LLVM/project b9ed506llvm/lib/Transforms/Instrumentation MemProfUse.cpp

merge clang-format changes
DeltaFile
+9-4llvm/lib/Transforms/Instrumentation/MemProfUse.cpp
+9-41 files

LLVM/project 82bd77allvm/lib/Transforms/Instrumentation MemProfUse.cpp

apply clang format
DeltaFile
+9-4llvm/lib/Transforms/Instrumentation/MemProfUse.cpp
+9-41 files

LLVM/project d87fb48llvm/lib/Analysis StaticDataProfileInfo.cpp, llvm/lib/Transforms/Instrumentation MemProfUse.cpp

Update codegen pass
DeltaFile
+7-7llvm/lib/Transforms/Instrumentation/MemProfUse.cpp
+5-5llvm/lib/Analysis/StaticDataProfileInfo.cpp
+12-122 files

LLVM/project cf4ce38clang/cmake/caches hexagon-unknown-linux-musl-clang-dylib.cmake hexagon-unknown-linux-musl-clang-cross.cmake

[hexagon] Add dylib cmake + toolchain_only (#177247)

The toolchains take up much less space when we enable dylib, so let's
create an option to build them that way.

Also: TOOLCHAIN_ONLY was ineffective in
hexagon-unknown-linux-musl-clang-cross.cmake because cmake takes the
first setting from hexagon-unknown-linux-musl-clang.cmake with
precedence. FORCE it to fix that issue.

Signed-off-by: Brian Cain <brian.cain at oss.qualcomm.com>
DeltaFile
+7-0clang/cmake/caches/hexagon-unknown-linux-musl-clang-dylib.cmake
+3-1clang/cmake/caches/hexagon-unknown-linux-musl-clang-cross.cmake
+10-12 files

LLVM/project 5b46cedllvm/test/Transforms/PGOProfile data-access-profile.ll

tighten up test
DeltaFile
+22-14llvm/test/Transforms/PGOProfile/data-access-profile.ll
+22-141 files

LLVM/project 8a62457llvm/test/CodeGen/NVPTX atomicrmw-sm60.ll atomicrmw-sm70.ll

Revert "[NVPTX][AtomicExpandPass] Complete support for AtomicRMW in NVPTX (#176015)" (#178329)

This reverts commit 1d379d05d46d77b5f008349cc14de27dd055f4b9. This
change breaks llvm-nvptx-nvidia-win in the buildbot.
DeltaFile
+0-3,137llvm/test/CodeGen/NVPTX/atomicrmw-sm60.ll
+0-3,111llvm/test/CodeGen/NVPTX/atomicrmw-sm70.ll
+0-2,983llvm/test/CodeGen/NVPTX/atomicrmw-sm90.ll
+476-3llvm/test/CodeGen/NVPTX/atomics.ll
+151-0llvm/test/CodeGen/NVPTX/atomicrmw-expand.ll
+147-0llvm/test/CodeGen/NVPTX/atomics-sm90.ll
+774-9,2348 files not shown
+1,053-9,54914 files

LLVM/project a2d07b8clang/lib/AST Mangle.cpp, clang/test/CodeGenObjC expose-direct-method.m expose-direct-method-varargs.m

further fix mangling
DeltaFile
+52-52clang/test/CodeGenObjC/expose-direct-method.m
+9-9clang/test/CodeGenObjC/expose-direct-method-varargs.m
+4-4clang/test/CodeGenObjC/direct-method-ret-mismatch.m
+1-2clang/lib/AST/Mangle.cpp
+66-674 files

LLVM/project 5477a33llvm/lib/Transforms/Instrumentation MemProfUse.cpp, llvm/test/Transforms/PGOProfile data-access-profile.ll

Annotate string literal section prefix
DeltaFile
+54-15llvm/test/Transforms/PGOProfile/data-access-profile.ll
+49-1llvm/lib/Transforms/Instrumentation/MemProfUse.cpp
+103-162 files

HardenedBSD/src 988bcd8lib/libc/net getnetbydns.c

libc: Don't use uninitialised string for getnetbyaddr[_r](0) DNS lookup

If net is all-zero, the loop to extract all leading non-zero octets will
iterate zero times and leave nn with the value 4, which the following
switch statement to initialise qbuf does not handle. As a result,
_dns_getnetbyaddr will look up the PTR record for this uninitialised
string, which will leak the pre-existing contents of that stack memory
to the DNS resolver and, if remote and not otherwise protected, network.

Note that _dns_getnetbyaddr is only used if nsswitch.conf is configured
to enable the "dns" source for the "networks" database, which is not the
default configuration in FreeBSD.

For glibc this same bug, in code also derived from BIND's, was issued
CVE-2026-0915. This commit adopts the same behaviour as glibc's fix,
which is to regard a net of 0 as being for 0.0.0.0. Apparently NetBSD
will return NS_UNAVAIL instead, which may or may not make more sense,
but in general glibc compatibility tends to cause less friction when
there's not a good reason to avoid it.

    [8 lines not shown]
DeltaFile
+3-0lib/libc/net/getnetbydns.c
+3-01 files

HardenedBSD/src df54707crypto/openssl/apps pkeyutl.c, crypto/openssl/apps/lib apps.c

openssl: Fix multiple vulnerabilities

This is a rollup commit from upstream to fix:
  Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)
  Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
  NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)
  "openssl dgst" one-shot codepath silently truncates inputs >16MB (CVE-2025-15469)
  TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)
  Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
  Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
  Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
  Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
  NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
  Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
  ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)

See https://openssl-library.org/news/secadv/ for additional details.

Approved by:    so

    [17 lines not shown]
DeltaFile
+28-27crypto/openssl/apps/lib/apps.c
+18-18crypto/openssl/apps/pkeyutl.c
+26-6crypto/openssl/crypto/bio/bf_lbuf.c
+20-0crypto/openssl/crypto/asn1/evp_asn1.c
+16-2crypto/openssl/crypto/pkcs12/p12_mutl.c
+8-2crypto/openssl/crypto/modes/ocb128.c
+116-5512 files not shown
+158-7018 files

HardenedBSD/src 4e0dec8lib/libc/net getnetbydns.c

libc: Don't use uninitialised string for getnetbyaddr[_r](0) DNS lookup

If net is all-zero, the loop to extract all leading non-zero octets will
iterate zero times and leave nn with the value 4, which the following
switch statement to initialise qbuf does not handle. As a result,
_dns_getnetbyaddr will look up the PTR record for this uninitialised
string, which will leak the pre-existing contents of that stack memory
to the DNS resolver and, if remote and not otherwise protected, network.

Note that _dns_getnetbyaddr is only used if nsswitch.conf is configured
to enable the "dns" source for the "networks" database, which is not the
default configuration in FreeBSD.

For glibc this same bug, in code also derived from BIND's, was issued
CVE-2026-0915. This commit adopts the same behaviour as glibc's fix,
which is to regard a net of 0 as being for 0.0.0.0. Apparently NetBSD
will return NS_UNAVAIL instead, which may or may not make more sense,
but in general glibc compatibility tends to cause less friction when
there's not a good reason to avoid it.

    [8 lines not shown]
DeltaFile
+3-0lib/libc/net/getnetbydns.c
+3-01 files

HardenedBSD/src 7f81757crypto/openssl/apps pkeyutl.c, crypto/openssl/apps/lib apps.c

openssl: Fix multiple vulnerabilities

This is a rollup commit from upstream to fix:
  Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)
  Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
  NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)
  "openssl dgst" one-shot codepath silently truncates inputs >16MB (CVE-2025-15469)
  TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)
  Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
  Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
  Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
  Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
  NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
  Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
  ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)

See https://openssl-library.org/news/secadv/ for additional details.

Approved by:    so

    [17 lines not shown]
DeltaFile
+28-27crypto/openssl/apps/lib/apps.c
+18-18crypto/openssl/apps/pkeyutl.c
+26-6crypto/openssl/crypto/bio/bf_lbuf.c
+20-0crypto/openssl/crypto/asn1/evp_asn1.c
+16-2crypto/openssl/crypto/pkcs12/p12_mutl.c
+8-2crypto/openssl/crypto/pkcs12/p12_kiss.c
+116-5512 files not shown
+158-7018 files

HardenedBSD/src 1153b03lib/libc/net getnetbydns.c

libc: Don't use uninitialised string for getnetbyaddr[_r](0) DNS lookup

If net is all-zero, the loop to extract all leading non-zero octets will
iterate zero times and leave nn with the value 4, which the following
switch statement to initialise qbuf does not handle. As a result,
_dns_getnetbyaddr will look up the PTR record for this uninitialised
string, which will leak the pre-existing contents of that stack memory
to the DNS resolver and, if remote and not otherwise protected, network.

Note that _dns_getnetbyaddr is only used if nsswitch.conf is configured
to enable the "dns" source for the "networks" database, which is not the
default configuration in FreeBSD.

For glibc this same bug, in code also derived from BIND's, was issued
CVE-2026-0915. This commit adopts the same behaviour as glibc's fix,
which is to regard a net of 0 as being for 0.0.0.0. Apparently NetBSD
will return NS_UNAVAIL instead, which may or may not make more sense,
but in general glibc compatibility tends to cause less friction when
there's not a good reason to avoid it.

    [8 lines not shown]
DeltaFile
+3-0lib/libc/net/getnetbydns.c
+3-01 files

HardenedBSD/src 1656130release/tools oci-image-static.conf

HBSD: Resolve merge conflict

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
DeltaFile
+1-18release/tools/oci-image-static.conf
+1-181 files

HardenedBSD/src 26ee1decrypto/openssl/apps pkeyutl.c, crypto/openssl/apps/lib apps.c

Merge remote-tracking branch 'internal/freebsd/current/main' into hardened/current/master

Conflicts:
        release/tools/oci-image-static.conf (unresolved)
DeltaFile
+28-27crypto/openssl/apps/lib/apps.c
+18-18crypto/openssl/apps/pkeyutl.c
+26-6crypto/openssl/crypto/bio/bf_lbuf.c
+20-0crypto/openssl/crypto/asn1/evp_asn1.c
+16-2crypto/openssl/crypto/pkcs12/p12_mutl.c
+16-2tests/sys/kern/ssl_sendfile.c
+124-5517 files not shown
+208-7923 files

FreeBSD/ports 01bdc28security/vuxml/vuln 2026.xml

security/vuxml: add FreeBSD SA issued on 2026-01-27

FreeBSD-SA-26:02.jail affects 13.5R and 14.3R
DeltaFile
+34-0security/vuxml/vuln/2026.xml
+34-01 files

FreeBSD/ports bad5869security/vuxml/vuln 2026.xml

security/vuxml: reference FreeBSD-SA-26:01.openssl

Add a reference to FreeBSD-SA-26:01.openssl (issued 2026-01-27) to the
vuxml entry for OpenSSL CVE-2025-11187, CVE-2025-15467, CVE-2025-15468,
CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418,
CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795 and
CVE-2026-22796.

FreeBSD-SA-26:01.openssl affects all supported versions of FreeBSD
DeltaFile
+8-0security/vuxml/vuln/2026.xml
+8-01 files

HardenedBSD/src 1565054crypto/openssl/apps pkeyutl.c, crypto/openssl/apps/lib apps.c

openssl: Fix multiple vulnerabilities

This is a rollup commit from upstream to fix:
  Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)
  Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
  NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)
  "openssl dgst" one-shot codepath silently truncates inputs >16MB (CVE-2025-15469)
  TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)
  Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
  Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
  Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
  Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
  NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
  Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
  ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)

See https://openssl-library.org/news/secadv/ for additional details.

Approved by:    so

    [17 lines not shown]
DeltaFile
+28-27crypto/openssl/apps/lib/apps.c
+18-18crypto/openssl/apps/pkeyutl.c
+26-6crypto/openssl/crypto/bio/bf_lbuf.c
+20-0crypto/openssl/crypto/asn1/evp_asn1.c
+16-2crypto/openssl/crypto/pkcs12/p12_mutl.c
+8-2crypto/openssl/crypto/modes/ocb128.c
+116-5512 files not shown
+158-7018 files

HardenedBSD/src e10af1fcrypto/openssl/apps pkeyutl.c, crypto/openssl/apps/lib apps.c

Merge branch 'freebsd/15-stable/main' into hardened/15-stable/main
DeltaFile
+28-27crypto/openssl/apps/lib/apps.c
+18-18crypto/openssl/apps/pkeyutl.c
+26-6crypto/openssl/crypto/bio/bf_lbuf.c
+20-0crypto/openssl/crypto/asn1/evp_asn1.c
+16-2crypto/openssl/crypto/pkcs12/p12_mutl.c
+8-2crypto/openssl/crypto/modes/ocb128.c
+116-5513 files not shown
+161-7019 files

FreeBSD/doc 5f65861website/content/en/releases/13.5R errata.adoc, website/content/en/releases/14.3R errata.adoc

Add errata affecting 13.5R, 14.3R and 15.0R

FreeBSD-EN-26:01.devinfo affects 15.0R
FreeBSD-EN-26:02.arm64 affects 14.3R and 15.0R
FreeBSD-EN-26:03.vm affects affects all supported releases
DeltaFile
+3-0website/content/en/releases/15.0R/errata.adoc
+2-0website/content/en/releases/14.3R/errata.adoc
+1-0website/content/en/releases/13.5R/errata.adoc
+6-03 files

HardenedBSD/ports 1eefea8databases/duckdb pkg-plist, lang/gleam distinfo Makefile.crates

Merge branch 'freebsd/main' into hardenedbsd/main
DeltaFile
+169-163lang/gleam/distinfo
+124-124security/openssl/files/extra-patch-ktls
+83-80lang/gleam/Makefile.crates
+56-2databases/duckdb/pkg-plist
+56-0www/py-flatnotes/pkg-plist
+54-0www/py-flatnotes/Makefile
+542-36940 files not shown
+791-52246 files

FreeBSD/src 9f0b953release Makefile, stand/images Makefile freebsd-install-brand-rev.png

lualoader: Add distinct brand for installer

Make it obvious to users that the system is booting into the installer.

Reviewed by:    kevans, manu
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D51001

(cherry picked from commit ac7a19d41ee5eb1271c46fbc620b2f98dffa2230)
DeltaFile
+24-0stand/lua/gfx-install.lua
+3-0release/Makefile
+2-1stand/images/Makefile
+1-0stand/lua/Makefile
+0-0stand/images/freebsd-install-brand-rev.png
+30-15 files

FreeBSD/src 7aee235usr.sbin/periodic/etc/daily 460.status-mail-rejects, usr.sbin/periodic/etc/security 900.tcpwrap 800.loginfail

periodic: Support RFC 5424 syslog timestamps

This is based on an initial implementation by michaelo in
https://reviews.freebsd.org/D54361.

PR:             270497
Reported by:    michaelo
Reviewed by:    michaelo
Tested by:      michaelo
MFC after:      1 week
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D54606

(cherry picked from commit 8ac6427b1bb95470f6c755202d1c0391ed8eefbd)
DeltaFile
+10-3usr.sbin/periodic/etc/daily/460.status-mail-rejects
+9-2usr.sbin/periodic/etc/security/900.tcpwrap
+9-2usr.sbin/periodic/etc/security/800.loginfail
+28-73 files

FreeBSD/src 1b3972abin/sh alias.c

sh: Avoid referencing uninitialized memory in alias

If run as
        alias ''
uninitialized memory could be referenced.

This is based on a fix from NetBSD.  For more information, refer to
https://github.com/NetBSD/src/commit/10cfed82c28 .

Obtained from:  NetBSD (Robert Elz <kre at netbsd.org>, 10cfed82c28)
MFC after:      3 days

Reported by:    mckusick, Robert Elz <kre at netbsd.org>
Reviewed by:    emaste
Differential Revision:  https://reviews.freebsd.org/D50364

(cherry picked from commit 9d29fc2e4bfba9fcd3b0944e683458a3f1fa0c47)
DeltaFile
+5-0bin/sh/alias.c
+5-01 files

FreeBSD/doc 9e77404website/content/en/releases/13.5R errata.adoc, website/content/en/releases/14.3R errata.adoc

Add security advisories affecting 13.5R, 14.3R and 15.0R

FreeBSD-SA-26:01.openssl affects all supported releases
FreeBSD-SA-25:02.jail affects 13.5R and 14.3R
DeltaFile
+2-0website/content/en/releases/14.3R/errata.adoc
+2-0website/content/en/releases/13.5R/errata.adoc
+1-0website/content/en/releases/15.0R/errata.adoc
+5-03 files

FreeNAS/freenas 2b94116src/middlewared/middlewared/plugins/service_/services base.py base_state.py

NAS-139515 / 26.0.0-BETA.1 / fix sysds migration instability (#18113)

DeltaFile
+165-36src/middlewared/middlewared/plugins/service_/services/base.py
+0-4src/middlewared/middlewared/plugins/service_/services/base_state.py
+165-402 files

FreeBSD/ports cfb4159databases/duckdb pkg-plist distinfo, databases/py-duckdb Makefile distinfo

databases/{,py-}duckdb: update 1.3.2 → 1.4.4
DeltaFile
+56-2databases/duckdb/pkg-plist
+21-23databases/duckdb/distinfo
+25-14databases/duckdb/Makefile
+29-0databases/py-duckdb/files/patch-pyproject.toml
+11-8databases/py-duckdb/Makefile
+3-3databases/py-duckdb/distinfo
+145-506 files

HardenedBSD/ports cfb4159databases/duckdb pkg-plist distinfo, databases/py-duckdb Makefile distinfo

databases/{,py-}duckdb: update 1.3.2 → 1.4.4
DeltaFile
+56-2databases/duckdb/pkg-plist
+21-23databases/duckdb/distinfo
+25-14databases/duckdb/Makefile
+29-0databases/py-duckdb/files/patch-pyproject.toml
+11-8databases/py-duckdb/Makefile
+3-3databases/py-duckdb/distinfo
+145-506 files

LLVM/project 7982c91clang/include/clang/AST Mangle.h, clang/lib/AST Mangle.cpp

using new mangling as suggested by the reviewer
DeltaFile
+27-3clang/lib/AST/Mangle.cpp
+11-1clang/include/clang/AST/Mangle.h
+4-4clang/lib/CodeGen/CGObjCMac.cpp
+2-2clang/lib/CodeGen/CGObjCRuntime.cpp
+1-1clang/lib/CodeGen/CGObjCRuntime.h
+45-115 files

LLVM/project 3b0880aclang/test/ClangScanDeps modules.cpp

[clang][test][NFC] Fix more dependency test failures (#178313)

The bots found another spot where the path to SDKSettings.json is short
enough to go on the same line as the file in the output.
DeltaFile
+11-11clang/test/ClangScanDeps/modules.cpp
+11-111 files