
    t_session kernel address pointer if the caller is root.

    Reported by Bruce Dang of Calif.io
    ok claudio

    sys/kern/tty.c

commit HRYmeG1LuyrQRF4c
Author: deraadt
Date: 2026/04/16 14:47:24

    do not expose p_addr kernel address unless root

    from Bruce Dang of Calif.io
    ok claudio kettenis

    sys/sys/sysctl.h

commit FFcnP6BkinrCNPcH
Author: dgl
Date: 2026/04/16 07:42:45

    Fix missing word, that rather changed the meaning, spotted by
    "schalken" on IRC.

    share/man/man4/pfsync.4

commit KyN2LTebIR402VMH
Author: tb
Date: 2026/04/16 07:35:25

    libtls: consistently handle allocation failures

    Use tls_set_errorx() or tls_error_setx() rather than the versions
    without x for TLS_ERROR_OUT_OF_MEMORY. ENOMEM adds no further info.

    From Michael Forney
    ok bcook

    lib/libtls/tls_ocsp.c
    lib/libtls/tls_signer.c

commit otMPdS11dNTLLnVb
Author: tb
Date: 2026/04/16 07:33:11

    libtls: use TLS_ERROR_OUT_OF_MEMORY after malloc failure

    tls_config_load_file() had a spot that used TLS_ERROR_UNKNOWN, so
    switch that to the usual error code. Use tls_error_setx() since
    strerror(ENOMEM) adds nothing.

    From Michael Forney
    ok bcook

    lib/libtls/tls_config.c

commit EUZWKsZT9GlYljTi
Author: tb
Date: 2026/04/16 07:29:53

    libtls: use tls_error_setx() after BIO_new_mem_buf()

    This is the only place where tls_error_set() was used. While the new
    length check now guarantees that the failure is due to ENOMEM, this
    info does not add value.

    From Michael Forney
    ok bcook

    lib/libtls/tls_keypair.c

commit QBOAOc08QRJENrwo
Author: tb
Date: 2026/04/16 07:28:00

    libtls: prefer x version of error setting

    If a check fails and errno is not necessarily set by the previous
    API call use tls_set_errorx() or tls_error_setx() since turning an
    unrelated errno into an error string is unhelpful.

    From Michael Forney
    ok bcook

    lib/libtls/tls.c
    lib/libtls/tls_client.c
    lib/libtls/tls_keypair.c
    lib/libtls/tls_ocsp.c
    lib/libtls/tls_server.c

commit TetivHnLHYpAhZIn
Author: deraadt
Date: 2026/04/16 07:09:41

    Similar to sysctl KERN_SYSVIPC_SEMINFO, KERN_SYSVIPC_SHM_INFO also
    leaks the same kernel pointer that shminfo() leaks.

    ok dgl

    sys/kern/kern_sysctl.c

commit kzZDrXHhRbdg5xKQ
Author: dgl
Date: 2026/04/16 07:03:15

    sysctl KERN_SYSVIPC_SEM_INFO was leaking the sem_base kernel pointer
    to userland. This was used by ipcs(1), so change to use sem_ctime
    instead to decide if it should show the semaphore.

    Found independently by me and a report from Bruce Dang of Calif.io
    (minutes apart).

    ok deraadt

    sys/kern/kern_sysctl.c
    usr.bin/ipcs/ipcs.c

commit plggQbh0W7DkklbU
Author: tb
Date: 2026/04/16 05:16:48

    libtls: add missing length checks before BIO_new_mem_buf()

    Like all proper libcrypto APIs, BIO_new_mem_buf() takes an int as a
    length argument.
    Check the size_t passed in to be at most INT_MAX to avoid issues
    with truncation and overflow like it's done everywhere else.

    After release this should probably be clamped down further since
    legitimate files (certs and keys) are nowhere near this large.

    Prompted by a diff by Michael Forney
    ok jsing

    lib/libtls/tls_keypair.c
    lib/libtls/tls_signer.c

commit UTM01t4iUytEUzWL
Author: deraadt
Date: 2026/04/16 05:07:07

    shmctl IPC_STAT was leaking the shm_internal kernel malloc pointer
    into userland

    The manual page calls this "sysv stupidity", .h calls it
    "implementation specific data". It is surprising we didn't fix this
    before.

    Found by tsg@, ok millert

    sys/kern/sysv_shm.c