HardenedBSD/src bc6c9d7contrib/sqlite3 sqlite3.c sqlite3.h, sys/compat/linuxkpi/common/src linux_80211.c linux_pci.c

Merge remote-tracking branch 'internal/freebsd/current/main' into hardened/current/master
DeltaFile
+122-81contrib/sqlite3/sqlite3.c
+71-28sys/compat/linuxkpi/common/src/linux_80211.c
+45-45contrib/sqlite3/sqlite3.h
+5-10sys/powerpc/include/_stdint.h
+3-10sys/compat/linuxkpi/common/src/linux_pci.c
+1-1contrib/sqlite3/VERSION
+247-1753 files not shown
+250-1789 files

HardenedBSD/src b8cab6fshare/mk src.libnames.mk

HBSD: Resolve merge conflict

Also make it clearer what HardenedBSD's changes are to this file.

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
DeltaFile
+3-4share/mk/src.libnames.mk
+3-41 files

HardenedBSD/ports cf061a1sysutils/fwupd-efi Makefile

HBSD: Disable FORTIFYSOURCE and HARDCFLAGS for sysutils/fwupd-efi

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
DeltaFile
+2-0sysutils/fwupd-efi/Makefile
+2-01 files

HardenedBSD/ports e77af36textproc/scim-table-imengine/files patch-src_scim__table__imengine__setup.cpp

HBSD: Fix HARDCFLAGS for textproc/scim-table-imengine

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
DeltaFile
+10-0textproc/scim-table-imengine/files/patch-src_scim__table__imengine__setup.cpp
+10-01 files

HardenedBSD/src 8209c08contrib/sqlite3 sqlite3.c sqlite3.h, libexec/rc/rc.d ippool

Merge branch 'freebsd/14-stable/main' into hardened/14-stable/master
DeltaFile
+122-81contrib/sqlite3/sqlite3.c
+148-29sys/amd64/vmm/vmm.c
+45-45contrib/sqlite3/sqlite3.h
+7-23sys/amd64/vmm/vmm_dev.c
+3-0libexec/rc/rc.d/ippool
+2-1sys/amd64/include/vmm.h
+327-1793 files not shown
+330-1829 files

HardenedBSD/src 3807418libexec/rc/rc.d ippool

Merge branch 'freebsd/15-stable/main' into hardened/15-stable/main
DeltaFile
+3-0libexec/rc/rc.d/ippool
+3-01 files

HardenedBSD/ports 6ecdb7bdevel/py-propcache/files patch-packaging_pep517__backend__backend.py, graphics/partio distinfo

Merge branch 'freebsd/main' into hardenedbsd/main
DeltaFile
+0-13graphics/partio/files/patch-src_py_partio.i
+11-0devel/py-propcache/files/patch-packaging_pep517__backend__backend.py
+0-11graphics/partio/files/patch-src_tools_partedit.py
+5-5sysutils/eksctl/distinfo
+7-3graphics/partio/distinfo
+3-3lang/janet/distinfo
+26-3515 files not shown
+58-6221 files

HardenedBSD/src adb4901sys/compat/linuxkpi/common/src linux_80211.c

LinuxKPI: 802.11: when synching HT and VHT cap, mask rx_mcs

When we sync the sta data, mask the rx_mcs with what the hardware is
able to do so that we do not leave, e.g., a 2nd stream enabled on a 1x1
chipset.
iwlwifi(4) has a further check for the smps_mode to limit to NSS=1 but
I believe that is historic and not actually in use anymore.

This fixes firmware crashes on TLC updates with nss=1 but the nss=2 array
index also being populated (with HT/VHT80/160 mcs information):
data being populated:
  iwlwifi0: 0x20101A0D | ADVANCED_SYSASSERT
  iwlwifi0: 0x00000006 | umac data1
  iwlwifi0: 0x00000001 | umac data2
  iwlwifi0: 0x000003FF | umac data3
  iwlwifi0: 0x____050F | last host cmd

Reported by:    Claudio Zumbo (claudiozumbo gmail.com), Erik Power
Tested by:      Claudio Zumbo, Erik Power (eppower umich.edu)

    [3 lines not shown]
DeltaFile
+71-28sys/compat/linuxkpi/common/src/linux_80211.c
+71-281 files

HardenedBSD/src ed29ffdsys/compat/linuxkpi/common/src linux_pci.c

LinuxKPI: pci: undo the pci_resource_len() check in lkpi_pci_request_region()

Creating non-passthru SR-IOV interfaces on a mlx5en(4) failed.
The problem lies in the pci_resource_len() call but not that the BAR length
is tmeporary 0 but in that we call lkpi_pci_get_bar() with a true argument
which will create the BAR resource for us and report the approriate length
back.  However, the later call to bus_alloc_resource_any() will then fail
given the resource already exists.

Restore the previous behaviour and let bus_alloc_resource_any() do the
work.  Adjust the return values from -ENODEV to -EBUSY to match callers
expectations.

In linuxkpi_pcim_request_all_regions(), like in linuxkpi_pci_request_regions(),
filter out the -EBUSY errors as "not an error" and try the next bar.
This also seems to be consistent with the expectations of the callers.

PR:             290793
Reported by:    David BOYER (jcduss13 gmail.com)

    [6 lines not shown]
DeltaFile
+3-10sys/compat/linuxkpi/common/src/linux_pci.c
+3-101 files

HardenedBSD/ports 6a10b6blang/janet distinfo Makefile

lang/janet: update to v1.40.1

Differential Revision: https://reviews.freebsd.org/D54027
DeltaFile
+3-3lang/janet/distinfo
+1-1lang/janet/Makefile
+4-42 files

HardenedBSD/ports ab724e5sysutils/bastille distinfo pkg-descr

sysutils/bastille: Upgrade port to 1.2.0.251201

Co-authored-by: Michael Osipov <michaelo at FreeBSD.org>
PR:             291338
Approved by:    michaelo
MFH:            2025Q4
Release Notes:  https://github.com/BastilleBSD/bastille/releases/tag/1.2.0.251201
DeltaFile
+3-3sysutils/bastille/distinfo
+3-1sysutils/bastille/pkg-descr
+1-1sysutils/bastille/Makefile
+7-53 files

HardenedBSD/ports 9ac46aadevel/py-propcache/files patch-packaging_pep517__backend__backend.py

devel/py-propcache: fix build by ignoring cython version

Approved by:    portmgr blanket
DeltaFile
+11-0devel/py-propcache/files/patch-packaging_pep517__backend__backend.py
+11-01 files

HardenedBSD/ports 62d8b19www/qutebrowser distinfo Makefile

www/qutebrowser: update to 3.6.3
DeltaFile
+3-3www/qutebrowser/distinfo
+1-1www/qutebrowser/Makefile
+4-42 files

HardenedBSD/ports c8a66e0audio/fluida-lv2 distinfo Makefile

audio/fluida-lv2: update 0.9.3 → 0.9.5
DeltaFile
+3-3audio/fluida-lv2/distinfo
+1-1audio/fluida-lv2/Makefile
+4-42 files

HardenedBSD/ports 5dc2bf2mail/mailio distinfo Makefile

mail/mailio: update 0.25.1 → 0.25.3
DeltaFile
+3-3mail/mailio/distinfo
+1-2mail/mailio/Makefile
+4-52 files

HardenedBSD/ports 7a62d85audio/gmsynth-lv2 distinfo Makefile

audio/gmsynth-lv2: update 0.6.2 → 0.6.3
DeltaFile
+3-3audio/gmsynth-lv2/distinfo
+1-1audio/gmsynth-lv2/Makefile
+4-42 files

HardenedBSD/src 6924de8lib/libuvmem libuvmem.3, share/man/man4 ufintek.4

Merge remote-tracking branch 'internal/freebsd/current/main' into hardened/current/master

Conflicts:
        share/mk/src.libnames.mk (unresolved)
DeltaFile
+759-0sys/dev/usb/serial/ufintek.c
+146-21sys/kern/subr_vmem.c
+118-0share/man/man4/ufintek.4
+71-0lib/libuvmem/libuvmem.3
+37-0sys/modules/ufintek/Makefile
+15-8sys/sys/vmem.h
+1,146-299 files not shown
+1,199-3315 files

HardenedBSD/src 44d6df4sys/dev/nvme nvme.h

nvme: Use memcpy instead of memmove in nvme_cdata_get_disk_ident

These buffers should not overlap.

Reviewed by:    imp
Sponsored by:   Chelsio Communications
Differential Revision:  https://reviews.freebsd.org/D53842
DeltaFile
+1-1sys/dev/nvme/nvme.h
+1-11 files

HardenedBSD/src ef55f6bcontrib/sqlite3 sqlite3.c sqlite3.h

sqlite3: Update to 3.50.4

Release notes at https://www.sqlite.org/releaselog/3_50_4.html.

Obtained from:  https://www.sqlite.org/2025/sqlite-autoconf-3500400.tar.gz

Merge commit 'e7e917ee3cf2b3010b1c511c6ebaf8b65b983ad7'

(cherry picked from commit 07d5a9b1b2dd95d95137c6c2afcb84ad40c05b75)
DeltaFile
+122-81contrib/sqlite3/sqlite3.c
+45-45contrib/sqlite3/sqlite3.h
+1-1contrib/sqlite3/VERSION
+1-1contrib/sqlite3/sqlite3.pc.in
+1-1contrib/sqlite3/sqlite3rc.h
+170-1295 files

HardenedBSD/src 38eec1flibexec/rc/rc.d ippool

ipfilter: Load optionlist prior to ippool invocation

As a safety precaution df381bec2d2b limits ippool hash table size to 1K.
This causes any legitimely large hash table to fail to load. The
htable_size_max ipf tuneable adjusts this but the adjustment is made
in the ipfilter rc script, invoked after the ippool script (because it
depends on ippool). Let's load the ipfilter_optionlist in ippool as well.
ipfilter_optionlist load will also occur in the ipfilter rc script in case
the user uses ipfilter without ippool.

Fixes:          df381bec2d2b

(cherry picked from commit d5d005e9bf4933d5680dd0bb5d42bdf440122aa4)
DeltaFile
+3-0libexec/rc/rc.d/ippool
+3-01 files

HardenedBSD/src d712976libexec/rc/rc.d ippool

ipfilter: Load optionlist prior to ippool invocation

As a safety precaution df381bec2d2b limits ippool hash table size to 1K.
This causes any legitimely large hash table to fail to load. The
htable_size_max ipf tuneable adjusts this but the adjustment is made
in the ipfilter rc script, invoked after the ippool script (because it
depends on ippool). Let's load the ipfilter_optionlist in ippool as well.
ipfilter_optionlist load will also occur in the ipfilter rc script in case
the user uses ipfilter without ippool.

Fixes:          df381bec2d2b
(cherry picked from commit d5d005e9bf4933d5680dd0bb5d42bdf440122aa4)
DeltaFile
+3-0libexec/rc/rc.d/ippool
+3-01 files

HardenedBSD/src 07d5a9bcontrib/sqlite3 sqlite3.c sqlite3.h

sqlite3: Update to 3.50.4

Release notes at https://www.sqlite.org/releaselog/3_50_4.html.

Obtained from:  https://www.sqlite.org/2025/sqlite-autoconf-3500400.tar.gz

Merge commit 'e7e917ee3cf2b3010b1c511c6ebaf8b65b983ad7'
DeltaFile
+122-81contrib/sqlite3/sqlite3.c
+45-45contrib/sqlite3/sqlite3.h
+1-1contrib/sqlite3/VERSION
+1-1contrib/sqlite3/sqlite3.pc.in
+1-1contrib/sqlite3/sqlite3rc.h
+170-1295 files

HardenedBSD/src e7e917e. sqlite3.c sqlite3.h

sqlite3: Vendor import of sqlite3 3.50.4

Release notes at https://www.sqlite.org/releaselog/3_50_4.html.

Obtained from:  https://www.sqlite.org/2025/sqlite-autoconf-3500400.tar.gz
DeltaFile
+122-81sqlite3.c
+45-45sqlite3.h
+1-1VERSION
+1-1sqlite3.pc.in
+1-1sqlite3rc.h
+170-1295 files

HardenedBSD/src 1630af4sys/amd64/include vmm.h, sys/amd64/vmm vmm.c vmm_dev.c

vmm: Fix a deadlock between vm_smp_rendezvous() and vcpu_lock_all()

vm_smp_rendezvous() invokes a callback on all vCPUs, blocking the
initiator until all vCPUs have responded.  vcpu_lock_all() blocks each
vCPU by waiting for it to go idle and setting the vCPU state to frozen.
These two operations can deadlock on each other, particularly when
booting a Windows guest, when vcpu_lock_all() blocks waiting for a
rendezvous initiator, and the initiator is blocked waiting for the vCPU
thread which called vcpu_lock_all() to invoke the rendezvous callback.

Implement vcpu_lock_all() in a way that avoids deadlocks with
vm_smp_rendezvous().  In particular, when traversing vCPUs, invoke the
rendezvous callback on the vCPU's behalf to help the initiator finish.
We can only safely do so when the vCPU is IDLE or we have already locked
it, otherwise we may be racing with the target vCPU thread.  Thus:
- Use an exclusive lock to serialize vcpu_lock_all() callers, which lets
  us lock vCPUs out of order without fear of deadlock with parallel
  vcpu_lock_all() callers.
- If a rendezvous is pending, lock all idle vCPUs and invoke the

    [16 lines not shown]
DeltaFile
+148-29sys/amd64/vmm/vmm.c
+7-23sys/amd64/vmm/vmm_dev.c
+2-1sys/amd64/include/vmm.h
+157-533 files

HardenedBSD/ports a3185a4graphics/partio distinfo Makefile, graphics/partio/files patch-src_py_partio.i patch-src_tools_partedit.py

graphics/partio: update the port to the latest version 1.19.2

Replace our SWIG interface patch with two ones from upstream:
- Add typemaps to ensure that the std::map parameters work
  as expected
- Add overloaded methods to avoid ambiguous parameter errors
  in newer versions of SWIG

Reported by:    portscout
DeltaFile
+0-13graphics/partio/files/patch-src_py_partio.i
+0-11graphics/partio/files/patch-src_tools_partedit.py
+7-3graphics/partio/distinfo
+5-1graphics/partio/Makefile
+1-1graphics/partio/pkg-plist
+13-295 files

HardenedBSD/src f417c9esys/powerpc/include _stdint.h

powerpc/_stdint.h: fix SIG_ATOMIC_{MIN,MAX,WIDTH}

On powerpc/powerpc64, sig_atomic_t is an int, but was treated as if
it was a long by <machine/_stdint.h>.  This was finally caught by the
unit test added with 4a1c752 / D53831.

Reported by:    kib
Reviewed by:    kib, imp
Approved by:    markj (mentor)
Fixes:          c3e289e1ce8c9af8d14e9f727632e22b3bf901f9
MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D54026
DeltaFile
+5-10sys/powerpc/include/_stdint.h
+5-101 files

HardenedBSD/ports fb1e76asysutils/eksctl distinfo Makefile

sysutils/eksctl: Update to 0.220.0

Changelog:
https://github.com/eksctl-io/eksctl/releases/tag/v0.220.0
DeltaFile
+5-5sysutils/eksctl/distinfo
+2-2sysutils/eksctl/Makefile
+7-72 files

HardenedBSD/ports 067cf89sysutils/awslim/files modules.txt go.sum, sysutils/cbsd pkg-plist

Merge branch 'freebsd/main' into hardenedbsd/main
DeltaFile
+2,261-0sysutils/awslim/files/modules.txt
+877-0sysutils/awslim/files/go.sum
+439-0sysutils/awslim/files/go.mod
+182-160sysutils/cbsd/pkg-plist
+6-325www/npm-node24/pkg-plist
+149-117textproc/television/distinfo
+3,914-602388 files not shown
+5,817-2,010394 files

HardenedBSD/ports 7a500danet/syncthing distinfo Makefile

net/syncthing: Update to 2.0.12

re: https://github.com/syncthing/syncthing/releases/tag/v2.0.12

Sponsored by:   My local coffee shop
DeltaFile
+3-3net/syncthing/distinfo
+1-1net/syncthing/Makefile
+4-42 files

HardenedBSD/ports f95509esecurity/py-pyscard distinfo Makefile

security/py-pyscard: update to 2.3.1

PR:             291291
Approved by:    maintainer
DeltaFile
+3-3security/py-pyscard/distinfo
+1-1security/py-pyscard/Makefile
+4-42 files