Backport recent fixes to v260-stable

docs/SECURITY.md

@@ -18,3 +18,12 @@ Subscription to the Security Advisories and/or systemd-security mailing list is
 Those conditions should be backed by publicly accessible information (ideally, a track of posts and commits from the mail address in question).
 If you fall into one of those categories and wish to be subscribed,
 contact the maintainers or submit a **[subscription request](https://www.redhat.com/mailman/listinfo/systemd-security)**.
+
+# Requirements for a Valid Report
+
+- Please ensure the issue is reproducible on main.
+- Please ensure a fully working, end-to-end reproducer is provided.
+- Please ensure the reproducer is real-world and not simulated or abstracted.
+- Please ensure the reproducer demonstrably violates a security boundary.
+- Please understand that most of our maintainers are volunteers and already have a heavy review burden. While we will try to triage and fix issues in a timely manner, we cannot guarantee any fixed timeline for issue resolution.
+- While modern industry practices around coordinated disclosures encourage public disclosure to avoid vendors stonewalling researchers, we are an open source project that would gain little from needlessly stonewalling researchers. We thus kindly request that reporters do not publicly disclose issues they have reported to us before an agreed-to disclosure date.

meson.build

@@ -2866,7 +2866,13 @@ if git.found()
                      'ls-files', ':/*.[ch]', ':/*.cc',
                 check : false)
         if all_files.returncode() == 0
-                all_files = files(all_files.stdout().split())
+                existing_files = []
+                foreach f : all_files.stdout().split()
+                        if fs.exists(f)
+                                existing_files += f
+                        endif
+                endforeach
+                all_files = files(existing_files)
 
                 custom_target(
                         output : 'tags',

po/ar.po

@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: systemd\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-03-06 03:46+0900\n"
-"PO-Revision-Date: 2026-02-26 13:58+0000\n"
+"PO-Revision-Date: 2026-04-11 19:58+0000\n"
 "Last-Translator: joo es <jonnyse@users.noreply.translate.fedoraproject.org>\n"
 "Language-Team: Arabic <https://translate.fedoraproject.org/projects/systemd/"
 "main/ar/>\n"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=6; plural=n==0 ? 0 : n==1 ? 1 : n==2 ? 2 : n%100>=3 "
 "&& n%100<=10 ? 3 : n%100>=11 ? 4 : 5;\n"
-"X-Generator: Weblate 5.16.1\n"
+"X-Generator: Weblate 5.16.2\n"
 
 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@@ -938,12 +938,10 @@ msgid "DHCP server sends force renew message"
 msgstr "خادم DHCP يرسل رسالة تجديد إجبارية"
 
 #: src/network/org.freedesktop.network1.policy:144
-#, fuzzy
-#| msgid "Authentication is required to send force renew message."
 msgid ""
 "Authentication is required to send a force renew message from the DHCP "
 "server."
-msgstr "الاستيثاق مطلوب للإرسال رسالة تجديد إجبارية."
+msgstr "الاستيثاق مطلوب للإرسال رسالة تجديد إجبارية من خادم DHCP."
 
 #: src/network/org.freedesktop.network1.policy:154
 msgid "Renew dynamic addresses"

src/basic/compress.c

@@ -434,6 +434,8 @@ int decompress_blob_lz4(
         size = unaligned_read_le64(src);
         if (size < 0 || (unsigned) size != unaligned_read_le64(src))
                 return -EFBIG;
+        if (dst_max > 0 && (size_t) size > dst_max)
+                return -ENOBUFS;
         out = greedy_realloc(dst, size, 1);
         if (!out)
                 return -ENOMEM;

src/basic/time-util.c

@@ -49,15 +49,28 @@ usec_t now(clockid_t clock_id) {
 
         assert_se(clock_gettime(map_clock_id(clock_id), &ts) == 0);
 
-        return timespec_load(&ts);
+        usec_t n = timespec_load(&ts);
+
+        /* We use both 0 and USEC_INFINITY as niche values. If the current time collides with either, things are
+         * really weird and really broken. Let's not allow this to go through, it would break too many of our
+         * assumptions in code. */
+        assert(n > 0);
+        assert(n < USEC_INFINITY);
+
+        return n;
 }
 
 nsec_t now_nsec(clockid_t clock_id) {
         struct timespec ts;
 
         assert_se(clock_gettime(map_clock_id(clock_id), &ts) == 0);
 
-        return timespec_load_nsec(&ts);
+        nsec_t n = timespec_load_nsec(&ts);
+
+        assert(n > 0);
+        assert(n < NSEC_INFINITY);
+
+        return n;
 }
 
 dual_timestamp* dual_timestamp_now(dual_timestamp *ts) {

src/basic/uid-range.c

@@ -71,6 +71,8 @@ static void uid_range_coalesce(UIDRange *range) {
                         if (range->n_entries > j + 1)
                                 memmove(y, y + 1, sizeof(UIDRangeEntry) * (range->n_entries - j - 1));
 
+                        /* Silence static analyzers, n_entries > 0 since j < n_entries holds in the loop condition */
+                        assert(range->n_entries > 0);
                         range->n_entries--;
                         j--;
                 }

src/core/cgroup.c

@@ -3982,6 +3982,29 @@ bool unit_cgroup_delegate(Unit *u) {
         return c->delegate;
 }
 
+void unit_cgroup_disable_all_controllers(Unit *u) {
+        int r;
+
+        assert(u);
+
+        CGroupRuntime *crt = unit_get_cgroup_runtime(u);
+        if (!crt || !crt->cgroup_path)
+                return;
+
+        if (!unit_cgroup_delegate(u))
+                return;
+
+        /* For delegated units, the previous payload may have enabled controllers (e.g. "pids") in
+         * cgroup.subtree_control. These persist after the service stops and turn the cgroup into an
+         * "internal node", causing clone3(CLONE_INTO_CGROUP) to fail with EBUSY. Clear them now, right
+         * before the new start, so that resource control is preserved for lingering processes as long as
+         * possible. Ignore errors — if sub-cgroups still have live processes the write will fail, but so
+         * will the upcoming spawn. */
+        r = cg_enable(u->manager->cgroup_supported, /* mask= */ 0, crt->cgroup_path, &crt->cgroup_enabled_mask);
+        if (r < 0)
+                log_unit_debug_errno(u, r, "Failed to disable controllers on cgroup %s, ignoring: %m", empty_to_root(crt->cgroup_path));
+}
+
 void manager_invalidate_startup_units(Manager *m) {
         Unit *u;
 

src/core/cgroup.h

@@ -442,6 +442,8 @@ void unit_cgroup_catchup(Unit *u);
 
 bool unit_cgroup_delegate(Unit *u);
 
+void unit_cgroup_disable_all_controllers(Unit *u);
+
 int unit_get_cpuset(Unit *u, CPUSet *cpus, const char *name);
 
 int unit_cgroup_freezer_action(Unit *u, FreezerAction action);

src/core/service.c

@@ -13,6 +13,7 @@
 #include "bus-common-errors.h"
 #include "bus-error.h"
 #include "bus-util.h"
+#include "cgroup.h"
 #include "chase.h"
 #include "dbus-service.h"
 #include "dbus-unit.h"
@@ -3165,8 +3166,10 @@ static int service_start(Unit *u) {
         exec_status_reset(&s->main_exec_status);
 
         CGroupRuntime *crt = unit_get_cgroup_runtime(u);
-        if (crt)
+        if (crt) {
+                unit_cgroup_disable_all_controllers(u);
                 crt->reset_accounting = true;
+        }
 
         service_enter_condition(s);
         return 1;
@@ -5629,6 +5632,7 @@ static int service_clean(Unit *u, ExecCleanMask mask) {
                 goto fail;
         }
 
+        unit_cgroup_disable_all_controllers(u);
         r = unit_fork_and_watch_rm_rf(u, l, &s->control_pid);
         if (r < 0) {
                 log_unit_warning_errno(u, r, "Failed to spawn cleaning task: %m");

src/core/unit.h

@@ -10,7 +10,7 @@
 #include "install.h"
 #include "iterator.h"
 #include "job.h"
-#include "journal-importer.h"
+#include "journal-def.h"
 #include "list.h"
 #include "log.h"
 #include "log-context.h"

src/core/varlink-unit.c

@@ -225,7 +225,7 @@ static int can_clean_build_json(sd_json_variant **ret, const char *name, void *u
         }
 
         if (FLAGS_SET(mask, EXEC_CLEAN_FDSTORE)) {
-                r = sd_json_variant_append_arrayb(&v, SD_JSON_BUILD_STRING("fdstore"));
+                r = sd_json_variant_append_arrayb(&v, JSON_BUILD_CONST_STRING("fdstore"));
                 if (r < 0)
                         return r;
         }

src/coredump/coredump-config.c

@@ -3,7 +3,7 @@
 #include "conf-parser.h"
 #include "coredump-config.h"
 #include "format-util.h"
-#include "journal-importer.h"
+#include "journal-def.h"
 #include "log.h"
 #include "string-table.h"
 #include "string-util.h"

src/debug-generator/debug-generator.c

@@ -101,7 +101,8 @@ static int parse_breakpoint_from_string(const char *s, uint32_t *ret_breakpoints
 
                 FOREACH_ELEMENT(i, breakpoint_info_table)
                         if (FLAGS_SET(i->validity, BREAKPOINT_DEFAULT) && breakpoint_applies(i, INT_MAX)) {
-                                breakpoints |= 1 << i->type;
+                                assert(i->type >= 0 && i->type < _BREAKPOINT_TYPE_MAX); /* silence coverity */
+                                breakpoints |= UINT32_C(1) << i->type;
                                 found_default = true;
                                 break;
                         }

src/fundamental/macro-fundamental.h

@@ -160,7 +160,7 @@
 #define U64_GB (UINT64_C(1024) * U64_MB)
 
 #undef MAX
-#define MAX(a, b) __MAX(UNIQ, (a), UNIQ, (b))
+#define MAX(a, b) __MAX(UNIQ, a, UNIQ, b)
 #define __MAX(aq, a, bq, b)                             \
         ({                                              \
                 const typeof(a) UNIQ_T(A, aq) = (a);    \
@@ -217,14 +217,22 @@ assert_cc(sizeof(long long) == sizeof(intmax_t));
         })
 
 #undef MIN
-#define MIN(a, b) __MIN(UNIQ, (a), UNIQ, (b))
+#define MIN(a, b) __MIN(UNIQ, a, UNIQ, b)
 #define __MIN(aq, a, bq, b)                             \
         ({                                              \
                 const typeof(a) UNIQ_T(A, aq) = (a);    \
                 const typeof(b) UNIQ_T(B, bq) = (b);    \
                 UNIQ_T(A, aq) < UNIQ_T(B, bq) ? UNIQ_T(A, aq) : UNIQ_T(B, bq); \
         })
 
+#define ABS_DIFF(a, b) __ABS_DIFF(UNIQ, a, UNIQ, b)
+#define __ABS_DIFF(aq, a, bq, b)                        \
+        ({                                              \
+                const typeof(a) UNIQ_T(A, aq) = (a);    \
+                const typeof(b) UNIQ_T(B, bq) = (b);    \
+                UNIQ_T(A, aq) < UNIQ_T(B, bq) ? UNIQ_T(B, bq) - UNIQ_T(A, aq) : UNIQ_T(A, aq) - UNIQ_T(B, bq); \
+        })
+
 /* evaluates to (void) if _A or _B are not constant or of different types */
 #define CONST_MIN(_A, _B) \
         (__builtin_choose_expr(                                         \
@@ -295,7 +303,7 @@ assert_cc(sizeof(long long) == sizeof(intmax_t));
         })
 
 #undef CLAMP
-#define CLAMP(x, low, high) __CLAMP(UNIQ, (x), UNIQ, (low), UNIQ, (high))
+#define CLAMP(x, low, high) __CLAMP(UNIQ, x, UNIQ, low, UNIQ, high)
 #define __CLAMP(xq, x, lowq, low, highq, high)                          \
         ({                                                              \
                 const typeof(x) UNIQ_T(X, xq) = (x);                    \
@@ -312,7 +320,7 @@ assert_cc(sizeof(long long) == sizeof(intmax_t));
  * computation should be possible in the given type. Therefore, we use
  * [x / y + !!(x % y)]. Note that on "Real CPUs" a division returns both the
  * quotient and the remainder, so both should be equally fast. */
-#define DIV_ROUND_UP(x, y) __DIV_ROUND_UP(UNIQ, (x), UNIQ, (y))
+#define DIV_ROUND_UP(x, y) __DIV_ROUND_UP(UNIQ, x, UNIQ, y)
 #define __DIV_ROUND_UP(xq, x, yq, y)                                    \
         ({                                                              \
                 const typeof(x) UNIQ_T(X, xq) = (x);                    \
@@ -324,11 +332,11 @@ assert_cc(sizeof(long long) == sizeof(intmax_t));
 #define __ROUND_UP(q, x, y)                                             \
         ({                                                              \
                 const typeof(y) UNIQ_T(A, q) = (y);                     \
-                const typeof(x) UNIQ_T(B, q) = DIV_ROUND_UP((x), UNIQ_T(A, q)); \
+                const typeof(x) UNIQ_T(B, q) = DIV_ROUND_UP(x, UNIQ_T(A, q)); \
                 typeof(x) UNIQ_T(C, q);                                 \
                 MUL_SAFE(&UNIQ_T(C, q), UNIQ_T(B, q), UNIQ_T(A, q)) ? UNIQ_T(C, q) : (typeof(x)) -1; \
         })
-#define ROUND_UP(x, y) __ROUND_UP(UNIQ, (x), (y))
+#define ROUND_UP(x, y) __ROUND_UP(UNIQ, x, y)
 
 #define  CASE_F_1(X)      case X:
 #define  CASE_F_2(X, ...) case X:  CASE_F_1( __VA_ARGS__)

src/home/homed-manager.c

@@ -1889,10 +1889,10 @@ static int manager_rebalance_calculate(Manager *m) {
                 assert(h->rebalance_usage <= usage_sum);
                 assert(h->rebalance_weight <= weight_sum);
 
-                d = ((double) (free_sum / 4096.0) * (double) h->rebalance_weight) / (double) weight_sum; /* Calculate new space for this home in units of 4K */
+                d = free_sum / 4096.0 * h->rebalance_weight / weight_sum; /* Calculate new space for this home in units of 4K */
 
                 /* Convert from units of 4K back to bytes */
-                if (d >= (double) (UINT64_MAX/4096))
+                if (d >= UINT64_MAX / 4096)
                         new_free = UINT64_MAX;
                 else
                         new_free = (uint64_t) d * 4096;
@@ -1928,7 +1928,7 @@ static int manager_rebalance_calculate(Manager *m) {
                         h->rebalance_pending = true;
                 }
 
-                if ((fabs((double) h->rebalance_size - (double) h->rebalance_goal) * 100 / (double) h->rebalance_size) >= 5.0)
+                if (ABS_DIFF(h->rebalance_size, h->rebalance_goal) * 100.0 / h->rebalance_size >= 5.0)
                         relevant = true;
         }
 

src/import/importctl.c

@@ -1269,7 +1269,7 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case 'N':
-                        arg_import_flags_mask &= ~IMPORT_PULL_KEEP_DOWNLOAD;
+                        arg_import_flags &= ~IMPORT_PULL_KEEP_DOWNLOAD;
                         arg_import_flags_mask |= IMPORT_PULL_KEEP_DOWNLOAD;
                         break;
 

src/journal-remote/journal-remote-main.c

@@ -286,7 +286,7 @@ static int process_http_upload(
                         _cleanup_free_ char *buf = NULL;
                         size_t buf_size;
 
-                        r = decompress_blob(source->compression, upload_data, *upload_data_size, (void **) &buf, &buf_size, 0);
+                        r = decompress_blob(source->compression, upload_data, *upload_data_size, (void **) &buf, &buf_size, DATA_SIZE_MAX);
                         if (r < 0)
                                 return mhd_respondf(connection, r, MHD_HTTP_BAD_REQUEST, "Decompression of received blob failed.");
 

src/journal/journald-native.c

@@ -10,7 +10,6 @@
 #include "fd-util.h"
 #include "format-util.h"
 #include "iovec-util.h"
-#include "journal-importer.h"
 #include "journal-internal.h"
 #include "journald-client.h"
 #include "journald-console.h"

src/libsystemd/sd-bus/bus-socket.c

@@ -1235,7 +1235,6 @@ int bus_socket_take_fd(sd_bus *b) {
 int bus_socket_write_message(sd_bus *bus, sd_bus_message *m, size_t *idx) {
         struct iovec *iov;
         ssize_t k;
-        size_t n;
         unsigned j;
         int r;
 
@@ -1251,9 +1250,8 @@ int bus_socket_write_message(sd_bus *bus, sd_bus_message *m, size_t *idx) {
         if (r < 0)
                 return r;
 
-        n = m->n_iovec * sizeof(struct iovec);
-        iov = newa(struct iovec, n);
-        memcpy_safe(iov, m->iovec, n);
+        iov = newa(struct iovec, m->n_iovec);
+        memcpy_safe(iov, m->iovec, sizeof(struct iovec) * m->n_iovec);
 
         j = 0;
         iovec_advance(iov, &j, *idx);

src/libsystemd/sd-event/sd-event.c

@@ -2025,11 +2025,13 @@ _public_ int sd_event_add_memory_pressure(
                 if (errno != ENOENT)
                         return -errno;
 
-                /* We got ENOENT. Three options now: try the fallback if we have one, or return the error as
-                 * is (if based on user/env config), or return -EOPNOTSUPP (because we picked the path, and
-                 * the PSI service apparently is not supported) */
-                if (!watch_fallback)
-                        return locked ? -ENOENT : -EOPNOTSUPP;
+                /* We got ENOENT. Two options now: try the fallback if we have one, or return the error as is
+                 * (when based on user/env config). */
+
+                if (!watch_fallback) {
+                        assert(locked);
+                        return -ENOENT;
+                }
 
                 path_fd = open(watch_fallback, O_PATH|O_CLOEXEC);
                 if (path_fd < 0) {

src/libsystemd/sd-journal/journal-def.h

@@ -6,6 +6,21 @@
 #include "sd-forward.h"
 #include "sparse-endian.h"
 
+/* Make sure not to make this smaller than the maximum coredump size.
+ * See JOURNAL_SIZE_MAX in coredump-config.h */
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+#define ENTRY_SIZE_MAX (1024*1024*770u)
+#define ENTRY_SIZE_UNPRIV_MAX (1024*1024*32u)
+#define DATA_SIZE_MAX (1024*1024*768u)
+#else
+#define ENTRY_SIZE_MAX (1024*1024*13u)
+#define ENTRY_SIZE_UNPRIV_MAX (1024*1024*8u)
+#define DATA_SIZE_MAX (1024*1024*11u)
+#endif
+
+/* The maximum number of fields in an entry */
+#define ENTRY_FIELD_COUNT_MAX 1024u
+
 /*
  * If you change this file you probably should also change its documentation:
  *

src/libsystemd/sd-journal/journal-file.c

@@ -1967,7 +1967,7 @@ static int maybe_decompress_payload(
                         }
                 }
 
-                r = decompress_blob(compression, payload, size, &f->compress_buffer, &rsize, 0);
+                r = decompress_blob(compression, payload, size, &f->compress_buffer, &rsize, DATA_SIZE_MAX);
                 if (r < 0)
                         return r;