[Stable-7.2.21 v2 00/18] Patch Round-up for stable 7.2.21, freeze on 2025-10-06 (frozen)

[Stable-7.2.21 v2 00/18] Patch Round-up for stable 7.2.21, freeze on 2025-10-06 (frozen)

[Michael Tokarev]

The following patches are queued for QEMU stable v7.2.21:

  https://gitlab.com/qemu-project/qemu/-/commits/staging-7.2

Patch freeze is 2025-10-06 (frozen), and the release is planned for 2025-10-08:

  https://wiki.qemu.org/Planning/7.2

Please respond here or CC qemu-stable@nongnu.org on any additional patches
you think should (or shouldn't) be included in the release.

The changes which are staging for inclusion, with the original commit hash
from master branch, are given below the bottom line.

Thanks!

/mjt

--------------------------------------
01* 3c3c233677d4 David Hubbard:
   hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or OUT
02* a11d1847d5ef Alex Bennée:
   .gitmodules: move u-boot mirrors to qemu-project-mirrors
03* 3ee7f21ed292 Paolo Bonzini:
   tests: vhost-user-test: release mutex on protocol violation
04* f72fc16910c8 Yuxue Liu:
   vhost-user-test: no set non-blocking for cal fd less than 0.
05* c9a1ea9c52e6 Markus Armbruster:
   Revert "tests/qtest: use qos_printf instead of g_test_message"
06* dee66bc9691a Fabiano Rosas:
   tests/qtest: Do not run lsi53c895a test if device is not present
07* ae4b01b34979 Richard W.M. Jones:
   tests: Ensure TAP version is printed before other messages
08* aaf042299acf Stéphane Graber:
   hw/usb/network: Remove hardcoded 0x40 prefix in STRING_ETHADDR response
09* a1499a8a94 Michael Tokarev:
   use fedora:37 for python container instead of :latest
10* f9922937d173 Peter Delevoryas:
   python/machine: Fix AF_UNIX path too long on macOS
11* a3cfea92e203 Marc-André Lureau:
   python/qmp/protocol: add open_with_socket()
12* 603a3bad4b9a Marc-André Lureau:
   python/qmp/legacy: make QEMUMonitorProtocol accept a socket
13* bd4c0ef40914 Marc-André Lureau:
   python/qemu/machine: use socketpair() for QMP by default
14* 4c8f69b94839 Xiaoyao Li:
   multiboot: Fix the split lock
15* 03fe6659803f Richard Henderson:
   accel/tcg: Properly unlink a TB linked to itself
16* e13e1195db8a Richard Henderson:
   tests/tcg/multiarch: Add tb-link test
17 d0af3cd0274e Peter Maydell:
   hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint
18 9163424c5098 Thomas Huth:
   ui/icons/qemu.svg: Add metadata information (author, license) to the logo

(commit(s) marked with * were in previous series and are not resent)

[Stable-7.2.21 17/18] hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint

[Michael Tokarev]

From: Peter Maydell <peter.maydell@linaro.org>

If the guest feeds invalid data to the UHCI controller, we
can assert:
qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.

(see issue 2548 for the repro case).  This happens because the guest
attempts USB_TOKEN_SETUP to an endpoint other than 0, which is not
valid.  The controller code doesn't catch this guest error, so
instead we hit the assertion in the USB core code.

Catch the case of SETUP to non-zero endpoint, and treat it as a fatal
error in the TD, in the same way we do for an invalid PID value in
the TD.

This is the UHCI equivalent of the same bug in OHCI that we fixed in
commit 3c3c233677 ("hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or
OUT").

This bug has been tracked as CVE-2024-8354.

Cc: qemu-stable@nongnu.org
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2548
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit d0af3cd0274e265435170a583c72b9f0a4100dff)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c
index ef967c42a1..1e7fc728a0 100644
--- a/hw/usb/hcd-uhci.c
+++ b/hw/usb/hcd-uhci.c
@@ -724,6 +724,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
     bool spd;
     bool queuing = (q != NULL);
     uint8_t pid = td->token & 0xff;
+    uint8_t ep_id = (td->token >> 15) & 0xf;
     UHCIAsync *async;
 
     async = uhci_async_find_td(s, td_addr);
@@ -767,9 +768,14 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
 
     switch (pid) {
     case USB_TOKEN_OUT:
-    case USB_TOKEN_SETUP:
     case USB_TOKEN_IN:
         break;
+    case USB_TOKEN_SETUP:
+        /* SETUP is only valid to endpoint 0 */
+        if (ep_id == 0) {
+            break;
+        }
+        /* fallthrough */
     default:
         /* invalid pid : frame interrupted */
         s->status |= UHCI_STS_HCPERR;
@@ -816,7 +822,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
             return uhci_handle_td_error(s, td, td_addr, USB_RET_NODEV,
                                         int_mask);
         }
-        ep = usb_ep_get(dev, pid, (td->token >> 15) & 0xf);
+        ep = usb_ep_get(dev, pid, ep_id);
         q = uhci_queue_new(s, qh_addr, td, ep);
     }
     async = uhci_async_alloc(q, td_addr);
-- 
2.47.3

[Stable-7.2.21 18/18] ui/icons/qemu.svg: Add metadata information (author, license) to the logo

[Michael Tokarev]

From: Thomas Huth <thuth@redhat.com>

We've got two versions of the QEMU logo in the repository, one with
the whole word "QEMU" (pc-bios/qemu_logo.svg) and one that only contains
the letter "Q" (ui/icons/qemu.svg). While qemu_logo.svg contains the
proper metadata with license and author information, this is missing
from the ui/icons/qemu.svg file. Copy the meta data there so that
people have a chance to know the license of the file if they only
look at the qemu.svg file.

Closes: https://gitlab.com/qemu-project/qemu/-/issues/3139
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20250930071419.117592-1-thuth@redhat.com>
(cherry picked from commit 9163424c50981dbc4ded9990228ac01a3b193656)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

diff --git a/ui/icons/qemu.svg b/ui/icons/qemu.svg
index 24ca23a1e9..f2500de339 100644
--- a/ui/icons/qemu.svg
+++ b/ui/icons/qemu.svg
@@ -918,7 +918,26 @@
         <dc:format>image/svg+xml</dc:format>
         <dc:type
            rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title />
+        <dc:title>Kew the Angry Emu</dc:title>
+        <dc:creator>
+          <cc:Agent>
+            <dc:title>Benoît Canet</dc:title>
+          </cc:Agent>
+        </dc:creator>
+        <dc:rights>
+          <cc:Agent>
+            <dc:title>CC BY 3.0</dc:title>
+          </cc:Agent>
+        </dc:rights>
+        <dc:publisher>
+          <cc:Agent>
+            <dc:title>QEMU Community</dc:title>
+          </cc:Agent>
+        </dc:publisher>
+        <dc:date>2012-02-15</dc:date>
+        <cc:license
+           rdf:resource="http://creativecommons.org/licenses/by/3.0/" />
+        <dc:source>https://lists.gnu.org/archive/html/qemu-devel/2012-02/msg02865.html</dc:source>
       </cc:Work>
     </rdf:RDF>
   </metadata>
-- 
2.47.3