Karel Zak [Tue, 2 Jun 2026 11:34:00 +0000 (13:34 +0200)]
Merge branch 'PR/hexdump-color-overflow' of https://github.com/karelzak/util-linux-work
* 'PR/hexdump-color-overflow' of https://github.com/karelzak/util-linux-work:
tests: (hexdump) use arrays for OPTS and ADDRFMT
hexdump: fix buffer overflow in color_cond()
Karel Zak [Tue, 2 Jun 2026 11:32:44 +0000 (13:32 +0200)]
Merge branch 'PR/lscpu-arm-nooverwrite' of https://github.com/karelzak/util-linux-work
* 'PR/lscpu-arm-nooverwrite' of https://github.com/karelzak/util-linux-work:
lscpu: set nooverwrite for Phytium ARM implementer
lscpu: add nooverwrite flag for ARM implementer table
lscpu: add find_implementer() for ARM implementer lookup
Liu Zheng [Tue, 2 Jun 2026 06:26:28 +0000 (14:26 +0800)]
hardlink: preserve timestamps when reflinking files
When using --reflink=always, the destination file gets the current
timestamp instead of preserving the original file's atime and mtime.
This differs from both hardlink behavior and "cp -p --reflink=always".
Add futimens() call after successful reflink to restore the original
timestamps from the target file's stat data.
Commit ded434a63f3eee7fd7805b18d6c9bb912016c3c8 ("include/mount-api-utils:
add statmount and listmount") introduce a fallback definition for the
LSMT_ROOT defined, but a small typo makes this fallback definition
ineffective:
Karel Zak [Mon, 1 Jun 2026 09:23:57 +0000 (11:23 +0200)]
readprofile: replace popen() with fork/exec for .gz map files
Security scanners repeatedly flag the popen("zcat %s", name) pattern
as a command injection vulnerability (CWE-78). While this is a false
positive -- readprofile is not installed with elevated privileges and
the filename comes from the user's own command line -- the reports are
a recurring nuisance.
The root cause is that popen() passes the command through /bin/sh,
which makes scanners flag it regardless of whether the input is
actually untrusted. Replace popen() with fork()/execlp() to invoke
zcat directly without shell interpretation. This eliminates the
shell from the execution path and silences the scanners without
adding any new dependencies.
Also use ul_endswith() for the .gz suffix check, and handle fdopen()
failure after fork to avoid fd leak and zombie process.
Karel Zak [Mon, 1 Jun 2026 11:52:33 +0000 (13:52 +0200)]
tests: (hexdump) use arrays for OPTS and ADDRFMT
Convert OPTS and ADDRFMT from plain strings to bash arrays and use
proper "${…[@]}" expansion to fix shellcheck SC2090/SC2086 warnings
about unquoted variables containing quotes/backslashes.
Karel Zak [Thu, 28 May 2026 12:01:53 +0000 (14:01 +0200)]
fstrim: resolve non-device sources to real block devices
When fstrim reads fstab entries (--fstab, --listed-in), bind mount
entries use directory paths as sources (e.g. /data/ssd/ldap) rather
than device names. Source de-duplication compares path strings, so
these never match the real device paths (e.g. /dev/mapper/foo),
causing the same filesystem to be trimmed multiple times.
Use statmount(STATMOUNT_SB_SOURCE) to resolve directory source paths
to their real block device before de-duplication. Fall back to the
original source when statmount() is unavailable.
Addresses: https://github.com/util-linux/util-linux/issues/857 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Thu, 28 May 2026 14:09:20 +0000 (16:09 +0200)]
hexdump: fix buffer overflow in color_cond()
Widen the color condition value from int (4 bytes) to int64_t (8 bytes)
to accommodate format strings with 8-byte conversion units (e.g.,
1/8 "%016x"). The memcpy() in color_cond() copies clr->range bytes
into a local variable, and for 8-byte units this overflows a 4-byte
int.
Also switch strtoul() to strtoll() in the color format parser to
correctly parse 64-bit values into the widened int64_t field.
Change hexdump_clr.range from int to size_t (a byte count should never
be negative), add a defensive guard against memcpy overflow in
color_cond(), and add an 8-byte color condition regression test.
Reported-by: Michał Majchrowicz (AFINE Team) Reported-by: Marcin Wyczechowski (AFINE Team) Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Thu, 28 May 2026 10:03:28 +0000 (12:03 +0200)]
lscpu: add nooverwrite flag for ARM implementer table
Add a nooverwrite flag to struct hw_impl. When set, vendor and model
name already provided by the kernel in /proc/cpuinfo are preserved
rather than being overwritten by the hardcoded lookup tables. The
tables serve as a fallback when the kernel does not provide the
information.
This approach keeps all implementer entries in the table, which is
also required for "lscpu --arm-id" to list all known vendors and
part IDs.
Addresses: https://github.com/util-linux/util-linux/pull/4362 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Mon, 1 Jun 2026 10:15:53 +0000 (12:15 +0200)]
Merge branch 'PR/libmount-no-symlinks' of https://github.com/karelzak/util-linux-work
* 'PR/libmount-no-symlinks' of https://github.com/karelzak/util-linux-work:
loopdev: use openat2(RESOLVE_NO_SYMLINKS) for backing file
lib/fileutils: add ul_open_no_symlinks()
Furkan Caliskan [Sun, 31 May 2026 08:36:58 +0000 (11:36 +0300)]
uclampset: fix lost-update race in set_uclamp_one()
The function unconditionally sets both SCHED_FLAG_UTIL_CLAMP_MIN and
SCHED_FLAG_UTIL_CLAMP_MAX in sa.sched_flags regardless of which values
the user actually requested to change.
This creates a lost-update race: sched_getattr() fetches the current
clamp values, but between that call and sched_setattr(), another thread
may legitimately update the value we did not intend to touch. Because
both flags are always set, sched_setattr() forces the kernel to apply
the stale cached value, silently overwriting the concurrent update.
Brian Mak [Thu, 28 May 2026 19:08:04 +0000 (12:08 -0700)]
dmesg: fix off-by-one read buffer size
PRINTK_MESSAGE_MAX is 2048 in the kernel. In a formatted record that is
exactly 2048 bytes, reading /proc/kmsg with a size of PRINTK_MESSAGE_MAX
- 1 (2047) will result in the read syscall returning -EINVAL.
We see such a case when using a large initrd, for which the kernel
outputs loading spinner characters, based on the size of the initrd. For
a large enough initrd, there will be enough spinner characters to create
several formatted records of size 2048.
We fix this by increasing the kmsg_buf size by 1, which increases the
size used by the read syscall to PRINTK_MESSAGE_MAX (2048).
Karel Zak [Thu, 28 May 2026 10:01:01 +0000 (12:01 +0200)]
lscpu: add find_implementer() for ARM implementer lookup
Refactor ARM implementer lookup into a dedicated find_implementer()
function and use it in is_arm() and arm_ids_decode() to simplify
the code and avoid open-coded linear searches.
Addresses: https://github.com/util-linux/util-linux/pull/4362 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Thu, 28 May 2026 09:05:55 +0000 (11:05 +0200)]
tests: use tar --no-same-owner for sysfs dump extraction
Use --no-same-owner when extracting sysfs dump tarballs so that
extracted files are owned by the current user rather than preserving
the original (often root) ownership from the archive.
This allows chmem tests to run without root since they only operate
on a local sysfs dump via --sysroot. The valid_zones file (0444 in
real sysfs) needs an explicit chmod u+w before the test can write
to it. Apply --no-same-owner to lsblk, lscpu, lsmem, and hardlink
tests for consistency.
Karel Zak [Thu, 28 May 2026 08:54:33 +0000 (10:54 +0200)]
chmem: simplify have_mem_blk_zones()
Use ul_path_accessf() instead of manual ul_strconcat() + ul_path_access()
+ free(). This avoids a potential NULL dereference if ul_strconcat() fails
on memory allocation.
Karel Zak [Thu, 28 May 2026 08:52:28 +0000 (10:52 +0200)]
Merge branch 'chmem_tests' of https://github.com/cgoesche/util-linux-fork
* 'chmem_tests' of https://github.com/cgoesche/util-linux-fork:
tests: (chmem) add tests for aarch64 16K 16G memory layout
chmem: add helper function to sensibly detect the 'valid_zones' attribute
tests: (chmem) add missing tests
chmem: add a new --sysroot command line option
Karel Zak [Wed, 27 May 2026 13:15:22 +0000 (15:15 +0200)]
loopdev: use openat2(RESOLVE_NO_SYMLINKS) for backing file
Use ul_open_no_symlinks() instead of open(O_NOFOLLOW) when
LOOPDEV_FL_NOFOLLOW is set. O_NOFOLLOW only rejects symlinks at the
last path component, but TOCTOU attacks swap intermediate components.
openat2(RESOLVE_NO_SYMLINKS) rejects symlinks at any component.
Karel Zak [Wed, 27 May 2026 08:35:39 +0000 (10:35 +0200)]
lib/fileutils: add ul_open_no_symlinks()
Add a helper that opens a path rejecting symlinks at any component,
not just the last one. Uses openat2(RESOLVE_NO_SYMLINKS) when
available (Linux >= 5.6), falls back to open(O_NOFOLLOW).
Karel Zak [Thu, 28 May 2026 08:14:29 +0000 (10:14 +0200)]
Merge branch 'PR/getino-op-types' of https://github.com/karelzak/util-linux-work
* 'PR/getino-op-types' of https://github.com/karelzak/util-linux-work:
getino: cleanup whitespace
getino: rename GETINO_*_NAMESPACE to GETINO_NS_*
getino: split operation type and namespace type
Karel Zak [Tue, 26 May 2026 08:57:09 +0000 (10:57 +0200)]
getino: split operation type and namespace type
Separate the single GETINO_* enum into two levels: a basic operation
type (GETINO_OP_PIDFS vs GETINO_OP_NAMESPACE) and a namespace sub-type
that directly indexes the ns_info[] array starting at 0.
This eliminates the IS_NAMESPACE_OP() macro, the get_pidfd_ns_ioctl()
and pidfd_get_nsfd_or_err() helper functions, and the unused pidfd_ioctl
field from getino_context. The dispatch in print_inode() now uses a
clean switch on ctx->op.
Karel Zak [Tue, 26 May 2026 14:16:03 +0000 (16:16 +0200)]
libfdisk: fix use of on-disk sizeof_partition_entry in GPT
The GPT code hardcodes sizeof(struct gpt_entry) (128 bytes) in
several places instead of using the on-disk sizeof_partition_entry
field from the GPT header. The UEFI specification allows entry sizes
larger than 128 bytes.
- reject GPT headers where sizeof_partition_entry is smaller than
sizeof(struct gpt_entry) to prevent out-of-bounds reads when
accessing entry array elements
- use the on-disk entry size as the qsort element stride in
gpt_reorder() to avoid corrupting entries when sizeof_partition_entry
differs from 128
- use the on-disk entry size in gpt_copy_header() when calculating
the backup partition entry array LBA
chmem: add helper function to sensibly detect the 'valid_zones' attribute
On some systems the first available memory blocks start at an index
greater than 0, and on such systems we fail to properly detect the
valid_zones attribute, because we naively checked for the presence
of the memory block directory 'memory0'. To sensibly and reliably
detect the first memory block, we can use the directory sysmem->dirs
that are sorted in numeric order, so we can assume that the first
entry is the first memory block, i.e. sysmem->dirs[0]->d_name is
the name of the first configurable memory block.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
This new option allows an administrator to configure memory
on a Linux instance other than the one on which chmem(1) is
executed. Additionally, it facilitates regression testing
with sysfs dumps.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Karel Zak [Tue, 26 May 2026 10:21:49 +0000 (12:21 +0200)]
chrt: always use sched_setattr() for all policies
Remove the set_sched_one_by_setscheduler() shortcut for non-deadline
policies from the HAVE_SCHED_SETATTR code path. The original reason
(2016, commit 88b60f0bdee6) was that sched_setattr() reset the nice
value, causing EPERM for non-root users. But getpriority() already
preserves the nice setting, making the shortcut unnecessary.
The shortcut caused --clamp-min/--clamp-max (SCHED_FLAG_UTIL_CLAMP)
to be silently ignored for SCHED_FIFO and SCHED_RR, because those
policies were routed through sched_setscheduler() which cannot pass
sched_flags at all.
Using sched_setattr() unconditionally ensures all sched_flags work
with all policies and prevents the same class of bug for future flag
additions.
Addresses: https://github.com/util-linux/util-linux/pull/4351 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 26 May 2026 10:10:42 +0000 (12:10 +0200)]
Merge branch 'chrt-util-clamp' of https://github.com/1frn10/util-linux-fork
* 'chrt-util-clamp' of https://github.com/1frn10/util-linux-fork:
chrt: Add uclamp reset support via -1 sentinel
Update schedutils/chrt.c
Update schedutils/chrt.c
chrt: Add support for SCHED_FLAG_UTIL_CLAMP
Karel Zak [Tue, 26 May 2026 09:29:46 +0000 (11:29 +0200)]
Merge branch 'PR/agetty-split' of https://github.com/karelzak/util-linux-work
* 'PR/agetty-split' of https://github.com/karelzak/util-linux-work: (24 commits)
agetty: guard conditional function declarations in header
agetty: fix path_cxt leak in credential loading
agetty: move fakehost to struct agetty_options
agetty: make longopts[] static const
agetty: move usage() and parse_args() before main()
agetty: clean up includes in agetty.c
agetty: add public domain header to all source files
agetty: remove duplicate ISSUEDIR_EXT from agetty.c
agetty: move login argv initialization to utils.c
agetty: move username to struct agetty_options
agetty: move parse_speeds() to utils.c
agetty: move init_special_char() to utils.c
agetty: move FIRST_SPEED to tty.c
agetty: use bool for struct agetty_issue bitfields
agetty: split out issue file functions to issuefile.c
agetty: move struct issue and related defines to agetty.h
agetty: split out terminal functions to tty.c
agetty: split out speed table and baud code to tty.c
agetty: move utility functions to utils.c
agetty: split out credential loading to credentials.c
...
Karel Zak [Mon, 25 May 2026 11:33:34 +0000 (13:33 +0200)]
pipesz: merge help/version getopt loop into main loop
The main() function scanned command-line options in two passes: the
first pass checked for --help/--version, and the second processed
normal options. When getopt_long encountered an unknown option in the
first pass, it printed an error message. The same error was then
printed again during the second pass, resulting in a duplicate
"unrecognized option" message.
Fix this by merging the first getopt_long loop into the main one,
following the standard util-linux convention.
Fixes: https://github.com/util-linux/util-linux/issues/3817 Signed-off-by: Karel Zak <kzak@redhat.com>
Furkan Caliskan [Fri, 15 May 2026 05:37:25 +0000 (08:37 +0300)]
chrt: Add uclamp reset support via -1 sentinel
Passing -1 to --clamp-min or --clamp-max sets the corresponding
sched_attr field to UINT32_MAX, which tells the kernel to reset
the utilization clamp to its system default. Resetting requires
kernel >= 5.11, otherwise the syscall will fail with EINVAL.
Karel Zak [Wed, 20 May 2026 10:44:21 +0000 (12:44 +0200)]
agetty: guard conditional function declarations in header
Wrap agetty_update_utmp() declaration with #ifdef SYSV_STYLE and
agetty_issue_is_changed()/agetty_reload() with #ifdef AGETTY_RELOAD
to match the guards on their definitions.
Thomas Weißschuh [Tue, 19 May 2026 20:54:44 +0000 (22:54 +0200)]
tests: fold ts_failed_subtest into ts_failed
The differences between ts_failed_subtest and ts_failed are miniminal.
Make ts_failed usable from subtest context and remove the now unnecessary
ts_failed_subtest.
Thomas Weißschuh [Tue, 19 May 2026 20:46:01 +0000 (22:46 +0200)]
tests: fold ts_skip_subtest into ts_skip
The differences between ts_skip_subtest and ts_skip are miniminal.
Make ts_skip usable from subtest context and remove the now unnecessary
ts_skip_subtest.
This allows subtests to make use of all of the convenient helpers built
around ts_skip.
Leonid Znamenok [Tue, 19 May 2026 18:41:57 +0000 (22:41 +0400)]
tests: (cramfs) restore umask after creating test input files
The cramfs doubles/mkfs/mkfs-endianness tests set "umask 133" to get
deterministic permission bits on the test input files. The umask was
never restored, so it stayed in effect for every command run later in
the test, including the build-tree mount/umount/mkfs.cramfs helpers.
When such a helper is a libtool wrapper script that has to relink its
real binary on first use (fast_install=yes), the relink runs under the
leaked umask 133 and the resulting .libs/lt-* binary is created without
execute bits (mode 0644). The wrapper then fails to exec it with
"Permission denied" (EACCES). Because the broken binary is cached, every
subsequent test using that helper fails as well:
Karel Zak [Tue, 19 May 2026 08:54:57 +0000 (10:54 +0200)]
pam_lastlog2: fix libpam linking in autotools build
Move -lpam from LDFLAGS to LIBADD. When -lpam is in LDFLAGS it
appears on the linker command line before object files, so the
--as-needed linker flag (default on Fedora) discards it before
seeing any undefined PAM symbols. This results in pam_lastlog2.so
missing libpam.so in its ELF NEEDED entries.
The module then fails to load with dlopen() if the calling process
does not itself link against libpam (e.g., systemd in Fedora 44+):
PAM unable to dlopen(pam_lastlog2.so): undefined symbol: pam_syslog
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2453457 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 19 May 2026 08:18:44 +0000 (10:18 +0200)]
libblkid: (dasd) guard against uint64 underflow in LDL size calculation
When an LDL volume label has ldl_version < 0xf2, the partition
size is derived from the device size. If the device is smaller
than the partition start offset (3 blocks), the subtraction
wraps around producing a bogus partition size.
Karel Zak [Tue, 19 May 2026 08:12:41 +0000 (10:12 +0200)]
libblkid: (dasd) add buffer size guards to helper functions
Add explicit buffer size parameters to dasd_get_volser(),
dasd_get_dsnam(), is_dasd_cdl_label(), is_dasd_ldl_label()
and is_dasd_f4_label() so that these functions can protect
against buffer overflows without relying on callers to pass
correctly sized buffers.
The conversion functions still follow the DASD standard field
sizes (DASD_VOLSER_LENGTH, sizeof DS1DSNAM), but clamp to the
buffer size as a safety net. The label detection functions
derive their minimum sizes from the actual struct offsets and
magic constants rather than hardcoded numbers.
Adam Sampson [Mon, 18 May 2026 13:41:40 +0000 (14:41 +0100)]
tests: test_scols_termreduce needs libsmartcols
This helper needs libsmartcols, so it can't be built if util-linux is
configured with --disable-libsmartcols. (It's still reasonable to want
to run the test suite in this case, for example if you're configuring
util-linux to only build libuuid.)
Karel Zak [Mon, 18 May 2026 09:59:17 +0000 (11:59 +0200)]
Merge branch 'macos' of https://github.com/t-8ch/util-linux
* 'macos' of https://github.com/t-8ch/util-linux:
ci: add a macos workflow
test_threads_create: add a macOS fallback
meson: gate test_child_create on sys/prctl.h
ctrlaltdel: pass correct integer types to printf
meson: gate irqtop on sys/epoll.h and cpu_set_t
meson: gate lsirq on cpu_set_t
meson: gate lsipc on LINUX
meson: gate pivot_root on LINUX
meson: gate lscpu on LINUX and cpu_set_t
meson: add build-lscpu option
Karel Zak [Mon, 18 May 2026 09:36:24 +0000 (11:36 +0200)]
Merge branch 'fincore_test' of https://github.com/cgoesche/util-linux-fork
* 'fincore_test' of https://github.com/cgoesche/util-linux-fork:
tests: (fincore) add --cachestat option test
fincore: define HAVE_CACHESTAT on fallback
Karel Zak [Mon, 18 May 2026 08:45:20 +0000 (10:45 +0200)]
readprofile: (man) clarify not designed for privilege-elevation use
Add a note to the DESCRIPTION that readprofile is a diagnostic tool
not intended for security-sensitive contexts (setuid, setgid, sudo).
Remove the suggestion to make readprofile set-user-ID 0 from the -r
option, and drop sudo from the example.
ionmeo [Wed, 13 May 2026 15:57:11 +0000 (11:57 -0400)]
license: switch from BSD 4-clause to 3-clause
Remove the advertising clause (clause 3) and renumber the
non-endorsement clause from 4 to 3 in all files containing the
BSD 4-clause license, following the notice issued by UC Berkeley
(quoted below).
Additional changes:
- Add SPDX-License-Identifier: BSD-3-Clause to each affected file.
- Remove the BSD-4-Clause-UC entry from README.licensing.
- Delete Documentation/licenses/COPYING.BSD-4-Clause-UC.
To all licensees, and distributors of software officially
licensed under a UC Berkeley version of the BSD license:
As you may know, certain software officially licensed by UC
Berkeley using the original 4-clause BSD license required that
further distributions of products containing all or portions of
the software acknowledge within their advertising materials that
such products contain software developed by UC Berkeley and its
contributors.
Specifically, the provision reads:
"3. All advertising materials mentioning features or use of
this software must display the following acknowledgement:
This product includes software developed by the University
of California, Berkeley and its contributors."
Effective immediately, licensees and distributors are no longer
required to include the acknowledgement within advertising
materials. Accordingly, the advertising clause 3 of the original
4-clause BSD license for any and all software officially licensed
by UC Berkeley, is hereby deleted in its entirety.
Michael Katz
Executive Director
Intellectual Property and Industry Research Alliances
University of California, Berkeley
Furkan Caliskan [Thu, 14 May 2026 11:52:22 +0000 (14:52 +0300)]
chrt: Add support for SCHED_FLAG_UTIL_CLAMP
The SCHED_FLAG_UTIL_CLAMP_MIN and SCHED_FLAG_UTIL_CLAMP_MAX flags
allow users to set utilization hints for tasks. The minimum clamp
tells the scheduler to place the task on a CPU with enough capacity,
while the maximum clamp prevents unnecessary CPU frequency boosting.
Both accept a value in the range 0-1024, where 1024 represents 100%
of maximum CPU capacity. Mainly useful on heterogeneous systems.
Add -U/--clamp-min and -X/--clamp-max options to allow users to
set these hints for any scheduling policy.
Karel Zak [Thu, 14 May 2026 10:13:39 +0000 (12:13 +0200)]
agetty: move fakehost to struct agetty_options
Move the file-scope fakehost variable into struct agetty_options
and drop the separate fakehost parameter from agetty_update_utmp()
and agetty_init_login_argv().
projects / thirdparty / util-linux.git / log
