Karel Zak [Thu, 9 Apr 2026 12:58:25 +0000 (14:58 +0200)]
Merge branch 'allow_negative_pids' of https://github.com/cgoesche/util-linux-fork
* 'allow_negative_pids' of https://github.com/cgoesche/util-linux-fork:
tests: add helper program and test for lib/pidutils.c
lib: (pidutils.c) allow zero and negative numbers for PIDs
Karel Zak [Thu, 9 Apr 2026 12:49:17 +0000 (14:49 +0200)]
Merge branch 'pam_resources' of https://github.com/stoeckmann/util-linux
* 'pam_resources' of https://github.com/stoeckmann/util-linux:
login-utils/auth: Drop pam_setcred
su: Clean up PAM resources on all error paths
login: Clean up PAM resources on error path
eject: tolerate ILLEGAL REQUEST on ALLOW_MEDIUM_REMOVAL
Some USB devices using the UAS driver do not support the SCSI
ALLOW_MEDIUM_REMOVAL command and return ILLEGAL REQUEST (sense
key 0x05). Previously, eject_scsi() treated any non-zero
driver_status as fatal, aborting before attempting START_STOP.
Now, when the device reports DRIVER_SENSE with sense key ILLEGAL
REQUEST, we continue to the START_STOP eject commands instead
of bailing out.
libblkid: Fix type access in zfs_extract_guid_name
Check if enough space is left for a 32 bit value before parsing it. This
is not a technical out of boundary issue, because due to alignment,
enough bytes are available.
It is possible to trigger an out of boundary read in zfs_process_value
if debugging is activated.
The debug message erroneously uses %*s (field width) instead of %.*s
(precision), which might lead to string output going past the boundary
of memory mapped buffer.
Fix this with proper casting: The value is always smaller than
VDEV_PHYS_SIZE (112 KB) at this stage, easily fitting into int.
A parse_dev debug line erroneously uses %*s instead of %.*s. While this
does not lead to out of boundary access because the line is properly
NUL-escaped by fgets, the output is incorrect.
Simply replace the ending char with NUL for debug, since the line is
modified a few lines below anyway. This offers more safety for
refactoring in the future if fgets is ever replaced with getline,
possibly leading to lines longer than INT_MAX.
The function blkid_probe_log_csum_mismatch is only used for debugging
purposes. Simplify the code to avoid any form of modifier for %s.
Right now, %*s is incorrect because it specifies the field width, not
the precision. This could theoretically lead to issues, but since this
function is always called with sizes of 8 or 32, it is safe.
Just make sure that the strings are always NUL-terminated, even if size
is 0 or larger than 256.
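
The difference between `%*s` and `%.*s` that the three libblkid debug-message fixes above turn on, as an added example (not util-linux code; `sample`, `fmt_width` and `fmt_precision` are hypothetical names, and the buffer is constructed so the over-read stays inside one array):

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: an 8-byte field followed directly by other data.
 * The field itself is NOT NUL-terminated; only the whole array is. */
static const char sample[] = "poolnameNEXT-RECORD";
#define FIELD_LEN 8

/* Buggy form: '*' before 's' sets the minimum field WIDTH. printf pads
 * short strings, but it still reads until it finds a NUL byte. */
static int fmt_width(char *out, size_t outsz, const char *p, size_t len)
{
	return snprintf(out, outsz, "%*s", (int) len, p);
}

/* Fixed form: '.*' sets the PRECISION, the maximum number of bytes read.
 * The argument must be an int, so clamp a size_t before casting. */
static int fmt_precision(char *out, size_t outsz, const char *p, size_t len)
{
	int prec = len > INT_MAX ? INT_MAX : (int) len;

	return snprintf(out, outsz, "%.*s", prec, p);
}

int main(void)
{
	char a[64], b[64];

	fmt_width(a, sizeof(a), sample, FIELD_LEN);
	fmt_precision(b, sizeof(b), sample, FIELD_LEN);
	printf("%%*s  -> \"%s\"\n", a);   /* runs on into the next record */
	printf("%%.*s -> \"%s\"\n", b);   /* stops after FIELD_LEN bytes */
	return 0;
}
```
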
Two manual pages recently linked into the build lacked translation
entries, leading to asciidoctor warnings. Fix these by adding them:
```
unconfigured in /home/runner/work/util-linux/util-linux/po-man/po4a.cfg: ../liblastlog2/man/ll2_new_context.3.adoc
unconfigured in /home/runner/work/util-linux/util-linux/po-man/po4a.cfg: ../liblastlog2/man/ll2_unref_context.3.adoc
```
lib: (pidutils.c) allow zero and negative numbers for PIDs
kill(1) and kill(2) man pages clearly state that 0 and negative
numbers can be used. Therefore let us adapt the internal helper
function ul_parse_pid_str() to permit this value range, as the
previous behavior regressed the kill(1) PID parsing behavior.
The uncommon value range can be controlled with two new flags
UL_PID_ZERO and UL_PID_NEGATIVE, ORed together they will allow
0 and negative values down to INT_MIN. Otherwise they can be
passed individually to only allow either. If 0 is passed only
1 up to INT_MAX values are allowed.
Closes: #4194
Closes: #4195
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
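
A PID parser with the opt-in value ranges described in the commit message above, as an added example (not the util-linux implementation; `ex_parse_pid`, `EX_PID_ZERO` and `EX_PID_NEGATIVE` are hypothetical stand-ins for `ul_parse_pid_str()` and its flags). Making the caller opt in matters because kill(2) treats pid 0 as the caller's process group and -1 as every process the caller may signal.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the UL_PID_ZERO / UL_PID_NEGATIVE flags. */
#define EX_PID_ZERO     (1 << 0)
#define EX_PID_NEGATIVE (1 << 1)

/* Parse a decimal PID string. Returns 0 and stores the value in *pid,
 * or returns -1 with errno set to EINVAL (syntax) or ERANGE (range).
 * With flags == 0 only 1..INT_MAX is accepted. */
static int ex_parse_pid(const char *str, int flags, int *pid)
{
	char *end = NULL;
	long long num;

	/* strtoll() would skip leading blanks and accept '+'; be stricter. */
	if (!str || !(isdigit((unsigned char) *str) || *str == '-')) {
		errno = EINVAL;
		return -1;
	}
	errno = 0;
	num = strtoll(str, &end, 10);
	if (errno == ERANGE)
		return -1;                      /* does not fit long long */
	if (end == str || *end != '\0') {       /* no digits or trailing junk */
		errno = EINVAL;
		return -1;
	}
	if (num > INT_MAX || num < INT_MIN
	    || (num == 0 && !(flags & EX_PID_ZERO))
	    || (num < 0 && !(flags & EX_PID_NEGATIVE))) {
		errno = ERANGE;
		return -1;
	}
	*pid = (int) num;
	return 0;
}

int main(void)
{
	int pid;

	/* kill(1)-style caller: explicitly accepts 0 and negative targets */
	return ex_parse_pid("-1", EX_PID_ZERO | EX_PID_NEGATIVE, &pid) ? 1 : 0;
}
```
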
libblkid: Ignore secondary LUKS2 header in blkid_do_safeprobe()
The secondary LUKS2 header can match file data content on other
filesystems (e.g. an image file of a LUKS2 device stored on XFS whose
data blocks happen to land at device offsets where blkid looks for the
secondary LUKS2 header). This causes blkid to report a crypto_LUKS
superblock instead of the real filesystem.
Add a new flag BLKID_PROBE_FL_SAFEPROBE and skip scanning for the
secondary LUKS2 header in blkid_do_safeprobe(). The secondary LUKS2
header is only important for wipefs which uses a promiscuous probe.
Fixes: #4170
Fixes: 8bee1a2
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
--
v2: Fix conflict with BLKID_FL_TINY_DEV flag
v3: Use pr->prob_flags instead of pr->flags
v4: Use original mask again as the use of prob_flags resolves the conflict
If PAM_REINITIALIZE_CRED fails at this point, PAM_ESTABLISH_CRED
succeeded before. Clean up credentials with PAM_DELETE_CRED in this case
just to be sure.
The CI fails the kill/name_to_number test when SIGRTMAX-0 (64)
is checked for s390x packaging. Although SIGRTMAX is a valid
signal number, kill(2) still returns EINVAL. This seems to be
related to the fact that QEMU reserves a signal number from
the high real-time signal range for internal usage, which
limits the maximum real-time signal number range.
We already check for the QEMU_USER environment variable, let us
also check if the QEMU emulator is mapped in memory for PID 1
to get more reliable information. In addition to that let's skip
RTMAX checks on s390x and QEMU emulated environments.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Karel Zak [Tue, 7 Apr 2026 18:59:42 +0000 (20:59 +0200)]
Merge branch 'PR/script-fix-arg-permutation' of https://github.com/karelzak/util-linux-work
* 'PR/script-fix-arg-permutation' of https://github.com/karelzak/util-linux-work:
script: fix command and command_norm memory leaks
script: fix backward compatibility for options after non-option args
No known systems exist which use agetty and are neither Linux, GNU,
nor FreeBSD. Even MinGW/MSYS use syslog.
Alternative systems which could use the fallback do not build agetty,
e.g. OpenIndiana or other such systems.
This gets rid of a bug in custom /dev/console code in which the
formatter could be modified by a link to agetty containing more
printf modifiers in its name.
Since chroot only changes the root directory but not current working
directory, change the current working directory as well. This rebases
all possible future relative paths into the chroot environment as well.
Karel Zak [Tue, 7 Apr 2026 16:04:30 +0000 (18:04 +0200)]
Merge branch 'PR/libmount-btrfs-raid-mounted' of https://github.com/karelzak/util-linux-work
* 'PR/libmount-btrfs-raid-mounted' of https://github.com/karelzak/util-linux-work:
tests: add btrfs RAID is-mounted test for libmount
libmount: return btrfs rootfs from get_btrfs_fs_root()
libmount: use match_source for mountinfo comparison
The file-existing subtest fails on platforms with large native page
sizes (e.g. 64 KiB on aarch64) because the 40 KiB swap image is
too small. Add -p 4096 to match the other subtests.
Karel Zak [Tue, 7 Apr 2026 13:25:17 +0000 (15:25 +0200)]
script: fix command and command_norm memory leaks
Always own ctl.command by using xstrdup() for the -c optarg path
(the -- path already allocates via ul_strv_join), and free both
ctl.command and ctl.command_norm at exit.
Karel Zak [Tue, 7 Apr 2026 13:20:04 +0000 (15:20 +0200)]
script: fix backward compatibility for options after non-option args
The commit 7268e79b added "+" to the getopt_long() options string to
support the "--" separator for specifying commands. The "+" prefix
makes getopt stop processing at the first non-option argument, which
breaks the traditional "script file -c command" usage.
Fix this by pre-scanning argv for "--" before getopt, separating the
command arguments, and removing the "+" prefix to restore GNU getopt
argument permutation.
bits: prevent unsigned integer underflow and long-lived loop
If 0 is allowed for --width it will culminate in a wraparound
due to an unsigned integer underflow when a size_t for-loop
control variable, namely 'n', is set up. n is the result of
cpuset_nbits(size) - 1, where size is set by cpuset_alloc()
which was called with 0 (width) for the @ncpus parameter that
will make it so that @size remains 0 as the calculated memory
allocation size yields zero as well. Therefore the sum for 'n'
will be -1 that wraps around to UINT_MAX and creates a
long-lived for loop.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Adding sys/mount.h, sys/vfs.h, and related includes to statfs_magic.h
caused build failures on older systems (e.g., Ubuntu) due to a
collision between sys/mount.h and linux/fs.h -- both define MS_RDONLY,
the first as an enum and the second as a macro.
The previous fix (guarding sys/mount.h with !defined(MS_RDONLY)) was
insufficient because on some systems linux/fs.h itself chains into
sys/mount.h, making the guard unreachable.
The correct approach is to keep statfs_magic.h minimal (only magic
numbers and sys/statfs.h) and let callers include the necessary
struct statfs headers. Currently, all callers of statfs_magic.h are
Linux-only (libmount requires sys/vfs.h, hardlink's USE_REFLINK
requires HAVE_LINUX_FIEMAP_H), so the Darwin-specific sys/mount.h
include is unreachable anyway.
Sorry for the mess, and sorry I had not used a PR for this.
Fixes: 1af964d935 ("include/statfs_magic.h: add portable struct statfs headers for Darwin")
Fixes: 5f66e252c1 ("include/statfs_magic.h: avoid sys/mount.h and linux/fs.h collision")
Signed-off-by: Karel Zak <kzak@redhat.com>
lib: (cpuset.c) dont calculate allocation size for 0 ncpus
If ncpus is not checked against the value 0, subsequent macros
CPU_ALLOC_SIZE and cpuset_nbits() will return garbage (0), which
can cause issues when memory has to be allocated or initialized
in callers where the size is assumed to be > 0. So let us return
NULL for 0 ncpus.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Karel Zak [Tue, 7 Apr 2026 13:34:13 +0000 (15:34 +0200)]
include/statfs_magic.h: avoid sys/mount.h and linux/fs.h collision
Guard the sys/mount.h include with !defined(MS_RDONLY) to prevent
redefinition errors when linux/fs.h has already been included (e.g.,
in fstrim.c). This follows the same pattern used in libmount.h.in.
Fixes: 1af964d935 ("include/statfs_magic.h: add portable struct statfs headers for Darwin")
Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 7 Apr 2026 12:46:06 +0000 (14:46 +0200)]
libcommon: move pidfd-utils.c to Linux-only sources
The pidfd-utils.c uses Linux-specific APIs (pidfd_open, statx, etc.)
and all its consumers are Linux-only tools. Move it under the LINUX
guard in both meson and autotools build systems.
Karel Zak [Tue, 7 Apr 2026 11:49:32 +0000 (13:49 +0200)]
Merge branch 'chrt_elaborate_on_sched_ext_policy' of https://github.com/cgoesche/util-linux-fork
* 'chrt_elaborate_on_sched_ext_policy' of https://github.com/cgoesche/util-linux-fork:
chrt: (man) explain which kernel config options are needed for SCHED_EXT
Karel Zak [Tue, 7 Apr 2026 11:49:02 +0000 (13:49 +0200)]
write, mesg: add S_ISCHR() check for terminal device paths
Verify that the target path is a character device before proceeding.
This hardens both utilities against symlink-to-regular-file attacks
as a defense-in-depth measure.
Note that the TOCTOU race condition between stat() and freopen()/open()
is only theoretical -- on modern Linux systems /dev/pts/ is a
kernel-managed devpts filesystem where unprivileged users cannot create
or replace entries, and the setgid tty privilege only grants write
access to terminal devices, not to arbitrary files.
Johannes Wüller [Sat, 4 Apr 2026 18:03:06 +0000 (20:03 +0200)]
mkswap: Fix --file chmod(2) check when file exists
The documentation claims that `--size` will resize the `--file`, but
it ends up failing like this:
```
# mkswap --file /swapfile --size 4G
Setting up swapspace version 1, size = 4 GiB (4294963200 bytes)
no label, UUID=1523588e-412a-4f25-8fac-aeaf638101aa
# mkswap --file /swapfile --size 4G
mkswap: cannot set permissions on swap file /swapfile: Success
```
There seems to have been a typo in the chmod(2) return value comparison.
It checked for `< 9` rather than `< 0`, which would usually indicate
failure. After the fix:
```
# mkswap --file /swapfile --size 4G
Setting up swapspace version 1, size = 4 GiB (4294963200 bytes)
no label, UUID=6be7c450-761c-442d-8d9a-3e8cd93506b5
# mkswap --file /swapfile --size 4G
mkswap: /swapfile: warning: wiping old swap signature.
Setting up swapspace version 1, size = 4 GiB (4294963200 bytes)
no label, UUID=617a793e-84b1-471d-96c5-c099f8b157db
```
The operation no longer fails, as validated by the added test.
chrt: (man) explain which kernel config options are needed for SCHED_EXT
On systems running kernel version 6.12+ it is still possible
that the syscall to set SCHED_EXT fails with EINVAL; this can
happen when certain kernel configuration options have not been
set. The list of required options can be found here:
https://docs.kernel.org/scheduler/sched-ext.html#switching-to-and-from-sched-ext
Let's document this in the man page to give users a heads up.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
The maximum amount of records to print can be specified in two different
ways: Either with -n/--limit or by specifying the number as argument,
i.e. -number.
The current parser does not check for possible overflow with -number
arguments and mixes -number arguments with -n arguments.
Properly split these two notations and use strtou32_or_err for overflow
checks.
Reset the child pid only after comparison with waitpid result.
Currently, this leads to returning -1 or 1, which ultimately leads
to exit code 1 in case of a SIGPIPE. This is the behavior as of 2.41,
which means that no regression between releases occurred. Yet, fix it
nonetheless.
If a UID/GID is larger than its respective data type allows (but smaller
than uint64_t), then tools like newgrp erroneously assume that the user
or group simply does not exist.
Set errno to indicate that the supplied UID/GID is out of range instead.
bash-completion: complete relative path for filenames as well
Commit 1a76e3e only helped with the completion of directory
names for relative paths. Let us complete filenames too for
completeness (no pun intended).
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>