Accepted qemu 1:11.0.2+ds-1 (source) into unstable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 28 Jun 2026 08:03:05 +0300
Source: qemu
Architecture: source
Version: 1:11.0.2+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Closes: 1139923
Changes:
 qemu (1:11.0.2+ds-1) unstable; urgency=medium
 .
   [ Michael Tokarev ]
   * new upstream stable/bugfix release:
     - Update version for 11.0.2 release
     - linux-user: Fix AT_PHDR when program headers are relocated
       into their own segment
     - hw/pci: Replace assert with bounds check and return
     - ppc/pnv_phb3: Error out on invalid config access
     - linux-user/xtensa: fix unlock of uninitialized frame pointer on sigreturn
     - linux-user/xtensa: save/restore FP registers across signal delivery
     - target/xtensa: add cpu_set_fcr/fsr helpers to sync fp_status
     - target/arm/hvf: Stop pre-allocating cpreg_vmstate arrays
     - ui/sdl2: Set GL ES profile before creating initial GL context
     - ui/sdl2: Explicitly specify EGL platform
     - hw/9pfs: reject . and .. in Twstat rename
     - hw/9pfs: fix abort due to illegal name with Twstat rename
     - gdbstub: Update x86 control register bits
     - target/i386: apply mod to immediate count of an RCL/RCR operation
     - hw/uefi: fix parse_hexstr
       (Closes: CVE-2026-48915)
     - target/riscv: mask vxrm csrw write to the low 2 bits
     - disas/riscv.c: fix inst_length()
     - target/riscv/tcg: disable svnapot if satp_mode < sv39
     - target/riscv/cpu_helper.c: add PMA access fault
     - target/riscv/cpu_helper.c: fault with reserved PTE.PBMT val
     - target/riscv/insn_trans/trans_rvzicbo.c.inc: save opcode before helpers
     - disas/riscv.c: add 'cbo' insns to disassembler
     - target/riscv/csr.c: fix mstatus.UXL reserved value
     - target/riscv/csr.c: do not allow mstatus MPV/GVA writes
     - target/riscv/tcg: disable svpbmt if satp_mode < sv39
     - target/riscv/cpu_helper.c: allow LOAD_ADDR_MIS promotion to AMO fault
     - virtio: Allow to fill a whole virtqueue in order
     - amd_iommu: Reject non-decreasing NextLevel in fetch_pte()
     - amd_iommu: Follow root pointer before page walk and use 1-based levels
     - libvduse: fix buffer overflow in vduse_queue_read_indirect_desc()
       (Closes: CVE-2026-6425)
     - libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc()
       (Closes: CVE-2026-6425)
     - tests/qtest: Add amd-iommu command buffer head wrap test
     - amd_iommu: Update command buffer head ptr in MMIO region after wraparound
     - amd_iommu: restrict command buffer head/tail ranges to ring size
     - linux-user: add preadv2/preadv2
     - system/rtc: Fix a possible year-2038 integer overflow problem
     - linux-user/strace: add fsmount series of syscalls
     - linux-user: implement fsmount(2) series of syscalls
     - fpu: Handle all rounding modes in partsN_uncanon_normal
     - hw/usb/hcd-ohci: Clean up USBPacket before freeing ISO TD packet
     - qed: Don't try to flush during incoming migration
     - iotests: test shared mmap for fuse export
     - block/export/fuse: set FUSE_DIRECT_IO_ALLOW_MMAP flag to fix regression
     - block/export/fuse: use struct fuse_init_in
     - qcow2: Fix data loss on zero write with detect-zeroes=unmap
     - iotests/046: Test that discard/write_zeroes wait for dependencies
     - qcow2: Fix corruption on discard during write with COW
     - qemu-io: Add 'aio_discard' command
     - virtio-blk: add missing VIRTIO_BLK_T_SCSI_CMD size check
       (Closes: #1139923, CVE-2026-48914)
     - block/io: fallback to bounce buffer if BLKZEROOUT is not supported
       because of alignment
     - hw/i3c: fix CMD/data FIFO depth reset values to match real silicon
     - s390x/pci: Fix interrupt forwarding disable for interpreted devices
     - target/s390x: Make container ids in SysIB_15x 1-based
     - lcitool: remove Cirrus CI support
     - gitlab: remove x64-freebsd-14-build Cirrus job
     - gitlab: add initial MacOS 15 on gitlab runner
     - ci: drop cirrus MacOS build
     - tests/unit: add test-envlist covering setenv/unsetenv name matching
     - util/envlist: fix prefix-match in envlist_unsetenv() name lookup
     - 9pfs: fix missing rename lock in v9fs_co_readdir_many
       (Closes: CVE-2026-48004)
     - tests/9pfs: add deep absolute path test
     - tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool reset
     - hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path()
       handle errors
     - hw/9pfs: add error handling to v9fs_fix_path()
     - hw/9pfs: change V9fsPath.size to size_t and v9fs_path_sprintf()
       return type
     - hw/9pfs: add NULL check in v9fs_path_is_ancestor()
     - linux-user/s390x: restore fpu_status rounding mode from FPC on sigreturn
     - linux-user/sh4: restore FP rounding mode on sigreturn
     - linux-user/sh4: preserve T/M/Q bits across signal delivery
     - linux-user/mips: save/restore FCSR across signal delivery
     - linux-user/ppc: restore fp_status from FPSCR on sigreturn
     - hw/net/rocker_of_dpa: Avoid unaligned accesses in _of_dpa_flow_match()
     - hw/net/rocker_of_dpa: Check group ID pointers are not NULL
     - target/arm: SME BFCVT, BFCVTN have "Alternate BFloat16 behaviors"
     - target/arm: Don't assert if 64-bit EL2 AT insn sees a Domain fault
     - target/arm: Enable REVD for SVE2.1
     - vfio/container: Restrict dma_map_file() to shared RAM or RAM devices
     - vfio-user: reject zero migration page size capability
     - vfio-user: reject zero DMA page size capability
     - target/arm: Set correct fp flags for FLOGB when FPCR.AH = 1
     - target/arm: Use FPST_A64_F16 for SVE FCVTLT_hs
     - target/arm: SVE2 FMAXP, FMINP must honour AH=1
     - block/linux-aio: bound ioq_submit() recursion depth
     - mc146818rtc: Fix get_guest_rtc_ns() overflow bug
     - apic: fix delivery bitmask with modified xAPIC ids
     - lsi53c895a: clear tag byte when processing messages
     - lsi53c895a: fix use-after-free of cancelled request
     - ui: fix validation of VNC extended clipboard data length
       (Closes: CVE-2026-8343)
     - ui/vnc: fix OOB read updating VNC update frequency stats
       (Closes: CVE-2026-48003)
     - ui/vnc: fix OOB write in lossy rect worker code
       (Closes: CVE-2026-48002)
     - ui/vnc: fix OOB write in VNC stats array
       (Closes: CVE-2026-48002)
     - ui/vnc: fix OOB read access in VNC SASL mechname array
     - linux-user/mips64: fix mipsn32 elf_core_copy_regs entry width
     - linux-user/mips64: fix elf_core_copy_regs register layout in core files
     - target/riscv: Make hpmcounterh return the upper 32-bits
     - target/riscv/csr.c: fix read of pmpaddr(0-63) CSRs
     - target/riscv: clear mseccfg on reset for all dependent extensions
     - target/riscv: Update the local interrupt mask
     - target/riscv: Add mseccfg to VMStateDescription
     - target/riscv/pmp: Fix integer overflow in TOR and NA4 address computation
     - target/riscv: Fix medeleg[11] read-only zero bit for M-mode ECALL
     - hw/char: Check interrupt after txctrl register is written
     - target/riscv: rvv: Handle source overlap of vector widening reduction
       instructions
     - target/riscv: Allow mseccfg access based on ext_zicfilp
     - hw/riscv/riscv-iommu: Fix Svnapot 64KB pages
     - target/riscv: Update MISA.X for non-standard extensions
     - target/riscv: Update MISA.C for Zc* extensions
     - crypto: fix client side anonymous TLS credentials
   * tcg-loongarch64-Fix-cmp_vec-with-TCG_COND_NE.patch
 .
   [ Miao Wang ]
   * tests/test-qemu-user.sh: also test qemu-loong64
   * tests/test-qemu-user.sh: skip armhf when page size is large than 4K
Checksums-Sha1:
 173359d911e5560b89a5b959a36b64fda788197d 10043 qemu_11.0.2+ds-1.dsc
 7b83162c237941bcdfbb3631de732e69ad19d685 38818356 qemu_11.0.2+ds.orig.tar.xz
 b6786db584c5fcaa3345f2ed9ea76e1f5fa998e7 129480 qemu_11.0.2+ds-1.debian.tar.xz
 c35ed23298262edd4a31a550a72497f8aa281459 8327 qemu_11.0.2+ds-1_source.buildinfo
Checksums-Sha256:
 eb43364cb7f89d3275432f64f7574e90194c19e9200a4420361d146e8edab2ea 10043 qemu_11.0.2+ds-1.dsc
 1ebd5dabcf4f279a3a9a0a29fe9c068239cff0c2c1f0f0af222e6d7bc8f59a56 38818356 qemu_11.0.2+ds.orig.tar.xz
 0ee92e89d5255b640e7f3a72d98061ac62d81043a9dad4032389f6c3edb44269 129480 qemu_11.0.2+ds-1.debian.tar.xz
 6e23b69069f2a2d3436b1e6a4d8baab2730a938075ab0630e8bccebfb4c1dfbd 8327 qemu_11.0.2+ds-1_source.buildinfo
Files:
 8b266cba6b0b59b5d7800fc6c36ce195 10043 otherosfs optional qemu_11.0.2+ds-1.dsc
 bc7b9483bf1471ff926a87ec071552d1 38818356 otherosfs optional qemu_11.0.2+ds.orig.tar.xz
 addad74df591d5693142919c66b89a4b 129480 otherosfs optional qemu_11.0.2+ds-1.debian.tar.xz
 72634a886e5743768d303aba32a6c4ca 8327 otherosfs optional qemu_11.0.2+ds-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

wsG7BAEBCgBvBYJqQKw/CRCCqkokOx6UeEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u
cy5zZXF1b2lhLXBncC5vcmfkHQpZwUWhar7QXvwVjnYEyEkRP+6yDZra3eptSqdI
sxYhBGSqKrUx1WkDNmv++YKqSiQ7HpR4AAACkBAAj+psYgB+aNSlxPADmzw7B/tV
B7orrlTQUWO45BOaXszSADOCTM611SsbQnRstiYt9T2wByF+Zbi4RSOupKF7ka/B
VwEke8vt0McMMm7dtpxZ5WASXlyl5DJtf0yDaHei75rzs7HPWMaOvm1M1Rv2VFda
zGdrBWflB5urCGntFPSNkhWEmfEgpOU/2Q6rSTCaJbkkwy4qd9tVkmKycjrPTFCI
9hmlx7vEcpSXqSu5+PFM7suQYWyuGuP4GafHdF0bGuKMzQT4Ph0bfe5m7KlB8uw9
k4/YMCcVkaAfKJIv+am9w6Pmmv0qSYcD1AWIweQxQlChPLJk2+rrPLN6+FkOKxKI
+Gh2yoEHqwHa8BkuFn79K6knICn9sPqIxwME/F0xgOF7PDHzXnxvwyObtAL5AqpN
F1wYYPjjNeP/b6zEZBYDmMM0RtwL4TZFFKU5lQv0Y78Qw59rhF0XFOc9Y1RcjBaj
CedDzSVN8c5S//mCxz0s7PKxVRRF6sruRVuX4rKnbv/wtABPEcxt2Am6XYKWfLxM
X+/EvQe1H4NExUL05+HhrWYP3HCuuYg0TrOTpnRy/uxBUYGXuSAEdmrsDR0aXPWj
h/TzfXEXYglDwSR+mmcSkqzSbEclWG1gXGtWTzdEWHN9xJZn0hOjikgQtjEHzLAQ
UH9S6GDctiQp5klOmLo=
=6EwQ
-----END PGP SIGNATURE-----