Build date: 1778191203 - Thu May 7 22:00:03 UTC 2026 Build cvs date: 1778188120 - Thu May 7 21:08:40 UTC 2026 Build id: 2026-05-08.1 Build tags: amd64-regress ports sysupgrade Applied the following diff(s): /home/anton/tmp/robsd/src-sys-em.diff /home/anton/tmp/robsd/src-sys-uhidev-sispm.diff /home/anton/tmp/robsd/src-sysupgrade.diff P gnu/llvm/libcxx/include/deque P gnu/usr.bin/clang/llvm-tblgen/Makefile P lib/libagentx/ax.c P lib/libc/gen/getgrent.c P lib/libc/gen/getpwent.c P lib/libcrypto/crypto_assembly.h P lib/libcrypto/sha/sha1_aarch64_ce.S P lib/libcrypto/sha/sha1_amd64_generic.S P lib/libcrypto/sha/sha1_amd64_shani.S P lib/libcrypto/sha/sha256_aarch64_ce.S P lib/libcrypto/sha/sha256_amd64_generic.S P lib/libcrypto/sha/sha256_amd64_shani.S P lib/libcrypto/sha/sha512_aarch64_ce.S P lib/libcrypto/sha/sha512_amd64_generic.S P regress/usr.sbin/bgpd/integrationtests/Makefile P sys/dev/pci/drm/amd/amdgpu/amdgpu_gart.c P sys/dev/pci/drm/amd/amdgpu/amdgpu_ttm.c P sys/dev/pci/drm/amd/amdgpu/amdgpu_vcn.h P sys/dev/pci/drm/amd/amdgpu/jpeg_v4_0_3.c P sys/dev/pci/drm/amd/display/dc/dc_dmub_srv.c M sys/dev/usb/uhidev.c P sys/netinet/ipsec_input.c P usr.bin/tmux/key-bindings.c P usr.bin/tmux/layout-custom.c P usr.bin/tmux/tmux.1 P usr.bin/tmux/window-copy.c P usr.sbin/bgpctl/parser.c P usr.sbin/bgpd/bgpd.h P usr.sbin/bgpd/chash.c P usr.sbin/bgpd/control.c P usr.sbin/bgpd/mrt.c P usr.sbin/bgpd/parse.y P usr.sbin/bgpd/rde.c P usr.sbin/bgpd/rde.h P usr.sbin/bgpd/rde_adjout.c P usr.sbin/bgpd/rde_attr.c P usr.sbin/bgpd/rde_peer.c P usr.sbin/bgpd/rde_rib.c P usr.sbin/bgpd/rde_update.c RCS file: /cvs/src/usr.sbin/bgpd/session.c,v retrieving revision 1.530 retrieving revision 1.533 Merging differences between 1.530 and 1.533 into session.c M usr.sbin/bgpd/session.c P usr.sbin/bgpd/session.h P usr.sbin/bgpd/session_bgp.c P usr.sbin/snmpd/ax.c P usr.sbin/vmd/vmd.c commit taetC1QfBAqoWZgP Author: claudio Date: 2026/05/07 21:08:40 Add forgotten addpath regress test. regress/usr.sbin/bgpd/integrationtests/Makefile commit 5sCH7YyAQMeKmjXR Author: claudio Date: 2026/05/07 20:35:19 Use unsigned int for the length variable when traversing the others array. Doing this in all places now after fixing an overflow in attr_optadd(). OK tb@ deraadt@ usr.sbin/bgpd/mrt.c usr.sbin/bgpd/rde.c usr.sbin/bgpd/rde_attr.c usr.sbin/bgpd/rde_update.c commit dATIJ9TBe5Bqg7VT Author: claudio Date: 2026/05/07 18:56:38 Convert grestart.timeout to uint16_t while the value can never be negative the compiler trips over this in a comparison with u_int. OK tb@ usr.sbin/bgpd/bgpd.h commit lY1vYJsxdLhrF0jN Author: claudio Date: 2026/05/07 18:55:05 Reduce maximum configurable stale time to CAPA_GR_TIMEMASK (4095) since that is the maximum anyway. OK tb@ usr.sbin/bgpd/parse.y commit LUPAbwFtm2sBMiAp Author: deraadt Date: 2026/05/07 18:22:26 A collection of AI-assisted reports come from Frank Denis, which says that the YP getgrent code when doing YP operations has a group of buffer mismanagement issues which in the reports are labelled 'high severity'. This fixes the buffer checks. The big question to ask is this: Is a malicious YP server going to send you messages that exercise a buffer overflow codepath, or are they going to send you perfectly correct messages containing wrong group members? The old-school ypserv model was that you run ypserv on a "trusted network" segment, which today is laughable but it matched operations in that era. (Our) new operational model is that ypbind is reached with a custom system call and provides trusted path to a an on-host ypserv, which is more likely to be the ypldap(8) LDAP schema to YP protocol converter. If a YP server is broken and sending bad messages, THIS code is the least of your worries. High severity? No. ok millert jmatthew lib/libc/gen/getgrent.c commit IQXSShjT3O9KcSPc Author: deraadt Date: 2026/05/07 18:21:27 A collection of AI-assisted reports come from Frank Denis, which says that the YP getpwent code when doing YP operations has a group of buffer mismanagement issues which in the reports are labelled 'high severity'. This fixes the buffer checks. In reality, the memory being operated on is always a full page so the overflow onto unmanagement memory is hard to see as a risk. The big question to ask is this: Is a malicious YP server going to send you messages that exercise a buffer overflow codepath, or are they going to send you perfectly correct messages containing :0:0: ? The old-school ypserv model was that you run ypserv on a "trusted network" segment, which today is laughable but it matched operations in that era. (Our) new operational model is that ypbind is reached with a custom system call and provides trusted path to a an on-host ypserv, which is more likely to be the ypldap(8) LDAP schema to YP protocol converter. If a YP server is broken and sending bad messages, THIS code is the least of your worries. High severity? No. ok millert jmatthew lib/libc/gen/getpwent.c commit M1PBeta0dcBvYiKt Author: deraadt Date: 2026/05/07 17:59:56 In the yp_next() case, on error the key memory is leaked. Hiding in an unrelated diff from Frank Denis ok millert jmatthew lib/libc/gen/getpwent.c commit iyb0O37T9RyhyvI5 Author: claudio Date: 2026/05/07 17:59:15 In session_graceful_restart() also arm the SessionDown timer session_graceful_restart() does more or less the same as session_down() and therefor needs to arm the SessionDown timer and on top of that update stats.last_updown. The interval for the SessionDown timer needs to depend on the graceful restart timer, since that one needs to fire first. OK tb@ usr.sbin/bgpd/session.c commit HAYZFeGunDvhHCZj Author: jsing Date: 2026/05/07 15:50:47 Use macros for global functions and objects within SHA assembly. This lets us remove some of the repetitive statements and allows for them to be adjusted for various platforms. ok kenjiro@ tb@ lib/libcrypto/crypto_assembly.h lib/libcrypto/sha/sha1_aarch64_ce.S lib/libcrypto/sha/sha1_amd64_generic.S lib/libcrypto/sha/sha1_amd64_shani.S lib/libcrypto/sha/sha256_aarch64_ce.S lib/libcrypto/sha/sha256_amd64_generic.S lib/libcrypto/sha/sha256_amd64_shani.S lib/libcrypto/sha/sha512_aarch64_ce.S lib/libcrypto/sha/sha512_amd64_generic.S commit p8GfsnzAQVOR0oC3 Author: jsing Date: 2026/05/07 15:41:37 Use defines for symbol offsets in aarch64 assembly. These also very between platforms. ok kenjiro@ tb@ lib/libcrypto/crypto_assembly.h lib/libcrypto/sha/sha256_aarch64_ce.S lib/libcrypto/sha/sha512_aarch64_ce.S commit STs8jeZndOfIeQAN Author: jsing Date: 2026/05/07 15:40:33 Use defines for text and rodata section names in SHA assembly. These vary between platforms. ok kenjiro@ tb@ lib/libcrypto/crypto_assembly.h lib/libcrypto/sha/sha1_aarch64_ce.S lib/libcrypto/sha/sha1_amd64_shani.S lib/libcrypto/sha/sha256_aarch64_ce.S lib/libcrypto/sha/sha256_amd64_generic.S lib/libcrypto/sha/sha256_amd64_shani.S lib/libcrypto/sha/sha512_aarch64_ce.S lib/libcrypto/sha/sha512_amd64_generic.S commit EeW7Jc4wOBXFlSTN Author: jsing Date: 2026/05/07 15:38:03 Use a define based instruction separator in SHA assembly. Unfortunately, not all assemblers use the same instruction separator. In particular, LLVM on macOS uses %% as an instruction separator, while most other assemblers use a semi-colon. ok kenjiro@ tb@ lib/libcrypto/crypto_assembly.h lib/libcrypto/sha/sha1_aarch64_ce.S lib/libcrypto/sha/sha1_amd64_generic.S lib/libcrypto/sha/sha1_amd64_shani.S lib/libcrypto/sha/sha256_aarch64_ce.S lib/libcrypto/sha/sha256_amd64_generic.S lib/libcrypto/sha/sha256_amd64_shani.S lib/libcrypto/sha/sha512_aarch64_ce.S lib/libcrypto/sha/sha512_amd64_generic.S commit 3YkrGnkgSIeilmiD Author: claudio Date: 2026/05/07 14:58:03 In ipsec_common_input_cb() ensure that the packet size does not overflow the maximum packet size before writing the value back to the IP header. IPv4 and IPv6 have slightly different rules and so do it per AF. OK millert@ sys/netinet/ipsec_input.c commit zGgJGtk3AlYZgQBi Author: martijn Date: 2026/05/07 14:51:20 Include the padding length when testing the remaining bytes in an octet string, to prevent a size_t underflow on a malformed packet and make us run into infinity. Same diff as for snmpd lib/libagentx/ax.c commit s2mFhhWEsUWKSM8X Author: claudio Date: 2026/05/07 14:47:36 Template peers need to check xp->rdesession to know if the RDE has the session running or not. Right now it checks the template itself which is never synced. OK tb@ usr.sbin/bgpd/session.c commit oAGfINz9BZ3dm4Cz Author: martijn Date: 2026/05/07 14:35:12 Include the padding length when testing the remaining bytes in an octet string, to prevent a size_t underflow on a malformed packet and make us run into infinity. OK deraadt@ usr.sbin/snmpd/ax.c commit GEeHBuZ6kL5p8GW2 Author: claudio Date: 2026/05/07 12:35:03 Default to STDIN_FILENO for the mrtfd so that the documented behaviour of using stdin in show mrt, if no file argument is used, is restored. OK tb@ usr.sbin/bgpctl/parser.c commit mi3MV7VIAc8OBM49 Author: claudio Date: 2026/05/07 12:33:12 Typecast idx to size_t so that the comparison is safe on 32bit arch. idx < 0 was already checked so casting this value from signed to unsigned is safe. OK tb@ usr.sbin/bgpd/rde_adjout.c commit somb7ZPCnyMJ85iO Author: claudio Date: 2026/05/07 12:20:42 KNF usr.sbin/bgpd/session_bgp.c commit ru7HHoipLB6wQWxO Author: claudio Date: 2026/05/07 11:21:24 Improve path_calc_hash() Includes other attributes into the hash calculation and also adjust the the span of hashed elements of struct rde_aspath to exclude aspa_generation. On top of this reshuffle the siphash calls to work on 64bit values first and only then other sizes. OK tb@ usr.sbin/bgpd/rde.h usr.sbin/bgpd/rde_rib.c commit zESxcL6yKiVaPS5J Author: claudio Date: 2026/05/07 09:42:26 Fix treat as withdraw handling for invalid ORIGIN attributes If a prefix triggers the F_ATTR_PARSE_ERR case and therefor a RFC 7606 treat as withdraw rde_attr_parse() needs to return a success and not -1. The return (-1) was missed when the RFC 7606 handling was added. Move the F_ATTR_ORIGIN marker up to be more in line with other attributes. OK tb@ usr.sbin/bgpd/rde.c commit ox8KHIs2xb25T9Yy Author: robert Date: 2026/05/07 09:28:48 lower std::deque blocksize if _LIBCPP_USE_LOWER_DEQUE_BLOCK_SIZE is defined defining _LIBCPP_USE_LOWER_DEQUE_BLOCK_SIZE will make std::deque behave more in line with what libstdc++ is doing by using 512 byte blocks instead of 4096 to waste less memory this can be used by llvm-tblgen to reduce the memory usage of some operations which completely blow up with llvm22, so let's prepare now https://github.com/llvm/llvm-project/issues/31782 https://chromium.googlesource.com/android_ndk/+/eecd8c2d681b019efca486f92fdda9a93f52328f%5E%21/#F0 ok deraadt@ gnu/llvm/libcxx/include/deque gnu/usr.bin/clang/llvm-tblgen/Makefile commit tjiWjneNguZyISJC Author: claudio Date: 2026/05/07 09:22:10 Fix two memory accounting issues in chash - ch_table_resize() did not increase the global cc_num_extendible value - ch_sub_free() can be called with NULL pointer arguments and in that case the accounting must be skipped OK tb@ usr.sbin/bgpd/chash.c commit Z8We86784oASgw1X Author: nicm Date: 2026/05/07 09:21:05 Require layout prefix to be 5 characters, GitHub issue 5067 from cglosner at gmail dot com. usr.bin/tmux/layout-custom.c usr.bin/tmux/window-copy.c commit wtV9BgflCTbf7X9t Author: claudio Date: 2026/05/07 09:19:48 Use simpler logic to ensure path_id_tx is never 0 There is a theoretical case where the 0 conflict would be missed if this arc4random() returned 0 for the first peer. OK tb@ usr.sbin/bgpd/rde_peer.c commit noZpsltCaZva5HWX Author: claudio Date: 2026/05/07 09:17:27 Convert the control_accept pauseaccept timeout to a deadline. In rev. 1.525 of session.c the pauseaccept was converted to a deadline. This part was missed in this conversion. OK tb@ usr.sbin/bgpd/control.c usr.sbin/bgpd/session.c usr.sbin/bgpd/session.h commit 0q2Qw1sTMsdYqfUs Author: nicm Date: 2026/05/07 09:15:44 Add Emacs-style recentre-top-bottom, GitHub issue 5053 from sinyax75 at gmail dot com. usr.bin/tmux/key-bindings.c usr.bin/tmux/tmux.1 usr.bin/tmux/window-copy.c commit X0iqCY4CJwUOFQHW Author: jsg Date: 2026/05/07 06:36:31 drm/amdgpu: fix zero-size GDS range init on RDNA4 From Arjan van de Ven 30c000a49094ec568c9b51b7421f7a4a3f0b0298 in linux-6.18.y/6.18.27 095a8b0ad3c3b5cdc3850d961adb8a8f735220bb in mainline linux sys/dev/pci/drm/amd/amdgpu/amdgpu_ttm.c commit 8t53IcoNhTQVV6Wr Author: jsg Date: 2026/05/07 06:34:30 amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2 From David (Ming Qiang) Wu f7d9d0e4a64fe42c4f25e2a4fbabe3887efbb490 in linux-6.18.y/6.18.27 e90dc3b2d73986610476b02c29d0074aa4d92fb0 in mainline linux sys/dev/pci/drm/amd/amdgpu/jpeg_v4_0_3.c commit TYAIdNSrv6NPrZb9 Author: jsg Date: 2026/05/07 06:31:44 drm/amd: Fix set but not used warnings From Tiezhu Yang 77eb3e79a3e75b1dff8d8a8a6772a7d0ceaeccb5 in linux-6.18.y/6.18.27 46791d147d3ab3262298478106ef2a52fc7192e2 in mainline linux sys/dev/pci/drm/amd/amdgpu/amdgpu_gart.c sys/dev/pci/drm/amd/amdgpu/amdgpu_vcn.h sys/dev/pci/drm/amd/display/dc/dc_dmub_srv.c commit 6At728othZVI4pjG Author: mlarkin Date: 2026/05/07 06:15:23 fix copy-paste error assigning vmc owner fields from Jan Schreiber, thanks usr.sbin/vmd/vmd.c