From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH qemu 2/3] stable fixes for QEMU 11.0.0
Date: Tue,  5 May 2026 15:10:16 +0200
Message-ID: <20260505131035.743948-3-f.ebner@proxmox.com>
In-Reply-To: <20260505131035.743948-1-f.ebner@proxmox.com>

Most notably, a qcow2 corruption fix.

Otherwise, some fixes for x86 HW/CPU targets, fix for a crash in a
certain error path for migration, and a fix for a memory safety issue
with VirGL display.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 ...fix-decoding-of-MOVBE-and-CRC32-in-1.patch |  84 ++++++++++
 ...-accidentally-autofree-existing-virg.patch |  59 +++++++
 ...store-IRQ-polling-for-non-kernel-irq.patch |  47 ++++++
 ...tion-on-discard-during-write-with-CO.patch | 147 ++++++++++++++++++
 ...strList-leak-in-x86_cpu_get_unavaila.patch |  36 +++++
 ...-missing-PF_INSTR-in-SIGSEGV-context.patch |  43 +++++
 ...e_save_state_v-fix-double-error_setg.patch |  46 ++++++
 debian/patches/series                         |   7 +
 8 files changed, 469 insertions(+)
 create mode 100644 debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
 create mode 100644 debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
 create mode 100644 debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
 create mode 100644 debian/patches/extra/0008-qcow2-Fix-corruption-on-discard-during-write-with-CO.patch
 create mode 100644 debian/patches/extra/0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
 create mode 100644 debian/patches/extra/0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
 create mode 100644 debian/patches/extra/0011-migration-vmstate_save_state_v-fix-double-error_setg.patch

diff --git a/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch b/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
new file mode 100644
index 0000000000..9874c26972
--- /dev/null
+++ b/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
@@ -0,0 +1,84 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 31 Mar 2026 08:32:23 +0200
+Subject: [PATCH] target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit
+ mode
+
+Table A-4 of the SDM shows
+
+                    F0                     F1
+--------------------------------------------------------
+     NP           MOVBE Gy,My           MOVBE My,Gy
+     66           MOVBE Gw,Mw           MOVBW Mw,Gw
+     F2           CRC32 Gd,Eb           CRC32 Gd,Ey
+  66+F2           CRC32 Gd,Eb           CRC32 Gd,Ew
+
+However, this is incorrect.  Both MOVBE and (for 0xF1) CRC32
+take Gv, Ev or Mv operands.  In 16-bit mode therefore the
+operand is of 16-bit size without prefix and 32-bit mode
+with 0x66 (the data size override).
+
+For example, with NASM you get:
+
+                                 bits 16
+   67 0F 38 F0 02                movbe ax, [edx]
+   66 67 0F 38 F0 02             movbe eax, [edx]
+
+   67 F2 0F 38 F1 02             crc32 ax, word [edx]
+   66 67 F2 0F 38 F1 02          crc32 eax, dword [edx]
+
+versus
+
+                                 bits 32
+   66 0F 38 F0 02                movbe ax, [edx]
+   0F 38 F0 02                   movbe eax, [edx]
+
+   66 F2 0F 38 F1 02             crc32 eax, word [edx]
+   F2 0F 38 F1 02                crc32 eax, dword [edx]
+
+The instruction is listed correctly in the APX documentation
+as "SCALABLE" (which means it has v-size operands).
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 76ad26dd172d27aae9f1e76d1165b497167c36c2)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/i386/tcg/decode-new.c.inc | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.c.inc
+index bc105aab9e..c8b5bd6ad2 100644
+--- a/target/i386/tcg/decode-new.c.inc
++++ b/target/i386/tcg/decode-new.c.inc
+@@ -875,19 +875,23 @@ static const X86OpEntry opcodes_0F38_00toEF[240] = {
+ 
+ /* five rows for no prefix, 66, F3, F2, 66+F2  */
+ static const X86OpEntry opcodes_0F38_F0toFF[16][5] = {
++    /*
++     * MOVBE and CRC32 are incorrectly listed as always doing 32-bit operation
++     * without prefix and 16-bit operation with 0x66.
++     */
+     [0] = {
+-        X86_OP_ENTRYwr(MOVBE, G,y, M,y, cpuid(MOVBE)),
+-        X86_OP_ENTRYwr(MOVBE, G,w, M,w, cpuid(MOVBE)),
++        X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)),
++        X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)),
+         {},
+         X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)),
+         X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)),
+     },
+     [1] = {
+-        X86_OP_ENTRYwr(MOVBE, M,y, G,y, cpuid(MOVBE)),
+-        X86_OP_ENTRYwr(MOVBE, M,w, G,w, cpuid(MOVBE)),
++        X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)),
++        X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)),
+         {},
+-        X86_OP_ENTRY2(CRC32, G,d, E,y, cpuid(SSE42)),
+-        X86_OP_ENTRY2(CRC32, G,d, E,w, cpuid(SSE42)),
++        X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)),
++        X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)),
+     },
+     [2] = {
+         X86_OP_ENTRY3(ANDN, G,y, B,y, E,y, vex13 cpuid(BMI1)),
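Review bot: the added comment is ambiguous about what is "incorrectly listed": read on its own above this table, it sounds as if the entries below are wrong, when it is the SDM's Table A-4 that gives MOVBE and CRC32 y/w operands. Suggest "MOVBE and CRC32 are incorrectly listed in the SDM (Table A-4) as always doing ..." plus a closing sentence that they are really v-sized (16-bit default in 16-bit mode, toggled by 0x66), so nobody "restores" the y/w entries later. The unchanged E,b entries for CRC32 in row [0] are right, the byte form has no operand-size dependence, and the now-identical F2 and 66+F2 entries in row [1] are expected because the v size already accounts for the 0x66 prefix.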
diff --git a/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch b/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
new file mode 100644
index 0000000000..b8f224e9be
--- /dev/null
+++ b/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
@@ -0,0 +1,59 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
+Date: Fri, 17 Apr 2026 13:27:03 +0100
+Subject: [PATCH] hw/display: don't accidentally autofree existing virgl
+ resources
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While sanity checking a create blob operation the use of the auto
+freed res variable could lead to inadvertently freeing an existing
+blob.
+
+Avoid this by in-lining the virtio_gpu_virgl_find_resource() check as
+the value is not needed anyway.
+
+While at it add a comment to the end and use g_steal_pointer to make
+it clearer the object lifetime exceeds the function bounds if we pass
+all the checks.
+
+Fixes: CVE-2026-6502
+Fixes: 7c092f17cce (virtio-gpu: Handle resource blob commands)
+Message-ID: 20260417094443.785462-1-alex.bennee@linaro.org
+Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
+Cc: qemu-stable@nongnu.org
+Message-ID: <20260417122703.845442-1-alex.bennee@linaro.org>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+(cherry picked from commit 30fad722ce68316d22b926ba0e6017f0440465df)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/display/virtio-gpu-virgl.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c
+index b7a2d160dd..add85bd4e6 100644
+--- a/hw/display/virtio-gpu-virgl.c
++++ b/hw/display/virtio-gpu-virgl.c
+@@ -830,8 +830,7 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g,
+         return;
+     }
+ 
+-    res = virtio_gpu_virgl_find_resource(g, cblob.resource_id);
+-    if (res) {
++    if (virtio_gpu_virgl_find_resource(g, cblob.resource_id)) {
+         qemu_log_mask(LOG_GUEST_ERROR, "%s: resource already exists %d\n",
+                       __func__, cblob.resource_id);
+         cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID;
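Review bot: dropping the assignment of the looked-up resource to res only closes the hole if res is the g_autofree local and is still NULL at this point; its declaration is outside the hunk, so confirm that, otherwise the early return after cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID would again g_free() a resource that is still linked in g->reslist, which is exactly the use-after-free this patch addresses. A g_assert(res == NULL) in front of the lookup would document the invariant cheaply and catch a regression if someone reintroduces the assignment.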
+@@ -884,8 +883,9 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g,
+ 
+     res->base.dmabuf_fd = info.fd;
+ 
++    /* Now live, cleaned up in virtio_gpu_virgl_resource_unref */
+     QTAILQ_INSERT_HEAD(&g->reslist, &res->base, next);
+-    res = NULL;
++    g_steal_pointer(&res);
+ }
+ 
+ static void virgl_cmd_resource_map_blob(VirtIOGPU *g,
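Review bot: g_steal_pointer(&res) with the return value discarded is just a self-documenting spelling of res = NULL, so the actual protection is the ordering of res->base.dmabuf_fd = info.fd, QTAILQ_INSERT_HEAD and the steal. The new comment should state the rule that follows from it: no early return may be added between the fd assignment and this point, because the autofree would then g_free() the resource without closing info.fd or removing it from the list. Something like "ownership passes to g->reslist here; freed via virtio_gpu_virgl_resource_unref()" says why the steal is there, which "Now live" does not.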
diff --git a/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch b/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
new file mode 100644
index 0000000000..88f899f85f
--- /dev/null
+++ b/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: rickgcn <rickgcn@gmail.com>
+Date: Sat, 18 Apr 2026 14:14:29 +0800
+Subject: [PATCH] hw: i386: vapic: restore IRQ polling for non-kernel irqchip
+ backends
+
+69dfc078 extended vAPIC handling for WHPX with user-mode irqchip, but it
+also changed vapic_write() case 4 in a way that excludes TCG from
+apic_poll_irq().
+
+Before that change, IRQ polling happened whenever no in-kernel irqchip
+was active. After the change, it only happened for KVM or WHPX with a
+user-mode irqchip. Under TCG, both kvm_enabled() and whpx_enabled() are
+false, so the poll never happens.
+
+This regresses 32-bit Windows XP guests on a Windows host with
+-machine pc-i440fx-10.0,accel=tcg, causing a STOP 0x0000000A during boot.
+
+Fix it by making the decision depend on whether KVM or WHPX is using an
+in-kernel irqchip, instead of whether either accelerator is enabled.
+
+Fixes: 69dfc078a6f0 ("hw: i386: vapic: enable on WHPX with user-mode irqchip")
+
+Signed-off-by: rickgcn <rickgcn@gmail.com>
+Link: https://lore.kernel.org/r/20260418061429.16898-1-rickgcn@gmail.com
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit c906c2337058bd467e6ac0176c2966d1eeb6f8f5)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/i386/vapic.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/hw/i386/vapic.c b/hw/i386/vapic.c
+index 41e5ca26df..1acb9f91b2 100644
+--- a/hw/i386/vapic.c
++++ b/hw/i386/vapic.c
+@@ -716,8 +716,7 @@ static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
+         break;
+     default:
+     case 4:
+-        if ((kvm_enabled() && !kvm_irqchip_in_kernel())
+-          || (whpx_enabled() && !whpx_irqchip_in_kernel())) {
++        if (!kvm_irqchip_in_kernel() && !whpx_irqchip_in_kernel()) {
+             apic_poll_irq(cpu->apic_state);
+         }
+         break;
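Review bot: the new condition no longer guards whpx_irqchip_in_kernel() with whpx_enabled(), so it relies on both kvm_irqchip_in_kernel() and whpx_irqchip_in_kernel() evaluating to false whenever their accelerator is not active, including builds without CONFIG_KVM or CONFIG_WHPX and runs under other accelerators (HVF, NVMM); confirm the stub definitions in the headers are plain (0)/(false) macros and not functions that assert the accelerator was initialised. Also, the default: label above shares this case 4 body, so the poll is now taken for every non-KVM/WHPX accelerator, not only TCG as the commit message says; a one-line comment that this is the intended "no in-kernel irqchip" condition would help the next reader.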
diff --git a/debian/patches/extra/0008-qcow2-Fix-corruption-on-discard-during-write-with-CO.patch b/debian/patches/extra/0008-qcow2-Fix-corruption-on-discard-during-write-with-CO.patch
new file mode 100644
index 0000000000..2bc59ea236
--- /dev/null
+++ b/debian/patches/extra/0008-qcow2-Fix-corruption-on-discard-during-write-with-CO.patch
@@ -0,0 +1,147 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Mon, 27 Apr 2026 19:05:19 +0200
+Subject: [PATCH] qcow2: Fix corruption on discard during write with COW
+
+Most code in qcow2 that accesses (and potentially modifies) L2 tables
+does so while holding s->lock.
+
+There is one exception, which is allocating writes. They hold the lock
+initially while allocating clusters, but drop it for writing the guest
+payload before taking the lock again for updating the L2 tables. This
+allows concurrent requests that touch other parts of the image file to
+continue in parallel and is an important performance optimisation.
+
+However, this means that other requests that run while the lock is
+dropped for writing guest data must synchronise with the list of
+allocating requests in s->cluster_allocs and wait if they would overlap.
+For writes, this is done in handle_dependencies(), but discard and write
+zeros operations neglect to synchronise with s->cluster_allocs.
+
+This means that discard can free a cluster whose L2 entry will already
+be modified in qcow2_alloc_cluster_link_l2() by a previously started
+write. In the case of a pre-allocated zero cluster that is in the
+process of being overwritten, this means that discard can lead to a
+situation where the cluster is still mapped (because the write will
+restore the L2 entry just without the zero flag), but its refcount has
+been decreased, resulting in a corrupted image.
+
+Add the missing synchronisation to qcow2_cluster_discard() and
+qcow2_subcluster_zeroize() to fix the problem.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Denis V. Lunev <den@openvz.org>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Denis V. Lunev <den@openvz.org>
+Tested-by: Denis V. Lunev <den@openvz.org>
+(picked from https://lore.kernel.org/qemu-devel/20260427170520.101242-4-kwolf@redhat.com/)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ block/qcow2-cluster.c | 52 ++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
+index c655bf6df4..8b1e80bd0b 100644
+--- a/block/qcow2-cluster.c
++++ b/block/qcow2-cluster.c
+@@ -1392,6 +1392,9 @@ count_single_write_clusters(BlockDriverState *bs, int nb_clusters,
+  * the same cluster. In this case we need to wait until the previous
+  * request has completed and updated the L2 table accordingly.
+  *
++ * If allow_shortening == true, instead of waiting for a dependency, *cur_bytes
++ * can be shortened so that the cluster allocations don't overlap.
++ *
+  * Returns:
+  *   0       if there was no dependency. *cur_bytes indicates the number of
+  *           bytes from guest_offset that can be read before the next
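Review bot: the new sentence says *cur_bytes "can be shortened" but not when: shortening only happens for a request that starts before the running allocation (start < old_start); a request that begins at or inside one is waited for and -EAGAIN is returned whichever value allow_shortening has. Spell that out, and add one line for the allow_shortening == false contract: the caller either gets 0 with *cur_bytes untouched or -EAGAIN after having yielded, which is what wait_for_dependencies() relies on when it passes false and loops.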
+@@ -1403,7 +1406,9 @@ count_single_write_clusters(BlockDriverState *bs, int nb_clusters,
+  */
+ static int coroutine_fn handle_dependencies(BlockDriverState *bs,
+                                             uint64_t guest_offset,
+-                                            uint64_t *cur_bytes, QCowL2Meta **m)
++                                            uint64_t *cur_bytes,
++                                            bool allow_shortening,
++                                            QCowL2Meta **m)
+ {
+     BDRVQcow2State *s = bs->opaque;
+     QCowL2Meta *old_alloc;
+@@ -1434,7 +1439,7 @@ static int coroutine_fn handle_dependencies(BlockDriverState *bs,
+ 
+         /* Conflict */
+ 
+-        if (start < old_start) {
++        if (start < old_start && allow_shortening) {
+             /* Stop at the start of a running allocation */
+             bytes = old_start - start;
+         } else {
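Review bot: with allow_shortening == false a request with start < old_start now takes the else branch that was previously reached only when the new request begins at or inside the running allocation; the rest of that branch is outside the hunk, so confirm nothing in it assumes start >= old_start. A short comment at the else would make the two cases explicit: "either shortening is not allowed, or we overlap the start of the running allocation: wait for it".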
+@@ -1469,6 +1474,29 @@ static int coroutine_fn handle_dependencies(BlockDriverState *bs,
+     return 0;
+ }
+ 
++static void coroutine_mixed_fn wait_for_dependencies(BlockDriverState *bs,
++                                                     uint64_t guest_offset,
++                                                     uint64_t bytes)
++{
++    BDRVQcow2State *s = bs->opaque;
++    QCowL2Meta *m = NULL;
++    int ret;
++
++    /*
++     * Discard has some non-coroutine callers (creating internal snapshots and
++     * make empty). They are calling from qemu-img or in a drained section, so
++     * we know that no writes can be in progress.
++     */
++    if (!qemu_in_coroutine()) {
++        assert(QLIST_EMPTY(&s->cluster_allocs));
++        return;
++    }
++
++    do {
++        ret = handle_dependencies(bs, guest_offset, &bytes, false, &m);
++    } while (ret == -EAGAIN);
++}
++
+ /*
+  * Checks how many already allocated clusters that don't require a new
+  * allocation there are at the given guest_offset (up to *bytes).
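Review bot: the non-coroutine branch turns a dependency into assert(QLIST_EMPTY(&s->cluster_allocs)), so a future non-coroutine caller outside a drained section (the comment names internal snapshots and make-empty) would abort QEMU instead of waiting; the comment should say this is deliberate, and coroutine_mixed_fn is the right marker for it. In the coroutine branch the allocating write being waited for needs s->lock to update its L2 entries (the commit message says it re-takes the lock for that), so the wait inside handle_dependencies() must release s->lock while blocked; the retry loop re-checks after every wake-up, which is correct, but callers must not have read any L2 or refcount state before calling this. Finally, bytes is passed by pointer but with allow_shortening false it is never modified; a one-line comment saying so saves the next reader a trip into handle_dependencies().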
+@@ -1840,7 +1868,7 @@ again:
+          *         the right synchronisation between the in-flight request and
+          *         the new one.
+          */
+-        ret = handle_dependencies(bs, start, &cur_bytes, m);
++        ret = handle_dependencies(bs, start, &cur_bytes, true, m);
+         if (ret == -EAGAIN) {
+             /* Currently handle_dependencies() doesn't yield if we already had
+              * an allocation. If it did, we would have to clean up the L2Meta
+@@ -2000,6 +2028,15 @@ int qcow2_cluster_discard(BlockDriverState *bs, uint64_t offset,
+     int64_t cleared;
+     int ret;
+ 
++    /*
++     * If we're touching a cluster for which allocating writes are in flight,
++     * wait for them to complete to avoid conflicting metadata updates.
++     *
++     * We don't need to allocate a QCowL2Meta for the discard operation because
++     * s->lock is held for the duration of the whole operation.
++     */
++    wait_for_dependencies(bs, offset, bytes);
++
+     /* Caller must pass aligned values, except at image end */
+     assert(QEMU_IS_ALIGNED(offset, s->cluster_size));
+     assert(QEMU_IS_ALIGNED(end_offset, s->cluster_size) ||
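Review bot: the comment claims s->lock is held for the duration of the whole operation, but the wait just added can block on an in-flight allocation, which can only finish if that request gets s->lock back to update the L2 table, so the lock is necessarily dropped while waiting. That is safe only because nothing has been read yet: the wait is the first statement. Suggest rewording to "wait first, before reading any metadata; s->lock may be released inside, after it returns the lock is held until the end", and moving the call below the cheap alignment asserts that follow so argument bugs surface before any yield.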
+@@ -2160,6 +2197,15 @@ int coroutine_fn qcow2_subcluster_zeroize(BlockDriverState *bs, uint64_t offset,
+     int64_t cleared;
+     int ret;
+ 
++    /*
++     * If we're touching a cluster for which allocating writes are in flight,
++     * wait for them to complete to avoid conflicting metadata updates.
++     *
++     * We don't need to allocate a QCowL2Meta for the zeroize operation because
++     * s->lock is held for the duration of the whole operation.
++     */
++    wait_for_dependencies(bs, offset, bytes);
++
+     /* If we have to stay in sync with an external data file, zero out
+      * s->data_file first. */
+     if (data_file_is_raw(bs)) {
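Review bot: same lock comment issue as in qcow2_cluster_discard(): the wait may release s->lock, so the comment should say the lock is held from here on, not for the whole operation. qcow2_subcluster_zeroize() is coroutine_fn, so the non-coroutine assert path in wait_for_dependencies() is dead here. Because zeroize works at subcluster granularity while s->cluster_allocs tracks cluster ranges, confirm that handle_dependencies() compares against cluster-rounded bounds of the running allocation, otherwise a zeroize of part of a cluster could slip past a write in the same cluster. Separately, this file's header says "(picked from https://lore.kernel.org/...)" rather than "cherry picked from commit", i.e. the upstream version had not been merged when it was taken; re-diff against the commit that lands so the backport does not diverge from upstream's final form.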
diff --git a/debian/patches/extra/0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch b/debian/patches/extra/0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
new file mode 100644
index 0000000000..a9975bbb3b
--- /dev/null
+++ b/debian/patches/extra/0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Mon, 13 Apr 2026 16:50:40 +0400
+Subject: [PATCH] target/i386: fix strList leak in
+ x86_cpu_get_unavailable_features
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The result list built by x86_cpu_list_feature_names() was never freed
+after being visited, causing a memory leak detected by ASan.
+(the getter visitor is VISITOR_OUTPUT kind and doesn't own data)
+
+Fixes: 506174bf8219 ("i386: "unavailable-features" QOM property")
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Link: https://lore.kernel.org/r/20260413125040.3842686-1-marcandre.lureau@redhat.com
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 87e1226e6f6844845ac407d50198d84205e7ed7f)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/i386/cpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index c6fd1dc00e..9d126600c0 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -7842,6 +7842,7 @@ static void x86_cpu_get_unavailable_features(Object *obj, Visitor *v,
+ 
+     x86_cpu_list_feature_names(xc->filtered_features, &result);
+     visit_type_strList(v, "unavailable-features", &result, errp);
++    qapi_free_strList(result);
+ }
+ 
+ /* Print all cpuid feature names in featureset
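Review bot: the free is correctly placed after the visit: an output visitor only reads the list, and result stays ours to free even when visit_type_strList() returns an error, so there is no double-free path, and qapi_free_strList(NULL) is a no-op for the empty case. Declaring result as g_autoptr(strList) (QAPI-generated types come with G_DEFINE_AUTOPTR_CLEANUP_FUNC) would express the same and also cover any future early return in this getter; optional for a stable backport.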
diff --git a/debian/patches/extra/0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch b/debian/patches/extra/0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
new file mode 100644
index 0000000000..dfa3f4c20a
--- /dev/null
+++ b/debian/patches/extra/0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Simon Scherer <scherer.simon89@gmail.com>
+Date: Mon, 13 Apr 2026 13:56:22 +0200
+Subject: [PATCH] target/i386: fix missing PF_INSTR in SIGSEGV context
+
+When running linux-user emulation, the SIGSEGV handler does not
+correctly set the 4th bit (PF_INSTR) in the error_code variable of
+the context argument (context->uc_mcontext.gregs[REG_ERR]).
+
+Because this bit is never set, guest applications cannot distinguish
+if a fault was due to missing executable permissions. This patch
+ensures that when a page fault occurs during an instruction fetch,
+the PF_INSTR flag is properly populated in the signal context.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3384
+Signed-off-by: Simon Scherer <scherer.simon89@gmail.com>
+Link: https://lore.kernel.org/r/20260413115622.160212-1-scherer.simon89@gmail.com
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 3eae91a8b93a35f194a39ab5b894ae405def9270)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/i386/tcg/user/excp_helper.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/target/i386/tcg/user/excp_helper.c b/target/i386/tcg/user/excp_helper.c
+index 98fab4cbc3..6c5df5e0e8 100644
+--- a/target/i386/tcg/user/excp_helper.c
++++ b/target/i386/tcg/user/excp_helper.c
+@@ -36,9 +36,10 @@ void x86_cpu_record_sigsegv(CPUState *cs, vaddr addr,
+      * signal and set exception_index to EXCP_INTERRUPT.
+      */
+     env->cr[2] = addr;
+-    env->error_code = ((access_type == MMU_DATA_STORE) << PG_ERROR_W_BIT)
+-                    | (maperr ? 0 : PG_ERROR_P_MASK)
+-                    | PG_ERROR_U_MASK;
++    env->error_code = (maperr ? 0 : PG_ERROR_P_MASK)
++                    | ((access_type == MMU_DATA_STORE) << PG_ERROR_W_BIT)
++                    | PG_ERROR_U_MASK
++                    | ((access_type == MMU_INST_FETCH) ? PG_ERROR_I_D_MASK : 0);
+     cs->exception_index = EXCP0E_PAGE;
+ 
+     /* Disable do_interrupt_user. */
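Review bot: the only behavioural change is the added PG_ERROR_I_D_MASK term; reordering the P/W/U terms is cosmetic and inflates the diff for a stable backport. The ternary is fine since W and I/D are mutually exclusive (access_type is a single enum value). One caveat worth a comment: real hardware reports the I/D bit only when IA32_EFER.NXE or CR4.SMEP is in effect, so a guest that checks CPUID NX before trusting bit 4 behaves as before, while one running on a guest CPU model without NX will now see a bit hardware would leave clear; acceptable for linux-user, but it should be stated rather than implied.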
diff --git a/debian/patches/extra/0011-migration-vmstate_save_state_v-fix-double-error_setg.patch b/debian/patches/extra/0011-migration-vmstate_save_state_v-fix-double-error_setg.patch
new file mode 100644
index 0000000000..a4faa8635c
--- /dev/null
+++ b/debian/patches/extra/0011-migration-vmstate_save_state_v-fix-double-error_setg.patch
@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Date: Thu, 5 Mar 2026 00:22:45 +0300
+Subject: [PATCH] migration: vmstate_save_state_v: fix double error_setg
+
+We may call error_setg twice on same errp if inner
+vmstate_save_state_v() or vmstate_save_state() call fails. Next we will
+crash on assertion in error_setv().
+
+Fixes: 848a0503422d043 "migration: Update error description outside migration.c"
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Reviewed-by: Fabiano Rosas <farosas@suse.de>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Link: https://lore.kernel.org/qemu-devel/20260304212303.667141-2-vsementsov@yandex-team.ru
+Signed-off-by: Fabiano Rosas <farosas@suse.de>
+(cherry picked from commit d41ce10d0f5a3d6e497e4b75807a8e675033c597)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ migration/vmstate.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/migration/vmstate.c b/migration/vmstate.c
+index 4d28364f7b..fccd030dfd 100644
+--- a/migration/vmstate.c
++++ b/migration/vmstate.c
+@@ -539,6 +539,9 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDescription *vmsd,
+                 } else {
+                     ret = inner_field->info->put(f, curr_elem, size,
+                                                  inner_field, vmdesc_loop);
++                    if (ret < 0) {
++                        error_setg(errp, "put failed");
++                    }
+                 }
+ 
+                 written_bytes = qemu_file_transferred(f) - old_offset;
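Review bot: the new check sets errp only for ret < 0, while the consumer further down tests if (ret); if any VMStateInfo.put returns a positive non-zero value the loop reaches error_prepend() with *errp unset, and error_prepend() dereferences the Error without a NULL check. Use if (ret) here as well (or normalise ret), and include the inner field name since put callbacks take no errp and "put failed" alone does not say which sub-field: error_setg(errp, "put of %s failed", inner_field->name);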
+@@ -551,8 +554,8 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDescription *vmsd,
+                 }
+ 
+                 if (ret) {
+-                    error_setg(errp, "Save of field %s/%s failed",
+-                                vmsd->name, field->name);
++                    error_prepend(errp, "Save of field %s/%s failed: ",
++                                  vmsd->name, field->name);
+                     if (vmsd->post_save) {
+                         vmsd->post_save(opaque);
+                     }
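Review bot: error_prepend() requires *errp to already hold an Error, so this hunk is only safe if every path that leaves ret non-zero has set errp: the recursive vmstate_save_state_v()/vmstate_save_state() call does, the put path now does for negative returns, but any other producer of ret in this loop (not visible here) would turn the duplicate error_setg() the patch removes into a NULL dereference. Worth a comment at the error_prepend() stating that invariant. The message now ends in ": " followed by the inner text, so inner messages should stay lower-case fragments like "put failed".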
diff --git a/debian/patches/series b/debian/patches/series
index e33133ff90..8553c8ed8c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,6 +2,13 @@ extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
 extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
 extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
 extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
+extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
+extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
+extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
+extra/0008-qcow2-Fix-corruption-on-discard-during-write-with-CO.patch
+extra/0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
+extra/0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
+extra/0011-migration-vmstate_save_state_v-fix-double-error_setg.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
-- 
2.47.3
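The operand-size rule that patch 0005 above corrects, as an added example that is not part of the patch or of QEMU: a small C model of the 0F 38 F0/F1 encodings (MOVBE, and CRC32 under the F2 prefix) that parses the prefix bytes and returns the E/M operand size both the way SDM Table A-4 states it (y/w, independent of the mode) and the way the fix reads it (v: the mode's default size, toggled by 0x66), checked against the NASM encodings quoted in the commit message. Only 16- and 32-bit mode and the 0x66 prefix are modelled; 64-bit mode and REX are left out. All type and function names are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parsed [legacy prefixes] 0F 38 F0|F1 modrm ... (example's own struct). */
struct op38_insn {
    bool valid;      /* bytes really are a 0F 38 F0/F1 instruction */
    bool has_66;     /* operand-size override present */
    bool has_f2;     /* F2 present: CRC32 instead of MOVBE */
    uint8_t opcode;  /* 0xF0 or 0xF1 */
};

static struct op38_insn parse_op38(const uint8_t *code, size_t len)
{
    struct op38_insn in = {0};
    size_t i;

    /* Legacy prefixes in any order; 67 (address size), F3 and F0 are skipped. */
    for (i = 0; i < len; i++) {
        if (code[i] == 0x66) {
            in.has_66 = true;
        } else if (code[i] == 0xF2) {
            in.has_f2 = true;
        } else if (code[i] != 0x67 && code[i] != 0xF3 && code[i] != 0xF0) {
            break;
        }
    }
    /* Need the 0F 38 escape, the opcode byte and at least one ModRM byte. */
    if (i + 4 > len || code[i] != 0x0F || code[i + 1] != 0x38 ||
        (code[i + 2] != 0xF0 && code[i + 2] != 0xF1)) {
        return in;
    }
    in.opcode = code[i + 2];
    in.valid = true;
    return in;
}

/* E/M operand size in bits. Table A-4 reading: "y" (32) without prefix, "w"
 * (16) with 66, whatever the mode. v-size reading (the fix): the mode's default
 * (16 in 16-bit mode, else 32), toggled by 66. CRC32 F0 is Eb (8) under both. */
static int ev_bits(struct op38_insn in, int mode_bits, bool fixed)
{
    int dflt = (fixed && mode_bits == 16) ? 16 : 32;

    if (in.has_f2 && in.opcode == 0xF0) {
        return 8;
    }
    return in.has_66 ? (dflt == 16 ? 32 : 16) : dflt;
}

/* Decode `code` in 16- or 32-bit mode and return the E/M operand size in bits,
 * or -1 if the bytes are not MOVBE/CRC32. `fixed` selects the corrected v-size
 * rule (true) or the pre-fix Table A-4 reading (false). */
int movbe_crc32_ev_bits(const uint8_t *code, size_t len, int mode_bits, bool fixed)
{
    struct op38_insn in = parse_op38(code, len);

    if (!in.valid || (mode_bits != 16 && mode_bits != 32)) {
        return -1;
    }
    return ev_bits(in, mode_bits, fixed);
}

struct encoding { uint8_t b[8]; size_t n; };

/* The eight NASM encodings quoted in the commit message, by assembler mode. */
static const struct encoding nasm_bits16[4] = {
    {{0x67, 0x0F, 0x38, 0xF0, 0x02}, 5},              /* movbe ax, [edx]        */
    {{0x66, 0x67, 0x0F, 0x38, 0xF0, 0x02}, 6},        /* movbe eax, [edx]       */
    {{0x67, 0xF2, 0x0F, 0x38, 0xF1, 0x02}, 6},        /* crc32 ax, word [edx]   */
    {{0x66, 0x67, 0xF2, 0x0F, 0x38, 0xF1, 0x02}, 7},  /* crc32 eax, dword [edx] */
};
static const struct encoding nasm_bits32[4] = {
    {{0x66, 0x0F, 0x38, 0xF0, 0x02}, 5},              /* movbe ax, [edx]        */
    {{0x0F, 0x38, 0xF0, 0x02}, 4},                    /* movbe eax, [edx]       */
    {{0x66, 0xF2, 0x0F, 0x38, 0xF1, 0x02}, 6},        /* crc32 eax, word [edx]  */
    {{0xF2, 0x0F, 0x38, 0xF1, 0x02}, 5},              /* crc32 eax, dword [edx] */
};

/* How many of the four encodings for `mode_bits` the two readings disagree on. */
int count_disagreements(int mode_bits)
{
    const struct encoding *e = (mode_bits == 16) ? nasm_bits16 : nasm_bits32;
    int n = 0;

    for (int i = 0; i < 4; i++) {
        if (movbe_crc32_ev_bits(e[i].b, e[i].n, mode_bits, true) !=
            movbe_crc32_ev_bits(e[i].b, e[i].n, mode_bits, false)) {
            n++;
        }
    }
    return n;
}

int main(void)
{
    for (int mode = 16; mode <= 32; mode += 16) {
        printf("%d-bit mode: %d/4 encodings differ between Table A-4 and v-size\n",
               mode, count_disagreements(mode));
    }
    return 0;
}
```

The two readings agree on every 32-bit-mode encoding and differ on every 16-bit-mode one, which is why the wrong table went unnoticed by 32-bit guests and only shows up for real-mode or 16-bit protected-mode code.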
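A guest-side check for patch 0010 above, added here and not part of the patch or of QEMU: a Linux/x86 program that jumps into a PROT_READ|PROT_WRITE page, catches the SIGSEGV and reads the #PF error code from uc_mcontext.gregs[REG_ERR]. Natively on any NX-capable system the I/D bit (0x10, the same value as QEMU's PG_ERROR_I_D_MASK) is set; under qemu-x86_64 linux-user built without the fix it is clear, with the fix it is set. The REG_ERR fallback indices (19 on x86-64, 13 on i386) are glibc's gregs[] numbering and an assumption of this example, as are the PFEC_* names.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* x86 #PF error-code bits as delivered in REG_ERR (names are this example's). */
#define PFEC_PROT  0x01   /* page present, protection violation */
#define PFEC_WRITE 0x02
#define PFEC_USER  0x04
#define PFEC_INSTR 0x10   /* instruction fetch (PF_INSTR / PG_ERROR_I_D_MASK) */

#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
#include <ucontext.h>

/* Assumption: glibc/musl index of the error code in gregs[], used only if the
 * REG_ERR enum was not exposed (e.g. _GNU_SOURCE defined too late). */
#ifndef REG_ERR
#  ifdef __x86_64__
#    define REG_ERR 19
#  else
#    define REG_ERR 13
#  endif
#endif

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_err;

static void segv_handler(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;

    (void)sig;
    (void)si;
    fault_err = (sig_atomic_t)uc->uc_mcontext.gregs[REG_ERR];
    siglongjmp(fault_env, 1);
}

/* Execute a RET placed in a non-executable page and return the #PF error code
 * the SIGSEGV handler saw, or -1 if the jump did not fault (NX off) or the
 * page could not be mapped. */
int nx_fault_error_code(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    uint8_t *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    struct sigaction sa, old;
    int err = -1;

    if (page == MAP_FAILED) {
        return -1;
    }
    page[0] = 0xC3;                         /* ret */

    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    if (sigsetjmp(fault_env, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof(fn));     /* data pointer -> code pointer */
        fn();                               /* fetch from an NX page: #PF with I/D */
    } else {
        err = (int)fault_err;
    }

    sigaction(SIGSEGV, &old, NULL);
    munmap(page, (size_t)pagesz);
    return err;
}
#else
int nx_fault_error_code(void) { return -1; }   /* not Linux/x86: nothing to probe */
#endif

/* 1: fault reported with PFEC_INSTR set (correct); 0: fault without it (the
 * bug patch 0010 fixes); -1: no fault observed or unsupported platform. */
int nx_fault_reports_instr(void)
{
    int err = nx_fault_error_code();

    if (err < 0) {
        return -1;
    }
    return (err & PFEC_INSTR) ? 1 : 0;
}

int main(void)
{
    int err = nx_fault_error_code();

    if (err < 0) {
        puts("no fault observed (NX disabled or unsupported platform)");
        return 0;
    }
    printf("REG_ERR = 0x%x: P=%d W=%d U=%d I/D=%d\n", err, !!(err & PFEC_PROT),
           !!(err & PFEC_WRITE), !!(err & PFEC_USER), !!(err & PFEC_INSTR));
    return (err & PFEC_INSTR) ? 0 : 1;      /* non-zero exit = PF_INSTR missing */
}
```

Build it with the guest toolchain and run it both natively and under qemu-x86_64 (linux-user); the exit status is 1 only when the fault arrived without the I/D bit, which is the condition the patch's commit message describes.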

Thread overview:
2026-05-05 13:10 [PATCH-SERIES qemu 0/3] QEMU 11.0.0 Fiona Ebner
2026-05-05 13:10 ` [PATCH qemu 1/3] update submodule and patches to " Fiona Ebner
2026-05-05 13:10 ` Fiona Ebner [this message]
2026-05-05 13:10 ` [PATCH qemu 3/3] add fix for regression when using fuse export for swtpm Fiona Ebner
2026-05-05 20:39 ` applied: [PATCH-SERIES qemu 0/3] QEMU 11.0.0 Thomas Lamprecht
