Build date: 1778364002 - Sat May 9 22:00:02 UTC 2026
Build cvs date: 1778355554 - Sat May 9 19:39:14 UTC 2026
Build id: 2026-05-10.1
Build tags: amd64-regress ports sysupgrade

Applied the following diff(s):
/home/anton/tmp/robsd/src-sys-em.diff
/home/anton/tmp/robsd/src-sys-uhidev-sispm.diff
/home/anton/tmp/robsd/src-sysupgrade.diff

P lib/libc/asr/getrrsetbyname_async.c
P lib/libc/dlfcn/init.c
P lib/libc/gen/elf_aux_info.c
P lib/libc/hidden/sys/auxv.h
P lib/libcrypto/pkcs12/p12_npas.c
P lib/libcrypto/sha/sha1_aarch64.c
P lib/libcrypto/sha/sha1_aarch64_ce.S
P lib/libcrypto/sha/sha1_amd64_shani.S
P lib/libcrypto/sha/sha256.c
P lib/libssl/ssl_lib.c
P lib/libssl/ssl_tlsext.c
P sys/arch/riscv64/conf/files.riscv64
P sys/arch/riscv64/include/cpu.h
P sys/arch/riscv64/include/pcb.h
P sys/arch/riscv64/include/reg.h
P sys/arch/riscv64/include/riscvreg.h
P sys/arch/riscv64/riscv64/cpu.c
P sys/arch/riscv64/riscv64/exception.S
P sys/arch/riscv64/riscv64/machdep.c
P sys/arch/riscv64/riscv64/sig_machdep.c
P sys/arch/riscv64/riscv64/trap.c
U sys/arch/riscv64/riscv64/vector.c
P sys/arch/riscv64/riscv64/vm_machdep.c
P sys/dev/pci/if_mwx.c
P sys/dev/pci/if_mwxreg.h
P sys/dev/sun/sunkbd.c
M sys/dev/usb/uhidev.c
P sys/net/bpf_filter.c
P sys/net/if_rport.c
P sys/net/if_tun.c
P sys/scsi/cd.c
P sys/scsi/sd.c
P usr.bin/awk/run.c
P usr.bin/mandoc/main.c
P usr.bin/openssl/crl.c
P usr.bin/openssl/ecparam.c
P usr.bin/openssl/s_client.c
M usr.sbin/bgpd/session.c
P usr.sbin/rpki-client/ip.c
P usr.sbin/rpki-client/main.c

commit bQgYvLm31vwMVnSC
Author: naddy
Date: 2026/05/09 19:39:14

libc: declare _hwcap and related variables as hidden

ok tb@ deraadt@

lib/libc/dlfcn/init.c
lib/libc/gen/elf_aux_info.c
lib/libc/hidden/sys/auxv.h

commit bAO6SNYCrJUqeThG
Author: schwarze
Date: 2026/05/09 19:02:53

The regression fix in rev. 1.271 was still incomplete.
While the fchdir(2) in main() is indeed needed such that the mparse_open() in process_onefile() finds local files, there is a second, smaller issue purely inside check_xr(): As the ultimate fallback, fs_search() looks for cross-referenced manual pages in the current directory, which is typically used for working on software under development that is not yet installed.

Consequently, a second fchdir(2) is needed inside check_xr() between mansearch(), which typically changes directory, and the subsequent fs_search(). This makes sure that "mandoc -T lint" on a manual page that contains an .Xr link to another manual page that is not installed but present in the current directory does not complain about that link.

Again reported by anton@.

The fix is slightly awkward because the directory file descriptor needs to be passed down through multiple layers of subroutines, but i fear that cannot be helped because it is needed both in the main program and in the low-level function check_xr().

usr.bin/mandoc/main.c

commit k0zUXRPbKiXgsO8d
Author: jsing
Date: 2026/05/09 17:38:50

Add kernel support for the vector extension on riscv64.

The V extension (where supported) adds an additional 32 vector registers that are variable length (up to 65,536 bits, but more commonly 2048 bits). In order to support the use of the V extension (and additional vector extensions) we need to enable the vector extension and save/restore the vector registers.
ok kettenis@

sys/arch/riscv64/conf/files.riscv64
sys/arch/riscv64/include/cpu.h
sys/arch/riscv64/include/pcb.h
sys/arch/riscv64/include/reg.h
sys/arch/riscv64/include/riscvreg.h
sys/arch/riscv64/riscv64/cpu.c
sys/arch/riscv64/riscv64/exception.S
sys/arch/riscv64/riscv64/machdep.c
sys/arch/riscv64/riscv64/sig_machdep.c
sys/arch/riscv64/riscv64/trap.c
sys/arch/riscv64/riscv64/vector.c
sys/arch/riscv64/riscv64/vm_machdep.c

commit X8ai9I1G8PuzyiMg
Author: tb
Date: 2026/05/09 14:28:18

openssl crl: make verify failure result in "app" failure

Found by Frank Denis

usr.bin/openssl/crl.c

commit t0p5oYKr5x4GFHKC
Author: tb
Date: 2026/05/09 14:24:58

openssl ecparam: make EC_GROUP_check() failure result in "app" failure

Found by Frank Denis

usr.bin/openssl/ecparam.c

commit 0pZhiLGAoSVvr61Z
Author: tb
Date: 2026/05/09 14:16:37

openssl s_client: avoid two out of bounds writes

A NUL termination after an unchecked BIO_read() call in XMSS mode could lead to a write one byte before the start of sbuf or one past its end. Add an error check to avoid the former and read one byte less to avoid the latter.

Found by Frank Denis

usr.bin/openssl/s_client.c

commit FcPkcGegp06MFspl
Author: claudio
Date: 2026/05/09 12:13:15

Simplify previous by shifting the rcpi value first then use a common mask. Also set ic_max_rssi = 0 since this driver will use DBm reporting.

sys/dev/pci/if_mwx.c
sys/dev/pci/if_mwxreg.h

commit Ze9aPy3WhpAmWInI
Author: claudio
Date: 2026/05/09 11:49:46

Implement RSSI reporting for mwx(4).

Diff provided by Benjamin Lee McQueen (mcq at disroot.org)

sys/dev/pci/if_mwx.c
sys/dev/pci/if_mwxreg.h

commit bEdSI2XS1i8pbWAD
Author: tb
Date: 2026/05/09 11:45:50

libssl: record extension lengths in ClientHello hashing

The ClientHello hash is intended to ensure that the second CH after an HRR only makes the allowed changes to the TLS extensions by recording message type followed by the raw extension data if it must remain unchanged.
This makes it possible (in principle) that part of free form extension data is confused with type (and length) information of a subsequent extension. Recording the length after the type prevents such a confusion and fixes the framing of the extensions.

Found by Frank Denis

ok jsing

lib/libssl/ssl_tlsext.c

commit ik8dUKa8jkSJkj9y
Author: tb
Date: 2026/05/09 11:29:51

ssl_lib: trade two extra empty lines for a missing one

lib/libssl/ssl_lib.c

commit aOOketJNDM6VQawV
Author: jsg
Date: 2026/05/09 11:20:54

unifdef call into removed sparc-only tctrl(4)

sys/dev/sun/sunkbd.c

commit vf2g3TJkC7i8Kb6n
Author: tb
Date: 2026/05/09 10:52:02

PKCS#12: fix erroneous error check in PKCS12_newpass()

This is an error I introduced in a refactoring two years ago in r1.20. This means that nothing uses this...

From Frank Denis via logan

lib/libcrypto/pkcs12/p12_npas.c

commit 5uFYuYz1jviz5VAc
Author: jsg
Date: 2026/05/09 09:11:47

remove unneeded ufs/ffs/fs.h includes added for BBSIZE and SBSIZE which are no longer used

sys/scsi/cd.c
sys/scsi/sd.c

commit 151piwYLGpwh2qXz
Author: jsing
Date: 2026/05/09 07:14:42

Use uint32_t instead of SHA_LONG in the SHA-256 code.

This is more readable and we already have a compile time assert that they are the same size.

ok tb@

lib/libcrypto/sha/sha256.c

commit jWrNEQw6nAmapOsL
Author: jsing
Date: 2026/05/09 07:12:51

Use W rather than X for the SHA-256 message schedule.

This more closely matches the SHA-256 specification in FIPS 180-4.

ok tb@

lib/libcrypto/sha/sha256.c

commit qRkcT75LBml1YBTb
Author: jsing
Date: 2026/05/09 07:11:05

Use consistent variable names in the sha256 code.

Use 'ctx' rather than 'c' for the SHA256_CTX and use data/len rather than d/n.

ok kenjiro@ tb@

lib/libcrypto/sha/sha256.c

commit 8aTQrtaamf5eWaQs
Author: jsing
Date: 2026/05/09 07:08:43

Use crypto_add_u32dw_u64() to increment SHA-256 message bit counter.
ok kenjiro@ tb@

lib/libcrypto/sha/sha256.c

commit vvEINHYRCKU8D79q
Author: jsing
Date: 2026/05/09 07:03:49

Correct argument type for SHA context.

These are SHA_CTX not SHA256_CTX.

lib/libcrypto/sha/sha1_aarch64.c

commit 2IYHwqUtsHENcCCV
Author: jsing
Date: 2026/05/09 07:02:29

Correct argument type in comments.

lib/libcrypto/sha/sha1_aarch64_ce.S
lib/libcrypto/sha/sha1_amd64_shani.S

commit bbXUFap6dFTRXEZs
Author: jsg
Date: 2026/05/09 06:36:06

remove unneeded mpls.h includes

sys/net/if_rport.c
sys/net/if_tun.c

commit gyRC9uRc3cTarXuV
Author: kevlo
Date: 2026/05/09 05:50:33

MT_DMASHDL_SW_CONTROL is accessed via remapping. Define it with the explicit address 0x7c026004 as Linux does to avoid confusion.

While here, remove duplicate definitions of MT_PCIE_MAC_BASE and MT_PCIE_MAC_INT_ENABLE.

ok claudio@

sys/dev/pci/if_mwxreg.h

commit prxJ2jA8P4vHQVmX
Author: millert
Date: 2026/05/09 02:13:21

split: allocate space for NUL terminator in CSV mode

Found by Frank Denis

usr.bin/awk/run.c

commit zZPVUWycKAslGJtO
Author: tb
Date: 2026/05/09 01:54:51

Avoid recursive cleanup in getrrsetbyname()

Instead of freeing struct dns_query and struct dns_rr by walking the linked lists recursively, use a simple loop. This avoids a possible stack exhaustion unlikely to be reachable with the limits modern resolvers impose.

From Dhiraj Mishra

ok djm

lib/libc/asr/getrrsetbyname_async.c

commit mroSkezOdqEUnDMd
Author: dlg
Date: 2026/05/09 01:47:12

avoid leaking memory when mbuf chain allocations fail in tun_dev_write()

the mbufs built by tun_dev_write used to be limited to a single mbuf and cluster, but has grown in complexity now that it supports tun_hdr and tso, which required building mbuf chains. some of the error handling when allocating mbuf bits wasn't adapted to free the preceding chain when later allocations failed, resulting in a memory leak.
reported by frank denis

sys/net/if_tun.c

commit EC4DoVtAfGY8JnBj
Author: tb
Date: 2026/05/09 01:42:30

rpki-client: fix ip_addr_check_overlap()

There is an off-by-one in the ip_addr_check_overlap() logic which allows a newly added interval to overlap in a common end point with an interval already in the list. Disallow equality in the two memcmp to avoid this.

This bug dates back to the initial import of rpki-client where malformed certificates would be accepted. In modern rpki-client, the impact of this has been minimal ever since we started requiring that libcrypto support the RFC 3779 extensions in early 2022 by disallowing unknown critical extensions (rpki-client 7.6): For certificates this duplicates a check in the X.509 verifier (where it is correct). For TA constraints we have a canonicalization procedure that ensures the absence of overlaps. For ROAs no such check can be made since standards historically haven't required that addresses are canonical and still don't.

The only remaining use of this API is from rsc.c where the overlap condition is indeed a small problem.

Found by Frank Denis

ok job

usr.sbin/rpki-client/ip.c

commit XmLxHobeldLMY04W
Author: tb
Date: 2026/05/09 01:22:32

rpki-client: fix shortlist and skiplist checks

Ensure that each le->fqdn is fully matched. If the host in the SIA is short and matches a prefix of an FQDN in the shortlist or skiplist, the current checks in queue_add_from_cert() will incorrectly trigger. Compute the host length once and by checking it against the length of each le->fqdn ensure that it is an exact case sensitive match, rather than only a prefix.

Found by Frank Denis

ok claudio job

usr.sbin/rpki-client/main.c

commit Aa4OYgzOaO8Fltcn
Author: dlg
Date: 2026/05/09 00:37:45

detect out of bound reads from an int overflow in the bpf_mem backends.
frank denis reported a problem in bpf_mem_ldw where a large indirect load offset could have the end of buffer calculation land at UINT_MAX and wrap, allowing a read of memory outside the buffer.

this change tweaks the buffer checks by checking if the load offset is in range, taking that away from the buffer length, and then checking if the size of the load is in the remaining buffer length. this is the pattern that the bpf_mbuf_ops backend uses. this problem also exists in bpf_mem_ldh, so this code is factored out and used in all the bpf_mem_ops load backends.

note that this issue is specific to the bpf_mem_ops backend used for running bpf filters against a vanilla memory buffer. this backend is largely unused in the kernel, which almost always uses the bpf_mbuf_ops backend to run filters against network packets in mbufs. the bpf_mem_ops are only used by ppp(4) for the "active-filter" and "pass-filter" config described in pppd(8). more generally, bpf is only really usable by root.

in userland, bpf_filter is used by libpcap, and programs in base that use it are wary of it anyway and avoid running it in a privileged context. tcpdump is the most prominent example of this.

discussed with djm@ claudio@ deraadt@

sys/net/bpf_filter.c

commit qiqEZrCGiVd0mwtc
Author: matthieu
Date: 2026/05/08 19:57:29

update 3RDPARTY MODULES
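
The range check described in the bpf_mem commit above (Aa4OYgzOaO8Fltcn), shown next to an addition-based check that wraps. This is an added example, not the code from sys/net/bpf_filter.c; the function names and the sample buffer are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 8-byte sample buffer standing in for filter input. */
const uint8_t sample[8] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };

/* Weak form (hypothetical): k + size is 32-bit arithmetic and can wrap,
 * so a huge offset yields a small "end" that passes the comparison. */
int
range_ok_wrapping(uint32_t buflen, uint32_t k, uint32_t size)
{
	return (k + size <= buflen);
}

/* Pattern from the commit message: check that the offset is in range,
 * take it away from the length, then compare the load size with the
 * remainder. Only a subtraction that cannot underflow is performed. */
int
range_ok(uint32_t buflen, uint32_t k, uint32_t size)
{
	if (k > buflen)
		return (0);
	return (size <= buflen - k);
}

/* Checked big-endian 32-bit load (hypothetical helper). On a rejected
 * offset it sets *err and returns 0 without touching the buffer. */
uint32_t
demo_ldw(const uint8_t *buf, uint32_t buflen, uint32_t k, int *err)
{
	uint8_t b[4];

	*err = !range_ok(buflen, k, sizeof(b));
	if (*err)
		return (0);
	memcpy(b, buf + k, sizeof(b));
	return ((uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 |
	    (uint32_t)b[2] << 8 | (uint32_t)b[3]);
}

int
main(void)
{
	int err;

	/* 0xfffffffc + 4 wraps to 0: the weak check accepts, the fixed one rejects */
	(void)demo_ldw(sample, sizeof(sample), 0xfffffffcU, &err);
	return (err == 1 && range_ok_wrapping(8, 0xfffffffcU, 4) == 1 ? 0 : 1);
}
```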