The following patches are queued for QEMU stable v10.2.3: https://gitlab.com/qemu-project/qemu/-/commits/staging-10.2
Patch freeze is 2026-05-22, and the release is planned for 2026-05-24: https://wiki.qemu.org/Planning/10.2 Please respond here or CC [email protected] on any additional patches you think should (or shouldn't) be included in the release. The changes which are staging for inclusion, with the original commit hash from master branch, are given below the bottom line. Thanks! /mjt -------------------------------------- 01* b83a42dc779a Peter Maydell: hw/net/rtl8319: Work around GCC sanitizer / -Wstringop-overflow bug 02* 2ff529c6f64b Razvan Ghiorghe: linux-user: Fix zero_bss for RX PT_LOAD segments 03* 5e5b278d2b1b Razvan Ghiorghe: linux-user: fix mremap with old_size=0 for shared mappings 04* 37c9f6fce5c5 Peter Maydell: hw/dma/pl080: Handle bogus swidth and dwidth in transfers 05* b6e61d1cc3bf Tao Ding: hw/dma/pl080: Update interrupts after pl080_run() 06* f9b16f791502 Tao Ding: hw/dma/pl080: Ignore bottom 2 bits of LLI register 07* 2741d2cc3903 Sergei Heifetz: target/i386: fix NULL pointer dereference in legacy-cache=off handling 08* 48221e371686 Pierrick Bouvier: contrib/plugins/uftrace.c: fix depth for exit events 09* 9c8430f5d651 Alberto Garcia: throttle-group: Fix race condition in throttle_group_restart_queue() 10* 9ac85f4cc799 Fiona Ebner: block/mirror: fix assertion failure upon duplicate complete for job using 'replaces' 11* a16d4c2f162a Shivang Upadhyay: ppc/pnv: fix dumpdtb option 12* ba48bff09fa1 Shivang Upadhyay: ppc/pnv: generate dtb after machine initialization is complete 13* c20f143cc9fb Fabiano Rosas: io: Fix TLS bye task leak 14* 6f23dde620ef Fiona Ebner: ui/vdagent: add migration blocker when machine version < 10.1 15* c035d5eadf40 Marc-André Lureau: virtio-gpu: fix overflow check when allocating 2d image 16* 556817773849 Max Chou: target/riscv: rvv: Fix missing flags merge in probe_pages for cross-page accesses 17* 0e8ad6a8460f Max Chou: target/riscv: rvv: Fix page probe issues in vext_ldff 18* 6257754bb9b0 Paolo Bonzini: rust: suggest passing --locked to "cargo install" 19* 129922c2bc39 Jenny Guanni Qu: hw/usb/hcd-ohci: check for MPS=0 to avoid infinite loop 20* bc72b2996c0b Davidlohr Bueso: hw/cxl: Respect Media Operation max ops discovery semantics 21* 20beec283b95 Davidlohr Bueso: hw/cxl: Exclude Discovery from Media Operation Discovery output 22* fa4a759fc1e1 Cédric Le Goater: hw/net/ftgmac100: Improve DMA error handling 23* 80c5be945877 Cédric Le Goater: hw/ssi/aspeed_smc: Convert mem ops to read/write_with_attrs for error handling 24* 32ebd6c09c18 Jose Martins: target/arm: fix s2prot not set for two-stage PMSA translations 25* 0376e9c2dd1f Peter Maydell: linux-user/i386/signal.c: Correct definition of target_fpstate_32 26* 5a2fa06b0957 Tao Ding: hw/dma/pl080: Fix transfer logic in PL080 27* cc03b62df47a Hanna Czenczek: linux-aio: Put all parameters into qemu_laiocb 28* 7eca3d4883be Hanna Czenczek: linux-aio: Resubmit tails of short reads/writes 29* 51fc8443c122 GuoHan Zhao: block/curl: free s->password in cleanup paths 30* f093ee7ac3af Paolo Bonzini: tdx: fix use-after-free in tdx_fetch_cpuid 31* cb1e8c18df62 Jenny Guanni Qu: hw/audio/sb16: validate VMState fields in post_load 32* 539421a428fd Richard Henderson: tcg: Pass host-endian values to plugin_gen_mem_callbacks_* 33* 55720ba97d21 Pankaj Raghav: hw/nvme: re-enable wzds bit in namespace dlfeat 34* eb5cc99aff17 Kaixuan Li: hw/nvme: fix heap-buffer-overflow in nvme_abort 35* b5abb655fab6 Peter Maydell: scripts/qemu-guest-agent/fsfreeze-hook: Avoid bash-isms 36* 65b9f4791c24 Peter Maydell: scripts/qemu-guest-agent/fsfreeze-hook: Avoid use of PIPESTATUS 37* 08497afcb2a7 Peter Maydell: scripts/qemu-guest-agent/fsfreeze-hook: Fix syslog-fallback logic 38* 4862d2c95104 Paolo Bonzini: lsi53c895a: keep a reference to the device while SCRIPTS execute 39* 64807c84e83f Paolo Bonzini: lsi53c895a: do not do anything else if a reset is requested by writing ISTAT0 40* 1ca38f84e194 Paolo Bonzini: lsi53c895a: keep lsi_request and SCSIRequest in local variables 41* 7c7aaaa342b5 Paolo Bonzini: lsi53c895a: keep lsi_request alive as long as the SCSIRequest 42* d459131ff590 Paolo Bonzini: lsi53c895a: keep SCSIRequest alive during DMA 43* 31b8d287b7fe Zenghui Yu: target/arm: Don't skip access flag fault for AccessType_AT 44* a0721c099b71 Peter Maydell: hw/net/rocker: Avoid double-free of l2_flood.group_ids 45* 3cae0b46be54 Marc-André Lureau: ui/vnc-jobs: fix VncRectEntry leak on job cleanup 46* 59c1d3113668 Kevin Wolf: ide: Fix potential assertion failure on VM stop for PIO read error 47* ccc613f96c66 Kevin Wolf: scsi: Don't consider LOGICAL UNIT NOT SUPPORTED guest recoverable 48* fc1a2ec7da53 hongmianquan: monitor: Fix deadlock in monitor_cleanup 49* 17fbf3e18c3d Daniel P. Berrangé: util: fix missing aio_wait sym in qemu guest agent only build 50* 813dbe869f4f Richard Henderson: accel/tcg: Don't pass NULL to get_page_addr_code_hostp 51* 0039e5fd2234 Richard Henderson: accel/tcg: Fix uninitialized hostp in get_page_addr_code_hostp 52* ad7a005d672a Peter Maydell: include: Don't include guest-host.h in cpu-ldst.h 53* 8330da591ef6 Peter Maydell: include/user/guest-host.h: Provide g2h etc for both abi_ptr and vaddr 54* 22966937f413 Clayton Craft: linux-user: fix name_to_handle_at when AT_HANDLE_MNT_ID_UNIQUE flag is set 55* 9b7d64686b82 Sun Haoyu: linux-user: update select timeout writeback 56* fa6dfcc373c2 Sun Haoyu: linux-user: Make openat2() use -L for absolute paths 57* 7e966ef38f58 Nicholas Piggin: bsd-user, linux-user: signal: recursive signal delivery fix 58* 84771c64a5ae Peter Maydell: target/arm: do_ats_write(): avoid assertion when ptw failed 59* 566594f10873 Alex Bennée: target/arm: fix fault_s1ns for stage 2 faults 60* 4e4832dd72db Nguyen Dinh Phi: util/readline: Fix out-of-bounds access in readline_insert_char(). 61* 34f66fdfd285 Paolo Bonzini: rust: hide panicking default associated constants from rustdoc 62* 799713029354 Paolo Bonzini: virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare 63* af74c9e46bb5 Gerd Hoffmann: hw/uefi: fix heap overflow (CVE-2026-5744) 64* 4e6fb62fb0f3 Dietmar Maurer: qemu-keymap: fix altgr modifier lookup for newer xkeyboard-config 65* 4913ae36f979 Stefan Hajnoczi: virtio-blk: fix zone report buffer out-of-memory (CVE-2026-5761) 66* f1b1db98cc3b Bernhard Beschow: util/cutils: Fix heap corruption under Windows 67* 7437b3eab6af Werner de Carne: serial COM: windows serial COM PollingFunc don't sleep 68* 52cf667ed228 GuoHan Zhao: ui/spice-app: detect runtime directory creation failures 69* 181fdf8a7e13 Marc-André Lureau: ui/console-vc: fix off-by-one in CSI J 2 (clear entire screen) 70* 027ad866bd29 Pierrick Bouvier: target/arm/tcg/translate.c: remove MO_TE usage 71* 87e1226e6f68 Marc-André Lureau: target/i386: fix strList leak in x86_cpu_get_unavailable_features 72* 3eae91a8b93a Simon Scherer: target/i386: fix missing PF_INSTR in SIGSEGV context 73* 76ad26dd172d Paolo Bonzini: target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit mode 74* 79bc17718677 Stepan Popov: meson: add missing semicolon in pthread_condattr_setclock test 75* 30fad722ce68 Alex Bennée: hw/display: don't accidentally autofree existing virgl resources 76* d41ce10d0f5a Vladimir Sementsov-Ogievskiy: migration: vmstate_save_state_v: fix double error_setg 77* c0306d2b8f45 Thomas Huth: hw/misc: Fix the valid access size to the avr-power device 78* 3ab47a47d716 Thomas Huth: hw/sh4/sh7750: Remove forgotten abort() in the MM_ITLB_DATA handler 79* 654dce6c5236 Matt Turner: linux-user/ppc: Fix ppc64 rt_sigframe stack offset 80* 029f10e85278 Yixin Wei: linux-user: fix off-by-one in host_to_target_for_each_rtattr() 81* 93484c768f2b Gyorgy Tamasi: linux-user: Don't define target_stat64 struct for loongarch64 82* c8ea1759009a Richard Henderson: linux-user/arm/nwfpe: Replace user_registers with current_cpu 83* 784f1dde90df Richard Henderson: linux-user/arm/nwfpe: Use thread-local storage for qemufpa 84* 1730e6f33f97 Alistair Francis: linux-user/strace: Use pointer type for read and write values 85* 4c681ba3b82d James Hilliard: linux-user/mips: sync k0 TLS for EF_MIPS_MACH_OCTEON userlands 86* 8b60ed835478 Helge Deller: linux-user: Define SO_TIMESTAMP*_NEW and SO_RCVTIMEIO_NEW 87* edb4588309a7 Helge Deller: linux-user: Add setsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW 88* 07c7decaa54a Helge Deller: linux-user: Add getsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW 89* b03a6ac6fa5d Helge Deller: linux-user: Fix CLONE_PARENT_SETTID when using fork-like clone 90* e2af3eadc09b Helge Deller: linux-user: Use abi_int for imr_ifindex in ip_mreqn struct 91* 9e7734ead149 Helge Deller: linux-user: Flush errors by using exit() instead of _exit() in error path 92* 4cb2f91773e8 Yicong Yang: hw/riscv/virt-acpi-build.c: Use kvm timer frequency when kvm enabled 93* b2e874bfec59 Sebastián Alba Vives: target/riscv: fix stale ptshift and base on page walk restart 94* d5b33fc180f5 Sebastián Alba Vives: hw/intc: fix heap OOB in ACLINT MTIMER multi-socket 95* 14808578ccbc Munkhbaatar Enkhbaatar: riscv_htif: reject invalid signature ranges (end <= begin) 96* d107b748072c Alistair Francis: target/riscv: Generate access fault if sc comparison fails 97* 175afdb0d155 Alistair Francis: target/riscv: Don't OR mip.SEIP when mvien is one 98* 5dcc64828dc7 Alistair Francis: target/riscv: Use ELEN for Fractional LMUL check 99* dcb6e96257ee Helge Deller: linux-user: Add missing CDROM ioctls 100 9fb681792d65 Helge Deller: linux-user: Flush errors by using exit() instead of _exit() in error path 101 08dc3e240fc0 Helge Deller: linux-user: Allow getsockopt() with NULL optval address 102 9667bf324925 Helge Deller: linux-user: Translate errno in IP_RECVERR and IPV6_RECVERR 103 1aee8067fce9 kiki: hw/intc/xics: Add a check for an invalid server id 104 7a05be8c70bb Cédric Le Goater: tests/rcutorture: Fix build error 105 774e6f5c1533 Vivien LEGER: hw/ppc/e500: fix bus-frequency property hardcoded to zero in CPU FDT node 106 a7f27d6903b3 宋文武: hw/net/allwinner-sun8i-emac: Flush queued packets when rx is enabled 107 f35f0f1ca121 liugan1: hw/intc/arm_gicv3: Fix NS write to ICC_AP1Rn_EL1 when prebits < 7 108 455a6167f254 Peter Xu: migration: Fix low possibility downtime violation 109 41c417290df9 Philippe Mathieu-Daudé: target/microblaze: Fix endianness used to disassemble 110 f443b6876362 Peter Maydell: target/arm: Report IL=0 for Thumb 16-bit BKPT insn 111 18b664c90085 Peter Maydell: hw/misc/bcm2835_rng: Specify valid memory access sizes 112 f252769a23e6 Gerd Hoffmann: hw/uefi: fix buffer overruns 113 94d9a8b2c9e6 Gerd Hoffmann: hw/uefi: verify pio_xfer_offset before calculating buffer checksum 114 5247b3034c23 Gerd Hoffmann: hw/uefi: fix ucs2 string helper functions 115 c45b460d16f9 Gerd Hoffmann: hw/uefi: add name_size check to uefi_vars_mm_lock_variable() 116 22b7b222d8f5 Gerd Hoffmann: hw/uefi: verify data size before accessing it in wrap_pkcs7 117 b4680c02b8e8 Gerd Hoffmann: hw/uefi: avoid possibly unaligned variable_auth_2 struct field access 118 b33fd8ab1caa Gerd Hoffmann: hw/uefi: check auth.hdr_length minimum size 119 332ea2978780 Jeuk Kim: hw/ufs: Validate MCQ SQ references before use 120 283d921e771e Jeuk Kim: hw/ufs: Guard MCQ CQ accesses against missing queues 121 4a909c00b9e1 Jeuk Kim: hw/ufs: Reject zero-depth MCQ queues 122 619c2da19a05 Jeuk Kim: hw/ufs: Keep MCQ SQs alive while requests are outstanding 123 042dbcff8382 Jeuk Kim: hw/ufs: Zero reserved bytes in REPORT LUNS response header 124 aefeecb413a8 Peter Maydell: hw/display/cirrus_vga: Fix packed-24 color-expansion transparent pattern fills 125 27d14251b904 Peter Maydell: hw/display/cirrus_vga: Fix packed-24 color-expansion transparent copies 126 ff36712da5ae Kane Chen: hw/misc/aspeed_sbc: Add bounds checking for OTP write operations 127 534a52755bef Cédric Le Goater: aspeed/hace: Fix out-of-bounds read in has_padding() 128 c6aa2d0ac161 Cédric Le Goater: aspeed/hace: Prevent total_req_len overflow 129 a824f3531a44 Peter Maydell: hw/i2c/microbit_i2c: Don't index off end of twi_read_sequence[] 130 a163fc1f864b Peter Maydell: meson.build: Add -fzero-init-padding-bits=all 131 039b057c09c6 Peter Maydell: tests/functional/qemu_test/asset.py: Don't use setxattr when it doesn't exist 132 2293d8b4bd88 Klaus Jensen: hw/nvme: fix admin cq msix setup 133 6b5aef7cac9d Helge Deller: linux-user: Fix AT_EXECFN in AUXV for symlinked programs 134 c3176e645774 Matt Turner: linux-user/sh4: Fix target_ucontext tuc_link field type 135 9ac5aa722721 Matt Turner: linux-user/sh4: Fix setup_sigtramp to match Linux kernel trampoline pattern 136 d5e4090177ad Kevin Wolf: blkdebug: Add 'delay-ns' option 137 34a67637767d Kevin Wolf: block: Add blk_co_start/end_request() and BDRV_REQ_NO_QUEUE 138 53074ba0330a Kevin Wolf: block: Add flags parameter to blk_*_pdiscard() 139 095c08a7ba68 Kevin Wolf: ide: Minimal fix for deadlock between TRIM and drain 140 c1c71a7e167f Kevin Wolf: ide: Clean up ide_trim_co_entry() to be idiomatic coroutine code 141 92854c9c7539 Kevin Wolf: ide-test: Factor out wait_dma_completion() 142 2fa24e975599 Kevin Wolf: ide-test: Test reset during TRIM 143 a1310cc6281d Kevin Wolf: block: Create DEFAULT_BLOCK_CONF macro 144 f27aea189633 Kevin Wolf: block: Add more defaults to DEFAULT_BLOCK_CONF 145 f0d9ccd46cf8 Kevin Wolf: commit: Drain nodes across all of bdrv_commit() 146 7f8466e2ce62 Kevin Wolf: qemu-io: Add 'aio_discard' command 147 b8bfb1478d61 Kevin Wolf: qcow2: Fix corruption on discard during write with COW 148 389f5bcc744d Kevin Wolf: iotests/046: Test that discard/write_zeroes wait for dependencies 149 e3082ab3b385 Denis V. Lunev: block/graph-lock: fix missed wakeup in bdrv_graph_co_rdunlock() (commit(s) marked with * were in previous series and are not resent)
