* [PATCH-SERIES qemu/qemu-server 0/6] fix #6424: avoid timeout issue for QMP 'quit' for bulk suspend
@ 2026-05-27 11:00 Fiona Ebner
2026-05-27 11:00 ` [PATCH qemu 1/6] regenerate patches to restore incremental numbering Fiona Ebner
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Fiona Ebner @ 2026-05-27 11:00 UTC (permalink / raw)
To: pve-devel
I was able to reproduce the issue for a VM without IO thread busy
with IO on a heavily rate-limited storage.

The fix has two independent parts:

1) increase the QMP timeout:

The 'quit' QMP command itself is fast, since it only records the
shutdown request and notifies the main loop, but getting the response
can take a while. The reason is that qmp_dispatch() yields and must be
woken after executing the command and at that stage, QEMU is already
busy with teardown too.

2) skip VM start after successfully saving state:

When creating a snapshot of the VM state for hibernation, the VM must
not be started again if the snapshot operation was completed
successfully. The VM should remain stopped, so that the QMP 'quit' is
issued without further activity from the VM.

The latter addresses a more fundamental issue, but it still makes
sense to bump the timeout for 'quit' regardless, because the
explanation in 1) still applies.

I also added the rebase to QEMU 11.0.1 as part of this series, since
using the new parameter for 2) needs to be somehow version-guarded.
There would be other ways like extending QMP 'query-proxmox-support',
but since the opportunity with 11.0.1 is there, I felt like it is
easier in this case.

qemu:
Fiona Ebner (3):
regenerate patches to restore incremental numbering
async snapshot: allow skipping VM start after successful completion
update submodule and patches to QEMU 11.0.1
...d-support-for-sync-bitmap-mode-never.patch | 6 +-
...-support-for-conditional-and-always-.patch | 2 +-
...-to-bdrv_dirty_bitmap_merge_internal.patch | 2 +-
.../0006-mirror-move-some-checks-to-qmp.patch | 2 +-
...-to-bounce-buffer-if-BLKZEROOUT-is-.patch} | 0
...ial-deadlock-when-draining-during-tr.patch | 100 ------------------
...oid-idle-event-loop-being-accounted.patch} | 0
...-fix-regression-when-mmap-ing-expor.patch} | 0
...-fix-regression-with-block-device-e.patch} | 0
...fix-decoding-of-MOVBE-and-CRC32-in-1.patch | 84 ---------------
...-accidentally-autofree-existing-virg.patch | 59 -----------
...store-IRQ-polling-for-non-kernel-irq.patch | 47 --------
...strList-leak-in-x86_cpu_get_unavaila.patch | 36 -------
...-missing-PF_INSTR-in-SIGSEGV-context.patch | 43 --------
...e_save_state_v-fix-double-error_setg.patch | 46 --------
...async-for-background-state-snapshots.patch | 49 ++++++---
...add-optional-buffer-size-to-QEMUFile.patch | 6 +-
...add-the-zeroinit-block-driver-filter.patch | 4 +-
...le-posix-make-locking-optiono-on-cre.patch | 6 +-
...VE-Backup-add-vma-backup-format-code.patch | 6 +-
...ckup-Proxmox-backup-patches-for-QEMU.patch | 8 +-
...estore-new-command-to-restore-from-p.patch | 4 +-
...k-driver-to-map-backup-archives-into.patch | 8 +-
...ct-stderr-to-journal-when-daemonized.patch | 6 +-
...igrate-dirty-bitmap-state-via-savevm.patch | 4 +-
.../0037-block-add-alloc-track-driver.patch | 4 +-
.../0038-PVE-backup-add-fleecing-option.patch | 2 +-
...ment-backup-access-setup-and-teardow.patch | 2 +-
...se-migration-blocker-check-for-snaps.patch | 6 +-
debian/patches/series | 15 +--
qemu | 2 +-
31 files changed, 78 insertions(+), 481 deletions(-)
rename debian/patches/extra/{0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch => 0002-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch} (100%)
delete mode 100644 debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
rename debian/patches/extra/{0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch => 0003-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch} (100%)
rename debian/patches/extra/{0012-block-export-fuse-fix-regression-when-mmap-ing-expor.patch => 0004-block-export-fuse-fix-regression-when-mmap-ing-expor.patch} (100%)
rename debian/patches/extra/{0013-block-export-fuse-fix-regression-with-block-device-e.patch => 0005-block-export-fuse-fix-regression-with-block-device-e.patch} (100%)
delete mode 100644 debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
delete mode 100644 debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
delete mode 100644 debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
delete mode 100644 debian/patches/extra/0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
delete mode 100644 debian/patches/extra/0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
delete mode 100644 debian/patches/extra/0011-migration-vmstate_save_state_v-fix-double-error_setg.patch
qemu-server:
Fiona Ebner (3):
fix #6424: increase timeout for QMP 'quit' to 60s to avoid issue with
bulk suspend
run state: use v5.36 and signatures in module
suspend: skip VM start after successfully saving state
src/PVE/QMPClient.pm | 6 ++++++
src/PVE/QemuServer/RunState.pm | 32 ++++++++++++++++----------------
2 files changed, 22 insertions(+), 16 deletions(-)
Summary over all repositories:
33 files changed, 100 insertions(+), 497 deletions(-)
--
Generated by git-murpp 0.5.0
* [PATCH qemu 1/6] regenerate patches to restore incremental numbering
From: Fiona Ebner @ 2026-05-27 11:00 UTC (permalink / raw)
To: pve-devel
Commit 587d3fa89f ("drop "qcow2: Fix corruption on discard during
write with COW"") dropped a patch directly without regenerating.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
...386-fix-strList-leak-in-x86_cpu_get_unavaila.patch} | 0
...i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch} | 0
...n-vmstate_save_state_v-fix-double-error_setg.patch} | 0
...port-fuse-fix-regression-when-mmap-ing-expor.patch} | 0
...port-fuse-fix-regression-with-block-device-e.patch} | 0
debian/patches/series | 10 +++++-----
6 files changed, 5 insertions(+), 5 deletions(-)
rename debian/patches/extra/{0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch => 0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch} (100%)
rename debian/patches/extra/{0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch => 0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch} (100%)
rename debian/patches/extra/{0011-migration-vmstate_save_state_v-fix-double-error_setg.patch => 0010-migration-vmstate_save_state_v-fix-double-error_setg.patch} (100%)
rename debian/patches/extra/{0012-block-export-fuse-fix-regression-when-mmap-ing-expor.patch => 0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch} (100%)
rename debian/patches/extra/{0013-block-export-fuse-fix-regression-with-block-device-e.patch => 0012-block-export-fuse-fix-regression-with-block-device-e.patch} (100%)
diff --git a/debian/patches/extra/0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch b/debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
similarity index 100%
rename from debian/patches/extra/0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
rename to debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
diff --git a/debian/patches/extra/0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch b/debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
similarity index 100%
rename from debian/patches/extra/0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
rename to debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
diff --git a/debian/patches/extra/0011-migration-vmstate_save_state_v-fix-double-error_setg.patch b/debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
similarity index 100%
rename from debian/patches/extra/0011-migration-vmstate_save_state_v-fix-double-error_setg.patch
rename to debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
diff --git a/debian/patches/extra/0012-block-export-fuse-fix-regression-when-mmap-ing-expor.patch b/debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
similarity index 100%
rename from debian/patches/extra/0012-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
rename to debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
diff --git a/debian/patches/extra/0013-block-export-fuse-fix-regression-with-block-device-e.patch b/debian/patches/extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch
similarity index 100%
rename from debian/patches/extra/0013-block-export-fuse-fix-regression-with-block-device-e.patch
rename to debian/patches/extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch
diff --git a/debian/patches/series b/debian/patches/series
index 5acd22995e..9ca5887599 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,11 +5,11 @@ extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
-extra/0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
-extra/0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
-extra/0011-migration-vmstate_save_state_v-fix-double-error_setg.patch
-extra/0012-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
-extra/0013-block-export-fuse-fix-regression-with-block-device-e.patch
+extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
+extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
+extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
+extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
+extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch
bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
--
2.47.3
* [PATCH qemu 2/6] async snapshot: allow skipping VM start after successful completion
From: Fiona Ebner @ 2026-05-27 11:00 UTC (permalink / raw)
To: pve-devel
When creating a snapshot for hibernation, the VM must not be started
again after a successful snapshot operation. The VM should remain
stopped so that the management layer can issue a QMP 'quit' without
further activity from the VM.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
...async-for-background-state-snapshots.patch | 49 +++++++++++++------
...add-optional-buffer-size-to-QEMUFile.patch | 6 +--
...ckup-Proxmox-backup-patches-for-QEMU.patch | 2 +-
...se-migration-blocker-check-for-snaps.patch | 4 +-
4 files changed, 40 insertions(+), 21 deletions(-)
diff --git a/debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch b/debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch
index 21ebd78182..192f3abf46 100644
--- a/debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch
+++ b/debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch
@@ -34,6 +34,7 @@ Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
improve setting state in savevm-end handler
improve runstate preservation
use dedicated iothread for state file to avoid deadlock, bug #6262
+ add parameter to skip vm start to be used for hibernation
rebase for 11.0.0]
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
@@ -42,13 +43,13 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
include/migration/snapshot.h | 2 +
include/monitor/hmp.h | 3 +
migration/meson.build | 1 +
- migration/savevm-async.c | 586 +++++++++++++++++++++++++++++++++++
+ migration/savevm-async.c | 597 +++++++++++++++++++++++++++++++++++
monitor/hmp-cmds.c | 38 +++
qapi/migration.json | 34 ++
- qapi/misc.json | 18 ++
+ qapi/misc.json | 25 ++
qemu-options.hx | 12 +
system/vl.c | 10 +
- 11 files changed, 734 insertions(+)
+ 11 files changed, 752 insertions(+)
create mode 100644 migration/savevm-async.c
diff --git a/hmp-commands-info.hx b/hmp-commands-info.hx
@@ -146,10 +147,10 @@ index 0222d5ea6e..90d62d5723 100644
), gnutls, zlib)
diff --git a/migration/savevm-async.c b/migration/savevm-async.c
new file mode 100644
-index 0000000000..d973d8300c
+index 0000000000..2a860f11a1
--- /dev/null
+++ b/migration/savevm-async.c
-@@ -0,0 +1,586 @@
+@@ -0,0 +1,597 @@
+#include "qemu/osdep.h"
+#include "migration/channel-savevm-async.h"
+#include "migration/migration.h"
@@ -204,7 +205,8 @@ index 0000000000..d973d8300c
+ int state;
+ Error *error;
+ Error *blocker;
-+ int vm_needs_start;
++ bool vm_needs_start;
++ bool skip_vm_start;
+ QEMUFile *file;
+ int64_t total_time;
+ QEMUBH *finalize_bh;
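
Review bot: the change of `vm_needs_start` from `int` to `bool` in this struct is a cleanup unrelated to the new parameter, and the changelog line added earlier in this patch only mentions the skip parameter. Either note the type change in the changelog entry or split it out. The new `skip_vm_start` member would also benefit from a one-line comment saying that it only applies when the operation completes successfully, since that condition lives in a separate helper.
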
@@ -219,6 +221,10 @@ index 0000000000..d973d8300c
+ snap_state.state == SAVE_STATE_ERROR;
+}
+
++static bool should_skip_vm_start(void) {
++ return snap_state.state == SAVE_STATE_COMPLETED && snap_state.skip_vm_start;
++}
++
+SaveVMInfo *qmp_query_savevm(Error **errp)
+{
+ SaveVMInfo *info = g_malloc0(sizeof(*info));
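
Review bot: style point on the new `should_skip_vm_start()` definition: the opening brace is on the signature line, while `qmp_query_savevm()` directly below it in the same file puts the brace on its own line. Move the brace to its own line so the helper matches the surrounding functions.
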
@@ -380,7 +386,9 @@ index 0000000000..d973d8300c
+ snap_state.state);
+ }
+ if (snap_state.vm_needs_start) {
-+ vm_start();
++ if (!should_skip_vm_start()) {
++ vm_start();
++ }
+ snap_state.vm_needs_start = false;
+ }
+
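
Review bot: the new guard around `vm_start()` only skips when `snap_state.state` already equals `SAVE_STATE_COMPLETED` at the moment this block runs, and the visible context does not show where the state is set relative to it. Please confirm the ordering, or add a comment stating that the state is final here. Note also that `snap_state.vm_needs_start = false;` still runs unconditionally, so a skipped start is never retried later; that looks intended for hibernation but deserves a short comment.
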
@@ -490,7 +498,8 @@ index 0000000000..d973d8300c
+ }
+}
+
-+void qmp_savevm_start(const char *statefile, Error **errp)
++void qmp_savevm_start(const char *statefile, bool has_skip_vm_start,
++ bool skip_vm_start, Error **errp)
+{
+ Error *local_err = NULL;
+ MigrationState *ms = migrate_get_current();
@@ -514,6 +523,7 @@ index 0000000000..d973d8300c
+ snap_state.total_time = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
+ snap_state.blocker = NULL;
+ snap_state.target_close_wait = (QemuCoSleep){ .to_wake = NULL };
++ snap_state.skip_vm_start = has_skip_vm_start && skip_vm_start;
+
+ if (snap_state.error) {
+ error_free(snap_state.error);
@@ -657,7 +667,9 @@ index 0000000000..d973d8300c
+ }
+
+ if (snap_state.vm_needs_start) {
-+ vm_start();
++ if (!should_skip_vm_start()) {
++ vm_start();
++ }
+ snap_state.vm_needs_start = false;
+ }
+
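
Review bot: this is the second copy of the same three-line `if (!should_skip_vm_start()) { vm_start(); }` block wrapped in the `vm_needs_start` check. Consider one small helper that performs the check, the conditional `vm_start()` and the reset of `vm_needs_start`, so the two call sites cannot drift apart when the condition changes.
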
@@ -737,7 +749,7 @@ index 0000000000..d973d8300c
+ return ret;
+}
diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
-index bc26b39d70..cbedf13103 100644
+index bc26b39d70..e7afe15e97 100644
--- a/monitor/hmp-cmds.c
+++ b/monitor/hmp-cmds.c
@@ -27,6 +27,7 @@
@@ -757,7 +769,7 @@ index bc26b39d70..cbedf13103 100644
+ Error *errp = NULL;
+ const char *statefile = qdict_get_try_str(qdict, "statefile");
+
-+ qmp_savevm_start(statefile, &errp);
++ qmp_savevm_start(statefile, false, false, &errp);
+ hmp_handle_error(mon, errp);
+}
+
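
Review bot: the HMP handler now hardcodes `qmp_savevm_start(statefile, false, false, &errp);`, so the new option cannot be requested from HMP. If that is intentional, say so in the changelog or in a comment next to the call; otherwise the HMP command needs a matching optional argument.
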
@@ -838,22 +850,29 @@ index 7134d4ce47..8dc8d52b23 100644
# @query-migrate:
#
diff --git a/qapi/misc.json b/qapi/misc.json
-index 28c641fe2f..5d2f12259a 100644
+index 28c641fe2f..cfa10c849b 100644
--- a/qapi/misc.json
+++ b/qapi/misc.json
-@@ -449,6 +449,24 @@
+@@ -449,6 +449,31 @@
##
{ 'command': 'query-fdsets', 'returns': ['FdsetInfo'] }
+##
+# @savevm-start:
+#
-+# Prepare for snapshot and halt VM. Save VM state to statefile.
++# Prepare for snapshot and halt VM. Save VM state to statefile. When
++# a @statefile is used, then the VM is only halted before completion.
++# Use @query-savevm to check the state of the operation.
+#
+# @statefile: target file that state should be written to.
+#
++# @skip-vm-start: Do not resume the VM after the snapshot is done
++# successfully, even if the VM was running before
++# snapshot completion. Useful for hibernation.
++#
+##
-+{ 'command': 'savevm-start', 'data': { '*statefile': 'str' } }
++{ 'command': 'savevm-start', 'data': { '*statefile': 'str',
++ '*skip-vm-start': 'bool' } }
+
+##
+# @savevm-end:
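
Review bot: the documentation for `@skip-vm-start` is missing three things a caller needs. It does not state the default when the member is omitted, it does not say explicitly that the VM is still resumed when the snapshot fails (only implied by "done successfully"), and it does not describe what the flag means when the optional `@statefile` is not given, a case where the command description says the VM is halted right away. Please document these, or reject `skip-vm-start` without `statefile` if that combination is not meant to be used.
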
diff --git a/debian/patches/pve/0018-PVE-add-optional-buffer-size-to-QEMUFile.patch b/debian/patches/pve/0018-PVE-add-optional-buffer-size-to-QEMUFile.patch
index 4c8bb44560..ab8aac16a5 100644
--- a/debian/patches/pve/0018-PVE-add-optional-buffer-size-to-QEMUFile.patch
+++ b/debian/patches/pve/0018-PVE-add-optional-buffer-size-to-QEMUFile.patch
@@ -184,10 +184,10 @@ index a390554208..eda093b16a 100644
G_DEFINE_AUTOPTR_CLEANUP_FUNC(QEMUFile, qemu_fclose)
diff --git a/migration/savevm-async.c b/migration/savevm-async.c
-index d973d8300c..edc4c5b6ac 100644
+index 2a860f11a1..f5a4819e27 100644
--- a/migration/savevm-async.c
+++ b/migration/savevm-async.c
-@@ -409,7 +409,7 @@ void qmp_savevm_start(const char *statefile, Error **errp)
+@@ -418,7 +418,7 @@ void qmp_savevm_start(const char *statefile, bool has_skip_vm_start,
QIOChannel *ioc = QIO_CHANNEL(qio_channel_savevm_async_new(snap_state.target,
&snap_state.bs_pos));
@@ -196,7 +196,7 @@ index d973d8300c..edc4c5b6ac 100644
if (!snap_state.file) {
error_setg(errp, "failed to open '%s'", statefile);
-@@ -544,7 +544,8 @@ int load_snapshot_from_blockdev(const char *filename, Error **errp)
+@@ -555,7 +555,8 @@ int load_snapshot_from_blockdev(const char *filename, Error **errp)
bdrv_op_block_all(bs, blocker);
/* restore the VM state */
diff --git a/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch b/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
index 73117a6f3a..a4ac880fa7 100644
--- a/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
+++ b/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
@@ -275,7 +275,7 @@ index f747bc3cb2..7aa0ed1b5a 100644
# libselinux
selinux = dependency('libselinux',
diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
-index cbedf13103..33c1c81b3c 100644
+index e7afe15e97..ce374de2ec 100644
--- a/monitor/hmp-cmds.c
+++ b/monitor/hmp-cmds.c
@@ -25,6 +25,7 @@
diff --git a/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch b/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
index 6bd48361f1..df9f3df96b 100644
--- a/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
+++ b/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
@@ -136,10 +136,10 @@ index b6888daced..80eb0dcd1f 100644
bool migration_in_postcopy(void);
bool migration_postcopy_is_alive(MigrationStatus state);
diff --git a/migration/savevm-async.c b/migration/savevm-async.c
-index edc4c5b6ac..acd1a4de6e 100644
+index f5a4819e27..41376406eb 100644
--- a/migration/savevm-async.c
+++ b/migration/savevm-async.c
-@@ -375,7 +375,7 @@ void qmp_savevm_start(const char *statefile, Error **errp)
+@@ -384,7 +384,7 @@ void qmp_savevm_start(const char *statefile, bool has_skip_vm_start,
return;
}
--
2.47.3
* [PATCH qemu 3/6] update submodule and patches to QEMU 11.0.1
From: Fiona Ebner @ 2026-05-27 11:00 UTC (permalink / raw)
To: pve-devel
Most notably, patches for fixing the deadlock between trim and drain
with IDE/SATA have finally been applied upstream with the following two
commits, so the stop-gap patch "ide: avoid potential deadlock when
draining during trim" can be dropped:
6e5b03431b ide: Minimal fix for deadlock between TRIM and drain
5044ebfad8 ide: Clean up ide_trim_co_entry() to be idiomatic coroutine code
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
...d-support-for-sync-bitmap-mode-never.patch | 6 +-
...-support-for-conditional-and-always-.patch | 2 +-
...-to-bdrv_dirty_bitmap_merge_internal.patch | 2 +-
.../0006-mirror-move-some-checks-to-qmp.patch | 2 +-
...-to-bounce-buffer-if-BLKZEROOUT-is-.patch} | 0
...ial-deadlock-when-draining-during-tr.patch | 100 ------------------
...oid-idle-event-loop-being-accounted.patch} | 0
...-fix-regression-when-mmap-ing-expor.patch} | 0
...-fix-regression-with-block-device-e.patch} | 0
...fix-decoding-of-MOVBE-and-CRC32-in-1.patch | 84 ---------------
...-accidentally-autofree-existing-virg.patch | 59 -----------
...store-IRQ-polling-for-non-kernel-irq.patch | 47 --------
...strList-leak-in-x86_cpu_get_unavaila.patch | 36 -------
...-missing-PF_INSTR-in-SIGSEGV-context.patch | 43 --------
...e_save_state_v-fix-double-error_setg.patch | 46 --------
...add-the-zeroinit-block-driver-filter.patch | 4 +-
...le-posix-make-locking-optiono-on-cre.patch | 6 +-
...VE-Backup-add-vma-backup-format-code.patch | 6 +-
...ckup-Proxmox-backup-patches-for-QEMU.patch | 6 +-
...estore-new-command-to-restore-from-p.patch | 4 +-
...k-driver-to-map-backup-archives-into.patch | 8 +-
...ct-stderr-to-journal-when-daemonized.patch | 6 +-
...igrate-dirty-bitmap-state-via-savevm.patch | 4 +-
.../0037-block-add-alloc-track-driver.patch | 4 +-
.../0038-PVE-backup-add-fleecing-option.patch | 2 +-
...ment-backup-access-setup-and-teardow.patch | 2 +-
...se-migration-blocker-check-for-snaps.patch | 2 +-
debian/patches/series | 15 +--
qemu | 2 +-
29 files changed, 38 insertions(+), 460 deletions(-)
rename debian/patches/extra/{0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch => 0002-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch} (100%)
delete mode 100644 debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
rename debian/patches/extra/{0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch => 0003-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch} (100%)
rename debian/patches/extra/{0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch => 0004-block-export-fuse-fix-regression-when-mmap-ing-expor.patch} (100%)
rename debian/patches/extra/{0012-block-export-fuse-fix-regression-with-block-device-e.patch => 0005-block-export-fuse-fix-regression-with-block-device-e.patch} (100%)
delete mode 100644 debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
delete mode 100644 debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
delete mode 100644 debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
delete mode 100644 debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
delete mode 100644 debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
delete mode 100644 debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
diff --git a/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch b/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
index 8f196da9e2..0fb45d16e0 100644
--- a/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
+++ b/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
@@ -38,7 +38,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
5 files changed, 135 insertions(+), 21 deletions(-)
diff --git a/block/mirror.c b/block/mirror.c
-index 2fcded9e93..f34b5fe733 100644
+index 089856f4a8..e6f645e0f2 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -74,6 +74,8 @@ typedef struct MirrorBlockJob {
@@ -333,7 +333,7 @@ index e7c8f1a856..d5aa68caeb 100644
BlockdevOnError on_source_error,
BlockdevOnError on_target_error,
diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 508b081ac1..496118bdc7 100644
+index 0efd51787b..50a0af3569 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -2280,6 +2280,15 @@
@@ -390,7 +390,7 @@ index 508b081ac1..496118bdc7 100644
'*buf-size': 'int', '*on-source-error': 'BlockdevOnError',
'*on-target-error': 'BlockdevOnError',
diff --git a/tests/unit/test-block-iothread.c b/tests/unit/test-block-iothread.c
-index e26b3be593..396a53a757 100644
+index 5273ff235a..7055d32686 100644
--- a/tests/unit/test-block-iothread.c
+++ b/tests/unit/test-block-iothread.c
@@ -755,8 +755,8 @@ static void test_propagate_mirror(void)
diff --git a/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch b/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
index 2c030dc751..468bd94bc5 100644
--- a/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
+++ b/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
@@ -24,7 +24,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/block/mirror.c b/block/mirror.c
-index f34b5fe733..67d85799f4 100644
+index e6f645e0f2..414737045f 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -735,8 +735,6 @@ static int mirror_exit_common(Job *job)
diff --git a/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch b/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch
index faef2cc4b9..5215b95855 100644
--- a/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch
+++ b/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch
@@ -16,7 +16,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/block/mirror.c b/block/mirror.c
-index 67d85799f4..b88e8b4c51 100644
+index 414737045f..0f56ad1f54 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -856,8 +856,8 @@ static int mirror_exit_common(Job *job)
diff --git a/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch b/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch
index 9223eefaa5..98c3f7b93d 100644
--- a/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch
+++ b/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch
@@ -21,7 +21,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
3 files changed, 70 insertions(+), 59 deletions(-)
diff --git a/block/mirror.c b/block/mirror.c
-index b88e8b4c51..1e143ccab1 100644
+index 0f56ad1f54..75563e6e75 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -1885,31 +1885,13 @@ static BlockJob *mirror_start_job(
diff --git a/debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch b/debian/patches/extra/0002-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
similarity index 100%
rename from debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
rename to debian/patches/extra/0002-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
diff --git a/debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch b/debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
deleted file mode 100644
index 04271fe4fe..0000000000
--- a/debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Tue, 7 Mar 2023 15:03:02 +0100
-Subject: [PATCH] ide: avoid potential deadlock when draining during trim
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The deadlock can happen as follows:
-1. ide_issue_trim is called, and increments the in_flight counter.
-2. ide_issue_trim_cb calls blk_aio_pdiscard.
-3. Somebody else starts draining (e.g. backup to insert the cbw node).
-4. ide_issue_trim_cb is called as the completion callback for
- blk_aio_pdiscard.
-5. ide_issue_trim_cb issues yet another blk_aio_pdiscard request.
-6. The request is added to the wait queue via blk_wait_while_drained,
- because draining has been started.
-7. Nobody ever decrements the in_flight counter and draining can't
- finish. This would be done by ide_trim_bh_cb, which is called after
- ide_issue_trim_cb has issued its last request, but
- ide_issue_trim_cb is not called anymore, because it's the
- completion callback of blk_aio_pdiscard, which waits on draining.
-
-Quoting Hanna Czenczek:
-> The point of 7e5cdb345f was that we need any in-flight count to
-> accompany a set s->bus->dma->aiocb. While blk_aio_pdiscard() is
-> happening, we don’t necessarily need another count. But we do need
-> it while there is no blk_aio_pdiscard().
-> ide_issue_trim_cb() returns in two cases (and, recursively through
-> its callers, leaves s->bus->dma->aiocb set):
-> 1. After calling blk_aio_pdiscard(), which will keep an in-flight
-> count,
-> 2. After calling replay_bh_schedule_event() (i.e.
-> qemu_bh_schedule()), which does not keep an in-flight count.
-
-Thus, even after moving the blk_inc_in_flight to above the
-replay_bh_schedule_event call, the invariant "ide_issue_trim_cb
-returns with an accompanying in-flight count" is still satisfied.
-
-However, the issue 7e5cdb345f fixed for canceling resurfaces, because
-ide_cancel_dma_sync assumes that it just needs to drain once. But now
-the in_flight count is not consistently > 0 during the trim operation.
-So, change it to drain until !s->bus->dma->aiocb, which means that the
-operation finished (s->bus->dma->aiocb is cleared by ide_set_inactive
-via the ide_dma_cb when the end of the transfer is reached).
-
-Discussion here:
-https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg02506.html
-
-Fixes: 7e5cdb345f ("ide: Increment BB in-flight counter for TRIM BH")
-Suggested-by: Hanna Czenczek <hreitz@redhat.com>
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/ide/core.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 7a15d6cac9..db44d83f57 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -456,7 +456,7 @@ static void ide_trim_bh_cb(void *opaque)
- iocb->bh = NULL;
- qemu_aio_unref(iocb);
-
-- /* Paired with an increment in ide_issue_trim() */
-+ /* Paired with an increment in ide_issue_trim_cb() */
- blk_dec_in_flight(blk);
- }
-
-@@ -516,6 +516,8 @@ static void ide_issue_trim_cb(void *opaque, int ret)
- done:
- iocb->aiocb = NULL;
- if (iocb->bh) {
-+ /* Paired with a decrement in ide_trim_bh_cb() */
-+ blk_inc_in_flight(s->blk);
- replay_bh_schedule_event(iocb->bh);
- }
- }
-@@ -528,9 +530,6 @@ BlockAIOCB *ide_issue_trim(
- IDEDevice *dev = s->unit ? s->bus->slave : s->bus->master;
- TrimAIOCB *iocb;
-
-- /* Paired with a decrement in ide_trim_bh_cb() */
-- blk_inc_in_flight(s->blk);
--
- iocb = blk_aio_get(&trim_aiocb_info, s->blk, cb, cb_opaque);
- iocb->s = s;
- iocb->bh = qemu_bh_new_guarded(ide_trim_bh_cb, iocb,
-@@ -754,8 +753,9 @@ void ide_cancel_dma_sync(IDEState *s)
- */
- if (s->bus->dma->aiocb) {
- trace_ide_cancel_dma_sync_remaining();
-- blk_drain(s->blk);
-- assert(s->bus->dma->aiocb == NULL);
-+ while (s->bus->dma->aiocb) {
-+ blk_drain(s->blk);
-+ }
- }
- }
-
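Review bot: Dropping this IDE TRIM patch needs a stated reason. Unlike the other extra/ patches removed in this commit, its trailer block (Fixes, Suggested-by, Signed-off-by) has no "cherry picked from commit" line, so nothing in the hunk shows which upstream change replaces it. Please name the upstream commit in the commit message that makes the `while (s->bus->dma->aiocb)` drain loop in ide_cancel_dma_sync() unnecessary, so a later reader can confirm the deadlock fix was not lost in the rebase.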
diff --git a/debian/patches/extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch b/debian/patches/extra/0003-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
similarity index 100%
rename from debian/patches/extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
rename to debian/patches/extra/0003-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
diff --git a/debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch b/debian/patches/extra/0004-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
similarity index 100%
rename from debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
rename to debian/patches/extra/0004-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
diff --git a/debian/patches/extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch b/debian/patches/extra/0005-block-export-fuse-fix-regression-with-block-device-e.patch
similarity index 100%
rename from debian/patches/extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch
rename to debian/patches/extra/0005-block-export-fuse-fix-regression-with-block-device-e.patch
diff --git a/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch b/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
deleted file mode 100644
index 9874c26972..0000000000
--- a/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 31 Mar 2026 08:32:23 +0200
-Subject: [PATCH] target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit
- mode
-
-Table A-4 of the SDM shows
-
- F0 F1
---------------------------------------------------------
- NP MOVBE Gy,My MOVBE My,Gy
- 66 MOVBE Gw,Mw MOVBW Mw,Gw
- F2 CRC32 Gd,Eb CRC32 Gd,Ey
- 66+F2 CRC32 Gd,Eb CRC32 Gd,Ew
-
-However, this is incorrect. Both MOVBE and (for 0xF1) CRC32
-take Gv, Ev or Mv operands. In 16-bit mode therefore the
-operand is of 16-bit size without prefix and 32-bit mode
-with 0x66 (the data size override).
-
-For example, with NASM you get:
-
- bits 16
- 67 0F 38 F0 02 movbe ax, [edx]
- 66 67 0F 38 F0 02 movbe eax, [edx]
-
- 67 F2 0F 38 F1 02 crc32 ax, word [edx]
- 66 67 F2 0F 38 F1 02 crc32 eax, dword [edx]
-
-versus
-
- bits 32
- 66 0F 38 F0 02 movbe ax, [edx]
- 0F 38 F0 02 movbe eax, [edx]
-
- 66 F2 0F 38 F1 02 crc32 eax, word [edx]
- F2 0F 38 F1 02 crc32 eax, dword [edx]
-
-The instruction is listed correctly in the APX documentation
-as "SCALABLE" (which means it has v-size operands).
-
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 76ad26dd172d27aae9f1e76d1165b497167c36c2)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/decode-new.c.inc | 16 ++++++++++------
- 1 file changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.c.inc
-index bc105aab9e..c8b5bd6ad2 100644
---- a/target/i386/tcg/decode-new.c.inc
-+++ b/target/i386/tcg/decode-new.c.inc
-@@ -875,19 +875,23 @@ static const X86OpEntry opcodes_0F38_00toEF[240] = {
-
- /* five rows for no prefix, 66, F3, F2, 66+F2 */
- static const X86OpEntry opcodes_0F38_F0toFF[16][5] = {
-+ /*
-+ * MOVBE and CRC32 are incorrectly listed as always doing 32-bit operation
-+ * without prefix and 16-bit operation with 0x66.
-+ */
- [0] = {
-- X86_OP_ENTRYwr(MOVBE, G,y, M,y, cpuid(MOVBE)),
-- X86_OP_ENTRYwr(MOVBE, G,w, M,w, cpuid(MOVBE)),
-+ X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)),
-+ X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)),
- {},
- X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)),
- X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)),
- },
- [1] = {
-- X86_OP_ENTRYwr(MOVBE, M,y, G,y, cpuid(MOVBE)),
-- X86_OP_ENTRYwr(MOVBE, M,w, G,w, cpuid(MOVBE)),
-+ X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)),
-+ X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)),
- {},
-- X86_OP_ENTRY2(CRC32, G,d, E,y, cpuid(SSE42)),
-- X86_OP_ENTRY2(CRC32, G,d, E,w, cpuid(SSE42)),
-+ X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)),
-+ X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)),
- },
- [2] = {
- X86_OP_ENTRY3(ANDN, G,y, B,y, E,y, vex13 cpuid(BMI1)),
diff --git a/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch b/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
deleted file mode 100644
index b8f224e9be..0000000000
--- a/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
-Date: Fri, 17 Apr 2026 13:27:03 +0100
-Subject: [PATCH] hw/display: don't accidentally autofree existing virgl
- resources
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-While sanity checking a create blob operation the use of the auto
-freed res variable could lead to inadvertently freeing an existing
-blob.
-
-Avoid this by in-lining the virtio_gpu_virgl_find_resource() check as
-the value is not needed anyway.
-
-While at it add a comment to the end and use g_steal_pointer to make
-it clearer the object lifetime exceeds the function bounds if we pass
-all the checks.
-
-Fixes: CVE-2026-6502
-Fixes: 7c092f17cce (virtio-gpu: Handle resource blob commands)
-Message-ID: 20260417094443.785462-1-alex.bennee@linaro.org
-Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
-Cc: qemu-stable@nongnu.org
-Message-ID: <20260417122703.845442-1-alex.bennee@linaro.org>
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
-(cherry picked from commit 30fad722ce68316d22b926ba0e6017f0440465df)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/display/virtio-gpu-virgl.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c
-index b7a2d160dd..add85bd4e6 100644
---- a/hw/display/virtio-gpu-virgl.c
-+++ b/hw/display/virtio-gpu-virgl.c
-@@ -830,8 +830,7 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g,
- return;
- }
-
-- res = virtio_gpu_virgl_find_resource(g, cblob.resource_id);
-- if (res) {
-+ if (virtio_gpu_virgl_find_resource(g, cblob.resource_id)) {
- qemu_log_mask(LOG_GUEST_ERROR, "%s: resource already exists %d\n",
- __func__, cblob.resource_id);
- cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID;
-@@ -884,8 +883,9 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g,
-
- res->base.dmabuf_fd = info.fd;
-
-+ /* Now live, cleaned up in virtio_gpu_virgl_resource_unref */
- QTAILQ_INSERT_HEAD(&g->reslist, &res->base, next);
-- res = NULL;
-+ g_steal_pointer(&res);
- }
-
- static void virgl_cmd_resource_map_blob(VirtIOGPU *g,
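Review bot: This removes the downstream copy of a security fix (the "Fixes: CVE-2026-6502" trailer), so the drop should be verified against the new submodule pin rather than assumed. The trailer names upstream commit 30fad722ce68316d22b926ba0e6017f0440465df, but a stable release usually carries a backport under a different hash, so an ancestry check on that hash is not sufficient. Please confirm by content that hw/display/virtio-gpu-virgl.c at the new pin has the inlined `if (virtio_gpu_virgl_find_resource(g, cblob.resource_id))` check and `g_steal_pointer(&res);`, and mention the CVE in the commit message as covered by the update.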
diff --git a/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch b/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
deleted file mode 100644
index 88f899f85f..0000000000
--- a/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: rickgcn <rickgcn@gmail.com>
-Date: Sat, 18 Apr 2026 14:14:29 +0800
-Subject: [PATCH] hw: i386: vapic: restore IRQ polling for non-kernel irqchip
- backends
-
-69dfc078 extended vAPIC handling for WHPX with user-mode irqchip, but it
-also changed vapic_write() case 4 in a way that excludes TCG from
-apic_poll_irq().
-
-Before that change, IRQ polling happened whenever no in-kernel irqchip
-was active. After the change, it only happened for KVM or WHPX with a
-user-mode irqchip. Under TCG, both kvm_enabled() and whpx_enabled() are
-false, so the poll never happens.
-
-This regresses 32-bit Windows XP guests on a Windows host with
--machine pc-i440fx-10.0,accel=tcg, causing a STOP 0x0000000A during boot.
-
-Fix it by making the decision depend on whether KVM or WHPX is using an
-in-kernel irqchip, instead of whether either accelerator is enabled.
-
-Fixes: 69dfc078a6f0 ("hw: i386: vapic: enable on WHPX with user-mode irqchip")
-
-Signed-off-by: rickgcn <rickgcn@gmail.com>
-Link: https://lore.kernel.org/r/20260418061429.16898-1-rickgcn@gmail.com
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit c906c2337058bd467e6ac0176c2966d1eeb6f8f5)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/i386/vapic.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/hw/i386/vapic.c b/hw/i386/vapic.c
-index 41e5ca26df..1acb9f91b2 100644
---- a/hw/i386/vapic.c
-+++ b/hw/i386/vapic.c
-@@ -716,8 +716,7 @@ static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
- break;
- default:
- case 4:
-- if ((kvm_enabled() && !kvm_irqchip_in_kernel())
-- || (whpx_enabled() && !whpx_irqchip_in_kernel())) {
-+ if (!kvm_irqchip_in_kernel() && !whpx_irqchip_in_kernel()) {
- apic_poll_irq(cpu->apic_state);
- }
- break;
diff --git a/debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch b/debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
deleted file mode 100644
index a9975bbb3b..0000000000
--- a/debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Mon, 13 Apr 2026 16:50:40 +0400
-Subject: [PATCH] target/i386: fix strList leak in
- x86_cpu_get_unavailable_features
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The result list built by x86_cpu_list_feature_names() was never freed
-after being visited, causing a memory leak detected by ASan.
-(the getter visitor is VISITOR_OUTPUT kind and doesn't own data)
-
-Fixes: 506174bf8219 ("i386: "unavailable-features" QOM property")
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Link: https://lore.kernel.org/r/20260413125040.3842686-1-marcandre.lureau@redhat.com
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 87e1226e6f6844845ac407d50198d84205e7ed7f)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/cpu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index c6fd1dc00e..9d126600c0 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -7842,6 +7842,7 @@ static void x86_cpu_get_unavailable_features(Object *obj, Visitor *v,
-
- x86_cpu_list_feature_names(xc->filtered_features, &result);
- visit_type_strList(v, "unavailable-features", &result, errp);
-+ qapi_free_strList(result);
- }
-
- /* Print all cpuid feature names in featureset
diff --git a/debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch b/debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
deleted file mode 100644
index dfa3f4c20a..0000000000
--- a/debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Simon Scherer <scherer.simon89@gmail.com>
-Date: Mon, 13 Apr 2026 13:56:22 +0200
-Subject: [PATCH] target/i386: fix missing PF_INSTR in SIGSEGV context
-
-When running linux-user emulation, the SIGSEGV handler does not
-correctly set the 4th bit (PF_INSTR) in the error_code variable of
-the context argument (context->uc_mcontext.gregs[REG_ERR]).
-
-Because this bit is never set, guest applications cannot distinguish
-if a fault was due to missing executable permissions. This patch
-ensures that when a page fault occurs during an instruction fetch,
-the PF_INSTR flag is properly populated in the signal context.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3384
-Signed-off-by: Simon Scherer <scherer.simon89@gmail.com>
-Link: https://lore.kernel.org/r/20260413115622.160212-1-scherer.simon89@gmail.com
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 3eae91a8b93a35f194a39ab5b894ae405def9270)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/user/excp_helper.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/target/i386/tcg/user/excp_helper.c b/target/i386/tcg/user/excp_helper.c
-index 98fab4cbc3..6c5df5e0e8 100644
---- a/target/i386/tcg/user/excp_helper.c
-+++ b/target/i386/tcg/user/excp_helper.c
-@@ -36,9 +36,10 @@ void x86_cpu_record_sigsegv(CPUState *cs, vaddr addr,
- * signal and set exception_index to EXCP_INTERRUPT.
- */
- env->cr[2] = addr;
-- env->error_code = ((access_type == MMU_DATA_STORE) << PG_ERROR_W_BIT)
-- | (maperr ? 0 : PG_ERROR_P_MASK)
-- | PG_ERROR_U_MASK;
-+ env->error_code = (maperr ? 0 : PG_ERROR_P_MASK)
-+ | ((access_type == MMU_DATA_STORE) << PG_ERROR_W_BIT)
-+ | PG_ERROR_U_MASK
-+ | ((access_type == MMU_INST_FETCH) ? PG_ERROR_I_D_MASK : 0);
- cs->exception_index = EXCP0E_PAGE;
-
- /* Disable do_interrupt_user. */
diff --git a/debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch b/debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
deleted file mode 100644
index a4faa8635c..0000000000
--- a/debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
-Date: Thu, 5 Mar 2026 00:22:45 +0300
-Subject: [PATCH] migration: vmstate_save_state_v: fix double error_setg
-
-We may call error_setg twice on same errp if inner
-vmstate_save_state_v() or vmstate_save_state() call fails. Next we will
-crash on assertion in error_setv().
-
-Fixes: 848a0503422d043 "migration: Update error description outside migration.c"
-Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
-Reviewed-by: Fabiano Rosas <farosas@suse.de>
-Reviewed-by: Peter Xu <peterx@redhat.com>
-Link: https://lore.kernel.org/qemu-devel/20260304212303.667141-2-vsementsov@yandex-team.ru
-Signed-off-by: Fabiano Rosas <farosas@suse.de>
-(cherry picked from commit d41ce10d0f5a3d6e497e4b75807a8e675033c597)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- migration/vmstate.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/migration/vmstate.c b/migration/vmstate.c
-index 4d28364f7b..fccd030dfd 100644
---- a/migration/vmstate.c
-+++ b/migration/vmstate.c
-@@ -539,6 +539,9 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDescription *vmsd,
- } else {
- ret = inner_field->info->put(f, curr_elem, size,
- inner_field, vmdesc_loop);
-+ if (ret < 0) {
-+ error_setg(errp, "put failed");
-+ }
- }
-
- written_bytes = qemu_file_transferred(f) - old_offset;
-@@ -551,8 +554,8 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDescription *vmsd,
- }
-
- if (ret) {
-- error_setg(errp, "Save of field %s/%s failed",
-- vmsd->name, field->name);
-+ error_prepend(errp, "Save of field %s/%s failed: ",
-+ vmsd->name, field->name);
- if (vmsd->post_save) {
- vmsd->post_save(opaque);
- }
diff --git a/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch b/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch
index 76e5fcce71..52e7ed9c50 100644
--- a/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch
+++ b/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch
@@ -247,7 +247,7 @@ index 0000000000..036edb17f5
+
+block_init(bdrv_zeroinit_init);
diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 496118bdc7..f0f225a3c2 100644
+index 50a0af3569..4e8bc65bdb 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -3381,7 +3381,7 @@
@@ -259,7 +259,7 @@ index 496118bdc7..f0f225a3c2 100644
##
# @BlockdevOptionsFile:
-@@ -4936,7 +4936,8 @@
+@@ -4940,7 +4940,8 @@
'if': 'CONFIG_BLKIO' },
'vmdk': 'BlockdevOptionsGenericCOWFormat',
'vpc': 'BlockdevOptionsGenericFormat',
diff --git a/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch b/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch
index 0701eb7265..f63cc7b27b 100644
--- a/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch
+++ b/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch
@@ -119,10 +119,10 @@ index 328ddaa3bd..5fd49844af 100644
};
return raw_co_create(&options, errp);
diff --git a/qapi/block-core.json b/qapi/block-core.json
-index f0f225a3c2..0c00aabbab 100644
+index 4e8bc65bdb..d5a2bbcff1 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
-@@ -5155,6 +5155,10 @@
+@@ -5159,6 +5159,10 @@
# @extent-size-hint: Extent size hint to add to the image file; 0 for
# not adding an extent size hint (default: 1 MB, since 5.1)
#
@@ -133,7 +133,7 @@ index f0f225a3c2..0c00aabbab 100644
# Since: 2.12
##
{ 'struct': 'BlockdevCreateOptionsFile',
-@@ -5162,7 +5166,8 @@
+@@ -5166,7 +5170,8 @@
'size': 'size',
'*preallocation': 'PreallocMode',
'*nocow': 'bool',
diff --git a/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch b/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch
index d116ae3569..814b939bed 100644
--- a/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch
+++ b/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch
@@ -40,10 +40,10 @@ index a21d9a5411..1373612c10 100644
system_ss.add(files('block-ram-registrar.c'))
diff --git a/meson.build b/meson.build
-index ab3e97eb9f..f747bc3cb2 100644
+index 51f5f2851a..a88b007017 100644
--- a/meson.build
+++ b/meson.build
-@@ -2149,6 +2149,8 @@ endif
+@@ -2155,6 +2155,8 @@ endif
has_gettid = cc.has_function('gettid')
@@ -52,7 +52,7 @@ index ab3e97eb9f..f747bc3cb2 100644
# libselinux
selinux = dependency('libselinux',
required: get_option('selinux'),
-@@ -4517,6 +4519,9 @@ if have_tools
+@@ -4523,6 +4525,9 @@ if have_tools
dependencies: [blockdev, qemuutil, selinux],
install: true)
diff --git a/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch b/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
index a4ac880fa7..74ce2a426e 100644
--- a/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
+++ b/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
@@ -263,10 +263,10 @@ index abebfea0e2..bc727a3a6a 100644
void hmp_device_add(Monitor *mon, const QDict *qdict);
void hmp_device_del(Monitor *mon, const QDict *qdict);
diff --git a/meson.build b/meson.build
-index f747bc3cb2..7aa0ed1b5a 100644
+index a88b007017..684501a185 100644
--- a/meson.build
+++ b/meson.build
-@@ -2150,6 +2150,7 @@ endif
+@@ -2156,6 +2156,7 @@ endif
has_gettid = cc.has_function('gettid')
libuuid = cc.find_library('uuid', required: true)
@@ -1685,7 +1685,7 @@ index 0000000000..177fb851b4
+ return ret;
+}
diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 0c00aabbab..4f407007b9 100644
+index d5a2bbcff1..7f1daf42fe 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -952,6 +952,248 @@
diff --git a/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch b/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
index 44e42c7f6b..8344e666ed 100644
--- a/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
+++ b/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
@@ -14,10 +14,10 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
create mode 100644 pbs-restore.c
diff --git a/meson.build b/meson.build
-index 7aa0ed1b5a..3a57c44ade 100644
+index 684501a185..7111b47319 100644
--- a/meson.build
+++ b/meson.build
-@@ -4523,6 +4523,10 @@ if have_tools
+@@ -4529,6 +4529,10 @@ if have_tools
vma = executable('vma', files('vma.c', 'vma-reader.c') + genh,
dependencies: [authz, block, crypto, io, qemuutil, qom], install: true)
diff --git a/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch b/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
index 8791b16dbc..1d2396f318 100644
--- a/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
+++ b/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
@@ -348,10 +348,10 @@ index 0000000000..3e41421716
+
+block_init(bdrv_pbs_init);
diff --git a/meson.build b/meson.build
-index 3a57c44ade..eb84d64604 100644
+index 7111b47319..4115c35884 100644
--- a/meson.build
+++ b/meson.build
-@@ -4997,7 +4997,7 @@ summary_info += {'Query Processing Library support': qpl}
+@@ -5003,7 +5003,7 @@ summary_info += {'Query Processing Library support': qpl}
summary_info += {'UADK Library support': uadk}
summary_info += {'qatzip support': qatzip}
summary_info += {'NUMA host support': numa}
@@ -361,7 +361,7 @@ index 3a57c44ade..eb84d64604 100644
summary_info += {'libdaxctl support': libdaxctl}
summary_info += {'libcbor support': libcbor}
diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 4f407007b9..84a4572625 100644
+index 7f1daf42fe..e1c659310d 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -3619,6 +3619,7 @@
@@ -406,7 +406,7 @@ index 4f407007b9..84a4572625 100644
##
# @BlockdevOptionsNVMe:
#
-@@ -5149,6 +5177,7 @@
+@@ -5153,6 +5181,7 @@
'nfs': 'BlockdevOptionsNfs',
'null-aio': 'BlockdevOptionsNull',
'null-co': 'BlockdevOptionsNull',
diff --git a/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch b/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch
index 42759e606b..8c558401c8 100644
--- a/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch
+++ b/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch
@@ -14,10 +14,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/meson.build b/meson.build
-index eb84d64604..d71baddfa6 100644
+index 4115c35884..87c765f622 100644
--- a/meson.build
+++ b/meson.build
-@@ -2150,6 +2150,7 @@ endif
+@@ -2156,6 +2156,7 @@ endif
has_gettid = cc.has_function('gettid')
libuuid = cc.find_library('uuid', required: true)
@@ -25,7 +25,7 @@ index eb84d64604..d71baddfa6 100644
libproxmox_backup_qemu = cc.find_library('proxmox_backup_qemu', required: true)
# libselinux
-@@ -3840,7 +3841,7 @@ if have_block
+@@ -3846,7 +3847,7 @@ if have_block
elif host_os == 'emscripten'
blockdev_ss.add(files('os-wasm.c'))
else
diff --git a/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch b/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
index ec8e4e9a4f..adb41f4572 100644
--- a/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
+++ b/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
@@ -58,7 +58,7 @@ index 90d62d5723..6010ccaef0 100644
'ram.c',
'savevm.c',
diff --git a/migration/migration.c b/migration/migration.c
-index 5c9aaa6e58..23b05a64cf 100644
+index dfc60372cf..f415448689 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -329,6 +329,7 @@ void migration_object_init(void)
@@ -192,7 +192,7 @@ index 177fb851b4..7575abab7c 100644
ret->pbs_masterkey = true;
ret->backup_max_workers = true;
diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 84a4572625..4a6769c053 100644
+index e1c659310d..b314192e30 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -1112,6 +1112,11 @@
diff --git a/debian/patches/pve/0037-block-add-alloc-track-driver.patch b/debian/patches/pve/0037-block-add-alloc-track-driver.patch
index 042929c527..ed5e2f5d31 100644
--- a/debian/patches/pve/0037-block-add-alloc-track-driver.patch
+++ b/debian/patches/pve/0037-block-add-alloc-track-driver.patch
@@ -449,7 +449,7 @@ index d023753091..a777c8079c 100644
out:
diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 4a6769c053..8af4107bf5 100644
+index b314192e30..a8a7d227a8 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -3611,7 +3611,8 @@
@@ -484,7 +484,7 @@ index 4a6769c053..8af4107bf5 100644
##
# @BlockdevOptionsPbs:
#
-@@ -5155,6 +5171,7 @@
+@@ -5159,6 +5175,7 @@
'*detect-zeroes': 'BlockdevDetectZeroesOptions' },
'discriminator': 'driver',
'data': {
diff --git a/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch b/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch
index cd27516275..5e6a4d9791 100644
--- a/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch
+++ b/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch
@@ -429,7 +429,7 @@ index 7575abab7c..8b83465ebd 100644
return ret;
}
diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 8af4107bf5..5c8b872000 100644
+index a8a7d227a8..977daf0191 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -1054,6 +1054,10 @@
diff --git a/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch b/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch
index d30aaf8f23..031eeba6b6 100644
--- a/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch
+++ b/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch
@@ -740,7 +740,7 @@ index 0000000000..9ebeef7c8f
+
+#endif /* PVE_BACKUP_H */
diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 5c8b872000..cf4f5ce7f1 100644
+index 977daf0191..ed37a4a22f 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -1128,6 +1128,9 @@
diff --git a/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch b/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
index df9f3df96b..0c4cef7f09 100644
--- a/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
+++ b/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
@@ -89,7 +89,7 @@ index 80b75ad5cb..f8417347a1 100644
* @migrate_add_blocker - prevent all modes of migration from proceeding
*
diff --git a/migration/migration.c b/migration/migration.c
-index 23b05a64cf..8acd9610de 100644
+index f415448689..979fc7050e 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -1886,6 +1886,30 @@ bool migration_is_blocked(Error **errp)
diff --git a/debian/patches/series b/debian/patches/series
index 9ca5887599..352c8eb278 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,15 +1,8 @@
extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
-extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
-extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
-extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
-extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
-extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
-extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
-extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
-extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
-extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
-extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
-extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch
+extra/0002-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
+extra/0003-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
+extra/0004-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
+extra/0005-block-export-fuse-fix-regression-with-block-device-e.patch
bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
diff --git a/qemu b/qemu
index 98b060da3a..6e9a825c1d 160000
--- a/qemu
+++ b/qemu
@@ -1 +1 @@
-Subproject commit 98b060da3a4f92b2a994ead5b16a87e783baf77c
+Subproject commit 6e9a825c1d4e7b62d072e99a89ecd1a74c7f0d55
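Review bot: The gitlink bump to 6e9a825c1d4e7b62d072e99a89ecd1a74c7f0d55 is the only thing pinning the QEMU source, and the hunk gives no way to tell which release it corresponds to. Please state in the commit message that this hash is the 11.0.1 release tag commit, and check the tag signature when updating, so the pin can be verified independently of the subject line.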
--
2.47.3
* [PATCH qemu-server 4/6] fix #6424: increase timeout for QMP 'quit' to 60s to avoid issue with bulk suspend
2026-05-27 11:00 [PATCH-SERIES qemu/qemu-server 0/6] fix #6424: avoid timeout issue for QMP 'quit' for bulk suspend Fiona Ebner
` (2 preceding siblings ...)
2026-05-27 11:00 ` [PATCH qemu 3/6] update submodule and patches to QEMU 11.0.1 Fiona Ebner
@ 2026-05-27 11:00 ` Fiona Ebner
2026-05-27 11:00 ` [PATCH qemu-server 5/6] run state: use v5.36 and signatures in module Fiona Ebner
2026-05-27 11:00 ` [PATCH qemu-server 6/6] suspend: skip VM start after successfully saving state Fiona Ebner
5 siblings, 0 replies; 7+ messages in thread
From: Fiona Ebner @ 2026-05-27 11:00 UTC (permalink / raw)
To: pve-devel
The 'quit' QMP command itself is fast, since it only records the
shutdown request and notifies the main loop, but getting the response
can take a while. The reason is that qmp_dispatch() yields and must be
woken after executing the command and at that stage, QEMU is already
busy with teardown too.
In practice, users can run into the default timeout of 5 seconds when
doing bulk suspend.
The 'quit' QMP command is only used as part of (potentially)
longer-running operations already:
- VM hibernation
- VM stop
- QSD quit:
- after enrolling EFI disk certs
- terminating instance for TPM
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/QMPClient.pm | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/PVE/QMPClient.pm b/src/PVE/QMPClient.pm
index 7610121a..a43e661b 100644
--- a/src/PVE/QMPClient.pm
+++ b/src/PVE/QMPClient.pm
@@ -156,6 +156,12 @@ sub cmd {
|| $cmd->{execute} eq 'blockdev-snapshot-internal-sync'
) {
$timeout = 60 * 60; # 1 hour
+ } elsif ($cmd->{execute} eq 'quit') {
+ # The 'quit' QMP command itself is fast, since it only records the shutdown request and
+ # notifies the main loop, but getting the response can take a while. The reason is that
+ # qmp_dispatch() yields and must be woken after executing the command and at that stage,
+ # QEMU is already busy with teardown too.
+ $timeout = 60;
} else {
# NOTE: if you came here as user and want to change this, try using IO-Threads first
# which move out quite some processing of the main thread, leaving more time for QMP
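Review bot: The new `elsif ($cmd->{execute} eq 'quit')` branch hard-codes `$timeout = 60`, and its comment explains why the reply can be slow but not why 60 seconds is the right bound. A short note on how the value was chosen (for example what the reproducer needed) would help whoever has to tune it next. The comment also repeats the commit message verbatim, so it could be shortened to the one sentence about qmp_dispatch() having to be woken during teardown.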
--
2.47.3
* [PATCH qemu-server 5/6] run state: use v5.36 and signatures in module
From: Fiona Ebner @ 2026-05-27 11:00 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/QemuServer/RunState.pm | 24 +++++++++---------------
1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/src/PVE/QemuServer/RunState.pm b/src/PVE/QemuServer/RunState.pm
index bbbcc88e..2d98e6bb 100644
--- a/src/PVE/QemuServer/RunState.pm
+++ b/src/PVE/QemuServer/RunState.pm
@@ -1,7 +1,6 @@
package PVE::QemuServer::RunState;
-use strict;
-use warnings;
+use v5.36;
use POSIX qw(strftime);
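Review bot: The commit message has no body, so the removal of `use strict;` and `use warnings;` at the top of the module is unexplained to anyone reading the log later. `use v5.36;` enables both implicitly along with the `signatures` feature, and it also turns off indirect object syntax and multidimensional array emulation. A sentence in the commit message saying so, and that the module was checked for those constructs, would make the change self-documenting.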
@@ -16,8 +15,7 @@ use PVE::QemuServer::Monitor qw(mon_cmd);
use PVE::QemuServer::Network;
# note: if using the statestorage parameter, the caller has to check privileges
-sub vm_suspend {
- my ($vmid, $skiplock, $includestate, $statestorage) = @_;
+sub vm_suspend($vmid, $skiplock = undef, $includestate = undef, $statestorage = undef) {
my $conf;
my $path;
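Review bot: Converting `vm_suspend` to a signature makes arity strict: a call with more than four arguments, which the old `my (...) = @_;` silently ignored, now dies at run time. Please confirm that all call sites, including those in other packages, were audited for extra trailing arguments. The `= undef` defaults keep the three trailing parameters optional, so existing shorter calls are unaffected.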
@@ -127,8 +125,7 @@ sub vm_suspend {
# $nocheck is set when called as part of a migration - in this context the
# location of the config file (source or target node) is not deterministic,
# since migration cannot wait for pmxcfs to process the rename
-sub vm_resume {
- my ($vmid, $skiplock, $nocheck) = @_;
+sub vm_resume($vmid, $skiplock = undef, $nocheck = undef) {
PVE::QemuConfig->lock_config(
$vmid,
@@ -184,32 +181,29 @@ sub vm_resume {
);
}
-sub get_cleanup_flag_path {
- my ($vmid) = @_;
+sub get_cleanup_flag_path($vmid) {
return "/run/qemu-server/$vmid.cleanup";
}
-sub create_cleanup_flag {
- my ($vmid) = @_;
+sub create_cleanup_flag($vmid) {
# write time so we could check in a timeout if needed
PVE::File::file_set_contents(get_cleanup_flag_path($vmid), time());
}
-sub clear_cleanup_flag {
- my ($vmid) = @_;
+sub clear_cleanup_flag($vmid) {
my $path = get_cleanup_flag_path($vmid);
unlink $path or $! == POSIX::ENOENT or die "removing cleanup flag for $vmid failed: $!\n";
}
-sub cleanup_flag_exists {
- my ($vmid) = @_;
+sub cleanup_flag_exists($vmid) {
return -f get_cleanup_flag_path($vmid);
}
# checks if /run/qemu-server/force-legacy-cleanup exists that will be created on
# package update and cleared on bootup so we can be sure the guests were
# started recently enough
-sub can_use_cleanup_flag {
+sub can_use_cleanup_flag() {
!-f "/run/qemu-server/force-legacy-cleanup";
}
+
1;
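Review bot: The hunk ends by adding an empty line before `1;`, which is unrelated to the signature conversion and would be better dropped or moved to a separate cleanup. Separately, `can_use_cleanup_flag()` with an empty signature now dies if it is ever invoked with an argument, for example through a method-style call, and the `($vmid)` helpers now die when called without one, so their callers deserve the same audit as `vm_suspend` and `vm_resume`.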
--
2.47.3
* [PATCH qemu-server 6/6] suspend: skip VM start after successfully saving state
From: Fiona Ebner @ 2026-05-27 11:00 UTC (permalink / raw)
To: pve-devel
When creating a snapshot of the VM state for hibernation, the VM must
not be started again if the snapshot operation was completed
successfully. The VM should remain stopped, so that the QMP 'quit' is
issued without further activity from the VM.
The 'skip-vm-start' parameter for 'savevm-start' is available since
QEMU version 11.0.1, so version-guard it.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/QemuServer/RunState.pm | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/PVE/QemuServer/RunState.pm b/src/PVE/QemuServer/RunState.pm
index 2d98e6bb..157cd1a8 100644
--- a/src/PVE/QemuServer/RunState.pm
+++ b/src/PVE/QemuServer/RunState.pm
@@ -2,6 +2,7 @@ package PVE::QemuServer::RunState;
use v5.36;
+use JSON qw();
use POSIX qw(strftime);
use PVE::Cluster;
@@ -13,6 +14,7 @@ use PVE::QemuConfig;
use PVE::QemuMigrate::Helpers;
use PVE::QemuServer::Monitor qw(mon_cmd);
use PVE::QemuServer::Network;
+use PVE::QemuServer::QMPHelpers;
# note: if using the statestorage parameter, the caller has to check privileges
sub vm_suspend($vmid, $skiplock = undef, $includestate = undef, $statestorage = undef) {
@@ -72,7 +74,11 @@ sub vm_suspend($vmid, $skiplock = undef, $includestate = undef, $statestorage =
eval {
PVE::QemuMigrate::Helpers::set_migration_caps($vmid, 1);
- mon_cmd($vmid, "savevm-start", statefile => $path);
+ my $savevm_start_params = { statefile => $path };
+ if (PVE::QemuServer::QMPHelpers::runs_at_least_qemu_version($vmid, 11, 0, 1)) {
+ $savevm_start_params->{'skip-vm-start'} = JSON::true;
+ }
+ mon_cmd($vmid, "savevm-start", $savevm_start_params->%*);
for (;;) {
my $state = mon_cmd($vmid, "query-savevm");
if (!$state->{status}) {
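Review bot: The version guard around `skip-vm-start` has no comment in the code, so the reason for `11, 0, 1` lives only in the commit message. A one-line comment above the `if` stating that the parameter exists since QEMU 11.0.1 would tell a later reader when the guard can be removed. It is also worth checking that the code following the `query-savevm` loop (not shown in this hunk) does not assume the guest is running again after a successful save, since that now depends on the version of the running QEMU.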
--
2.47.3