Karel Zak [Tue, 14 Jul 2026 12:48:39 +0000 (14:48 +0200)]
docs: findmnt: clarify that --target returns one filesystem
The --target option identifies the filesystem for a given path, and a
file always resides on exactly one filesystem. Document that --target
returns at most one entry and skips over-mounted entries.
Addresses: https://github.com/util-linux/util-linux/issues/4424 Signed-off-by: Karel Zak <kzak@redhat.com>
dengbo [Thu, 25 Jun 2026 13:52:16 +0000 (21:52 +0800)]
findmnt: skip shadowed entries when matching by --target
The previous approach filtered shadowed entries in match_func() using
mnt_table_over_fs() with is_defined_match(COL_TARGET) as the trigger.
This was fragile because COL_TARGET matching is also enabled by other
code paths (source/target swap fallback in get_next_fs(), poll_match()
swap logic, and positional arguments).
Replace with the standard mountinfo iteration pattern: read
/proc/self/mountinfo backward (MNT_ITER_BACKWARD), stop at the first
match (FL_FIRSTONLY), and disable source/target swapping
(FL_NOSWAPMATCH). Since later mounts appear later in mountinfo,
backward iteration naturally finds the visible (topmost) filesystem
for the given target path.
Karel Zak [Thu, 9 Jul 2026 14:44:20 +0000 (16:44 +0200)]
Merge branch 'PR/libblkid-vfs' of https://github.com/karelzak/util-linux-work
* 'PR/libblkid-vfs' of https://github.com/karelzak/util-linux-work:
lib/sysfs: add VFS parameter to sysfs_devno_is_dm_*()
lib/procfs: use VFS dispatch for read and close
lib/path: add VFS support
vfs: add FILE* stream support to the VFS abstraction layer
vfs: move mode2flags() to include/vfs.h as ul_mode_to_flags()
wipefs: use blkid_probe_open_device()
libblkid: use blkid_probe_open_device() in evaluate and verify
libblkid: add blkid_probe_open_device()
libblkid: use VFS I/O operations in probe
libblkid: add blkid_probe_set_vfs() for pluggable I/O
include: add VFS I/O abstraction layer
all-io: rename read_all/write_all to ul_read_all/ul_write_all
Karel Zak [Tue, 30 Jun 2026 15:30:33 +0000 (17:30 +0200)]
lib/sysfs: add VFS parameter to sysfs_devno_is_dm_*()
Add const struct ul_vfs_ops *vfs parameter to sysfs_devno_is_dm_hidden()
and sysfs_devno_is_dm_private() so the internal sysfs reads go through
VFS dispatch.
Wire pr->vfs in libblkid probe.c and topology/sysfs.c callers.
Non-library callers pass NULL.
Addresses: https://github.com/util-linux/util-linux/issues/4308 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 30 Jun 2026 14:53:56 +0000 (16:53 +0200)]
vfs: move mode2flags() to include/vfs.h as ul_mode_to_flags()
Move the fopen-style mode string to open(2) flags parser from
lib/path.c to include/vfs.h for reuse across the project,
especially in the upcoming ul_vfs_fopen() helper.
Addresses: https://github.com/util-linux/util-linux/issues/4308 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 30 Jun 2026 13:52:08 +0000 (15:52 +0200)]
wipefs: use blkid_probe_open_device()
Convert wipefs new_probe() to use blkid_probe_open_device() instead
of open() + blkid_probe_set_device(). The flags argument allows
passing the open mode directly.
Karel Zak [Tue, 30 Jun 2026 13:40:46 +0000 (15:40 +0200)]
libblkid: use blkid_probe_open_device() in evaluate and verify
Convert evaluate.c and verify.c to use blkid_probe_open_device()
instead of open() + blkid_probe_set_device(). This makes these
internal callers VFS-aware and simplifies fd ownership.
Clean up verify.c error paths with dev_err/dev_free labels.
Karel Zak [Tue, 30 Jun 2026 13:18:25 +0000 (15:18 +0200)]
libblkid: add blkid_probe_open_device()
Add a convenience function that opens a device and assigns it to
the probe, using VFS operations if previously set. This enables
the composable pattern:
Karel Zak [Tue, 30 Jun 2026 12:47:19 +0000 (14:47 +0200)]
libblkid: use VFS I/O operations in probe
Replace all direct I/O syscalls in the probe path with ul_vfs_*
dispatch functions that route through the pluggable VFS layer when
set, falling back to real syscalls otherwise.
Add ul_vfs_copy() to include/vfs.h for cloning VFS ops structs.
Changed call sites:
- read_buffer(): lseek + read
- is_sector_readable(): lseek + read, changed signature to take
blkid_probe instead of bare fd
- blkid_probe_set_device(): close
- blkid_do_wipe(): lseek + write_all + fsync
- blkid_free_probe(): close + free(pr->vfs)
- blkid_clone_probe(): allocate private VFS copy via ul_vfs_copy()
Addresses: https://github.com/util-linux/util-linux/issues/4308 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 30 Jun 2026 12:38:56 +0000 (14:38 +0200)]
libblkid: add blkid_probe_set_vfs() for pluggable I/O
Add public API to set custom VFS I/O operations on a blkid probe.
This allows callers (e.g., systemd fibers) to replace standard
read/write/lseek/open/close/fsync with custom implementations.
The ops struct is copied into a private allocation owned by the
probe. NULL function pointers fall back to standard syscalls.
Passing NULL resets to defaults.
New public symbol: blkid_probe_set_vfs()
New struct in public header: struct ul_vfs_ops (with include guard
shared with include/vfs.h)
Addresses: https://github.com/util-linux/util-linux/issues/4308 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 30 Jun 2026 12:20:50 +0000 (14:20 +0200)]
include: add VFS I/O abstraction layer
Add include/vfs.h with struct ul_vfs_ops — a pluggable I/O operations
table with function pointers matching POSIX signatures (read, write,
open, close, lseek, fsync). NULL function pointers fall back to real
syscalls. The size field enables forward/backward compatible struct
evolution.
Refactor include/all-io.h to use VFS dispatch internally:
- ul_write_all() and ul_read_all() become macros calling
__write_all(NULL, ...) and __read_all(NULL, ...)
- New ul_vfs_write_all() and ul_vfs_read_all() macros pass
through a VFS ops struct for custom I/O
Addresses: https://github.com/util-linux/util-linux/issues/4308 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Thu, 9 Jul 2026 10:09:14 +0000 (12:09 +0200)]
tests: lslocks filter, workaround duplicate lines in output
Duplicate lines have been observed in lslocks output on ppc64le
(kernel 7.0). The root cause is unknown. No duplication path has
been found in the lslocks code itself.
Wrap lslocks calls in do_lslocks() helper that deduplicates
consecutive identical lines via uniq. If duplicates are detected,
warn and mark the test as KNOWN FAILED.
Karel Zak [Wed, 8 Jul 2026 12:03:43 +0000 (14:03 +0200)]
mount: fix grammar and typo in X-mount.idmap documentation
Apply grammar improvements from PR #4400 (field order change
intentionally omitted as the current order matches the code).
Also fix a GUID -> GID typo in the example.
Karel Zak [Wed, 8 Jul 2026 11:57:12 +0000 (13:57 +0200)]
tests: (chrt) improve skip_policy with runtime probe
The skip_policy function relied solely on "chrt --max" output to
detect kernel support for scheduling policies. This is unreliable
for SCHED_EXT where sched_get_priority_max() returns 0 even on
kernels without CONFIG_SCHED_CLASS_EXT, causing the test to fail
with EINVAL instead of skipping gracefully.
Rework skip_policy to accept optional chrt probe arguments and
verify actual kernel support by attempting to set the policy on
the chrt process itself (--pid 0). Cache "chrt --max" output once
at startup to avoid repeated execution.
Additionally, filter the platform-dependent runtime parameter from
do_chrt output unless --sched-runtime was explicitly used. This
removes the need for kernel version gating on the basic batch and
other subtests, allowing them to run on all kernel versions.
Fixes: https://github.com/util-linux/util-linux/issues/4429 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Wed, 8 Jul 2026 09:28:22 +0000 (11:28 +0200)]
Merge branch 'col-cur-col-underflow' of https://github.com/aizu-m/util-linux
* 'col-cur-col-underflow' of https://github.com/aizu-m/util-linux:
col: guard c_width sign before size_t cast in BS branch
col: fix cur_col underflow on backspace over a wide char
Modifies setpriv to support the securebits `no_cap_ambient_raise`,
`exec_restrict_file`, `exec_deny_interactive`, and each of their
`_locked` variants.
The NO_CAP_AMBIENT_RAISE securebit was added in Linux 4.3, and the
EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits were added in
Linux 6.14.
Karel Zak [Tue, 7 Jul 2026 09:19:07 +0000 (11:19 +0200)]
Merge branch 'feat/4117-agetty-no-login-message' of https://github.com/mvanhorn/util-linux
* 'feat/4117-agetty-no-login-message' of https://github.com/mvanhorn/util-linux:
agetty: clarify nologin message and skip login wait under --chroot
agetty: handle systems without a shell or /bin/login
libblkid: (iso9660) fix out-of-bounds read of root dir record
root_len comes from the on-disk root directory record (rdr+10) and was only rejected when zero. The extent is then mapped for min(root_len, 2048) bytes and the first record is validated by reading rootdata[0], rootdata[32], rootdata[33] and isonum_731(rootdata+2). blkid_probe_get_buffer() only rounds a request up to io_size when the rounded region still fits the probing area, so a root extent sitting in the final partial io_size block of a crafted image returns a buffer of exactly root_len bytes. With root_len between 1 and 33 and rootdata[0] >= 34, the validation reads offsets 32/33 past that buffer. Reject an extent too small to hold the 34-byte record, which the surrounding comment already assumes.
Matt Van Horn [Sat, 4 Jul 2026 03:48:16 +0000 (20:48 -0700)]
agetty: clarify nologin message and skip login wait under --chroot
Address review notes from Karel: reword DEFAULT_NOLOGIN_MESSAGE so it
tells the user a keypress re-checks for the login program, and skip
wait_for_login_program() when --chroot is used since the path check
would test the wrong root. Update the man page accordingly.
Signed-off-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
libmount provides a context API that can be used to replace
the fork+exec code pattern needed to leverage umount(8).
This does not only simplify the code base but also removes
the concern for signal handling due to a wait(2) call, avoids
forking and allocating additional system resources, reduces
security management and makes the code more consistent as other
functions were already using some libmount functionalities.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
col: fix cur_col underflow on backspace over a wide char
The BS handler in handle_not_graphic() subtracts the last stored
character's width from lns->cur_col (a size_t) and only guards against
cur_col == 0. When the last graphic character is double-width and the
column was reset by CR then advanced by a single space, cur_col is 1 and
cur_col -= 2 wraps to SIZE_MAX. That feeds l_max_col and the stored
c_column, so flush_line() sizes count[] as l_max_col + 1 (== 0) and then
memsets sizeof(size_t) * l_max_col bytes and indexes count[SIZE_MAX] --
an out-of-bounds write reachable from stdin under a UTF-8 locale. Clamp
the subtraction so the column cannot go below zero.
Karel Zak [Wed, 1 Jul 2026 10:49:25 +0000 (12:49 +0200)]
libmount: add mnt_table_parse_utab()
Add new public API to parse the utab file into a table. The utab path
and format are private library details; this function hides them from
callers. NULL as filename is recommended to let the library determine
the correct path.
This is needed by systemd for incremental fanotify-based mount
monitoring, where utab needs to be parsed independently of the full
mountinfo/listmount rescan path.
Karel Zak [Tue, 30 Jun 2026 10:49:26 +0000 (12:49 +0200)]
libsmartcols: reject large interval repetition bounds in filter regex
ERE interval expressions like {,32232} cause glibc regcomp() to
allocate gigabytes for the NFA, triggering OOM even on tiny inputs.
The existing consecutive-quantifier and nested-group checks do not
catch this pattern.
Scan numbers inside {...} and reject any bound exceeding
SCOLS_FILTER_MAX_REPCNT (1024). Document the new limit in
scols-filter(5).
Addresses: https://oss-fuzz.com/testcase-detail/6017673394454528 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 30 Jun 2026 08:37:06 +0000 (10:37 +0200)]
Merge branch 'PR/libmount-utab-uniqid' of https://github.com/karelzak/util-linux-work
* 'PR/libmount-utab-uniqid' of https://github.com/karelzak/util-linux-work:
tests: (mount) strip UNIQID= from utab in special test
libmount: merge utab into listmount-based tables
libmount: use uniq_id for target mount verification
libmount: add mnt_fs_fetch_ids() and populate uniq_id for utab
libmount: fix missing space after UNIQID= in utab
libmount: copy uniq_id in mnt_copy_fs()
Chris Webb [Mon, 29 Jun 2026 15:37:27 +0000 (15:37 +0000)]
unshare: Fix --map-auto regression
Commit 07935158 fixed an unshare --user bug which wasted a UID/GID when
--map-auto was used with --map-root-user. This bug meant that, for example,
a user with a single extra UID and GID delegated to them in /etc/subuid
and /etc/subgid would not get that user or group mapped at all if they
attempted unshare -r --map-auto.
Two years later, commit b64b769b added unshare --map-subids to identity-map
subuids and subgids into a user namespace, but incorrectly removed a
load-bearing 'else if' in passing, and reintroduced the original bug.
Ironically, map->inner != -1 for an identity mapping, so the 'if' vs
'else if' change has no effect on the --map-subids option; it only breaks
--map-auto.
Karel Zak [Mon, 29 Jun 2026 11:58:35 +0000 (13:58 +0200)]
docs: remove obsolete mount.txt, update AUTHORS
Move mount/umount original authors (Doug Quale, H.J. Lu,
Rick Sladkey, Stephen Tweedie) to the AUTHORS file. Remove
the obsolete Documentation/mount.txt with its pre-libmount
developer notes.
Karel Zak [Mon, 29 Jun 2026 11:56:25 +0000 (13:56 +0200)]
docs: integrate release-schedule.txt into HOWTO-CONTRIBUTING.md
Move the release schedule and RC cadence information into the
HOWTO-CONTRIBUTING.md file. Drop the "Release criteria" section
as tests should always pass regardless of release status.
Karel Zak [Mon, 29 Jun 2026 11:54:10 +0000 (13:54 +0200)]
docs: replace howto-*.txt with HOWTO-*.md and add AGENTS.md
Replace the eight Documentation/howto-*.txt files with four consolidated
markdown documents:
HOWTO-BUILDING.md - compilation and build system internals
HOWTO-CONTRIBUTING.md - contribution guidelines and PR workflow
HOWTO-HACKING.md - usage functions, man pages, debugging
HOWTO-TESTING.md - test framework, env variables, fuzz targets
Add AGENTS.md to the project root with AI-specific coding guidance
(code style pitfalls, return conventions, memory management, commit
message format) and links to the new documentation files.
Rename 00-about-docs.txt to 00-about-docs.md with updated references.
Karel Zak [Thu, 25 Jun 2026 12:52:21 +0000 (14:52 +0200)]
libmount: merge utab into listmount-based tables
Extract utab merge logic from __mnt_table_parse_mountinfo() into a
shared mnt_table_merge_utab() function and call it at the end of
mnt_table_fetch_listmount(). This makes userspace mount options
(x-systemd.*, user=, etc.) available when the mount table is obtained
via listmount/statmount syscalls.
The merge sets user_optstr directly (instead of the combined optstr)
to avoid conflicts with lazy statmount() which populates kernel
options on demand.
Add mnt_table_disable_useropts() public API to allow callers to skip
utab merging when only kernel-side data is needed.
Use the new API in findmnt --kernel=listmount to keep backward
compatible behavior (kernel-only data); users who want userspace
options can use --mtab.
Karel Zak [Thu, 25 Jun 2026 10:32:46 +0000 (12:32 +0200)]
libmount: use uniq_id for target mount verification
Prefer the unique mount ID (STATX_MNT_ID_UNIQUE) over the old mount ID
when verifying that a mount landed on the expected target in
mnt_context_reopen_target_fd(). Fall back to the old ID when uniq_id is
not available.
Karel Zak [Thu, 25 Jun 2026 10:32:31 +0000 (12:32 +0200)]
libmount: add mnt_fs_fetch_ids() and populate uniq_id for utab
Add mnt_fs_fetch_ids() helper that fetches mount IDs from the kernel
via statx(). It prefers STATX_MNT_ID_UNIQUE and falls back to the old
STATX_MNT_ID on older kernels. Accepts an optional fd argument; when
fd < 0 it falls back to path-based lookup via fs->target.
Use it in hook_create_mount() (new mount API) with fd_tree for robust
fd-based ID, and in hook_mount() (legacy mount(2)) after
reopen_target_fd with fd_target when available.
This ensures utab entries contain UNIQID, which is needed for reliable
utab merging with listmount-based tables.
Karel Zak [Thu, 25 Jun 2026 10:17:13 +0000 (12:17 +0200)]
libmount: fix missing space after UNIQID= in utab
The fprintf format for UNIQID= was missing a trailing space separator,
causing the field to run into the next field (e.g.,
"UNIQID=2147492389SRC=tmpfs").
Karel Zak [Thu, 25 Jun 2026 10:17:02 +0000 (12:17 +0200)]
libmount: copy uniq_id in mnt_copy_fs()
The mnt_copy_fs() function copies all filesystem entry fields but
missed uniq_id, causing the unique mount ID to be lost when fs entries
are duplicated (e.g., for utab updates).
WanBingjiang [Thu, 25 Jun 2026 11:08:53 +0000 (19:08 +0800)]
hexdump: stop after stdout write errors
Stop the display loop once stdout reports an error. Otherwise hexdump keeps formatting and writing after the output stream has already failed, which can loop for a long time on errors such as ENOSPC.
Save the errno from the first stdout error before cleanup can overwrite it. Report that saved error from hexdump itself and bypass close_stdout_atexit, as ferror() only preserves the stream error state and does not recover the original errno.
Add a regression test that writes hexdump output to /dev/full and checks that the command fails with the ENOSPC write error.
Karel Zak [Thu, 25 Jun 2026 13:11:19 +0000 (15:11 +0200)]
bitops: avoid macro redefinition on macOS
Newer macOS SDKs provide htobe16/htole16/be16toh/etc. via
<sys/endian.h>. Skip our OSSwap-based definitions when that
header is available to avoid -Wmacro-redefined errors.
Previously, cpu_enable() and cpu_configure() compared the number
of fails with ctx->maxcpus and if equal it returned -1, which
culminated over to an exit code of 1 (failure). Otherwise, if
there were fails but less than ctx->maxcpus the fucntions return
code 1 would result in an exit code 64 indicating partial success.
Since ctx->maxcpus describes the maximum number of CPUs supported
by the kernel, in practice, this failure mode isn't really useful
as it means that a user would need to fail the configuration of
every possible CPU. This is why chcpu(8) almost always returns 64.
It is better to store the actual amount of requested CPUs and then
compare the amount of fails to it and provide more meaningful exit
codes.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Karel Zak [Wed, 24 Jun 2026 11:29:16 +0000 (13:29 +0200)]
hwclock, rtcwake: hint about uninitialized RTC on EINVAL
Some RTC drivers (e.g., rtc-nxp-bbnsm) return EINVAL from
RTC_RD_TIME when the hardware time counter has never been
initialized. Print a hint so users know the likely cause rather
than just seeing "Invalid argument".
Karel Zak [Wed, 24 Jun 2026 11:22:12 +0000 (13:22 +0200)]
cfdisk: handle SIGHUP to avoid busy-loop on terminal loss
When the controlling terminal disappears (e.g., a web terminal
session is closed), the kernel sends SIGHUP. Without handling it,
cfdisk's getch() returns ERR in a tight loop, causing 100% CPU
usage indefinitely.
Register SIGHUP with the existing sig_handler_die() so that all
loops exit via the existing sig_die checks.
Karel Zak [Wed, 24 Jun 2026 09:56:34 +0000 (11:56 +0200)]
meson: add compile test for scandirat()
The link-only has_function() check is not sufficient on macOS where
scandirat() may exist in the SDK but is gated behind availability
annotations (e.g. macOS 26.4+). When the deployment target is older,
clang emits -Wunguarded-availability-new which -Werror turns into a
build failure.
Add a compile+link verification after the bulk function check to
detect this and disable HAVE_SCANDIRAT when the function is not
actually usable.
lijian [Wed, 24 Jun 2026 09:26:41 +0000 (11:26 +0200)]
fdisk: clean up dead code in resize_partition()
Remove unused variables 'pa', 'next', 'tb' and their corresponding
fdisk_unref_partition()/fdisk_unref_table() calls in the cleanup
path -- all three are initialized to NULL and never reassigned.
[kzak@redhat.com: - fix identification, remove also 'tb']
Signed-off-by: lijian <lijian01@kylinos.cn> Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 23 Jun 2026 14:21:39 +0000 (16:21 +0200)]
libsmartcols: reject pathological regex patterns in filter
Consecutive ERE quantifiers (e.g. a++, a**) and nested group
repetitions (e.g. (a+)+) cause glibc regcomp() to allocate gigabytes
for the NFA, triggering OOM on small inputs.
Reject such patterns in filter_compile_param() before they reach
regcomp(), and limit regex pattern size to SCOLS_FILTER_MAX_REGSZ (256
bytes). Document all filter expression limits in scols-filter(5).
Addresses: https://github.com/util-linux/util-linux/pull/4436 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 23 Jun 2026 09:52:30 +0000 (11:52 +0200)]
libsmartcols: harden filter parser against fuzzer issues
Reject non-param nodes in filter_compile_param() to prevent
type confusion when the parser passes an expression node as
a regex operand (heap-use-after-free / heap-buffer-overflow).
Limit filter expression size to SCOLS_FILTER_MAX_EXPRSZ to prevent
pathological inputs from causing unbounded memory growth in the parser
(OOM).
Addresses: https://github.com/util-linux/util-linux/pull/4430 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 23 Jun 2026 09:07:30 +0000 (11:07 +0200)]
libsmartcols: fix memory leak in filter reset
When parsing fails, filter params allocated during parsing but never
incorporated into the AST tree remain on the fltr->params list. The
reset_filter() only freed the tree via fltr->root, leaving orphaned
params leaked.
Add filter_free_params() to drain any remaining params from the list
during filter reset.
Addresses: https://github.com/util-linux/util-linux/pull/4430 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Mon, 22 Jun 2026 08:41:51 +0000 (10:41 +0200)]
libsmartcols: fix SEGV in filter_compile_param()
The val union in filter_param can hold different types (str, num, fnum,
boolean). When a non-string param (e.g. a number) is used as a regex
operand, the numeric value gets reinterpreted as a pointer through
val.str. A small number like 2 becomes pointer 0x2, which passes the
existing NULL check but crashes in regcomp().
Add a type check to reject non-string params before accessing val.str.
Addresses: https://github.com/util-linux/util-linux/pull/4430 Signed-off-by: Karel Zak <kzak@redhat.com>