Set Content-Type / Retry-After for custom ARI resp (#506)

Fixes #502

.github/workflows/checks.yml

@@ -12,7 +12,7 @@ permissions:
 env:
   CGO_ENABLED: 0
   GO_VERSION: stable
-  GOLANGCI_LINT_VERSION: v1.56.2
+  GOLANGCI_LINT_VERSION: v1.64.5
   SHELLCHECK_SCRIPTS: ./*.sh
 jobs:
   go-lint-checks:
@@ -23,11 +23,8 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
       - name: Run GolangCI-Lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v6
         with:
-          # skip cache because of flaky behaviors
-          skip-build-cache: true
-          skip-pkg-cache: true
           version: ${{ env.GOLANGCI_LINT_VERSION }}
   go-mod-checks:
     runs-on: ubuntu-latest

.github/workflows/tests.yml

@@ -59,6 +59,33 @@ jobs:
         run: |
           git clone https://github.com/eggsampler/acme.git /tmp/eggsampler-acme
           cd /tmp/eggsampler-acme && make test
+  lego-eab-linux:
+    name: Test lego with EAB
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Install lego cli
+        run: go install github.com/go-acme/lego/v4/cmd/lego@latest
+      - name: go install commands
+        run: go install -v ./cmd/...
+      - name: launch pebble
+        run: |
+          GORACE="halt_on_error=1" PEBBLE_VA_ALWAYS_VALID=1 \
+          pebble -config test/config/pebble-config-external-account-bindings.json &
+      - run: |
+          LEGO_CA_CERTIFICATES=./test/certs/pebble.minica.pem \
+          lego --accept-tos \
+               --server=https://localhost:14000/dir \
+               --email="pebble-test@example.letsencrypt.org" \
+               --domains=example.letsencrypt.org \
+               --eab \
+                 --kid kid-3 \
+                 --hmac=HjudV5qnbreN-n9WyFSH-t4HXuEx_XFen45zuxY-G1h6fr74V3cUM_dVlwQZBWmc \
+               --http --http.port=:5002 \
+               run
   go-linux:
     name: Run Go tests on Linux
     runs-on: ubuntu-latest

.golangci.yaml

@@ -1,8 +1,6 @@
 linters-settings:
   gocyclo:
     min-complexity: 25
-  govet:
-    check-shadowing: false
   misspell:
     locale: "US"
 
@@ -14,6 +12,7 @@ linters:
     - bidichk
     - bodyclose
     - containedctx
+    - copyloopvar
     - decorder
     - dogsled
     - dupword
@@ -21,7 +20,6 @@ linters:
     - errcheck
     - errchkjson
     - errorlint
-    - exportloopref
     - forcetypeassert
     - ginkgolinter
     - gocheckcompilerdirectives
@@ -55,7 +53,6 @@ linters:
     - revive
     - staticcheck
     - tagalign
-    - tenv
     - testableexamples
     - testifylint
     - thelper
@@ -63,6 +60,7 @@ linters:
     - unparam
     - unused
     - usestdlibvars
+    - usetesting
     - wastedassign
 
 issues:

README.md

@@ -55,9 +55,8 @@ clients are not hardcoding URLs.)
 ## Limitations
 
 Pebble is missing some ACME features (PRs are welcome!). It does not presently
-support subproblems, or pre-authorization. Pebble does not support revoking a 
-certificate issued by a different ACME account by proving authorization of all
-of the certificate's domains.
+support pre-authorization or revoking a certificate issued by a different ACME
+account by proving authorization of all of the certificate's domains.
 
 Pebble does not perform all of the same input validation as Boulder. Some domain
 names that would be rejected by Boulder/Let's Encrypt may work with Pebble.
@@ -95,7 +94,7 @@ at `https://localhost:14000/dir`.
 
 Pebble includes a [docker-compose](https://docs.docker.com/compose/) file that
 will create a `pebble` instance that uses a `pebble-challtestsrv` instance for
-DNS resolution.
+DNS resolution with the correct ports mapped to the host system.
 
 To download and start the containers run:
 
@@ -119,21 +118,25 @@ See the [pebble-challtestsrv
 README](https://github.com/letsencrypt/pebble/blob/master/cmd/pebble-challtestsrv/README.md)
 for more information.
 
+If you are running a one-off container for either `pebble` or
+`pebble-challtestsrv`, you will need to manually map ports.
+```
+docker run -p 14000:14000 -p 15000:15000 ghcr.io/letsencrypt/pebble:latest
+docker run -p 5001:5001 -p 5002:5002 -p 5003:5003 -p 8053:8053 -p 8055:8055 -p 8443:8443 ghcr.io/letsencrypt/pebble-challtestsrv:latest
+```
+
 #### Prebuilt Docker Images
 
-If you would prefer not to use the provided `docker-compose.yml`, or to build
-container images yourself, you can also use the [published
-images](https://hub.docker.com/r/letsencrypt/pebble/).
+Pebble releases are published as Docker images to the
+[Github Container Registry](https://github.com/orgs/letsencrypt/packages?repo_name=pebble)
 
 With a docker-compose file:
 
 ```yaml
-version: '3'
-
 services:
  pebble:
-  image: letsencrypt/pebble
-  command: pebble -config /test/my-pebble-config.json
+  image: ghcr.io/letsencrypt/pebble:latest
+  command: -config /test/my-pebble-config.json
   ports:
     - 14000:14000  # ACME port
     - 15000:15000  # Management port
@@ -146,13 +149,11 @@ services:
 With a Docker command:
 
 ```bash
-docker run -e "PEBBLE_VA_NOSLEEP=1" letsencrypt/pebble
+docker run -p 14000:14000 -p 15000:15000 -e "PEBBLE_VA_NOSLEEP=1" ghcr.io/letsencrypt/pebble
 # or
-docker run -e "PEBBLE_VA_NOSLEEP=1" --mount src=$(pwd)/my-pebble-config.json,target=/test/my-pebble-config.json,type=bind letsencrypt/pebble pebble -config /test/my-pebble-config.json
+docker run -p 14000:14000 -p 15000:15000 -e "PEBBLE_VA_NOSLEEP=1" --mount src=$(pwd)/my-pebble-config.json,target=/test/my-pebble-config.json,type=bind ghcr.io/letsencrypt/pebble -config /test/my-pebble-config.json
 ```
 
-**Note**: The Pebble dockerfile uses [multi-stage builds](https://docs.docker.com/develop/develop-images/multistage-build/) and requires Docker CE 17.05.0-ce or newer.
-
 ### Default validation ports
 
 To make it easier to test ACME clients and run challenge response servers

acme/common.go

@@ -15,9 +15,10 @@ const (
 	IdentifierDNS = "dns"
 	IdentifierIP  = "ip"
 
-	ChallengeHTTP01    = "http-01"
-	ChallengeTLSALPN01 = "tls-alpn-01"
-	ChallengeDNS01     = "dns-01"
+	ChallengeHTTP01       = "http-01"
+	ChallengeTLSALPN01    = "tls-alpn-01"
+	ChallengeDNS01        = "dns-01"
+	ChallengeDNSAccount01 = "dns-account-01"
 
 	HTTP01BaseURL = ".well-known/acme-challenge/"
 
@@ -53,11 +54,15 @@ type Order struct {
 	Error          *ProblemDetails `json:"error,omitempty"`
 	Expires        string          `json:"expires"`
 	Identifiers    []Identifier    `json:"identifiers,omitempty"`
+	Profile        string          `json:"profile,omitempty"`
 	Finalize       string          `json:"finalize"`
 	NotBefore      string          `json:"notBefore,omitempty"`
 	NotAfter       string          `json:"notAfter,omitempty"`
 	Authorizations []string        `json:"authorizations"`
 	Certificate    string          `json:"certificate,omitempty"`
+
+	// https://datatracker.ietf.org/doc/html/draft-ietf-acme-ari-03#section-5
+	Replaces string `json:"replaces,omitempty"`
 }
 
 // An Authorization is created for each identifier in an order

acme/problems.go

@@ -6,23 +6,24 @@ import (
 )
 
 const (
-	errNS                  = "urn:ietf:params:acme:error:"
-	serverInternalErr      = errNS + "serverInternal"
-	malformedErr           = errNS + "malformed"
-	badNonceErr            = errNS + "badNonce"
-	badCSRErr              = errNS + "badCSR"
-	agreementReqErr        = errNS + "agreementRequired"
-	externalAccountReqErr  = errNS + "externalAccountRequired"
-	connectionErr          = errNS + "connection"
-	unauthorizedErr        = errNS + "unauthorized"
-	invalidContactErr      = errNS + "invalidContact"
-	unsupportedContactErr  = errNS + "unsupportedContact"
-	accountDoesNotExistErr = errNS + "accountDoesNotExist"
-	badRevocationReasonErr = errNS + "badRevocationReason"
-	alreadyRevokedErr      = errNS + "alreadyRevoked"
-	orderNotReadyErr       = errNS + "orderNotReady"
-	badPublicKeyErr        = errNS + "badPublicKey"
-	rejectedIdentifierErr  = errNS + "rejectedIdentifier"
+	errNS                    = "urn:ietf:params:acme:error:"
+	serverInternalErr        = errNS + "serverInternal"
+	malformedErr             = errNS + "malformed"
+	badNonceErr              = errNS + "badNonce"
+	badCSRErr                = errNS + "badCSR"
+	agreementReqErr          = errNS + "agreementRequired"
+	externalAccountReqErr    = errNS + "externalAccountRequired"
+	connectionErr            = errNS + "connection"
+	unauthorizedErr          = errNS + "unauthorized"
+	invalidContactErr        = errNS + "invalidContact"
+	unsupportedContactErr    = errNS + "unsupportedContact"
+	accountDoesNotExistErr   = errNS + "accountDoesNotExist"
+	badRevocationReasonErr   = errNS + "badRevocationReason"
+	alreadyRevokedErr        = errNS + "alreadyRevoked"
+	orderNotReadyErr         = errNS + "orderNotReady"
+	badPublicKeyErr          = errNS + "badPublicKey"
+	badSignatureAlgorithmErr = errNS + "badSignatureAlgorithm"
+	rejectedIdentifierErr    = errNS + "rejectedIdentifier"
 )
 
 type ProblemDetails struct {
@@ -189,6 +190,14 @@ func BadPublicKeyProblem(detail string) *ProblemDetails {
 	}
 }
 
+func BadSignatureAlgorithmProblem(detail string) *ProblemDetails {
+	return &ProblemDetails{
+		Type:       badSignatureAlgorithmErr,
+		Detail:     detail,
+		HTTPStatus: http.StatusBadRequest,
+	}
+}
+
 func RejectedIdentifierProblem(ident Identifier, detail string) *ProblemDetails {
 	return &ProblemDetails{
 		Type:       rejectedIdentifierErr,

appveyor.yml

@@ -1,51 +0,0 @@
-image: Visual Studio 2022
-
-hosts:
-  example.letsencrypt.org: 127.0.0.1
-  elpmaxe.letsencrypt.org: 127.0.0.1
-
-environment:
-  PATH: C:\Python39-x64;C:\msys64\mingw64\bin;%USERPROFILE%\go\bin;%PATH%
-  PEBBLE_WFE_NONCEREJECT: 0
-
-# Declare artifacts that can become release assets on GitHub
-artifacts:
-  - path: deploy\pebble_windows-amd64.exe
-    name: Pebble
-  - path: deploy\pebble-challtestsrv_windows-amd64.exe
-    name: Pebble-Challtestsrv
-
-install:
-  - git clone --single-branch --depth=1 -b master https://github.com/certbot/certbot
-  - cd certbot
-  - python tools\venv.py
-  - venv\Scripts\activate.bat
-  - cd ..
-
-build_script:
-  - go install -v -mod=vendor ./...
-
-after_build:
-  - ps: $PebbleProcess = Start-Process pebble -PassThru
-  - mkdir deploy
-  # Two following lines are copying built executable to the proper artifacts folder
-  - copy %USERPROFILE%\go\bin\pebble.exe deploy\pebble_windows-amd64.exe
-  - copy %USERPROFILE%\go\bin\pebble-challtestsrv.exe deploy\pebble-challtestsrv_windows-amd64.exe
-
-test_script:
-  # Run project unit tests (with the race detector enabled)
-  - go test -mod=vendor -v -race ./...
-  # Perform a test issuance with chisel2.py
-  - cmd /c "set REQUESTS_CA_BUNDLE=./test/certs/pebble.minica.pem && python .\test\chisel2.py example.letsencrypt.org elpmaxe.letsencrypt.org"
-
-before_deploy:
-  - ps: .ci\publish_windows.ps1
-
-deploy:
-  - provider: GitHub
-    auth_token: $(GITHUB_AUTH_TOKEN)
-    # References here correspond to artifacts name fields in artifacts section
-    artifact: Pebble,Pebble-Challtestsrv
-    draft: true
-    on:
-      APPVEYOR_REPO_TAG: true

ca/ca.go

@@ -27,7 +27,7 @@ import (
 const (
 	rootCAPrefix          = "Pebble Root CA "
 	intermediateCAPrefix  = "Pebble Intermediate CA "
-	defaultValidityPeriod = 157766400
+	defaultValidityPeriod = 7776000
 )
 
 type CAImpl struct {
@@ -35,9 +35,8 @@ type CAImpl struct {
 	db               *db.MemoryStore
 	ocspResponderURL string
 
-	chains []*chain
-
-	certValidityPeriod uint64
+	chains   []*chain
+	profiles map[string]*Profile
 }
 
 type chain struct {
@@ -45,6 +44,11 @@ type chain struct {
 	intermediates []*issuer
 }
 
+type Profile struct {
+	Description    string
+	ValidityPeriod uint64
+}
+
 func (c *chain) String() string {
 	fullchain := append(c.intermediates, c.root)
 	n := len(fullchain)
@@ -108,7 +112,7 @@ func makeKey() (*rsa.PrivateKey, []byte, error) {
 	return key, ski, nil
 }
 
-func (ca *CAImpl) makeRootCert(
+func (ca *CAImpl) makeCACert(
 	subjectKey crypto.Signer,
 	subject pkix.Name,
 	subjectKeyID []byte,
@@ -122,7 +126,7 @@ func (ca *CAImpl) makeRootCert(
 		NotAfter:     time.Now().AddDate(30, 0, 0),
 
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		SubjectKeyId:          subjectKeyID,
 		BasicConstraintsValid: true,
 		IsCA:                  true,
@@ -175,7 +179,7 @@ func (ca *CAImpl) newRootIssuer(name string) (*issuer, error) {
 	subject := pkix.Name{
 		CommonName: rootCAPrefix + name,
 	}
-	rc, err := ca.makeRootCert(rk, subject, subjectKeyID, nil)
+	rc, err := ca.makeCACert(rk, subject, subjectKeyID, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -192,7 +196,7 @@ func (ca *CAImpl) newIntermediateIssuer(root *issuer, intermediateKey crypto.Sig
 		return nil, errors.New("internal error: root must not be nil")
 	}
 	// Make an intermediate certificate with the root issuer
-	ic, err := ca.makeRootCert(intermediateKey, subject, subjectKeyID, root)
+	ic, err := ca.makeCACert(intermediateKey, subject, subjectKeyID, root)
 	if err != nil {
 		return nil, err
 	}
@@ -253,7 +257,7 @@ func (ca *CAImpl) newChain(intermediateKey crypto.Signer, intermediateSubject pk
 	return c
 }
 
-func (ca *CAImpl) newCertificate(domains []string, ips []net.IP, key crypto.PublicKey, accountID, notBefore, notAfter string, extensions []pkix.Extension) (*core.Certificate, error) {
+func (ca *CAImpl) newCertificate(domains []string, ips []net.IP, key crypto.PublicKey, accountID, notBefore, notAfter, profileName string, extensions []pkix.Extension) (*core.Certificate, error) {
 	if len(domains) == 0 && len(ips) == 0 {
 		return nil, errors.New("must specify at least one domain name or IP address")
 	}
@@ -264,12 +268,13 @@ func (ca *CAImpl) newCertificate(domains []string, ips []net.IP, key crypto.Publ
 	}
 	issuer := defaultChain[0]
 
-	subjectKeyID, err := makeSubjectKeyID(key)
-	if err != nil {
-		return nil, fmt.Errorf("cannot create subject key ID: %s", err.Error())
+	prof, ok := ca.profiles[profileName]
+	if !ok {
+		return nil, fmt.Errorf("unrecgonized profile name %q", profileName)
 	}
 
 	certNotBefore := time.Now()
+	var err error
 	if notBefore != "" {
 		certNotBefore, err = time.Parse(time.RFC3339, notBefore)
 		if err != nil {
@@ -277,7 +282,7 @@ func (ca *CAImpl) newCertificate(domains []string, ips []net.IP, key crypto.Publ
 		}
 	}
 
-	certNotAfter := certNotBefore.Add(time.Duration(ca.certValidityPeriod-1) * time.Second)
+	certNotAfter := certNotBefore.Add(time.Duration(prof.ValidityPeriod-1) * time.Second)
 	maxNotAfter := time.Date(9999, 12, 31, 0, 0, 0, 0, time.UTC)
 	if certNotAfter.After(maxNotAfter) {
 		certNotAfter = maxNotAfter
@@ -297,9 +302,8 @@ func (ca *CAImpl) newCertificate(domains []string, ips []net.IP, key crypto.Publ
 		NotBefore:    certNotBefore,
 		NotAfter:     certNotAfter,
 
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-		SubjectKeyId:          subjectKeyID,
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		ExtraExtensions:       extensions,
 		BasicConstraintsValid: true,
 		IsCA:                  false,
@@ -342,11 +346,11 @@ func (ca *CAImpl) newCertificate(domains []string, ips []net.IP, key crypto.Publ
 	return newCert, nil
 }
 
-func New(log *log.Logger, db *db.MemoryStore, ocspResponderURL string, alternateRoots int, chainLength int, certificateValidityPeriod uint64) *CAImpl {
+func New(log *log.Logger, db *db.MemoryStore, ocspResponderURL string, alternateRoots int, chainLength int, profiles map[string]Profile) *CAImpl {
 	ca := &CAImpl{
-		log:                log,
-		db:                 db,
-		certValidityPeriod: defaultValidityPeriod,
+		log:      log,
+		db:       db,
+		profiles: make(map[string]*Profile, len(profiles)),
 	}
 
 	if ocspResponderURL != "" {
@@ -366,12 +370,14 @@ func New(log *log.Logger, db *db.MemoryStore, ocspResponderURL string, alternate
 		ca.chains[i] = ca.newChain(intermediateKey, intermediateSubject, subjectKeyID, chainLength)
 	}
 
-	if certificateValidityPeriod != 0 && certificateValidityPeriod < 9223372038 {
-		ca.certValidityPeriod = certificateValidityPeriod
+	for name, prof := range profiles {
+		if prof.ValidityPeriod <= 0 || prof.ValidityPeriod >= 9223372038 {
+			prof.ValidityPeriod = defaultValidityPeriod
+		}
+		ca.profiles[name] = &prof
+		ca.log.Printf("Loaded profile %q with certificate validity period of %d seconds", name, prof.ValidityPeriod)
 	}
 
-	ca.log.Printf("Using certificate validity period of %d seconds", ca.certValidityPeriod)
-
 	return ca
 }
 
@@ -425,7 +431,7 @@ func (ca *CAImpl) CompleteOrder(order *core.Order) {
 
 	// issue a certificate for the csr
 	csr := order.ParsedCSR
-	cert, err := ca.newCertificate(csr.DNSNames, csr.IPAddresses, csr.PublicKey, order.AccountID, order.NotBefore, order.NotAfter, extensions)
+	cert, err := ca.newCertificate(csr.DNSNames, csr.IPAddresses, csr.PublicKey, order.AccountID, order.NotBefore, order.NotAfter, order.Profile, extensions)
 	if err != nil {
 		ca.log.Printf("Error: unable to issue order: %s", err.Error())
 		return
@@ -438,6 +444,25 @@ func (ca *CAImpl) CompleteOrder(order *core.Order) {
 	order.Unlock()
 }
 
+// RecognizedSKID attempts to match the incoming Authority Key Idenfitier (AKID)
+// bytes to the Subject Key Identifier (SKID) of an intermediate certificate. It
+// returns an error if no match is found.
+func (ca *CAImpl) RecognizedSKID(issuer []byte) error {
+	if issuer == nil {
+		return errors.New("issuer bytes must not be nil")
+	}
+
+	for _, chain := range ca.chains {
+		for _, intermediate := range chain.intermediates {
+			if bytes.Equal(intermediate.cert.Cert.SubjectKeyId, issuer) {
+				return nil
+			}
+		}
+	}
+
+	return errors.New("no known issuer matches the provided Authority Key Identifier ")
+}
+
 func (ca *CAImpl) GetNumberOfRootCerts() int {
 	return len(ca.chains)
 }
@@ -492,3 +517,11 @@ func (ca *CAImpl) GetIntermediateKey(no int) *rsa.PrivateKey {
 	}
 	return nil
 }
+
+func (ca *CAImpl) GetProfiles() map[string]string {
+	res := make(map[string]string, len(ca.profiles))
+	for name, prof := range ca.profiles {
+		res[name] = prof.Description
+	}
+	return res
+}

ca/ca_test.go

@@ -27,7 +27,7 @@ var (
 func makeCa() *CAImpl {
 	logger := log.New(os.Stdout, "Pebble ", log.LstdFlags)
 	db := db.NewMemoryStore()
-	return New(logger, db, "", 0, 1, 0)
+	return New(logger, db, "", 0, 1, map[string]Profile{"default": {}})
 }
 
 func makeCertOrderWithExtensions(extensions []pkix.Extension) core.Order {
@@ -50,6 +50,7 @@ func makeCertOrderWithExtensions(extensions []pkix.Extension) core.Order {
 			Status:      acme.StatusPending,
 			Expires:     time.Now().AddDate(0, 0, 1).UTC().Format(time.RFC3339),
 			Identifiers: []acme.Identifier{},
+			Profile:     "default",
 			NotBefore:   time.Now().UTC().Format(time.RFC3339),
 			NotAfter:    time.Now().AddDate(30, 0, 0).UTC().Format(time.RFC3339),
 		},

cmd/pebble-challtestsrv/main.go

@@ -6,12 +6,14 @@ package main
 import (
 	"context"
 	"flag"
+	"fmt"
 	"log"
 	"net/http"
 	"os"
 	"strings"
 
 	"github.com/letsencrypt/challtestsrv"
+
 	"github.com/letsencrypt/pebble/v2/cmd"
 )
 
@@ -75,6 +77,12 @@ func main() {
 
 	flag.Parse()
 
+	if len(flag.Args()) > 0 {
+		fmt.Printf("invalid command line arguments: %s\n", strings.Join(flag.Args(), " "))
+		flag.Usage()
+		os.Exit(1)
+	}
+
 	httpOneAddresses := filterEmpty(strings.Split(*httpOneBind, ","))
 	httpsOneAddresses := filterEmpty(strings.Split(*httpsOneBind, ","))
 	dohAddresses := filterEmpty(strings.Split(*dohBind, ","))

cmd/pebble/main.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"os"
 	"strconv"
+	"strings"
 
 	"github.com/letsencrypt/pebble/v2/ca"
 	"github.com/letsencrypt/pebble/v2/cmd"
@@ -31,12 +32,15 @@ type config struct {
 		ExternalAccountMACKeys         map[string]string
 		// Configure policies to deny certain domains
 		DomainBlocklist []string
+		Profiles        map[string]ca.Profile
 
-		CertificateValidityPeriod uint64
-		RetryAfter                struct {
+		RetryAfter struct {
 			Authz int
 			Order int
 		}
+
+		// Deprecated: use Profiles.ValidityPeriod instead
+		CertificateValidityPeriod uint64
 	}
 }
 
@@ -59,6 +63,12 @@ func main() {
 		"Print the software version")
 	flag.Parse()
 
+	if len(flag.Args()) > 0 {
+		fmt.Printf("invalid command line arguments: %s\n", strings.Join(flag.Args(), " "))
+		flag.Usage()
+		os.Exit(1)
+	}
+
 	if *versionFlag {
 		// Print the version and exit
 		fmt.Printf("Pebble version: %s\n", version)
@@ -93,9 +103,19 @@ func main() {
 		chainLength = int(val)
 	}
 
+	profiles := c.Pebble.Profiles
+	if len(profiles) == 0 {
+		profiles = map[string]ca.Profile{
+			"default": {
+				Description:    "The default profile",
+				ValidityPeriod: 0, // Will be overridden by the CA's default
+			},
+		}
+	}
+
 	db := db.NewMemoryStore()
-	ca := ca.New(logger, db, c.Pebble.OCSPResponderURL, alternateRoots, chainLength, c.Pebble.CertificateValidityPeriod)
-	va := va.New(logger, c.Pebble.HTTPPort, c.Pebble.TLSPort, *strictMode, *resolverAddress)
+	ca := ca.New(logger, db, c.Pebble.OCSPResponderURL, alternateRoots, chainLength, profiles)
+	va := va.New(logger, c.Pebble.HTTPPort, c.Pebble.TLSPort, *strictMode, *resolverAddress, db)
 
 	for keyID, key := range c.Pebble.ExternalAccountMACKeys {
 		err := db.AddExternalAccountKeyByID(keyID, key)

core/types.go

@@ -5,9 +5,11 @@ import (
 	"crypto"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/hex"
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"math/big"
 	"sync"
 	"time"
 
@@ -27,6 +29,8 @@ type Order struct {
 	AuthorizationObjects []*Authorization
 	BeganProcessing      bool
 	CertificateObject    *Certificate
+	// Indicates if the finalized order has been successfully replaced via ARI.
+	IsReplaced bool
 }
 
 func (o *Order) GetStatus() (string, error) {
@@ -55,22 +59,15 @@ func (o *Order) GetStatus() (string, error) {
 		}
 	}
 
-	// An order is invalid if **any** of its authzs are invalid
-	if authzStatuses[acme.StatusInvalid] > 0 {
+	// An order is invalid if ANY of its authzs are invalid, deactivated, or
+	// expired per: https://tools.ietf.org/html/rfc8555#page-32
+	if authzStatuses[acme.StatusInvalid] > 0 ||
+		authzStatuses[acme.StatusDeactivated] > 0 ||
+		authzStatuses[acme.StatusExpired] > 0 {
 		return acme.StatusInvalid, nil
 	}
 
-	// An order is expired if **any** of its authzs are expired
-	if authzStatuses[acme.StatusExpired] > 0 {
-		return acme.StatusInvalid, nil
-	}
-
-	// An order is deactivated if **any** of its authzs are deactivated
-	if authzStatuses[acme.StatusDeactivated] > 0 {
-		return acme.StatusDeactivated, nil
-	}
-
-	// An order is pending if **any** of its authzs are pending
+	// Otherwise, an order is pending if ANY of its authzs are pending.
 	if authzStatuses[acme.StatusPending] > 0 {
 		return acme.StatusPending, nil
 	}
@@ -152,6 +149,8 @@ type Certificate struct {
 	DER          []byte
 	IssuerChains [][]*Certificate
 	AccountID    string
+	// When non-empty, this is the ARI response sent for this certificate.
+	ARIResponse string
 }
 
 func (c Certificate) PEM() []byte {
@@ -200,3 +199,104 @@ type ValidationRecord struct {
 	Error       *acme.ProblemDetails
 	ValidatedAt time.Time
 }
+
+// CertID represents a unique identifier (CertID) for a certificate as per the
+// ACME protocol's "renewalInfo" resource, as specified in draft-ietf-acme-ari-
+// 03. The CertID is a composite string derived from the base64url-encoded
+// keyIdentifier of the certificate's Authority Key Identifier (AKI) and the
+// base64url-encoded serial number of the certificate, separated by a period.
+// For more details see:
+// https://datatracker.ietf.org/doc/html/draft-ietf-acme-ari-02#section-4.1.
+type CertID struct {
+	KeyIdentifier []byte
+	SerialNumber  *big.Int
+	// id is the pre-computed hex encoding of SerialNumber.
+	id string
+}
+
+// SerialHex returns a CertID's id field.
+func (c CertID) SerialHex() string {
+	return c.id
+}
+
+// NewCertID takes bytes representing a serial number and authority key
+// identifier and returns a CertID or an error.
+func NewCertID(serial []byte, akid []byte) (*CertID, error) {
+	if serial == nil || akid == nil {
+		return nil, errors.New("must send non-nil bytes")
+	}
+
+	return &CertID{
+		KeyIdentifier: akid,
+		SerialNumber:  new(big.Int).SetBytes(serial),
+		id:            hex.EncodeToString(serial),
+	}, nil
+}
+
+// SuggestedWindow is a type exposed inside the RenewalInfo resource.
+type SuggestedWindow struct {
+	Start time.Time `json:"start"`
+	End   time.Time `json:"end"`
+}
+
+// IsWithin returns true if the given time is within the suggested window,
+// inclusive of the start time and exclusive of the end time.
+func (window SuggestedWindow) IsWithin(now time.Time) bool {
+	return !now.Before(window.Start) && now.Before(window.End)
+}
+
+// RenewalInfo is a type which is exposed to clients which query the renewalInfo
+// endpoint specified in draft-aaron-ari.
+type RenewalInfo struct {
+	SuggestedWindow SuggestedWindow `json:"suggestedWindow"`
+}
+
+// RenewalInfoSimple constructs a `RenewalInfo` object and suggested window
+// using a very simple renewal calculation: calculate a point 2/3rds of the way
+// through the validity period, then give a 2-day window around that. Both the
+// `issued` and `expires` timestamps are expected to be UTC.
+func RenewalInfoSimple(issued time.Time, expires time.Time) *RenewalInfo {
+	validity := expires.Add(time.Second).Sub(issued)
+	renewalOffset := validity / time.Duration(3)
+	idealRenewal := expires.Add(-renewalOffset)
+	windowStart := idealRenewal.Add(-24 * time.Hour)
+	windowEnd := idealRenewal.Add(24 * time.Hour)
+
+	// Ensure RenewalWindow is not after the expiry
+	if windowEnd.After(expires) {
+		windowEnd = expires
+	}
+	// Ensure correct start for future issueds
+	if windowStart.Before(issued) {
+		windowStart = issued
+	}
+
+	// draft-ietf-acme-ari states:
+	// A RenewalInfo object in which the end timestamp
+	// equals or precedes the start timestamp is invalid.
+	if !windowStart.Before(windowEnd) {
+		windowStart = windowStart.Add(-1 * time.Second)
+	}
+
+	return &RenewalInfo{
+		SuggestedWindow: SuggestedWindow{
+			Start: windowStart.Truncate(time.Millisecond),
+			End:   windowEnd.Truncate(time.Millisecond),
+		},
+	}
+}
+
+// RenewalInfoImmediate constructs a `RenewalInfo` object with a suggested
+// window in the past. Per the draft-ietf-acme-ari-01 spec, clients should
+// attempt to renew immediately if the suggested window is in the past. The
+// passed `now` is assumed to be a timestamp representing the current moment in
+// time.
+func RenewalInfoImmediate(now time.Time) *RenewalInfo {
+	oneHourAgo := now.Add(-1 * time.Hour)
+	return &RenewalInfo{
+		SuggestedWindow: SuggestedWindow{
+			Start: oneHourAgo.Truncate(time.Millisecond),
+			End:   oneHourAgo.Add(1 * time.Second).Truncate(time.Millisecond),
+		},
+	}
+}

db/memorystore.go

@@ -46,8 +46,11 @@ type MemoryStore struct {
 	// key bytes.
 	accountsByKeyID map[string]*core.Account
 
-	ordersByID        map[string]*core.Order
-	ordersByAccountID map[string][]*core.Order
+	// ordersByIssuedSerial indexes the hex encoding of the certificate's
+	// SerialNumber.
+	ordersByIssuedSerial map[string]*core.Order
+	ordersByID           map[string]*core.Order
+	ordersByAccountID    map[string][]*core.Order
 
 	authorizationsByID map[string]*core.Authorization
 
@@ -66,6 +69,7 @@ func NewMemoryStore() *MemoryStore {
 		accountRand:             rand.New(rand.NewSource(time.Now().UnixNano())),
 		accountsByID:            make(map[string]*core.Account),
 		accountsByKeyID:         make(map[string]*core.Account),
+		ordersByIssuedSerial:    make(map[string]*core.Order),
 		ordersByID:              make(map[string]*core.Order),
 		ordersByAccountID:       make(map[string][]*core.Order),
 		authorizationsByID:      make(map[string]*core.Authorization),
@@ -94,6 +98,28 @@ func (m *MemoryStore) GetAccountByKey(key crypto.PublicKey) (*core.Account, erro
 	return m.accountsByKeyID[keyID], nil
 }
 
+// UpdateReplacedOrder takes a serial and marks a parent order as
+// replaced/not-replaced or returns an error.
+//
+// We intentionally don't Lock the database inside this method because the inner
+// GetOrderByIssuedSerial which is used elsewhere does an RLock which would
+// hang.
+func (m *MemoryStore) UpdateReplacedOrder(serial string, shouldBeReplaced bool) error {
+	if serial == "" {
+		return acme.InternalErrorProblem("no serial provided")
+	}
+
+	originalOrder, err := m.GetOrderByIssuedSerial(serial)
+	if err != nil {
+		return acme.InternalErrorProblem(fmt.Sprintf("could not find an order for the given certificate: %s", err))
+	}
+	originalOrder.Lock()
+	defer originalOrder.Unlock()
+	originalOrder.IsReplaced = shouldBeReplaced
+
+	return nil
+}
+
 // Note that this function should *NOT* be used for key changes. It assumes
 // the public key associated to the account does not change. Use ChangeAccountKey
 // to change the account's public key.
@@ -195,6 +221,19 @@ func (m *MemoryStore) AddOrder(order *core.Order) (int, error) {
 	return len(m.ordersByID), nil
 }
 
+func (m *MemoryStore) AddOrderByIssuedSerial(order *core.Order) error {
+	m.Lock()
+	defer m.Unlock()
+
+	if order.CertificateObject == nil {
+		return errors.New("order must have non-empty CertificateObject")
+	}
+
+	m.ordersByIssuedSerial[order.CertificateObject.ID] = order
+
+	return nil
+}
+
 func (m *MemoryStore) GetOrderByID(id string) *core.Order {
 	m.RLock()
 	defer m.RUnlock()
@@ -212,6 +251,20 @@ func (m *MemoryStore) GetOrderByID(id string) *core.Order {
 	return nil
 }
 
+// GetOrderByIssuedSerial returns the order that resulted in the given certificate
+// serial. If no such order exists, an error will be returned.
+func (m *MemoryStore) GetOrderByIssuedSerial(serial string) (*core.Order, error) {
+	m.RLock()
+	defer m.RUnlock()
+
+	order, ok := m.ordersByIssuedSerial[serial]
+	if !ok {
+		return nil, errors.New("could not find order resulting in the given certificate serial number")
+	}
+
+	return order, nil
+}
+
 func (m *MemoryStore) GetOrdersByAccountID(accountID string) []*core.Order {
 	m.RLock()
 	defer m.RUnlock()
@@ -360,7 +413,6 @@ func (m *MemoryStore) RevokeCertificate(cert *core.RevokedCertificate) {
 	m.Lock()
 	defer m.Unlock()
 	m.revokedCertificatesByID[cert.Certificate.ID] = cert
-	delete(m.certificatesByID, cert.Certificate.ID)
 }
 
 /*
@@ -496,3 +548,19 @@ func (m *MemoryStore) IsDomainBlocked(name string) bool {
 
 	return false
 }
+
+// SetARIResponse looks up a certificate by serial number and sets its ARI response field
+func (m *MemoryStore) SetARIResponse(serial *big.Int, ariResponse string) error {
+	m.Lock()
+	defer m.Unlock()
+
+	for _, cert := range m.certificatesByID {
+		if cert.Cert.SerialNumber.Cmp(serial) == 0 {
+			cert.ARIResponse = ariResponse
+			return nil
+		}
+	}
+
+	// Certificate not found
+	return fmt.Errorf("certificate with serial number %s not found", serial.String())
+}

go.mod

@@ -1,19 +1,19 @@
 module github.com/letsencrypt/pebble/v2
 
-go 1.21
+go 1.24
+
+toolchain go1.24.2
 
 require (
-	github.com/go-jose/go-jose/v4 v4.0.1
+	github.com/go-jose/go-jose/v4 v4.1.0
 	github.com/letsencrypt/challtestsrv v1.3.2
-	github.com/miekg/dns v1.1.58
+	github.com/miekg/dns v1.1.62
 )
 
 require (
-	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/stretchr/testify v1.8.4 // indirect
-	golang.org/x/crypto v0.19.0 // indirect
-	golang.org/x/mod v0.15.0 // indirect
-	golang.org/x/net v0.21.0 // indirect
-	golang.org/x/sys v0.17.0 // indirect
-	golang.org/x/tools v0.18.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
 )

go.sum

@@ -1,36 +1,34 @@
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
-github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/go-jose/go-jose/v4 v4.1.0 h1:cYSYxd3pw5zd2FSXk2vGdn9igQU2PS8MuxrCOCl0FdY=
+github.com/go-jose/go-jose/v4 v4.1.0/go.mod h1:GG/vqmYm3Von2nYiB2vGTXzdoNKE5tix5tuc6iAd+sw=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/letsencrypt/challtestsrv v1.3.2 h1:pIDLBCLXR3B1DLmOmkkqg29qVa7DDozBnsOpL9PxmAY=
 github.com/letsencrypt/challtestsrv v1.3.2/go.mod h1:Ur4e4FvELUXLGhkMztHOsPIsvGxD/kzSJninOrkM+zc=
 github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
-github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
-github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
+github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
+github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8=
-golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
-golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ=
-golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg=
+golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

test/config/pebble-config-external-account-bindings.json

@@ -10,11 +10,12 @@
     "retryAfter": {
         "authz": 3,
         "order": 5
-    }
+    },
     "externalAccountBindingRequired": true,
     "externalAccountMACKeys": {
       "kid-1": "zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W",
-      "kid-2": "b10lLJs8l1GPIzsLP0s6pMt8O0XVGnfTaCeROxQM0BIt2XrJMDHJZBM5NuQmQJQH"
+      "kid-2": "b10lLJs8l1GPIzsLP0s6pMt8O0XVGnfTaCeROxQM0BIt2XrJMDHJZBM5NuQmQJQH",
+      "kid-3": "HjudV5qnbreN-n9WyFSH-t4HXuEx_XFen45zuxY-G1h6fr74V3cUM_dVlwQZBWmc"
     },
     "certificateValidityPeriod": 157766400
   }

test/config/pebble-config.json

@@ -13,6 +13,15 @@
         "authz": 3,
         "order": 5
     },
-    "certificateValidityPeriod": 157766400
+    "profiles": {
+      "default": {
+        "description": "The profile you know and love",
+        "validityPeriod": 7776000
+      },
+      "shortlived": {
+        "description": "A short-lived cert profile, without actual enforcement",
+        "validityPeriod": 518400
+      }
+    }
   }
 }

va/va.go

@@ -7,6 +7,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/asn1"
+	"encoding/base32"
 	"encoding/base64"
 	"fmt"
 	"io"
@@ -26,6 +27,7 @@ import (
 	"github.com/letsencrypt/challtestsrv"
 	"github.com/letsencrypt/pebble/v2/acme"
 	"github.com/letsencrypt/pebble/v2/core"
+	"github.com/letsencrypt/pebble/v2/db"
 )
 
 const (
@@ -92,6 +94,8 @@ type vaTask struct {
 	Identifier acme.Identifier
 	Challenge  *core.Challenge
 	Account    *core.Account
+	AccountURL string
+	Wildcard   bool
 }
 
 type VAImpl struct {
@@ -105,12 +109,18 @@ type VAImpl struct {
 	strict             bool
 	customResolverAddr string
 	dnsClient          *dns.Client
+
+	// The VA having a DB client is indeed strange. This is only used to
+	// facilitate va.setOrderError changing the ARI related order replacement
+	// field on failed orders.
+	db *db.MemoryStore
 }
 
 func New(
 	log *log.Logger,
 	httpPort, tlsPort int,
 	strict bool, customResolverAddr string,
+	db *db.MemoryStore,
 ) *VAImpl {
 	va := &VAImpl{
 		log:                log,
@@ -121,6 +131,7 @@ func New(
 		sleepTime:          defaultSleepTime,
 		strict:             strict,
 		customResolverAddr: customResolverAddr,
+		db:                 db,
 	}
 
 	if customResolverAddr != "" {
@@ -157,11 +168,13 @@ func New(
 	return va
 }
 
-func (va VAImpl) ValidateChallenge(ident acme.Identifier, chal *core.Challenge, acct *core.Account) {
+func (va VAImpl) ValidateChallenge(ident acme.Identifier, chal *core.Challenge, acct *core.Account, acctURL string, wildcard bool) {
 	task := &vaTask{
 		Identifier: ident,
 		Challenge:  chal,
 		Account:    acct,
+		AccountURL: acctURL,
+		Wildcard:   wildcard,
 	}
 	// Submit the task for validation
 	va.tasks <- task
@@ -204,10 +217,17 @@ func (va VAImpl) setAuthzValid(authz *core.Authorization, chal *core.Challenge)
 
 // setOrderError updates an order with an error from an authorization
 // validation.
-func (va VAImpl) setOrderError(order *core.Order, err *acme.ProblemDetails) {
+func (va VAImpl) setOrderError(order *core.Order, prob *acme.ProblemDetails) {
 	order.Lock()
 	defer order.Unlock()
-	order.Error = err
+	order.Error = prob
+
+	// Mark the parent order as "not replaced yet" so a new replacement order
+	// can be attempted.
+	err := va.db.UpdateReplacedOrder(order.Replaces, false)
+	if err != nil {
+		va.log.Printf("Error updating replacement order: %s", err)
+	}
 }
 
 // setAuthzInvalid updates an authorization and an associated challenge to be
@@ -299,6 +319,8 @@ func (va VAImpl) performValidation(task *vaTask, results chan<- *core.Validation
 		results <- va.validateTLSALPN01(task)
 	case acme.ChallengeDNS01:
 		results <- va.validateDNS01(task)
+	case acme.ChallengeDNSAccount01:
+		results <- va.validateDNSAccount01(task)
 	default:
 		va.log.Printf("Error: performValidation(): Invalid challenge type: %q", task.Challenge.Type)
 	}
@@ -342,6 +364,45 @@ func (va VAImpl) validateDNS01(task *vaTask) *core.ValidationRecord {
 	return result
 }
 
+func (va VAImpl) validateDNSAccount01(task *vaTask) *core.ValidationRecord {
+	acctHash := sha256.Sum256([]byte(task.AccountURL))
+	acctLabel := strings.ToLower(base32.StdEncoding.EncodeToString(acctHash[0:10]))
+	challengeSubdomain := fmt.Sprintf("_%s._acme-challenge.%s", acctLabel, task.Identifier.Value)
+
+	result := &core.ValidationRecord{
+		URL:         challengeSubdomain,
+		ValidatedAt: time.Now(),
+	}
+
+	txts, err := va.getTXTEntry(challengeSubdomain)
+	if err != nil {
+		result.Error = acme.UnauthorizedProblem(fmt.Sprintf("Error retrieving TXT records for DNS-ACCOUNT-01 challenge (%q)", err))
+		return result
+	}
+
+	if len(txts) == 0 {
+		msg := "No TXT records found for DNS-ACCOUNT-01 challenge"
+		result.Error = acme.UnauthorizedProblem(msg)
+		return result
+	}
+
+	task.Challenge.RLock()
+	expectedKeyAuthorization := task.Challenge.ExpectedKeyAuthorization(task.Account.Key)
+	h := sha256.Sum256([]byte(expectedKeyAuthorization))
+	task.Challenge.RUnlock()
+	authorizedKeysDigest := base64.RawURLEncoding.EncodeToString(h[:])
+
+	for _, element := range txts {
+		if subtle.ConstantTimeCompare([]byte(element), []byte(authorizedKeysDigest)) == 1 {
+			return result
+		}
+	}
+
+	msg := "Correct value not found for DNS-ACCOUNT-01 challenge"
+	result.Error = acme.UnauthorizedProblem(msg)
+	return result
+}
+
 func (va VAImpl) validateTLSALPN01(task *vaTask) *core.ValidationRecord {
 	portString := strconv.Itoa(va.tlsPort)
 

va/va_test.go

@@ -31,7 +31,7 @@ func TestAuthzRace(_ *testing.T) {
 
 	// This whole test can be removed if/when the MemoryStore becomes 100% by value
 	ms := db.NewMemoryStore()
-	va := New(log.New(os.Stdout, "Pebble/TestRace", log.LstdFlags), 14000, 15000, false, "")
+	va := New(log.New(os.Stdout, "Pebble/TestRace", log.LstdFlags), 14000, 15000, false, "", ms)
 
 	authz := &core.Authorization{
 		ID: "auth-id",

vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md

@@ -1,3 +1,32 @@
+## Changed
+
+  - Defined a custom error, ErrUnexpectedSignatureAlgorithm, returned when a JWS
+    header contains an unsupported signature algorithm.
+
+# v4.0.4
+
+## Fixed
+
+ - Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a
+   breaking change. See #136 / #137.
+
+# v4.0.3
+
+## Changed
+
+ - Allow unmarshalling JSONWebKeySets with unsupported key types (#130)
+ - Document that OpaqueKeyEncrypter can't be implemented (for now) (#129)
+ - Dependency updates
+
+# v4.0.2
+
+## Changed
+
+ - Improved documentation of Verify() to note that JSONWebKeySet is a supported
+   argument type (#104)
+ - Defined exported error values for missing x5c header and unsupported elliptic
+   curves error cases (#117)
+
 # v4.0.1
 
 ## Fixed

vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md

@@ -7,9 +7,3 @@ When submitting code, please make every effort to follow existing conventions
 and style in order to keep the code as readable as possible. Please also make
 sure all tests pass by running `go test`, and format your code with `go fmt`.
 We also recommend using `golint` and `errcheck`.
-
-Before your code can be accepted into the project you must also sign the
-Individual Contributor License Agreement.  We use [cla-assistant.io][1] and you
-will be prompted to sign once a pull request is opened.
-
-[1]: https://cla-assistant.io/

vendor/github.com/go-jose/go-jose/v4/README.md

@@ -9,14 +9,6 @@ Package jose aims to provide an implementation of the Javascript Object Signing
 and Encryption set of standards. This includes support for JSON Web Encryption,
 JSON Web Signature, and JSON Web Token standards.
 
-**Disclaimer**: This library contains encryption software that is subject to
-the U.S. Export Administration Regulations. You may not export, re-export,
-transfer or download this code or any part of it in violation of any United
-States law, directive or regulation. In particular this software may not be
-exported or re-exported in any form or on any media to Iran, North Sudan,
-Syria, Cuba, or North Korea, or to denied persons or entities mentioned on any
-US maintained blocked list.
-
 ## Overview
 
 The implementation follows the
@@ -109,6 +101,6 @@ allows attaching a key id.
 
 Examples can be found in the Godoc
 reference for this package. The
-[`jose-util`](https://github.com/go-jose/go-jose/tree/v4/jose-util)
+[`jose-util`](https://github.com/go-jose/go-jose/tree/main/jose-util)
 subdirectory also contains a small command-line utility which might be useful
 as an example as well.

vendor/github.com/go-jose/go-jose/v4/crypter.go

@@ -459,7 +459,10 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
 		return nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
 	}
 
-	key := tryJWKS(decryptionKey, obj.Header)
+	key, err := tryJWKS(decryptionKey, obj.Header)
+	if err != nil {
+		return nil, err
+	}
 	decrypter, err := newDecrypter(key)
 	if err != nil {
 		return nil, err
@@ -529,7 +532,10 @@ func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Heade
 		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
 	}
 
-	key := tryJWKS(decryptionKey, obj.Header)
+	key, err := tryJWKS(decryptionKey, obj.Header)
+	if err != nil {
+		return -1, Header{}, nil, err
+	}
 	decrypter, err := newDecrypter(key)
 	if err != nil {
 		return -1, Header{}, nil, err

vendor/github.com/go-jose/go-jose/v4/jwe.go

@@ -288,10 +288,11 @@ func ParseEncryptedCompact(
 	keyAlgorithms []KeyAlgorithm,
 	contentEncryption []ContentEncryption,
 ) (*JSONWebEncryption, error) {
-	parts := strings.Split(input, ".")
-	if len(parts) != 5 {
+	// Five parts is four separators
+	if strings.Count(input, ".") != 4 {
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
 	}
+	parts := strings.SplitN(input, ".", 5)
 
 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
 	if err != nil {

vendor/github.com/go-jose/go-jose/v4/jwk.go

@@ -239,10 +239,10 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
 				keyPub = key
 			}
 		} else {
-			err = fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
+			return fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
 		}
 	default:
-		err = fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
+		return fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
 	}
 
 	if err != nil {
@@ -779,7 +779,13 @@ func (key rawJSONWebKey) symmetricKey() ([]byte, error) {
 	return key.K.bytes(), nil
 }
 
-func tryJWKS(key interface{}, headers ...Header) interface{} {
+var (
+	// ErrJWKSKidNotFound is returned when a JWKS does not contain a JWK with a
+	// key ID which matches one in the provided tokens headers.
+	ErrJWKSKidNotFound = errors.New("go-jose/go-jose: JWK with matching kid not found in JWK Set")
+)
+
+func tryJWKS(key interface{}, headers ...Header) (interface{}, error) {
 	var jwks JSONWebKeySet
 
 	switch jwksType := key.(type) {
@@ -788,9 +794,11 @@ func tryJWKS(key interface{}, headers ...Header) interface{} {
 	case JSONWebKeySet:
 		jwks = jwksType
 	default:
-		return key
+		// If the specified key is not a JWKS, return as is.
+		return key, nil
 	}
 
+	// Determine the KID to search for from the headers.
 	var kid string
 	for _, header := range headers {
 		if header.KeyID != "" {
@@ -799,14 +807,17 @@ func tryJWKS(key interface{}, headers ...Header) interface{} {
 		}
 	}
 
+	// If no KID is specified in the headers, reject.
 	if kid == "" {
-		return key
+		return nil, ErrJWKSKidNotFound
 	}
 
+	// Find the JWK with the matching KID. If no JWK with the specified KID is
+	// found, reject.
 	keys := jwks.Key(kid)
 	if len(keys) == 0 {
-		return key
+		return nil, ErrJWKSKidNotFound
 	}
 
-	return keys[0].Key
+	return keys[0].Key, nil
 }

vendor/github.com/go-jose/go-jose/v4/jws.go

@@ -75,7 +75,14 @@ type Signature struct {
 	original  *rawSignatureInfo
 }
 
-// ParseSigned parses a signed message in JWS Compact or JWS JSON Serialization.
+// ParseSigned parses a signed message in JWS Compact or JWS JSON Serialization. Validation fails if
+// the JWS is signed with an algorithm that isn't in the provided list of signature algorithms.
+// Applications should decide for themselves which signature algorithms are acceptable. If you're
+// not sure which signature algorithms your application might receive, consult the documentation of
+// the program which provides them or the protocol that you are implementing. You can also try
+// getting an example JWS and decoding it with a tool like https://jwt.io to see what its "alg"
+// header parameter indicates. The signature on the JWS does not get validated during parsing. Call
+// Verify() after parsing to validate the signature and obtain the payload.
 //
 // https://datatracker.ietf.org/doc/html/rfc7515#section-7
 func ParseSigned(
@@ -90,7 +97,14 @@ func ParseSigned(
 	return parseSignedCompact(signature, nil, signatureAlgorithms)
 }
 
-// ParseSignedCompact parses a message in JWS Compact Serialization.
+// ParseSignedCompact parses a message in JWS Compact Serialization. Validation fails if the JWS is
+// signed with an algorithm that isn't in the provided list of signature algorithms. Applications
+// should decide for themselves which signature algorithms are acceptable.If you're not sure which
+// signature algorithms your application might receive, consult the documentation of the program
+// which provides them or the protocol that you are implementing. You can also try getting an
+// example JWS and decoding it with a tool like https://jwt.io to see what its "alg" header
+// parameter indicates. The signature on the JWS does not get validated during parsing. Call
+// Verify() after parsing to validate the signature and obtain the payload.
 //
 // https://datatracker.ietf.org/doc/html/rfc7515#section-7.1
 func ParseSignedCompact(
@@ -101,6 +115,15 @@ func ParseSignedCompact(
 }
 
 // ParseDetached parses a signed message in compact serialization format with detached payload.
+// Validation fails if the JWS is signed with an algorithm that isn't in the provided list of
+// signature algorithms. Applications should decide for themselves which signature algorithms are
+// acceptable. If you're not sure which signature algorithms your application might receive, consult
+// the documentation of the program which provides them or the protocol that you are implementing.
+// You can also try getting an example JWS and decoding it with a tool like https://jwt.io to see
+// what its "alg" header parameter indicates. The signature on the JWS does not get validated during
+// parsing. Call Verify() after parsing to validate the signature and obtain the payload.
+//
+// https://datatracker.ietf.org/doc/html/rfc7515#appendix-F
 func ParseDetached(
 	signature string,
 	payload []byte,
@@ -181,6 +204,25 @@ func containsSignatureAlgorithm(haystack []SignatureAlgorithm, needle SignatureA
 	return false
 }
 
+// ErrUnexpectedSignatureAlgorithm is returned when the signature algorithm in
+// the JWS header does not match one of the expected algorithms.
+type ErrUnexpectedSignatureAlgorithm struct {
+	// Got is the signature algorithm found in the JWS header.
+	Got      SignatureAlgorithm
+	expected []SignatureAlgorithm
+}
+
+func (e *ErrUnexpectedSignatureAlgorithm) Error() string {
+	return fmt.Sprintf("unexpected signature algorithm %q; expected %q", e.Got, e.expected)
+}
+
+func newErrUnexpectedSignatureAlgorithm(got SignatureAlgorithm, expected []SignatureAlgorithm) error {
+	return &ErrUnexpectedSignatureAlgorithm{
+		Got:      got,
+		expected: expected,
+	}
+}
+
 // sanitized produces a cleaned-up JWS object from the raw JSON.
 func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgorithm) (*JSONWebSignature, error) {
 	if len(signatureAlgorithms) == 0 {
@@ -236,8 +278,7 @@ func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgo
 
 		alg := SignatureAlgorithm(signature.Header.Algorithm)
 		if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
-			return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
-				alg, signatureAlgorithms)
+			return nil, newErrUnexpectedSignatureAlgorithm(alg, signatureAlgorithms)
 		}
 
 		if signature.header != nil {
@@ -285,8 +326,7 @@ func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgo
 
 		alg := SignatureAlgorithm(obj.Signatures[i].Header.Algorithm)
 		if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
-			return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
-				alg, signatureAlgorithms)
+			return nil, newErrUnexpectedSignatureAlgorithm(alg, signatureAlgorithms)
 		}
 
 		if obj.Signatures[i].header != nil {
@@ -327,10 +367,11 @@ func parseSignedCompact(
 	payload []byte,
 	signatureAlgorithms []SignatureAlgorithm,
 ) (*JSONWebSignature, error) {
-	parts := strings.Split(input, ".")
-	if len(parts) != 3 {
+	// Three parts is two separators
+	if strings.Count(input, ".") != 2 {
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
 	}
+	parts := strings.SplitN(input, ".", 3)
 
 	if parts[1] != "" && payload != nil {
 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")

vendor/github.com/go-jose/go-jose/v4/opaque.go

@@ -83,6 +83,9 @@ func (o *opaqueVerifier) verifyPayload(payload []byte, signature []byte, alg Sig
 }
 
 // OpaqueKeyEncrypter is an interface that supports encrypting keys with an opaque key.
+//
+// Note: this cannot currently be implemented outside this package because of its
+// unexported method.
 type OpaqueKeyEncrypter interface {
 	// KeyID returns the kid
 	KeyID() string

vendor/github.com/go-jose/go-jose/v4/shared.go

@@ -71,6 +71,12 @@ var (
 	// ErrUnprotectedNonce indicates that while parsing a JWS or JWE object, a
 	// nonce header parameter was included in an unprotected header object.
 	ErrUnprotectedNonce = errors.New("go-jose/go-jose: Nonce parameter included in unprotected header")
+
+	// ErrMissingX5cHeader indicates that the JWT header is missing x5c headers.
+	ErrMissingX5cHeader = errors.New("go-jose/go-jose: no x5c header present in message")
+
+	// ErrUnsupportedEllipticCurve indicates unsupported or unknown elliptic curve has been found.
+	ErrUnsupportedEllipticCurve = errors.New("go-jose/go-jose: unsupported/unknown elliptic curve")
 )
 
 // Key management algorithms
@@ -199,7 +205,7 @@ type Header struct {
 // not be validated with the given verify options.
 func (h Header) Certificates(opts x509.VerifyOptions) ([][]*x509.Certificate, error) {
 	if len(h.certificates) == 0 {
-		return nil, errors.New("go-jose/go-jose: no x5c header present in message")
+		return nil, ErrMissingX5cHeader
 	}
 
 	leaf := h.certificates[0]
@@ -501,7 +507,7 @@ func curveName(crv elliptic.Curve) (string, error) {
 	case elliptic.P521():
 		return "P-521", nil
 	default:
-		return "", fmt.Errorf("go-jose/go-jose: unsupported/unknown elliptic curve")
+		return "", ErrUnsupportedEllipticCurve
 	}
 }
 

vendor/github.com/go-jose/go-jose/v4/signing.go

@@ -358,6 +358,8 @@ func (ctx *genericSigner) Options() SignerOptions {
 //   - *rsa.PublicKey
 //   - *JSONWebKey
 //   - JSONWebKey
+//   - *JSONWebKeySet
+//   - JSONWebKeySet
 //   - []byte (an HMAC key)
 //   - Any type that implements the OpaqueVerifier interface.
 //
@@ -388,7 +390,10 @@ func (obj JSONWebSignature) UnsafePayloadWithoutVerification() []byte {
 // The verificationKey argument must have one of the types allowed for the
 // verificationKey argument of JSONWebSignature.Verify().
 func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey interface{}) error {
-	key := tryJWKS(verificationKey, obj.headers()...)
+	key, err := tryJWKS(verificationKey, obj.headers()...)
+	if err != nil {
+		return err
+	}
 	verifier, err := newVerifier(key)
 	if err != nil {
 		return err
@@ -453,7 +458,10 @@ func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signa
 // The verificationKey argument must have one of the types allowed for the
 // verificationKey argument of JSONWebSignature.Verify().
 func (obj JSONWebSignature) DetachedVerifyMulti(payload []byte, verificationKey interface{}) (int, Signature, error) {
-	key := tryJWKS(verificationKey, obj.headers()...)
+	key, err := tryJWKS(verificationKey, obj.headers()...)
+	if err != nil {
+		return -1, Signature{}, err
+	}
 	verifier, err := newVerifier(key)
 	if err != nil {
 		return -1, Signature{}, err

vendor/github.com/go-jose/go-jose/v4/symmetric.go

@@ -21,6 +21,7 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/hmac"
+	"crypto/pbkdf2"
 	"crypto/rand"
 	"crypto/sha256"
 	"crypto/sha512"
@@ -30,8 +31,6 @@ import (
 	"hash"
 	"io"
 
-	"golang.org/x/crypto/pbkdf2"
-
 	josecipher "github.com/go-jose/go-jose/v4/cipher"
 )
 
@@ -330,7 +329,10 @@ func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipie
 
 		// derive key
 		keyLen, h := getPbkdf2Params(alg)
-		key := pbkdf2.Key(ctx.key, salt, ctx.p2c, keyLen, h)
+		key, err := pbkdf2.Key(h, string(ctx.key), salt, ctx.p2c, keyLen)
+		if err != nil {
+			return recipientInfo{}, nil
+		}
 
 		// use AES cipher with derived key
 		block, err := aes.NewCipher(key)
@@ -432,7 +434,10 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
 
 		// derive key
 		keyLen, h := getPbkdf2Params(alg)
-		key := pbkdf2.Key(ctx.key, salt, p2c, keyLen, h)
+		key, err := pbkdf2.Key(h, string(ctx.key), salt, p2c, keyLen)
+		if err != nil {
+			return nil, err
+		}
 
 		// use AES cipher with derived key
 		block, err := aes.NewCipher(key)

vendor/github.com/miekg/dns/README.md

@@ -83,6 +83,8 @@ A not-so-up-to-date-list-that-may-be-actually-current:
 * https://github.com/egbakou/domainverifier
 * https://github.com/semihalev/sdns
 * https://github.com/wintbiit/NineDNS
+* https://linuxcontainers.org/incus/
+* https://ifconfig.es
 
 
 Send pull request if you want to be listed here.
@@ -146,6 +148,7 @@ Example programs can be found in the `github.com/miekg/exdns` repository.
 * 3225 - DO bit (DNSSEC OK)
 * 340{1,2,3} - NAPTR record
 * 3445 - Limiting the scope of (DNS)KEY
+* 3596 - AAAA record
 * 3597 - Unknown RRs
 * 4025 - A Method for Storing IPsec Keying Material in DNS
 * 403{3,4,5} - DNSSEC + validation functions
@@ -186,6 +189,9 @@ Example programs can be found in the `github.com/miekg/exdns` repository.
 * 8777 - DNS Reverse IP Automatic Multicast Tunneling (AMT) Discovery
 * 8914 - Extended DNS Errors
 * 8976 - Message Digest for DNS Zones (ZONEMD RR)
+* 9460 - Service Binding and Parameter Specification via the DNS
+* 9461 - Service Binding Mapping for DNS Servers
+* 9462 - Discovery of Designated Resolvers
 
 ## Loosely Based Upon
 

vendor/github.com/miekg/dns/defaults.go

@@ -198,10 +198,12 @@ func IsDomainName(s string) (labels int, ok bool) {
 		off    int
 		begin  int
 		wasDot bool
+		escape bool
 	)
 	for i := 0; i < len(s); i++ {
 		switch s[i] {
 		case '\\':
+			escape = !escape
 			if off+1 > lenmsg {
 				return labels, false
 			}
@@ -217,6 +219,7 @@ func IsDomainName(s string) (labels int, ok bool) {
 
 			wasDot = false
 		case '.':
+			escape = false
 			if i == 0 && len(s) > 1 {
 				// leading dots are not legal except for the root zone
 				return labels, false
@@ -243,10 +246,13 @@ func IsDomainName(s string) (labels int, ok bool) {
 			labels++
 			begin = i + 1
 		default:
+			escape = false
 			wasDot = false
 		}
 	}
-
+	if escape {
+		return labels, false
+	}
 	return labels, true
 }
 

vendor/github.com/miekg/dns/edns.go

@@ -756,36 +756,48 @@ const (
 	ExtendedErrorCodeNoReachableAuthority
 	ExtendedErrorCodeNetworkError
 	ExtendedErrorCodeInvalidData
+	ExtendedErrorCodeSignatureExpiredBeforeValid
+	ExtendedErrorCodeTooEarly
+	ExtendedErrorCodeUnsupportedNSEC3IterValue
+	ExtendedErrorCodeUnableToConformToPolicy
+	ExtendedErrorCodeSynthesized
+	ExtendedErrorCodeInvalidQueryType
 )
 
 // ExtendedErrorCodeToString maps extended error info codes to a human readable
 // description.
 var ExtendedErrorCodeToString = map[uint16]string{
-	ExtendedErrorCodeOther:                      "Other",
-	ExtendedErrorCodeUnsupportedDNSKEYAlgorithm: "Unsupported DNSKEY Algorithm",
-	ExtendedErrorCodeUnsupportedDSDigestType:    "Unsupported DS Digest Type",
-	ExtendedErrorCodeStaleAnswer:                "Stale Answer",
-	ExtendedErrorCodeForgedAnswer:               "Forged Answer",
-	ExtendedErrorCodeDNSSECIndeterminate:        "DNSSEC Indeterminate",
-	ExtendedErrorCodeDNSBogus:                   "DNSSEC Bogus",
-	ExtendedErrorCodeSignatureExpired:           "Signature Expired",
-	ExtendedErrorCodeSignatureNotYetValid:       "Signature Not Yet Valid",
-	ExtendedErrorCodeDNSKEYMissing:              "DNSKEY Missing",
-	ExtendedErrorCodeRRSIGsMissing:              "RRSIGs Missing",
-	ExtendedErrorCodeNoZoneKeyBitSet:            "No Zone Key Bit Set",
-	ExtendedErrorCodeNSECMissing:                "NSEC Missing",
-	ExtendedErrorCodeCachedError:                "Cached Error",
-	ExtendedErrorCodeNotReady:                   "Not Ready",
-	ExtendedErrorCodeBlocked:                    "Blocked",
-	ExtendedErrorCodeCensored:                   "Censored",
-	ExtendedErrorCodeFiltered:                   "Filtered",
-	ExtendedErrorCodeProhibited:                 "Prohibited",
-	ExtendedErrorCodeStaleNXDOMAINAnswer:        "Stale NXDOMAIN Answer",
-	ExtendedErrorCodeNotAuthoritative:           "Not Authoritative",
-	ExtendedErrorCodeNotSupported:               "Not Supported",
-	ExtendedErrorCodeNoReachableAuthority:       "No Reachable Authority",
-	ExtendedErrorCodeNetworkError:               "Network Error",
-	ExtendedErrorCodeInvalidData:                "Invalid Data",
+	ExtendedErrorCodeOther:                       "Other",
+	ExtendedErrorCodeUnsupportedDNSKEYAlgorithm:  "Unsupported DNSKEY Algorithm",
+	ExtendedErrorCodeUnsupportedDSDigestType:     "Unsupported DS Digest Type",
+	ExtendedErrorCodeStaleAnswer:                 "Stale Answer",
+	ExtendedErrorCodeForgedAnswer:                "Forged Answer",
+	ExtendedErrorCodeDNSSECIndeterminate:         "DNSSEC Indeterminate",
+	ExtendedErrorCodeDNSBogus:                    "DNSSEC Bogus",
+	ExtendedErrorCodeSignatureExpired:            "Signature Expired",
+	ExtendedErrorCodeSignatureNotYetValid:        "Signature Not Yet Valid",
+	ExtendedErrorCodeDNSKEYMissing:               "DNSKEY Missing",
+	ExtendedErrorCodeRRSIGsMissing:               "RRSIGs Missing",
+	ExtendedErrorCodeNoZoneKeyBitSet:             "No Zone Key Bit Set",
+	ExtendedErrorCodeNSECMissing:                 "NSEC Missing",
+	ExtendedErrorCodeCachedError:                 "Cached Error",
+	ExtendedErrorCodeNotReady:                    "Not Ready",
+	ExtendedErrorCodeBlocked:                     "Blocked",
+	ExtendedErrorCodeCensored:                    "Censored",
+	ExtendedErrorCodeFiltered:                    "Filtered",
+	ExtendedErrorCodeProhibited:                  "Prohibited",
+	ExtendedErrorCodeStaleNXDOMAINAnswer:         "Stale NXDOMAIN Answer",
+	ExtendedErrorCodeNotAuthoritative:            "Not Authoritative",
+	ExtendedErrorCodeNotSupported:                "Not Supported",
+	ExtendedErrorCodeNoReachableAuthority:        "No Reachable Authority",
+	ExtendedErrorCodeNetworkError:                "Network Error",
+	ExtendedErrorCodeInvalidData:                 "Invalid Data",
+	ExtendedErrorCodeSignatureExpiredBeforeValid: "Signature Expired Before Valid",
+	ExtendedErrorCodeTooEarly:                    "Too Early",
+	ExtendedErrorCodeUnsupportedNSEC3IterValue:   "Unsupported NSEC3 Iterations Value",
+	ExtendedErrorCodeUnableToConformToPolicy:     "Unable To Conform To Policy",
+	ExtendedErrorCodeSynthesized:                 "Synthesized",
+	ExtendedErrorCodeInvalidQueryType:            "Invalid Query Type",
 }
 
 // StringToExtendedErrorCode is a map from human readable descriptions to

vendor/github.com/miekg/dns/msg.go

@@ -714,7 +714,7 @@ func (h *MsgHdr) String() string {
 	return s
 }
 
-// Pack packs a Msg: it is converted to to wire format.
+// Pack packs a Msg: it is converted to wire format.
 // If the dns.Compress is true the message will be in compressed wire format.
 func (dns *Msg) Pack() (msg []byte, err error) {
 	return dns.PackBuffer(nil)

vendor/github.com/miekg/dns/scan.go

@@ -101,12 +101,13 @@ type ttlState struct {
 	isByDirective bool   // isByDirective indicates whether ttl was set by a $TTL directive
 }
 
-// NewRR reads the RR contained in the string s. Only the first RR is returned.
+// NewRR reads a string s and returns the first RR.
 // If s contains no records, NewRR will return nil with no error.
 //
-// The class defaults to IN and TTL defaults to 3600. The full zone file syntax
-// like $TTL, $ORIGIN, etc. is supported. All fields of the returned RR are
-// set, except RR.Header().Rdlength which is set to 0.
+// The class defaults to IN, TTL defaults to 3600, and
+// origin for resolving relative domain names defaults to the DNS root (.).
+// Full zone file syntax is supported, including directives like $TTL and $ORIGIN.
+// All fields of the returned RR are set from the read data, except RR.Header().Rdlength which is set to 0.
 func NewRR(s string) (RR, error) {
 	if len(s) > 0 && s[len(s)-1] != '\n' { // We need a closing newline
 		return ReadRR(strings.NewReader(s+"\n"), "")
@@ -1282,7 +1283,7 @@ func stringToCm(token string) (e, m uint8, ok bool) {
 			cmeters *= 10
 		}
 	}
-	// This slighly ugly condition will allow omitting the 'meter' part, like .01 (meaning 0.01m = 1cm).
+	// This slightly ugly condition will allow omitting the 'meter' part, like .01 (meaning 0.01m = 1cm).
 	if !hasCM || mStr != "" {
 		meters, err = strconv.Atoi(mStr)
 		// RFC1876 states the max value is 90000000.00.  The latter two conditions enforce it.

vendor/github.com/miekg/dns/scan_rr.go

@@ -51,25 +51,24 @@ func endingToTxtSlice(c *zlexer, errstr string) ([]string, *ParseError) {
 		switch l.value {
 		case zString:
 			empty = false
-			if len(l.token) > 255 {
-				// split up tokens that are larger than 255 into 255-chunks
-				sx := []string{}
-				p, i := 0, 255
-				for {
-					if i <= len(l.token) {
-						sx = append(sx, l.token[p:i])
-					} else {
-						sx = append(sx, l.token[p:])
-						break
-
-					}
-					p, i = p+255, i+255
+			// split up tokens that are larger than 255 into 255-chunks
+			sx := []string{}
+			p := 0
+			for {
+				i, ok := escapedStringOffset(l.token[p:], 255)
+				if !ok {
+					return nil, &ParseError{err: errstr, lex: l}
 				}
-				s = append(s, sx...)
-				break
-			}
+				if i != -1 && p+i != len(l.token) {
+					sx = append(sx, l.token[p:p+i])
+				} else {
+					sx = append(sx, l.token[p:])
+					break
 
-			s = append(s, l.token)
+				}
+				p += i
+			}
+			s = append(s, sx...)
 		case zBlank:
 			if quote {
 				// zBlank can only be seen in between txt parts.
@@ -1920,3 +1919,39 @@ func (rr *APL) parse(c *zlexer, o string) *ParseError {
 	rr.Prefixes = prefixes
 	return nil
 }
+
+// escapedStringOffset finds the offset within a string (which may contain escape
+// sequences) that corresponds to a certain byte offset. If the input offset is
+// out of bounds, -1 is returned (which is *not* considered an error).
+func escapedStringOffset(s string, desiredByteOffset int) (int, bool) {
+	if desiredByteOffset == 0 {
+		return 0, true
+	}
+
+	currentByteOffset, i := 0, 0
+
+	for i < len(s) {
+		currentByteOffset += 1
+
+		// Skip escape sequences
+		if s[i] != '\\' {
+			// Single plain byte, not an escape sequence.
+			i++
+		} else if isDDD(s[i+1:]) {
+			// Skip backslash and DDD.
+			i += 4
+		} else if len(s[i+1:]) < 1 {
+			// No character following the backslash; that's an error.
+			return 0, false
+		} else {
+			// Skip backslash and following byte.
+			i += 2
+		}
+
+		if currentByteOffset >= desiredByteOffset {
+			return i, true
+		}
+	}
+
+	return -1, true
+}

vendor/github.com/miekg/dns/server.go

@@ -188,6 +188,14 @@ type DecorateReader func(Reader) Reader
 // Implementations should never return a nil Writer.
 type DecorateWriter func(Writer) Writer
 
+// MsgInvalidFunc is a listener hook for observing incoming messages that were discarded
+// because they could not be parsed.
+// Every message that is read by a Reader will eventually be provided to the Handler,
+// rejected (or ignored) by the MsgAcceptFunc, or passed to this function.
+type MsgInvalidFunc func(m []byte, err error)
+
+func DefaultMsgInvalidFunc(m []byte, err error) {}
+
 // A Server defines parameters for running an DNS server.
 type Server struct {
 	// Address to listen on, ":dns" if empty.
@@ -233,6 +241,8 @@ type Server struct {
 	// AcceptMsgFunc will check the incoming message and will reject it early in the process.
 	// By default DefaultMsgAcceptFunc will be used.
 	MsgAcceptFunc MsgAcceptFunc
+	// MsgInvalidFunc is optional, will be called if a message is received but cannot be parsed.
+	MsgInvalidFunc MsgInvalidFunc
 
 	// Shutdown handling
 	lock     sync.RWMutex
@@ -277,6 +287,9 @@ func (srv *Server) init() {
 	if srv.MsgAcceptFunc == nil {
 		srv.MsgAcceptFunc = DefaultMsgAcceptFunc
 	}
+	if srv.MsgInvalidFunc == nil {
+		srv.MsgInvalidFunc = DefaultMsgInvalidFunc
+	}
 	if srv.Handler == nil {
 		srv.Handler = DefaultServeMux
 	}
@@ -531,6 +544,7 @@ func (srv *Server) serveUDP(l net.PacketConn) error {
 			if cap(m) == srv.UDPSize {
 				srv.udpPool.Put(m[:srv.UDPSize])
 			}
+			srv.MsgInvalidFunc(m, ErrShortRead)
 			continue
 		}
 		wg.Add(1)
@@ -611,6 +625,7 @@ func (srv *Server) serveUDPPacket(wg *sync.WaitGroup, m []byte, u net.PacketConn
 func (srv *Server) serveDNS(m []byte, w *response) {
 	dh, off, err := unpackMsgHdr(m, 0)
 	if err != nil {
+		srv.MsgInvalidFunc(m, err)
 		// Let client hang, they are sending crap; any reply can be used to amplify.
 		return
 	}
@@ -620,10 +635,12 @@ func (srv *Server) serveDNS(m []byte, w *response) {
 
 	switch action := srv.MsgAcceptFunc(dh); action {
 	case MsgAccept:
-		if req.unpack(dh, m, off) == nil {
+		err := req.unpack(dh, m, off)
+		if err == nil {
 			break
 		}
 
+		srv.MsgInvalidFunc(m, err)
 		fallthrough
 	case MsgReject, MsgRejectNotImplemented:
 		opcode := req.Opcode

vendor/github.com/miekg/dns/svcb.go

@@ -14,7 +14,7 @@ import (
 // SVCBKey is the type of the keys used in the SVCB RR.
 type SVCBKey uint16
 
-// Keys defined in draft-ietf-dnsop-svcb-https-08 Section 14.3.2.
+// Keys defined in rfc9460
 const (
 	SVCB_MANDATORY SVCBKey = iota
 	SVCB_ALPN
@@ -23,7 +23,8 @@ const (
 	SVCB_IPV4HINT
 	SVCB_ECHCONFIG
 	SVCB_IPV6HINT
-	SVCB_DOHPATH // draft-ietf-add-svcb-dns-02 Section 9
+	SVCB_DOHPATH // rfc9461 Section 5
+	SVCB_OHTTP   // rfc9540 Section 8
 
 	svcb_RESERVED SVCBKey = 65535
 )
@@ -37,6 +38,7 @@ var svcbKeyToStringMap = map[SVCBKey]string{
 	SVCB_ECHCONFIG:       "ech",
 	SVCB_IPV6HINT:        "ipv6hint",
 	SVCB_DOHPATH:         "dohpath",
+	SVCB_OHTTP:           "ohttp",
 }
 
 var svcbStringToKeyMap = reverseSVCBKeyMap(svcbKeyToStringMap)
@@ -201,6 +203,8 @@ func makeSVCBKeyValue(key SVCBKey) SVCBKeyValue {
 		return new(SVCBIPv6Hint)
 	case SVCB_DOHPATH:
 		return new(SVCBDoHPath)
+	case SVCB_OHTTP:
+		return new(SVCBOhttp)
 	case svcb_RESERVED:
 		return nil
 	default:
@@ -771,8 +775,8 @@ func (s *SVCBIPv6Hint) copy() SVCBKeyValue {
 // SVCBDoHPath pair is used to indicate the URI template that the
 // clients may use to construct a DNS over HTTPS URI.
 //
-// See RFC xxxx (https://datatracker.ietf.org/doc/html/draft-ietf-add-svcb-dns-02)
-// and RFC yyyy (https://datatracker.ietf.org/doc/html/draft-ietf-add-ddr-06).
+// See RFC 9461 (https://datatracker.ietf.org/doc/html/rfc9461)
+// and RFC 9462 (https://datatracker.ietf.org/doc/html/rfc9462).
 //
 // A basic example of using the dohpath option together with the alpn
 // option to indicate support for DNS over HTTPS on a certain path:
@@ -816,6 +820,44 @@ func (s *SVCBDoHPath) copy() SVCBKeyValue {
 	}
 }
 
+// The "ohttp" SvcParamKey is used to indicate that a service described in a SVCB RR
+// can be accessed as a target using an associated gateway.
+// Both the presentation and wire-format values for the "ohttp" parameter MUST be empty.
+//
+// See RFC 9460 (https://datatracker.ietf.org/doc/html/rfc9460/)
+// and RFC 9230 (https://datatracker.ietf.org/doc/html/rfc9230/)
+//
+// A basic example of using the dohpath option together with the alpn
+// option to indicate support for DNS over HTTPS on a certain path:
+//
+//	s := new(dns.SVCB)
+//	s.Hdr = dns.RR_Header{Name: ".", Rrtype: dns.TypeSVCB, Class: dns.ClassINET}
+//	e := new(dns.SVCBAlpn)
+//	e.Alpn = []string{"h2", "h3"}
+//	p := new(dns.SVCBOhttp)
+//	s.Value = append(s.Value, e, p)
+type SVCBOhttp struct{}
+
+func (*SVCBOhttp) Key() SVCBKey          { return SVCB_OHTTP }
+func (*SVCBOhttp) copy() SVCBKeyValue    { return &SVCBOhttp{} }
+func (*SVCBOhttp) pack() ([]byte, error) { return []byte{}, nil }
+func (*SVCBOhttp) String() string        { return "" }
+func (*SVCBOhttp) len() int              { return 0 }
+
+func (*SVCBOhttp) unpack(b []byte) error {
+	if len(b) != 0 {
+		return errors.New("dns: svcbotthp: svcbotthp must have no value")
+	}
+	return nil
+}
+
+func (*SVCBOhttp) parse(b string) error {
+	if b != "" {
+		return errors.New("dns: svcbotthp: svcbotthp must have no value")
+	}
+	return nil
+}
+
 // SVCBLocal pair is intended for experimental/private use. The key is recommended
 // to be in the range [SVCB_PRIVATE_LOWER, SVCB_PRIVATE_UPPER].
 // Basic use pattern for creating a keyNNNNN option:

vendor/github.com/miekg/dns/types.go

@@ -96,6 +96,7 @@ const (
 	TypeLP         uint16 = 107
 	TypeEUI48      uint16 = 108
 	TypeEUI64      uint16 = 109
+	TypeNXNAME     uint16 = 128
 	TypeURI        uint16 = 256
 	TypeCAA        uint16 = 257
 	TypeAVC        uint16 = 258
@@ -294,6 +295,19 @@ func (*NULL) parse(c *zlexer, origin string) *ParseError {
 	return &ParseError{err: "NULL records do not have a presentation format"}
 }
 
+// NXNAME is a meta record. See https://www.iana.org/go/draft-ietf-dnsop-compact-denial-of-existence-04
+// Reference: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
+type NXNAME struct {
+	Hdr RR_Header
+	// Does not have any rdata
+}
+
+func (rr *NXNAME) String() string { return rr.Hdr.String() }
+
+func (*NXNAME) parse(c *zlexer, origin string) *ParseError {
+	return &ParseError{err: "NXNAME records do not have a presentation format"}
+}
+
 // CNAME RR. See RFC 1034.
 type CNAME struct {
 	Hdr    RR_Header

vendor/github.com/miekg/dns/version.go

@@ -3,7 +3,7 @@ package dns
 import "fmt"
 
 // Version is current version of this library.
-var Version = v{1, 1, 58}
+var Version = v{1, 1, 62}
 
 // v holds the version of this library.
 type v struct {

vendor/github.com/miekg/dns/xfr.go

@@ -1,6 +1,7 @@
 package dns
 
 import (
+	"crypto/tls"
 	"fmt"
 	"time"
 )
@@ -20,6 +21,7 @@ type Transfer struct {
 	TsigProvider   TsigProvider      // An implementation of the TsigProvider interface. If defined it replaces TsigSecret and is used for all TSIG operations.
 	TsigSecret     map[string]string // Secret(s) for Tsig map[<zonename>]<base64 secret>, zonename must be in canonical form (lowercase, fqdn, see RFC 4034 Section 6.2)
 	tsigTimersOnly bool
+	TLS            *tls.Config // TLS config. If Xfr over TLS will be attempted
 }
 
 func (t *Transfer) tsigProvider() TsigProvider {
@@ -57,7 +59,11 @@ func (t *Transfer) In(q *Msg, a string) (env chan *Envelope, err error) {
 	}
 
 	if t.Conn == nil {
-		t.Conn, err = DialTimeout("tcp", a, timeout)
+		if t.TLS != nil {
+			t.Conn, err = DialTimeoutWithTLS("tcp-tls", a, t.TLS, timeout)
+		} else {
+			t.Conn, err = DialTimeout("tcp", a, timeout)
+		}
 		if err != nil {
 			return nil, err
 		}
@@ -182,7 +188,7 @@ func (t *Transfer) inIxfr(q *Msg, c chan *Envelope) {
 			if v, ok := rr.(*SOA); ok {
 				if v.Serial == serial {
 					n++
-					// quit if it's a full axfr or the the servers' SOA is repeated the third time
+					// quit if it's a full axfr or the servers' SOA is repeated the third time
 					if axfr && n == 2 || n == 3 {
 						c <- &Envelope{in.Answer, nil}
 						return
@@ -203,6 +209,7 @@ func (t *Transfer) inIxfr(q *Msg, c chan *Envelope) {
 //	ch := make(chan *dns.Envelope)
 //	tr := new(dns.Transfer)
 //	var wg sync.WaitGroup
+//	wg.Add(1)
 //	go func() {
 //		tr.Out(w, r, ch)
 //		wg.Done()

vendor/github.com/miekg/dns/zduplicate.go

@@ -886,6 +886,15 @@ func (r1 *NULL) isDuplicate(_r2 RR) bool {
 	return true
 }
 
+func (r1 *NXNAME) isDuplicate(_r2 RR) bool {
+	r2, ok := _r2.(*NXNAME)
+	if !ok {
+		return false
+	}
+	_ = r2
+	return true
+}
+
 func (r1 *NXT) isDuplicate(_r2 RR) bool {
 	r2, ok := _r2.(*NXT)
 	if !ok {

vendor/github.com/miekg/dns/zmsg.go

@@ -706,6 +706,10 @@ func (rr *NULL) pack(msg []byte, off int, compression compressionMap, compress b
 	return off, nil
 }
 
+func (rr *NXNAME) pack(msg []byte, off int, compression compressionMap, compress bool) (off1 int, err error) {
+	return off, nil
+}
+
 func (rr *NXT) pack(msg []byte, off int, compression compressionMap, compress bool) (off1 int, err error) {
 	off, err = packDomainName(rr.NextDomain, msg, off, compression, false)
 	if err != nil {
@@ -2266,6 +2270,13 @@ func (rr *NULL) unpack(msg []byte, off int) (off1 int, err error) {
 	return off, nil
 }
 
+func (rr *NXNAME) unpack(msg []byte, off int) (off1 int, err error) {
+	rdStart := off
+	_ = rdStart
+
+	return off, nil
+}
+
 func (rr *NXT) unpack(msg []byte, off int) (off1 int, err error) {
 	rdStart := off
 	_ = rdStart

vendor/github.com/miekg/dns/ztypes.go

@@ -60,6 +60,7 @@ var TypeToRR = map[uint16]func() RR{
 	TypeNSEC3:      func() RR { return new(NSEC3) },
 	TypeNSEC3PARAM: func() RR { return new(NSEC3PARAM) },
 	TypeNULL:       func() RR { return new(NULL) },
+	TypeNXNAME:     func() RR { return new(NXNAME) },
 	TypeNXT:        func() RR { return new(NXT) },
 	TypeOPENPGPKEY: func() RR { return new(OPENPGPKEY) },
 	TypeOPT:        func() RR { return new(OPT) },
@@ -146,6 +147,7 @@ var TypeToString = map[uint16]string{
 	TypeNSEC3:      "NSEC3",
 	TypeNSEC3PARAM: "NSEC3PARAM",
 	TypeNULL:       "NULL",
+	TypeNXNAME:     "NXNAME",
 	TypeNXT:        "NXT",
 	TypeNone:       "None",
 	TypeOPENPGPKEY: "OPENPGPKEY",
@@ -230,6 +232,7 @@ func (rr *NSEC) Header() *RR_Header       { return &rr.Hdr }
 func (rr *NSEC3) Header() *RR_Header      { return &rr.Hdr }
 func (rr *NSEC3PARAM) Header() *RR_Header { return &rr.Hdr }
 func (rr *NULL) Header() *RR_Header       { return &rr.Hdr }
+func (rr *NXNAME) Header() *RR_Header     { return &rr.Hdr }
 func (rr *NXT) Header() *RR_Header        { return &rr.Hdr }
 func (rr *OPENPGPKEY) Header() *RR_Header { return &rr.Hdr }
 func (rr *OPT) Header() *RR_Header        { return &rr.Hdr }
@@ -594,6 +597,11 @@ func (rr *NULL) len(off int, compression map[string]struct{}) int {
 	return l
 }
 
+func (rr *NXNAME) len(off int, compression map[string]struct{}) int {
+	l := rr.Hdr.len(off, compression)
+	return l
+}
+
 func (rr *OPENPGPKEY) len(off int, compression map[string]struct{}) int {
 	l := rr.Hdr.len(off, compression)
 	l += base64.StdEncoding.DecodedLen(len(rr.PublicKey))
@@ -1107,6 +1115,10 @@ func (rr *NULL) copy() RR {
 	return &NULL{rr.Hdr, rr.Data}
 }
 
+func (rr *NXNAME) copy() RR {
+	return &NXNAME{rr.Hdr}
+}
+
 func (rr *NXT) copy() RR {
 	return &NXT{*rr.NSEC.copy().(*NSEC)}
 }

vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go

@@ -1,77 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/*
-Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC
-2898 / PKCS #5 v2.0.
-
-A key derivation function is useful when encrypting data based on a password
-or any other not-fully-random data. It uses a pseudorandom function to derive
-a secure encryption key based on the password.
-
-While v2.0 of the standard defines only one pseudorandom function to use,
-HMAC-SHA1, the drafted v2.1 specification allows use of all five FIPS Approved
-Hash Functions SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 for HMAC. To
-choose, you can pass the `New` functions from the different SHA packages to
-pbkdf2.Key.
-*/
-package pbkdf2 // import "golang.org/x/crypto/pbkdf2"
-
-import (
-	"crypto/hmac"
-	"hash"
-)
-
-// Key derives a key from the password, salt and iteration count, returning a
-// []byte of length keylen that can be used as cryptographic key. The key is
-// derived based on the method described as PBKDF2 with the HMAC variant using
-// the supplied hash function.
-//
-// For example, to use a HMAC-SHA-1 based PBKDF2 key derivation function, you
-// can get a derived key for e.g. AES-256 (which needs a 32-byte key) by
-// doing:
-//
-//	dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New)
-//
-// Remember to get a good random salt. At least 8 bytes is recommended by the
-// RFC.
-//
-// Using a higher iteration count will increase the cost of an exhaustive
-// search but will also make derivation proportionally slower.
-func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
-	prf := hmac.New(h, password)
-	hashLen := prf.Size()
-	numBlocks := (keyLen + hashLen - 1) / hashLen
-
-	var buf [4]byte
-	dk := make([]byte, 0, numBlocks*hashLen)
-	U := make([]byte, hashLen)
-	for block := 1; block <= numBlocks; block++ {
-		// N.B.: || means concatenation, ^ means XOR
-		// for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter
-		// U_1 = PRF(password, salt || uint(i))
-		prf.Reset()
-		prf.Write(salt)
-		buf[0] = byte(block >> 24)
-		buf[1] = byte(block >> 16)
-		buf[2] = byte(block >> 8)
-		buf[3] = byte(block)
-		prf.Write(buf[:4])
-		dk = prf.Sum(dk)
-		T := dk[len(dk)-hashLen:]
-		copy(U, T)
-
-		// U_n = PRF(password, U_(n-1))
-		for n := 2; n <= iter; n++ {
-			prf.Reset()
-			prf.Write(U)
-			U = U[:0]
-			U = prf.Sum(U)
-			for x := range U {
-				T[x] ^= U[x]
-			}
-		}
-	}
-	return dk[:keyLen]
-}

vendor/golang.org/x/mod/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 

vendor/golang.org/x/net/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 

vendor/golang.org/x/net/internal/socket/zsys_openbsd_ppc64.go

@@ -4,27 +4,27 @@
 package socket
 
 type iovec struct {
-	Base	*byte
-	Len	uint64
+	Base *byte
+	Len  uint64
 }
 
 type msghdr struct {
-	Name		*byte
-	Namelen		uint32
-	Iov		*iovec
-	Iovlen		uint32
-	Control		*byte
-	Controllen	uint32
-	Flags		int32
+	Name       *byte
+	Namelen    uint32
+	Iov        *iovec
+	Iovlen     uint32
+	Control    *byte
+	Controllen uint32
+	Flags      int32
 }
 
 type cmsghdr struct {
-	Len	uint32
-	Level	int32
-	Type	int32
+	Len   uint32
+	Level int32
+	Type  int32
 }
 
 const (
-	sizeofIovec	= 0x10
-	sizeofMsghdr	= 0x30
+	sizeofIovec  = 0x10
+	sizeofMsghdr = 0x30
 )

vendor/golang.org/x/net/internal/socket/zsys_openbsd_riscv64.go

@@ -4,27 +4,27 @@
 package socket
 
 type iovec struct {
-	Base	*byte
-	Len	uint64
+	Base *byte
+	Len  uint64
 }
 
 type msghdr struct {
-	Name		*byte
-	Namelen		uint32
-	Iov		*iovec
-	Iovlen		uint32
-	Control		*byte
-	Controllen	uint32
-	Flags		int32
+	Name       *byte
+	Namelen    uint32
+	Iov        *iovec
+	Iovlen     uint32
+	Control    *byte
+	Controllen uint32
+	Flags      int32
 }
 
 type cmsghdr struct {
-	Len	uint32
-	Level	int32
-	Type	int32
+	Len   uint32
+	Level int32
+	Type  int32
 }
 
 const (
-	sizeofIovec	= 0x10
-	sizeofMsghdr	= 0x30
+	sizeofIovec  = 0x10
+	sizeofMsghdr = 0x30
 )

vendor/golang.org/x/sync/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 

vendor/golang.org/x/sync/errgroup/errgroup.go

@@ -0,0 +1,208 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package errgroup provides synchronization, error propagation, and Context
+// cancelation for groups of goroutines working on subtasks of a common task.
+//
+// [errgroup.Group] is related to [sync.WaitGroup] but adds handling of tasks
+// returning errors.
+package errgroup
+
+import (
+	"context"
+	"fmt"
+	"runtime"
+	"runtime/debug"
+	"sync"
+)
+
+type token struct{}
+
+// A Group is a collection of goroutines working on subtasks that are part of
+// the same overall task. A Group should not be reused for different tasks.
+//
+// A zero Group is valid, has no limit on the number of active goroutines,
+// and does not cancel on error.
+type Group struct {
+	cancel func(error)
+
+	wg sync.WaitGroup
+
+	sem chan token
+
+	errOnce sync.Once
+	err     error
+
+	mu         sync.Mutex
+	panicValue any  // = PanicError | PanicValue; non-nil if some Group.Go goroutine panicked.
+	abnormal   bool // some Group.Go goroutine terminated abnormally (panic or goexit).
+}
+
+func (g *Group) done() {
+	if g.sem != nil {
+		<-g.sem
+	}
+	g.wg.Done()
+}
+
+// WithContext returns a new Group and an associated Context derived from ctx.
+//
+// The derived Context is canceled the first time a function passed to Go
+// returns a non-nil error or the first time Wait returns, whichever occurs
+// first.
+func WithContext(ctx context.Context) (*Group, context.Context) {
+	ctx, cancel := context.WithCancelCause(ctx)
+	return &Group{cancel: cancel}, ctx
+}
+
+// Wait blocks until all function calls from the Go method have returned
+// normally, then returns the first non-nil error (if any) from them.
+//
+// If any of the calls panics, Wait panics with a [PanicValue];
+// and if any of them calls [runtime.Goexit], Wait calls runtime.Goexit.
+func (g *Group) Wait() error {
+	g.wg.Wait()
+	if g.cancel != nil {
+		g.cancel(g.err)
+	}
+	if g.panicValue != nil {
+		panic(g.panicValue)
+	}
+	if g.abnormal {
+		runtime.Goexit()
+	}
+	return g.err
+}
+
+// Go calls the given function in a new goroutine.
+// The first call to Go must happen before a Wait.
+// It blocks until the new goroutine can be added without the number of
+// active goroutines in the group exceeding the configured limit.
+//
+// It blocks until the new goroutine can be added without the number of
+// goroutines in the group exceeding the configured limit.
+//
+// The first goroutine in the group that returns a non-nil error, panics, or
+// invokes [runtime.Goexit] will cancel the associated Context, if any.
+func (g *Group) Go(f func() error) {
+	if g.sem != nil {
+		g.sem <- token{}
+	}
+
+	g.add(f)
+}
+
+func (g *Group) add(f func() error) {
+	g.wg.Add(1)
+	go func() {
+		defer g.done()
+		normalReturn := false
+		defer func() {
+			if normalReturn {
+				return
+			}
+			v := recover()
+			g.mu.Lock()
+			defer g.mu.Unlock()
+			if !g.abnormal {
+				if g.cancel != nil {
+					g.cancel(g.err)
+				}
+				g.abnormal = true
+			}
+			if v != nil && g.panicValue == nil {
+				switch v := v.(type) {
+				case error:
+					g.panicValue = PanicError{
+						Recovered: v,
+						Stack:     debug.Stack(),
+					}
+				default:
+					g.panicValue = PanicValue{
+						Recovered: v,
+						Stack:     debug.Stack(),
+					}
+				}
+			}
+		}()
+
+		err := f()
+		normalReturn = true
+		if err != nil {
+			g.errOnce.Do(func() {
+				g.err = err
+				if g.cancel != nil {
+					g.cancel(g.err)
+				}
+			})
+		}
+	}()
+}
+
+// TryGo calls the given function in a new goroutine only if the number of
+// active goroutines in the group is currently below the configured limit.
+//
+// The return value reports whether the goroutine was started.
+func (g *Group) TryGo(f func() error) bool {
+	if g.sem != nil {
+		select {
+		case g.sem <- token{}:
+			// Note: this allows barging iff channels in general allow barging.
+		default:
+			return false
+		}
+	}
+
+	g.add(f)
+	return true
+}
+
+// SetLimit limits the number of active goroutines in this group to at most n.
+// A negative value indicates no limit.
+// A limit of zero will prevent any new goroutines from being added.
+//
+// Any subsequent call to the Go method will block until it can add an active
+// goroutine without exceeding the configured limit.
+//
+// The limit must not be modified while any goroutines in the group are active.
+func (g *Group) SetLimit(n int) {
+	if n < 0 {
+		g.sem = nil
+		return
+	}
+	if len(g.sem) != 0 {
+		panic(fmt.Errorf("errgroup: modify limit while %v goroutines in the group are still active", len(g.sem)))
+	}
+	g.sem = make(chan token, n)
+}
+
+// PanicError wraps an error recovered from an unhandled panic
+// when calling a function passed to Go or TryGo.
+type PanicError struct {
+	Recovered error
+	Stack     []byte // result of call to [debug.Stack]
+}
+
+func (p PanicError) Error() string {
+	// A Go Error method conventionally does not include a stack dump, so omit it
+	// here. (Callers who care can extract it from the Stack field.)
+	return fmt.Sprintf("recovered from errgroup.Group: %v", p.Recovered)
+}
+
+func (p PanicError) Unwrap() error { return p.Recovered }
+
+// PanicValue wraps a value that does not implement the error interface,
+// recovered from an unhandled panic when calling a function passed to Go or
+// TryGo.
+type PanicValue struct {
+	Recovered any
+	Stack     []byte // result of call to [debug.Stack]
+}
+
+func (p PanicValue) String() string {
+	if len(p.Stack) > 0 {
+		return fmt.Sprintf("recovered from errgroup.Group: %v\n%s", p.Recovered, p.Stack)
+	}
+	return fmt.Sprintf("recovered from errgroup.Group: %v", p.Recovered)
+}

vendor/golang.org/x/sys/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 

vendor/golang.org/x/sys/unix/README.md

@@ -156,7 +156,7 @@ from the generated architecture-specific files listed below, and merge these
 into a common file for each OS.
 
 The merge is performed in the following steps:
-1. Construct the set of common code that is idential in all architecture-specific files.
+1. Construct the set of common code that is identical in all architecture-specific files.
 2. Write this common code to the merged file.
 3. Remove the common code from all architecture-specific files.
 

vendor/golang.org/x/sys/unix/aliases.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build (aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris || zos) && go1.9
+//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris || zos
 
 package unix
 

vendor/golang.org/x/sys/unix/asm_zos_s390x.s

@@ -9,9 +9,11 @@
 #define PSALAA            1208(R0)
 #define GTAB64(x)           80(x)
 #define LCA64(x)            88(x)
+#define SAVSTACK_ASYNC(x)  336(x) // in the LCA
 #define CAA(x)               8(x)
-#define EDCHPXV(x)        1016(x)       // in the CAA
-#define SAVSTACK_ASYNC(x)  336(x)       // in the LCA
+#define CEECAATHDID(x)     976(x) // in the CAA
+#define EDCHPXV(x)        1016(x) // in the CAA
+#define GOCB(x)           1104(x) // in the CAA
 
 // SS_*, where x=SAVSTACK_ASYNC
 #define SS_LE(x)             0(x)
@@ -19,394 +21,125 @@
 #define SS_ERRNO(x)         16(x)
 #define SS_ERRNOJR(x)       20(x)
 
-#define LE_CALL BYTE $0x0D; BYTE $0x76; // BL R7, R6
+// Function Descriptor Offsets
+#define __errno  0x156*16
+#define __err2ad 0x16C*16
 
-TEXT ·clearErrno(SB),NOSPLIT,$0-0
-	BL	addrerrno<>(SB)
-	MOVD	$0, 0(R3)
+// Call Instructions
+#define LE_CALL    BYTE $0x0D; BYTE $0x76 // BL R7, R6
+#define SVC_LOAD   BYTE $0x0A; BYTE $0x08 // SVC 08 LOAD
+#define SVC_DELETE BYTE $0x0A; BYTE $0x09 // SVC 09 DELETE
+
+DATA zosLibVec<>(SB)/8, $0
+GLOBL zosLibVec<>(SB), NOPTR, $8
+
+TEXT ·initZosLibVec(SB), NOSPLIT|NOFRAME, $0-0
+	MOVW PSALAA, R8
+	MOVD LCA64(R8), R8
+	MOVD CAA(R8), R8
+	MOVD EDCHPXV(R8), R8
+	MOVD R8, zosLibVec<>(SB)
+	RET
+
+TEXT ·GetZosLibVec(SB), NOSPLIT|NOFRAME, $0-0
+	MOVD zosLibVec<>(SB), R8
+	MOVD R8, ret+0(FP)
+	RET
+
+TEXT ·clearErrno(SB), NOSPLIT, $0-0
+	BL   addrerrno<>(SB)
+	MOVD $0, 0(R3)
 	RET
 
 // Returns the address of errno in R3.
-TEXT addrerrno<>(SB),NOSPLIT|NOFRAME,$0-0
+TEXT addrerrno<>(SB), NOSPLIT|NOFRAME, $0-0
 	// Get library control area (LCA).
-	MOVW	PSALAA, R8
-	MOVD	LCA64(R8), R8
+	MOVW PSALAA, R8
+	MOVD LCA64(R8), R8
 
 	// Get __errno FuncDesc.
-	MOVD	CAA(R8), R9
-	MOVD	EDCHPXV(R9), R9
-	ADD	$(0x156*16), R9
-	LMG	0(R9), R5, R6
+	MOVD CAA(R8), R9
+	MOVD EDCHPXV(R9), R9
+	ADD  $(__errno), R9
+	LMG  0(R9), R5, R6
 
 	// Switch to saved LE stack.
-	MOVD	SAVSTACK_ASYNC(R8), R9
-	MOVD	0(R9), R4
-	MOVD	$0, 0(R9)
+	MOVD SAVSTACK_ASYNC(R8), R9
+	MOVD 0(R9), R4
+	MOVD $0, 0(R9)
 
 	// Call __errno function.
 	LE_CALL
 	NOPH
 
 	// Switch back to Go stack.
-	XOR	R0, R0      // Restore R0 to $0.
-	MOVD	R4, 0(R9)   // Save stack pointer.
-	RET
-
-TEXT ·syscall_syscall(SB),NOSPLIT,$0-56
-	BL	runtime·entersyscall(SB)
-	MOVD	a1+8(FP), R1
-	MOVD	a2+16(FP), R2
-	MOVD	a3+24(FP), R3
-
-	// Get library control area (LCA).
-	MOVW	PSALAA, R8
-	MOVD	LCA64(R8), R8
-
-	// Get function.
-	MOVD	CAA(R8), R9
-	MOVD	EDCHPXV(R9), R9
-	MOVD	trap+0(FP), R5
-	SLD	$4, R5
-	ADD	R5, R9
-	LMG	0(R9), R5, R6
-
-	// Restore LE stack.
-	MOVD	SAVSTACK_ASYNC(R8), R9
-	MOVD	0(R9), R4
-	MOVD	$0, 0(R9)
-
-	// Call function.
-	LE_CALL
-	NOPH
-	XOR	R0, R0      // Restore R0 to $0.
-	MOVD	R4, 0(R9)   // Save stack pointer.
-
-	MOVD	R3, r1+32(FP)
-	MOVD	R0, r2+40(FP)
-	MOVD	R0, err+48(FP)
-	MOVW	R3, R4
-	CMP	R4, $-1
-	BNE	done
-	BL	addrerrno<>(SB)
-	MOVWZ	0(R3), R3
-	MOVD	R3, err+48(FP)
-done:
-	BL	runtime·exitsyscall(SB)
-	RET
-
-TEXT ·syscall_rawsyscall(SB),NOSPLIT,$0-56
-	MOVD	a1+8(FP), R1
-	MOVD	a2+16(FP), R2
-	MOVD	a3+24(FP), R3
-
-	// Get library control area (LCA).
-	MOVW	PSALAA, R8
-	MOVD	LCA64(R8), R8
-
-	// Get function.
-	MOVD	CAA(R8), R9
-	MOVD	EDCHPXV(R9), R9
-	MOVD	trap+0(FP), R5
-	SLD	$4, R5
-	ADD	R5, R9
-	LMG	0(R9), R5, R6
-
-	// Restore LE stack.
-	MOVD	SAVSTACK_ASYNC(R8), R9
-	MOVD	0(R9), R4
-	MOVD	$0, 0(R9)
-
-	// Call function.
-	LE_CALL
-	NOPH
-	XOR	R0, R0      // Restore R0 to $0.
-	MOVD	R4, 0(R9)   // Save stack pointer.
-
-	MOVD	R3, r1+32(FP)
-	MOVD	R0, r2+40(FP)
-	MOVD	R0, err+48(FP)
-	MOVW	R3, R4
-	CMP	R4, $-1
-	BNE	done
-	BL	addrerrno<>(SB)
-	MOVWZ	0(R3), R3
-	MOVD	R3, err+48(FP)
-done:
-	RET
-
-TEXT ·syscall_syscall6(SB),NOSPLIT,$0-80
-	BL	runtime·entersyscall(SB)
-	MOVD	a1+8(FP), R1
-	MOVD	a2+16(FP), R2
-	MOVD	a3+24(FP), R3
-
-	// Get library control area (LCA).
-	MOVW	PSALAA, R8
-	MOVD	LCA64(R8), R8
-
-	// Get function.
-	MOVD	CAA(R8), R9
-	MOVD	EDCHPXV(R9), R9
-	MOVD	trap+0(FP), R5
-	SLD	$4, R5
-	ADD	R5, R9
-	LMG	0(R9), R5, R6
-
-	// Restore LE stack.
-	MOVD	SAVSTACK_ASYNC(R8), R9
-	MOVD	0(R9), R4
-	MOVD	$0, 0(R9)
-
-	// Fill in parameter list.
-	MOVD	a4+32(FP), R12
-	MOVD	R12, (2176+24)(R4)
-	MOVD	a5+40(FP), R12
-	MOVD	R12, (2176+32)(R4)
-	MOVD	a6+48(FP), R12
-	MOVD	R12, (2176+40)(R4)
-
-	// Call function.
-	LE_CALL
-	NOPH
-	XOR	R0, R0      // Restore R0 to $0.
-	MOVD	R4, 0(R9)   // Save stack pointer.
-
-	MOVD	R3, r1+56(FP)
-	MOVD	R0, r2+64(FP)
-	MOVD	R0, err+72(FP)
-	MOVW	R3, R4
-	CMP	R4, $-1
-	BNE	done
-	BL	addrerrno<>(SB)
-	MOVWZ	0(R3), R3
-	MOVD	R3, err+72(FP)
-done:
-	BL	runtime·exitsyscall(SB)
-	RET
-
-TEXT ·syscall_rawsyscall6(SB),NOSPLIT,$0-80
-	MOVD	a1+8(FP), R1
-	MOVD	a2+16(FP), R2
-	MOVD	a3+24(FP), R3
-
-	// Get library control area (LCA).
-	MOVW	PSALAA, R8
-	MOVD	LCA64(R8), R8
-
-	// Get function.
-	MOVD	CAA(R8), R9
-	MOVD	EDCHPXV(R9), R9
-	MOVD	trap+0(FP), R5
-	SLD	$4, R5
-	ADD	R5, R9
-	LMG	0(R9), R5, R6
-
-	// Restore LE stack.
-	MOVD	SAVSTACK_ASYNC(R8), R9
-	MOVD	0(R9), R4
-	MOVD	$0, 0(R9)
-
-	// Fill in parameter list.
-	MOVD	a4+32(FP), R12
-	MOVD	R12, (2176+24)(R4)
-	MOVD	a5+40(FP), R12
-	MOVD	R12, (2176+32)(R4)
-	MOVD	a6+48(FP), R12
-	MOVD	R12, (2176+40)(R4)
-
-	// Call function.
-	LE_CALL
-	NOPH
-	XOR	R0, R0      // Restore R0 to $0.
-	MOVD	R4, 0(R9)   // Save stack pointer.
-
-	MOVD	R3, r1+56(FP)
-	MOVD	R0, r2+64(FP)
-	MOVD	R0, err+72(FP)
-	MOVW	R3, R4
-	CMP	R4, $-1
-	BNE	done
-	BL	·rrno<>(SB)
-	MOVWZ	0(R3), R3
-	MOVD	R3, err+72(FP)
-done:
-	RET
-
-TEXT ·syscall_syscall9(SB),NOSPLIT,$0
-	BL	runtime·entersyscall(SB)
-	MOVD	a1+8(FP), R1
-	MOVD	a2+16(FP), R2
-	MOVD	a3+24(FP), R3
-
-	// Get library control area (LCA).
-	MOVW	PSALAA, R8
-	MOVD	LCA64(R8), R8
-
-	// Get function.
-	MOVD	CAA(R8), R9
-	MOVD	EDCHPXV(R9), R9
-	MOVD	trap+0(FP), R5
-	SLD	$4, R5
-	ADD	R5, R9
-	LMG	0(R9), R5, R6
-
-	// Restore LE stack.
-	MOVD	SAVSTACK_ASYNC(R8), R9
-	MOVD	0(R9), R4
-	MOVD	$0, 0(R9)
-
-	// Fill in parameter list.
-	MOVD	a4+32(FP), R12
-	MOVD	R12, (2176+24)(R4)
-	MOVD	a5+40(FP), R12
-	MOVD	R12, (2176+32)(R4)
-	MOVD	a6+48(FP), R12
-	MOVD	R12, (2176+40)(R4)
-	MOVD	a7+56(FP), R12
-	MOVD	R12, (2176+48)(R4)
-	MOVD	a8+64(FP), R12
-	MOVD	R12, (2176+56)(R4)
-	MOVD	a9+72(FP), R12
-	MOVD	R12, (2176+64)(R4)
-
-	// Call function.
-	LE_CALL
-	NOPH
-	XOR	R0, R0      // Restore R0 to $0.
-	MOVD	R4, 0(R9)   // Save stack pointer.
-
-	MOVD	R3, r1+80(FP)
-	MOVD	R0, r2+88(FP)
-	MOVD	R0, err+96(FP)
-	MOVW	R3, R4
-	CMP	R4, $-1
-	BNE	done
-	BL	addrerrno<>(SB)
-	MOVWZ	0(R3), R3
-	MOVD	R3, err+96(FP)
-done:
-        BL	runtime·exitsyscall(SB)
-        RET
-
-TEXT ·syscall_rawsyscall9(SB),NOSPLIT,$0
-	MOVD	a1+8(FP), R1
-	MOVD	a2+16(FP), R2
-	MOVD	a3+24(FP), R3
-
-	// Get library control area (LCA).
-	MOVW	PSALAA, R8
-	MOVD	LCA64(R8), R8
-
-	// Get function.
-	MOVD	CAA(R8), R9
-	MOVD	EDCHPXV(R9), R9
-	MOVD	trap+0(FP), R5
-	SLD	$4, R5
-	ADD	R5, R9
-	LMG	0(R9), R5, R6
-
-	// Restore LE stack.
-	MOVD	SAVSTACK_ASYNC(R8), R9
-	MOVD	0(R9), R4
-	MOVD	$0, 0(R9)
-
-	// Fill in parameter list.
-	MOVD	a4+32(FP), R12
-	MOVD	R12, (2176+24)(R4)
-	MOVD	a5+40(FP), R12
-	MOVD	R12, (2176+32)(R4)
-	MOVD	a6+48(FP), R12
-	MOVD	R12, (2176+40)(R4)
-	MOVD	a7+56(FP), R12
-	MOVD	R12, (2176+48)(R4)
-	MOVD	a8+64(FP), R12
-	MOVD	R12, (2176+56)(R4)
-	MOVD	a9+72(FP), R12
-	MOVD	R12, (2176+64)(R4)
-
-	// Call function.
-	LE_CALL
-	NOPH
-	XOR	R0, R0      // Restore R0 to $0.
-	MOVD	R4, 0(R9)   // Save stack pointer.
-
-	MOVD	R3, r1+80(FP)
-	MOVD	R0, r2+88(FP)
-	MOVD	R0, err+96(FP)
-	MOVW	R3, R4
-	CMP	R4, $-1
-	BNE	done
-	BL	addrerrno<>(SB)
-	MOVWZ	0(R3), R3
-	MOVD	R3, err+96(FP)
-done:
+	XOR  R0, R0    // Restore R0 to $0.
+	MOVD R4, 0(R9) // Save stack pointer.
 	RET
 
 // func svcCall(fnptr unsafe.Pointer, argv *unsafe.Pointer, dsa *uint64)
-TEXT ·svcCall(SB),NOSPLIT,$0
-	BL	runtime·save_g(SB)   // Save g and stack pointer
-	MOVW	PSALAA, R8
-	MOVD	LCA64(R8), R8
-	MOVD	SAVSTACK_ASYNC(R8), R9
-	MOVD	R15, 0(R9)
+TEXT ·svcCall(SB), NOSPLIT, $0
+	BL   runtime·save_g(SB)     // Save g and stack pointer
+	MOVW PSALAA, R8
+	MOVD LCA64(R8), R8
+	MOVD SAVSTACK_ASYNC(R8), R9
+	MOVD R15, 0(R9)
 
-	MOVD	argv+8(FP), R1       // Move function arguments into registers
-	MOVD	dsa+16(FP), g
-	MOVD	fnptr+0(FP), R15
+	MOVD argv+8(FP), R1   // Move function arguments into registers
+	MOVD dsa+16(FP), g
+	MOVD fnptr+0(FP), R15
 
-	BYTE	$0x0D                // Branch to function
-	BYTE	$0xEF
+	BYTE $0x0D // Branch to function
+	BYTE $0xEF
 
-	BL	runtime·load_g(SB)   // Restore g and stack pointer
-	MOVW	PSALAA, R8
-	MOVD	LCA64(R8), R8
-	MOVD	SAVSTACK_ASYNC(R8), R9
-	MOVD	0(R9), R15
+	BL   runtime·load_g(SB)     // Restore g and stack pointer
+	MOVW PSALAA, R8
+	MOVD LCA64(R8), R8
+	MOVD SAVSTACK_ASYNC(R8), R9
+	MOVD 0(R9), R15
 
 	RET
 
 // func svcLoad(name *byte) unsafe.Pointer
-TEXT ·svcLoad(SB),NOSPLIT,$0
-	MOVD	R15, R2          // Save go stack pointer
-	MOVD	name+0(FP), R0   // Move SVC args into registers
-	MOVD	$0x80000000, R1
-	MOVD	$0, R15
-	BYTE	$0x0A            // SVC 08 LOAD
-	BYTE	$0x08
-	MOVW	R15, R3          // Save return code from SVC
-	MOVD	R2, R15          // Restore go stack pointer
-	CMP	R3, $0           // Check SVC return code
-	BNE	error
+TEXT ·svcLoad(SB), NOSPLIT, $0
+	MOVD R15, R2         // Save go stack pointer
+	MOVD name+0(FP), R0  // Move SVC args into registers
+	MOVD $0x80000000, R1
+	MOVD $0, R15
+	SVC_LOAD
+	MOVW R15, R3         // Save return code from SVC
+	MOVD R2, R15         // Restore go stack pointer
+	CMP  R3, $0          // Check SVC return code
+	BNE  error
 
-	MOVD	$-2, R3          // Reset last bit of entry point to zero
-	AND	R0, R3
-	MOVD	R3, addr+8(FP)   // Return entry point returned by SVC
-	CMP	R0, R3           // Check if last bit of entry point was set
-	BNE	done
+	MOVD $-2, R3       // Reset last bit of entry point to zero
+	AND  R0, R3
+	MOVD R3, ret+8(FP) // Return entry point returned by SVC
+	CMP  R0, R3        // Check if last bit of entry point was set
+	BNE  done
 
-	MOVD	R15, R2          // Save go stack pointer
-	MOVD	$0, R15          // Move SVC args into registers (entry point still in r0 from SVC 08)
-	BYTE	$0x0A            // SVC 09 DELETE
-	BYTE	$0x09
-	MOVD	R2, R15          // Restore go stack pointer
+	MOVD R15, R2 // Save go stack pointer
+	MOVD $0, R15 // Move SVC args into registers (entry point still in r0 from SVC 08)
+	SVC_DELETE
+	MOVD R2, R15 // Restore go stack pointer
 
 error:
-	MOVD	$0, addr+8(FP)   // Return 0 on failure
+	MOVD $0, ret+8(FP) // Return 0 on failure
+
 done:
-	XOR	R0, R0           // Reset r0 to 0
+	XOR R0, R0 // Reset r0 to 0
 	RET
 
 // func svcUnload(name *byte, fnptr unsafe.Pointer) int64
-TEXT ·svcUnload(SB),NOSPLIT,$0
-	MOVD	R15, R2          // Save go stack pointer
-	MOVD	name+0(FP), R0   // Move SVC args into registers
-	MOVD	addr+8(FP), R15
-	BYTE	$0x0A            // SVC 09
-	BYTE	$0x09
-	XOR	R0, R0           // Reset r0 to 0
-	MOVD	R15, R1          // Save SVC return code
-	MOVD	R2, R15          // Restore go stack pointer
-	MOVD	R1, rc+0(FP)     // Return SVC return code
+TEXT ·svcUnload(SB), NOSPLIT, $0
+	MOVD R15, R2          // Save go stack pointer
+	MOVD name+0(FP), R0   // Move SVC args into registers
+	MOVD fnptr+8(FP), R15
+	SVC_DELETE
+	XOR  R0, R0           // Reset r0 to 0
+	MOVD R15, R1          // Save SVC return code
+	MOVD R2, R15          // Restore go stack pointer
+	MOVD R1, ret+16(FP)   // Return SVC return code
 	RET
 
 // func gettid() uint64
@@ -417,7 +150,233 @@ TEXT ·gettid(SB), NOSPLIT, $0
 
 	// Get CEECAATHDID
 	MOVD CAA(R8), R9
-	MOVD 0x3D0(R9), R9
+	MOVD CEECAATHDID(R9), R9
 	MOVD R9, ret+0(FP)
 
 	RET
+
+//
+// Call LE function, if the return is -1
+// errno and errno2 is retrieved
+//
+TEXT ·CallLeFuncWithErr(SB), NOSPLIT, $0
+	MOVW PSALAA, R8
+	MOVD LCA64(R8), R8
+	MOVD CAA(R8), R9
+	MOVD g, GOCB(R9)
+
+	// Restore LE stack.
+	MOVD SAVSTACK_ASYNC(R8), R9 // R9-> LE stack frame saving address
+	MOVD 0(R9), R4              // R4-> restore previously saved stack frame pointer
+
+	MOVD parms_base+8(FP), R7 // R7 -> argument array
+	MOVD parms_len+16(FP), R8 // R8 number of arguments
+
+	//  arg 1 ---> R1
+	CMP  R8, $0
+	BEQ  docall
+	SUB  $1, R8
+	MOVD 0(R7), R1
+
+	//  arg 2 ---> R2
+	CMP  R8, $0
+	BEQ  docall
+	SUB  $1, R8
+	ADD  $8, R7
+	MOVD 0(R7), R2
+
+	//  arg 3 --> R3
+	CMP  R8, $0
+	BEQ  docall
+	SUB  $1, R8
+	ADD  $8, R7
+	MOVD 0(R7), R3
+
+	CMP  R8, $0
+	BEQ  docall
+	MOVD $2176+16, R6 // starting LE stack address-8 to store 4th argument
+
+repeat:
+	ADD  $8, R7
+	MOVD 0(R7), R0      // advance arg pointer by 8 byte
+	ADD  $8, R6         // advance LE argument address by 8 byte
+	MOVD R0, (R4)(R6*1) // copy argument from go-slice to le-frame
+	SUB  $1, R8
+	CMP  R8, $0
+	BNE  repeat
+
+docall:
+	MOVD funcdesc+0(FP), R8 // R8-> function descriptor
+	LMG  0(R8), R5, R6
+	MOVD $0, 0(R9)          // R9 address of SAVSTACK_ASYNC
+	LE_CALL                 // balr R7, R6 (return #1)
+	NOPH
+	MOVD R3, ret+32(FP)
+	CMP  R3, $-1            // compare result to -1
+	BNE  done
+
+	// retrieve errno and errno2
+	MOVD  zosLibVec<>(SB), R8
+	ADD   $(__errno), R8
+	LMG   0(R8), R5, R6
+	LE_CALL                   // balr R7, R6 __errno (return #3)
+	NOPH
+	MOVWZ 0(R3), R3
+	MOVD  R3, err+48(FP)
+	MOVD  zosLibVec<>(SB), R8
+	ADD   $(__err2ad), R8
+	LMG   0(R8), R5, R6
+	LE_CALL                   // balr R7, R6 __err2ad (return #2)
+	NOPH
+	MOVW  (R3), R2            // retrieve errno2
+	MOVD  R2, errno2+40(FP)   // store in return area
+
+done:
+	MOVD R4, 0(R9)            // Save stack pointer.
+	RET
+
+//
+// Call LE function, if the return is 0
+// errno and errno2 is retrieved
+//
+TEXT ·CallLeFuncWithPtrReturn(SB), NOSPLIT, $0
+	MOVW PSALAA, R8
+	MOVD LCA64(R8), R8
+	MOVD CAA(R8), R9
+	MOVD g, GOCB(R9)
+
+	// Restore LE stack.
+	MOVD SAVSTACK_ASYNC(R8), R9 // R9-> LE stack frame saving address
+	MOVD 0(R9), R4              // R4-> restore previously saved stack frame pointer
+
+	MOVD parms_base+8(FP), R7 // R7 -> argument array
+	MOVD parms_len+16(FP), R8 // R8 number of arguments
+
+	//  arg 1 ---> R1
+	CMP  R8, $0
+	BEQ  docall
+	SUB  $1, R8
+	MOVD 0(R7), R1
+
+	//  arg 2 ---> R2
+	CMP  R8, $0
+	BEQ  docall
+	SUB  $1, R8
+	ADD  $8, R7
+	MOVD 0(R7), R2
+
+	//  arg 3 --> R3
+	CMP  R8, $0
+	BEQ  docall
+	SUB  $1, R8
+	ADD  $8, R7
+	MOVD 0(R7), R3
+
+	CMP  R8, $0
+	BEQ  docall
+	MOVD $2176+16, R6 // starting LE stack address-8 to store 4th argument
+
+repeat:
+	ADD  $8, R7
+	MOVD 0(R7), R0      // advance arg pointer by 8 byte
+	ADD  $8, R6         // advance LE argument address by 8 byte
+	MOVD R0, (R4)(R6*1) // copy argument from go-slice to le-frame
+	SUB  $1, R8
+	CMP  R8, $0
+	BNE  repeat
+
+docall:
+	MOVD funcdesc+0(FP), R8 // R8-> function descriptor
+	LMG  0(R8), R5, R6
+	MOVD $0, 0(R9)          // R9 address of SAVSTACK_ASYNC
+	LE_CALL                 // balr R7, R6 (return #1)
+	NOPH
+	MOVD R3, ret+32(FP)
+	CMP  R3, $0             // compare result to 0
+	BNE  done
+
+	// retrieve errno and errno2
+	MOVD  zosLibVec<>(SB), R8
+	ADD   $(__errno), R8
+	LMG   0(R8), R5, R6
+	LE_CALL                   // balr R7, R6 __errno (return #3)
+	NOPH
+	MOVWZ 0(R3), R3
+	MOVD  R3, err+48(FP)
+	MOVD  zosLibVec<>(SB), R8
+	ADD   $(__err2ad), R8
+	LMG   0(R8), R5, R6
+	LE_CALL                   // balr R7, R6 __err2ad (return #2)
+	NOPH
+	MOVW  (R3), R2            // retrieve errno2
+	MOVD  R2, errno2+40(FP)   // store in return area
+	XOR   R2, R2
+	MOVWZ R2, (R3)            // clear errno2
+
+done:
+	MOVD R4, 0(R9)            // Save stack pointer.
+	RET
+
+//
+// function to test if a pointer can be safely dereferenced (content read)
+// return 0 for succces
+//
+TEXT ·ptrtest(SB), NOSPLIT, $0-16
+	MOVD arg+0(FP), R10 // test pointer in R10
+
+	// set up R2 to point to CEECAADMC
+	BYTE $0xE3; BYTE $0x20; BYTE $0x04; BYTE $0xB8; BYTE $0x00; BYTE $0x17 // llgt  2,1208
+	BYTE $0xB9; BYTE $0x17; BYTE $0x00; BYTE $0x22                         // llgtr 2,2
+	BYTE $0xA5; BYTE $0x26; BYTE $0x7F; BYTE $0xFF                         // nilh  2,32767
+	BYTE $0xE3; BYTE $0x22; BYTE $0x00; BYTE $0x58; BYTE $0x00; BYTE $0x04 // lg    2,88(2)
+	BYTE $0xE3; BYTE $0x22; BYTE $0x00; BYTE $0x08; BYTE $0x00; BYTE $0x04 // lg    2,8(2)
+	BYTE $0x41; BYTE $0x22; BYTE $0x03; BYTE $0x68                         // la    2,872(2)
+
+	// set up R5 to point to the "shunt" path which set 1 to R3 (failure)
+	BYTE $0xB9; BYTE $0x82; BYTE $0x00; BYTE $0x33 // xgr   3,3
+	BYTE $0xA7; BYTE $0x55; BYTE $0x00; BYTE $0x04 // bras  5,lbl1
+	BYTE $0xA7; BYTE $0x39; BYTE $0x00; BYTE $0x01 // lghi  3,1
+
+	// if r3 is not zero (failed) then branch to finish
+	BYTE $0xB9; BYTE $0x02; BYTE $0x00; BYTE $0x33 // lbl1     ltgr  3,3
+	BYTE $0xA7; BYTE $0x74; BYTE $0x00; BYTE $0x08 // brc   b'0111',lbl2
+
+	// stomic store shunt address in R5 into CEECAADMC
+	BYTE $0xE3; BYTE $0x52; BYTE $0x00; BYTE $0x00; BYTE $0x00; BYTE $0x24 // stg   5,0(2)
+
+	// now try reading from the test pointer in R10, if it fails it branches to the "lghi" instruction above
+	BYTE $0xE3; BYTE $0x9A; BYTE $0x00; BYTE $0x00; BYTE $0x00; BYTE $0x04 // lg    9,0(10)
+
+	// finish here, restore 0 into CEECAADMC
+	BYTE $0xB9; BYTE $0x82; BYTE $0x00; BYTE $0x99                         // lbl2     xgr   9,9
+	BYTE $0xE3; BYTE $0x92; BYTE $0x00; BYTE $0x00; BYTE $0x00; BYTE $0x24 // stg   9,0(2)
+	MOVD R3, ret+8(FP)                                                     // result in R3
+	RET
+
+//
+// function to test if a untptr can be loaded from a pointer
+// return 1: the 8-byte content
+//        2: 0 for success, 1 for failure
+//
+// func safeload(ptr uintptr) ( value uintptr, error uintptr)
+TEXT ·safeload(SB), NOSPLIT, $0-24
+	MOVD ptr+0(FP), R10                                                    // test pointer in R10
+	MOVD $0x0, R6
+	BYTE $0xE3; BYTE $0x20; BYTE $0x04; BYTE $0xB8; BYTE $0x00; BYTE $0x17 // llgt  2,1208
+	BYTE $0xB9; BYTE $0x17; BYTE $0x00; BYTE $0x22                         // llgtr 2,2
+	BYTE $0xA5; BYTE $0x26; BYTE $0x7F; BYTE $0xFF                         // nilh  2,32767
+	BYTE $0xE3; BYTE $0x22; BYTE $0x00; BYTE $0x58; BYTE $0x00; BYTE $0x04 // lg    2,88(2)
+	BYTE $0xE3; BYTE $0x22; BYTE $0x00; BYTE $0x08; BYTE $0x00; BYTE $0x04 // lg    2,8(2)
+	BYTE $0x41; BYTE $0x22; BYTE $0x03; BYTE $0x68                         // la    2,872(2)
+	BYTE $0xB9; BYTE $0x82; BYTE $0x00; BYTE $0x33                         // xgr   3,3
+	BYTE $0xA7; BYTE $0x55; BYTE $0x00; BYTE $0x04                         // bras  5,lbl1
+	BYTE $0xA7; BYTE $0x39; BYTE $0x00; BYTE $0x01                         // lghi  3,1
+	BYTE $0xB9; BYTE $0x02; BYTE $0x00; BYTE $0x33                         // lbl1     ltgr  3,3
+	BYTE $0xA7; BYTE $0x74; BYTE $0x00; BYTE $0x08                         // brc   b'0111',lbl2
+	BYTE $0xE3; BYTE $0x52; BYTE $0x00; BYTE $0x00; BYTE $0x00; BYTE $0x24 // stg 5,0(2)
+	BYTE $0xE3; BYTE $0x6A; BYTE $0x00; BYTE $0x00; BYTE $0x00; BYTE $0x04 // lg    6,0(10)
+	BYTE $0xB9; BYTE $0x82; BYTE $0x00; BYTE $0x99                         // lbl2     xgr   9,9
+	BYTE $0xE3; BYTE $0x92; BYTE $0x00; BYTE $0x00; BYTE $0x00; BYTE $0x24 // stg   9,0(2)
+	MOVD R6, value+8(FP)                                                   // result in R6
+	MOVD R3, error+16(FP)                                                  // error in R3
+	RET

vendor/golang.org/x/sys/unix/auxv.go

@@ -0,0 +1,36 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.21 && (aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris || zos)
+
+package unix
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+//go:linkname runtime_getAuxv runtime.getAuxv
+func runtime_getAuxv() []uintptr
+
+// Auxv returns the ELF auxiliary vector as a sequence of key/value pairs.
+// The returned slice is always a fresh copy, owned by the caller.
+// It returns an error on non-ELF platforms, or if the auxiliary vector cannot be accessed,
+// which happens in some locked-down environments and build modes.
+func Auxv() ([][2]uintptr, error) {
+	vec := runtime_getAuxv()
+	vecLen := len(vec)
+
+	if vecLen == 0 {
+		return nil, syscall.ENOENT
+	}
+
+	if vecLen%2 != 0 {
+		return nil, syscall.EINVAL
+	}
+
+	result := make([]uintptr, vecLen)
+	copy(result, vec)
+	return unsafe.Slice((*[2]uintptr)(unsafe.Pointer(&result[0])), vecLen/2), nil
+}

vendor/golang.org/x/sys/unix/auxv_unsupported.go

@@ -0,0 +1,13 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !go1.21 && (aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris || zos)
+
+package unix
+
+import "syscall"
+
+func Auxv() ([][2]uintptr, error) {
+	return nil, syscall.ENOTSUP
+}

vendor/golang.org/x/sys/unix/bpxsvc_zos.go

@@ -0,0 +1,657 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build zos
+
+package unix
+
+import (
+	"bytes"
+	"fmt"
+	"unsafe"
+)
+
+//go:noescape
+func bpxcall(plist []unsafe.Pointer, bpx_offset int64)
+
+//go:noescape
+func A2e([]byte)
+
+//go:noescape
+func E2a([]byte)
+
+const (
+	BPX4STA = 192  // stat
+	BPX4FST = 104  // fstat
+	BPX4LST = 132  // lstat
+	BPX4OPN = 156  // open
+	BPX4CLO = 72   // close
+	BPX4CHR = 500  // chattr
+	BPX4FCR = 504  // fchattr
+	BPX4LCR = 1180 // lchattr
+	BPX4CTW = 492  // cond_timed_wait
+	BPX4GTH = 1056 // __getthent
+	BPX4PTQ = 412  // pthread_quiesc
+	BPX4PTR = 320  // ptrace
+)
+
+const (
+	//options
+	//byte1
+	BPX_OPNFHIGH = 0x80
+	//byte2
+	BPX_OPNFEXEC = 0x80
+	//byte3
+	BPX_O_NOLARGEFILE = 0x08
+	BPX_O_LARGEFILE   = 0x04
+	BPX_O_ASYNCSIG    = 0x02
+	BPX_O_SYNC        = 0x01
+	//byte4
+	BPX_O_CREXCL   = 0xc0
+	BPX_O_CREAT    = 0x80
+	BPX_O_EXCL     = 0x40
+	BPX_O_NOCTTY   = 0x20
+	BPX_O_TRUNC    = 0x10
+	BPX_O_APPEND   = 0x08
+	BPX_O_NONBLOCK = 0x04
+	BPX_FNDELAY    = 0x04
+	BPX_O_RDWR     = 0x03
+	BPX_O_RDONLY   = 0x02
+	BPX_O_WRONLY   = 0x01
+	BPX_O_ACCMODE  = 0x03
+	BPX_O_GETFL    = 0x0f
+
+	//mode
+	// byte1 (file type)
+	BPX_FT_DIR      = 1
+	BPX_FT_CHARSPEC = 2
+	BPX_FT_REGFILE  = 3
+	BPX_FT_FIFO     = 4
+	BPX_FT_SYMLINK  = 5
+	BPX_FT_SOCKET   = 6
+	//byte3
+	BPX_S_ISUID  = 0x08
+	BPX_S_ISGID  = 0x04
+	BPX_S_ISVTX  = 0x02
+	BPX_S_IRWXU1 = 0x01
+	BPX_S_IRUSR  = 0x01
+	//byte4
+	BPX_S_IRWXU2 = 0xc0
+	BPX_S_IWUSR  = 0x80
+	BPX_S_IXUSR  = 0x40
+	BPX_S_IRWXG  = 0x38
+	BPX_S_IRGRP  = 0x20
+	BPX_S_IWGRP  = 0x10
+	BPX_S_IXGRP  = 0x08
+	BPX_S_IRWXOX = 0x07
+	BPX_S_IROTH  = 0x04
+	BPX_S_IWOTH  = 0x02
+	BPX_S_IXOTH  = 0x01
+
+	CW_INTRPT  = 1
+	CW_CONDVAR = 32
+	CW_TIMEOUT = 64
+
+	PGTHA_NEXT        = 2
+	PGTHA_CURRENT     = 1
+	PGTHA_FIRST       = 0
+	PGTHA_LAST        = 3
+	PGTHA_PROCESS     = 0x80
+	PGTHA_CONTTY      = 0x40
+	PGTHA_PATH        = 0x20
+	PGTHA_COMMAND     = 0x10
+	PGTHA_FILEDATA    = 0x08
+	PGTHA_THREAD      = 0x04
+	PGTHA_PTAG        = 0x02
+	PGTHA_COMMANDLONG = 0x01
+	PGTHA_THREADFAST  = 0x80
+	PGTHA_FILEPATH    = 0x40
+	PGTHA_THDSIGMASK  = 0x20
+	// thread quiece mode
+	QUIESCE_TERM       int32 = 1
+	QUIESCE_FORCE      int32 = 2
+	QUIESCE_QUERY      int32 = 3
+	QUIESCE_FREEZE     int32 = 4
+	QUIESCE_UNFREEZE   int32 = 5
+	FREEZE_THIS_THREAD int32 = 6
+	FREEZE_EXIT        int32 = 8
+	QUIESCE_SRB        int32 = 9
+)
+
+type Pgtha struct {
+	Pid        uint32 // 0
+	Tid0       uint32 // 4
+	Tid1       uint32
+	Accesspid  byte    // C
+	Accesstid  byte    // D
+	Accessasid uint16  // E
+	Loginname  [8]byte // 10
+	Flag1      byte    // 18
+	Flag1b2    byte    // 19
+}
+
+type Bpxystat_t struct { // DSECT BPXYSTAT
+	St_id           [4]uint8  // 0
+	St_length       uint16    // 0x4
+	St_version      uint16    // 0x6
+	St_mode         uint32    // 0x8
+	St_ino          uint32    // 0xc
+	St_dev          uint32    // 0x10
+	St_nlink        uint32    // 0x14
+	St_uid          uint32    // 0x18
+	St_gid          uint32    // 0x1c
+	St_size         uint64    // 0x20
+	St_atime        uint32    // 0x28
+	St_mtime        uint32    // 0x2c
+	St_ctime        uint32    // 0x30
+	St_rdev         uint32    // 0x34
+	St_auditoraudit uint32    // 0x38
+	St_useraudit    uint32    // 0x3c
+	St_blksize      uint32    // 0x40
+	St_createtime   uint32    // 0x44
+	St_auditid      [4]uint32 // 0x48
+	St_res01        uint32    // 0x58
+	Ft_ccsid        uint16    // 0x5c
+	Ft_flags        uint16    // 0x5e
+	St_res01a       [2]uint32 // 0x60
+	St_res02        uint32    // 0x68
+	St_blocks       uint32    // 0x6c
+	St_opaque       [3]uint8  // 0x70
+	St_visible      uint8     // 0x73
+	St_reftime      uint32    // 0x74
+	St_fid          uint64    // 0x78
+	St_filefmt      uint8     // 0x80
+	St_fspflag2     uint8     // 0x81
+	St_res03        [2]uint8  // 0x82
+	St_ctimemsec    uint32    // 0x84
+	St_seclabel     [8]uint8  // 0x88
+	St_res04        [4]uint8  // 0x90
+	// end of version 1
+	_               uint32    // 0x94
+	St_atime64      uint64    // 0x98
+	St_mtime64      uint64    // 0xa0
+	St_ctime64      uint64    // 0xa8
+	St_createtime64 uint64    // 0xb0
+	St_reftime64    uint64    // 0xb8
+	_               uint64    // 0xc0
+	St_res05        [16]uint8 // 0xc8
+	// end of version 2
+}
+
+type BpxFilestatus struct {
+	Oflag1 byte
+	Oflag2 byte
+	Oflag3 byte
+	Oflag4 byte
+}
+
+type BpxMode struct {
+	Ftype byte
+	Mode1 byte
+	Mode2 byte
+	Mode3 byte
+}
+
+// Thr attribute structure for extended attributes
+type Bpxyatt_t struct { // DSECT BPXYATT
+	Att_id           [4]uint8
+	Att_version      uint16
+	Att_res01        [2]uint8
+	Att_setflags1    uint8
+	Att_setflags2    uint8
+	Att_setflags3    uint8
+	Att_setflags4    uint8
+	Att_mode         uint32
+	Att_uid          uint32
+	Att_gid          uint32
+	Att_opaquemask   [3]uint8
+	Att_visblmaskres uint8
+	Att_opaque       [3]uint8
+	Att_visibleres   uint8
+	Att_size_h       uint32
+	Att_size_l       uint32
+	Att_atime        uint32
+	Att_mtime        uint32
+	Att_auditoraudit uint32
+	Att_useraudit    uint32
+	Att_ctime        uint32
+	Att_reftime      uint32
+	// end of version 1
+	Att_filefmt uint8
+	Att_res02   [3]uint8
+	Att_filetag uint32
+	Att_res03   [8]uint8
+	// end of version 2
+	Att_atime64   uint64
+	Att_mtime64   uint64
+	Att_ctime64   uint64
+	Att_reftime64 uint64
+	Att_seclabel  [8]uint8
+	Att_ver3res02 [8]uint8
+	// end of version 3
+}
+
+func BpxOpen(name string, options *BpxFilestatus, mode *BpxMode) (rv int32, rc int32, rn int32) {
+	if len(name) < 1024 {
+		var namebuf [1024]byte
+		sz := int32(copy(namebuf[:], name))
+		A2e(namebuf[:sz])
+		var parms [7]unsafe.Pointer
+		parms[0] = unsafe.Pointer(&sz)
+		parms[1] = unsafe.Pointer(&namebuf[0])
+		parms[2] = unsafe.Pointer(options)
+		parms[3] = unsafe.Pointer(mode)
+		parms[4] = unsafe.Pointer(&rv)
+		parms[5] = unsafe.Pointer(&rc)
+		parms[6] = unsafe.Pointer(&rn)
+		bpxcall(parms[:], BPX4OPN)
+		return rv, rc, rn
+	}
+	return -1, -1, -1
+}
+
+func BpxClose(fd int32) (rv int32, rc int32, rn int32) {
+	var parms [4]unsafe.Pointer
+	parms[0] = unsafe.Pointer(&fd)
+	parms[1] = unsafe.Pointer(&rv)
+	parms[2] = unsafe.Pointer(&rc)
+	parms[3] = unsafe.Pointer(&rn)
+	bpxcall(parms[:], BPX4CLO)
+	return rv, rc, rn
+}
+
+func BpxFileFStat(fd int32, st *Bpxystat_t) (rv int32, rc int32, rn int32) {
+	st.St_id = [4]uint8{0xe2, 0xe3, 0xc1, 0xe3}
+	st.St_version = 2
+	stat_sz := uint32(unsafe.Sizeof(*st))
+	var parms [6]unsafe.Pointer
+	parms[0] = unsafe.Pointer(&fd)
+	parms[1] = unsafe.Pointer(&stat_sz)
+	parms[2] = unsafe.Pointer(st)
+	parms[3] = unsafe.Pointer(&rv)
+	parms[4] = unsafe.Pointer(&rc)
+	parms[5] = unsafe.Pointer(&rn)
+	bpxcall(parms[:], BPX4FST)
+	return rv, rc, rn
+}
+
+func BpxFileStat(name string, st *Bpxystat_t) (rv int32, rc int32, rn int32) {
+	if len(name) < 1024 {
+		var namebuf [1024]byte
+		sz := int32(copy(namebuf[:], name))
+		A2e(namebuf[:sz])
+		st.St_id = [4]uint8{0xe2, 0xe3, 0xc1, 0xe3}
+		st.St_version = 2
+		stat_sz := uint32(unsafe.Sizeof(*st))
+		var parms [7]unsafe.Pointer
+		parms[0] = unsafe.Pointer(&sz)
+		parms[1] = unsafe.Pointer(&namebuf[0])
+		parms[2] = unsafe.Pointer(&stat_sz)
+		parms[3] = unsafe.Pointer(st)
+		parms[4] = unsafe.Pointer(&rv)
+		parms[5] = unsafe.Pointer(&rc)
+		parms[6] = unsafe.Pointer(&rn)
+		bpxcall(parms[:], BPX4STA)
+		return rv, rc, rn
+	}
+	return -1, -1, -1
+}
+
+func BpxFileLStat(name string, st *Bpxystat_t) (rv int32, rc int32, rn int32) {
+	if len(name) < 1024 {
+		var namebuf [1024]byte
+		sz := int32(copy(namebuf[:], name))
+		A2e(namebuf[:sz])
+		st.St_id = [4]uint8{0xe2, 0xe3, 0xc1, 0xe3}
+		st.St_version = 2
+		stat_sz := uint32(unsafe.Sizeof(*st))
+		var parms [7]unsafe.Pointer
+		parms[0] = unsafe.Pointer(&sz)
+		parms[1] = unsafe.Pointer(&namebuf[0])
+		parms[2] = unsafe.Pointer(&stat_sz)
+		parms[3] = unsafe.Pointer(st)
+		parms[4] = unsafe.Pointer(&rv)
+		parms[5] = unsafe.Pointer(&rc)
+		parms[6] = unsafe.Pointer(&rn)
+		bpxcall(parms[:], BPX4LST)
+		return rv, rc, rn
+	}
+	return -1, -1, -1
+}
+
+func BpxChattr(path string, attr *Bpxyatt_t) (rv int32, rc int32, rn int32) {
+	if len(path) >= 1024 {
+		return -1, -1, -1
+	}
+	var namebuf [1024]byte
+	sz := int32(copy(namebuf[:], path))
+	A2e(namebuf[:sz])
+	attr_sz := uint32(unsafe.Sizeof(*attr))
+	var parms [7]unsafe.Pointer
+	parms[0] = unsafe.Pointer(&sz)
+	parms[1] = unsafe.Pointer(&namebuf[0])
+	parms[2] = unsafe.Pointer(&attr_sz)
+	parms[3] = unsafe.Pointer(attr)
+	parms[4] = unsafe.Pointer(&rv)
+	parms[5] = unsafe.Pointer(&rc)
+	parms[6] = unsafe.Pointer(&rn)
+	bpxcall(parms[:], BPX4CHR)
+	return rv, rc, rn
+}
+
+func BpxLchattr(path string, attr *Bpxyatt_t) (rv int32, rc int32, rn int32) {
+	if len(path) >= 1024 {
+		return -1, -1, -1
+	}
+	var namebuf [1024]byte
+	sz := int32(copy(namebuf[:], path))
+	A2e(namebuf[:sz])
+	attr_sz := uint32(unsafe.Sizeof(*attr))
+	var parms [7]unsafe.Pointer
+	parms[0] = unsafe.Pointer(&sz)
+	parms[1] = unsafe.Pointer(&namebuf[0])
+	parms[2] = unsafe.Pointer(&attr_sz)
+	parms[3] = unsafe.Pointer(attr)
+	parms[4] = unsafe.Pointer(&rv)
+	parms[5] = unsafe.Pointer(&rc)
+	parms[6] = unsafe.Pointer(&rn)
+	bpxcall(parms[:], BPX4LCR)
+	return rv, rc, rn
+}
+
+func BpxFchattr(fd int32, attr *Bpxyatt_t) (rv int32, rc int32, rn int32) {
+	attr_sz := uint32(unsafe.Sizeof(*attr))
+	var parms [6]unsafe.Pointer
+	parms[0] = unsafe.Pointer(&fd)
+	parms[1] = unsafe.Pointer(&attr_sz)
+	parms[2] = unsafe.Pointer(attr)
+	parms[3] = unsafe.Pointer(&rv)
+	parms[4] = unsafe.Pointer(&rc)
+	parms[5] = unsafe.Pointer(&rn)
+	bpxcall(parms[:], BPX4FCR)
+	return rv, rc, rn
+}
+
+func BpxCondTimedWait(sec uint32, nsec uint32, events uint32, secrem *uint32, nsecrem *uint32) (rv int32, rc int32, rn int32) {
+	var parms [8]unsafe.Pointer
+	parms[0] = unsafe.Pointer(&sec)
+	parms[1] = unsafe.Pointer(&nsec)
+	parms[2] = unsafe.Pointer(&events)
+	parms[3] = unsafe.Pointer(secrem)
+	parms[4] = unsafe.Pointer(nsecrem)
+	parms[5] = unsafe.Pointer(&rv)
+	parms[6] = unsafe.Pointer(&rc)
+	parms[7] = unsafe.Pointer(&rn)
+	bpxcall(parms[:], BPX4CTW)
+	return rv, rc, rn
+}
+func BpxGetthent(in *Pgtha, outlen *uint32, out unsafe.Pointer) (rv int32, rc int32, rn int32) {
+	var parms [7]unsafe.Pointer
+	inlen := uint32(26) // nothing else will work. Go says Pgtha is 28-byte because of alignment, but Pgtha is "packed" and must be 26-byte
+	parms[0] = unsafe.Pointer(&inlen)
+	parms[1] = unsafe.Pointer(&in)
+	parms[2] = unsafe.Pointer(outlen)
+	parms[3] = unsafe.Pointer(&out)
+	parms[4] = unsafe.Pointer(&rv)
+	parms[5] = unsafe.Pointer(&rc)
+	parms[6] = unsafe.Pointer(&rn)
+	bpxcall(parms[:], BPX4GTH)
+	return rv, rc, rn
+}
+func ZosJobname() (jobname string, err error) {
+	var pgtha Pgtha
+	pgtha.Pid = uint32(Getpid())
+	pgtha.Accesspid = PGTHA_CURRENT
+	pgtha.Flag1 = PGTHA_PROCESS
+	var out [256]byte
+	var outlen uint32
+	outlen = 256
+	rv, rc, rn := BpxGetthent(&pgtha, &outlen, unsafe.Pointer(&out[0]))
+	if rv == 0 {
+		gthc := []byte{0x87, 0xa3, 0x88, 0x83} // 'gthc' in ebcdic
+		ix := bytes.Index(out[:], gthc)
+		if ix == -1 {
+			err = fmt.Errorf("BPX4GTH: gthc return data not found")
+			return
+		}
+		jn := out[ix+80 : ix+88] // we didn't declare Pgthc, but jobname is 8-byte at offset 80
+		E2a(jn)
+		jobname = string(bytes.TrimRight(jn, " "))
+
+	} else {
+		err = fmt.Errorf("BPX4GTH: rc=%d errno=%d reason=code=0x%x", rv, rc, rn)
+	}
+	return
+}
+func Bpx4ptq(code int32, data string) (rv int32, rc int32, rn int32) {
+	var userdata [8]byte
+	var parms [5]unsafe.Pointer
+	copy(userdata[:], data+"        ")
+	A2e(userdata[:])
+	parms[0] = unsafe.Pointer(&code)
+	parms[1] = unsafe.Pointer(&userdata[0])
+	parms[2] = unsafe.Pointer(&rv)
+	parms[3] = unsafe.Pointer(&rc)
+	parms[4] = unsafe.Pointer(&rn)
+	bpxcall(parms[:], BPX4PTQ)
+	return rv, rc, rn
+}
+
+const (
+	PT_TRACE_ME             = 0  // Debug this process
+	PT_READ_I               = 1  // Read a full word
+	PT_READ_D               = 2  // Read a full word
+	PT_READ_U               = 3  // Read control info
+	PT_WRITE_I              = 4  //Write a full word
+	PT_WRITE_D              = 5  //Write a full word
+	PT_CONTINUE             = 7  //Continue the process
+	PT_KILL                 = 8  //Terminate the process
+	PT_READ_GPR             = 11 // Read GPR, CR, PSW
+	PT_READ_FPR             = 12 // Read FPR
+	PT_READ_VR              = 13 // Read VR
+	PT_WRITE_GPR            = 14 // Write GPR, CR, PSW
+	PT_WRITE_FPR            = 15 // Write FPR
+	PT_WRITE_VR             = 16 // Write VR
+	PT_READ_BLOCK           = 17 // Read storage
+	PT_WRITE_BLOCK          = 19 // Write storage
+	PT_READ_GPRH            = 20 // Read GPRH
+	PT_WRITE_GPRH           = 21 // Write GPRH
+	PT_REGHSET              = 22 // Read all GPRHs
+	PT_ATTACH               = 30 // Attach to a process
+	PT_DETACH               = 31 // Detach from a process
+	PT_REGSET               = 32 // Read all GPRs
+	PT_REATTACH             = 33 // Reattach to a process
+	PT_LDINFO               = 34 // Read loader info
+	PT_MULTI                = 35 // Multi process mode
+	PT_LD64INFO             = 36 // RMODE64 Info Area
+	PT_BLOCKREQ             = 40 // Block request
+	PT_THREAD_INFO          = 60 // Read thread info
+	PT_THREAD_MODIFY        = 61
+	PT_THREAD_READ_FOCUS    = 62
+	PT_THREAD_WRITE_FOCUS   = 63
+	PT_THREAD_HOLD          = 64
+	PT_THREAD_SIGNAL        = 65
+	PT_EXPLAIN              = 66
+	PT_EVENTS               = 67
+	PT_THREAD_INFO_EXTENDED = 68
+	PT_REATTACH2            = 71
+	PT_CAPTURE              = 72
+	PT_UNCAPTURE            = 73
+	PT_GET_THREAD_TCB       = 74
+	PT_GET_ALET             = 75
+	PT_SWAPIN               = 76
+	PT_EXTENDED_EVENT       = 98
+	PT_RECOVER              = 99  // Debug a program check
+	PT_GPR0                 = 0   // General purpose register 0
+	PT_GPR1                 = 1   // General purpose register 1
+	PT_GPR2                 = 2   // General purpose register 2
+	PT_GPR3                 = 3   // General purpose register 3
+	PT_GPR4                 = 4   // General purpose register 4
+	PT_GPR5                 = 5   // General purpose register 5
+	PT_GPR6                 = 6   // General purpose register 6
+	PT_GPR7                 = 7   // General purpose register 7
+	PT_GPR8                 = 8   // General purpose register 8
+	PT_GPR9                 = 9   // General purpose register 9
+	PT_GPR10                = 10  // General purpose register 10
+	PT_GPR11                = 11  // General purpose register 11
+	PT_GPR12                = 12  // General purpose register 12
+	PT_GPR13                = 13  // General purpose register 13
+	PT_GPR14                = 14  // General purpose register 14
+	PT_GPR15                = 15  // General purpose register 15
+	PT_FPR0                 = 16  // Floating point register 0
+	PT_FPR1                 = 17  // Floating point register 1
+	PT_FPR2                 = 18  // Floating point register 2
+	PT_FPR3                 = 19  // Floating point register 3
+	PT_FPR4                 = 20  // Floating point register 4
+	PT_FPR5                 = 21  // Floating point register 5
+	PT_FPR6                 = 22  // Floating point register 6
+	PT_FPR7                 = 23  // Floating point register 7
+	PT_FPR8                 = 24  // Floating point register 8
+	PT_FPR9                 = 25  // Floating point register 9
+	PT_FPR10                = 26  // Floating point register 10
+	PT_FPR11                = 27  // Floating point register 11
+	PT_FPR12                = 28  // Floating point register 12
+	PT_FPR13                = 29  // Floating point register 13
+	PT_FPR14                = 30  // Floating point register 14
+	PT_FPR15                = 31  // Floating point register 15
+	PT_FPC                  = 32  // Floating point control register
+	PT_PSW                  = 40  // PSW
+	PT_PSW0                 = 40  // Left half of the PSW
+	PT_PSW1                 = 41  // Right half of the PSW
+	PT_CR0                  = 42  // Control register 0
+	PT_CR1                  = 43  // Control register 1
+	PT_CR2                  = 44  // Control register 2
+	PT_CR3                  = 45  // Control register 3
+	PT_CR4                  = 46  // Control register 4
+	PT_CR5                  = 47  // Control register 5
+	PT_CR6                  = 48  // Control register 6
+	PT_CR7                  = 49  // Control register 7
+	PT_CR8                  = 50  // Control register 8
+	PT_CR9                  = 51  // Control register 9
+	PT_CR10                 = 52  // Control register 10
+	PT_CR11                 = 53  // Control register 11
+	PT_CR12                 = 54  // Control register 12
+	PT_CR13                 = 55  // Control register 13
+	PT_CR14                 = 56  // Control register 14
+	PT_CR15                 = 57  // Control register 15
+	PT_GPRH0                = 58  // GP High register 0
+	PT_GPRH1                = 59  // GP High register 1
+	PT_GPRH2                = 60  // GP High register 2
+	PT_GPRH3                = 61  // GP High register 3
+	PT_GPRH4                = 62  // GP High register 4
+	PT_GPRH5                = 63  // GP High register 5
+	PT_GPRH6                = 64  // GP High register 6
+	PT_GPRH7                = 65  // GP High register 7
+	PT_GPRH8                = 66  // GP High register 8
+	PT_GPRH9                = 67  // GP High register 9
+	PT_GPRH10               = 68  // GP High register 10
+	PT_GPRH11               = 69  // GP High register 11
+	PT_GPRH12               = 70  // GP High register 12
+	PT_GPRH13               = 71  // GP High register 13
+	PT_GPRH14               = 72  // GP High register 14
+	PT_GPRH15               = 73  // GP High register 15
+	PT_VR0                  = 74  // Vector register 0
+	PT_VR1                  = 75  // Vector register 1
+	PT_VR2                  = 76  // Vector register 2
+	PT_VR3                  = 77  // Vector register 3
+	PT_VR4                  = 78  // Vector register 4
+	PT_VR5                  = 79  // Vector register 5
+	PT_VR6                  = 80  // Vector register 6
+	PT_VR7                  = 81  // Vector register 7
+	PT_VR8                  = 82  // Vector register 8
+	PT_VR9                  = 83  // Vector register 9
+	PT_VR10                 = 84  // Vector register 10
+	PT_VR11                 = 85  // Vector register 11
+	PT_VR12                 = 86  // Vector register 12
+	PT_VR13                 = 87  // Vector register 13
+	PT_VR14                 = 88  // Vector register 14
+	PT_VR15                 = 89  // Vector register 15
+	PT_VR16                 = 90  // Vector register 16
+	PT_VR17                 = 91  // Vector register 17
+	PT_VR18                 = 92  // Vector register 18
+	PT_VR19                 = 93  // Vector register 19
+	PT_VR20                 = 94  // Vector register 20
+	PT_VR21                 = 95  // Vector register 21
+	PT_VR22                 = 96  // Vector register 22
+	PT_VR23                 = 97  // Vector register 23
+	PT_VR24                 = 98  // Vector register 24
+	PT_VR25                 = 99  // Vector register 25
+	PT_VR26                 = 100 // Vector register 26
+	PT_VR27                 = 101 // Vector register 27
+	PT_VR28                 = 102 // Vector register 28
+	PT_VR29                 = 103 // Vector register 29
+	PT_VR30                 = 104 // Vector register 30
+	PT_VR31                 = 105 // Vector register 31
+	PT_PSWG                 = 106 // PSWG
+	PT_PSWG0                = 106 // Bytes 0-3
+	PT_PSWG1                = 107 // Bytes 4-7
+	PT_PSWG2                = 108 // Bytes 8-11 (IA high word)
+	PT_PSWG3                = 109 // Bytes 12-15 (IA low word)
+)
+
+func Bpx4ptr(request int32, pid int32, addr unsafe.Pointer, data unsafe.Pointer, buffer unsafe.Pointer) (rv int32, rc int32, rn int32) {
+	var parms [8]unsafe.Pointer
+	parms[0] = unsafe.Pointer(&request)
+	parms[1] = unsafe.Pointer(&pid)
+	parms[2] = unsafe.Pointer(&addr)
+	parms[3] = unsafe.Pointer(&data)
+	parms[4] = unsafe.Pointer(&buffer)
+	parms[5] = unsafe.Pointer(&rv)
+	parms[6] = unsafe.Pointer(&rc)
+	parms[7] = unsafe.Pointer(&rn)
+	bpxcall(parms[:], BPX4PTR)
+	return rv, rc, rn
+}
+
+func copyU8(val uint8, dest []uint8) int {
+	if len(dest) < 1 {
+		return 0
+	}
+	dest[0] = val
+	return 1
+}
+
+func copyU8Arr(src, dest []uint8) int {
+	if len(dest) < len(src) {
+		return 0
+	}
+	for i, v := range src {
+		dest[i] = v
+	}
+	return len(src)
+}
+
+func copyU16(val uint16, dest []uint16) int {
+	if len(dest) < 1 {
+		return 0
+	}
+	dest[0] = val
+	return 1
+}
+
+func copyU32(val uint32, dest []uint32) int {
+	if len(dest) < 1 {
+		return 0
+	}
+	dest[0] = val
+	return 1
+}
+
+func copyU32Arr(src, dest []uint32) int {
+	if len(dest) < len(src) {
+		return 0
+	}
+	for i, v := range src {
+		dest[i] = v
+	}
+	return len(src)
+}
+
+func copyU64(val uint64, dest []uint64) int {
+	if len(dest) < 1 {
+		return 0
+	}
+	dest[0] = val
+	return 1
+}

vendor/golang.org/x/sys/unix/bpxsvc_zos.s

@@ -0,0 +1,192 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+#include "go_asm.h"
+#include "textflag.h"
+
+// function to call USS assembly language services
+//
+// doc: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_3.1.0/com.ibm.zos.v3r1.bpxb100/bit64env.htm
+//
+//   arg1 unsafe.Pointer array that ressembles an OS PLIST
+//
+//   arg2 function offset as in
+//       doc: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_3.1.0/com.ibm.zos.v3r1.bpxb100/bpx2cr_List_of_offsets.htm
+//
+// func bpxcall(plist []unsafe.Pointer, bpx_offset int64)
+
+TEXT ·bpxcall(SB), NOSPLIT|NOFRAME, $0
+	MOVD  plist_base+0(FP), R1  // r1 points to plist
+	MOVD  bpx_offset+24(FP), R2 // r2 offset to BPX vector table
+	MOVD  R14, R7               // save r14
+	MOVD  R15, R8               // save r15
+	MOVWZ 16(R0), R9
+	MOVWZ 544(R9), R9
+	MOVWZ 24(R9), R9            // call vector in r9
+	ADD   R2, R9                // add offset to vector table
+	MOVWZ (R9), R9              // r9 points to entry point
+	BYTE  $0x0D                 // BL R14,R9 --> basr r14,r9
+	BYTE  $0xE9                 // clobbers 0,1,14,15
+	MOVD  R8, R15               // restore 15
+	JMP   R7                    // return via saved return address
+
+//   func A2e(arr [] byte)
+//   code page conversion from  819 to 1047
+TEXT ·A2e(SB), NOSPLIT|NOFRAME, $0
+	MOVD arg_base+0(FP), R2                        // pointer to arry of characters
+	MOVD arg_len+8(FP), R3                         // count
+	XOR  R0, R0
+	XOR  R1, R1
+	BYTE $0xA7; BYTE $0x15; BYTE $0x00; BYTE $0x82 // BRAS 1,(2+(256/2))
+
+	// ASCII -> EBCDIC conversion table:
+	BYTE $0x00; BYTE $0x01; BYTE $0x02; BYTE $0x03
+	BYTE $0x37; BYTE $0x2d; BYTE $0x2e; BYTE $0x2f
+	BYTE $0x16; BYTE $0x05; BYTE $0x15; BYTE $0x0b
+	BYTE $0x0c; BYTE $0x0d; BYTE $0x0e; BYTE $0x0f
+	BYTE $0x10; BYTE $0x11; BYTE $0x12; BYTE $0x13
+	BYTE $0x3c; BYTE $0x3d; BYTE $0x32; BYTE $0x26
+	BYTE $0x18; BYTE $0x19; BYTE $0x3f; BYTE $0x27
+	BYTE $0x1c; BYTE $0x1d; BYTE $0x1e; BYTE $0x1f
+	BYTE $0x40; BYTE $0x5a; BYTE $0x7f; BYTE $0x7b
+	BYTE $0x5b; BYTE $0x6c; BYTE $0x50; BYTE $0x7d
+	BYTE $0x4d; BYTE $0x5d; BYTE $0x5c; BYTE $0x4e
+	BYTE $0x6b; BYTE $0x60; BYTE $0x4b; BYTE $0x61
+	BYTE $0xf0; BYTE $0xf1; BYTE $0xf2; BYTE $0xf3
+	BYTE $0xf4; BYTE $0xf5; BYTE $0xf6; BYTE $0xf7
+	BYTE $0xf8; BYTE $0xf9; BYTE $0x7a; BYTE $0x5e
+	BYTE $0x4c; BYTE $0x7e; BYTE $0x6e; BYTE $0x6f
+	BYTE $0x7c; BYTE $0xc1; BYTE $0xc2; BYTE $0xc3
+	BYTE $0xc4; BYTE $0xc5; BYTE $0xc6; BYTE $0xc7
+	BYTE $0xc8; BYTE $0xc9; BYTE $0xd1; BYTE $0xd2
+	BYTE $0xd3; BYTE $0xd4; BYTE $0xd5; BYTE $0xd6
+	BYTE $0xd7; BYTE $0xd8; BYTE $0xd9; BYTE $0xe2
+	BYTE $0xe3; BYTE $0xe4; BYTE $0xe5; BYTE $0xe6
+	BYTE $0xe7; BYTE $0xe8; BYTE $0xe9; BYTE $0xad
+	BYTE $0xe0; BYTE $0xbd; BYTE $0x5f; BYTE $0x6d
+	BYTE $0x79; BYTE $0x81; BYTE $0x82; BYTE $0x83
+	BYTE $0x84; BYTE $0x85; BYTE $0x86; BYTE $0x87
+	BYTE $0x88; BYTE $0x89; BYTE $0x91; BYTE $0x92
+	BYTE $0x93; BYTE $0x94; BYTE $0x95; BYTE $0x96
+	BYTE $0x97; BYTE $0x98; BYTE $0x99; BYTE $0xa2
+	BYTE $0xa3; BYTE $0xa4; BYTE $0xa5; BYTE $0xa6
+	BYTE $0xa7; BYTE $0xa8; BYTE $0xa9; BYTE $0xc0
+	BYTE $0x4f; BYTE $0xd0; BYTE $0xa1; BYTE $0x07
+	BYTE $0x20; BYTE $0x21; BYTE $0x22; BYTE $0x23
+	BYTE $0x24; BYTE $0x25; BYTE $0x06; BYTE $0x17
+	BYTE $0x28; BYTE $0x29; BYTE $0x2a; BYTE $0x2b
+	BYTE $0x2c; BYTE $0x09; BYTE $0x0a; BYTE $0x1b
+	BYTE $0x30; BYTE $0x31; BYTE $0x1a; BYTE $0x33
+	BYTE $0x34; BYTE $0x35; BYTE $0x36; BYTE $0x08
+	BYTE $0x38; BYTE $0x39; BYTE $0x3a; BYTE $0x3b
+	BYTE $0x04; BYTE $0x14; BYTE $0x3e; BYTE $0xff
+	BYTE $0x41; BYTE $0xaa; BYTE $0x4a; BYTE $0xb1
+	BYTE $0x9f; BYTE $0xb2; BYTE $0x6a; BYTE $0xb5
+	BYTE $0xbb; BYTE $0xb4; BYTE $0x9a; BYTE $0x8a
+	BYTE $0xb0; BYTE $0xca; BYTE $0xaf; BYTE $0xbc
+	BYTE $0x90; BYTE $0x8f; BYTE $0xea; BYTE $0xfa
+	BYTE $0xbe; BYTE $0xa0; BYTE $0xb6; BYTE $0xb3
+	BYTE $0x9d; BYTE $0xda; BYTE $0x9b; BYTE $0x8b
+	BYTE $0xb7; BYTE $0xb8; BYTE $0xb9; BYTE $0xab
+	BYTE $0x64; BYTE $0x65; BYTE $0x62; BYTE $0x66
+	BYTE $0x63; BYTE $0x67; BYTE $0x9e; BYTE $0x68
+	BYTE $0x74; BYTE $0x71; BYTE $0x72; BYTE $0x73
+	BYTE $0x78; BYTE $0x75; BYTE $0x76; BYTE $0x77
+	BYTE $0xac; BYTE $0x69; BYTE $0xed; BYTE $0xee
+	BYTE $0xeb; BYTE $0xef; BYTE $0xec; BYTE $0xbf
+	BYTE $0x80; BYTE $0xfd; BYTE $0xfe; BYTE $0xfb
+	BYTE $0xfc; BYTE $0xba; BYTE $0xae; BYTE $0x59
+	BYTE $0x44; BYTE $0x45; BYTE $0x42; BYTE $0x46
+	BYTE $0x43; BYTE $0x47; BYTE $0x9c; BYTE $0x48
+	BYTE $0x54; BYTE $0x51; BYTE $0x52; BYTE $0x53
+	BYTE $0x58; BYTE $0x55; BYTE $0x56; BYTE $0x57
+	BYTE $0x8c; BYTE $0x49; BYTE $0xcd; BYTE $0xce
+	BYTE $0xcb; BYTE $0xcf; BYTE $0xcc; BYTE $0xe1
+	BYTE $0x70; BYTE $0xdd; BYTE $0xde; BYTE $0xdb
+	BYTE $0xdc; BYTE $0x8d; BYTE $0x8e; BYTE $0xdf
+
+retry:
+	WORD $0xB9931022 // TROO 2,2,b'0001'
+	BVS  retry
+	RET
+
+//   func e2a(arr [] byte)
+//   code page conversion from  1047 to 819
+TEXT ·E2a(SB), NOSPLIT|NOFRAME, $0
+	MOVD arg_base+0(FP), R2                        // pointer to arry of characters
+	MOVD arg_len+8(FP), R3                         // count
+	XOR  R0, R0
+	XOR  R1, R1
+	BYTE $0xA7; BYTE $0x15; BYTE $0x00; BYTE $0x82 // BRAS 1,(2+(256/2))
+
+	// EBCDIC -> ASCII conversion table:
+	BYTE $0x00; BYTE $0x01; BYTE $0x02; BYTE $0x03
+	BYTE $0x9c; BYTE $0x09; BYTE $0x86; BYTE $0x7f
+	BYTE $0x97; BYTE $0x8d; BYTE $0x8e; BYTE $0x0b
+	BYTE $0x0c; BYTE $0x0d; BYTE $0x0e; BYTE $0x0f
+	BYTE $0x10; BYTE $0x11; BYTE $0x12; BYTE $0x13
+	BYTE $0x9d; BYTE $0x0a; BYTE $0x08; BYTE $0x87
+	BYTE $0x18; BYTE $0x19; BYTE $0x92; BYTE $0x8f
+	BYTE $0x1c; BYTE $0x1d; BYTE $0x1e; BYTE $0x1f
+	BYTE $0x80; BYTE $0x81; BYTE $0x82; BYTE $0x83
+	BYTE $0x84; BYTE $0x85; BYTE $0x17; BYTE $0x1b
+	BYTE $0x88; BYTE $0x89; BYTE $0x8a; BYTE $0x8b
+	BYTE $0x8c; BYTE $0x05; BYTE $0x06; BYTE $0x07
+	BYTE $0x90; BYTE $0x91; BYTE $0x16; BYTE $0x93
+	BYTE $0x94; BYTE $0x95; BYTE $0x96; BYTE $0x04
+	BYTE $0x98; BYTE $0x99; BYTE $0x9a; BYTE $0x9b
+	BYTE $0x14; BYTE $0x15; BYTE $0x9e; BYTE $0x1a
+	BYTE $0x20; BYTE $0xa0; BYTE $0xe2; BYTE $0xe4
+	BYTE $0xe0; BYTE $0xe1; BYTE $0xe3; BYTE $0xe5
+	BYTE $0xe7; BYTE $0xf1; BYTE $0xa2; BYTE $0x2e
+	BYTE $0x3c; BYTE $0x28; BYTE $0x2b; BYTE $0x7c
+	BYTE $0x26; BYTE $0xe9; BYTE $0xea; BYTE $0xeb
+	BYTE $0xe8; BYTE $0xed; BYTE $0xee; BYTE $0xef
+	BYTE $0xec; BYTE $0xdf; BYTE $0x21; BYTE $0x24
+	BYTE $0x2a; BYTE $0x29; BYTE $0x3b; BYTE $0x5e
+	BYTE $0x2d; BYTE $0x2f; BYTE $0xc2; BYTE $0xc4
+	BYTE $0xc0; BYTE $0xc1; BYTE $0xc3; BYTE $0xc5
+	BYTE $0xc7; BYTE $0xd1; BYTE $0xa6; BYTE $0x2c
+	BYTE $0x25; BYTE $0x5f; BYTE $0x3e; BYTE $0x3f
+	BYTE $0xf8; BYTE $0xc9; BYTE $0xca; BYTE $0xcb
+	BYTE $0xc8; BYTE $0xcd; BYTE $0xce; BYTE $0xcf
+	BYTE $0xcc; BYTE $0x60; BYTE $0x3a; BYTE $0x23
+	BYTE $0x40; BYTE $0x27; BYTE $0x3d; BYTE $0x22
+	BYTE $0xd8; BYTE $0x61; BYTE $0x62; BYTE $0x63
+	BYTE $0x64; BYTE $0x65; BYTE $0x66; BYTE $0x67
+	BYTE $0x68; BYTE $0x69; BYTE $0xab; BYTE $0xbb
+	BYTE $0xf0; BYTE $0xfd; BYTE $0xfe; BYTE $0xb1
+	BYTE $0xb0; BYTE $0x6a; BYTE $0x6b; BYTE $0x6c
+	BYTE $0x6d; BYTE $0x6e; BYTE $0x6f; BYTE $0x70
+	BYTE $0x71; BYTE $0x72; BYTE $0xaa; BYTE $0xba
+	BYTE $0xe6; BYTE $0xb8; BYTE $0xc6; BYTE $0xa4
+	BYTE $0xb5; BYTE $0x7e; BYTE $0x73; BYTE $0x74
+	BYTE $0x75; BYTE $0x76; BYTE $0x77; BYTE $0x78
+	BYTE $0x79; BYTE $0x7a; BYTE $0xa1; BYTE $0xbf
+	BYTE $0xd0; BYTE $0x5b; BYTE $0xde; BYTE $0xae
+	BYTE $0xac; BYTE $0xa3; BYTE $0xa5; BYTE $0xb7
+	BYTE $0xa9; BYTE $0xa7; BYTE $0xb6; BYTE $0xbc
+	BYTE $0xbd; BYTE $0xbe; BYTE $0xdd; BYTE $0xa8
+	BYTE $0xaf; BYTE $0x5d; BYTE $0xb4; BYTE $0xd7
+	BYTE $0x7b; BYTE $0x41; BYTE $0x42; BYTE $0x43
+	BYTE $0x44; BYTE $0x45; BYTE $0x46; BYTE $0x47
+	BYTE $0x48; BYTE $0x49; BYTE $0xad; BYTE $0xf4
+	BYTE $0xf6; BYTE $0xf2; BYTE $0xf3; BYTE $0xf5
+	BYTE $0x7d; BYTE $0x4a; BYTE $0x4b; BYTE $0x4c
+	BYTE $0x4d; BYTE $0x4e; BYTE $0x4f; BYTE $0x50
+	BYTE $0x51; BYTE $0x52; BYTE $0xb9; BYTE $0xfb
+	BYTE $0xfc; BYTE $0xf9; BYTE $0xfa; BYTE $0xff
+	BYTE $0x5c; BYTE $0xf7; BYTE $0x53; BYTE $0x54
+	BYTE $0x55; BYTE $0x56; BYTE $0x57; BYTE $0x58
+	BYTE $0x59; BYTE $0x5a; BYTE $0xb2; BYTE $0xd4
+	BYTE $0xd6; BYTE $0xd2; BYTE $0xd3; BYTE $0xd5
+	BYTE $0x30; BYTE $0x31; BYTE $0x32; BYTE $0x33
+	BYTE $0x34; BYTE $0x35; BYTE $0x36; BYTE $0x37
+	BYTE $0x38; BYTE $0x39; BYTE $0xb3; BYTE $0xdb
+	BYTE $0xdc; BYTE $0xd9; BYTE $0xda; BYTE $0x9f
+
+retry:
+	WORD $0xB9931022 // TROO 2,2,b'0001'
+	BVS  retry
+	RET

vendor/golang.org/x/sys/unix/epoll_zos.go

@@ -1,220 +0,0 @@
-// Copyright 2020 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build zos && s390x
-
-package unix
-
-import (
-	"sync"
-)
-
-// This file simulates epoll on z/OS using poll.
-
-// Analogous to epoll_event on Linux.
-// TODO(neeilan): Pad is because the Linux kernel expects a 96-bit struct. We never pass this to the kernel; remove?
-type EpollEvent struct {
-	Events uint32
-	Fd     int32
-	Pad    int32
-}
-
-const (
-	EPOLLERR      = 0x8
-	EPOLLHUP      = 0x10
-	EPOLLIN       = 0x1
-	EPOLLMSG      = 0x400
-	EPOLLOUT      = 0x4
-	EPOLLPRI      = 0x2
-	EPOLLRDBAND   = 0x80
-	EPOLLRDNORM   = 0x40
-	EPOLLWRBAND   = 0x200
-	EPOLLWRNORM   = 0x100
-	EPOLL_CTL_ADD = 0x1
-	EPOLL_CTL_DEL = 0x2
-	EPOLL_CTL_MOD = 0x3
-	// The following constants are part of the epoll API, but represent
-	// currently unsupported functionality on z/OS.
-	// EPOLL_CLOEXEC  = 0x80000
-	// EPOLLET        = 0x80000000
-	// EPOLLONESHOT   = 0x40000000
-	// EPOLLRDHUP     = 0x2000     // Typically used with edge-triggered notis
-	// EPOLLEXCLUSIVE = 0x10000000 // Exclusive wake-up mode
-	// EPOLLWAKEUP    = 0x20000000 // Relies on Linux's BLOCK_SUSPEND capability
-)
-
-// TODO(neeilan): We can eliminate these epToPoll / pToEpoll calls by using identical mask values for POLL/EPOLL
-// constants where possible The lower 16 bits of epoll events (uint32) can fit any system poll event (int16).
-
-// epToPollEvt converts epoll event field to poll equivalent.
-// In epoll, Events is a 32-bit field, while poll uses 16 bits.
-func epToPollEvt(events uint32) int16 {
-	var ep2p = map[uint32]int16{
-		EPOLLIN:  POLLIN,
-		EPOLLOUT: POLLOUT,
-		EPOLLHUP: POLLHUP,
-		EPOLLPRI: POLLPRI,
-		EPOLLERR: POLLERR,
-	}
-
-	var pollEvts int16 = 0
-	for epEvt, pEvt := range ep2p {
-		if (events & epEvt) != 0 {
-			pollEvts |= pEvt
-		}
-	}
-
-	return pollEvts
-}
-
-// pToEpollEvt converts 16 bit poll event bitfields to 32-bit epoll event fields.
-func pToEpollEvt(revents int16) uint32 {
-	var p2ep = map[int16]uint32{
-		POLLIN:  EPOLLIN,
-		POLLOUT: EPOLLOUT,
-		POLLHUP: EPOLLHUP,
-		POLLPRI: EPOLLPRI,
-		POLLERR: EPOLLERR,
-	}
-
-	var epollEvts uint32 = 0
-	for pEvt, epEvt := range p2ep {
-		if (revents & pEvt) != 0 {
-			epollEvts |= epEvt
-		}
-	}
-
-	return epollEvts
-}
-
-// Per-process epoll implementation.
-type epollImpl struct {
-	mu       sync.Mutex
-	epfd2ep  map[int]*eventPoll
-	nextEpfd int
-}
-
-// eventPoll holds a set of file descriptors being watched by the process. A process can have multiple epoll instances.
-// On Linux, this is an in-kernel data structure accessed through a fd.
-type eventPoll struct {
-	mu  sync.Mutex
-	fds map[int]*EpollEvent
-}
-
-// epoll impl for this process.
-var impl epollImpl = epollImpl{
-	epfd2ep:  make(map[int]*eventPoll),
-	nextEpfd: 0,
-}
-
-func (e *epollImpl) epollcreate(size int) (epfd int, err error) {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-	epfd = e.nextEpfd
-	e.nextEpfd++
-
-	e.epfd2ep[epfd] = &eventPoll{
-		fds: make(map[int]*EpollEvent),
-	}
-	return epfd, nil
-}
-
-func (e *epollImpl) epollcreate1(flag int) (fd int, err error) {
-	return e.epollcreate(4)
-}
-
-func (e *epollImpl) epollctl(epfd int, op int, fd int, event *EpollEvent) (err error) {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	ep, ok := e.epfd2ep[epfd]
-	if !ok {
-
-		return EBADF
-	}
-
-	switch op {
-	case EPOLL_CTL_ADD:
-		// TODO(neeilan): When we make epfds and fds disjoint, detect epoll
-		// loops here (instances watching each other) and return ELOOP.
-		if _, ok := ep.fds[fd]; ok {
-			return EEXIST
-		}
-		ep.fds[fd] = event
-	case EPOLL_CTL_MOD:
-		if _, ok := ep.fds[fd]; !ok {
-			return ENOENT
-		}
-		ep.fds[fd] = event
-	case EPOLL_CTL_DEL:
-		if _, ok := ep.fds[fd]; !ok {
-			return ENOENT
-		}
-		delete(ep.fds, fd)
-
-	}
-	return nil
-}
-
-// Must be called while holding ep.mu
-func (ep *eventPoll) getFds() []int {
-	fds := make([]int, len(ep.fds))
-	for fd := range ep.fds {
-		fds = append(fds, fd)
-	}
-	return fds
-}
-
-func (e *epollImpl) epollwait(epfd int, events []EpollEvent, msec int) (n int, err error) {
-	e.mu.Lock() // in [rare] case of concurrent epollcreate + epollwait
-	ep, ok := e.epfd2ep[epfd]
-
-	if !ok {
-		e.mu.Unlock()
-		return 0, EBADF
-	}
-
-	pollfds := make([]PollFd, 4)
-	for fd, epollevt := range ep.fds {
-		pollfds = append(pollfds, PollFd{Fd: int32(fd), Events: epToPollEvt(epollevt.Events)})
-	}
-	e.mu.Unlock()
-
-	n, err = Poll(pollfds, msec)
-	if err != nil {
-		return n, err
-	}
-
-	i := 0
-	for _, pFd := range pollfds {
-		if pFd.Revents != 0 {
-			events[i] = EpollEvent{Fd: pFd.Fd, Events: pToEpollEvt(pFd.Revents)}
-			i++
-		}
-
-		if i == n {
-			break
-		}
-	}
-
-	return n, nil
-}
-
-func EpollCreate(size int) (fd int, err error) {
-	return impl.epollcreate(size)
-}
-
-func EpollCreate1(flag int) (fd int, err error) {
-	return impl.epollcreate1(flag)
-}
-
-func EpollCtl(epfd int, op int, fd int, event *EpollEvent) (err error) {
-	return impl.epollctl(epfd, op, fd, event)
-}
-
-// Because EpollWait mutates events, the caller is expected to coordinate
-// concurrent access if calling with the same epfd from multiple goroutines.
-func EpollWait(epfd int, events []EpollEvent, msec int) (n int, err error) {
-	return impl.epollwait(epfd, events, msec)
-}

vendor/golang.org/x/sys/unix/fstatfs_zos.go

@@ -1,163 +0,0 @@
-// Copyright 2020 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build zos && s390x
-
-package unix
-
-import (
-	"unsafe"
-)
-
-// This file simulates fstatfs on z/OS using fstatvfs and w_getmntent.
-
-func Fstatfs(fd int, stat *Statfs_t) (err error) {
-	var stat_v Statvfs_t
-	err = Fstatvfs(fd, &stat_v)
-	if err == nil {
-		// populate stat
-		stat.Type = 0
-		stat.Bsize = stat_v.Bsize
-		stat.Blocks = stat_v.Blocks
-		stat.Bfree = stat_v.Bfree
-		stat.Bavail = stat_v.Bavail
-		stat.Files = stat_v.Files
-		stat.Ffree = stat_v.Ffree
-		stat.Fsid = stat_v.Fsid
-		stat.Namelen = stat_v.Namemax
-		stat.Frsize = stat_v.Frsize
-		stat.Flags = stat_v.Flag
-		for passn := 0; passn < 5; passn++ {
-			switch passn {
-			case 0:
-				err = tryGetmntent64(stat)
-				break
-			case 1:
-				err = tryGetmntent128(stat)
-				break
-			case 2:
-				err = tryGetmntent256(stat)
-				break
-			case 3:
-				err = tryGetmntent512(stat)
-				break
-			case 4:
-				err = tryGetmntent1024(stat)
-				break
-			default:
-				break
-			}
-			//proceed to return if: err is nil (found), err is nonnil but not ERANGE (another error occurred)
-			if err == nil || err != nil && err != ERANGE {
-				break
-			}
-		}
-	}
-	return err
-}
-
-func tryGetmntent64(stat *Statfs_t) (err error) {
-	var mnt_ent_buffer struct {
-		header       W_Mnth
-		filesys_info [64]W_Mntent
-	}
-	var buffer_size int = int(unsafe.Sizeof(mnt_ent_buffer))
-	fs_count, err := W_Getmntent((*byte)(unsafe.Pointer(&mnt_ent_buffer)), buffer_size)
-	if err != nil {
-		return err
-	}
-	err = ERANGE //return ERANGE if no match is found in this batch
-	for i := 0; i < fs_count; i++ {
-		if stat.Fsid == uint64(mnt_ent_buffer.filesys_info[i].Dev) {
-			stat.Type = uint32(mnt_ent_buffer.filesys_info[i].Fstname[0])
-			err = nil
-			break
-		}
-	}
-	return err
-}
-
-func tryGetmntent128(stat *Statfs_t) (err error) {
-	var mnt_ent_buffer struct {
-		header       W_Mnth
-		filesys_info [128]W_Mntent
-	}
-	var buffer_size int = int(unsafe.Sizeof(mnt_ent_buffer))
-	fs_count, err := W_Getmntent((*byte)(unsafe.Pointer(&mnt_ent_buffer)), buffer_size)
-	if err != nil {
-		return err
-	}
-	err = ERANGE //return ERANGE if no match is found in this batch
-	for i := 0; i < fs_count; i++ {
-		if stat.Fsid == uint64(mnt_ent_buffer.filesys_info[i].Dev) {
-			stat.Type = uint32(mnt_ent_buffer.filesys_info[i].Fstname[0])
-			err = nil
-			break
-		}
-	}
-	return err
-}
-
-func tryGetmntent256(stat *Statfs_t) (err error) {
-	var mnt_ent_buffer struct {
-		header       W_Mnth
-		filesys_info [256]W_Mntent
-	}
-	var buffer_size int = int(unsafe.Sizeof(mnt_ent_buffer))
-	fs_count, err := W_Getmntent((*byte)(unsafe.Pointer(&mnt_ent_buffer)), buffer_size)
-	if err != nil {
-		return err
-	}
-	err = ERANGE //return ERANGE if no match is found in this batch
-	for i := 0; i < fs_count; i++ {
-		if stat.Fsid == uint64(mnt_ent_buffer.filesys_info[i].Dev) {
-			stat.Type = uint32(mnt_ent_buffer.filesys_info[i].Fstname[0])
-			err = nil
-			break
-		}
-	}
-	return err
-}
-
-func tryGetmntent512(stat *Statfs_t) (err error) {
-	var mnt_ent_buffer struct {
-		header       W_Mnth
-		filesys_info [512]W_Mntent
-	}
-	var buffer_size int = int(unsafe.Sizeof(mnt_ent_buffer))
-	fs_count, err := W_Getmntent((*byte)(unsafe.Pointer(&mnt_ent_buffer)), buffer_size)
-	if err != nil {
-		return err
-	}
-	err = ERANGE //return ERANGE if no match is found in this batch
-	for i := 0; i < fs_count; i++ {
-		if stat.Fsid == uint64(mnt_ent_buffer.filesys_info[i].Dev) {
-			stat.Type = uint32(mnt_ent_buffer.filesys_info[i].Fstname[0])
-			err = nil
-			break
-		}
-	}
-	return err
-}
-
-func tryGetmntent1024(stat *Statfs_t) (err error) {
-	var mnt_ent_buffer struct {
-		header       W_Mnth
-		filesys_info [1024]W_Mntent
-	}
-	var buffer_size int = int(unsafe.Sizeof(mnt_ent_buffer))
-	fs_count, err := W_Getmntent((*byte)(unsafe.Pointer(&mnt_ent_buffer)), buffer_size)
-	if err != nil {
-		return err
-	}
-	err = ERANGE //return ERANGE if no match is found in this batch
-	for i := 0; i < fs_count; i++ {
-		if stat.Fsid == uint64(mnt_ent_buffer.filesys_info[i].Dev) {
-			stat.Type = uint32(mnt_ent_buffer.filesys_info[i].Fstname[0])
-			err = nil
-			break
-		}
-	}
-	return err
-}

vendor/golang.org/x/sys/unix/ioctl_linux.go

@@ -58,6 +58,102 @@ func IoctlGetEthtoolDrvinfo(fd int, ifname string) (*EthtoolDrvinfo, error) {
 	return &value, err
 }
 
+// IoctlGetEthtoolTsInfo fetches ethtool timestamping and PHC
+// association for the network device specified by ifname.
+func IoctlGetEthtoolTsInfo(fd int, ifname string) (*EthtoolTsInfo, error) {
+	ifr, err := NewIfreq(ifname)
+	if err != nil {
+		return nil, err
+	}
+
+	value := EthtoolTsInfo{Cmd: ETHTOOL_GET_TS_INFO}
+	ifrd := ifr.withData(unsafe.Pointer(&value))
+
+	err = ioctlIfreqData(fd, SIOCETHTOOL, &ifrd)
+	return &value, err
+}
+
+// IoctlGetHwTstamp retrieves the hardware timestamping configuration
+// for the network device specified by ifname.
+func IoctlGetHwTstamp(fd int, ifname string) (*HwTstampConfig, error) {
+	ifr, err := NewIfreq(ifname)
+	if err != nil {
+		return nil, err
+	}
+
+	value := HwTstampConfig{}
+	ifrd := ifr.withData(unsafe.Pointer(&value))
+
+	err = ioctlIfreqData(fd, SIOCGHWTSTAMP, &ifrd)
+	return &value, err
+}
+
+// IoctlSetHwTstamp updates the hardware timestamping configuration for
+// the network device specified by ifname.
+func IoctlSetHwTstamp(fd int, ifname string, cfg *HwTstampConfig) error {
+	ifr, err := NewIfreq(ifname)
+	if err != nil {
+		return err
+	}
+	ifrd := ifr.withData(unsafe.Pointer(cfg))
+	return ioctlIfreqData(fd, SIOCSHWTSTAMP, &ifrd)
+}
+
+// FdToClockID derives the clock ID from the file descriptor number
+// - see clock_gettime(3), FD_TO_CLOCKID macros. The resulting ID is
+// suitable for system calls like ClockGettime.
+func FdToClockID(fd int) int32 { return int32((int(^fd) << 3) | 3) }
+
+// IoctlPtpClockGetcaps returns the description of a given PTP device.
+func IoctlPtpClockGetcaps(fd int) (*PtpClockCaps, error) {
+	var value PtpClockCaps
+	err := ioctlPtr(fd, PTP_CLOCK_GETCAPS2, unsafe.Pointer(&value))
+	return &value, err
+}
+
+// IoctlPtpSysOffsetPrecise returns a description of the clock
+// offset compared to the system clock.
+func IoctlPtpSysOffsetPrecise(fd int) (*PtpSysOffsetPrecise, error) {
+	var value PtpSysOffsetPrecise
+	err := ioctlPtr(fd, PTP_SYS_OFFSET_PRECISE2, unsafe.Pointer(&value))
+	return &value, err
+}
+
+// IoctlPtpSysOffsetExtended returns an extended description of the
+// clock offset compared to the system clock. The samples parameter
+// specifies the desired number of measurements.
+func IoctlPtpSysOffsetExtended(fd int, samples uint) (*PtpSysOffsetExtended, error) {
+	value := PtpSysOffsetExtended{Samples: uint32(samples)}
+	err := ioctlPtr(fd, PTP_SYS_OFFSET_EXTENDED2, unsafe.Pointer(&value))
+	return &value, err
+}
+
+// IoctlPtpPinGetfunc returns the configuration of the specified
+// I/O pin on given PTP device.
+func IoctlPtpPinGetfunc(fd int, index uint) (*PtpPinDesc, error) {
+	value := PtpPinDesc{Index: uint32(index)}
+	err := ioctlPtr(fd, PTP_PIN_GETFUNC2, unsafe.Pointer(&value))
+	return &value, err
+}
+
+// IoctlPtpPinSetfunc updates configuration of the specified PTP
+// I/O pin.
+func IoctlPtpPinSetfunc(fd int, pd *PtpPinDesc) error {
+	return ioctlPtr(fd, PTP_PIN_SETFUNC2, unsafe.Pointer(pd))
+}
+
+// IoctlPtpPeroutRequest configures the periodic output mode of the
+// PTP I/O pins.
+func IoctlPtpPeroutRequest(fd int, r *PtpPeroutRequest) error {
+	return ioctlPtr(fd, PTP_PEROUT_REQUEST2, unsafe.Pointer(r))
+}
+
+// IoctlPtpExttsRequest configures the external timestamping mode
+// of the PTP I/O pins.
+func IoctlPtpExttsRequest(fd int, r *PtpExttsRequest) error {
+	return ioctlPtr(fd, PTP_EXTTS_REQUEST2, unsafe.Pointer(r))
+}
+
 // IoctlGetWatchdogInfo fetches information about a watchdog device from the
 // Linux watchdog API. For more information, see:
 // https://www.kernel.org/doc/html/latest/watchdog/watchdog-api.html.

vendor/golang.org/x/sys/unix/mkerrors.sh

@@ -58,6 +58,7 @@ includes_Darwin='
 #define _DARWIN_USE_64_BIT_INODE
 #define __APPLE_USE_RFC_3542
 #include <stdint.h>
+#include <sys/stdio.h>
 #include <sys/attr.h>
 #include <sys/clonefile.h>
 #include <sys/kern_control.h>
@@ -157,6 +158,16 @@ includes_Linux='
 #endif
 #define _GNU_SOURCE
 
+// See the description in unix/linux/types.go
+#if defined(__ARM_EABI__) || \
+	(defined(__mips__) && (_MIPS_SIM == _ABIO32)) || \
+	(defined(__powerpc__) && (!defined(__powerpc64__)))
+# ifdef   _TIME_BITS
+#  undef  _TIME_BITS
+# endif
+# define  _TIME_BITS 32
+#endif
+
 // <sys/ioctl.h> is broken on powerpc64, as it fails to include definitions of
 // these structures. We just include them copied from <bits/termios.h>.
 #if defined(__powerpc__)
@@ -255,6 +266,7 @@ struct ltchars {
 #include <linux/nsfs.h>
 #include <linux/perf_event.h>
 #include <linux/pps.h>
+#include <linux/ptp_clock.h>
 #include <linux/ptrace.h>
 #include <linux/random.h>
 #include <linux/reboot.h>
@@ -263,6 +275,7 @@ struct ltchars {
 #include <linux/sched.h>
 #include <linux/seccomp.h>
 #include <linux/serial.h>
+#include <linux/sock_diag.h>
 #include <linux/sockios.h>
 #include <linux/taskstats.h>
 #include <linux/tipc.h>
@@ -525,6 +538,7 @@ ccflags="$@"
 		$2 ~ /^(AF|SOCK|SO|SOL|IPPROTO|IP|IPV6|TCP|MCAST|EVFILT|NOTE|SHUT|PROT|MAP|MREMAP|MFD|T?PACKET|MSG|SCM|MCL|DT|MADV|PR|LOCAL|TCPOPT|UDP)_/ ||
 		$2 ~ /^NFC_(GENL|PROTO|COMM|RF|SE|DIRECTION|LLCP|SOCKPROTO)_/ ||
 		$2 ~ /^NFC_.*_(MAX)?SIZE$/ ||
+		$2 ~ /^PTP_/ ||
 		$2 ~ /^RAW_PAYLOAD_/ ||
 		$2 ~ /^[US]F_/ ||
 		$2 ~ /^TP_STATUS_/ ||
@@ -549,6 +563,8 @@ ccflags="$@"
 		$2 !~ "NLA_TYPE_MASK" &&
 		$2 !~ /^RTC_VL_(ACCURACY|BACKUP|DATA)/ &&
 		$2 ~ /^(NETLINK|NLM|NLMSG|NLA|IFA|IFAN|RT|RTC|RTCF|RTN|RTPROT|RTNH|ARPHRD|ETH_P|NETNSA)_/ ||
+		$2 ~ /^SOCK_|SK_DIAG_|SKNLGRP_$/ ||
+		$2 ~ /^(CONNECT|SAE)_/ ||
 		$2 ~ /^FIORDCHK$/ ||
 		$2 ~ /^SIOC/ ||
 		$2 ~ /^TIOC/ ||
@@ -652,7 +668,7 @@ errors=$(
 signals=$(
 	echo '#include <signal.h>' | $CC -x c - -E -dM $ccflags |
 	awk '$1=="#define" && $2 ~ /^SIG[A-Z0-9]+$/ { print $2 }' |
-	grep -v 'SIGSTKSIZE\|SIGSTKSZ\|SIGRT\|SIGMAX64' |
+	grep -E -v '(SIGSTKSIZE|SIGSTKSZ|SIGRT|SIGMAX64)' |
 	sort
 )
 
@@ -662,7 +678,7 @@ echo '#include <errno.h>' | $CC -x c - -E -dM $ccflags |
 	sort >_error.grep
 echo '#include <signal.h>' | $CC -x c - -E -dM $ccflags |
 	awk '$1=="#define" && $2 ~ /^SIG[A-Z0-9]+$/ { print "^\t" $2 "[ \t]*=" }' |
-	grep -v 'SIGSTKSIZE\|SIGSTKSZ\|SIGRT\|SIGMAX64' |
+	grep -E -v '(SIGSTKSIZE|SIGSTKSZ|SIGRT|SIGMAX64)' |
 	sort >_signal.grep
 
 echo '// mkerrors.sh' "$@"

vendor/golang.org/x/sys/unix/mmap_nomremap.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build aix || darwin || dragonfly || freebsd || openbsd || solaris
+//go:build aix || darwin || dragonfly || freebsd || openbsd || solaris || zos
 
 package unix
 

vendor/golang.org/x/sys/unix/mremap.go

@@ -50,3 +50,8 @@ func (m *mremapMmapper) Mremap(oldData []byte, newLength int, flags int) (data [
 func Mremap(oldData []byte, newLength int, flags int) (data []byte, err error) {
 	return mapper.Mremap(oldData, newLength, flags)
 }
+
+func MremapPtr(oldAddr unsafe.Pointer, oldSize uintptr, newAddr unsafe.Pointer, newSize uintptr, flags int) (ret unsafe.Pointer, err error) {
+	xaddr, err := mapper.mremap(uintptr(oldAddr), oldSize, newSize, flags, uintptr(newAddr))
+	return unsafe.Pointer(xaddr), err
+}

vendor/golang.org/x/sys/unix/pagesize_unix.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
+//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris || zos
 
 // For Unix, get the pagesize from the runtime.
 

vendor/golang.org/x/sys/unix/readdirent_getdirentries.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build darwin
+//go:build darwin || zos
 
 package unix
 

vendor/golang.org/x/sys/unix/sockcmsg_zos.go

@@ -0,0 +1,58 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Socket control messages
+
+package unix
+
+import "unsafe"
+
+// UnixCredentials encodes credentials into a socket control message
+// for sending to another process. This can be used for
+// authentication.
+func UnixCredentials(ucred *Ucred) []byte {
+	b := make([]byte, CmsgSpace(SizeofUcred))
+	h := (*Cmsghdr)(unsafe.Pointer(&b[0]))
+	h.Level = SOL_SOCKET
+	h.Type = SCM_CREDENTIALS
+	h.SetLen(CmsgLen(SizeofUcred))
+	*(*Ucred)(h.data(0)) = *ucred
+	return b
+}
+
+// ParseUnixCredentials decodes a socket control message that contains
+// credentials in a Ucred structure. To receive such a message, the
+// SO_PASSCRED option must be enabled on the socket.
+func ParseUnixCredentials(m *SocketControlMessage) (*Ucred, error) {
+	if m.Header.Level != SOL_SOCKET {
+		return nil, EINVAL
+	}
+	if m.Header.Type != SCM_CREDENTIALS {
+		return nil, EINVAL
+	}
+	ucred := *(*Ucred)(unsafe.Pointer(&m.Data[0]))
+	return &ucred, nil
+}
+
+// PktInfo4 encodes Inet4Pktinfo into a socket control message of type IP_PKTINFO.
+func PktInfo4(info *Inet4Pktinfo) []byte {
+	b := make([]byte, CmsgSpace(SizeofInet4Pktinfo))
+	h := (*Cmsghdr)(unsafe.Pointer(&b[0]))
+	h.Level = SOL_IP
+	h.Type = IP_PKTINFO
+	h.SetLen(CmsgLen(SizeofInet4Pktinfo))
+	*(*Inet4Pktinfo)(h.data(0)) = *info
+	return b
+}
+
+// PktInfo6 encodes Inet6Pktinfo into a socket control message of type IPV6_PKTINFO.
+func PktInfo6(info *Inet6Pktinfo) []byte {
+	b := make([]byte, CmsgSpace(SizeofInet6Pktinfo))
+	h := (*Cmsghdr)(unsafe.Pointer(&b[0]))
+	h.Level = SOL_IPV6
+	h.Type = IPV6_PKTINFO
+	h.SetLen(CmsgLen(SizeofInet6Pktinfo))
+	*(*Inet6Pktinfo)(h.data(0)) = *info
+	return b
+}

vendor/golang.org/x/sys/unix/symaddr_zos_s390x.s

@@ -0,0 +1,75 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build zos && s390x && gc
+
+#include "textflag.h"
+
+//  provide the address of function variable to be fixed up.
+
+TEXT ·getPipe2Addr(SB), NOSPLIT|NOFRAME, $0-8
+	MOVD $·Pipe2(SB), R8
+	MOVD R8, ret+0(FP)
+	RET
+
+TEXT ·get_FlockAddr(SB), NOSPLIT|NOFRAME, $0-8
+	MOVD $·Flock(SB), R8
+	MOVD R8, ret+0(FP)
+	RET
+
+TEXT ·get_GetxattrAddr(SB), NOSPLIT|NOFRAME, $0-8
+	MOVD $·Getxattr(SB), R8
+	MOVD R8, ret+0(FP)
+	RET
+
+TEXT ·get_NanosleepAddr(SB), NOSPLIT|NOFRAME, $0-8
+	MOVD $·Nanosleep(SB), R8
+	MOVD R8, ret+0(FP)
+	RET
+
+TEXT ·get_SetxattrAddr(SB), NOSPLIT|NOFRAME, $0-8
+	MOVD $·Setxattr(SB), R8
+	MOVD R8, ret+0(FP)
+	RET
+
+TEXT ·get_Wait4Addr(SB), NOSPLIT|NOFRAME, $0-8
+	MOVD $·Wait4(SB), R8
+	MOVD R8, ret+0(FP)
+	RET
+
+TEXT ·get_MountAddr(SB), NOSPLIT|NOFRAME, $0-8
+	MOVD $·Mount(SB), R8
+	MOVD R8, ret+0(FP)
+	RET
+
+TEXT ·get_UnmountAddr(SB), NOSPLIT|NOFRAME, $0-8
+	MOVD $·Unmount(SB), R8
+	MOVD R8, ret+0(FP)
+	RET
+
+TEXT ·get_UtimesNanoAtAddr(SB), NOSPLIT|NOFRAME, $0-8
+	MOVD $·UtimesNanoAt(SB), R8
+	MOVD R8, ret+0(FP)
+	RET
+
+TEXT ·get_UtimesNanoAddr(SB), NOSPLIT|NOFRAME, $0-8
+	MOVD $·UtimesNano(SB), R8
+	MOVD R8, ret+0(FP)
+	RET
+
+TEXT ·get_MkfifoatAddr(SB), NOSPLIT|NOFRAME, $0-8
+	MOVD $·Mkfifoat(SB), R8
+	MOVD R8, ret+0(FP)
+	RET
+
+TEXT ·get_ChtagAddr(SB), NOSPLIT|NOFRAME, $0-8
+	MOVD $·Chtag(SB), R8
+	MOVD R8, ret+0(FP)
+	RET
+
+TEXT ·get_ReadlinkatAddr(SB), NOSPLIT|NOFRAME, $0-8
+	MOVD $·Readlinkat(SB), R8
+	MOVD R8, ret+0(FP)
+	RET
+	

vendor/golang.org/x/sys/unix/syscall_aix.go

@@ -360,7 +360,7 @@ func Wait4(pid int, wstatus *WaitStatus, options int, rusage *Rusage) (wpid int,
 	var status _C_int
 	var r Pid_t
 	err = ERESTART
-	// AIX wait4 may return with ERESTART errno, while the processus is still
+	// AIX wait4 may return with ERESTART errno, while the process is still
 	// active.
 	for err == ERESTART {
 		r, err = wait4(Pid_t(pid), &status, options, rusage)

vendor/golang.org/x/sys/unix/syscall_darwin.go

@@ -402,6 +402,18 @@ func IoctlSetIfreqMTU(fd int, ifreq *IfreqMTU) error {
 	return ioctlPtr(fd, SIOCSIFMTU, unsafe.Pointer(ifreq))
 }
 
+//sys	renamexNp(from string, to string, flag uint32) (err error)
+
+func RenamexNp(from string, to string, flag uint32) (err error) {
+	return renamexNp(from, to, flag)
+}
+
+//sys	renameatxNp(fromfd int, from string, tofd int, to string, flag uint32) (err error)
+
+func RenameatxNp(fromfd int, from string, tofd int, to string, flag uint32) (err error) {
+	return renameatxNp(fromfd, from, tofd, to, flag)
+}
+
 //sys	sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) = SYS_SYSCTL
 
 func Uname(uname *Utsname) error {
@@ -542,6 +554,198 @@ func SysctlKinfoProcSlice(name string, args ...int) ([]KinfoProc, error) {
 	}
 }
 
+//sys	pthread_chdir_np(path string) (err error)
+
+func PthreadChdir(path string) (err error) {
+	return pthread_chdir_np(path)
+}
+
+//sys	pthread_fchdir_np(fd int) (err error)
+
+func PthreadFchdir(fd int) (err error) {
+	return pthread_fchdir_np(fd)
+}
+
+// Connectx calls connectx(2) to initiate a connection on a socket.
+//
+// srcIf, srcAddr, and dstAddr are filled into a [SaEndpoints] struct and passed as the endpoints argument.
+//
+//   - srcIf is the optional source interface index. 0 means unspecified.
+//   - srcAddr is the optional source address. nil means unspecified.
+//   - dstAddr is the destination address.
+//
+// On success, Connectx returns the number of bytes enqueued for transmission.
+func Connectx(fd int, srcIf uint32, srcAddr, dstAddr Sockaddr, associd SaeAssocID, flags uint32, iov []Iovec, connid *SaeConnID) (n uintptr, err error) {
+	endpoints := SaEndpoints{
+		Srcif: srcIf,
+	}
+
+	if srcAddr != nil {
+		addrp, addrlen, err := srcAddr.sockaddr()
+		if err != nil {
+			return 0, err
+		}
+		endpoints.Srcaddr = (*RawSockaddr)(addrp)
+		endpoints.Srcaddrlen = uint32(addrlen)
+	}
+
+	if dstAddr != nil {
+		addrp, addrlen, err := dstAddr.sockaddr()
+		if err != nil {
+			return 0, err
+		}
+		endpoints.Dstaddr = (*RawSockaddr)(addrp)
+		endpoints.Dstaddrlen = uint32(addrlen)
+	}
+
+	err = connectx(fd, &endpoints, associd, flags, iov, &n, connid)
+	return
+}
+
+// sys	connectx(fd int, endpoints *SaEndpoints, associd SaeAssocID, flags uint32, iov []Iovec, n *uintptr, connid *SaeConnID) (err error)
+const minIovec = 8
+
+func Readv(fd int, iovs [][]byte) (n int, err error) {
+	if !darwinKernelVersionMin(11, 0, 0) {
+		return 0, ENOSYS
+	}
+
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	n, err = readv(fd, iovecs)
+	readvRacedetect(iovecs, n, err)
+	return n, err
+}
+
+func Preadv(fd int, iovs [][]byte, offset int64) (n int, err error) {
+	if !darwinKernelVersionMin(11, 0, 0) {
+		return 0, ENOSYS
+	}
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	n, err = preadv(fd, iovecs, offset)
+	readvRacedetect(iovecs, n, err)
+	return n, err
+}
+
+func Writev(fd int, iovs [][]byte) (n int, err error) {
+	if !darwinKernelVersionMin(11, 0, 0) {
+		return 0, ENOSYS
+	}
+
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	if raceenabled {
+		raceReleaseMerge(unsafe.Pointer(&ioSync))
+	}
+	n, err = writev(fd, iovecs)
+	writevRacedetect(iovecs, n)
+	return n, err
+}
+
+func Pwritev(fd int, iovs [][]byte, offset int64) (n int, err error) {
+	if !darwinKernelVersionMin(11, 0, 0) {
+		return 0, ENOSYS
+	}
+
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	if raceenabled {
+		raceReleaseMerge(unsafe.Pointer(&ioSync))
+	}
+	n, err = pwritev(fd, iovecs, offset)
+	writevRacedetect(iovecs, n)
+	return n, err
+}
+
+func appendBytes(vecs []Iovec, bs [][]byte) []Iovec {
+	for _, b := range bs {
+		var v Iovec
+		v.SetLen(len(b))
+		if len(b) > 0 {
+			v.Base = &b[0]
+		} else {
+			v.Base = (*byte)(unsafe.Pointer(&_zero))
+		}
+		vecs = append(vecs, v)
+	}
+	return vecs
+}
+
+func writevRacedetect(iovecs []Iovec, n int) {
+	if !raceenabled {
+		return
+	}
+	for i := 0; n > 0 && i < len(iovecs); i++ {
+		m := int(iovecs[i].Len)
+		if m > n {
+			m = n
+		}
+		n -= m
+		if m > 0 {
+			raceReadRange(unsafe.Pointer(iovecs[i].Base), m)
+		}
+	}
+}
+
+func readvRacedetect(iovecs []Iovec, n int, err error) {
+	if !raceenabled {
+		return
+	}
+	for i := 0; n > 0 && i < len(iovecs); i++ {
+		m := int(iovecs[i].Len)
+		if m > n {
+			m = n
+		}
+		n -= m
+		if m > 0 {
+			raceWriteRange(unsafe.Pointer(iovecs[i].Base), m)
+		}
+	}
+	if err == nil {
+		raceAcquire(unsafe.Pointer(&ioSync))
+	}
+}
+
+func darwinMajorMinPatch() (maj, min, patch int, err error) {
+	var un Utsname
+	err = Uname(&un)
+	if err != nil {
+		return
+	}
+
+	var mmp [3]int
+	c := 0
+Loop:
+	for _, b := range un.Release[:] {
+		switch {
+		case b >= '0' && b <= '9':
+			mmp[c] = 10*mmp[c] + int(b-'0')
+		case b == '.':
+			c++
+			if c > 2 {
+				return 0, 0, 0, ENOTSUP
+			}
+		case b == 0:
+			break Loop
+		default:
+			return 0, 0, 0, ENOTSUP
+		}
+	}
+	if c != 2 {
+		return 0, 0, 0, ENOTSUP
+	}
+	return mmp[0], mmp[1], mmp[2], nil
+}
+
+func darwinKernelVersionMin(maj, min, patch int) bool {
+	actualMaj, actualMin, actualPatch, err := darwinMajorMinPatch()
+	if err != nil {
+		return false
+	}
+	return actualMaj > maj || actualMaj == maj && (actualMin > min || actualMin == min && actualPatch >= patch)
+}
+
 //sys	sendfile(infd int, outfd int, offset int64, len *int64, hdtr unsafe.Pointer, flags int) (err error)
 
 //sys	shmat(id int, addr uintptr, flag int) (ret uintptr, err error)
@@ -644,3 +848,7 @@ func SysctlKinfoProcSlice(name string, args ...int) ([]KinfoProc, error) {
 //sys	write(fd int, p []byte) (n int, err error)
 //sys	mmap(addr uintptr, length uintptr, prot int, flag int, fd int, pos int64) (ret uintptr, err error)
 //sys	munmap(addr uintptr, length uintptr) (err error)
+//sys	readv(fd int, iovecs []Iovec) (n int, err error)
+//sys	preadv(fd int, iovecs []Iovec, offset int64) (n int, err error)
+//sys	writev(fd int, iovecs []Iovec) (n int, err error)
+//sys	pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error)

vendor/golang.org/x/sys/unix/syscall_darwin_libSystem.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build darwin && go1.12
+//go:build darwin
 
 package unix
 

vendor/golang.org/x/sys/unix/syscall_dragonfly.go

@@ -246,6 +246,18 @@ func Sendfile(outfd int, infd int, offset *int64, count int) (written int, err e
 	return sendfile(outfd, infd, offset, count)
 }
 
+func Dup3(oldfd, newfd, flags int) error {
+	if oldfd == newfd || flags&^O_CLOEXEC != 0 {
+		return EINVAL
+	}
+	how := F_DUP2FD
+	if flags&O_CLOEXEC != 0 {
+		how = F_DUP2FD_CLOEXEC
+	}
+	_, err := fcntl(oldfd, how, newfd)
+	return err
+}
+
 /*
  * Exposed directly
  */

vendor/golang.org/x/sys/unix/syscall_freebsd.go

@@ -13,6 +13,7 @@
 package unix
 
 import (
+	"errors"
 	"sync"
 	"unsafe"
 )
@@ -169,25 +170,26 @@ func Getfsstat(buf []Statfs_t, flags int) (n int, err error) {
 func Uname(uname *Utsname) error {
 	mib := []_C_int{CTL_KERN, KERN_OSTYPE}
 	n := unsafe.Sizeof(uname.Sysname)
-	if err := sysctl(mib, &uname.Sysname[0], &n, nil, 0); err != nil {
+	// Suppress ENOMEM errors to be compatible with the C library __xuname() implementation.
+	if err := sysctl(mib, &uname.Sysname[0], &n, nil, 0); err != nil && !errors.Is(err, ENOMEM) {
 		return err
 	}
 
 	mib = []_C_int{CTL_KERN, KERN_HOSTNAME}
 	n = unsafe.Sizeof(uname.Nodename)
-	if err := sysctl(mib, &uname.Nodename[0], &n, nil, 0); err != nil {
+	if err := sysctl(mib, &uname.Nodename[0], &n, nil, 0); err != nil && !errors.Is(err, ENOMEM) {
 		return err
 	}
 
 	mib = []_C_int{CTL_KERN, KERN_OSRELEASE}
 	n = unsafe.Sizeof(uname.Release)
-	if err := sysctl(mib, &uname.Release[0], &n, nil, 0); err != nil {
+	if err := sysctl(mib, &uname.Release[0], &n, nil, 0); err != nil && !errors.Is(err, ENOMEM) {
 		return err
 	}
 
 	mib = []_C_int{CTL_KERN, KERN_VERSION}
 	n = unsafe.Sizeof(uname.Version)
-	if err := sysctl(mib, &uname.Version[0], &n, nil, 0); err != nil {
+	if err := sysctl(mib, &uname.Version[0], &n, nil, 0); err != nil && !errors.Is(err, ENOMEM) {
 		return err
 	}
 
@@ -205,7 +207,7 @@ func Uname(uname *Utsname) error {
 
 	mib = []_C_int{CTL_HW, HW_MACHINE}
 	n = unsafe.Sizeof(uname.Machine)
-	if err := sysctl(mib, &uname.Machine[0], &n, nil, 0); err != nil {
+	if err := sysctl(mib, &uname.Machine[0], &n, nil, 0); err != nil && !errors.Is(err, ENOMEM) {
 		return err
 	}
 

vendor/golang.org/x/sys/unix/syscall_hurd.go

@@ -11,6 +11,7 @@ package unix
 int ioctl(int, unsigned long int, uintptr_t);
 */
 import "C"
+import "unsafe"
 
 func ioctl(fd int, req uint, arg uintptr) (err error) {
 	r0, er := C.ioctl(C.int(fd), C.ulong(req), C.uintptr_t(arg))

vendor/golang.org/x/sys/unix/syscall_linux.go

@@ -13,6 +13,7 @@ package unix
 
 import (
 	"encoding/binary"
+	"slices"
 	"strconv"
 	"syscall"
 	"time"
@@ -417,7 +418,7 @@ func (sa *SockaddrUnix) sockaddr() (unsafe.Pointer, _Socklen, error) {
 		return nil, 0, EINVAL
 	}
 	sa.raw.Family = AF_UNIX
-	for i := 0; i < n; i++ {
+	for i := range n {
 		sa.raw.Path[i] = int8(name[i])
 	}
 	// length is family (uint16), name, NUL.
@@ -507,7 +508,7 @@ func (sa *SockaddrL2) sockaddr() (unsafe.Pointer, _Socklen, error) {
 	psm := (*[2]byte)(unsafe.Pointer(&sa.raw.Psm))
 	psm[0] = byte(sa.PSM)
 	psm[1] = byte(sa.PSM >> 8)
-	for i := 0; i < len(sa.Addr); i++ {
+	for i := range len(sa.Addr) {
 		sa.raw.Bdaddr[i] = sa.Addr[len(sa.Addr)-1-i]
 	}
 	cid := (*[2]byte)(unsafe.Pointer(&sa.raw.Cid))
@@ -589,11 +590,11 @@ func (sa *SockaddrCAN) sockaddr() (unsafe.Pointer, _Socklen, error) {
 	sa.raw.Family = AF_CAN
 	sa.raw.Ifindex = int32(sa.Ifindex)
 	rx := (*[4]byte)(unsafe.Pointer(&sa.RxID))
-	for i := 0; i < 4; i++ {
+	for i := range 4 {
 		sa.raw.Addr[i] = rx[i]
 	}
 	tx := (*[4]byte)(unsafe.Pointer(&sa.TxID))
-	for i := 0; i < 4; i++ {
+	for i := range 4 {
 		sa.raw.Addr[i+4] = tx[i]
 	}
 	return unsafe.Pointer(&sa.raw), SizeofSockaddrCAN, nil
@@ -618,11 +619,11 @@ func (sa *SockaddrCANJ1939) sockaddr() (unsafe.Pointer, _Socklen, error) {
 	sa.raw.Family = AF_CAN
 	sa.raw.Ifindex = int32(sa.Ifindex)
 	n := (*[8]byte)(unsafe.Pointer(&sa.Name))
-	for i := 0; i < 8; i++ {
+	for i := range 8 {
 		sa.raw.Addr[i] = n[i]
 	}
 	p := (*[4]byte)(unsafe.Pointer(&sa.PGN))
-	for i := 0; i < 4; i++ {
+	for i := range 4 {
 		sa.raw.Addr[i+8] = p[i]
 	}
 	sa.raw.Addr[12] = sa.Addr
@@ -911,7 +912,7 @@ func (sa *SockaddrIUCV) sockaddr() (unsafe.Pointer, _Socklen, error) {
 	// These are EBCDIC encoded by the kernel, but we still need to pad them
 	// with blanks. Initializing with blanks allows the caller to feed in either
 	// a padded or an unpadded string.
-	for i := 0; i < 8; i++ {
+	for i := range 8 {
 		sa.raw.Nodeid[i] = ' '
 		sa.raw.User_id[i] = ' '
 		sa.raw.Name[i] = ' '
@@ -1148,7 +1149,7 @@ func anyToSockaddr(fd int, rsa *RawSockaddrAny) (Sockaddr, error) {
 		var user [8]byte
 		var name [8]byte
 
-		for i := 0; i < 8; i++ {
+		for i := range 8 {
 			user[i] = byte(pp.User_id[i])
 			name[i] = byte(pp.Name[i])
 		}
@@ -1173,11 +1174,11 @@ func anyToSockaddr(fd int, rsa *RawSockaddrAny) (Sockaddr, error) {
 				Ifindex: int(pp.Ifindex),
 			}
 			name := (*[8]byte)(unsafe.Pointer(&sa.Name))
-			for i := 0; i < 8; i++ {
+			for i := range 8 {
 				name[i] = pp.Addr[i]
 			}
 			pgn := (*[4]byte)(unsafe.Pointer(&sa.PGN))
-			for i := 0; i < 4; i++ {
+			for i := range 4 {
 				pgn[i] = pp.Addr[i+8]
 			}
 			addr := (*[1]byte)(unsafe.Pointer(&sa.Addr))
@@ -1188,11 +1189,11 @@ func anyToSockaddr(fd int, rsa *RawSockaddrAny) (Sockaddr, error) {
 				Ifindex: int(pp.Ifindex),
 			}
 			rx := (*[4]byte)(unsafe.Pointer(&sa.RxID))
-			for i := 0; i < 4; i++ {
+			for i := range 4 {
 				rx[i] = pp.Addr[i]
 			}
 			tx := (*[4]byte)(unsafe.Pointer(&sa.TxID))
-			for i := 0; i < 4; i++ {
+			for i := range 4 {
 				tx[i] = pp.Addr[i+4]
 			}
 			return sa, nil
@@ -1295,6 +1296,48 @@ func GetsockoptTCPInfo(fd, level, opt int) (*TCPInfo, error) {
 	return &value, err
 }
 
+// GetsockoptTCPCCVegasInfo returns algorithm specific congestion control information for a socket using the "vegas"
+// algorithm.
+//
+// The socket's congestion control algorighm can be retrieved via [GetsockoptString] with the [TCP_CONGESTION] option:
+//
+//	algo, err := unix.GetsockoptString(fd, unix.IPPROTO_TCP, unix.TCP_CONGESTION)
+func GetsockoptTCPCCVegasInfo(fd, level, opt int) (*TCPVegasInfo, error) {
+	var value [SizeofTCPCCInfo / 4]uint32 // ensure proper alignment
+	vallen := _Socklen(SizeofTCPCCInfo)
+	err := getsockopt(fd, level, opt, unsafe.Pointer(&value[0]), &vallen)
+	out := (*TCPVegasInfo)(unsafe.Pointer(&value[0]))
+	return out, err
+}
+
+// GetsockoptTCPCCDCTCPInfo returns algorithm specific congestion control information for a socket using the "dctp"
+// algorithm.
+//
+// The socket's congestion control algorighm can be retrieved via [GetsockoptString] with the [TCP_CONGESTION] option:
+//
+//	algo, err := unix.GetsockoptString(fd, unix.IPPROTO_TCP, unix.TCP_CONGESTION)
+func GetsockoptTCPCCDCTCPInfo(fd, level, opt int) (*TCPDCTCPInfo, error) {
+	var value [SizeofTCPCCInfo / 4]uint32 // ensure proper alignment
+	vallen := _Socklen(SizeofTCPCCInfo)
+	err := getsockopt(fd, level, opt, unsafe.Pointer(&value[0]), &vallen)
+	out := (*TCPDCTCPInfo)(unsafe.Pointer(&value[0]))
+	return out, err
+}
+
+// GetsockoptTCPCCBBRInfo returns algorithm specific congestion control information for a socket using the "bbr"
+// algorithm.
+//
+// The socket's congestion control algorighm can be retrieved via [GetsockoptString] with the [TCP_CONGESTION] option:
+//
+//	algo, err := unix.GetsockoptString(fd, unix.IPPROTO_TCP, unix.TCP_CONGESTION)
+func GetsockoptTCPCCBBRInfo(fd, level, opt int) (*TCPBBRInfo, error) {
+	var value [SizeofTCPCCInfo / 4]uint32 // ensure proper alignment
+	vallen := _Socklen(SizeofTCPCCInfo)
+	err := getsockopt(fd, level, opt, unsafe.Pointer(&value[0]), &vallen)
+	out := (*TCPBBRInfo)(unsafe.Pointer(&value[0]))
+	return out, err
+}
+
 // GetsockoptString returns the string value of the socket option opt for the
 // socket associated with fd at the given socket level.
 func GetsockoptString(fd, level, opt int) (string, error) {
@@ -1818,6 +1861,7 @@ func Sendfile(outfd int, infd int, offset *int64, count int) (written int, err e
 //sys	ClockAdjtime(clockid int32, buf *Timex) (state int, err error)
 //sys	ClockGetres(clockid int32, res *Timespec) (err error)
 //sys	ClockGettime(clockid int32, time *Timespec) (err error)
+//sys	ClockSettime(clockid int32, time *Timespec) (err error)
 //sys	ClockNanosleep(clockid int32, flags int, request *Timespec, remain *Timespec) (err error)
 //sys	Close(fd int) (err error)
 //sys	CloseRange(first uint, last uint, flags uint) (err error)
@@ -1849,6 +1893,105 @@ func Dup2(oldfd, newfd int) error {
 //sys	Fsmount(fd int, flags int, mountAttrs int) (fsfd int, err error)
 //sys	Fsopen(fsName string, flags int) (fd int, err error)
 //sys	Fspick(dirfd int, pathName string, flags int) (fd int, err error)
+
+//sys	fsconfig(fd int, cmd uint, key *byte, value *byte, aux int) (err error)
+
+func fsconfigCommon(fd int, cmd uint, key string, value *byte, aux int) (err error) {
+	var keyp *byte
+	if keyp, err = BytePtrFromString(key); err != nil {
+		return
+	}
+	return fsconfig(fd, cmd, keyp, value, aux)
+}
+
+// FsconfigSetFlag is equivalent to fsconfig(2) called
+// with cmd == FSCONFIG_SET_FLAG.
+//
+// fd is the filesystem context to act upon.
+// key the parameter key to set.
+func FsconfigSetFlag(fd int, key string) (err error) {
+	return fsconfigCommon(fd, FSCONFIG_SET_FLAG, key, nil, 0)
+}
+
+// FsconfigSetString is equivalent to fsconfig(2) called
+// with cmd == FSCONFIG_SET_STRING.
+//
+// fd is the filesystem context to act upon.
+// key the parameter key to set.
+// value is the parameter value to set.
+func FsconfigSetString(fd int, key string, value string) (err error) {
+	var valuep *byte
+	if valuep, err = BytePtrFromString(value); err != nil {
+		return
+	}
+	return fsconfigCommon(fd, FSCONFIG_SET_STRING, key, valuep, 0)
+}
+
+// FsconfigSetBinary is equivalent to fsconfig(2) called
+// with cmd == FSCONFIG_SET_BINARY.
+//
+// fd is the filesystem context to act upon.
+// key the parameter key to set.
+// value is the parameter value to set.
+func FsconfigSetBinary(fd int, key string, value []byte) (err error) {
+	if len(value) == 0 {
+		return EINVAL
+	}
+	return fsconfigCommon(fd, FSCONFIG_SET_BINARY, key, &value[0], len(value))
+}
+
+// FsconfigSetPath is equivalent to fsconfig(2) called
+// with cmd == FSCONFIG_SET_PATH.
+//
+// fd is the filesystem context to act upon.
+// key the parameter key to set.
+// path is a non-empty path for specified key.
+// atfd is a file descriptor at which to start lookup from or AT_FDCWD.
+func FsconfigSetPath(fd int, key string, path string, atfd int) (err error) {
+	var valuep *byte
+	if valuep, err = BytePtrFromString(path); err != nil {
+		return
+	}
+	return fsconfigCommon(fd, FSCONFIG_SET_PATH, key, valuep, atfd)
+}
+
+// FsconfigSetPathEmpty is equivalent to fsconfig(2) called
+// with cmd == FSCONFIG_SET_PATH_EMPTY. The same as
+// FconfigSetPath but with AT_PATH_EMPTY implied.
+func FsconfigSetPathEmpty(fd int, key string, path string, atfd int) (err error) {
+	var valuep *byte
+	if valuep, err = BytePtrFromString(path); err != nil {
+		return
+	}
+	return fsconfigCommon(fd, FSCONFIG_SET_PATH_EMPTY, key, valuep, atfd)
+}
+
+// FsconfigSetFd is equivalent to fsconfig(2) called
+// with cmd == FSCONFIG_SET_FD.
+//
+// fd is the filesystem context to act upon.
+// key the parameter key to set.
+// value is a file descriptor to be assigned to specified key.
+func FsconfigSetFd(fd int, key string, value int) (err error) {
+	return fsconfigCommon(fd, FSCONFIG_SET_FD, key, nil, value)
+}
+
+// FsconfigCreate is equivalent to fsconfig(2) called
+// with cmd == FSCONFIG_CMD_CREATE.
+//
+// fd is the filesystem context to act upon.
+func FsconfigCreate(fd int) (err error) {
+	return fsconfig(fd, FSCONFIG_CMD_CREATE, nil, nil, 0)
+}
+
+// FsconfigReconfigure is equivalent to fsconfig(2) called
+// with cmd == FSCONFIG_CMD_RECONFIGURE.
+//
+// fd is the filesystem context to act upon.
+func FsconfigReconfigure(fd int) (err error) {
+	return fsconfig(fd, FSCONFIG_CMD_RECONFIGURE, nil, nil, 0)
+}
+
 //sys	Getdents(fd int, buf []byte) (n int, err error) = SYS_GETDENTS64
 //sysnb	Getpgid(pid int) (pgid int, err error)
 
@@ -1860,7 +2003,26 @@ func Getpgrp() (pid int) {
 //sysnb	Getpid() (pid int)
 //sysnb	Getppid() (ppid int)
 //sys	Getpriority(which int, who int) (prio int, err error)
-//sys	Getrandom(buf []byte, flags int) (n int, err error)
+
+func Getrandom(buf []byte, flags int) (n int, err error) {
+	vdsoRet, supported := vgetrandom(buf, uint32(flags))
+	if supported {
+		if vdsoRet < 0 {
+			return 0, errnoErr(syscall.Errno(-vdsoRet))
+		}
+		return vdsoRet, nil
+	}
+	var p *byte
+	if len(buf) > 0 {
+		p = &buf[0]
+	}
+	r, _, e := Syscall(SYS_GETRANDOM, uintptr(unsafe.Pointer(p)), uintptr(len(buf)), uintptr(flags))
+	if e != 0 {
+		return 0, errnoErr(e)
+	}
+	return int(r), nil
+}
+
 //sysnb	Getrusage(who int, rusage *Rusage) (err error)
 //sysnb	Getsid(pid int) (sid int, err error)
 //sysnb	Gettid() (tid int)
@@ -2055,10 +2217,7 @@ func readvRacedetect(iovecs []Iovec, n int, err error) {
 		return
 	}
 	for i := 0; n > 0 && i < len(iovecs); i++ {
-		m := int(iovecs[i].Len)
-		if m > n {
-			m = n
-		}
+		m := min(int(iovecs[i].Len), n)
 		n -= m
 		if m > 0 {
 			raceWriteRange(unsafe.Pointer(iovecs[i].Base), m)
@@ -2109,10 +2268,7 @@ func writevRacedetect(iovecs []Iovec, n int) {
 		return
 	}
 	for i := 0; n > 0 && i < len(iovecs); i++ {
-		m := int(iovecs[i].Len)
-		if m > n {
-			m = n
-		}
+		m := min(int(iovecs[i].Len), n)
 		n -= m
 		if m > 0 {
 			raceReadRange(unsafe.Pointer(iovecs[i].Base), m)
@@ -2159,12 +2315,7 @@ func isGroupMember(gid int) bool {
 		return false
 	}
 
-	for _, g := range groups {
-		if g == gid {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(groups, gid)
 }
 
 func isCapDacOverrideSet() bool {
@@ -2493,3 +2644,4 @@ func SchedGetAttr(pid int, flags uint) (*SchedAttr, error) {
 }
 
 //sys	Cachestat(fd uint, crange *CachestatRange, cstat *Cachestat_t, flags uint) (err error)
+//sys	Mseal(b []byte, flags uint) (err error)

vendor/golang.org/x/sys/unix/syscall_linux_arm64.go

@@ -182,3 +182,5 @@ func KexecFileLoad(kernelFd int, initrdFd int, cmdline string, flags int) error
 	}
 	return kexecFileLoad(kernelFd, initrdFd, cmdlineLen, cmdline, flags)
 }
+
+const SYS_FSTATAT = SYS_NEWFSTATAT

vendor/golang.org/x/sys/unix/syscall_linux_loong64.go

@@ -214,3 +214,5 @@ func KexecFileLoad(kernelFd int, initrdFd int, cmdline string, flags int) error
 	}
 	return kexecFileLoad(kernelFd, initrdFd, cmdlineLen, cmdline, flags)
 }
+
+const SYS_FSTATAT = SYS_NEWFSTATAT

vendor/golang.org/x/sys/unix/syscall_linux_riscv64.go

@@ -187,3 +187,5 @@ func RISCVHWProbe(pairs []RISCVHWProbePairs, set *CPUSet, flags uint) (err error
 	}
 	return riscvHWProbe(pairs, setSize, set, flags)
 }
+
+const SYS_FSTATAT = SYS_NEWFSTATAT

vendor/golang.org/x/sys/unix/syscall_openbsd.go

@@ -293,6 +293,7 @@ func Uname(uname *Utsname) error {
 //sys	Mkfifoat(dirfd int, path string, mode uint32) (err error)
 //sys	Mknod(path string, mode uint32, dev int) (err error)
 //sys	Mknodat(dirfd int, path string, mode uint32, dev int) (err error)
+//sys	Mount(fsType string, dir string, flags int, data unsafe.Pointer) (err error)
 //sys	Nanosleep(time *Timespec, leftover *Timespec) (err error)
 //sys	Open(path string, mode int, perm uint32) (fd int, err error)
 //sys	Openat(dirfd int, path string, mode int, perm uint32) (fd int, err error)

vendor/golang.org/x/sys/unix/syscall_solaris.go

@@ -1102,3 +1102,90 @@ func (s *Strioctl) SetInt(i int) {
 func IoctlSetStrioctlRetInt(fd int, req int, s *Strioctl) (int, error) {
 	return ioctlPtrRet(fd, req, unsafe.Pointer(s))
 }
+
+// Ucred Helpers
+// See ucred(3c) and getpeerucred(3c)
+
+//sys	getpeerucred(fd uintptr, ucred *uintptr) (err error)
+//sys	ucredFree(ucred uintptr) = ucred_free
+//sys	ucredGet(pid int) (ucred uintptr, err error) = ucred_get
+//sys	ucredGeteuid(ucred uintptr) (uid int) = ucred_geteuid
+//sys	ucredGetegid(ucred uintptr) (gid int) = ucred_getegid
+//sys	ucredGetruid(ucred uintptr) (uid int) = ucred_getruid
+//sys	ucredGetrgid(ucred uintptr) (gid int) = ucred_getrgid
+//sys	ucredGetsuid(ucred uintptr) (uid int) = ucred_getsuid
+//sys	ucredGetsgid(ucred uintptr) (gid int) = ucred_getsgid
+//sys	ucredGetpid(ucred uintptr) (pid int) = ucred_getpid
+
+// Ucred is an opaque struct that holds user credentials.
+type Ucred struct {
+	ucred uintptr
+}
+
+// We need to ensure that ucredFree is called on the underlying ucred
+// when the Ucred is garbage collected.
+func ucredFinalizer(u *Ucred) {
+	ucredFree(u.ucred)
+}
+
+func GetPeerUcred(fd uintptr) (*Ucred, error) {
+	var ucred uintptr
+	err := getpeerucred(fd, &ucred)
+	if err != nil {
+		return nil, err
+	}
+	result := &Ucred{
+		ucred: ucred,
+	}
+	// set the finalizer on the result so that the ucred will be freed
+	runtime.SetFinalizer(result, ucredFinalizer)
+	return result, nil
+}
+
+func UcredGet(pid int) (*Ucred, error) {
+	ucred, err := ucredGet(pid)
+	if err != nil {
+		return nil, err
+	}
+	result := &Ucred{
+		ucred: ucred,
+	}
+	// set the finalizer on the result so that the ucred will be freed
+	runtime.SetFinalizer(result, ucredFinalizer)
+	return result, nil
+}
+
+func (u *Ucred) Geteuid() int {
+	defer runtime.KeepAlive(u)
+	return ucredGeteuid(u.ucred)
+}
+
+func (u *Ucred) Getruid() int {
+	defer runtime.KeepAlive(u)
+	return ucredGetruid(u.ucred)
+}
+
+func (u *Ucred) Getsuid() int {
+	defer runtime.KeepAlive(u)
+	return ucredGetsuid(u.ucred)
+}
+
+func (u *Ucred) Getegid() int {
+	defer runtime.KeepAlive(u)
+	return ucredGetegid(u.ucred)
+}
+
+func (u *Ucred) Getrgid() int {
+	defer runtime.KeepAlive(u)
+	return ucredGetrgid(u.ucred)
+}
+
+func (u *Ucred) Getsgid() int {
+	defer runtime.KeepAlive(u)
+	return ucredGetsgid(u.ucred)
+}
+
+func (u *Ucred) Getpid() int {
+	defer runtime.KeepAlive(u)
+	return ucredGetpid(u.ucred)
+}

vendor/golang.org/x/sys/unix/syscall_unix.go

@@ -154,6 +154,15 @@ func Munmap(b []byte) (err error) {
 	return mapper.Munmap(b)
 }
 
+func MmapPtr(fd int, offset int64, addr unsafe.Pointer, length uintptr, prot int, flags int) (ret unsafe.Pointer, err error) {
+	xaddr, err := mapper.mmap(uintptr(addr), length, prot, flags, fd, offset)
+	return unsafe.Pointer(xaddr), err
+}
+
+func MunmapPtr(addr unsafe.Pointer, length uintptr) (err error) {
+	return mapper.munmap(uintptr(addr), length)
+}
+
 func Read(fd int, p []byte) (n int, err error) {
 	n, err = read(fd, p)
 	if raceenabled {

vendor/golang.org/x/sys/unix/sysvshm_unix.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build (darwin && !ios) || linux
+//go:build (darwin && !ios) || linux || zos
 
 package unix
 

vendor/golang.org/x/sys/unix/sysvshm_unix_other.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build darwin && !ios
+//go:build (darwin && !ios) || zos
 
 package unix
 

vendor/golang.org/x/sys/unix/vgetrandom_linux.go

@@ -0,0 +1,13 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux && go1.24
+
+package unix
+
+import _ "unsafe"
+
+//go:linkname vgetrandom runtime.vgetrandom
+//go:noescape
+func vgetrandom(p []byte, flags uint32) (ret int, supported bool)

vendor/golang.org/x/sys/unix/vgetrandom_unsupported.go

@@ -0,0 +1,11 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !linux || !go1.24
+
+package unix
+
+func vgetrandom(p []byte, flags uint32) (ret int, supported bool) {
+	return -1, false
+}

vendor/golang.org/x/sys/unix/zerrors_darwin_amd64.go

@@ -237,6 +237,9 @@ const (
 	CLOCK_UPTIME_RAW_APPROX                 = 0x9
 	CLONE_NOFOLLOW                          = 0x1
 	CLONE_NOOWNERCOPY                       = 0x2
+	CONNECT_DATA_AUTHENTICATED              = 0x4
+	CONNECT_DATA_IDEMPOTENT                 = 0x2
+	CONNECT_RESUME_ON_READ_WRITE            = 0x1
 	CR0                                     = 0x0
 	CR1                                     = 0x1000
 	CR2                                     = 0x2000
@@ -1169,6 +1172,11 @@ const (
 	PT_WRITE_D                              = 0x5
 	PT_WRITE_I                              = 0x4
 	PT_WRITE_U                              = 0x6
+	RENAME_EXCL                             = 0x4
+	RENAME_NOFOLLOW_ANY                     = 0x10
+	RENAME_RESERVED1                        = 0x8
+	RENAME_SECLUDE                          = 0x1
+	RENAME_SWAP                             = 0x2
 	RLIMIT_AS                               = 0x5
 	RLIMIT_CORE                             = 0x4
 	RLIMIT_CPU                              = 0x0
@@ -1260,6 +1268,10 @@ const (
 	RTV_SSTHRESH                            = 0x20
 	RUSAGE_CHILDREN                         = -0x1
 	RUSAGE_SELF                             = 0x0
+	SAE_ASSOCID_ALL                         = 0xffffffff
+	SAE_ASSOCID_ANY                         = 0x0
+	SAE_CONNID_ALL                          = 0xffffffff
+	SAE_CONNID_ANY                          = 0x0
 	SCM_CREDS                               = 0x3
 	SCM_RIGHTS                              = 0x1
 	SCM_TIMESTAMP                           = 0x2

vendor/golang.org/x/sys/unix/zerrors_darwin_arm64.go

@@ -237,6 +237,9 @@ const (
 	CLOCK_UPTIME_RAW_APPROX                 = 0x9
 	CLONE_NOFOLLOW                          = 0x1
 	CLONE_NOOWNERCOPY                       = 0x2
+	CONNECT_DATA_AUTHENTICATED              = 0x4
+	CONNECT_DATA_IDEMPOTENT                 = 0x2
+	CONNECT_RESUME_ON_READ_WRITE            = 0x1
 	CR0                                     = 0x0
 	CR1                                     = 0x1000
 	CR2                                     = 0x2000
@@ -1169,6 +1172,11 @@ const (
 	PT_WRITE_D                              = 0x5
 	PT_WRITE_I                              = 0x4
 	PT_WRITE_U                              = 0x6
+	RENAME_EXCL                             = 0x4
+	RENAME_NOFOLLOW_ANY                     = 0x10
+	RENAME_RESERVED1                        = 0x8
+	RENAME_SECLUDE                          = 0x1
+	RENAME_SWAP                             = 0x2
 	RLIMIT_AS                               = 0x5
 	RLIMIT_CORE                             = 0x4
 	RLIMIT_CPU                              = 0x0
@@ -1260,6 +1268,10 @@ const (
 	RTV_SSTHRESH                            = 0x20
 	RUSAGE_CHILDREN                         = -0x1
 	RUSAGE_SELF                             = 0x0
+	SAE_ASSOCID_ALL                         = 0xffffffff
+	SAE_ASSOCID_ANY                         = 0x0
+	SAE_CONNID_ALL                          = 0xffffffff
+	SAE_CONNID_ANY                          = 0x0
 	SCM_CREDS                               = 0x3
 	SCM_RIGHTS                              = 0x1
 	SCM_TIMESTAMP                           = 0x2

vendor/golang.org/x/sys/unix/zerrors_linux.go

@@ -321,6 +321,9 @@ const (
 	AUDIT_INTEGRITY_STATUS                      = 0x70a
 	AUDIT_IPC                                   = 0x517
 	AUDIT_IPC_SET_PERM                          = 0x51f
+	AUDIT_IPE_ACCESS                            = 0x58c
+	AUDIT_IPE_CONFIG_CHANGE                     = 0x58d
+	AUDIT_IPE_POLICY_LOAD                       = 0x58e
 	AUDIT_KERNEL                                = 0x7d0
 	AUDIT_KERNEL_OTHER                          = 0x524
 	AUDIT_KERN_MODULE                           = 0x532
@@ -457,6 +460,7 @@ const (
 	B600                                        = 0x8
 	B75                                         = 0x2
 	B9600                                       = 0xd
+	BCACHEFS_SUPER_MAGIC                        = 0xca451a4e
 	BDEVFS_MAGIC                                = 0x62646576
 	BINDERFS_SUPER_MAGIC                        = 0x6c6f6f70
 	BINFMTFS_MAGIC                              = 0x42494e4d
@@ -488,11 +492,14 @@ const (
 	BPF_F_ID                                    = 0x20
 	BPF_F_NETFILTER_IP_DEFRAG                   = 0x1
 	BPF_F_QUERY_EFFECTIVE                       = 0x1
+	BPF_F_REDIRECT_FLAGS                        = 0x19
 	BPF_F_REPLACE                               = 0x4
 	BPF_F_SLEEPABLE                             = 0x10
 	BPF_F_STRICT_ALIGNMENT                      = 0x1
+	BPF_F_TEST_REG_INVARIANTS                   = 0x80
 	BPF_F_TEST_RND_HI32                         = 0x4
 	BPF_F_TEST_RUN_ON_CPU                       = 0x1
+	BPF_F_TEST_SKB_CHECKSUM_COMPLETE            = 0x4
 	BPF_F_TEST_STATE_FREQ                       = 0x8
 	BPF_F_TEST_XDP_LIVE_FRAMES                  = 0x2
 	BPF_F_XDP_DEV_BOUND_ONLY                    = 0x40
@@ -501,6 +508,7 @@ const (
 	BPF_IMM                                     = 0x0
 	BPF_IND                                     = 0x40
 	BPF_JA                                      = 0x0
+	BPF_JCOND                                   = 0xe0
 	BPF_JEQ                                     = 0x10
 	BPF_JGE                                     = 0x30
 	BPF_JGT                                     = 0x20
@@ -656,6 +664,9 @@ const (
 	CAN_NPROTO                                  = 0x8
 	CAN_RAW                                     = 0x1
 	CAN_RAW_FILTER_MAX                          = 0x200
+	CAN_RAW_XL_VCID_RX_FILTER                   = 0x4
+	CAN_RAW_XL_VCID_TX_PASS                     = 0x2
+	CAN_RAW_XL_VCID_TX_SET                      = 0x1
 	CAN_RTR_FLAG                                = 0x40000000
 	CAN_SFF_ID_BITS                             = 0xb
 	CAN_SFF_MASK                                = 0x7ff
@@ -923,6 +934,7 @@ const (
 	EPOLL_CTL_ADD                               = 0x1
 	EPOLL_CTL_DEL                               = 0x2
 	EPOLL_CTL_MOD                               = 0x3
+	EPOLL_IOC_TYPE                              = 0x8a
 	EROFS_SUPER_MAGIC_V1                        = 0xe0f5e1e2
 	ESP_V4_FLOW                                 = 0xa
 	ESP_V6_FLOW                                 = 0xc
@@ -936,9 +948,6 @@ const (
 	ETHTOOL_FEC_OFF                             = 0x4
 	ETHTOOL_FEC_RS                              = 0x8
 	ETHTOOL_FLAG_ALL                            = 0x7
-	ETHTOOL_FLAG_COMPACT_BITSETS                = 0x1
-	ETHTOOL_FLAG_OMIT_REPLY                     = 0x2
-	ETHTOOL_FLAG_STATS                          = 0x4
 	ETHTOOL_FLASHDEV                            = 0x33
 	ETHTOOL_FLASH_MAX_FILENAME                  = 0x80
 	ETHTOOL_FWVERS_LEN                          = 0x20
@@ -1161,6 +1170,7 @@ const (
 	EXTA                                        = 0xe
 	EXTB                                        = 0xf
 	F2FS_SUPER_MAGIC                            = 0xf2f52010
+	FALLOC_FL_ALLOCATE_RANGE                    = 0x0
 	FALLOC_FL_COLLAPSE_RANGE                    = 0x8
 	FALLOC_FL_INSERT_RANGE                      = 0x20
 	FALLOC_FL_KEEP_SIZE                         = 0x1
@@ -1235,6 +1245,7 @@ const (
 	FAN_REPORT_DFID_NAME                        = 0xc00
 	FAN_REPORT_DFID_NAME_TARGET                 = 0x1e00
 	FAN_REPORT_DIR_FID                          = 0x400
+	FAN_REPORT_FD_ERROR                         = 0x2000
 	FAN_REPORT_FID                              = 0x200
 	FAN_REPORT_NAME                             = 0x800
 	FAN_REPORT_PIDFD                            = 0x80
@@ -1320,8 +1331,10 @@ const (
 	FUSE_SUPER_MAGIC                            = 0x65735546
 	FUTEXFS_SUPER_MAGIC                         = 0xbad1dea
 	F_ADD_SEALS                                 = 0x409
+	F_CREATED_QUERY                             = 0x404
 	F_DUPFD                                     = 0x0
 	F_DUPFD_CLOEXEC                             = 0x406
+	F_DUPFD_QUERY                               = 0x403
 	F_EXLCK                                     = 0x4
 	F_GETFD                                     = 0x1
 	F_GETFL                                     = 0x3
@@ -1338,6 +1351,7 @@ const (
 	F_OFD_SETLK                                 = 0x25
 	F_OFD_SETLKW                                = 0x26
 	F_OK                                        = 0x0
+	F_SEAL_EXEC                                 = 0x20
 	F_SEAL_FUTURE_WRITE                         = 0x10
 	F_SEAL_GROW                                 = 0x4
 	F_SEAL_SEAL                                 = 0x1
@@ -1540,6 +1554,7 @@ const (
 	IPPROTO_ROUTING                             = 0x2b
 	IPPROTO_RSVP                                = 0x2e
 	IPPROTO_SCTP                                = 0x84
+	IPPROTO_SMC                                 = 0x100
 	IPPROTO_TCP                                 = 0x6
 	IPPROTO_TP                                  = 0x1d
 	IPPROTO_UDP                                 = 0x11
@@ -1612,6 +1627,8 @@ const (
 	IPV6_UNICAST_IF                             = 0x4c
 	IPV6_USER_FLOW                              = 0xe
 	IPV6_V6ONLY                                 = 0x1a
+	IPV6_VERSION                                = 0x60
+	IPV6_VERSION_MASK                           = 0xf0
 	IPV6_XFRM_POLICY                            = 0x23
 	IP_ADD_MEMBERSHIP                           = 0x23
 	IP_ADD_SOURCE_MEMBERSHIP                    = 0x27
@@ -1626,6 +1643,7 @@ const (
 	IP_FREEBIND                                 = 0xf
 	IP_HDRINCL                                  = 0x3
 	IP_IPSEC_POLICY                             = 0x10
+	IP_LOCAL_PORT_RANGE                         = 0x33
 	IP_MAXPACKET                                = 0xffff
 	IP_MAX_MEMBERSHIPS                          = 0x14
 	IP_MF                                       = 0x2000
@@ -1652,6 +1670,7 @@ const (
 	IP_PMTUDISC_OMIT                            = 0x5
 	IP_PMTUDISC_PROBE                           = 0x3
 	IP_PMTUDISC_WANT                            = 0x1
+	IP_PROTOCOL                                 = 0x34
 	IP_RECVERR                                  = 0xb
 	IP_RECVERR_RFC4884                          = 0x1a
 	IP_RECVFRAGSIZE                             = 0x19
@@ -1697,6 +1716,8 @@ const (
 	KEXEC_ARCH_S390                             = 0x160000
 	KEXEC_ARCH_SH                               = 0x2a0000
 	KEXEC_ARCH_X86_64                           = 0x3e0000
+	KEXEC_CRASH_HOTPLUG_SUPPORT                 = 0x8
+	KEXEC_FILE_DEBUG                            = 0x8
 	KEXEC_FILE_NO_INITRAMFS                     = 0x4
 	KEXEC_FILE_ON_CRASH                         = 0x2
 	KEXEC_FILE_UNLOAD                           = 0x1
@@ -1771,6 +1792,7 @@ const (
 	KEY_SPEC_USER_KEYRING                       = -0x4
 	KEY_SPEC_USER_SESSION_KEYRING               = -0x5
 	LANDLOCK_ACCESS_FS_EXECUTE                  = 0x1
+	LANDLOCK_ACCESS_FS_IOCTL_DEV                = 0x8000
 	LANDLOCK_ACCESS_FS_MAKE_BLOCK               = 0x800
 	LANDLOCK_ACCESS_FS_MAKE_CHAR                = 0x40
 	LANDLOCK_ACCESS_FS_MAKE_DIR                 = 0x80
@@ -1788,6 +1810,8 @@ const (
 	LANDLOCK_ACCESS_NET_BIND_TCP                = 0x1
 	LANDLOCK_ACCESS_NET_CONNECT_TCP             = 0x2
 	LANDLOCK_CREATE_RULESET_VERSION             = 0x1
+	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET         = 0x1
+	LANDLOCK_SCOPE_SIGNAL                       = 0x2
 	LINUX_REBOOT_CMD_CAD_OFF                    = 0x0
 	LINUX_REBOOT_CMD_CAD_ON                     = 0x89abcdef
 	LINUX_REBOOT_CMD_HALT                       = 0xcdef0123
@@ -1849,9 +1873,23 @@ const (
 	MADV_UNMERGEABLE                            = 0xd
 	MADV_WILLNEED                               = 0x3
 	MADV_WIPEONFORK                             = 0x12
+	MAP_DROPPABLE                               = 0x8
 	MAP_FILE                                    = 0x0
 	MAP_FIXED                                   = 0x10
 	MAP_FIXED_NOREPLACE                         = 0x100000
+	MAP_HUGE_16GB                               = 0x88000000
+	MAP_HUGE_16KB                               = 0x38000000
+	MAP_HUGE_16MB                               = 0x60000000
+	MAP_HUGE_1GB                                = 0x78000000
+	MAP_HUGE_1MB                                = 0x50000000
+	MAP_HUGE_256MB                              = 0x70000000
+	MAP_HUGE_2GB                                = 0x7c000000
+	MAP_HUGE_2MB                                = 0x54000000
+	MAP_HUGE_32MB                               = 0x64000000
+	MAP_HUGE_512KB                              = 0x4c000000
+	MAP_HUGE_512MB                              = 0x74000000
+	MAP_HUGE_64KB                               = 0x40000000
+	MAP_HUGE_8MB                                = 0x5c000000
 	MAP_HUGE_MASK                               = 0x3f
 	MAP_HUGE_SHIFT                              = 0x1a
 	MAP_PRIVATE                                 = 0x2
@@ -1898,6 +1936,9 @@ const (
 	MNT_DETACH                                  = 0x2
 	MNT_EXPIRE                                  = 0x4
 	MNT_FORCE                                   = 0x1
+	MNT_ID_REQ_SIZE_VER0                        = 0x18
+	MNT_ID_REQ_SIZE_VER1                        = 0x20
+	MNT_NS_INFO_SIZE_VER0                       = 0x10
 	MODULE_INIT_COMPRESSED_FILE                 = 0x4
 	MODULE_INIT_IGNORE_MODVERSIONS              = 0x1
 	MODULE_INIT_IGNORE_VERMAGIC                 = 0x2
@@ -1933,6 +1974,7 @@ const (
 	MSG_PEEK                                    = 0x2
 	MSG_PROXY                                   = 0x10
 	MSG_RST                                     = 0x1000
+	MSG_SOCK_DEVMEM                             = 0x2000000
 	MSG_SYN                                     = 0x400
 	MSG_TRUNC                                   = 0x20
 	MSG_TRYHARD                                 = 0x4
@@ -2049,6 +2091,7 @@ const (
 	NFC_ATR_REQ_MAXSIZE                         = 0x40
 	NFC_ATR_RES_GB_MAXSIZE                      = 0x2f
 	NFC_ATR_RES_MAXSIZE                         = 0x40
+	NFC_ATS_MAXSIZE                             = 0x14
 	NFC_COMM_ACTIVE                             = 0x0
 	NFC_COMM_PASSIVE                            = 0x1
 	NFC_DEVICE_NAME_MAXSIZE                     = 0x8
@@ -2129,6 +2172,7 @@ const (
 	NFNL_SUBSYS_QUEUE                           = 0x3
 	NFNL_SUBSYS_ULOG                            = 0x4
 	NFS_SUPER_MAGIC                             = 0x6969
+	NFT_BITWISE_BOOL                            = 0x0
 	NFT_CHAIN_FLAGS                             = 0x7
 	NFT_CHAIN_MAXNAMELEN                        = 0x100
 	NFT_CT_MAX                                  = 0x17
@@ -2163,10 +2207,10 @@ const (
 	NFT_REG_SIZE                                = 0x10
 	NFT_REJECT_ICMPX_MAX                        = 0x3
 	NFT_RT_MAX                                  = 0x4
-	NFT_SECMARK_CTX_MAXLEN                      = 0x100
+	NFT_SECMARK_CTX_MAXLEN                      = 0x1000
 	NFT_SET_MAXNAMELEN                          = 0x100
 	NFT_SOCKET_MAX                              = 0x3
-	NFT_TABLE_F_MASK                            = 0x3
+	NFT_TABLE_F_MASK                            = 0x7
 	NFT_TABLE_MAXNAMELEN                        = 0x100
 	NFT_TRACETYPE_MAX                           = 0x3
 	NFT_TUNNEL_F_MASK                           = 0x7
@@ -2302,6 +2346,7 @@ const (
 	PERF_AUX_FLAG_PARTIAL                       = 0x4
 	PERF_AUX_FLAG_PMU_FORMAT_TYPE_MASK          = 0xff00
 	PERF_AUX_FLAG_TRUNCATED                     = 0x1
+	PERF_BRANCH_ENTRY_INFO_BITS_MAX             = 0x21
 	PERF_BR_ARM64_DEBUG_DATA                    = 0x7
 	PERF_BR_ARM64_DEBUG_EXIT                    = 0x5
 	PERF_BR_ARM64_DEBUG_HALT                    = 0x4
@@ -2331,9 +2376,11 @@ const (
 	PERF_MEM_LVLNUM_IO                          = 0xa
 	PERF_MEM_LVLNUM_L1                          = 0x1
 	PERF_MEM_LVLNUM_L2                          = 0x2
+	PERF_MEM_LVLNUM_L2_MHB                      = 0x5
 	PERF_MEM_LVLNUM_L3                          = 0x3
 	PERF_MEM_LVLNUM_L4                          = 0x4
 	PERF_MEM_LVLNUM_LFB                         = 0xc
+	PERF_MEM_LVLNUM_MSC                         = 0x6
 	PERF_MEM_LVLNUM_NA                          = 0xf
 	PERF_MEM_LVLNUM_PMEM                        = 0xe
 	PERF_MEM_LVLNUM_RAM                         = 0xd
@@ -2399,12 +2446,14 @@ const (
 	PERF_RECORD_MISC_USER                       = 0x2
 	PERF_SAMPLE_BRANCH_PLM_ALL                  = 0x7
 	PERF_SAMPLE_WEIGHT_TYPE                     = 0x1004000
+	PID_FS_MAGIC                                = 0x50494446
 	PIPEFS_MAGIC                                = 0x50495045
 	PPPIOCGNPMODE                               = 0xc008744c
 	PPPIOCNEWUNIT                               = 0xc004743e
 	PRIO_PGRP                                   = 0x1
 	PRIO_PROCESS                                = 0x0
 	PRIO_USER                                   = 0x2
+	PROCFS_IOCTL_MAGIC                          = 'f'
 	PROC_SUPER_MAGIC                            = 0x9fa0
 	PROT_EXEC                                   = 0x4
 	PROT_GROWSDOWN                              = 0x1000000
@@ -2452,6 +2501,7 @@ const (
 	PR_GET_PDEATHSIG                            = 0x2
 	PR_GET_SECCOMP                              = 0x15
 	PR_GET_SECUREBITS                           = 0x1b
+	PR_GET_SHADOW_STACK_STATUS                  = 0x4a
 	PR_GET_SPECULATION_CTRL                     = 0x34
 	PR_GET_TAGGED_ADDR_CTRL                     = 0x38
 	PR_GET_THP_DISABLE                          = 0x2a
@@ -2460,6 +2510,7 @@ const (
 	PR_GET_TIMING                               = 0xd
 	PR_GET_TSC                                  = 0x19
 	PR_GET_UNALIGN                              = 0x5
+	PR_LOCK_SHADOW_STACK_STATUS                 = 0x4c
 	PR_MCE_KILL                                 = 0x21
 	PR_MCE_KILL_CLEAR                           = 0x0
 	PR_MCE_KILL_DEFAULT                         = 0x2
@@ -2486,6 +2537,25 @@ const (
 	PR_PAC_GET_ENABLED_KEYS                     = 0x3d
 	PR_PAC_RESET_KEYS                           = 0x36
 	PR_PAC_SET_ENABLED_KEYS                     = 0x3c
+	PR_PMLEN_MASK                               = 0x7f000000
+	PR_PMLEN_SHIFT                              = 0x18
+	PR_PPC_DEXCR_CTRL_CLEAR                     = 0x4
+	PR_PPC_DEXCR_CTRL_CLEAR_ONEXEC              = 0x10
+	PR_PPC_DEXCR_CTRL_EDITABLE                  = 0x1
+	PR_PPC_DEXCR_CTRL_MASK                      = 0x1f
+	PR_PPC_DEXCR_CTRL_SET                       = 0x2
+	PR_PPC_DEXCR_CTRL_SET_ONEXEC                = 0x8
+	PR_PPC_DEXCR_IBRTPD                         = 0x1
+	PR_PPC_DEXCR_NPHIE                          = 0x3
+	PR_PPC_DEXCR_SBHE                           = 0x0
+	PR_PPC_DEXCR_SRAPD                          = 0x2
+	PR_PPC_GET_DEXCR                            = 0x48
+	PR_PPC_SET_DEXCR                            = 0x49
+	PR_RISCV_CTX_SW_FENCEI_OFF                  = 0x1
+	PR_RISCV_CTX_SW_FENCEI_ON                   = 0x0
+	PR_RISCV_SCOPE_PER_PROCESS                  = 0x0
+	PR_RISCV_SCOPE_PER_THREAD                   = 0x1
+	PR_RISCV_SET_ICACHE_FLUSH_CTX               = 0x47
 	PR_RISCV_V_GET_CONTROL                      = 0x46
 	PR_RISCV_V_SET_CONTROL                      = 0x45
 	PR_RISCV_V_VSTATE_CTRL_CUR_MASK             = 0x3
@@ -2536,6 +2606,7 @@ const (
 	PR_SET_PTRACER                              = 0x59616d61
 	PR_SET_SECCOMP                              = 0x16
 	PR_SET_SECUREBITS                           = 0x1c
+	PR_SET_SHADOW_STACK_STATUS                  = 0x4b
 	PR_SET_SPECULATION_CTRL                     = 0x35
 	PR_SET_SYSCALL_USER_DISPATCH                = 0x3b
 	PR_SET_TAGGED_ADDR_CTRL                     = 0x37
@@ -2546,6 +2617,9 @@ const (
 	PR_SET_UNALIGN                              = 0x6
 	PR_SET_VMA                                  = 0x53564d41
 	PR_SET_VMA_ANON_NAME                        = 0x0
+	PR_SHADOW_STACK_ENABLE                      = 0x1
+	PR_SHADOW_STACK_PUSH                        = 0x4
+	PR_SHADOW_STACK_WRITE                       = 0x2
 	PR_SME_GET_VL                               = 0x40
 	PR_SME_SET_VL                               = 0x3f
 	PR_SME_SET_VL_ONEXEC                        = 0x40000
@@ -2577,6 +2651,28 @@ const (
 	PR_UNALIGN_NOPRINT                          = 0x1
 	PR_UNALIGN_SIGBUS                           = 0x2
 	PSTOREFS_MAGIC                              = 0x6165676c
+	PTP_CLK_MAGIC                               = '='
+	PTP_ENABLE_FEATURE                          = 0x1
+	PTP_EXTTS_EDGES                             = 0x6
+	PTP_EXTTS_EVENT_VALID                       = 0x1
+	PTP_EXTTS_V1_VALID_FLAGS                    = 0x7
+	PTP_EXTTS_VALID_FLAGS                       = 0x1f
+	PTP_EXT_OFFSET                              = 0x10
+	PTP_FALLING_EDGE                            = 0x4
+	PTP_MAX_SAMPLES                             = 0x19
+	PTP_PEROUT_DUTY_CYCLE                       = 0x2
+	PTP_PEROUT_ONE_SHOT                         = 0x1
+	PTP_PEROUT_PHASE                            = 0x4
+	PTP_PEROUT_V1_VALID_FLAGS                   = 0x0
+	PTP_PEROUT_VALID_FLAGS                      = 0x7
+	PTP_PIN_GETFUNC                             = 0xc0603d06
+	PTP_PIN_GETFUNC2                            = 0xc0603d0f
+	PTP_RISING_EDGE                             = 0x2
+	PTP_STRICT_FLAGS                            = 0x8
+	PTP_SYS_OFFSET_EXTENDED                     = 0xc4c03d09
+	PTP_SYS_OFFSET_EXTENDED2                    = 0xc4c03d12
+	PTP_SYS_OFFSET_PRECISE                      = 0xc0403d08
+	PTP_SYS_OFFSET_PRECISE2                     = 0xc0403d11
 	PTRACE_ATTACH                               = 0x10
 	PTRACE_CONT                                 = 0x7
 	PTRACE_DETACH                               = 0x11
@@ -2833,7 +2929,6 @@ const (
 	RTM_NEWNEXTHOP                              = 0x68
 	RTM_NEWNEXTHOPBUCKET                        = 0x74
 	RTM_NEWNSID                                 = 0x58
-	RTM_NEWNVLAN                                = 0x70
 	RTM_NEWPREFIX                               = 0x34
 	RTM_NEWQDISC                                = 0x24
 	RTM_NEWROUTE                                = 0x18
@@ -2842,6 +2937,7 @@ const (
 	RTM_NEWTCLASS                               = 0x28
 	RTM_NEWTFILTER                              = 0x2c
 	RTM_NEWTUNNEL                               = 0x78
+	RTM_NEWVLAN                                 = 0x70
 	RTM_NR_FAMILIES                             = 0x1b
 	RTM_NR_MSGTYPES                             = 0x6c
 	RTM_SETDCB                                  = 0x4f
@@ -2890,14 +2986,17 @@ const (
 	RUSAGE_SELF                                 = 0x0
 	RUSAGE_THREAD                               = 0x1
 	RWF_APPEND                                  = 0x10
+	RWF_ATOMIC                                  = 0x40
 	RWF_DSYNC                                   = 0x2
 	RWF_HIPRI                                   = 0x1
+	RWF_NOAPPEND                                = 0x20
 	RWF_NOWAIT                                  = 0x8
-	RWF_SUPPORTED                               = 0x1f
+	RWF_SUPPORTED                               = 0x7f
 	RWF_SYNC                                    = 0x4
 	RWF_WRITE_LIFE_NOT_SET                      = 0x0
 	SCHED_BATCH                                 = 0x3
 	SCHED_DEADLINE                              = 0x6
+	SCHED_EXT                                   = 0x7
 	SCHED_FIFO                                  = 0x1
 	SCHED_FLAG_ALL                              = 0x7f
 	SCHED_FLAG_DL_OVERRUN                       = 0x4
@@ -2914,7 +3013,9 @@ const (
 	SCHED_RESET_ON_FORK                         = 0x40000000
 	SCHED_RR                                    = 0x2
 	SCM_CREDENTIALS                             = 0x2
+	SCM_PIDFD                                   = 0x4
 	SCM_RIGHTS                                  = 0x1
+	SCM_SECURITY                                = 0x3
 	SCM_TIMESTAMP                               = 0x1d
 	SC_LOG_FLUSH                                = 0x100000
 	SECCOMP_ADDFD_FLAG_SEND                     = 0x2
@@ -3047,6 +3148,8 @@ const (
 	SIOCSMIIREG                                 = 0x8949
 	SIOCSRARP                                   = 0x8962
 	SIOCWANDEV                                  = 0x894a
+	SK_DIAG_BPF_STORAGE_MAX                     = 0x3
+	SK_DIAG_BPF_STORAGE_REQ_MAX                 = 0x1
 	SMACK_MAGIC                                 = 0x43415d53
 	SMART_AUTOSAVE                              = 0xd2
 	SMART_AUTO_OFFLINE                          = 0xdb
@@ -3067,6 +3170,8 @@ const (
 	SOCKFS_MAGIC                                = 0x534f434b
 	SOCK_BUF_LOCK_MASK                          = 0x3
 	SOCK_DCCP                                   = 0x6
+	SOCK_DESTROY                                = 0x15
+	SOCK_DIAG_BY_FAMILY                         = 0x14
 	SOCK_IOC_TYPE                               = 0x89
 	SOCK_PACKET                                 = 0xa
 	SOCK_RAW                                    = 0x3
@@ -3160,6 +3265,7 @@ const (
 	STATX_ATTR_MOUNT_ROOT                       = 0x2000
 	STATX_ATTR_NODUMP                           = 0x40
 	STATX_ATTR_VERITY                           = 0x100000
+	STATX_ATTR_WRITE_ATOMIC                     = 0x400000
 	STATX_BASIC_STATS                           = 0x7ff
 	STATX_BLOCKS                                = 0x400
 	STATX_BTIME                                 = 0x800
@@ -3168,12 +3274,15 @@ const (
 	STATX_GID                                   = 0x10
 	STATX_INO                                   = 0x100
 	STATX_MNT_ID                                = 0x1000
+	STATX_MNT_ID_UNIQUE                         = 0x4000
 	STATX_MODE                                  = 0x2
 	STATX_MTIME                                 = 0x40
 	STATX_NLINK                                 = 0x4
 	STATX_SIZE                                  = 0x200
+	STATX_SUBVOL                                = 0x8000
 	STATX_TYPE                                  = 0x1
 	STATX_UID                                   = 0x8
+	STATX_WRITE_ATOMIC                          = 0x10000
 	STATX__RESERVED                             = 0x80000000
 	SYNC_FILE_RANGE_WAIT_AFTER                  = 0x4
 	SYNC_FILE_RANGE_WAIT_BEFORE                 = 0x1
@@ -3255,6 +3364,7 @@ const (
 	TCP_MAX_WINSHIFT                            = 0xe
 	TCP_MD5SIG                                  = 0xe
 	TCP_MD5SIG_EXT                              = 0x20
+	TCP_MD5SIG_FLAG_IFINDEX                     = 0x2
 	TCP_MD5SIG_FLAG_PREFIX                      = 0x1
 	TCP_MD5SIG_MAXKEYLEN                        = 0x50
 	TCP_MSS                                     = 0x200
@@ -3562,12 +3672,17 @@ const (
 	XDP_RX_RING                                 = 0x2
 	XDP_SHARED_UMEM                             = 0x1
 	XDP_STATISTICS                              = 0x7
+	XDP_TXMD_FLAGS_CHECKSUM                     = 0x2
+	XDP_TXMD_FLAGS_TIMESTAMP                    = 0x1
+	XDP_TX_METADATA                             = 0x2
 	XDP_TX_RING                                 = 0x3
 	XDP_UMEM_COMPLETION_RING                    = 0x6
 	XDP_UMEM_FILL_RING                          = 0x5
 	XDP_UMEM_PGOFF_COMPLETION_RING              = 0x180000000
 	XDP_UMEM_PGOFF_FILL_RING                    = 0x100000000
 	XDP_UMEM_REG                                = 0x4
+	XDP_UMEM_TX_METADATA_LEN                    = 0x4
+	XDP_UMEM_TX_SW_CSUM                         = 0x2
 	XDP_UMEM_UNALIGNED_CHUNK_FLAG               = 0x1
 	XDP_USE_NEED_WAKEUP                         = 0x8
 	XDP_USE_SG                                  = 0x10

vendor/golang.org/x/sys/unix/zerrors_linux_386.go

@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x80088a02
+	EPIOCSPARAMS                     = 0x40088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
@@ -107,17 +109,21 @@ const (
 	HIDIOCGRAWINFO                   = 0x80084803
 	HIDIOCGRDESC                     = 0x90044802
 	HIDIOCGRDESCSIZE                 = 0x80044801
+	HIDIOCREVOKE                     = 0x4004480d
 	HUPCL                            = 0x400
 	ICANON                           = 0x2
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
+	IPV6_FLOWINFO_MASK               = 0xffffff0f
+	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
 	IXON                             = 0x400
 	MAP_32BIT                        = 0x40
+	MAP_ABOVE4G                      = 0x80
 	MAP_ANON                         = 0x20
 	MAP_ANONYMOUS                    = 0x20
 	MAP_DENYWRITE                    = 0x800
@@ -150,9 +156,14 @@ const (
 	NFDBITS                          = 0x20
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
 	NS_GET_PARENT                    = 0xb702
+	NS_GET_PID_FROM_PIDNS            = 0x8004b706
+	NS_GET_PID_IN_PIDNS              = 0x8004b708
+	NS_GET_TGID_FROM_PIDNS           = 0x8004b707
+	NS_GET_TGID_IN_PIDNS             = 0x8004b709
 	NS_GET_USERNS                    = 0xb701
 	OLCUC                            = 0x2
 	ONLCR                            = 0x4
@@ -229,6 +240,20 @@ const (
 	PPPIOCUNBRIDGECHAN               = 0x7434
 	PPPIOCXFERUNIT                   = 0x744e
 	PR_SET_PTRACER_ANY               = 0xffffffff
+	PTP_CLOCK_GETCAPS                = 0x80503d01
+	PTP_CLOCK_GETCAPS2               = 0x80503d0a
+	PTP_ENABLE_PPS                   = 0x40043d04
+	PTP_ENABLE_PPS2                  = 0x40043d0d
+	PTP_EXTTS_REQUEST                = 0x40103d02
+	PTP_EXTTS_REQUEST2               = 0x40103d0b
+	PTP_MASK_CLEAR_ALL               = 0x3d13
+	PTP_MASK_EN_SINGLE               = 0x40043d14
+	PTP_PEROUT_REQUEST               = 0x40383d03
+	PTP_PEROUT_REQUEST2              = 0x40383d0c
+	PTP_PIN_SETFUNC                  = 0x40603d07
+	PTP_PIN_SETFUNC2                 = 0x40603d10
+	PTP_SYS_OFFSET                   = 0x43403d05
+	PTP_SYS_OFFSET2                  = 0x43403d0e
 	PTRACE_GETFPREGS                 = 0xe
 	PTRACE_GETFPXREGS                = 0x12
 	PTRACE_GET_THREAD_AREA           = 0x19
@@ -275,10 +300,13 @@ const (
 	RTC_WIE_ON                       = 0x700f
 	RTC_WKALM_RD                     = 0x80287010
 	RTC_WKALM_SET                    = 0x4028700f
+	SCM_DEVMEM_DMABUF                = 0x4f
+	SCM_DEVMEM_LINEAR                = 0x4e
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
+	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x40182103
@@ -313,6 +341,9 @@ const (
 	SO_CNX_ADVICE                    = 0x35
 	SO_COOKIE                        = 0x39
 	SO_DETACH_REUSEPORT_BPF          = 0x44
+	SO_DEVMEM_DMABUF                 = 0x4f
+	SO_DEVMEM_DONTNEED               = 0x50
+	SO_DEVMEM_LINEAR                 = 0x4e
 	SO_DOMAIN                        = 0x27
 	SO_DONTROUTE                     = 0x5
 	SO_ERROR                         = 0x4

vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go

@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x80088a02
+	EPIOCSPARAMS                     = 0x40088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
@@ -107,17 +109,21 @@ const (
 	HIDIOCGRAWINFO                   = 0x80084803
 	HIDIOCGRDESC                     = 0x90044802
 	HIDIOCGRDESCSIZE                 = 0x80044801
+	HIDIOCREVOKE                     = 0x4004480d
 	HUPCL                            = 0x400
 	ICANON                           = 0x2
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
+	IPV6_FLOWINFO_MASK               = 0xffffff0f
+	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
 	IXON                             = 0x400
 	MAP_32BIT                        = 0x40
+	MAP_ABOVE4G                      = 0x80
 	MAP_ANON                         = 0x20
 	MAP_ANONYMOUS                    = 0x20
 	MAP_DENYWRITE                    = 0x800
@@ -150,9 +156,14 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
 	NS_GET_PARENT                    = 0xb702
+	NS_GET_PID_FROM_PIDNS            = 0x8004b706
+	NS_GET_PID_IN_PIDNS              = 0x8004b708
+	NS_GET_TGID_FROM_PIDNS           = 0x8004b707
+	NS_GET_TGID_IN_PIDNS             = 0x8004b709
 	NS_GET_USERNS                    = 0xb701
 	OLCUC                            = 0x2
 	ONLCR                            = 0x4
@@ -229,6 +240,20 @@ const (
 	PPPIOCUNBRIDGECHAN               = 0x7434
 	PPPIOCXFERUNIT                   = 0x744e
 	PR_SET_PTRACER_ANY               = 0xffffffffffffffff
+	PTP_CLOCK_GETCAPS                = 0x80503d01
+	PTP_CLOCK_GETCAPS2               = 0x80503d0a
+	PTP_ENABLE_PPS                   = 0x40043d04
+	PTP_ENABLE_PPS2                  = 0x40043d0d
+	PTP_EXTTS_REQUEST                = 0x40103d02
+	PTP_EXTTS_REQUEST2               = 0x40103d0b
+	PTP_MASK_CLEAR_ALL               = 0x3d13
+	PTP_MASK_EN_SINGLE               = 0x40043d14
+	PTP_PEROUT_REQUEST               = 0x40383d03
+	PTP_PEROUT_REQUEST2              = 0x40383d0c
+	PTP_PIN_SETFUNC                  = 0x40603d07
+	PTP_PIN_SETFUNC2                 = 0x40603d10
+	PTP_SYS_OFFSET                   = 0x43403d05
+	PTP_SYS_OFFSET2                  = 0x43403d0e
 	PTRACE_ARCH_PRCTL                = 0x1e
 	PTRACE_GETFPREGS                 = 0xe
 	PTRACE_GETFPXREGS                = 0x12
@@ -276,10 +301,13 @@ const (
 	RTC_WIE_ON                       = 0x700f
 	RTC_WKALM_RD                     = 0x80287010
 	RTC_WKALM_SET                    = 0x4028700f
+	SCM_DEVMEM_DMABUF                = 0x4f
+	SCM_DEVMEM_LINEAR                = 0x4e
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
+	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x40182103
@@ -314,6 +342,9 @@ const (
 	SO_CNX_ADVICE                    = 0x35
 	SO_COOKIE                        = 0x39
 	SO_DETACH_REUSEPORT_BPF          = 0x44
+	SO_DEVMEM_DMABUF                 = 0x4f
+	SO_DEVMEM_DONTNEED               = 0x50
+	SO_DEVMEM_LINEAR                 = 0x4e
 	SO_DOMAIN                        = 0x27
 	SO_DONTROUTE                     = 0x5
 	SO_ERROR                         = 0x4

vendor/golang.org/x/sys/unix/zerrors_linux_arm.go

@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x80088a02
+	EPIOCSPARAMS                     = 0x40088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
@@ -106,12 +108,15 @@ const (
 	HIDIOCGRAWINFO                   = 0x80084803
 	HIDIOCGRDESC                     = 0x90044802
 	HIDIOCGRDESCSIZE                 = 0x80044801
+	HIDIOCREVOKE                     = 0x4004480d
 	HUPCL                            = 0x400
 	ICANON                           = 0x2
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
+	IPV6_FLOWINFO_MASK               = 0xffffff0f
+	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -148,9 +153,14 @@ const (
 	NFDBITS                          = 0x20
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
 	NS_GET_PARENT                    = 0xb702
+	NS_GET_PID_FROM_PIDNS            = 0x8004b706
+	NS_GET_PID_IN_PIDNS              = 0x8004b708
+	NS_GET_TGID_FROM_PIDNS           = 0x8004b707
+	NS_GET_TGID_IN_PIDNS             = 0x8004b709
 	NS_GET_USERNS                    = 0xb701
 	OLCUC                            = 0x2
 	ONLCR                            = 0x4
@@ -227,6 +237,20 @@ const (
 	PPPIOCUNBRIDGECHAN               = 0x7434
 	PPPIOCXFERUNIT                   = 0x744e
 	PR_SET_PTRACER_ANY               = 0xffffffff
+	PTP_CLOCK_GETCAPS                = 0x80503d01
+	PTP_CLOCK_GETCAPS2               = 0x80503d0a
+	PTP_ENABLE_PPS                   = 0x40043d04
+	PTP_ENABLE_PPS2                  = 0x40043d0d
+	PTP_EXTTS_REQUEST                = 0x40103d02
+	PTP_EXTTS_REQUEST2               = 0x40103d0b
+	PTP_MASK_CLEAR_ALL               = 0x3d13
+	PTP_MASK_EN_SINGLE               = 0x40043d14
+	PTP_PEROUT_REQUEST               = 0x40383d03
+	PTP_PEROUT_REQUEST2              = 0x40383d0c
+	PTP_PIN_SETFUNC                  = 0x40603d07
+	PTP_PIN_SETFUNC2                 = 0x40603d10
+	PTP_SYS_OFFSET                   = 0x43403d05
+	PTP_SYS_OFFSET2                  = 0x43403d0e
 	PTRACE_GETCRUNCHREGS             = 0x19
 	PTRACE_GETFDPIC                  = 0x1f
 	PTRACE_GETFDPIC_EXEC             = 0x0
@@ -282,10 +306,13 @@ const (
 	RTC_WIE_ON                       = 0x700f
 	RTC_WKALM_RD                     = 0x80287010
 	RTC_WKALM_SET                    = 0x4028700f
+	SCM_DEVMEM_DMABUF                = 0x4f
+	SCM_DEVMEM_LINEAR                = 0x4e
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
+	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x40182103
@@ -320,6 +347,9 @@ const (
 	SO_CNX_ADVICE                    = 0x35
 	SO_COOKIE                        = 0x39
 	SO_DETACH_REUSEPORT_BPF          = 0x44
+	SO_DEVMEM_DMABUF                 = 0x4f
+	SO_DEVMEM_DONTNEED               = 0x50
+	SO_DEVMEM_LINEAR                 = 0x4e
 	SO_DOMAIN                        = 0x27
 	SO_DONTROUTE                     = 0x5
 	SO_ERROR                         = 0x4

vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go

@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x80088a02
+	EPIOCSPARAMS                     = 0x40088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	ESR_MAGIC                        = 0x45535201
 	EXTPROC                          = 0x10000
@@ -87,6 +89,7 @@ const (
 	FICLONE                          = 0x40049409
 	FICLONERANGE                     = 0x4020940d
 	FLUSHO                           = 0x1000
+	FPMR_MAGIC                       = 0x46504d52
 	FPSIMD_MAGIC                     = 0x46508001
 	FS_IOC_ENABLE_VERITY             = 0x40806685
 	FS_IOC_GETFLAGS                  = 0x80086601
@@ -106,15 +109,19 @@ const (
 	F_SETOWN                         = 0x8
 	F_UNLCK                          = 0x2
 	F_WRLCK                          = 0x1
+	GCS_MAGIC                        = 0x47435300
 	HIDIOCGRAWINFO                   = 0x80084803
 	HIDIOCGRDESC                     = 0x90044802
 	HIDIOCGRDESCSIZE                 = 0x80044801
+	HIDIOCREVOKE                     = 0x4004480d
 	HUPCL                            = 0x400
 	ICANON                           = 0x2
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
+	IPV6_FLOWINFO_MASK               = 0xffffff0f
+	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -151,9 +158,14 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
 	NS_GET_PARENT                    = 0xb702
+	NS_GET_PID_FROM_PIDNS            = 0x8004b706
+	NS_GET_PID_IN_PIDNS              = 0x8004b708
+	NS_GET_TGID_FROM_PIDNS           = 0x8004b707
+	NS_GET_TGID_IN_PIDNS             = 0x8004b709
 	NS_GET_USERNS                    = 0xb701
 	OLCUC                            = 0x2
 	ONLCR                            = 0x4
@@ -197,6 +209,7 @@ const (
 	PERF_EVENT_IOC_SET_BPF           = 0x40042408
 	PERF_EVENT_IOC_SET_FILTER        = 0x40082406
 	PERF_EVENT_IOC_SET_OUTPUT        = 0x2405
+	POE_MAGIC                        = 0x504f4530
 	PPPIOCATTACH                     = 0x4004743d
 	PPPIOCATTCHAN                    = 0x40047438
 	PPPIOCBRIDGECHAN                 = 0x40047435
@@ -232,6 +245,20 @@ const (
 	PROT_BTI                         = 0x10
 	PROT_MTE                         = 0x20
 	PR_SET_PTRACER_ANY               = 0xffffffffffffffff
+	PTP_CLOCK_GETCAPS                = 0x80503d01
+	PTP_CLOCK_GETCAPS2               = 0x80503d0a
+	PTP_ENABLE_PPS                   = 0x40043d04
+	PTP_ENABLE_PPS2                  = 0x40043d0d
+	PTP_EXTTS_REQUEST                = 0x40103d02
+	PTP_EXTTS_REQUEST2               = 0x40103d0b
+	PTP_MASK_CLEAR_ALL               = 0x3d13
+	PTP_MASK_EN_SINGLE               = 0x40043d14
+	PTP_PEROUT_REQUEST               = 0x40383d03
+	PTP_PEROUT_REQUEST2              = 0x40383d0c
+	PTP_PIN_SETFUNC                  = 0x40603d07
+	PTP_PIN_SETFUNC2                 = 0x40603d10
+	PTP_SYS_OFFSET                   = 0x43403d05
+	PTP_SYS_OFFSET2                  = 0x43403d0e
 	PTRACE_PEEKMTETAGS               = 0x21
 	PTRACE_POKEMTETAGS               = 0x22
 	PTRACE_SYSEMU                    = 0x1f
@@ -272,10 +299,13 @@ const (
 	RTC_WIE_ON                       = 0x700f
 	RTC_WKALM_RD                     = 0x80287010
 	RTC_WKALM_SET                    = 0x4028700f
+	SCM_DEVMEM_DMABUF                = 0x4f
+	SCM_DEVMEM_LINEAR                = 0x4e
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
+	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x40182103
@@ -310,6 +340,9 @@ const (
 	SO_CNX_ADVICE                    = 0x35
 	SO_COOKIE                        = 0x39
 	SO_DETACH_REUSEPORT_BPF          = 0x44
+	SO_DEVMEM_DMABUF                 = 0x4f
+	SO_DEVMEM_DONTNEED               = 0x50
+	SO_DEVMEM_LINEAR                 = 0x4e
 	SO_DOMAIN                        = 0x27
 	SO_DONTROUTE                     = 0x5
 	SO_ERROR                         = 0x4

vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go

@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x80088a02
+	EPIOCSPARAMS                     = 0x40088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
@@ -107,12 +109,15 @@ const (
 	HIDIOCGRAWINFO                   = 0x80084803
 	HIDIOCGRDESC                     = 0x90044802
 	HIDIOCGRDESCSIZE                 = 0x80044801
+	HIDIOCREVOKE                     = 0x4004480d
 	HUPCL                            = 0x400
 	ICANON                           = 0x2
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
+	IPV6_FLOWINFO_MASK               = 0xffffff0f
+	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -152,9 +157,14 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
 	NS_GET_PARENT                    = 0xb702
+	NS_GET_PID_FROM_PIDNS            = 0x8004b706
+	NS_GET_PID_IN_PIDNS              = 0x8004b708
+	NS_GET_TGID_FROM_PIDNS           = 0x8004b707
+	NS_GET_TGID_IN_PIDNS             = 0x8004b709
 	NS_GET_USERNS                    = 0xb701
 	OLCUC                            = 0x2
 	ONLCR                            = 0x4
@@ -231,6 +241,20 @@ const (
 	PPPIOCUNBRIDGECHAN               = 0x7434
 	PPPIOCXFERUNIT                   = 0x744e
 	PR_SET_PTRACER_ANY               = 0xffffffffffffffff
+	PTP_CLOCK_GETCAPS                = 0x80503d01
+	PTP_CLOCK_GETCAPS2               = 0x80503d0a
+	PTP_ENABLE_PPS                   = 0x40043d04
+	PTP_ENABLE_PPS2                  = 0x40043d0d
+	PTP_EXTTS_REQUEST                = 0x40103d02
+	PTP_EXTTS_REQUEST2               = 0x40103d0b
+	PTP_MASK_CLEAR_ALL               = 0x3d13
+	PTP_MASK_EN_SINGLE               = 0x40043d14
+	PTP_PEROUT_REQUEST               = 0x40383d03
+	PTP_PEROUT_REQUEST2              = 0x40383d0c
+	PTP_PIN_SETFUNC                  = 0x40603d07
+	PTP_PIN_SETFUNC2                 = 0x40603d10
+	PTP_SYS_OFFSET                   = 0x43403d05
+	PTP_SYS_OFFSET2                  = 0x43403d0e
 	PTRACE_SYSEMU                    = 0x1f
 	PTRACE_SYSEMU_SINGLESTEP         = 0x20
 	RLIMIT_AS                        = 0x9
@@ -269,10 +293,13 @@ const (
 	RTC_WIE_ON                       = 0x700f
 	RTC_WKALM_RD                     = 0x80287010
 	RTC_WKALM_SET                    = 0x4028700f
+	SCM_DEVMEM_DMABUF                = 0x4f
+	SCM_DEVMEM_LINEAR                = 0x4e
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
+	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x40182103
@@ -307,6 +334,9 @@ const (
 	SO_CNX_ADVICE                    = 0x35
 	SO_COOKIE                        = 0x39
 	SO_DETACH_REUSEPORT_BPF          = 0x44
+	SO_DEVMEM_DMABUF                 = 0x4f
+	SO_DEVMEM_DONTNEED               = 0x50
+	SO_DEVMEM_LINEAR                 = 0x4e
 	SO_DOMAIN                        = 0x27
 	SO_DONTROUTE                     = 0x5
 	SO_ERROR                         = 0x4

vendor/golang.org/x/sys/unix/zerrors_linux_mips.go

@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x80
+	EPIOCGPARAMS                     = 0x40088a02
+	EPIOCSPARAMS                     = 0x80088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
@@ -106,12 +108,15 @@ const (
 	HIDIOCGRAWINFO                   = 0x40084803
 	HIDIOCGRDESC                     = 0x50044802
 	HIDIOCGRDESCSIZE                 = 0x40044801
+	HIDIOCREVOKE                     = 0x8004480d
 	HUPCL                            = 0x400
 	ICANON                           = 0x2
 	IEXTEN                           = 0x100
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
+	IPV6_FLOWINFO_MASK               = 0xfffffff
+	IPV6_FLOWLABEL_MASK              = 0xfffff
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -148,9 +153,14 @@ const (
 	NFDBITS                          = 0x20
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
 	NS_GET_PARENT                    = 0x2000b702
+	NS_GET_PID_FROM_PIDNS            = 0x4004b706
+	NS_GET_PID_IN_PIDNS              = 0x4004b708
+	NS_GET_TGID_FROM_PIDNS           = 0x4004b707
+	NS_GET_TGID_IN_PIDNS             = 0x4004b709
 	NS_GET_USERNS                    = 0x2000b701
 	OLCUC                            = 0x2
 	ONLCR                            = 0x4
@@ -227,6 +237,20 @@ const (
 	PPPIOCUNBRIDGECHAN               = 0x20007434
 	PPPIOCXFERUNIT                   = 0x2000744e
 	PR_SET_PTRACER_ANY               = 0xffffffff
+	PTP_CLOCK_GETCAPS                = 0x40503d01
+	PTP_CLOCK_GETCAPS2               = 0x40503d0a
+	PTP_ENABLE_PPS                   = 0x80043d04
+	PTP_ENABLE_PPS2                  = 0x80043d0d
+	PTP_EXTTS_REQUEST                = 0x80103d02
+	PTP_EXTTS_REQUEST2               = 0x80103d0b
+	PTP_MASK_CLEAR_ALL               = 0x20003d13
+	PTP_MASK_EN_SINGLE               = 0x80043d14
+	PTP_PEROUT_REQUEST               = 0x80383d03
+	PTP_PEROUT_REQUEST2              = 0x80383d0c
+	PTP_PIN_SETFUNC                  = 0x80603d07
+	PTP_PIN_SETFUNC2                 = 0x80603d10
+	PTP_SYS_OFFSET                   = 0x83403d05
+	PTP_SYS_OFFSET2                  = 0x83403d0e
 	PTRACE_GETFPREGS                 = 0xe
 	PTRACE_GET_THREAD_AREA           = 0x19
 	PTRACE_GET_THREAD_AREA_3264      = 0xc4
@@ -275,10 +299,13 @@ const (
 	RTC_WIE_ON                       = 0x2000700f
 	RTC_WKALM_RD                     = 0x40287010
 	RTC_WKALM_SET                    = 0x8028700f
+	SCM_DEVMEM_DMABUF                = 0x4f
+	SCM_DEVMEM_LINEAR                = 0x4e
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
+	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x80182103
@@ -313,6 +340,9 @@ const (
 	SO_CNX_ADVICE                    = 0x35
 	SO_COOKIE                        = 0x39
 	SO_DETACH_REUSEPORT_BPF          = 0x44
+	SO_DEVMEM_DMABUF                 = 0x4f
+	SO_DEVMEM_DONTNEED               = 0x50
+	SO_DEVMEM_LINEAR                 = 0x4e
 	SO_DOMAIN                        = 0x1029
 	SO_DONTROUTE                     = 0x10
 	SO_ERROR                         = 0x1007

vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go

@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x80
+	EPIOCGPARAMS                     = 0x40088a02
+	EPIOCSPARAMS                     = 0x80088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
@@ -106,12 +108,15 @@ const (
 	HIDIOCGRAWINFO                   = 0x40084803
 	HIDIOCGRDESC                     = 0x50044802
 	HIDIOCGRDESCSIZE                 = 0x40044801
+	HIDIOCREVOKE                     = 0x8004480d
 	HUPCL                            = 0x400
 	ICANON                           = 0x2
 	IEXTEN                           = 0x100
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
+	IPV6_FLOWINFO_MASK               = 0xfffffff
+	IPV6_FLOWLABEL_MASK              = 0xfffff
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -148,9 +153,14 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
 	NS_GET_PARENT                    = 0x2000b702
+	NS_GET_PID_FROM_PIDNS            = 0x4004b706
+	NS_GET_PID_IN_PIDNS              = 0x4004b708
+	NS_GET_TGID_FROM_PIDNS           = 0x4004b707
+	NS_GET_TGID_IN_PIDNS             = 0x4004b709
 	NS_GET_USERNS                    = 0x2000b701
 	OLCUC                            = 0x2
 	ONLCR                            = 0x4
@@ -227,6 +237,20 @@ const (
 	PPPIOCUNBRIDGECHAN               = 0x20007434
 	PPPIOCXFERUNIT                   = 0x2000744e
 	PR_SET_PTRACER_ANY               = 0xffffffffffffffff
+	PTP_CLOCK_GETCAPS                = 0x40503d01
+	PTP_CLOCK_GETCAPS2               = 0x40503d0a
+	PTP_ENABLE_PPS                   = 0x80043d04
+	PTP_ENABLE_PPS2                  = 0x80043d0d
+	PTP_EXTTS_REQUEST                = 0x80103d02
+	PTP_EXTTS_REQUEST2               = 0x80103d0b
+	PTP_MASK_CLEAR_ALL               = 0x20003d13
+	PTP_MASK_EN_SINGLE               = 0x80043d14
+	PTP_PEROUT_REQUEST               = 0x80383d03
+	PTP_PEROUT_REQUEST2              = 0x80383d0c
+	PTP_PIN_SETFUNC                  = 0x80603d07
+	PTP_PIN_SETFUNC2                 = 0x80603d10
+	PTP_SYS_OFFSET                   = 0x83403d05
+	PTP_SYS_OFFSET2                  = 0x83403d0e
 	PTRACE_GETFPREGS                 = 0xe
 	PTRACE_GET_THREAD_AREA           = 0x19
 	PTRACE_GET_THREAD_AREA_3264      = 0xc4
@@ -275,10 +299,13 @@ const (
 	RTC_WIE_ON                       = 0x2000700f
 	RTC_WKALM_RD                     = 0x40287010
 	RTC_WKALM_SET                    = 0x8028700f
+	SCM_DEVMEM_DMABUF                = 0x4f
+	SCM_DEVMEM_LINEAR                = 0x4e
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
+	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x80182103
@@ -313,6 +340,9 @@ const (
 	SO_CNX_ADVICE                    = 0x35
 	SO_COOKIE                        = 0x39
 	SO_DETACH_REUSEPORT_BPF          = 0x44
+	SO_DEVMEM_DMABUF                 = 0x4f
+	SO_DEVMEM_DONTNEED               = 0x50
+	SO_DEVMEM_LINEAR                 = 0x4e
 	SO_DOMAIN                        = 0x1029
 	SO_DONTROUTE                     = 0x10
 	SO_ERROR                         = 0x1007

vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go

@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x80
+	EPIOCGPARAMS                     = 0x40088a02
+	EPIOCSPARAMS                     = 0x80088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
@@ -106,12 +108,15 @@ const (
 	HIDIOCGRAWINFO                   = 0x40084803
 	HIDIOCGRDESC                     = 0x50044802
 	HIDIOCGRDESCSIZE                 = 0x40044801
+	HIDIOCREVOKE                     = 0x8004480d
 	HUPCL                            = 0x400
 	ICANON                           = 0x2
 	IEXTEN                           = 0x100
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
+	IPV6_FLOWINFO_MASK               = 0xffffff0f
+	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -148,9 +153,14 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
 	NS_GET_PARENT                    = 0x2000b702
+	NS_GET_PID_FROM_PIDNS            = 0x4004b706
+	NS_GET_PID_IN_PIDNS              = 0x4004b708
+	NS_GET_TGID_FROM_PIDNS           = 0x4004b707
+	NS_GET_TGID_IN_PIDNS             = 0x4004b709
 	NS_GET_USERNS                    = 0x2000b701
 	OLCUC                            = 0x2
 	ONLCR                            = 0x4
@@ -227,6 +237,20 @@ const (
 	PPPIOCUNBRIDGECHAN               = 0x20007434
 	PPPIOCXFERUNIT                   = 0x2000744e
 	PR_SET_PTRACER_ANY               = 0xffffffffffffffff
+	PTP_CLOCK_GETCAPS                = 0x40503d01
+	PTP_CLOCK_GETCAPS2               = 0x40503d0a
+	PTP_ENABLE_PPS                   = 0x80043d04
+	PTP_ENABLE_PPS2                  = 0x80043d0d
+	PTP_EXTTS_REQUEST                = 0x80103d02
+	PTP_EXTTS_REQUEST2               = 0x80103d0b
+	PTP_MASK_CLEAR_ALL               = 0x20003d13
+	PTP_MASK_EN_SINGLE               = 0x80043d14
+	PTP_PEROUT_REQUEST               = 0x80383d03
+	PTP_PEROUT_REQUEST2              = 0x80383d0c
+	PTP_PIN_SETFUNC                  = 0x80603d07
+	PTP_PIN_SETFUNC2                 = 0x80603d10
+	PTP_SYS_OFFSET                   = 0x83403d05
+	PTP_SYS_OFFSET2                  = 0x83403d0e
 	PTRACE_GETFPREGS                 = 0xe
 	PTRACE_GET_THREAD_AREA           = 0x19
 	PTRACE_GET_THREAD_AREA_3264      = 0xc4
@@ -275,10 +299,13 @@ const (
 	RTC_WIE_ON                       = 0x2000700f
 	RTC_WKALM_RD                     = 0x40287010
 	RTC_WKALM_SET                    = 0x8028700f
+	SCM_DEVMEM_DMABUF                = 0x4f
+	SCM_DEVMEM_LINEAR                = 0x4e
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
+	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x80182103
@@ -313,6 +340,9 @@ const (
 	SO_CNX_ADVICE                    = 0x35
 	SO_COOKIE                        = 0x39
 	SO_DETACH_REUSEPORT_BPF          = 0x44
+	SO_DEVMEM_DMABUF                 = 0x4f
+	SO_DEVMEM_DONTNEED               = 0x50
+	SO_DEVMEM_LINEAR                 = 0x4e
 	SO_DOMAIN                        = 0x1029
 	SO_DONTROUTE                     = 0x10
 	SO_ERROR                         = 0x1007

vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go

@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x80
+	EPIOCGPARAMS                     = 0x40088a02
+	EPIOCSPARAMS                     = 0x80088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
@@ -106,12 +108,15 @@ const (
 	HIDIOCGRAWINFO                   = 0x40084803
 	HIDIOCGRDESC                     = 0x50044802
 	HIDIOCGRDESCSIZE                 = 0x40044801
+	HIDIOCREVOKE                     = 0x8004480d
 	HUPCL                            = 0x400
 	ICANON                           = 0x2
 	IEXTEN                           = 0x100
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
+	IPV6_FLOWINFO_MASK               = 0xffffff0f
+	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -148,9 +153,14 @@ const (
 	NFDBITS                          = 0x20
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
 	NS_GET_PARENT                    = 0x2000b702
+	NS_GET_PID_FROM_PIDNS            = 0x4004b706
+	NS_GET_PID_IN_PIDNS              = 0x4004b708
+	NS_GET_TGID_FROM_PIDNS           = 0x4004b707
+	NS_GET_TGID_IN_PIDNS             = 0x4004b709
 	NS_GET_USERNS                    = 0x2000b701
 	OLCUC                            = 0x2
 	ONLCR                            = 0x4
@@ -227,6 +237,20 @@ const (
 	PPPIOCUNBRIDGECHAN               = 0x20007434
 	PPPIOCXFERUNIT                   = 0x2000744e
 	PR_SET_PTRACER_ANY               = 0xffffffff
+	PTP_CLOCK_GETCAPS                = 0x40503d01
+	PTP_CLOCK_GETCAPS2               = 0x40503d0a
+	PTP_ENABLE_PPS                   = 0x80043d04
+	PTP_ENABLE_PPS2                  = 0x80043d0d
+	PTP_EXTTS_REQUEST                = 0x80103d02
+	PTP_EXTTS_REQUEST2               = 0x80103d0b
+	PTP_MASK_CLEAR_ALL               = 0x20003d13
+	PTP_MASK_EN_SINGLE               = 0x80043d14
+	PTP_PEROUT_REQUEST               = 0x80383d03
+	PTP_PEROUT_REQUEST2              = 0x80383d0c
+	PTP_PIN_SETFUNC                  = 0x80603d07
+	PTP_PIN_SETFUNC2                 = 0x80603d10
+	PTP_SYS_OFFSET                   = 0x83403d05
+	PTP_SYS_OFFSET2                  = 0x83403d0e
 	PTRACE_GETFPREGS                 = 0xe
 	PTRACE_GET_THREAD_AREA           = 0x19
 	PTRACE_GET_THREAD_AREA_3264      = 0xc4
@@ -275,10 +299,13 @@ const (
 	RTC_WIE_ON                       = 0x2000700f
 	RTC_WKALM_RD                     = 0x40287010
 	RTC_WKALM_SET                    = 0x8028700f
+	SCM_DEVMEM_DMABUF                = 0x4f
+	SCM_DEVMEM_LINEAR                = 0x4e
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
+	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x80182103
@@ -313,6 +340,9 @@ const (
 	SO_CNX_ADVICE                    = 0x35
 	SO_COOKIE                        = 0x39
 	SO_DETACH_REUSEPORT_BPF          = 0x44
+	SO_DEVMEM_DMABUF                 = 0x4f
+	SO_DEVMEM_DONTNEED               = 0x50
+	SO_DEVMEM_LINEAR                 = 0x4e
 	SO_DOMAIN                        = 0x1029
 	SO_DONTROUTE                     = 0x10
 	SO_ERROR                         = 0x1007