Build date: 1776808803 - Tue Apr 21 22:00:03 UTC 2026 Build cvs date: 1776804921 - Tue Apr 21 20:55:21 UTC 2026 Build id: 2026-04-22.1 Build tags: amd64-regress ports sysupgrade Applied the following diff(s): /home/anton/tmp/robsd/src-sys-em.diff /home/anton/tmp/robsd/src-sys-uhidev-sispm.diff /home/anton/tmp/robsd/src-sysupgrade.diff P distrib/notes/riscv64/prep P distrib/sets/lists/comp/md.loongson P libexec/spamd/spamd.c P libexec/tradcpp/macro.c P regress/lib/libcrypto/pkcs7/pkcs7test.c P regress/lib/libcrypto/wycheproof/wycheproof.go P share/man/man4/gpio.4 P share/man/man4/iic.4 P share/man/man4/openprom.4 P sys/arch/octeon/dev/if_cnmac.c P sys/arch/octeon/dev/octpcie.c P sys/dev/ic/qwz.c M sys/dev/usb/uhidev.c P sys/kern/subr_xxx.c P sys/net/pf_if.c P sys/netinet/tcp_input.c P sys/sys/systm.h M usr.sbin/bgpd/session.c P usr.sbin/ntpd/control.c P usr.sbin/ntpd/ntp.c P usr.sbin/ntpd/ntp_dns.c P usr.sbin/ntpd/ntpd.c P usr.sbin/rad/frontend.c commit ZvKzNh9y0sxKusrp Author: tb Date: 2026/04/21 20:55:21 wycheproof: skip BLS test vectors to prepare for update regress/lib/libcrypto/wycheproof/wycheproof.go commit RzBXIQtbFdIeDRND Author: kirill Date: 2026/04/21 20:20:09 sys/cnmac: support SoftLRO This work based on previous work of Janne Johansson OK: visa@ sys/arch/octeon/dev/if_cnmac.c commit UigZNv08E2MImdzD Author: jca Date: 2026/04/21 20:00:55 Mention powerpc64 and riscv64 support share/man/man4/openprom.4 commit NC7HMFksqunEeQ2F Author: jca Date: 2026/04/21 19:58:49 Mention smtiic(4) share/man/man4/iic.4 commit DbOsQ6G7JW8PSqa9 Author: jca Date: 2026/04/21 19:58:21 Mention sfgpio(4) and smtgpio(4) share/man/man4/gpio.4 commit 4GOlCRDvM1CZIzE4 Author: kirill Date: 2026/04/21 19:43:47 sys/octeon: fix PCIe config tag layout Octeon PCIe config-space MMIO uses a 12-bit register field; function, device, and bus begin at bits 12, 15, and 20. octpcie_make_tag() and octpcie_decompose_tag() used the conventional PCI tag layout instead, so config accesses to non-zero device or function numbers used the wrong MMIO offset. On SRX300 this breaks enumeration of the second Broadcom switch function at 0:0:1, which reads back garbage until the tag layout is corrected. OK: kettenis@, visa@ sys/arch/octeon/dev/octpcie.c commit 73BzYuUp3K5I1reX Author: claudio Date: 2026/04/21 18:36:13 A packet with a FIN flag needs to act as a barrier in tcp_flush_queue. Once a FIN packet is received all following data should simply be discarded. tcp_input handels this FIN but for that tcp_reass() needs to properly return TH_FIN when a FIN is processed in tcp_flush_queue. This reassembly was not quite correct. Unexpected data directly following the FIN packet was also reassembled and the FIN was actually lost. The failure to return TH_FIN caused the regression in the previous fix. tcp_input() passes some FIN packets through reassembly even though they are in sequence and the queue is empty. tcp_flush_queue() needs to treat packets with TH_FIN set as a barrier and stop reassembly after processing this last packet. This ensures that tcp_reass() returns TH_FIN to tcp_input which then changes the state of the session. It also ensures that only data up to the FIN packet are passed to userland. Reported by Xint Code OK sashan@ sys/netinet/tcp_input.c commit VadSK19UoxxugO1L Author: deraadt Date: 2026/04/21 18:18:11 the enosys() stub has not been used for decades ok jsg jca sys/kern/subr_xxx.c sys/sys/systm.h commit L9aleXimZMevOEyw Author: kn Date: 2026/04/21 17:24:40 Fix PREF64 option corruption if DNSSL is also set On octeon (but not amd64) setting both a NAT64 prefix and a search domain causes the former ICMPv6 option to be corrupted due to how it is added last in the Router Advertisement packet, following too much zero padding. Bytes after the DNSSL option are zeroed up the next 8-byte boundary to align options inside the packet. Instead of checking alignment of the pointer address somewhere inside the packet buffer that lives on the stack, which is thus architecture specific, use their offset, i.e. see how many bytes were already written, in order to zero-fill what is left between last search domain and next 8-byte boundary. This makes RAs byte-identical between octeon and amd64 and prevents rad(8) from sending the kind of invalid packets that clients like slaacd(8) and gelatod(8) (from ports) need 029_v6daemons for. OK florian usr.sbin/rad/frontend.c commit AnYdFoP94UPWbRk8 Author: miod Date: 2026/04/21 16:23:21 sync distrib/sets/lists/comp/md.loongson commit duqrh1TNFHDRolPu Author: millert Date: 2026/04/21 14:44:29 Fix handing of multi-line blacklist error strings in spamd.conf When appending the blacklist error string, spamd splits the message on a newline and continues the message on a new line. There was a bug where the current pointer was incremented too far, which resulted in the message being truncated at the newline instead of continued. For very long blacklist messages (around 8K) in spamd.conf, this could result in heap corruption. However, this is very unlikely in practice. OK jsg@ Reported by and fix from Dhiraj Mishra libexec/spamd/spamd.c commit RxsyQouxZg6Ycrl6 Author: henning Date: 2026/04/21 14:36:00 newer gcc is so smart to point out that settime_deadline may be used uninitialized. of course it is wrong. sprinkle a "= 0" to shut it up. pointed out by bcook, discussed with, gcc confronted by and ok claudio bcook usr.sbin/ntpd/ntpd.c commit bGMTOTZml4kX63My Author: henning Date: 2026/04/21 14:31:03 newer gcc thinks it's smart (do they call it AI yet?) and points out peercount may be used unitialized. of course it is utterly wrong. move peercount = 0 initialization 2 lines up to shut gcc up pointed out by bcook, dicussed with, gcc-checked by and ok bcook claudio usr.sbin/ntpd/ntp.c commit YWSUdS3V0RO2QYtc Author: henning Date: 2026/04/21 14:20:00 in control_check(), rename struct sockaddr_un sun to sa - for consistency with control_init() just underneath, and because "sun" causes problems for portable on solaris pretty much from bcook's portable repo, but another name, ok bcook usr.sbin/ntpd/control.c commit FCC8LIhdC6R1RevH Author: henning Date: 2026/04/21 12:35:45 we use clock_gettime() here and thus shall explicitely include time.h from bcook's portable repo, ok bcook usr.sbin/ntpd/ntp_dns.c commit pjyDuyvDs5sNyVCt Author: mglocker Date: 2026/04/21 08:56:22 Enable nwid scanning by doing two things: 1. Disable the 802.11d scanning command for now, since it causes a firmware error for which we currently have no solution. This isn't a critical feature, and we can progress without it until we find a solution. 2. Send the HTT software ring setup messages for the receive rings, otherwise the firmware never initializes its RXDMA pipeline, and delivers no frames to the host. For that we did port over the ath12k_dp_rxdma_ring_sel_config_wcn7850() and ath12k_dp_rx_htt_setup() functions from the linux driver. Tested and ok kettenis@, kirill@ sys/dev/ic/qwz.c commit RfrXUhWuNVgmiWRC Author: renaud Date: 2026/04/21 07:42:38 expand_domacro() handled a defined() with the wrong argument count via an error path that doesn't drain es->args OK jsg libexec/tradcpp/macro.c commit DFINAHJF0Ig6CAK6 Author: sashan Date: 2026/04/21 06:38:28 PFI_FLAG_SKIP may be lost when interface disappears and then reappears if 'set skip on ...' in pf.conf(5) refers to interface (or interface group) which is yet to be created in system, then all is good. However if the interface (or interface group) exists in system at the time when pf.conf(5) is being loaded to pf(4) the effect of skip flag might get lost. The scenario for tap0 interface goes as follows: tap0 (and tap interface) exist in system and is known to pf(4), meaning 'pfctl -sI' reports tap0 and tap. pf.conf with 'set skip on tap' is loaded. The pf(4) sets the flag on `kif` instance without obtaining a reference to keep it in table until skip flag (PFI_FLAG_SKIP) is reset. tap0 interface is removed from system (ifconfig tap0 destroy), the tap0 is removed from system and also corresponding kif instance is removed from pf(4). kif is forgotten together with flag settings. If tap0 happens to be the last tap interface, then tap interface group (including its kif) is also removed from system (and pf(4)). Now tap0 is going to be re-created by running 'ifconfig tap0 up'. The corresponding kif instances (kif instance for tap0 interface and tap interface group) are inserted to interface table in pf(4) with default interface flags, loosing 'set skip on tap...' setting found in pf.conf. To workaround this one has to reload pf.conf so interface flags are set again. The issue has been noticed and kindly reported by Atanas Vladimirov OK bluhm@ sys/net/pf_if.c commit eycBTRfzE95TPwq5 Author: tb Date: 2026/04/21 05:18:35 pkcs7test: factor main into a helper so we can add some unit tests easily regress/lib/libcrypto/pkcs7/pkcs7test.c commit 2Jt23D4ONEREicQT Author: jca Date: 2026/04/20 22:20:07 Remove the bootcmd hint for now On this jupiter box, U-Boot's bootcmd can't be interrupted on the serial console by pressing any key, Ctrl+C or ESC, even though the official docs say it should be possible by pressing any key. sigh distrib/notes/riscv64/prep commit T3SRD7ME60ee9pYn Author: jca Date: 2026/04/20 21:51:22 Better wording and typo fix for the Spacemit K1 boards distrib/notes/riscv64/prep P 3RDPARTY P MODULES P lib/libXpm/src/data.c P lib/libXpm/src/parse.c P lib/libpng/.gitignore P lib/libpng/ANNOUNCE P lib/libpng/CHANGES P lib/libpng/CMakeLists.txt P lib/libpng/README P lib/libpng/configure P lib/libpng/configure.ac P lib/libpng/libpng-manual.txt P lib/libpng/libpng.3 P lib/libpng/libpngpf.3 P lib/libpng/png.5 P lib/libpng/png.c P lib/libpng/png.h P lib/libpng/pngconf.h P lib/libpng/pngrtran.c P lib/libpng/pngtest.c P lib/libpng/contrib/libtests/pnggetset.c P lib/libpng/scripts/libpng-config-head.in P lib/libpng/scripts/libpng.pc.in P lib/libpng/scripts/pnglibconf.h.prebuilt commit SLyFevoQ6CJzGHqB Author: matthieu Date: 2026/04/21 15:03:11 update 3RDPARTY MODULES commit 3dLySKBXdCqVPJ7K Author: matthieu Date: 2026/04/21 14:42:57 update to libpng 1.6.58. ok deraadt@ lib/libpng/.gitignore lib/libpng/ANNOUNCE lib/libpng/CHANGES lib/libpng/CMakeLists.txt lib/libpng/README lib/libpng/configure lib/libpng/configure.ac lib/libpng/libpng-manual.txt lib/libpng/libpng.3 lib/libpng/libpngpf.3 lib/libpng/png.5 lib/libpng/png.c lib/libpng/png.h lib/libpng/pngconf.h lib/libpng/pngrtran.c lib/libpng/pngtest.c lib/libpng/contrib/libtests/pnggetset.c lib/libpng/scripts/libpng-config-head.in lib/libpng/scripts/libpng.pc.in lib/libpng/scripts/pnglibconf.h.prebuilt commit w8cAy9eubxwEEOMt Author: bluhm Date: 2026/04/21 14:07:07 Fix Out-of-bounds read. CVE-2026-4367 from matthieu@ this is errata/7.7/038_libxpm.patch.sig lib/libXpm/src/data.c lib/libXpm/src/parse.c commit 6UdLQdDm42T7MgHk Author: bluhm Date: 2026/04/21 14:06:16 Fix Out-of-bounds read. CVE-2026-4367 from matthieu@ this is errata/7.8/032_libxpm.patch.sig lib/libXpm/src/data.c lib/libXpm/src/parse.c commit XmE5GG0Yxpvqye5i Author: matthieu Date: 2026/04/21 13:19:01 Fix Out-of-bounds read. CVE-2026-4367 lib/libXpm/src/data.c lib/libXpm/src/parse.c