Build date: 1780005603 - Thu May 28 22:00:03 UTC 2026 Build cvs date: 1780000317 - Thu May 28 20:31:57 UTC 2026 Build id: 2026-05-29.1 Build tags: amd64-regress ports sysupgrade Applied the following diff(s): /home/anton/tmp/robsd/src-sys-em.diff /home/anton/tmp/robsd/src-sys-uhidev-sispm.diff /home/anton/tmp/robsd/src-sysupgrade.diff P etc/etc.loongson/login.conf P etc/etc.octeon/login.conf P regress/usr.bin/ssh/dropbear-server.sh P sbin/ifconfig/ifconfig.8 P sbin/iked/pfkey.c P sbin/isakmpd/pf_key_v2.c P sys/arch/amd64/stand/biosboot/Makefile P sys/arch/amd64/stand/boot/Makefile P sys/arch/amd64/stand/cdboot/Makefile P sys/arch/amd64/stand/cdbr/Makefile P sys/arch/amd64/stand/mbr/Makefile P sys/arch/amd64/stand/pxeboot/Makefile P sys/arch/i386/stand/biosboot/Makefile P sys/arch/i386/stand/boot/Makefile P sys/arch/i386/stand/cdboot/Makefile P sys/arch/i386/stand/cdbr/Makefile P sys/arch/i386/stand/mbr/Makefile P sys/arch/i386/stand/pxeboot/Makefile P sys/dev/fdt/qciic_fdt.c P sys/dev/ic/qwx.c P sys/dev/ofw/fdt.c P sys/dev/ofw/openfirm.h P sys/dev/pci/if_iwx.c P sys/dev/pci/if_iwxreg.h P sys/dev/pci/if_qwx_pci.c M sys/dev/usb/uhidev.c P sys/kern/exec_elf.c P sys/net/pf_norm.c P sys/net80211/ieee80211.h P sys/net80211/ieee80211_input.c P sys/net80211/ieee80211_ioctl.h P sys/net80211/ieee80211_node.h P sys/net80211/ieee80211_output.c P sys/net80211/ieee80211_proto.c P sys/net80211/ieee80211_var.h P usr.bin/tmux/cmd-swap-pane.c P usr.bin/tmux/key-bindings.c P usr.bin/tmux/screen-write.c P usr.bin/tmux/server-client.c P usr.bin/tmux/tmux.h P usr.bin/tmux/tty.c P usr.bin/ul/ul.c P usr.sbin/bgpd/bgpd.conf.5 P usr.sbin/bgpd/mrt.c P usr.sbin/bgpd/parse.y P usr.sbin/bgpd/pfkey.c P usr.sbin/bgpd/rde.c P usr.sbin/bgpd/rde.h P usr.sbin/bgpd/rde_adjout.c P usr.sbin/bgpd/rde_peer.c P usr.sbin/bgpd/rde_rib.c P usr.sbin/bgpd/rde_update.c M usr.sbin/bgpd/session.c P usr.sbin/ldpd/pfkey.c P usr.sbin/vmd/config.c P usr.sbin/vmd/vioblk.c P usr.sbin/vmd/vioscsi.c P usr.sbin/vmd/virtio.c commit 59JN5M9oxhxXh9mU Author: hshoexer Date: 2026/05/28 20:31:57 vmd: Unbreak using images supplied with vmctl -b My previous fix for reused filedescriptors broke using images supplied with "vmctl -b": In that case, kernfd remained to be set to -1, thus passing that filedescriptor to the child process failed. To resolve this, dup vm->vm_kernel right before passing the descriptor with proc_compose(). This fixes -b and the keeps original fix working. In the error path I rely on vm_stop()/vm_remove() closing vm->vm_kernel. Therefore, remove the redundant close(). ok mlarkin@ deraadt@ usr.sbin/vmd/config.c commit cceUtg8IoqUAN4JM Author: mglocker Date: 2026/05/28 19:03:44 Replace OF_getprop() to get "compatible" string with OF_getpropstr(). ok kettenis@ sys/dev/fdt/qciic_fdt.c commit phnHgdBd1mDjIpna Author: mglocker Date: 2026/05/28 18:42:29 Introduce new FDT functions OF_getpropstr() and OF_freepropstr(). OF_getpropstr() is a clone of OF_getprop(), designed for retrieving strings, and differs as following: - Do dynamic allocation of the destination buffer using malloc(). - Guarantee a NUL termination of the returned string. A deraadt@ and kettenis@ collaboration. ok kettenis@ sys/dev/ofw/fdt.c sys/dev/ofw/openfirm.h commit 7u9hKeM566IccmjI Author: deraadt Date: 2026/05/28 17:24:32 unzero'd padding bytes in struct reg and struct fpreg (both machine dependent) leak kernel stack contents. from Andrew Griffiths at Calif sys/kern/exec_elf.c commit RdVCBWzvRTOpJhqg Author: deraadt Date: 2026/05/28 17:14:38 A privileged guest can program an out-of-layout Virtio 1.x `queue_avail` address for the `vioscsi` device and then notify the queue. The host-side `vioscsi` device process dereferences a pointer derived from the unchecked offset and terminates with `SIGSEGV`. from Quarkslab ok hshoexer, mlarkin usr.sbin/vmd/virtio.c commit iDE4FFFDedlqBZ1d Author: deraadt Date: 2026/05/28 17:13:17 A privileged guest can notify an invalid virtio-scsi queue index. The host-side `vioscsi` device process uses the guest-controlled value as an array index without a bounds check, interprets adjacent process memory as virtqueue metadata, and terminates with `SIGSEGV`. from Quarkslab ok hshoexer, mlarkin usr.sbin/vmd/vioscsi.c commit Coz8abhRZvVNGjeI Author: deraadt Date: 2026/05/28 17:11:39 Do not call `fatalx()` on malformed guest-provided descriptor lengths. Reject the request and return without terminating the VM process. from Quarkslab ok hshoexer, mlarkin usr.sbin/vmd/virtio.c commit ZYxxLX3X04445E5C Author: deraadt Date: 2026/05/28 17:10:44 A privileged guest can notify one invalid virtio-block queue index and terminate the host-side `vioblk` device process. In the confirmed run, this also caused the VM event thread to exit unexpectedly. from Quarkslab ok hshoexer, mlarkin usr.sbin/vmd/vioblk.c commit jzP1s6kVk4lrc0gw Author: deraadt Date: 2026/05/28 17:09:38 A privileged guest can make the host-side `vioblk` backend read a descriptor outside the configured virtqueue descriptor table and interpret the out-of-table entry as a block request descriptor. In the confirmed run, the guest-controlled out-of-table descriptor made `vmd(8)` read and log a guest-chosen block command value, and the device entered `DEVICE_NEEDS_RESET`. from Quarkslab ok hshoexer, mlarkin usr.sbin/vmd/vioblk.c commit wq3KSuw5kXTaPf4u Author: naddy Date: 2026/05/28 16:35:12 with llvm22, -Ttext also requires --image-base to be specified with robert@ sys/arch/amd64/stand/biosboot/Makefile sys/arch/amd64/stand/boot/Makefile sys/arch/amd64/stand/cdboot/Makefile sys/arch/amd64/stand/cdbr/Makefile sys/arch/amd64/stand/mbr/Makefile sys/arch/amd64/stand/pxeboot/Makefile sys/arch/i386/stand/biosboot/Makefile sys/arch/i386/stand/boot/Makefile sys/arch/i386/stand/cdboot/Makefile sys/arch/i386/stand/cdbr/Makefile sys/arch/i386/stand/mbr/Makefile sys/arch/i386/stand/pxeboot/Makefile commit XDSqv5n6bkXXG9HC Author: stsp Date: 2026/05/28 16:00:22 add volatile casts to qwx for arm64, as mglocker@ did in qwz sys/dev/ic/qwx.c commit 4pyxS2fUm3Wx7Kbb Author: stsp Date: 2026/05/28 15:58:15 reset qwx command ring "queued" counter when the command ring gets reset Should fix bogus "command ring overflow" errors observed in my dmesg. sys/dev/pci/if_qwx_pci.c commit 4PD51vwLLTZKM6hc Author: stsp Date: 2026/05/28 15:55:43 ensure that qwx nq flags are always cleared when switching net80211 state similar fix found in mglocker@ qwz diffs sys/dev/ic/qwx.c commit LhfEzI3Si8hQ78TB Author: stsp Date: 2026/05/28 15:54:17 fix number of tx/rx streams set in qwx mac config from kirill@ via qwz sys/dev/ic/qwx.c commit szIpe6PaQVYRSUiG Author: claudio Date: 2026/05/28 14:01:46 Revert a small part of the earlier adjout_prefix_dump diff. In up_process_prefix() bring back the path_id_tx hack for regular peers. A peer not using add-path send will set the path_id_tx to 0 and so adjout_prefix_first() will return the right match. This was undone because there is a problem with this when a peer switches mode (from add-path send back to no add-path). adjout_prefix_first() returns a prefix where path_id_tx is not 0 but adjout_prefix_update() expects that to be 0. This edge case is far less common and a better workaround can be found here. Fixes the addpath intergration test. usr.sbin/bgpd/rde_update.c commit 4CewE1EbrUexq6hW Author: claudio Date: 2026/05/28 13:15:08 In mrt_dump_entry_mp() improve the length calculation handling and stop using an uint16_t len that could overflow because of MAX_EXT_PKTSIZE. OK tb@ usr.sbin/bgpd/mrt.c commit RTT9sPe80QvrkO8H Author: claudio Date: 2026/05/28 12:53:55 Previous commit introduced a logic bug. Code needs to call ib_dump_free() for every context where id matches ctx->ctx_id and ctx->ctx_re is set (this skips adjout_prefix_dump contexts since there ctx_re is NULL). OK tb@ usr.sbin/bgpd/rde_rib.c commit O4Yh2OmyXM1SB2Km Author: tb Date: 2026/05/28 12:07:38 Bump limit for the build user to 2560M for loongson and octeon from visa etc/etc.loongson/login.conf etc/etc.octeon/login.conf commit rngyc3OccxuBq7Uc Author: nicm Date: 2026/05/28 11:17:35 Swap panes on z-index list as well. usr.bin/tmux/cmd-swap-pane.c commit 3IwNNO0KmKOmaqZ3 Author: kirill Date: 2026/05/28 10:52:39 sbin/ifconfig: document new nwflag uapsd OK: phessler@, stsp@ sbin/ifconfig/ifconfig.8 commit F3vEL5TRHk2kYovU Author: kirill Date: 2026/05/28 10:51:52 sys/iwx: enable uAPSD when supported by AP OK: phessler@, stsp@ sys/dev/pci/if_iwx.c sys/dev/pci/if_iwxreg.h commit XayPATdNH03z0bfO Author: kirill Date: 2026/05/28 10:50:47 sys/ieee80211: add support of uAPSD OK: phessler@, stsp@ sys/net80211/ieee80211.h sys/net80211/ieee80211_input.c sys/net80211/ieee80211_ioctl.h sys/net80211/ieee80211_node.h sys/net80211/ieee80211_output.c sys/net80211/ieee80211_proto.c sys/net80211/ieee80211_var.h commit AyH6W8xk8OwkM2r6 Author: nicm Date: 2026/05/28 10:45:17 Do not try to use last pane if there isn't one. usr.bin/tmux/server-client.c commit XxtpN71Wvl3hKvms Author: nicm Date: 2026/05/28 10:34:38 Hide menu options that do not work for floating panes. usr.bin/tmux/key-bindings.c commit YBh5kkpiNsyqwTSf Author: hshoexer Date: 2026/05/28 09:54:05 Avoid infinite loop when parsing PFKEY replies In bgpd, iked, isakmpd, ldpd and sasyncd we have similar code to parse PFKEY replies from the kernel. To avoid an infinite loop on malformed replies validate the SADB extension size. For consistency with the other daemons rewrite the parsing loop of iked. sasyncd already validates the extension size, so no change needed. ok claudio@ tb@ tobhe@ sbin/iked/pfkey.c sbin/isakmpd/pf_key_v2.c usr.sbin/bgpd/pfkey.c usr.sbin/ldpd/pfkey.c commit 39mz3RHFUhC5UXwx Author: claudio Date: 2026/05/28 09:10:22 Adjust the adjout_prefix_dump walker to operate using the adjout_bid and stop using peer_get() in the walker. This fixes the peer_reaper walker which before this was not working at all. The peer reaper removed the peer from the RB tree before walking the table and so peer_get() would return NULL and abort the walk immediatly. Adjust the adjout_prefix_dump context to use the adjout_bid and stop using peer->conf.id and peer_get. To make this work the following changes are needed: - For the callback drop the struct rde_peer argument instead add a uint32_t bid argument. - adjout_prefix_first() also needs to switch to using the adjout bitmask id instead of using the peer directly. - also change adjout_prefix_next() just to be in sync with adjout_prefix_first() - In most callbacks use the arg pointer to pass in the peer - Adjust rde_dump_ctx_new() and rde_dump_adjout_upcall(). The latter now calls peer_get() using the struct rde_dump_ctx peerid for that. rde_dump_ctx_new() needs some fixes so that peerid and adjout_bid remain in sync. - In adjout_prefix_dump_r() check if adjout_bid is 0 and abort the walk if so. Doing this check in adjout_prefix_dump_new() is tricky since most code does not expect the done callback to be run that early. OK tb@ usr.sbin/bgpd/rde.c usr.sbin/bgpd/rde.h usr.sbin/bgpd/rde_adjout.c usr.sbin/bgpd/rde_peer.c usr.sbin/bgpd/rde_update.c commit l7fqm4WS6LT1O5kL Author: claudio Date: 2026/05/28 08:57:30 Ensure rib_dump_abort() only triggers for rib dumps and not for adjout prefix dumps by accident. OK tb@ usr.sbin/bgpd/rde_rib.c commit tbmQHTZr7Gp10I7r Author: claudio Date: 2026/05/28 08:47:09 The extended nexthop capability only works with 'fib-update no' enfoce this in the parser. Right now there is no FIB support for IPv6 nexthops for IPv4 routes. Both the bgpd kroute.c code and the OpenBSD network stack are not ready for this. This feature is currently only used to allow some IXP to play with RFC8950 so no FIB support is fine for that use case. Protect other people from tripping over this thinking there is full support. Issue brought up by a report from 7Asecurity OK tb@ usr.sbin/bgpd/bgpd.conf.5 usr.sbin/bgpd/parse.y commit CLgS2ji0s9PNNB3D Author: nicm Date: 2026/05/28 08:43:57 Use the correct ranges when a pane is covered by a popup in tty_draw_pane. usr.bin/tmux/tty.c commit Zokot5X316fzIdeP Author: nicm Date: 2026/05/28 07:58:45 Obscured check should not be true if pane is same size as window. usr.bin/tmux/screen-write.c commit VK5ou9KAdEJSmUcu Author: nicm Date: 2026/05/28 07:23:52 Check visible ranges for collected cell output. usr.bin/tmux/screen-write.c usr.bin/tmux/tmux.h commit lJEo30twbNF0inpu Author: renaud Date: 2026/05/28 07:01:46 Fix signed integer overflow in column position tracking OK millert@ usr.bin/ul/ul.c commit EUnWEbxhuICx12gf Author: sashan Date: 2026/05/28 06:41:24 pf(4) currently ignores fragment direction (in vs. out) in pf_frnode_compare() function. Issue noticed and reported by Frank Denis OK @bluhm sys/net/pf_norm.c commit h8qMA9iDQqSWw1fL Author: claudio Date: 2026/05/28 05:42:14 In rde_attr_missing() make sure the nexthop attribute is present if there is any nlri data. In rde_as4byte_fixup() only run if ATTR_ASPATH is present. Depending the nexthop attribute on MP_REACH is not correct since and UPDATE can in theory carry both MP_REACH nlri and old school IPv4 nlri. rde_as4byte_fixup() should only fixup paths that have - ATTR_AS4_AGGREGATOR or ATTR_AS4_PATH present - ATTR_ASPATH must be present as well - no parse error (F_ATTR_PARSE_ERR) The rde_as4byte_fixup() is entered all the time even for path that only contain an ATTR_MP_UNREACH (which then could also include an ATTR_AS4_PATH but no ATTR_ASPATH). Reported by 7Asecurity OK tb@ usr.sbin/bgpd/rde.c commit DH4BMeEPBsWBD5tx Author: dtucker Date: 2026/05/27 23:04:36 Test all mutually supported algorithms, using dropbear's new -Q option to query its algorithms where possible. regress/usr.bin/ssh/dropbear-server.sh