HardenedBSD/src b094b48sys/kern uipc_shm.c

HBSD: Make sure the kinfo_file struct always gets zeroed

Similar to FreeBSD commit 25cc459286a02b646751541ccde5a33319471c73,
apply a memset in one of the core functions used to fill the structure.
This ensures that all kinfo_file structure allocations are zeroed (at
least, at the point of calling shm_fill_kinfo_locked).

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
MFC-to:         15-STABLE
DeltaFile
+2-0sys/kern/uipc_shm.c
+2-01 files

HardenedBSD/src 5d9c41csys/fs/fuse fuse_node.h fuse_node.c, sys/netinet ip_carp.c

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
DeltaFile
+122-315sys/netinet/ip_carp.c
+192-0tests/sys/fs/fusefs/read.cc
+11-121usr.bin/systat/netstat.c
+80-11sys/fs/fuse/fuse_node.h
+90-0tests/sys/fs/fusefs/rename.cc
+71-18sys/fs/fuse/fuse_node.c
+566-46524 files not shown
+816-59830 files

HardenedBSD/src b7a704dsys/fs/fuse fuse_node.h fuse_node.c, sys/netinet ip_carp.c

Merge branch 'freebsd/current/main' into hardened/current/master
DeltaFile
+122-315sys/netinet/ip_carp.c
+192-0tests/sys/fs/fusefs/read.cc
+11-121usr.bin/systat/netstat.c
+80-11sys/fs/fuse/fuse_node.h
+90-0tests/sys/fs/fusefs/rename.cc
+71-18sys/fs/fuse/fuse_node.c
+566-46524 files not shown
+816-59830 files

HardenedBSD/src cedaa6dsbin/camcontrol camcontrol.c

Merge branch 'freebsd/15-stable/main' into hardened/15-stable/main
DeltaFile
+31-0sbin/camcontrol/camcontrol.c
+31-01 files

HardenedBSD/ports 4e90e58devel/git-pkgs pkg-plist, www/npm-node24 pkg-plist

Merge branch 'freebsd/main' into hardenedbsd/main
DeltaFile
+43-70www/npm-node24/pkg-plist
+66-0devel/git-pkgs/pkg-plist
+60-0x11-wm/mango/Makefile
+0-60x11-wm/mangowc/Makefile
+0-30x11-wm/mangowc/files/patch-meson.build
+30-0x11-wm/mango/files/patch-meson.build
+199-160236 files not shown
+963-691242 files

HardenedBSD/ports f7180c5x11-wm/mango distinfo Makefile

x11-wm/mango: Update to 0.12.6

ChangeLog:

  - https://github.com/mangowm/mango/releases/tag/0.12.5
  - https://github.com/mangowm/mango/releases/tag/0.12.6

Reported by:    DreamMaoMao <notifications at github.com>
DeltaFile
+3-3x11-wm/mango/distinfo
+1-1x11-wm/mango/Makefile
+4-42 files

HardenedBSD/ports f74d5e1x11-wm/mango Makefile, x11-wm/mango/files patch-meson.build pkg-message.in

MOVED: x11-wm/mangowc renamed upstream
DeltaFile
+0-60x11-wm/mangowc/Makefile
+60-0x11-wm/mango/Makefile
+30-0x11-wm/mango/files/patch-meson.build
+0-30x11-wm/mangowc/files/patch-meson.build
+20-0x11-wm/mango/files/pkg-message.in
+0-20x11-wm/mangowc/files/pkg-message.in
+110-1108 files not shown
+148-14714 files

HardenedBSD/src 815ef05sys/netinet tcp_var.h in_pcb.h, sys/netinet/cc cc.h

netinet: remove _WANT_INPCB and _WANT_TCPCB

These were hacks since FreeBSD 12 that provided some transition period for
utilities to migrate from reading kernel memory via kvm(3) to sysctl(3)
based APIs.  The transition period is over.
DeltaFile
+4-4sys/netinet/cc/cc.h
+2-2sys/netinet/tcp_var.h
+1-1sys/netinet/in_pcb.h
+7-73 files

HardenedBSD/src c0462c2sys/netinet/tcp_stacks sack_filter.c

tcp: make sack_filter.c compilable without _WANT_TCPCB

This file can be compiled as a standalone program for debugging purposes.
Achieve that without exposing hack from tcp_var.h that is destined for
removal.
DeltaFile
+15-14sys/netinet/tcp_stacks/sack_filter.c
+15-141 files

HardenedBSD/src 985ac74usr.bin/systat netstat.c systat.h

systat: remove kvm(3) support for -netstat mode

The kvm(3) mode was actually non-functional since FreeBSD 8 for kernels
with VIMAGE, since FreeBSD 12 for the GENERIC kernel and since FreeBSD 14
for all kernels.  The reason for that is that systat(1) tried to lookup
symbol "tcb" to check if kvm(3) is working.  The symbol no longer exist in
the kernel.

A side effect was that systat(1) lost true kvm(3) support for all other
modes, e.g. -swap or -pigs.  The tool was still working, but libkvm was
just a shim to sysctl(3) API.

So, contrary to what the header line says, this change actually restores
the kvm(3) support for other modes.  Now we read the "allproc" symbol.

This was the last tool that abused _WANT_INPCB.
DeltaFile
+11-121usr.bin/systat/netstat.c
+0-11usr.bin/systat/systat.h
+3-2usr.bin/systat/main.c
+0-2usr.bin/systat/extern.h
+14-1364 files

HardenedBSD/src a68e3a8sys/net pfvar.h, sys/sys systm.h

systm.h: don't declare socket and inpcb globally
DeltaFile
+0-2sys/sys/systm.h
+1-0sys/net/pfvar.h
+1-22 files

HardenedBSD/src 72472e5sbin/ifconfig carp.c, share/man/man4 carp.4

carp: retire ioctl(2) API

All supported stable branches use netlink(4) API to configure carp(4).
The deleted code also has kernel stack leak vulnerability, that requires
extra effort to fix.

Reviewed by:            pouria, kp
Differential Revision:  https://reviews.freebsd.org/D55804
DeltaFile
+122-315sys/netinet/ip_carp.c
+0-15sys/netinet/ip_carp.h
+3-9share/man/man4/carp.4
+0-10sys/net/if.c
+7-2sbin/ifconfig/carp.c
+1-1sys/sys/param.h
+133-3526 files

HardenedBSD/src 7e68af7sys/fs/fuse fuse_node.h fuse_node.c, tests/sys/fs/fusefs read.cc rename.cc

fusefs: redo vnode attribute locking

Previously most fields in fuse_vnode_data were protected by the vnode
lock.  But because DEBUG_VFS_LOCKS was never enabled by default until
stable/15 the assertions were never checked, and many were wrong.
Others were missing.  This led to panics in stable/15 and 16.0-CURRENT,
when a vnode was expected to be exclusively locked but wasn't, for fuse
file systems that mount with "-o async".

In some places it isn't possible to exclusively lock the vnode when
accessing these fields.  So protect them with a new mutex instead.  This
fixes panics and unprotected field accesses in VOP_READ,
VOP_COPY_FILE_RANGE, VOP_GETATTR, VOP_BMAP, and FUSE_NOTIFY_INVAL_ENTRY.
Add assertions everywhere the protected fields are accessed.

Lock the vnode exclusively when handling FUSE_NOTIFY_INVAL_INODE.

During fuse_vnode_setsize, if the vnode isn't already exclusively
locked, use the vn_delayed_setsize mechanism.  This fixes panics during

    [13 lines not shown]
DeltaFile
+192-0tests/sys/fs/fusefs/read.cc
+80-11sys/fs/fuse/fuse_node.h
+90-0tests/sys/fs/fusefs/rename.cc
+71-18sys/fs/fuse/fuse_node.c
+74-7sys/fs/fuse/fuse_vnops.c
+24-18sys/fs/fuse/fuse_internal.c
+531-545 files not shown
+609-7911 files

HardenedBSD/ports 5effadddevel/qt6-base Makefile, devel/qt6-base/files patch-src_corelib_configure.cmake

devel/qt6-base: Make use of renameat2 in QFileSystemEngine
DeltaFile
+22-0devel/qt6-base/files/patch-src_corelib_configure.cmake
+1-0devel/qt6-base/Makefile
+23-02 files

HardenedBSD/ports c109896print/py-frescobaldi distinfo Makefile

print/py-frescobaldi: Update 4.0.4 => 4.0.5

Changelog:
https://github.com/frescobaldi/frescobaldi/releases/tag/v4.0.5

Switch from dynamically generated by github tarball to statically
generated by upstream.

PR:     293742
DeltaFile
+3-3print/py-frescobaldi/distinfo
+2-3print/py-frescobaldi/Makefile
+5-62 files

HardenedBSD/ports d9533c7print/lilypond-devel distinfo Makefile

print/lilypond-devel: Update 2.25.27 => 2.25.35

Release Notes:
https://lilypond.org/news.html#LilyPond-2_002e25_002e35-released-March-7_002c-2026

PR:     293740
DeltaFile
+3-3print/lilypond-devel/distinfo
+1-1print/lilypond-devel/Makefile
+0-2print/lilypond-devel/pkg-plist
+4-63 files

HardenedBSD/ports 7d853d0graphics/py-qpageview distinfo Makefile

graphics/py-qpageview: Update 1.0.1 => 1.0.3

Changelog:
https://github.com/frescobaldi/qpageview/blob/v1.0.3/CHANGELOG.md

Update COMMENT - port uses Qt6, not Qt5 since version 1.0.0.

PR:     293741
MFH:    2026Q1
DeltaFile
+3-3graphics/py-qpageview/distinfo
+2-2graphics/py-qpageview/Makefile
+5-52 files

HardenedBSD/ports 690efa5www/freenginx-acme distinfo Makefile

www/freenginx-acme: update freenginx's version to the recent one

Bump PORTREVISION.

Sponsored by:   tipi.work
DeltaFile
+3-3www/freenginx-acme/distinfo
+1-1www/freenginx-acme/Makefile
+4-42 files

HardenedBSD/src ce9aff8sys/dev/hwpmc hwpmc_amd.c

hwpmc_amd: fix amd_get_msr() MSR offset for newer counter bases

The previous code subtracted AMD_PMC_PERFCTR_0 (0xC0010004) from all
perfctr MSR addresses to compute a relative offset. This is incorrect
for counters using AMD_PMC_CORE_BASE (0xC0010200), AMD_PMC_L3_BASE
(0xC0010230), and AMD_PMC_DF_BASE (0xC0010240), producing wrong offsets.

Fix by promoting amd_core_npmcs, amd_l3_npmcs, and amd_df_npmcs to
static module-level variables and computing the correct flat RDPMC
index per AMD BKDG 24594 page 440:

ECX 0-5:   Core counters 0-5
ECX 6-9:   DF counters 0-3
ECX 10-15: L3 Cache counters 0-5
ECX 16-27: DF counters 4-15
ECX > 27:  Reserved, returns EINVAL

Reviewed by:    Ali Mashtizadeh <ali at mashtizadeh.com>, mhorne
Sponsored by:   NLINK (https://nlink.com.br), Recife, Brazil

    [2 lines not shown]
DeltaFile
+33-3sys/dev/hwpmc/hwpmc_amd.c
+33-31 files

HardenedBSD/src 25cc459sys/kern uipc_shm.c

shm: Zero struct kinfo_file in sysctl handler

Reported by: Calif.io in collaboration with Claude and Anthropic Research
Reviewed by: jhb
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55806
DeltaFile
+1-1sys/kern/uipc_shm.c
+1-11 files

HardenedBSD/ports 79939a7. MOVED, lang Makefile

lang/go124: Remove expired port

2026-03-11 lang/go124: End of life--please switch to go125 or go126
DeltaFile
+0-23lang/go124/files/patch-src_cmd_dist_build.go
+0-13lang/go124/distinfo
+0-11lang/go124/files/patch-src_cmd_go_internal_modload_vendor.go
+0-7lang/go124/Makefile
+0-1lang/Makefile
+1-0MOVED
+1-556 files

HardenedBSD/ports 7498a3edatabases/py-redisvl Makefile distinfo

databases/py-redisvl: Allow build with py-redis 7.2.0+

- Bump PORTREVISION for package change

Obtained from:  https://github.com/redis/redis-vl-python/commit/817a255df0c97921236ed507a177621a00e18bdf
Approved by:    portmgr (blanket)
DeltaFile
+5-1databases/py-redisvl/Makefile
+3-1databases/py-redisvl/distinfo
+8-22 files

HardenedBSD/ports c271194sysutils/rubygem-bundler distinfo Makefile

sysutils/rubygem-bundler: Update to 4.0.7

Changes:        https://github.com/ruby/rubygems/releases
                https://github.com/ruby/rubygems/blob/master/bundler/CHANGELOG.md
DeltaFile
+3-3sysutils/rubygem-bundler/distinfo
+1-1sysutils/rubygem-bundler/Makefile
+4-42 files

HardenedBSD/ports 20b9c42devel/ruby-gems distinfo Makefile

devel/ruby-gems: Update to 4.0.7

Changes:        https://github.com/ruby/rubygems/releases
                https://github.com/ruby/rubygems/blob/master/CHANGELOG.md
DeltaFile
+3-3devel/ruby-gems/distinfo
+1-1devel/ruby-gems/Makefile
+4-42 files

HardenedBSD/ports 7148a76devel/rubygem-aws-sdk-workspacesweb distinfo Makefile

devel/rubygem-aws-sdk-workspacesweb: Update to 1.59.0

Changes:        https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-workspacesweb/CHANGELOG.md
DeltaFile
+3-3devel/rubygem-aws-sdk-workspacesweb/distinfo
+1-1devel/rubygem-aws-sdk-workspacesweb/Makefile
+4-42 files

HardenedBSD/ports e1b89dddevel/rubygem-aws-sdk-wickr distinfo Makefile

devel/rubygem-aws-sdk-wickr: Update to 1.4.0

Changes:        https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-wickr/CHANGELOG.md
DeltaFile
+3-3devel/rubygem-aws-sdk-wickr/distinfo
+1-1devel/rubygem-aws-sdk-wickr/Makefile
+4-42 files

HardenedBSD/ports f04d54adevel/rubygem-aws-sdk-wafv2 distinfo Makefile

devel/rubygem-aws-sdk-wafv2: Update to 1.126.0

Changes:        https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-wafv2/CHANGELOG.md
DeltaFile
+3-3devel/rubygem-aws-sdk-wafv2/distinfo
+1-1devel/rubygem-aws-sdk-wafv2/Makefile
+4-42 files

HardenedBSD/ports d4bbb25devel/rubygem-aws-sdk-trustedadvisor distinfo Makefile

devel/rubygem-aws-sdk-trustedadvisor: Update to 1.34.0

Changes:        https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-trustedadvisor/CHANGELOG.md
DeltaFile
+3-3devel/rubygem-aws-sdk-trustedadvisor/distinfo
+2-2devel/rubygem-aws-sdk-trustedadvisor/Makefile
+5-52 files

HardenedBSD/ports 07affefdevel/rubygem-aws-sdk-transcribestreamingservice distinfo Makefile

devel/rubygem-aws-sdk-transcribestreamingservice: Update to 1.98.0

Changes:        https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-transcribestreamingservice/CHANGELOG.md
DeltaFile
+3-3devel/rubygem-aws-sdk-transcribestreamingservice/distinfo
+1-1devel/rubygem-aws-sdk-transcribestreamingservice/Makefile
+4-42 files

HardenedBSD/ports 341c1e5devel/rubygem-aws-sdk-ssm distinfo Makefile

devel/rubygem-aws-sdk-ssm: Update to 1.211.0

Changes:        https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-ssm/CHANGELOG.md
DeltaFile
+3-3devel/rubygem-aws-sdk-ssm/distinfo
+1-1devel/rubygem-aws-sdk-ssm/Makefile
+4-42 files