public inbox for pve-devel@lists.proxmox.com
* [PATCH-SERIES qemu/qemu-server v2 0/5] fix #6424: avoid timeout issue for QMP 'quit' for bulk suspend
@ 2026-06-29 13:54 Fiona Ebner
  2026-06-29 13:54 ` [PATCH qemu v2 1/5] async snapshot: allow skipping VM start after successful completion Fiona Ebner
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Fiona Ebner @ 2026-06-29 13:54 UTC (permalink / raw)
  To: pve-devel

Changes in v2:
* rebase on current master
* use qemu-stable v11.0.2

I was able to reproduce the issue for a VM without IO thread busy
with IO on a heavily rate-limited storage.

The fix has two independent parts:

1) increase the QMP timeout:

The 'quit' QMP command itself is fast, since it only records the
shutdown request and notifies the main loop, but getting the response
can take a while. The reason is that qmp_dispatch() yields and must be
woken after executing the command and at that stage, QEMU is already
busy with teardown too.

2) skip VM start after successfully saving state:

When creating a snapshot of the VM state for hibernation, the VM must
not be started again if the snapshot operation was completed
successfully. The VM should remain stopped, so that the QMP 'quit' is
issued without further activity from the VM.

The latter addresses a more fundamental issue, but it still makes
sense to bump the timeout for 'quit' regardless, because the
explanation in 1) still applies.

I also added the rebase to QEMU 11.0.1 as part of this series, since
using the new parameter for 2) needs to be somehow version-guarded.
There would be other ways like extending QMP 'query-proxmox-support',
but since the opportunity with 11.0.1 is there, I felt like it is
easier in this case.

qemu:

Fiona Ebner (2):
  async snapshot: allow skipping VM start after successful completion
  update submodule and patches to QEMU 11.0.2

 ...d-support-for-sync-bitmap-mode-never.patch |   6 +-
 ...-support-for-conditional-and-always-.patch |   2 +-
 ...-to-bdrv_dirty_bitmap_merge_internal.patch |   2 +-
 .../0006-mirror-move-some-checks-to-qmp.patch |   2 +-
 ...oid-idle-event-loop-being-accounted.patch} |   0
 ...ial-deadlock-when-draining-during-tr.patch | 100 --------------
 ...-fix-regression-with-block-device-e.patch} |  15 +--
 ...k-to-bounce-buffer-if-BLKZEROOUT-is-.patch |  36 -----
 ...fix-decoding-of-MOVBE-and-CRC32-in-1.patch |  84 ------------
 ...-accidentally-autofree-existing-virg.patch |  59 --------
 ...store-IRQ-polling-for-non-kernel-irq.patch |  47 -------
 ...strList-leak-in-x86_cpu_get_unavaila.patch |  36 -----
 ...-missing-PF_INSTR-in-SIGSEGV-context.patch |  43 ------
 ...e_save_state_v-fix-double-error_setg.patch |  46 -------
 ...e-fix-regression-when-mmap-ing-expor.patch |  94 -------------
 ...issing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch |  48 -------
 ...-use-after-free-of-cancelled-request.patch |  82 -----------
 ...ar-tag-byte-when-processing-messages.patch |  40 ------
 ...very-bitmask-with-modified-xAPIC-ids.patch |  63 ---------
 ...aio-bound-ioq_submit-recursion-depth.patch | 127 ------------------
 ...reject-zero-DMA-page-size-capability.patch |  46 -------
 ...-zero-migration-page-size-capability.patch |  44 ------
 ...estrict-dma_map_file-to-shared-RAM-o.patch |  88 ------------
 ...async-for-background-state-snapshots.patch |  49 ++++---
 ...add-optional-buffer-size-to-QEMUFile.patch |   6 +-
 ...add-the-zeroinit-block-driver-filter.patch |   4 +-
 ...le-posix-make-locking-optiono-on-cre.patch |   6 +-
 ...VE-Backup-add-vma-backup-format-code.patch |   6 +-
 ...ckup-Proxmox-backup-patches-for-QEMU.patch |   8 +-
 ...estore-new-command-to-restore-from-p.patch |   4 +-
 ...k-driver-to-map-backup-archives-into.patch |   8 +-
 ...ct-stderr-to-journal-when-daemonized.patch |   6 +-
 ...igrate-dirty-bitmap-state-via-savevm.patch |   4 +-
 .../0037-block-add-alloc-track-driver.patch   |   4 +-
 .../0038-PVE-backup-add-fleecing-option.patch |   2 +-
 ...ment-backup-access-setup-and-teardow.patch |   2 +-
 ...se-migration-blocker-check-for-snaps.patch |   6 +-
 debian/patches/series                         |  21 +--
 qemu                                          |   2 +-
 39 files changed, 83 insertions(+), 1165 deletions(-)
 rename debian/patches/extra/{0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch => 0002-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch} (100%)
 delete mode 100644 debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
 rename debian/patches/extra/{0012-block-export-fuse-fix-regression-with-block-device-e.patch => 0003-block-export-fuse-fix-regression-with-block-device-e.patch} (71%)
 delete mode 100644 debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
 delete mode 100644 debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
 delete mode 100644 debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
 delete mode 100644 debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
 delete mode 100644 debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
 delete mode 100644 debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
 delete mode 100644 debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
 delete mode 100644 debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
 delete mode 100644 debian/patches/extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch
 delete mode 100644 debian/patches/extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch
 delete mode 100644 debian/patches/extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch
 delete mode 100644 debian/patches/extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch
 delete mode 100644 debian/patches/extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch
 delete mode 100644 debian/patches/extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch
 delete mode 100644 debian/patches/extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch
 delete mode 100644 debian/patches/extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch


qemu-server:

Fiona Ebner (3):
  fix #6424: increase timeout for QMP 'quit' to 60s to avoid issue with
    bulk suspend
  run state: use v5.36 and signatures in module
  suspend: skip VM start after successfully saving state

 src/PVE/QMPClient.pm           |  6 ++++++
 src/PVE/QemuServer/RunState.pm | 32 ++++++++++++++++----------------
 2 files changed, 22 insertions(+), 16 deletions(-)


Summary over all repositories:
  41 files changed, 105 insertions(+), 1181 deletions(-)

-- 
Generated by git-murpp 0.5.0





* [PATCH qemu v2 1/5] async snapshot: allow skipping VM start after successful completion
  2026-06-29 13:54 [PATCH-SERIES qemu/qemu-server v2 0/5] fix #6424: avoid timeout issue for QMP 'quit' for bulk suspend Fiona Ebner
@ 2026-06-29 13:54 ` Fiona Ebner
  2026-06-29 13:54 ` [PATCH qemu v2 2/5] update submodule and patches to QEMU 11.0.2 Fiona Ebner
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Fiona Ebner @ 2026-06-29 13:54 UTC (permalink / raw)
  To: pve-devel

When creating a snapshot for hibernation, the VM must not be started
again after a successful snapshot operation. The VM should remain
stopped so that the management layer can issue a QMP 'quit' without
further activity from the VM.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 ...async-for-background-state-snapshots.patch | 49 +++++++++++++------
 ...add-optional-buffer-size-to-QEMUFile.patch |  6 +--
 ...ckup-Proxmox-backup-patches-for-QEMU.patch |  2 +-
 ...se-migration-blocker-check-for-snaps.patch |  4 +-
 4 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch b/debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch
index 21ebd78182..192f3abf46 100644
--- a/debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch
+++ b/debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch
@@ -34,6 +34,7 @@ Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
      improve setting state in savevm-end handler
      improve runstate preservation
      use dedicated iothread for state file to avoid deadlock, bug #6262
+     add parameter to skip vm start to be used for hibernation
      rebase for 11.0.0]
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
@@ -42,13 +43,13 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  include/migration/snapshot.h |   2 +
  include/monitor/hmp.h        |   3 +
  migration/meson.build        |   1 +
- migration/savevm-async.c     | 586 +++++++++++++++++++++++++++++++++++
+ migration/savevm-async.c     | 597 +++++++++++++++++++++++++++++++++++
  monitor/hmp-cmds.c           |  38 +++
  qapi/migration.json          |  34 ++
- qapi/misc.json               |  18 ++
+ qapi/misc.json               |  25 ++
  qemu-options.hx              |  12 +
  system/vl.c                  |  10 +
- 11 files changed, 734 insertions(+)
+ 11 files changed, 752 insertions(+)
  create mode 100644 migration/savevm-async.c
 
 diff --git a/hmp-commands-info.hx b/hmp-commands-info.hx
@@ -146,10 +147,10 @@ index 0222d5ea6e..90d62d5723 100644
  ), gnutls, zlib)
 diff --git a/migration/savevm-async.c b/migration/savevm-async.c
 new file mode 100644
-index 0000000000..d973d8300c
+index 0000000000..2a860f11a1
 --- /dev/null
 +++ b/migration/savevm-async.c
-@@ -0,0 +1,586 @@
+@@ -0,0 +1,597 @@
 +#include "qemu/osdep.h"
 +#include "migration/channel-savevm-async.h"
 +#include "migration/migration.h"
@@ -204,7 +205,8 @@ index 0000000000..d973d8300c
 +    int state;
 +    Error *error;
 +    Error *blocker;
-+    int vm_needs_start;
++    bool vm_needs_start;
++    bool skip_vm_start;
 +    QEMUFile *file;
 +    int64_t total_time;
 +    QEMUBH *finalize_bh;
@@ -219,6 +221,10 @@ index 0000000000..d973d8300c
 +        snap_state.state == SAVE_STATE_ERROR;
 +}
 +
++static bool should_skip_vm_start(void) {
++    return snap_state.state == SAVE_STATE_COMPLETED && snap_state.skip_vm_start;
++}
++
 +SaveVMInfo *qmp_query_savevm(Error **errp)
 +{
 +    SaveVMInfo *info = g_malloc0(sizeof(*info));
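Review bot: the opening brace of should_skip_vm_start() sits on the signature line, while qmp_query_savevm() directly below it in this hunk puts the brace on its own line, as QEMU's coding style asks for function definitions. Please move the brace down. A one-line comment would also help here, stating that the skip applies only when the state is SAVE_STATE_COMPLETED, so that any other end state still resumes the guest.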
@@ -380,7 +386,9 @@ index 0000000000..d973d8300c
 +                            snap_state.state);
 +    }
 +    if (snap_state.vm_needs_start) {
-+        vm_start();
++        if (!should_skip_vm_start()) {
++            vm_start();
++        }
 +        snap_state.vm_needs_start = false;
 +    }
 +
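Review bot: the skip decision inside the "if (snap_state.vm_needs_start)" block reads snap_state.state at the moment this block runs, so it is only correct if the state has already been moved to SAVE_STATE_COMPLETED before this point. The visible context does not show where the state is set relative to this block, so a short comment naming that ordering requirement would protect against later reordering. Note also that vm_needs_start is cleared whether or not vm_start() ran, so after a skipped start nothing on the QEMU side resumes the guest; the changelog should state that the caller is expected to follow up itself.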
@@ -490,7 +498,8 @@ index 0000000000..d973d8300c
 +    }
 +}
 +
-+void qmp_savevm_start(const char *statefile, Error **errp)
++void qmp_savevm_start(const char *statefile, bool has_skip_vm_start,
++                      bool skip_vm_start, Error **errp)
 +{
 +    Error *local_err = NULL;
 +    MigrationState *ms = migrate_get_current();
@@ -514,6 +523,7 @@ index 0000000000..d973d8300c
 +    snap_state.total_time = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
 +    snap_state.blocker = NULL;
 +    snap_state.target_close_wait = (QemuCoSleep){ .to_wake = NULL };
++    snap_state.skip_vm_start = has_skip_vm_start && skip_vm_start;
 +
 +    if (snap_state.error) {
 +        error_free(snap_state.error);
@@ -657,7 +667,9 @@ index 0000000000..d973d8300c
 +    }
 +
 +    if (snap_state.vm_needs_start) {
-+        vm_start();
++        if (!should_skip_vm_start()) {
++            vm_start();
++        }
 +        snap_state.vm_needs_start = false;
 +    }
 +
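Review bot: this is the same three-line guard around vm_start() as in the earlier hunk, now duplicated in a second exit path. Folding "check vm_needs_start, honour should_skip_vm_start(), clear vm_needs_start" into one small static helper (name up to the author) would keep the two paths from diverging when one of them is touched later.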
@@ -737,7 +749,7 @@ index 0000000000..d973d8300c
 +    return ret;
 +}
 diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
-index bc26b39d70..cbedf13103 100644
+index bc26b39d70..e7afe15e97 100644
 --- a/monitor/hmp-cmds.c
 +++ b/monitor/hmp-cmds.c
 @@ -27,6 +27,7 @@
@@ -757,7 +769,7 @@ index bc26b39d70..cbedf13103 100644
 +    Error *errp = NULL;
 +    const char *statefile = qdict_get_try_str(qdict, "statefile");
 +
-+    qmp_savevm_start(statefile, &errp);
++    qmp_savevm_start(statefile, false, false, &errp);
 +    hmp_handle_error(mon, errp);
 +}
 +
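Review bot: the HMP handler hardcodes "false, false" for the two new arguments, so savevm-start issued from the human monitor can never request the new behaviour. That is a reasonable default, but it should be stated in the patch changelog as a deliberate choice, or the option should be exposed as an optional HMP argument as well.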
@@ -838,22 +850,29 @@ index 7134d4ce47..8dc8d52b23 100644
  # @query-migrate:
  #
 diff --git a/qapi/misc.json b/qapi/misc.json
-index 28c641fe2f..5d2f12259a 100644
+index 28c641fe2f..cfa10c849b 100644
 --- a/qapi/misc.json
 +++ b/qapi/misc.json
-@@ -449,6 +449,24 @@
+@@ -449,6 +449,31 @@
  ##
  { 'command': 'query-fdsets', 'returns': ['FdsetInfo'] }
  
 +##
 +# @savevm-start:
 +#
-+# Prepare for snapshot and halt VM.  Save VM state to statefile.
++# Prepare for snapshot and halt VM.  Save VM state to statefile.  When
++# a @statefile is used, then the VM is only halted before completion.
++# Use @query-savevm to check the state of the operation.
 +#
 +# @statefile: target file that state should be written to.
 +#
++# @skip-vm-start: Do not resume the VM after the snapshot is done
++#                 successfully, even if the VM was running before
++#                 snapshot completion.  Useful for hibernation.
++#
 +##
-+{ 'command': 'savevm-start', 'data': { '*statefile': 'str' } }
++{ 'command': 'savevm-start', 'data': { '*statefile': 'str',
++                                       '*skip-vm-start': 'bool' } }
 +
 +##
 +# @savevm-end:
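Review bot: the @skip-vm-start description does not state the default, and it does not say what the flag does when no @statefile is given. Suggest ending it with "(default: false)" and adding one sentence on the no-statefile case. The new sentence "When a @statefile is used, then the VM is only halted before completion" is also hard to parse; if the intent is that the guest keeps running while the state is written and is halted only shortly before the operation completes, please say so in those words.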
diff --git a/debian/patches/pve/0018-PVE-add-optional-buffer-size-to-QEMUFile.patch b/debian/patches/pve/0018-PVE-add-optional-buffer-size-to-QEMUFile.patch
index 4c8bb44560..ab8aac16a5 100644
--- a/debian/patches/pve/0018-PVE-add-optional-buffer-size-to-QEMUFile.patch
+++ b/debian/patches/pve/0018-PVE-add-optional-buffer-size-to-QEMUFile.patch
@@ -184,10 +184,10 @@ index a390554208..eda093b16a 100644
  
  G_DEFINE_AUTOPTR_CLEANUP_FUNC(QEMUFile, qemu_fclose)
 diff --git a/migration/savevm-async.c b/migration/savevm-async.c
-index d973d8300c..edc4c5b6ac 100644
+index 2a860f11a1..f5a4819e27 100644
 --- a/migration/savevm-async.c
 +++ b/migration/savevm-async.c
-@@ -409,7 +409,7 @@ void qmp_savevm_start(const char *statefile, Error **errp)
+@@ -418,7 +418,7 @@ void qmp_savevm_start(const char *statefile, bool has_skip_vm_start,
  
      QIOChannel *ioc = QIO_CHANNEL(qio_channel_savevm_async_new(snap_state.target,
                                                                 &snap_state.bs_pos));
@@ -196,7 +196,7 @@ index d973d8300c..edc4c5b6ac 100644
  
      if (!snap_state.file) {
          error_setg(errp, "failed to open '%s'", statefile);
-@@ -544,7 +544,8 @@ int load_snapshot_from_blockdev(const char *filename, Error **errp)
+@@ -555,7 +555,8 @@ int load_snapshot_from_blockdev(const char *filename, Error **errp)
      bdrv_op_block_all(bs, blocker);
  
      /* restore the VM state */
diff --git a/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch b/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
index 73117a6f3a..a4ac880fa7 100644
--- a/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
+++ b/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
@@ -275,7 +275,7 @@ index f747bc3cb2..7aa0ed1b5a 100644
  # libselinux
  selinux = dependency('libselinux',
 diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
-index cbedf13103..33c1c81b3c 100644
+index e7afe15e97..ce374de2ec 100644
 --- a/monitor/hmp-cmds.c
 +++ b/monitor/hmp-cmds.c
 @@ -25,6 +25,7 @@
diff --git a/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch b/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
index 6bd48361f1..df9f3df96b 100644
--- a/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
+++ b/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
@@ -136,10 +136,10 @@ index b6888daced..80eb0dcd1f 100644
  bool migration_in_postcopy(void);
  bool migration_postcopy_is_alive(MigrationStatus state);
 diff --git a/migration/savevm-async.c b/migration/savevm-async.c
-index edc4c5b6ac..acd1a4de6e 100644
+index f5a4819e27..41376406eb 100644
 --- a/migration/savevm-async.c
 +++ b/migration/savevm-async.c
-@@ -375,7 +375,7 @@ void qmp_savevm_start(const char *statefile, Error **errp)
+@@ -384,7 +384,7 @@ void qmp_savevm_start(const char *statefile, bool has_skip_vm_start,
          return;
      }
  
-- 
2.47.3






* [PATCH qemu v2 2/5] update submodule and patches to QEMU 11.0.2
  2026-06-29 13:54 [PATCH-SERIES qemu/qemu-server v2 0/5] fix #6424: avoid timeout issue for QMP 'quit' for bulk suspend Fiona Ebner
  2026-06-29 13:54 ` [PATCH qemu v2 1/5] async snapshot: allow skipping VM start after successful completion Fiona Ebner
@ 2026-06-29 13:54 ` Fiona Ebner
  2026-06-29 13:54 ` [PATCH qemu-server v2 3/5] fix #6424: increase timeout for QMP 'quit' to 60s to avoid issue with bulk suspend Fiona Ebner
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Fiona Ebner @ 2026-06-29 13:54 UTC (permalink / raw)
  To: pve-devel

Most notably, patches for fixing the deadlock between trim and drain
with IDE/SATA have finally been applied upstream with the following two
commits, so the stop-gap patch "ide: avoid potential deadlock when
draining during trim" can be dropped:
6e5b03431b ide: Minimal fix for deadlock between TRIM and drain
5044ebfad8 ide: Clean up ide_trim_co_entry() to be idiomatic coroutine code

Drop patches that already landed upstream. Note that patch
"block/export/fuse: fix regression when mmap()-ing export with
MAP_SHARED" landed in a slightly different version upstream, so
"block/export/fuse: fix regression with block device export or
growable=off and O_TRUNC" needed a rebase.

Otherwise, there are some minor fixes in x86 and ARM emulation and
migration code, fixes for rare edge cases in the block layer, memory
check improvements in VNC.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---

Changes in v2:
* update to 11.0.2 instead of 11.0.1

 ...d-support-for-sync-bitmap-mode-never.patch |   6 +-
 ...-support-for-conditional-and-always-.patch |   2 +-
 ...-to-bdrv_dirty_bitmap_merge_internal.patch |   2 +-
 .../0006-mirror-move-some-checks-to-qmp.patch |   2 +-
 ...oid-idle-event-loop-being-accounted.patch} |   0
 ...ial-deadlock-when-draining-during-tr.patch | 100 --------------
 ...-fix-regression-with-block-device-e.patch} |  15 +--
 ...k-to-bounce-buffer-if-BLKZEROOUT-is-.patch |  36 -----
 ...fix-decoding-of-MOVBE-and-CRC32-in-1.patch |  84 ------------
 ...-accidentally-autofree-existing-virg.patch |  59 --------
 ...store-IRQ-polling-for-non-kernel-irq.patch |  47 -------
 ...strList-leak-in-x86_cpu_get_unavaila.patch |  36 -----
 ...-missing-PF_INSTR-in-SIGSEGV-context.patch |  43 ------
 ...e_save_state_v-fix-double-error_setg.patch |  46 -------
 ...e-fix-regression-when-mmap-ing-expor.patch |  94 -------------
 ...issing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch |  48 -------
 ...-use-after-free-of-cancelled-request.patch |  82 -----------
 ...ar-tag-byte-when-processing-messages.patch |  40 ------
 ...very-bitmask-with-modified-xAPIC-ids.patch |  63 ---------
 ...aio-bound-ioq_submit-recursion-depth.patch | 127 ------------------
 ...reject-zero-DMA-page-size-capability.patch |  46 -------
 ...-zero-migration-page-size-capability.patch |  44 ------
 ...estrict-dma_map_file-to-shared-RAM-o.patch |  88 ------------
 ...add-the-zeroinit-block-driver-filter.patch |   4 +-
 ...le-posix-make-locking-optiono-on-cre.patch |   6 +-
 ...VE-Backup-add-vma-backup-format-code.patch |   6 +-
 ...ckup-Proxmox-backup-patches-for-QEMU.patch |   6 +-
 ...estore-new-command-to-restore-from-p.patch |   4 +-
 ...k-driver-to-map-backup-archives-into.patch |   8 +-
 ...ct-stderr-to-journal-when-daemonized.patch |   6 +-
 ...igrate-dirty-bitmap-state-via-savevm.patch |   4 +-
 .../0037-block-add-alloc-track-driver.patch   |   4 +-
 .../0038-PVE-backup-add-fleecing-option.patch |   2 +-
 ...ment-backup-access-setup-and-teardow.patch |   2 +-
 ...se-migration-blocker-check-for-snaps.patch |   2 +-
 debian/patches/series                         |  21 +--
 qemu                                          |   2 +-
 37 files changed, 43 insertions(+), 1144 deletions(-)
 rename debian/patches/extra/{0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch => 0002-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch} (100%)
 delete mode 100644 debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
 rename debian/patches/extra/{0012-block-export-fuse-fix-regression-with-block-device-e.patch => 0003-block-export-fuse-fix-regression-with-block-device-e.patch} (71%)
 delete mode 100644 debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
 delete mode 100644 debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
 delete mode 100644 debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
 delete mode 100644 debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
 delete mode 100644 debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
 delete mode 100644 debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
 delete mode 100644 debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
 delete mode 100644 debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
 delete mode 100644 debian/patches/extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch
 delete mode 100644 debian/patches/extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch
 delete mode 100644 debian/patches/extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch
 delete mode 100644 debian/patches/extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch
 delete mode 100644 debian/patches/extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch
 delete mode 100644 debian/patches/extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch
 delete mode 100644 debian/patches/extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch
 delete mode 100644 debian/patches/extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch

diff --git a/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch b/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
index 8f196da9e2..0fb45d16e0 100644
--- a/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
+++ b/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
@@ -38,7 +38,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  5 files changed, 135 insertions(+), 21 deletions(-)
 
 diff --git a/block/mirror.c b/block/mirror.c
-index 2fcded9e93..f34b5fe733 100644
+index 089856f4a8..e6f645e0f2 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
 @@ -74,6 +74,8 @@ typedef struct MirrorBlockJob {
@@ -333,7 +333,7 @@ index e7c8f1a856..d5aa68caeb 100644
                    BlockdevOnError on_source_error,
                    BlockdevOnError on_target_error,
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 508b081ac1..496118bdc7 100644
+index 0efd51787b..50a0af3569 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -2280,6 +2280,15 @@
@@ -390,7 +390,7 @@ index 508b081ac1..496118bdc7 100644
              '*buf-size': 'int', '*on-source-error': 'BlockdevOnError',
              '*on-target-error': 'BlockdevOnError',
 diff --git a/tests/unit/test-block-iothread.c b/tests/unit/test-block-iothread.c
-index e26b3be593..396a53a757 100644
+index 5273ff235a..7055d32686 100644
 --- a/tests/unit/test-block-iothread.c
 +++ b/tests/unit/test-block-iothread.c
 @@ -755,8 +755,8 @@ static void test_propagate_mirror(void)
diff --git a/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch b/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
index 2c030dc751..468bd94bc5 100644
--- a/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
+++ b/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
@@ -24,7 +24,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 18 insertions(+), 6 deletions(-)
 
 diff --git a/block/mirror.c b/block/mirror.c
-index f34b5fe733..67d85799f4 100644
+index e6f645e0f2..414737045f 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
 @@ -735,8 +735,6 @@ static int mirror_exit_common(Job *job)
diff --git a/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch b/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch
index faef2cc4b9..5215b95855 100644
--- a/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch
+++ b/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch
@@ -16,7 +16,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 4 insertions(+), 7 deletions(-)
 
 diff --git a/block/mirror.c b/block/mirror.c
-index 67d85799f4..b88e8b4c51 100644
+index 414737045f..0f56ad1f54 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
 @@ -856,8 +856,8 @@ static int mirror_exit_common(Job *job)
diff --git a/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch b/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch
index 9223eefaa5..98c3f7b93d 100644
--- a/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch
+++ b/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch
@@ -21,7 +21,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  3 files changed, 70 insertions(+), 59 deletions(-)
 
 diff --git a/block/mirror.c b/block/mirror.c
-index b88e8b4c51..1e143ccab1 100644
+index 0f56ad1f54..75563e6e75 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
 @@ -1885,31 +1885,13 @@ static BlockJob *mirror_start_job(
diff --git a/debian/patches/extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch b/debian/patches/extra/0002-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
similarity index 100%
rename from debian/patches/extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
rename to debian/patches/extra/0002-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
diff --git a/debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch b/debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
deleted file mode 100644
index 04271fe4fe..0000000000
--- a/debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Tue, 7 Mar 2023 15:03:02 +0100
-Subject: [PATCH] ide: avoid potential deadlock when draining during trim
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The deadlock can happen as follows:
-1. ide_issue_trim is called, and increments the in_flight counter.
-2. ide_issue_trim_cb calls blk_aio_pdiscard.
-3. Somebody else starts draining (e.g. backup to insert the cbw node).
-4. ide_issue_trim_cb is called as the completion callback for
-   blk_aio_pdiscard.
-5. ide_issue_trim_cb issues yet another blk_aio_pdiscard request.
-6. The request is added to the wait queue via blk_wait_while_drained,
-   because draining has been started.
-7. Nobody ever decrements the in_flight counter and draining can't
-   finish. This would be done by ide_trim_bh_cb, which is called after
-   ide_issue_trim_cb has issued its last request, but
-   ide_issue_trim_cb is not called anymore, because it's the
-   completion callback of blk_aio_pdiscard, which waits on draining.
-
-Quoting Hanna Czenczek:
-> The point of 7e5cdb345f was that we need any in-flight count to
-> accompany a set s->bus->dma->aiocb. While blk_aio_pdiscard() is
-> happening, we don’t necessarily need another count. But we do need
-> it while there is no blk_aio_pdiscard().
-> ide_issue_trim_cb() returns in two cases (and, recursively through
-> its callers, leaves s->bus->dma->aiocb set):
-> 1. After calling blk_aio_pdiscard(), which will keep an in-flight
->    count,
-> 2. After calling replay_bh_schedule_event() (i.e.
->    qemu_bh_schedule()), which does not keep an in-flight count.
-
-Thus, even after moving the blk_inc_in_flight to above the
-replay_bh_schedule_event call, the invariant "ide_issue_trim_cb
-returns with an accompanying in-flight count" is still satisfied.
-
-However, the issue 7e5cdb345f fixed for canceling resurfaces, because
-ide_cancel_dma_sync assumes that it just needs to drain once. But now
-the in_flight count is not consistently > 0 during the trim operation.
-So, change it to drain until !s->bus->dma->aiocb, which means that the
-operation finished (s->bus->dma->aiocb is cleared by ide_set_inactive
-via the ide_dma_cb when the end of the transfer is reached).
-
-Discussion here:
-https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg02506.html
-
-Fixes: 7e5cdb345f ("ide: Increment BB in-flight counter for TRIM BH")
-Suggested-by: Hanna Czenczek <hreitz@redhat.com>
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/ide/core.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 7a15d6cac9..db44d83f57 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -456,7 +456,7 @@ static void ide_trim_bh_cb(void *opaque)
-     iocb->bh = NULL;
-     qemu_aio_unref(iocb);
- 
--    /* Paired with an increment in ide_issue_trim() */
-+    /* Paired with an increment in ide_issue_trim_cb() */
-     blk_dec_in_flight(blk);
- }
- 
-@@ -516,6 +516,8 @@ static void ide_issue_trim_cb(void *opaque, int ret)
- done:
-     iocb->aiocb = NULL;
-     if (iocb->bh) {
-+        /* Paired with a decrement in ide_trim_bh_cb() */
-+        blk_inc_in_flight(s->blk);
-         replay_bh_schedule_event(iocb->bh);
-     }
- }
-@@ -528,9 +530,6 @@ BlockAIOCB *ide_issue_trim(
-     IDEDevice *dev = s->unit ? s->bus->slave : s->bus->master;
-     TrimAIOCB *iocb;
- 
--    /* Paired with a decrement in ide_trim_bh_cb() */
--    blk_inc_in_flight(s->blk);
--
-     iocb = blk_aio_get(&trim_aiocb_info, s->blk, cb, cb_opaque);
-     iocb->s = s;
-     iocb->bh = qemu_bh_new_guarded(ide_trim_bh_cb, iocb,
-@@ -754,8 +753,9 @@ void ide_cancel_dma_sync(IDEState *s)
-      */
-     if (s->bus->dma->aiocb) {
-         trace_ide_cancel_dma_sync_remaining();
--        blk_drain(s->blk);
--        assert(s->bus->dma->aiocb == NULL);
-+        while (s->bus->dma->aiocb) {
-+            blk_drain(s->blk);
-+        }
-     }
- }
- 
diff --git a/debian/patches/extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch b/debian/patches/extra/0003-block-export-fuse-fix-regression-with-block-device-e.patch
similarity index 71%
rename from debian/patches/extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch
rename to debian/patches/extra/0003-block-export-fuse-fix-regression-with-block-device-e.patch
index 121e5712cd..37999ac6d4 100644
--- a/debian/patches/extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch
+++ b/debian/patches/extra/0003-block-export-fuse-fix-regression-with-block-device-e.patch
@@ -17,20 +17,19 @@ growable=off and/or a block device based export for setting the flag.
 
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
- block/export/fuse.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ block/export/fuse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/block/export/fuse.c b/block/export/fuse.c
-index ef381fd844..7a7386c904 100644
+index c0e8dfb643..8430c73293 100644
 --- a/block/export/fuse.c
 +++ b/block/export/fuse.c
-@@ -816,7 +816,8 @@ static ssize_t coroutine_fn GRAPH_RDLOCK
+@@ -856,7 +856,7 @@ static ssize_t coroutine_fn GRAPH_RDLOCK
  fuse_co_init(FuseExport *exp, struct fuse_init_out *out,
               const struct fuse_init_in *in)
  {
--    const uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO | FUSE_INIT_EXT;
-+    const uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO
-+        | FUSE_INIT_EXT | FUSE_ATOMIC_O_TRUNC;
-     const uint32_t supported_flags2 = (FUSE_DIRECT_IO_ALLOW_MMAP >> 32);
+-    uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO;
++    uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO | FUSE_ATOMIC_O_TRUNC;
+     uint32_t flags2 = 0;
  
      if (in->major != 7) {
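Review bot: The rebased `uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO | FUSE_ATOMIC_O_TRUNC;` line in the fuse_co_init() hunk is 86 columns wide, while the previous revision of this carried patch wrapped the initializer onto a second line. Wrapping it again, with `| FUSE_ATOMIC_O_TRUNC;` on a continuation line, keeps the patch under the 80-column limit that QEMU's checkpatch warns about; the diffstat above would then read 2 insertions and 1 deletion again.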
diff --git a/debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch b/debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
deleted file mode 100644
index 5d7020a11f..0000000000
--- a/debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Mon, 5 Jan 2026 13:36:20 +0100
-Subject: [PATCH] block/io: fallback to bounce buffer if BLKZEROOUT is not
- supported because of alignment
-
-Commit 5634622bcb ("file-posix: allow BLKZEROOUT with -t writeback")
-enables the BLKZEROOUT ioctl when using 'writeback' cache, regressing
-certain 'qemu-img convert' invocations, because of a pre-existing
-issue. Namely, the BLKZEROOUT ioctl might fail with errno EINVAL when
-the request is shorter than the block size of the block device.
-Fallback to the bounce buffer, similar to when the ioctl is not
-supported at all, rather than treating such an error as fatal.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3257
-Resolves: https://bugzilla.proxmox.com/show_bug.cgi?id=7197
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- block/io.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/block/io.c b/block/io.c
-index e8fb4ede4d..82e3383e8d 100644
---- a/block/io.c
-+++ b/block/io.c
-@@ -1918,7 +1918,8 @@ bdrv_co_do_pwrite_zeroes(BlockDriverState *bs, int64_t offset, int64_t bytes,
-             assert(!bs->supported_zero_flags);
-         }
- 
--        if (ret == -ENOTSUP && !(flags & BDRV_REQ_NO_FALLBACK)) {
-+        if ((ret == -ENOTSUP || (ret == -EINVAL && num < alignment)) &&
-+            !(flags & BDRV_REQ_NO_FALLBACK)) {
-             /* Fall back to bounce buffer if write zeroes is unsupported */
-             BdrvRequestFlags write_flags = flags & ~BDRV_REQ_ZERO_WRITE;
- 
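Review bot: The removed 0003 patch has no "(cherry picked from commit ...)" trailer, only `Cc: qemu-stable@nongnu.org` and the two Resolves links, so nothing in this hunk shows that the `ret == -EINVAL && num < alignment` fallback in bdrv_co_do_pwrite_zeroes() is part of the new base. Please name the upstream commit that supersedes it in the commit message, since dropping the patch without that change in the base would bring back the 'qemu-img convert' failure tracked in Proxmox bug 7197.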
diff --git a/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch b/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
deleted file mode 100644
index 9874c26972..0000000000
--- a/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 31 Mar 2026 08:32:23 +0200
-Subject: [PATCH] target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit
- mode
-
-Table A-4 of the SDM shows
-
-                    F0                     F1
---------------------------------------------------------
-     NP           MOVBE Gy,My           MOVBE My,Gy
-     66           MOVBE Gw,Mw           MOVBW Mw,Gw
-     F2           CRC32 Gd,Eb           CRC32 Gd,Ey
-  66+F2           CRC32 Gd,Eb           CRC32 Gd,Ew
-
-However, this is incorrect.  Both MOVBE and (for 0xF1) CRC32
-take Gv, Ev or Mv operands.  In 16-bit mode therefore the
-operand is of 16-bit size without prefix and 32-bit mode
-with 0x66 (the data size override).
-
-For example, with NASM you get:
-
-                                 bits 16
-   67 0F 38 F0 02                movbe ax, [edx]
-   66 67 0F 38 F0 02             movbe eax, [edx]
-
-   67 F2 0F 38 F1 02             crc32 ax, word [edx]
-   66 67 F2 0F 38 F1 02          crc32 eax, dword [edx]
-
-versus
-
-                                 bits 32
-   66 0F 38 F0 02                movbe ax, [edx]
-   0F 38 F0 02                   movbe eax, [edx]
-
-   66 F2 0F 38 F1 02             crc32 eax, word [edx]
-   F2 0F 38 F1 02                crc32 eax, dword [edx]
-
-The instruction is listed correctly in the APX documentation
-as "SCALABLE" (which means it has v-size operands).
-
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 76ad26dd172d27aae9f1e76d1165b497167c36c2)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/decode-new.c.inc | 16 ++++++++++------
- 1 file changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.c.inc
-index bc105aab9e..c8b5bd6ad2 100644
---- a/target/i386/tcg/decode-new.c.inc
-+++ b/target/i386/tcg/decode-new.c.inc
-@@ -875,19 +875,23 @@ static const X86OpEntry opcodes_0F38_00toEF[240] = {
- 
- /* five rows for no prefix, 66, F3, F2, 66+F2  */
- static const X86OpEntry opcodes_0F38_F0toFF[16][5] = {
-+    /*
-+     * MOVBE and CRC32 are incorrectly listed as always doing 32-bit operation
-+     * without prefix and 16-bit operation with 0x66.
-+     */
-     [0] = {
--        X86_OP_ENTRYwr(MOVBE, G,y, M,y, cpuid(MOVBE)),
--        X86_OP_ENTRYwr(MOVBE, G,w, M,w, cpuid(MOVBE)),
-+        X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)),
-+        X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)),
-         {},
-         X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)),
-         X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)),
-     },
-     [1] = {
--        X86_OP_ENTRYwr(MOVBE, M,y, G,y, cpuid(MOVBE)),
--        X86_OP_ENTRYwr(MOVBE, M,w, G,w, cpuid(MOVBE)),
-+        X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)),
-+        X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)),
-         {},
--        X86_OP_ENTRY2(CRC32, G,d, E,y, cpuid(SSE42)),
--        X86_OP_ENTRY2(CRC32, G,d, E,w, cpuid(SSE42)),
-+        X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)),
-+        X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)),
-     },
-     [2] = {
-         X86_OP_ENTRY3(ANDN, G,y, B,y, E,y, vex13 cpuid(BMI1)),
diff --git a/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch b/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
deleted file mode 100644
index b8f224e9be..0000000000
--- a/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
-Date: Fri, 17 Apr 2026 13:27:03 +0100
-Subject: [PATCH] hw/display: don't accidentally autofree existing virgl
- resources
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-While sanity checking a create blob operation the use of the auto
-freed res variable could lead to inadvertently freeing an existing
-blob.
-
-Avoid this by in-lining the virtio_gpu_virgl_find_resource() check as
-the value is not needed anyway.
-
-While at it add a comment to the end and use g_steal_pointer to make
-it clearer the object lifetime exceeds the function bounds if we pass
-all the checks.
-
-Fixes: CVE-2026-6502
-Fixes: 7c092f17cce (virtio-gpu: Handle resource blob commands)
-Message-ID: 20260417094443.785462-1-alex.bennee@linaro.org
-Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
-Cc: qemu-stable@nongnu.org
-Message-ID: <20260417122703.845442-1-alex.bennee@linaro.org>
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
-(cherry picked from commit 30fad722ce68316d22b926ba0e6017f0440465df)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/display/virtio-gpu-virgl.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c
-index b7a2d160dd..add85bd4e6 100644
---- a/hw/display/virtio-gpu-virgl.c
-+++ b/hw/display/virtio-gpu-virgl.c
-@@ -830,8 +830,7 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g,
-         return;
-     }
- 
--    res = virtio_gpu_virgl_find_resource(g, cblob.resource_id);
--    if (res) {
-+    if (virtio_gpu_virgl_find_resource(g, cblob.resource_id)) {
-         qemu_log_mask(LOG_GUEST_ERROR, "%s: resource already exists %d\n",
-                       __func__, cblob.resource_id);
-         cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID;
-@@ -884,8 +883,9 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g,
- 
-     res->base.dmabuf_fd = info.fd;
- 
-+    /* Now live, cleaned up in virtio_gpu_virgl_resource_unref */
-     QTAILQ_INSERT_HEAD(&g->reslist, &res->base, next);
--    res = NULL;
-+    g_steal_pointer(&res);
- }
- 
- static void virgl_cmd_resource_map_blob(VirtIOGPU *g,
diff --git a/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch b/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
deleted file mode 100644
index 88f899f85f..0000000000
--- a/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: rickgcn <rickgcn@gmail.com>
-Date: Sat, 18 Apr 2026 14:14:29 +0800
-Subject: [PATCH] hw: i386: vapic: restore IRQ polling for non-kernel irqchip
- backends
-
-69dfc078 extended vAPIC handling for WHPX with user-mode irqchip, but it
-also changed vapic_write() case 4 in a way that excludes TCG from
-apic_poll_irq().
-
-Before that change, IRQ polling happened whenever no in-kernel irqchip
-was active. After the change, it only happened for KVM or WHPX with a
-user-mode irqchip. Under TCG, both kvm_enabled() and whpx_enabled() are
-false, so the poll never happens.
-
-This regresses 32-bit Windows XP guests on a Windows host with
--machine pc-i440fx-10.0,accel=tcg, causing a STOP 0x0000000A during boot.
-
-Fix it by making the decision depend on whether KVM or WHPX is using an
-in-kernel irqchip, instead of whether either accelerator is enabled.
-
-Fixes: 69dfc078a6f0 ("hw: i386: vapic: enable on WHPX with user-mode irqchip")
-
-Signed-off-by: rickgcn <rickgcn@gmail.com>
-Link: https://lore.kernel.org/r/20260418061429.16898-1-rickgcn@gmail.com
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit c906c2337058bd467e6ac0176c2966d1eeb6f8f5)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/i386/vapic.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/hw/i386/vapic.c b/hw/i386/vapic.c
-index 41e5ca26df..1acb9f91b2 100644
---- a/hw/i386/vapic.c
-+++ b/hw/i386/vapic.c
-@@ -716,8 +716,7 @@ static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
-         break;
-     default:
-     case 4:
--        if ((kvm_enabled() && !kvm_irqchip_in_kernel())
--          || (whpx_enabled() && !whpx_irqchip_in_kernel())) {
-+        if (!kvm_irqchip_in_kernel() && !whpx_irqchip_in_kernel()) {
-             apic_poll_irq(cpu->apic_state);
-         }
-         break;
diff --git a/debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch b/debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
deleted file mode 100644
index a9975bbb3b..0000000000
--- a/debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Mon, 13 Apr 2026 16:50:40 +0400
-Subject: [PATCH] target/i386: fix strList leak in
- x86_cpu_get_unavailable_features
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The result list built by x86_cpu_list_feature_names() was never freed
-after being visited, causing a memory leak detected by ASan.
-(the getter visitor is VISITOR_OUTPUT kind and doesn't own data)
-
-Fixes: 506174bf8219 ("i386: "unavailable-features" QOM property")
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Link: https://lore.kernel.org/r/20260413125040.3842686-1-marcandre.lureau@redhat.com
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 87e1226e6f6844845ac407d50198d84205e7ed7f)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/cpu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index c6fd1dc00e..9d126600c0 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -7842,6 +7842,7 @@ static void x86_cpu_get_unavailable_features(Object *obj, Visitor *v,
- 
-     x86_cpu_list_feature_names(xc->filtered_features, &result);
-     visit_type_strList(v, "unavailable-features", &result, errp);
-+    qapi_free_strList(result);
- }
- 
- /* Print all cpuid feature names in featureset
diff --git a/debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch b/debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
deleted file mode 100644
index dfa3f4c20a..0000000000
--- a/debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Simon Scherer <scherer.simon89@gmail.com>
-Date: Mon, 13 Apr 2026 13:56:22 +0200
-Subject: [PATCH] target/i386: fix missing PF_INSTR in SIGSEGV context
-
-When running linux-user emulation, the SIGSEGV handler does not
-correctly set the 4th bit (PF_INSTR) in the error_code variable of
-the context argument (context->uc_mcontext.gregs[REG_ERR]).
-
-Because this bit is never set, guest applications cannot distinguish
-if a fault was due to missing executable permissions. This patch
-ensures that when a page fault occurs during an instruction fetch,
-the PF_INSTR flag is properly populated in the signal context.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3384
-Signed-off-by: Simon Scherer <scherer.simon89@gmail.com>
-Link: https://lore.kernel.org/r/20260413115622.160212-1-scherer.simon89@gmail.com
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 3eae91a8b93a35f194a39ab5b894ae405def9270)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/user/excp_helper.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/target/i386/tcg/user/excp_helper.c b/target/i386/tcg/user/excp_helper.c
-index 98fab4cbc3..6c5df5e0e8 100644
---- a/target/i386/tcg/user/excp_helper.c
-+++ b/target/i386/tcg/user/excp_helper.c
-@@ -36,9 +36,10 @@ void x86_cpu_record_sigsegv(CPUState *cs, vaddr addr,
-      * signal and set exception_index to EXCP_INTERRUPT.
-      */
-     env->cr[2] = addr;
--    env->error_code = ((access_type == MMU_DATA_STORE) << PG_ERROR_W_BIT)
--                    | (maperr ? 0 : PG_ERROR_P_MASK)
--                    | PG_ERROR_U_MASK;
-+    env->error_code = (maperr ? 0 : PG_ERROR_P_MASK)
-+                    | ((access_type == MMU_DATA_STORE) << PG_ERROR_W_BIT)
-+                    | PG_ERROR_U_MASK
-+                    | ((access_type == MMU_INST_FETCH) ? PG_ERROR_I_D_MASK : 0);
-     cs->exception_index = EXCP0E_PAGE;
- 
-     /* Disable do_interrupt_user. */
diff --git a/debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch b/debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
deleted file mode 100644
index a4faa8635c..0000000000
--- a/debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
-Date: Thu, 5 Mar 2026 00:22:45 +0300
-Subject: [PATCH] migration: vmstate_save_state_v: fix double error_setg
-
-We may call error_setg twice on same errp if inner
-vmstate_save_state_v() or vmstate_save_state() call fails. Next we will
-crash on assertion in error_setv().
-
-Fixes: 848a0503422d043 "migration: Update error description outside migration.c"
-Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
-Reviewed-by: Fabiano Rosas <farosas@suse.de>
-Reviewed-by: Peter Xu <peterx@redhat.com>
-Link: https://lore.kernel.org/qemu-devel/20260304212303.667141-2-vsementsov@yandex-team.ru
-Signed-off-by: Fabiano Rosas <farosas@suse.de>
-(cherry picked from commit d41ce10d0f5a3d6e497e4b75807a8e675033c597)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- migration/vmstate.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/migration/vmstate.c b/migration/vmstate.c
-index 4d28364f7b..fccd030dfd 100644
---- a/migration/vmstate.c
-+++ b/migration/vmstate.c
-@@ -539,6 +539,9 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDescription *vmsd,
-                 } else {
-                     ret = inner_field->info->put(f, curr_elem, size,
-                                                  inner_field, vmdesc_loop);
-+                    if (ret < 0) {
-+                        error_setg(errp, "put failed");
-+                    }
-                 }
- 
-                 written_bytes = qemu_file_transferred(f) - old_offset;
-@@ -551,8 +554,8 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDescription *vmsd,
-                 }
- 
-                 if (ret) {
--                    error_setg(errp, "Save of field %s/%s failed",
--                                vmsd->name, field->name);
-+                    error_prepend(errp, "Save of field %s/%s failed: ",
-+                                  vmsd->name, field->name);
-                     if (vmsd->post_save) {
-                         vmsd->post_save(opaque);
-                     }
diff --git a/debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch b/debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
deleted file mode 100644
index 71df0416de..0000000000
--- a/debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Tue, 5 May 2026 13:04:29 +0200
-Subject: [PATCH] block/export/fuse: fix regression when mmap()-ing export with
- MAP_SHARED
-
-The swtpm_setup binary will fail accessing a FUSE export from
-qemu-storage-daemon since commit 8599559580 ("fuse: Set direct_io and
-parallel_direct_writes"). It uses mmap() with MAP_SHARED, which fails
-fails when direct IO is used, but the FUSE_DIRECT_IO_ALLOW_MMAP flag
-is not. This is documented behavior [0]. Enable the flag if the kernel
-supports it to fix the regression.
-
-The FUSE_INIT_EXT flag needs to be set to be able to use the flags2
-argument.
-
-This patch bumps the required minimal protocol version to 7.36 for
-availablity of the FUSE_INIT_EXT flag, which is available since kernel
-5.17. A proper upstream submission should try to avoid this.
-Discussion upstream [1].
-
-[0]: https://www.kernel.org/doc/html/next/filesystems/fuse/fuse-io.html
-[1]: https://lore.kernel.org/qemu-devel/e86b82e4-a85d-46d2-bb8f-4e0f59e49a44@proxmox.com/
-
-Fixes: 8599559580 ("fuse: Set direct_io and parallel_direct_writes")
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- block/export/fuse.c | 27 ++++++++-------------------
- 1 file changed, 8 insertions(+), 19 deletions(-)
-
-diff --git a/block/export/fuse.c b/block/export/fuse.c
-index a2a478d293..ef381fd844 100644
---- a/block/export/fuse.c
-+++ b/block/export/fuse.c
-@@ -51,23 +51,11 @@
- #define FUSE_MAX_READ_BYTES (MIN(BDRV_REQUEST_MAX_BYTES, 1 * 1024 * 1024))
- #define FUSE_MAX_WRITE_BYTES (64 * 1024)
- 
--/*
-- * fuse_init_in structure before 7.36.  We don't need the flags2 field added
-- * there, so we can work with the smaller older structure to stay compatible
-- * with older kernels.
-- */
--struct fuse_init_in_compat {
--    uint32_t major;
--    uint32_t minor;
--    uint32_t max_readahead;
--    uint32_t flags;
--};
--
- typedef struct FuseRequestInHeader {
-     struct fuse_in_header common;
-     /* All supported requests */
-     union {
--        struct fuse_init_in_compat init;
-+        struct fuse_init_in init;
-         struct fuse_open_in open;
-         struct fuse_setattr_in setattr;
-         struct fuse_read_in read;
-@@ -826,9 +814,10 @@ static bool is_regular_file(const char *path, Error **errp)
-  */
- static ssize_t coroutine_fn GRAPH_RDLOCK
- fuse_co_init(FuseExport *exp, struct fuse_init_out *out,
--             const struct fuse_init_in_compat *in)
-+             const struct fuse_init_in *in)
- {
--    const uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO;
-+    const uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO | FUSE_INIT_EXT;
-+    const uint32_t supported_flags2 = (FUSE_DIRECT_IO_ALLOW_MMAP >> 32);
- 
-     if (in->major != 7) {
-         error_report("FUSE major version mismatch: We have 7, but kernel has %"
-@@ -836,9 +825,9 @@ fuse_co_init(FuseExport *exp, struct fuse_init_out *out,
-         return -EINVAL;
-     }
- 
--    /* 2007's 7.9 added fuse_attr.blksize; working around that would be hard */
--    if (in->minor < 9) {
--        error_report("FUSE minor version too old: 9 required, but kernel has %"
-+    /* Kernel 5.17's 7.36 protocol version added FUSE_INIT_EXT */
-+    if (in->minor < 36) {
-+        error_report("FUSE minor version too old: 36 required, but kernel has %"
-                      PRIu32, in->minor);
-         return -EINVAL;
-     }
-@@ -849,7 +838,7 @@ fuse_co_init(FuseExport *exp, struct fuse_init_out *out,
-         .max_readahead = in->max_readahead,
-         .max_write = FUSE_MAX_WRITE_BYTES,
-         .flags = in->flags & supported_flags,
--        .flags2 = 0,
-+        .flags2 = in->flags2 & supported_flags2,
- 
-         /* libfuse maximum: 2^16 - 1 */
-         .max_background = UINT16_MAX,
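Review bot: Dropping 0011 needs a named upstream replacement, because the patch's own message says a proper upstream submission should avoid the 7.36 minimum and only links a list discussion, with no commit id to check. The rebased context of the renamed 0003 patch now shows `uint32_t flags2 = 0;` in fuse_co_init(), which suggests the base handles flags2 itself; the commit message should cite the change that enables FUSE_DIRECT_IO_ALLOW_MMAP so that the swtpm_setup MAP_SHARED case is known to stay covered.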
diff --git a/debian/patches/extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch b/debian/patches/extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch
deleted file mode 100644
index 7f00682227..0000000000
--- a/debian/patches/extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Tue, 26 May 2026 11:49:57 -0400
-Subject: [PATCH] virtio-blk: add missing VIRTIO_BLK_T_SCSI_CMD size check
- (CVE-2026-48914)
-
-Check that the iovec containing struct virtio_scsi_inhdr is large enough
-before storing an error value there.
-
-Feifan Qian <bea1e@proton.me> pointed out that this can be used to
-corrupt heap memory when the descriptor uses an MMIO address and a
-length of 1, forcing QEMU to allocate a 1-byte heap bounce buffer.
-virtio_stl_p() stores 4 bytes and therefore corrupts whatever is beyond
-the bounce buffer.
-
-Fixes: CVE-2026-48914
-Fixes: f34e73cd69bd ("virtio-blk: report non-zero status when failing SG_IO requests")
-Reported-by: Feifan Qian <bea1e@proton.me>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(pick from: https://lore.kernel.org/qemu-devel/20260526154957.1741622-1-stefanha@redhat.com)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/block/virtio-blk.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
-index 9cb9f1fb2b..6b92066aff 100644
---- a/hw/block/virtio-blk.c
-+++ b/hw/block/virtio-blk.c
-@@ -199,10 +199,16 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
- 
-     /*
-      * The scsi inhdr is placed in the second-to-last input segment, just
--     * before the regular inhdr.
-+     * before the regular inhdr. VIRTIO implementations normally do not rely on
-+     * the precise message framing, but legacy implementations did and so we do
-+     * too for the legacy virtio-blk SCSI request type.
-      *
-      * Just put anything nonzero so that the ioctl fails in the guest.
-      */
-+    if (elem->in_sg[elem->in_num - 2].iov_len != sizeof(*scsi)) {
-+        status = VIRTIO_BLK_S_IOERR;
-+        goto fail;
-+    }
-     scsi = (void *)elem->in_sg[elem->in_num - 2].iov_base;
-     virtio_stl_p(vdev, &scsi->errors, 255);
-     status = VIRTIO_BLK_S_UNSUPP;
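Review bot: The CVE-2026-48914 fix removed here was taken from a list posting (the "pick from:" lore link) rather than from a commit, so there is no commit id to match against the new base. Please confirm that the base contains the `iov_len != sizeof(*scsi)` check ahead of `virtio_stl_p(vdev, &scsi->errors, 255)` in virtio_blk_handle_scsi() and cite the commit in the message; without it, the 4-byte store into an undersized bounce buffer described in the patch is possible again.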
diff --git a/debian/patches/extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch b/debian/patches/extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch
deleted file mode 100644
index 3bf65cb920..0000000000
--- a/debian/patches/extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Fri, 15 May 2026 11:01:00 +0200
-Subject: [PATCH] lsi53c895a: fix use-after-free of cancelled request
-
-When processing the Message Out phase, the lsi53c895a controller
-can cancel a request and the continue by processing more messages.
-When this happens, it is important that a cancelled request is not
-processed further, because scsi_req_cancel can cause the request
-to be freed.
-
-Right now this is happening in two cases, but not when cancelling
-the entire queue of requests after an ABORT, CLEAR QUEUE or
-BUS DEVICE RESET message.  In that case, a subsequent ABORT TAG
-message can use a dangling current_req.
-
-There are three possible fixes:
-
-- add a missing check inside the loop, clearing current_req
-  if p->req == current_req.  This is obvious but complicates the
-  code inside the foreach loop.
-
-- change the conditional prior to the loop from "if (s->current)"
-  to "if (current_req)".  This would work, because s->current != NULL
-  implies current_req != NULL, and would clear current_req correctly.
-  However it is less obvious because the point of the code
-  is to clear the entire queue, which consists of s->current
-  and s->queue; current_req is not special here.
-
-- delay the retrieval of current_req until an ABORT TAG message
-  is seen.  This is the most correct option, because the SCSI
-  protocol only deals with tags; requests are a QEMU concept
-  that only makes sense for the purpose of calling into the
-  SCSI layer.
-
-Reported-by: Wei Che Kao <skps96g313.cs10@gmail.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 5297a0fc65317ba7f79ef44ce7a44e41d15fdb27)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/scsi/lsi53c895a.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
-index 54123f7757..0843d325ab 100644
---- a/hw/scsi/lsi53c895a.c
-+++ b/hw/scsi/lsi53c895a.c
-@@ -1000,10 +1000,8 @@ static void lsi_do_msgout(LSIState *s)
- 
-     if (s->current) {
-         current_tag = s->current->tag;
--        current_req = s->current;
-     } else {
-         current_tag = s->select_tag;
--        current_req = lsi_find_by_tag(s, current_tag);
-     }
- 
-     trace_lsi_do_msgout(s->dbc);
-@@ -1058,9 +1056,13 @@ static void lsi_do_msgout(LSIState *s)
-         case 0x0d:
-             /* The ABORT TAG message clears the current I/O process only. */
-             trace_lsi_do_msgout_abort(current_tag);
-+            if (s->current) {
-+                current_req = s->current;
-+            } else {
-+                current_req = lsi_find_by_tag(s, current_tag);
-+            }
-             if (current_req && current_req->req) {
-                 scsi_req_cancel(current_req->req);
--                current_req = NULL;
-             }
-             lsi_disconnect(s);
-             break;
-@@ -1086,7 +1088,6 @@ static void lsi_do_msgout(LSIState *s)
-             /* clear the current I/O process */
-             if (s->current) {
-                 scsi_req_cancel(s->current->req);
--                current_req = NULL;
-             }
- 
-             /* As the current implemented devices scsi_disk and scsi_generic
diff --git a/debian/patches/extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch b/debian/patches/extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch
deleted file mode 100644
index 2581b191f7..0000000000
--- a/debian/patches/extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Fri, 15 May 2026 11:08:28 +0200
-Subject: [PATCH] lsi53c895a: clear tag byte when processing messages
-
-Instead of simply ORing the message byte, clear what
-was there before.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 4494dec8c2bfd8a5d9b1eabe4a26ab850a4f6700)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/scsi/lsi53c895a.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
-index 0843d325ab..1b7f02fc7c 100644
---- a/hw/scsi/lsi53c895a.c
-+++ b/hw/scsi/lsi53c895a.c
-@@ -1041,16 +1041,19 @@ static void lsi_do_msgout(LSIState *s)
-             }
-             break;
-         case 0x20: /* SIMPLE queue */
-+            s->select_tag &= ~0xff;
-             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
-             trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff);
-             break;
-         case 0x21: /* HEAD of queue */
-             qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n");
-+            s->select_tag &= ~0xff;
-             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
-             break;
-         case 0x22: /* ORDERED queue */
-             qemu_log_mask(LOG_UNIMP,
-                           "lsi_scsi: ORDERED queue not implemented\n");
-+            s->select_tag &= ~0xff;
-             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
-             break;
-         case 0x0d:
diff --git a/debian/patches/extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch b/debian/patches/extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch
deleted file mode 100644
index 14d0cc9f84..0000000000
--- a/debian/patches/extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Fri, 15 May 2026 12:10:22 +0200
-Subject: [PATCH] apic: fix delivery bitmask with modified xAPIC ids
-
-Self-IPIs (or all-but-self IPIs) in QEMU can cause a out-of-bounds access
-to deliver_bitmask, because the access uses the APIC ID register which
-is writable by the guest.  However, foreach_apic uses the delivery
-bitmask indexes to look up the local_apics[] array, which is indexed
-by *initial* APIC id.  Using the right id fixes both a possible heap
-write overflow if the modified APIC id is too large for max_apic_words,
-and a mis-delivery of both self and all-but-self IPIs.
-
-Reported-by: Wei Che Kao <skps96g313.cs10@gmail.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 153dc2fa7bbe0491290d22c4bbb6807074f24260)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/intc/apic.c | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/hw/intc/apic.c b/hw/intc/apic.c
-index 8766ed00b9..ced7df49bd 100644
---- a/hw/intc/apic.c
-+++ b/hw/intc/apic.c
-@@ -648,13 +648,6 @@ static void apic_deliver(APICCommonState *s, uint32_t dest, uint8_t dest_mode,
-     APICCommonState *apic_iter;
-     uint32_t deliver_bitmask_size = max_apic_words * sizeof(uint32_t);
-     g_autofree uint32_t *deliver_bitmask = g_new(uint32_t, max_apic_words);
--    uint32_t current_apic_id;
--
--    if (is_x2apic_mode(s)) {
--        current_apic_id = s->initial_apic_id;
--    } else {
--        current_apic_id = s->id;
--    }
- 
-     switch (dest_shorthand) {
-     case 0:
-@@ -662,14 +655,20 @@ static void apic_deliver(APICCommonState *s, uint32_t dest, uint8_t dest_mode,
-         break;
-     case 1:
-         memset(deliver_bitmask, 0x00, deliver_bitmask_size);
--        apic_set_bit(deliver_bitmask, current_apic_id);
-+        /*
-+         * The self and all-but-self cases do not use apic_match_dest() and
-+         * directly fill in deliver_bitmask; the bitmask's indexes in turn
-+         * map to local_apics[] slots which are never changed even if the
-+         * xAPIC id is modified.  So use s->initial_apic_id instead of s->id.
-+         */
-+        apic_set_bit(deliver_bitmask, s->initial_apic_id);
-         break;
-     case 2:
-         memset(deliver_bitmask, 0xff, deliver_bitmask_size);
-         break;
-     case 3:
-         memset(deliver_bitmask, 0xff, deliver_bitmask_size);
--        apic_reset_bit(deliver_bitmask, current_apic_id);
-+        apic_reset_bit(deliver_bitmask, s->initial_apic_id);
-         break;
-     }
- 
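Review bot: Dropping 0016 removes the fix for the guest-reachable out-of-bounds access to deliver_bitmask that its commit message describes, so this deletion is only correct if the new qemu submodule commit already contains the upstream change 153dc2fa7bbe0491290d22c4bbb6807074f24260. Nothing in this hunk shows that, and on a stable branch the backport normally has a different hash, so checking for that id as an ancestor is not enough. Please confirm it by searching the submodule log for the subject "apic: fix delivery bitmask with modified xAPIC ids", and note in the commit message that each dropped extra/ patch was checked the same way.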
diff --git a/debian/patches/extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch b/debian/patches/extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch
deleted file mode 100644
index a3810615c2..0000000000
--- a/debian/patches/extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Denis V. Lunev" <den@openvz.org>
-Date: Wed, 20 May 2026 16:25:03 +0200
-Subject: [PATCH] block/linux-aio: bound ioq_submit() recursion depth
-
-qemu_laio_process_completions() wraps its body in defer_call_begin /
-defer_call_end. Inside the section, completion callbacks wake coroutines
-that queue new aiocbs; laio_do_submit() defers laio_deferred_fn. At the
-bottom of qemu_laio_process_completions() the defer_call_end() fires
-laio_deferred_fn, which calls ioq_submit(), closing the cycle:
-
-  ioq_submit
-    -> io_submit(2)                           // some sync completions
-    -> qemu_laio_process_completions          // defer_call_begin
-         -> aio_co_wake                       // resumes coroutine
-              -> laio_do_submit
-                   -> defer_call(laio_deferred_fn, s)   // enqueued
-         -> defer_call_end                    // nesting drops to 0
-              -> laio_deferred_fn
-                   -> ioq_submit              // +1 stack frame, loop
-
-When io_submit(2) returns asynchronously (O_DIRECT) the cycle
-terminates in one extra frame: the fresh aiocb is still in flight, no
-completion is drained, no coroutine wakes, no new submission queues.
-When submissions complete synchronously (non-O_DIRECT, or per-descriptor
-drivers such as vmdk) each level enqueues more work for the next
-defer_call_end() to drain, so recursion grows without bound and QEMU
-crashes with SIGSEGV on the thread guard page.
-
-The cycle was closed by two performance commits, each correct in
-isolation:
-
-  076682885d ("block/linux-aio: convert to blk_io_plug_call() API")
-    -- introduced laio_deferred_fn and wired
-       laio_do_submit -> defer_call(laio_deferred_fn, s).
-
-  84d61e5f36 ("virtio: use defer_call() in virtio_irqfd_notify()")
-    -- added defer_call_begin/end around qemu_laio_process_completions
-       so virtio-irqfd notifications batch across a completion pass.
-
-The supported aio=native + cache=none pairing keeps submissions
-asynchronous, so the cycle stays bounded; nothing in the code enforces
-that contract. Observed in production as a SIGSEGV during a backup job
-configured with --cached + aio=native; reproducible on upstream with
-qemu-io against vmdk.
-
-Cap ioq_submit() recursion with a counter on LaioQueue, which is only
-accessed from the AioContext home thread. On overflow, return without
-submitting. The pending work is drained by s->completion_bh, which
-qemu_laio_process_completions() has already scheduled on entry -- no
-work is lost; one event-loop round-trip of latency is paid only when
-the bound is hit, which cannot happen on a supported configuration.
-
-Signed-off-by: Denis V. Lunev <den@openvz.org>
-CC: Kevin Wolf <kwolf@redhat.com>
-CC: Hanna Reitz <hreitz@redhat.com>
-CC: Stefan Hajnoczi <stefanha@redhat.com>
-CC: Paolo Bonzini <pbonzini@redhat.com>
-Message-ID: <20260520142503.251959-2-den@openvz.org>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(cherry picked from commit 6864bec553b2e37699739615e604fc3c7bae0e1d)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- block/linux-aio.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/block/linux-aio.c b/block/linux-aio.c
-index 0a7424fbb3..5aaf2e8514 100644
---- a/block/linux-aio.c
-+++ b/block/linux-aio.c
-@@ -36,6 +36,19 @@
- /* Maximum number of requests in a batch. (default value) */
- #define DEFAULT_MAX_BATCH 32
- 
-+/*
-+ * Bound on how deep ioq_submit() may recurse on a single LaioQueue via the
-+ * ioq_submit -> qemu_laio_process_completions -> defer_call_end ->
-+ * laio_deferred_fn -> ioq_submit cycle. The cycle terminates naturally
-+ * when io_submit(2) returns asynchronously (O_DIRECT), but can grow
-+ * without bound when submissions complete synchronously. On overflow
-+ * the caller returns without submitting; the outermost
-+ * qemu_laio_process_completions() has already scheduled s->completion_bh
-+ * (via qemu_bh_schedule() at the top of that function), which resumes
-+ * submission from the next event-loop dispatch.
-+ */
-+#define IOQ_SUBMIT_MAX_DEPTH 8
-+
- struct qemu_laiocb {
-     Coroutine *co;
-     LinuxAioState *ctx;
-@@ -61,6 +74,7 @@ typedef struct {
-     unsigned int in_queue;
-     unsigned int in_flight;
-     bool blocked;
-+    unsigned int submit_depth;
-     QSIMPLEQ_HEAD(, qemu_laiocb) pending;
- } LaioQueue;
- 
-@@ -331,6 +345,7 @@ static void ioq_init(LaioQueue *io_q)
-     io_q->in_queue = 0;
-     io_q->in_flight = 0;
-     io_q->blocked = false;
-+    io_q->submit_depth = 0;
- }
- 
- static void ioq_submit(LinuxAioState *s)
-@@ -340,6 +355,11 @@ static void ioq_submit(LinuxAioState *s)
-     QEMU_UNINITIALIZED struct iocb *iocbs[MAX_EVENTS];
-     QSIMPLEQ_HEAD(, qemu_laiocb) completed;
- 
-+    if (s->io_q.submit_depth >= IOQ_SUBMIT_MAX_DEPTH) {
-+        return;
-+    }
-+    s->io_q.submit_depth++;
-+
-     do {
-         if (s->io_q.in_flight >= MAX_EVENTS) {
-             break;
-@@ -385,6 +405,8 @@ static void ioq_submit(LinuxAioState *s)
-          * pended requests will be submitted from there.
-          */
-     }
-+
-+    s->io_q.submit_depth--;
- }
- 
- static uint64_t laio_max_batch(LinuxAioState *s, uint64_t dev_max_batch)
diff --git a/debian/patches/extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch b/debian/patches/extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch
deleted file mode 100644
index 913e22e486..0000000000
--- a/debian/patches/extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: GuoHan Zhao <zhaoguohan@kylinos.cn>
-Date: Fri, 22 May 2026 16:13:05 +0800
-Subject: [PATCH] vfio-user: reject zero DMA page size capability
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-check_pgsizes() validates that no page-size bits smaller than
-VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsizes=0. This lets a
-malformed server overwrite the default page-size mask with zero.
-
-Later vfio_user_setup() asserts that proxy->dma_pgsizes is non-zero, so device
-realization aborts instead of reporting a version capability error. Reject a
-zero DMA page-size mask during version capability parsing.
-
-Fixes: 36227628d824 (vfio-user: implement message send infrastructure)
-Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
-Reviewed-by: John Levon <john.levon@nutanix.com>
-Link: https://lore.kernel.org/qemu-devel/20260522081306.4186242-1-zhaoguohan@kylinos.cn
-Signed-off-by: Cédric Le Goater <clg@redhat.com>
-(cherry picked from commit ab89d02dac6f0f53e35a689f01099602aa2de816)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/vfio-user/proxy.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/hw/vfio-user/proxy.c b/hw/vfio-user/proxy.c
-index 314dfd23d8..3fe5b0138b 100644
---- a/hw/vfio-user/proxy.c
-+++ b/hw/vfio-user/proxy.c
-@@ -1155,9 +1155,11 @@ static bool check_pgsizes(VFIOUserProxy *proxy, QObject *qobj, Error **errp)
-         return false;
-     }
- 
--    /* must be larger than default */
--    if (pgsizes & (VFIO_USER_DEF_PGSIZE - 1)) {
--        error_setg(errp, "pgsize 0x%"PRIx64" too small", pgsizes);
-+    /* must not be zero or smaller than default */
-+    if (pgsizes < VFIO_USER_DEF_PGSIZE ||
-+        (pgsizes & (VFIO_USER_DEF_PGSIZE - 1))) {
-+        error_setg(errp, "%s 0x%"PRIx64" too small",
-+                   VFIO_USER_CAP_PGSIZES, pgsizes);
-         return false;
-     }
- 
diff --git a/debian/patches/extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch b/debian/patches/extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch
deleted file mode 100644
index 26c0bc433d..0000000000
--- a/debian/patches/extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: GuoHan Zhao <zhaoguohan@kylinos.cn>
-Date: Fri, 22 May 2026 16:13:06 +0800
-Subject: [PATCH] vfio-user: reject zero migration page size capability
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-check_migr_pgsize() validates that no page-size bits smaller than
-VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsize=0. This can replace
-the default migration page size with an unusable value.
-
-Reject a zero migration page size during version capability parsing, matching
-the lower-bound check used for the DMA page-size capability.
-
-Fixes: 36227628d824 (vfio-user: implement message send infrastructure)
-Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
-Link: https://lore.kernel.org/qemu-devel/20260522081306.4186242-2-zhaoguohan@kylinos.cn
-Signed-off-by: Cédric Le Goater <clg@redhat.com>
-(cherry picked from commit 497b5c5b05ac2be00ae16c723e2445ebbc486cb2)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/vfio-user/proxy.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/hw/vfio-user/proxy.c b/hw/vfio-user/proxy.c
-index 3fe5b0138b..3167d27b03 100644
---- a/hw/vfio-user/proxy.c
-+++ b/hw/vfio-user/proxy.c
-@@ -1081,9 +1081,11 @@ static bool check_migr_pgsize(VFIOUserProxy *proxy, QObject *qobj, Error **errp)
-         return false;
-     }
- 
--    /* must be larger than default */
--    if (pgsize & (VFIO_USER_DEF_PGSIZE - 1)) {
--        error_setg(errp, "pgsize 0x%"PRIx64" too small", pgsize);
-+    /* must not be zero or smaller than default */
-+    if (pgsize < VFIO_USER_DEF_PGSIZE ||
-+        (pgsize & (VFIO_USER_DEF_PGSIZE - 1))) {
-+        error_setg(errp, "%s 0x%"PRIx64" too small",
-+                   VFIO_USER_CAP_PGSIZE, pgsize);
-         return false;
-     }
- 
diff --git a/debian/patches/extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch b/debian/patches/extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch
deleted file mode 100644
index a385072bcf..0000000000
--- a/debian/patches/extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Chenyi Qiang <chenyi.qiang@intel.com>
-Date: Wed, 27 May 2026 18:11:08 +0800
-Subject: [PATCH] vfio/container: Restrict dma_map_file() to shared RAM or RAM
- devices
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-vfio_container_dma_map() uses dma_map_file() whenever a RAMBlock has an
-fd and the VFIO IOMMU backend supports file-based DMA mapping. That is
-not correct for private file-backed guest RAM.
-
-dma_map_file() resolves PFNs from the backing file, but private guest
-RAM mappings (MAP_PRIVATE) can run on different PFNs than the file
-because they are subject to copy-on-write (COW) anomalies. As a result,
-using dma_map_file() on a privately mapped RAMBlock can program DMA
-against pages that do not back QEMU's actual guest memory.
-
-Fix this by using dma_map_file() only for shared mapped RAMBlocks
-(MAP_SHARED) or RAM device regions.
-
-Fixes: fb32965b6dd8 ("vfio/iommufd: use IOMMU_IOAS_MAP_FILE")
-Reported-by: Farrah Chen <farrah.chen@intel.com>
-Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220776
-Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
-Suggested-by: Cédric Le Goater <clg@redhat.com>
-Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
-Link: https://lore.kernel.org/qemu-devel/20260527101109.71781-1-chenyi.qiang@intel.com
-Reviewed-by: Cédric Le Goater <clg@redhat.com>
-Signed-off-by: Cédric Le Goater <clg@redhat.com>
-(cherry picked from commit e6c47bebdf8628e635e1ba970919ca96d572dbbe)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/vfio/container.c | 34 +++++++++++++++++++++++++++++++---
- 1 file changed, 31 insertions(+), 3 deletions(-)
-
-diff --git a/hw/vfio/container.c b/hw/vfio/container.c
-index 4c2816b574..56bd9ac009 100644
---- a/hw/vfio/container.c
-+++ b/hw/vfio/container.c
-@@ -74,15 +74,43 @@ void vfio_address_space_insert(VFIOAddressSpace *space,
-     bcontainer->space = space;
- }
- 
-+static bool vfio_container_can_dma_map_file(VFIOContainer *bcontainer,
-+                                            MemoryRegion *mr, int *fd)
-+{
-+    VFIOIOMMUClass *vioc = VFIO_IOMMU_GET_CLASS(bcontainer);
-+    RAMBlock *rb = mr->ram_block;
-+
-+    if (!vioc->dma_map_file || !rb) {
-+        return false;
-+    }
-+
-+    *fd = qemu_ram_get_fd(rb);
-+    if (*fd < 0) {
-+        return false;
-+    }
-+
-+    /*
-+     * We can use IOMMU DMA mapping (IOMMU_IOAS_MAP_FILE) for :
-+     *
-+     * 1) Guest RAM blocks explicitly configured as shared (MAP_SHARED)
-+     * 2) RAM device sub-regions (MMIO BARs)
-+     *
-+     * Private RAM mappings (MAP_PRIVATE) are strictly excluded. Because
-+     * they are subject to copy-on-write (COW) anomalies, their underlying
-+     * PFNs can permanently diverge from the backing file
-+     */
-+    return qemu_ram_is_shared(rb) || memory_region_is_ram_device(mr);
-+}
-+
- int vfio_container_dma_map(VFIOContainer *bcontainer,
-                            hwaddr iova, uint64_t size,
-                            void *vaddr, bool readonly, MemoryRegion *mr)
- {
-     VFIOIOMMUClass *vioc = VFIO_IOMMU_GET_CLASS(bcontainer);
--    RAMBlock *rb = mr->ram_block;
--    int mfd = rb ? qemu_ram_get_fd(rb) : -1;
-+    int mfd;
- 
--    if (mfd >= 0 && vioc->dma_map_file) {
-+    if (vfio_container_can_dma_map_file(bcontainer, mr, &mfd)) {
-+        RAMBlock *rb = mr->ram_block;
-         unsigned long start = vaddr - qemu_ram_get_host_addr(rb);
-         unsigned long offset = qemu_ram_get_fd_offset(rb);
- 
diff --git a/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch b/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch
index 76e5fcce71..52e7ed9c50 100644
--- a/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch
+++ b/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch
@@ -247,7 +247,7 @@ index 0000000000..036edb17f5
 +
 +block_init(bdrv_zeroinit_init);
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 496118bdc7..f0f225a3c2 100644
+index 50a0af3569..4e8bc65bdb 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -3381,7 +3381,7 @@
@@ -259,7 +259,7 @@ index 496118bdc7..f0f225a3c2 100644
  
  ##
  # @BlockdevOptionsFile:
-@@ -4936,7 +4936,8 @@
+@@ -4940,7 +4940,8 @@
                        'if': 'CONFIG_BLKIO' },
        'vmdk':       'BlockdevOptionsGenericCOWFormat',
        'vpc':        'BlockdevOptionsGenericFormat',
diff --git a/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch b/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch
index 0701eb7265..f63cc7b27b 100644
--- a/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch
+++ b/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch
@@ -119,10 +119,10 @@ index 328ddaa3bd..5fd49844af 100644
      };
      return raw_co_create(&options, errp);
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index f0f225a3c2..0c00aabbab 100644
+index 4e8bc65bdb..d5a2bbcff1 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -5155,6 +5155,10 @@
+@@ -5159,6 +5159,10 @@
  # @extent-size-hint: Extent size hint to add to the image file; 0 for
  #     not adding an extent size hint (default: 1 MB, since 5.1)
  #
@@ -133,7 +133,7 @@ index f0f225a3c2..0c00aabbab 100644
  # Since: 2.12
  ##
  { 'struct': 'BlockdevCreateOptionsFile',
-@@ -5162,7 +5166,8 @@
+@@ -5166,7 +5170,8 @@
              'size':                 'size',
              '*preallocation':       'PreallocMode',
              '*nocow':               'bool',
diff --git a/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch b/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch
index d116ae3569..814b939bed 100644
--- a/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch
+++ b/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch
@@ -40,10 +40,10 @@ index a21d9a5411..1373612c10 100644
  system_ss.add(files('block-ram-registrar.c'))
  
 diff --git a/meson.build b/meson.build
-index ab3e97eb9f..f747bc3cb2 100644
+index 51f5f2851a..a88b007017 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -2149,6 +2149,8 @@ endif
+@@ -2155,6 +2155,8 @@ endif
  
  has_gettid = cc.has_function('gettid')
  
@@ -52,7 +52,7 @@ index ab3e97eb9f..f747bc3cb2 100644
  # libselinux
  selinux = dependency('libselinux',
                       required: get_option('selinux'),
-@@ -4517,6 +4519,9 @@ if have_tools
+@@ -4523,6 +4525,9 @@ if have_tools
                 dependencies: [blockdev, qemuutil, selinux],
                 install: true)
  
diff --git a/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch b/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
index a4ac880fa7..74ce2a426e 100644
--- a/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
+++ b/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
@@ -263,10 +263,10 @@ index abebfea0e2..bc727a3a6a 100644
  void hmp_device_add(Monitor *mon, const QDict *qdict);
  void hmp_device_del(Monitor *mon, const QDict *qdict);
 diff --git a/meson.build b/meson.build
-index f747bc3cb2..7aa0ed1b5a 100644
+index a88b007017..684501a185 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -2150,6 +2150,7 @@ endif
+@@ -2156,6 +2156,7 @@ endif
  has_gettid = cc.has_function('gettid')
  
  libuuid = cc.find_library('uuid', required: true)
@@ -1685,7 +1685,7 @@ index 0000000000..177fb851b4
 +    return ret;
 +}
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 0c00aabbab..4f407007b9 100644
+index d5a2bbcff1..7f1daf42fe 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -952,6 +952,248 @@
diff --git a/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch b/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
index 44e42c7f6b..8344e666ed 100644
--- a/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
+++ b/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
@@ -14,10 +14,10 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
  create mode 100644 pbs-restore.c
 
 diff --git a/meson.build b/meson.build
-index 7aa0ed1b5a..3a57c44ade 100644
+index 684501a185..7111b47319 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -4523,6 +4523,10 @@ if have_tools
+@@ -4529,6 +4529,10 @@ if have_tools
    vma = executable('vma', files('vma.c', 'vma-reader.c') + genh,
                     dependencies: [authz, block, crypto, io, qemuutil, qom], install: true)
  
diff --git a/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch b/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
index 8791b16dbc..1d2396f318 100644
--- a/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
+++ b/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
@@ -348,10 +348,10 @@ index 0000000000..3e41421716
 +
 +block_init(bdrv_pbs_init);
 diff --git a/meson.build b/meson.build
-index 3a57c44ade..eb84d64604 100644
+index 7111b47319..4115c35884 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -4997,7 +4997,7 @@ summary_info += {'Query Processing Library support': qpl}
+@@ -5003,7 +5003,7 @@ summary_info += {'Query Processing Library support': qpl}
  summary_info += {'UADK Library support': uadk}
  summary_info += {'qatzip support':    qatzip}
  summary_info += {'NUMA host support': numa}
@@ -361,7 +361,7 @@ index 3a57c44ade..eb84d64604 100644
  summary_info += {'libdaxctl support': libdaxctl}
  summary_info += {'libcbor support':   libcbor}
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 4f407007b9..84a4572625 100644
+index 7f1daf42fe..e1c659310d 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -3619,6 +3619,7 @@
@@ -406,7 +406,7 @@ index 4f407007b9..84a4572625 100644
  ##
  # @BlockdevOptionsNVMe:
  #
-@@ -5149,6 +5177,7 @@
+@@ -5153,6 +5181,7 @@
        'nfs':        'BlockdevOptionsNfs',
        'null-aio':   'BlockdevOptionsNull',
        'null-co':    'BlockdevOptionsNull',
diff --git a/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch b/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch
index 42759e606b..8c558401c8 100644
--- a/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch
+++ b/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch
@@ -14,10 +14,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 7 insertions(+), 3 deletions(-)
 
 diff --git a/meson.build b/meson.build
-index eb84d64604..d71baddfa6 100644
+index 4115c35884..87c765f622 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -2150,6 +2150,7 @@ endif
+@@ -2156,6 +2156,7 @@ endif
  has_gettid = cc.has_function('gettid')
  
  libuuid = cc.find_library('uuid', required: true)
@@ -25,7 +25,7 @@ index eb84d64604..d71baddfa6 100644
  libproxmox_backup_qemu = cc.find_library('proxmox_backup_qemu', required: true)
  
  # libselinux
-@@ -3840,7 +3841,7 @@ if have_block
+@@ -3846,7 +3847,7 @@ if have_block
    elif host_os == 'emscripten'
      blockdev_ss.add(files('os-wasm.c'))
    else
diff --git a/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch b/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
index ec8e4e9a4f..adb41f4572 100644
--- a/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
+++ b/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
@@ -58,7 +58,7 @@ index 90d62d5723..6010ccaef0 100644
    'ram.c',
    'savevm.c',
 diff --git a/migration/migration.c b/migration/migration.c
-index 5c9aaa6e58..23b05a64cf 100644
+index dfc60372cf..f415448689 100644
 --- a/migration/migration.c
 +++ b/migration/migration.c
 @@ -329,6 +329,7 @@ void migration_object_init(void)
@@ -192,7 +192,7 @@ index 177fb851b4..7575abab7c 100644
      ret->pbs_masterkey = true;
      ret->backup_max_workers = true;
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 84a4572625..4a6769c053 100644
+index e1c659310d..b314192e30 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -1112,6 +1112,11 @@
diff --git a/debian/patches/pve/0037-block-add-alloc-track-driver.patch b/debian/patches/pve/0037-block-add-alloc-track-driver.patch
index 042929c527..ed5e2f5d31 100644
--- a/debian/patches/pve/0037-block-add-alloc-track-driver.patch
+++ b/debian/patches/pve/0037-block-add-alloc-track-driver.patch
@@ -449,7 +449,7 @@ index d023753091..a777c8079c 100644
  
  out:
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 4a6769c053..8af4107bf5 100644
+index b314192e30..a8a7d227a8 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -3611,7 +3611,8 @@
@@ -484,7 +484,7 @@ index 4a6769c053..8af4107bf5 100644
  ##
  # @BlockdevOptionsPbs:
  #
-@@ -5155,6 +5171,7 @@
+@@ -5159,6 +5175,7 @@
              '*detect-zeroes': 'BlockdevDetectZeroesOptions' },
    'discriminator': 'driver',
    'data': {
diff --git a/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch b/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch
index cd27516275..5e6a4d9791 100644
--- a/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch
+++ b/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch
@@ -429,7 +429,7 @@ index 7575abab7c..8b83465ebd 100644
      return ret;
  }
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 8af4107bf5..5c8b872000 100644
+index a8a7d227a8..977daf0191 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -1054,6 +1054,10 @@
diff --git a/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch b/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch
index d30aaf8f23..031eeba6b6 100644
--- a/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch
+++ b/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch
@@ -740,7 +740,7 @@ index 0000000000..9ebeef7c8f
 +
 +#endif /* PVE_BACKUP_H */
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 5c8b872000..cf4f5ce7f1 100644
+index 977daf0191..ed37a4a22f 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -1128,6 +1128,9 @@
diff --git a/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch b/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
index df9f3df96b..0c4cef7f09 100644
--- a/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
+++ b/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
@@ -89,7 +89,7 @@ index 80b75ad5cb..f8417347a1 100644
   * @migrate_add_blocker - prevent all modes of migration from proceeding
   *
 diff --git a/migration/migration.c b/migration/migration.c
-index 23b05a64cf..8acd9610de 100644
+index f415448689..979fc7050e 100644
 --- a/migration/migration.c
 +++ b/migration/migration.c
 @@ -1886,6 +1886,30 @@ bool migration_is_blocked(Error **errp)
diff --git a/debian/patches/series b/debian/patches/series
index 84c066409b..e5fabc3e49 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,23 +1,6 @@
 extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
-extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
-extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
-extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
-extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
-extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
-extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
-extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
-extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
-extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
-extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
-extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch
-extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch
-extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch
-extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch
-extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch
-extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch
-extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch
-extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch
-extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch
+extra/0002-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
+extra/0003-block-export-fuse-fix-regression-with-block-device-e.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
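Review bot: In debian/patches/series, two extra/ patches survive under new numbers (old 0004 fdmon-io_uring becomes 0002, old 0012 block-export-fuse block-device regression becomes 0003), while the neighbouring 0011 block-export-fuse mmap fix is dropped. If the commit message does not already say so, it should state why these two are still needed on top of the new base and mention their old numbers, so the renames can be matched up and the next rebase does not have to rediscover the reason.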
diff --git a/qemu b/qemu
index 98b060da3a..e545d8bb9d 160000
--- a/qemu
+++ b/qemu
@@ -1 +1 @@
-Subproject commit 98b060da3a4f92b2a994ead5b16a87e783baf77c
+Subproject commit e545d8bb9d63e9dd61542b88463183314cff9482
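Review bot: The gitlink moves to e545d8bb9d63e9dd61542b88463183314cff9482, but the diff alone cannot show that this hash is the release named in the subject ("QEMU 11.0.2"). Please name the tag that the hash corresponds to in the commit message, so the bump can be checked against the upstream tag instead of being taken on trust.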
-- 
2.47.3






* [PATCH qemu-server v2 3/5] fix #6424: increase timeout for QMP 'quit' to 60s to avoid issue with bulk suspend
  2026-06-29 13:54 [PATCH-SERIES qemu/qemu-server v2 0/5] fix #6424: avoid timeout issue for QMP 'quit' for bulk suspend Fiona Ebner
  2026-06-29 13:54 ` [PATCH qemu v2 1/5] async snapshot: allow skipping VM start after successful completion Fiona Ebner
  2026-06-29 13:54 ` [PATCH qemu v2 2/5] update submodule and patches to QEMU 11.0.2 Fiona Ebner
@ 2026-06-29 13:54 ` Fiona Ebner
  2026-06-29 13:54 ` [PATCH qemu-server v2 4/5] run state: use v5.36 and signatures in module Fiona Ebner
  2026-06-29 13:54 ` [PATCH qemu-server v2 5/5] suspend: skip VM start after successfully saving state Fiona Ebner
  4 siblings, 0 replies; 6+ messages in thread
From: Fiona Ebner @ 2026-06-29 13:54 UTC (permalink / raw)
  To: pve-devel

The 'quit' QMP command itself is fast, since it only records the
shutdown request and notifies the main loop, but getting the response
can take a while. The reason is that qmp_dispatch() yields and must be
woken after executing the command and at that stage, QEMU is already
busy with teardown too.

In practice, users can run into the default timeout of 5 seconds when
doing bulk suspend.

The 'quit' QMP command is only used as part of (potentially)
longer-running operations already:
- VM hibernation
- VM stop
- QSD quit:
  - after enrolling EFI disk certs
  - terminating instance for TPM

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/QMPClient.pm | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/PVE/QMPClient.pm b/src/PVE/QMPClient.pm
index 7610121a..a43e661b 100644
--- a/src/PVE/QMPClient.pm
+++ b/src/PVE/QMPClient.pm
@@ -156,6 +156,12 @@ sub cmd {
             || $cmd->{execute} eq 'blockdev-snapshot-internal-sync'
         ) {
             $timeout = 60 * 60; # 1 hour
+        } elsif ($cmd->{execute} eq 'quit') {
+            # The 'quit' QMP command itself is fast, since it only records the shutdown request and
+            # notifies the main loop, but getting the response can take a while. The reason is that
+            # qmp_dispatch() yields and must be woken after executing the command and at that stage,
+            # QEMU is already busy with teardown too.
+            $timeout = 60;
         } else {
             #  NOTE: if you came here as user and want to change this, try using IO-Threads first
             # which move out quite some processing of the main thread, leaving more time for QMP
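Review bot: the new `$timeout = 60;` in the 'quit' branch carries no unit comment, unlike the `60 * 60; # 1 hour` line directly above it; adding `# 1 minute` would keep the branches consistent. The four-line code comment repeats the commit message word for word, so a shorter comment that names bug #6424 would make it easier to see later why 'quit' is special-cased, given that the note in the `else` branch steers readers towards IO-Threads rather than towards raising timeouts.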
-- 
2.47.3






* [PATCH qemu-server v2 4/5] run state: use v5.36 and signatures in module
From: Fiona Ebner @ 2026-06-29 13:54 UTC
  To: pve-devel

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/QemuServer/RunState.pm | 24 +++++++++---------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/src/PVE/QemuServer/RunState.pm b/src/PVE/QemuServer/RunState.pm
index bbbcc88e..2d98e6bb 100644
--- a/src/PVE/QemuServer/RunState.pm
+++ b/src/PVE/QemuServer/RunState.pm
@@ -1,7 +1,6 @@
 package PVE::QemuServer::RunState;
 
-use strict;
-use warnings;
+use v5.36;
 
 use POSIX qw(strftime);
 
@@ -16,8 +15,7 @@ use PVE::QemuServer::Monitor qw(mon_cmd);
 use PVE::QemuServer::Network;
 
 # note: if using the statestorage parameter, the caller has to check privileges
-sub vm_suspend {
-    my ($vmid, $skiplock, $includestate, $statestorage) = @_;
+sub vm_suspend($vmid, $skiplock = undef, $includestate = undef, $statestorage = undef) {
 
     my $conf;
     my $path;
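Review bot: converting `vm_suspend` to a signature makes its arity strict, so a caller that passes more than four arguments, or none at all, now dies at call time instead of having the mismatch ignored; the commit message has no body, so it would help to state there that all callers were checked. The blank line that used to follow `my (...) = @_;` is left as the first line of the sub body and could be dropped.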
@@ -127,8 +125,7 @@ sub vm_suspend {
 # $nocheck is set when called as part of a migration - in this context the
 # location of the config file (source or target node) is not deterministic,
 # since migration cannot wait for pmxcfs to process the rename
-sub vm_resume {
-    my ($vmid, $skiplock, $nocheck) = @_;
+sub vm_resume($vmid, $skiplock = undef, $nocheck = undef) {
 
     PVE::QemuConfig->lock_config(
         $vmid,
@@ -184,32 +181,29 @@ sub vm_resume {
     );
 }
 
-sub get_cleanup_flag_path {
-    my ($vmid) = @_;
+sub get_cleanup_flag_path($vmid) {
     return "/run/qemu-server/$vmid.cleanup";
 }
 
-sub create_cleanup_flag {
-    my ($vmid) = @_;
+sub create_cleanup_flag($vmid) {
     # write time so we could check in a timeout if needed
     PVE::File::file_set_contents(get_cleanup_flag_path($vmid), time());
 }
 
-sub clear_cleanup_flag {
-    my ($vmid) = @_;
+sub clear_cleanup_flag($vmid) {
     my $path = get_cleanup_flag_path($vmid);
     unlink $path or $! == POSIX::ENOENT or die "removing cleanup flag for $vmid failed: $!\n";
 }
 
-sub cleanup_flag_exists {
-    my ($vmid) = @_;
+sub cleanup_flag_exists($vmid) {
     return -f get_cleanup_flag_path($vmid);
 }
 
 # checks if /run/qemu-server/force-legacy-cleanup exists that will be created on
 # package update and cleared on bootup so we can be sure the guests were
 # started recently enough
-sub can_use_cleanup_flag {
+sub can_use_cleanup_flag() {
     !-f "/run/qemu-server/force-legacy-cleanup";
 }
+
 1;
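Review bot: `can_use_cleanup_flag()` now has an empty signature, so a call that passes any argument (for example a `$vmid`, as the sibling helpers take) dies with a too-many-arguments error where it was silently accepted before; worth confirming that no caller does that. The blank line added before `1;` is an unrelated whitespace change in an otherwise mechanical conversion.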
-- 
2.47.3






* [PATCH qemu-server v2 5/5] suspend: skip VM start after successfully saving state
From: Fiona Ebner @ 2026-06-29 13:54 UTC
  To: pve-devel

When creating a snapshot of the VM state for hibernation, the VM must
not be started again if the snapshot operation was completed
successfully. The VM should remain stopped, so that the QMP 'quit' is
issued without further activity from the VM.

The 'skip-vm-start' parameter for 'savevm-start' is available since
QEMU version 11.0.2, so version-guard it.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---

Changes in v2:
* check for 11.0.2 instead of 11.0.1

 src/PVE/QemuServer/RunState.pm | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/PVE/QemuServer/RunState.pm b/src/PVE/QemuServer/RunState.pm
index 2d98e6bb..889ddd28 100644
--- a/src/PVE/QemuServer/RunState.pm
+++ b/src/PVE/QemuServer/RunState.pm
@@ -2,6 +2,7 @@ package PVE::QemuServer::RunState;
 
 use v5.36;
 
+use JSON qw();
 use POSIX qw(strftime);
 
 use PVE::Cluster;
@@ -13,6 +14,7 @@ use PVE::QemuConfig;
 use PVE::QemuMigrate::Helpers;
 use PVE::QemuServer::Monitor qw(mon_cmd);
 use PVE::QemuServer::Network;
+use PVE::QemuServer::QMPHelpers;
 
 # note: if using the statestorage parameter, the caller has to check privileges
 sub vm_suspend($vmid, $skiplock = undef, $includestate = undef, $statestorage = undef) {
@@ -72,7 +74,11 @@ sub vm_suspend($vmid, $skiplock = undef, $includestate = undef, $statestorage =
 
         eval {
             PVE::QemuMigrate::Helpers::set_migration_caps($vmid, 1);
-            mon_cmd($vmid, "savevm-start", statefile => $path);
+            my $savevm_start_params = { statefile => $path };
+            if (PVE::QemuServer::QMPHelpers::runs_at_least_qemu_version($vmid, 11, 0, 2)) {
+                $savevm_start_params->{'skip-vm-start'} = JSON::true;
+            }
+            mon_cmd($vmid, "savevm-start", $savevm_start_params->%*);
             for (;;) {
                 my $state = mon_cmd($vmid, "query-savevm");
                 if (!$state->{status}) {
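Review bot: the version guard around `skip-vm-start` has no comment in the code, so a later reader of `vm_suspend` has to dig out the commit message to learn why the parameter is conditional and when the guard can be dropped; a one-line comment above the `if` stating that the parameter exists since QEMU 11.0.2 would cover that. Note also that `runs_at_least_qemu_version()` is called after `set_migration_caps()` inside the `eval`, so a failing version query lands in the same error path as a failing `savevm-start`; building `$savevm_start_params` before the `eval` would keep the two cases apart.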
-- 
2.47.3




