[AArch64] Sink NOT to be fold into BIC/ORN/EON (#176194)
Undoes a negation being hoisted out of a loop, so that if can be fold
into an inverted bitwise operation in the loop.
Implements #108840 on AArch64
www/garage: Update to 2.2.0
* Take MAINTAINERSHIP.
* Pet portclippy/portfmt.
* Run garage as a unprivileged user.
* Create a sample configuration file to use /var/db/garage as default
meta and data directory.
* Add DOCS option.
* Fix pkg-message formatting.
ChangeLog: https://git.deuxfleurs.fr/Deuxfleurs/garage/releases/tag/v2.2.0
PR: 293011
Reported by: yds at Necessitu.de
Approved by: ashish@ (email)
pf tests: verify that we handle address range rules correctly
There's been a problem where rules which differed only in address ranges
were considered duplicates and not added. Test for this.
Approved by: so
Security: FreeBSD-SA-26:09.pf
Security: CVE-2026-4748
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit ab74151e8d097b263237942c0b12277098bc9533)
(cherry picked from commit 958dbc87e9c59a2e9f83d84115ce03fb96e9b249)
rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
tcp: plug an mbuf leak
When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().
Approved by: so
Security: FreeBSD-SA-26:06.tcp
Security: CVE-2026-4247
Reviewed by: lstewart
Tested by: lstewart
Sponsored by: Netflix, Inc.
ifnet: Fix decreasing the vnet interface count
It should be decreased only when the interface has been successfully
removed from the "active" list.
This prevents vnet_if_return() from potential OOB writes to the
allocated memory "pending".
Reviewed by: kp, pouria
Fixes: a779388f8bb3 if: Protect V_ifnet in vnet_if_return()
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D55873
(cherry picked from commit 8065ff63c0e5c3bb4abb02f55b20cb47bb51d1a7)
(cherry picked from commit 1b7687f053afcf251ee7643ee5a4f22a225f4a02)
LinuxKPI: avoid -Werror=unused-value in sort() from BUILD_BUG_ON_ZERO()
The BUILD_BUG_ON_ZERO() macro returns an (int)0 if it does not fail
at build time. LinuxKPI sort() has it as a guard for an unsupported
argument but ignores the return value.
This leads to gcc complaining:
/usr/src/sys/compat/linuxkpi/common/include/linux/build_bug.h:60:33: error: statement with no effect [-Werror=unused-value]
60 | #define BUILD_BUG_ON_ZERO(x) ((int)sizeof(struct { int:-((x) != 0); }))
| ^
/usr/src/sys/compat/linuxkpi/common/include/linux/sort.h:37:9: note: in expansion of macro 'BUILD_BUG_ON_ZERO'
37 | BUILD_BUG_ON_ZERO(swap); \
| ^~~~~~~~~~~~~~~~~
/usr/src/sys/contrib/dev/rtw89/core.c:2575:9: note: in expansion of macro 'sort'
2575 | sort(drift, RTW89_BCN_TRACK_STAT_NR, sizeof(*drift), cmp_u16, NULL);
Change to BUILD_BUG_ON() for the statement version.
[8 lines not shown]
[DA] Fix overflow of calculation in weakCrossingSIVtest
This patch fixes a correctness issue where integer overflow in the
upper bound calculation of weakCrossingSIVtest caused the pass to
incorrectly prove independence.
The previous logic used `SCEV::getMulExpr` to calculate
`2 * ConstCoeff * UpperBound` and compared it to `Delta` using
`isKnownPredicate`. In the presence of overflow, this could yield
unsafe results.
This change replaces the SCEV arithmetic with `ConstantRange` and
its operation (`smul_fast`). If the calculation overflows,
`intersectWith(MLRange).isEmptySet()` would be false, ensures we
conservatively assume a dependence if the bounds cannot be proven
safe.
Signed-off-by: Ruoyu Qiu <cabbaken at outlook.com>
[DA] Hoist division check for early exit in weakCrossingSIVtest (NFC)
This patch moves the check that `Coeff` divides `Delta` earlier in the
function to enable an early exit. Potentially improve performance.
Signed-off-by: Ruoyu Qiu <cabbaken at outlook.com>
[DA] Consolidate the core logic of the Weak Zero SIV tests (NFCI) (#185577)
There have existed two functions `weakZeroSrcSIVtest` and
`weakZeroDstSIVtest`, which are almost identical, except for some minor
differences (e.g., the Direction to be updated). This patch consolidates
the shared core logic into a single function `weakZeroSIVtestImpl` then
calls it from both `weakZeroSrcSIVtest` and `weakZeroDstSIVtest`,
passing the appropriate parameters to handle the differences. This
reduces code duplication and improves maintainability.
[LLVM-Flang] Add support for -fdebug-info-for-profiling option (#188022)
Added support for option "-fdebug-info-for-profiling" in flang.
- When the option `-fdebug-info-for-profiling` option is passed,
compiler sets the `DebugInfoForProfiling` flag and triggers the
`AddDiscriminatorsPass`. This pass inserts additional debug metadata,
specifically discriminator values into the IR to improve the profiling
precision.
- Additionally `-add-debug-info` pass has been updated to emit an extra
field, `debugInfoForProfiling: true` inside the generated DICompileUnit
metadata node.
py-coverage: updated to 7.13.5
Version 7.13.5 — 2026-03-17
- Fix: `issue 2138`_ describes a memory leak that happened when repeatedly
using the Coverage API with in-memory data. This is now fixed.
- Fix: the markdown-formatted coverage report didn't fully escape special
characters in file paths (`issue 2141`_). This would be very unlikely to
cause a problem, but now it's done properly, thanks to `Ellie Ayla
<pull 2142_>`_.
- Fix: the C extension wouldn't build on VS2019, but now it does (`issue
2145`_).
[lldb] Protect frame provider construction from re-entrant frame access
When a scripted frame provider calls HandleCommand or other
frame-accessing APIs during __init__, GetStackFrameList() re-enters
without the re-entrancy guard, causing infinite recursion. On Windows
(1MB default stack), this results in a stack overflow (0xC00000FD)
before Python's recursion limit can intervene.
The existing PushProviderFrameList/PopProviderFrameList guard only
protected GetFrameAtIndex calls in FetchFramesUpTo. This wraps the
CreateInstance call in LoadScriptedFrameProvider with the same guard
so that provider construction is also protected.
Signed-off-by: Med Ismail Bennani <ismail at bennani.ma>
libgsf: updated to 1.14.56
libgsf 1.14.56
liren:
* Fix problems with ole files using codepage 1200 (unicode).
* Restore check for ole cycles accidentally removed in fixing 43.
Fix lld/wasm/SyntheticSections.cpp after SyntheticSections.h #undef
SyntheticSections.cpp uses LLVM_DEBUG but had no #define DEBUG_TYPE,
relying on the leaked "lld" from SyntheticSections.h. Add an
explicit #define DEBUG_TYPE.