networkd: fix for networkd crash when client sends Option 82 via SendOption=
When a DHCP client uses SendOption=82:string:..., option_append() calls
the SD_DHCP_OPTION_RELAY_AGENT_INFORMATION case which was written for
the server relay path. It casts optval to sd_dhcp_server* and calls
strlen() on its members, but optval is actually raw binary data from
the client, causing SIGSEGV. The same is applicable when option 43 and
option 77 are passed to SendOption.
Fix by checking optlen > 0 and appending the option as a plain TLV,
skipping the server-specific relay agent logic.
Luca Boccassi [Mon, 9 Mar 2026 11:25:50 +0000 (11:25 +0000)]
nsresourced: downgrade benign log message to debug
This is very noisy as there's a dozen of these message every
time it gets called, and it's not really an error but an
expected situation, so downgrade from info to debug
* 56e0eed69a Update changelog for 260~rc2-1 release
* 36e6a6d247 Install new files
* 692d0ffde5 Install new files for upstream build
* 04e77a9300 Enable getty@ via packaging scriptlets, not static anymore
* 65e7898ab5 Remove build-depend on rsync, meson is new enough
* 1ab5e82a93 Update changelog for 260~rc1-2 release
* 17a8004c53 sd-boot-efi: do not pick up hwids, they are shipped by sd-ukify
* b620f379b3 Update changelog for 260~rc1-1 release
* 8eb95fc404 Drop unused Lintian overrides
* 82a111e7ef Update symbols file for v260~rc1
* 9cb8e0457b Disable remaining deprecated sysv interfaces
* 100d97ba82 Install new files for v260~rc1
* b8e9e50f4d initramfs-tools: copy udev link files from /usr/local/lib/systemd/network too
Yu Watanabe [Tue, 10 Mar 2026 00:18:48 +0000 (09:18 +0900)]
semaphore: use Ubuntu 24.04
Semaphore CI/CD now emits the following error.
```
OS image 'ubuntu2004' for machine type 'e1-standard-2' is currently in a brownout phase.
Please use another OS image.
```
Let's use newer image.
Yu Watanabe [Mon, 9 Mar 2026 04:24:03 +0000 (13:24 +0900)]
sd-device: refuse spurious properties
Properties are set through uevent, udev rules, or program output by IMPORT.
They may contain spurious characters and udev database parsers may be confused.
Let's refuse spurious properties.
When using systemd-mount to create a transient .mount/.automount file
for removable storage, the option to specify the idle timeout on the
commandline using **--timeout-idle-sec=SEC** is not reflected in the
generated .automount file. Instead, the idle timeout is always set to 1
second.
arg_timeout_idle_set was never set to true when passing the argument, so
arg_timeout_idle was always set to 1s.
Daan De Meyer [Mon, 9 Mar 2026 09:33:20 +0000 (10:33 +0100)]
ci: Don't cancel in progress jobs for claude-review workflow
This workflow runs on any comment to a github PR. 99% of the time the
workflow will be skipped yet it will still cancel any previous ongoing
workflows. Let's not cancel in progress workflow but instead queue the
workflow so we don't cancel in progress reviews any time a comment is
posted on a PR that is being reviewed.
Daan De Meyer [Fri, 6 Mar 2026 14:58:06 +0000 (15:58 +0100)]
ci: privilege-separate Claude review workflow
The workflow is split into two jobs for least-privilege:
1. 'review' job — runs Claude with read-only permissions (contents: read,
id-token: write for AWS OIDC, actions: read). Claude produces a structured
JSON review via --json-schema with a 'comments' array and a 'summary'
string. Its tools are restricted to read-only operations (Read, LS, Grep,
Glob, Task, and various Bash prefixes for common read-only commands).
Claude also has access to CI MCP tools to analyze failed workflow runs.
2. 'post' job — only has pull-requests: write. Reads the structured JSON
output from the review job and posts inline comments individually (so
re-runs only add new comments). Maintains a tracking comment with a
<!-- claude-pr-review --> marker that is created on first run and updated
in-place on subsequent runs, preserving existing item order, wording,
and checkbox state. Posts a notification comment when the tracking
comment is updated or left unchanged.
Comment deduplication is handled by Claude in the prompt rather than in
the posting script, allowing for better semantic understanding of whether
two comments address the same issue.
The PR number is resolved via github.event.pull_request.number with a
fallback to github.event.issue.number for issue_comment events where
github.event.pull_request is not populated. The concurrency group uses
the same fallback.
Yu Watanabe [Mon, 9 Mar 2026 02:46:01 +0000 (11:46 +0900)]
network: route bound to a link requires the link is up
We checked if the link is up only when configuring (explicit) nexthop,
but we did not checked that when configuring route which has (implicit)
nexthop.
Let's move the checks from nexthop_is_ready_to_configure() to
gateway_is_ready(), which is called for both implicit and explict
nexthops.
Yu Watanabe [Mon, 9 Mar 2026 02:30:54 +0000 (11:30 +0900)]
network: check if gateway is ready only when the nexthop is bound to link
Currently, we support three types of nexthop:
1. simple nexthop, which is bound to link, may have specific gateway
address,
2. blackhole nexthop, which is global configuration and is not bound to
any links,
3. group nexthop, which is also global configuration and is not bound to
any links.
Thus, gateway_is_ready() is only necessary to call for simple nexthop
case. Let's make the logic simpler.
Luca Boccassi [Sat, 7 Mar 2026 10:55:42 +0000 (10:55 +0000)]
Translations update from Fedora Weblate (#40984)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
A S Alam [Sat, 7 Mar 2026 01:58:35 +0000 (01:58 +0000)]
po: Translated using Weblate (Punjabi)
Currently translated at 34.5% (92 of 266 strings)
Co-authored-by: A S Alam <aalam@users.noreply.translate.fedoraproject.org>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/pa/
Translation: systemd/main
Add a simple fuzzer that verifies our machinery for parsing user records
from JSON works as intended.
The initial corpus was created with the help of Claude, so we have a
bunch of valid user records with as much fields as possible for the
initial corpus.
The fido2_hmac_salt/fido2_hmac_credential/recovery_key fields kept
leaking memory as the array itself wasn't deallocated after deallocating
each of its elements data:
Direct leak of 112 byte(s) in 1 object(s) allocated from:
#0 0x7f56f00e5e4b in realloc.part.0 (/lib64/libasan.so.8+0xe5e4b) (BuildId: 25975f766867e9e604dc5a71a8befeaed3301942)
#1 0x7f56ed869e42 in greedy_realloc ../src/basic/alloc-util.c:65
#2 0x7f56ed7ff5e9 in dispatch_fido2_hmac_salt ../src/shared/user-record.c:836
#3 0x7f56edd73cbc in sd_json_dispatch_full ../src/libsystemd/sd-json/sd-json.c:5204
#4 0x7f56edd745fc in sd_json_dispatch ../src/libsystemd/sd-json/sd-json.c:5276
#5 0x7f56ed80100b in dispatch_privileged ../src/shared/user-record.c:998
#6 0x7f56edd73cbc in sd_json_dispatch_full ../src/libsystemd/sd-json/sd-json.c:5204
#7 0x7f56edd745fc in sd_json_dispatch ../src/libsystemd/sd-json/sd-json.c:5276
#8 0x7f56ed80622c in user_record_load ../src/shared/user-record.c:1697
#9 0x000000408c15 in display_user ../src/userdb/userdbctl.c:447
#10 0x7f56ed83cc9a in dispatch_verb ../src/shared/verbs.c:137
#11 0x00000041df2b in run ../src/userdb/userdbctl.c:1908
#12 0x00000041dfbe in main ../src/userdb/userdbctl.c:1911
#13 0x7f56ec8105b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4) (BuildId: 2b5beec0fd24fe9c9f43eddfdd5facf0b8a1b805)
#14 0x7f56ec810667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667) (BuildId: 2b5beec0fd24fe9c9f43eddfdd5facf0b8a1b805)
#15 0x000000404a44 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/userdbctl+0x404a44) (BuildId: 19e8b7e7b7038d2cea20bc18a55bea2a9e4406d5)
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7f56f00e5e4b in realloc.part.0 (/lib64/libasan.so.8+0xe5e4b) (BuildId: 25975f766867e9e604dc5a71a8befeaed3301942)
#1 0x7f56ed869e42 in greedy_realloc ../src/basic/alloc-util.c:65
#2 0x7f56ed7fe779 in dispatch_fido2_hmac_credential_array ../src/shared/user-record.c:775
#3 0x7f56edd73cbc in sd_json_dispatch_full ../src/libsystemd/sd-json/sd-json.c:5204
#4 0x7f56edd745fc in sd_json_dispatch ../src/libsystemd/sd-json/sd-json.c:5276
#5 0x7f56ed80622c in user_record_load ../src/shared/user-record.c:1697
#6 0x000000408c15 in display_user ../src/userdb/userdbctl.c:447
#7 0x7f56ed83cc9a in dispatch_verb ../src/shared/verbs.c:137
#8 0x00000041df2b in run ../src/userdb/userdbctl.c:1908
#9 0x00000041dfbe in main ../src/userdb/userdbctl.c:1911
#10 0x7f56ec8105b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4) (BuildId: 2b5beec0fd24fe9c9f43eddfdd5facf0b8a1b805)
#11 0x7f56ec810667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667) (BuildId: 2b5beec0fd24fe9c9f43eddfdd5facf0b8a1b805)
#12 0x000000404a44 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/userdbctl+0x404a44) (BuildId: 19e8b7e7b7038d2cea20bc18a55bea2a9e4406d5)
SUMMARY: AddressSanitizer: 176 byte(s) leaked in 2 allocation(s).
shared/format-table: fix potential memleaks of d->formatted
We don't always return d->formatted, even if it is available. And
depending on the cell type, we'd either overwrite it directly or free
first. Let's always free it upfront and then set unconditionally.
(In this case, we don't need to spend effort on preserving the
existing value. It's just a cache.) Setting the variable directly
allows many temporary variables to be eliminated.
Also use asprintf_safe() to simplify the allocation of the buffer.
This is probably a tiny bit slower than the direct allocation, but
table formatting shouldn't be a hot path.
asprintf is nice to use, but the _documented_ error return convention is
unclear:
> If memory allocation wasn't possible, or some other error occurs,
> these functions will return -1, and the contents of strp are undefined.
What exactly "undefined" means is up for debate: if it was really
undefined, the caller wouldn't be able to meaningfully clean up, because
they wouldn't know if strp is a valid pointer. So far we interpreted
"undefined" — in some parts of the code base — as "either NULL or a
valid pointer that needs to be freed", and — in other parts of the
codebase — as "always NULL". I checked glibc and musl, and they both
uncoditionally set the output pointer to NULL on failure.
There is also no information _why_ asprintf failed. It could be an
allocation error or format string error. But we just don't have this
information.
Let's add a wrapper that either returns a good string or a NULL pointer.
Since there's just one failure result, we don't need a separate return
value and an output argument and can simplify callers.
It's actually only used in one place in libsystemd and moving it even makes
libsystemd smaller (in a non-optimized build):
$ ls -l build/libsystemd.so.0.43.0*
-rwxr-xr-x 1 zbyszek zbyszek 5763336 Mar 3 09:54 build/libsystemd.so.0.43.0-old
-rwxr-xr-x 1 zbyszek zbyszek 5763216 Mar 3 09:54 build/libsystemd.so.0.43.0
Also, move the definitions in the .h file so that similar functions are
grouped together and then move the definitions around in the .c file so
that they are in the same order as in the header.
Daan De Meyer [Fri, 6 Mar 2026 14:06:36 +0000 (15:06 +0100)]
ci: Make claude action review PRs only and fix the instructions
Turns out the claude code action has issues reviewing PRs from forks
(https://github.com/anthropics/claude-code-action/issues/939). Let's
reuse the approach from https://github.com/pzmarzly/demo--claude-bot-reviews
instead (which I've explicitly asked permission for to reuse).
Unlike the linked demo, we still insist on a comment by a maintainer
before claude reviews the PR.
sd-varlink: pin error message while we invoke a reply callback
Let's make sure the parameters/error pointers into the message remain
valid as long as the reply callback is running, even if the reply
otherwise resets the pending message.
Daan De Meyer [Fri, 6 Mar 2026 09:17:01 +0000 (10:17 +0100)]
agent: Minimize the amount of instructions in AGENTS.md
Let's only keep instructions for stuff that we've seen the AI
mess up in practice rather than having a bunch of AI generated
text that it can figure out for itself these days (given it was
trained on systemd's source code in the first place).
Also add a rule to use git worktrees and check out PRs locally when
reviewing them, since I've seen it mess that up in practice.
This will allow maintainers to mention claude in comments on issues and
prs to do stuff like review something or try to reproduce a bug or other
stuff. Let's give it a try and see whether we like it or not.
Daan De Meyer [Fri, 6 Mar 2026 07:54:33 +0000 (08:54 +0100)]
Move AI instructions to AGENTS.md
This seems to be what all the tools are standardizing on, except
claude (https://github.com/anthropics/claude-code/issues/6235) so
add a symlink from CLAUDE.md to AGENTS.md for now until they support
it as well.
Luca Boccassi [Fri, 6 Mar 2026 00:29:03 +0000 (00:29 +0000)]
Translations update from Fedora Weblate (#40968)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
Ronan Pigott [Thu, 5 Mar 2026 22:42:30 +0000 (15:42 -0700)]
zsh: fixup some recent zsh completers
These two completers are written in a stacked _arguments style, and some
generic options are valid before or after the verb. If the toplevel
_arguments is permitted to match options after the verb, it will halt
completion prematurely, so stop toplevel matching after the verb.
This corrects the following error:
$ userdbctl --output=class user <TAB> # completes users
$ userdbctl user --output=class <TAB> # completes nothing
Daan De Meyer [Thu, 5 Mar 2026 20:39:14 +0000 (21:39 +0100)]
ci: Add claude code github action
This will allow maintainers to mention claude in comments on issues
and prs to do stuff like review something or try to reproduce a bug
or other stuff. Let's give it a try and see whether we like it or
not.
Suppress warnings like the following from clang tidy:
```
../src/boot/addon.c:11:19: error: function 'efi_main' can be made static to enforce internal linkage [misc-use-internal-linkage,-warnings-as-errors]
11 | EFIAPI EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *system_table);
| ^
```
Some warnings are suppressed simply by setting comments to ignore the warning,
some are by making global variables static, or include a suitable header.
Luca Boccassi [Thu, 5 Mar 2026 17:19:19 +0000 (17:19 +0000)]
libcrypt: also try to dlopen libcrypt.so.1.1
On top of libcrypt.so.2 and libcrypt.so.1, also try libcrypt.so.1.1
as a third fallback. This is used on debian alpha, and it was
reported that it is intended to ship like that, with a different
SONAME than other architectures:
Fergus Dall [Sun, 30 Nov 2025 05:38:49 +0000 (16:08 +1030)]
pcrlock: Record predictions at start of component range
Currently pcrlock won't predict PCR values that would be present at the start
of the requested location range (unless there are no events for that PCR in the
location range). This means predictions for the default range 760:940, which is
intended to start just after entering the initrd, are not actually possible to
fulfill until after the initrd is exited (or possibly even later, depending on
what other events are recorded).
Fix this by recording predictions immediately prior to processing components
after the start point.
Hans de Goede [Thu, 5 Mar 2026 13:20:06 +0000 (14:20 +0100)]
boot: Make missing CHID DTB match a debug message instead of an error
With distributions like Ubuntu and Fedora using systemd-stub to auto load
DTB's on Windows on ARM laptops, the CHID DTB match failing is expected
when that same UKI is instead booted on an ARM SystemReady system where
no DTB is necessary.
In the ARM SystemReady case showing a big red error message is undesirable
and leads to confused users and bug-reports. Lower the message to debug
level when the status is EFI_NOT_FOUND to avoid these false positive error
messages.
Michal Sekletar [Wed, 25 Feb 2026 18:45:55 +0000 (19:45 +0100)]
core: cleanup unit's dropin directories from global cache
When user creates dropin files via API (e.g. systemctl set-property ...)
we put the dropin directory path into unit_path_cache. Drop those
directories from the cache in unit_free() and prevent memory leak.
Currently, parsing zlib.h on Fedora (and possibly others) causes spatch
to fail with an assertion. Let's work around that by defining two extra
macros in our Coccinelle parsing hacks.
projects / thirdparty / systemd.git / log
