public inbox for pve-devel@lists.proxmox.com
From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH qemu v2 2/5] update submodule and patches to QEMU 11.0.2
Date: Mon, 29 Jun 2026 15:54:18 +0200	[thread overview]
Message-ID: <20260629135438.172004-3-f.ebner@proxmox.com> (raw)
In-Reply-To: <20260629135438.172004-1-f.ebner@proxmox.com>

Most notably, patches for fixing the deadlock between trim and drain
with IDE/SATA have finally been applied upstream with the following two
commits, so the stop-gap patch "ide: avoid potential deadlock when
draining during trim" can be dropped:
6e5b03431b ide: Minimal fix for deadlock between TRIM and drain
5044ebfad8 ide: Clean up ide_trim_co_entry() to be idiomatic coroutine code

Drop patches that already landed upstream. Note that patch
"block/export/fuse: fix regression when mmap()-ing export with
MAP_SHARED" landed in a slightly different version upstream, so
"block/export/fuse: fix regression with block device export or
growable=off and O_TRUNC" needed a rebase.

Otherwise, there are some minor fixes in x86 and ARM emulation and
migration code, fixes for rare edge cases in the block layer, and
memory check improvements in VNC.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---

Changes in v2:
* update to 11.0.2 instead of 11.0.1

 ...d-support-for-sync-bitmap-mode-never.patch |   6 +-
 ...-support-for-conditional-and-always-.patch |   2 +-
 ...-to-bdrv_dirty_bitmap_merge_internal.patch |   2 +-
 .../0006-mirror-move-some-checks-to-qmp.patch |   2 +-
 ...oid-idle-event-loop-being-accounted.patch} |   0
 ...ial-deadlock-when-draining-during-tr.patch | 100 --------------
 ...-fix-regression-with-block-device-e.patch} |  15 +--
 ...k-to-bounce-buffer-if-BLKZEROOUT-is-.patch |  36 -----
 ...fix-decoding-of-MOVBE-and-CRC32-in-1.patch |  84 ------------
 ...-accidentally-autofree-existing-virg.patch |  59 --------
 ...store-IRQ-polling-for-non-kernel-irq.patch |  47 -------
 ...strList-leak-in-x86_cpu_get_unavaila.patch |  36 -----
 ...-missing-PF_INSTR-in-SIGSEGV-context.patch |  43 ------
 ...e_save_state_v-fix-double-error_setg.patch |  46 -------
 ...e-fix-regression-when-mmap-ing-expor.patch |  94 -------------
 ...issing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch |  48 -------
 ...-use-after-free-of-cancelled-request.patch |  82 -----------
 ...ar-tag-byte-when-processing-messages.patch |  40 ------
 ...very-bitmask-with-modified-xAPIC-ids.patch |  63 ---------
 ...aio-bound-ioq_submit-recursion-depth.patch | 127 ------------------
 ...reject-zero-DMA-page-size-capability.patch |  46 -------
 ...-zero-migration-page-size-capability.patch |  44 ------
 ...estrict-dma_map_file-to-shared-RAM-o.patch |  88 ------------
 ...add-the-zeroinit-block-driver-filter.patch |   4 +-
 ...le-posix-make-locking-optiono-on-cre.patch |   6 +-
 ...VE-Backup-add-vma-backup-format-code.patch |   6 +-
 ...ckup-Proxmox-backup-patches-for-QEMU.patch |   6 +-
 ...estore-new-command-to-restore-from-p.patch |   4 +-
 ...k-driver-to-map-backup-archives-into.patch |   8 +-
 ...ct-stderr-to-journal-when-daemonized.patch |   6 +-
 ...igrate-dirty-bitmap-state-via-savevm.patch |   4 +-
 .../0037-block-add-alloc-track-driver.patch   |   4 +-
 .../0038-PVE-backup-add-fleecing-option.patch |   2 +-
 ...ment-backup-access-setup-and-teardow.patch |   2 +-
 ...se-migration-blocker-check-for-snaps.patch |   2 +-
 debian/patches/series                         |  21 +--
 qemu                                          |   2 +-
 37 files changed, 43 insertions(+), 1144 deletions(-)
 rename debian/patches/extra/{0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch => 0002-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch} (100%)
 delete mode 100644 debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
 rename debian/patches/extra/{0012-block-export-fuse-fix-regression-with-block-device-e.patch => 0003-block-export-fuse-fix-regression-with-block-device-e.patch} (71%)
 delete mode 100644 debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
 delete mode 100644 debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
 delete mode 100644 debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
 delete mode 100644 debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
 delete mode 100644 debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
 delete mode 100644 debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
 delete mode 100644 debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
 delete mode 100644 debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
 delete mode 100644 debian/patches/extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch
 delete mode 100644 debian/patches/extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch
 delete mode 100644 debian/patches/extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch
 delete mode 100644 debian/patches/extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch
 delete mode 100644 debian/patches/extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch
 delete mode 100644 debian/patches/extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch
 delete mode 100644 debian/patches/extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch
 delete mode 100644 debian/patches/extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch

diff --git a/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch b/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
index 8f196da9e2..0fb45d16e0 100644
--- a/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
+++ b/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
@@ -38,7 +38,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  5 files changed, 135 insertions(+), 21 deletions(-)
 
 diff --git a/block/mirror.c b/block/mirror.c
-index 2fcded9e93..f34b5fe733 100644
+index 089856f4a8..e6f645e0f2 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
 @@ -74,6 +74,8 @@ typedef struct MirrorBlockJob {
@@ -333,7 +333,7 @@ index e7c8f1a856..d5aa68caeb 100644
                    BlockdevOnError on_source_error,
                    BlockdevOnError on_target_error,
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 508b081ac1..496118bdc7 100644
+index 0efd51787b..50a0af3569 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -2280,6 +2280,15 @@
@@ -390,7 +390,7 @@ index 508b081ac1..496118bdc7 100644
              '*buf-size': 'int', '*on-source-error': 'BlockdevOnError',
              '*on-target-error': 'BlockdevOnError',
 diff --git a/tests/unit/test-block-iothread.c b/tests/unit/test-block-iothread.c
-index e26b3be593..396a53a757 100644
+index 5273ff235a..7055d32686 100644
 --- a/tests/unit/test-block-iothread.c
 +++ b/tests/unit/test-block-iothread.c
 @@ -755,8 +755,8 @@ static void test_propagate_mirror(void)
diff --git a/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch b/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
index 2c030dc751..468bd94bc5 100644
--- a/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
+++ b/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
@@ -24,7 +24,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 18 insertions(+), 6 deletions(-)
 
 diff --git a/block/mirror.c b/block/mirror.c
-index f34b5fe733..67d85799f4 100644
+index e6f645e0f2..414737045f 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
 @@ -735,8 +735,6 @@ static int mirror_exit_common(Job *job)
diff --git a/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch b/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch
index faef2cc4b9..5215b95855 100644
--- a/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch
+++ b/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch
@@ -16,7 +16,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 4 insertions(+), 7 deletions(-)
 
 diff --git a/block/mirror.c b/block/mirror.c
-index 67d85799f4..b88e8b4c51 100644
+index 414737045f..0f56ad1f54 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
 @@ -856,8 +856,8 @@ static int mirror_exit_common(Job *job)
diff --git a/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch b/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch
index 9223eefaa5..98c3f7b93d 100644
--- a/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch
+++ b/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch
@@ -21,7 +21,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  3 files changed, 70 insertions(+), 59 deletions(-)
 
 diff --git a/block/mirror.c b/block/mirror.c
-index b88e8b4c51..1e143ccab1 100644
+index 0f56ad1f54..75563e6e75 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
 @@ -1885,31 +1885,13 @@ static BlockJob *mirror_start_job(
diff --git a/debian/patches/extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch b/debian/patches/extra/0002-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
similarity index 100%
rename from debian/patches/extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
rename to debian/patches/extra/0002-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
diff --git a/debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch b/debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
deleted file mode 100644
index 04271fe4fe..0000000000
--- a/debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Tue, 7 Mar 2023 15:03:02 +0100
-Subject: [PATCH] ide: avoid potential deadlock when draining during trim
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The deadlock can happen as follows:
-1. ide_issue_trim is called, and increments the in_flight counter.
-2. ide_issue_trim_cb calls blk_aio_pdiscard.
-3. Somebody else starts draining (e.g. backup to insert the cbw node).
-4. ide_issue_trim_cb is called as the completion callback for
-   blk_aio_pdiscard.
-5. ide_issue_trim_cb issues yet another blk_aio_pdiscard request.
-6. The request is added to the wait queue via blk_wait_while_drained,
-   because draining has been started.
-7. Nobody ever decrements the in_flight counter and draining can't
-   finish. This would be done by ide_trim_bh_cb, which is called after
-   ide_issue_trim_cb has issued its last request, but
-   ide_issue_trim_cb is not called anymore, because it's the
-   completion callback of blk_aio_pdiscard, which waits on draining.
-
-Quoting Hanna Czenczek:
-> The point of 7e5cdb345f was that we need any in-flight count to
-> accompany a set s->bus->dma->aiocb. While blk_aio_pdiscard() is
-> happening, we don’t necessarily need another count. But we do need
-> it while there is no blk_aio_pdiscard().
-> ide_issue_trim_cb() returns in two cases (and, recursively through
-> its callers, leaves s->bus->dma->aiocb set):
-> 1. After calling blk_aio_pdiscard(), which will keep an in-flight
->    count,
-> 2. After calling replay_bh_schedule_event() (i.e.
->    qemu_bh_schedule()), which does not keep an in-flight count.
-
-Thus, even after moving the blk_inc_in_flight to above the
-replay_bh_schedule_event call, the invariant "ide_issue_trim_cb
-returns with an accompanying in-flight count" is still satisfied.
-
-However, the issue 7e5cdb345f fixed for canceling resurfaces, because
-ide_cancel_dma_sync assumes that it just needs to drain once. But now
-the in_flight count is not consistently > 0 during the trim operation.
-So, change it to drain until !s->bus->dma->aiocb, which means that the
-operation finished (s->bus->dma->aiocb is cleared by ide_set_inactive
-via the ide_dma_cb when the end of the transfer is reached).
-
-Discussion here:
-https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg02506.html
-
-Fixes: 7e5cdb345f ("ide: Increment BB in-flight counter for TRIM BH")
-Suggested-by: Hanna Czenczek <hreitz@redhat.com>
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/ide/core.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 7a15d6cac9..db44d83f57 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -456,7 +456,7 @@ static void ide_trim_bh_cb(void *opaque)
-     iocb->bh = NULL;
-     qemu_aio_unref(iocb);
- 
--    /* Paired with an increment in ide_issue_trim() */
-+    /* Paired with an increment in ide_issue_trim_cb() */
-     blk_dec_in_flight(blk);
- }
- 
-@@ -516,6 +516,8 @@ static void ide_issue_trim_cb(void *opaque, int ret)
- done:
-     iocb->aiocb = NULL;
-     if (iocb->bh) {
-+        /* Paired with a decrement in ide_trim_bh_cb() */
-+        blk_inc_in_flight(s->blk);
-         replay_bh_schedule_event(iocb->bh);
-     }
- }
-@@ -528,9 +530,6 @@ BlockAIOCB *ide_issue_trim(
-     IDEDevice *dev = s->unit ? s->bus->slave : s->bus->master;
-     TrimAIOCB *iocb;
- 
--    /* Paired with a decrement in ide_trim_bh_cb() */
--    blk_inc_in_flight(s->blk);
--
-     iocb = blk_aio_get(&trim_aiocb_info, s->blk, cb, cb_opaque);
-     iocb->s = s;
-     iocb->bh = qemu_bh_new_guarded(ide_trim_bh_cb, iocb,
-@@ -754,8 +753,9 @@ void ide_cancel_dma_sync(IDEState *s)
-      */
-     if (s->bus->dma->aiocb) {
-         trace_ide_cancel_dma_sync_remaining();
--        blk_drain(s->blk);
--        assert(s->bus->dma->aiocb == NULL);
-+        while (s->bus->dma->aiocb) {
-+            blk_drain(s->blk);
-+        }
-     }
- }
- 
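Review bot: the dropped stop-gap did more than fix the trim side; it also rewrote ide_cancel_dma_sync() to `while (s->bus->dma->aiocb) { blk_drain(s->blk); }` in place of a single blk_drain() followed by `assert(s->bus->dma->aiocb == NULL);`. The commit message only states that 6e5b03431b and 5044ebfad8 fix the trim/drain deadlock, so it should also say whether the upstream minimal fix restores the invariant that one drain is enough (an in-flight count held for the whole trim), because reverting to the single drain plus assert otherwise reintroduces the cancel-path problem this patch's description ties to 7e5cdb345f.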
diff --git a/debian/patches/extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch b/debian/patches/extra/0003-block-export-fuse-fix-regression-with-block-device-e.patch
similarity index 71%
rename from debian/patches/extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch
rename to debian/patches/extra/0003-block-export-fuse-fix-regression-with-block-device-e.patch
index 121e5712cd..37999ac6d4 100644
--- a/debian/patches/extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch
+++ b/debian/patches/extra/0003-block-export-fuse-fix-regression-with-block-device-e.patch
@@ -17,20 +17,19 @@ growable=off and/or a block device based export for setting the flag.
 
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
- block/export/fuse.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ block/export/fuse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/block/export/fuse.c b/block/export/fuse.c
-index ef381fd844..7a7386c904 100644
+index c0e8dfb643..8430c73293 100644
 --- a/block/export/fuse.c
 +++ b/block/export/fuse.c
-@@ -816,7 +816,8 @@ static ssize_t coroutine_fn GRAPH_RDLOCK
+@@ -856,7 +856,7 @@ static ssize_t coroutine_fn GRAPH_RDLOCK
  fuse_co_init(FuseExport *exp, struct fuse_init_out *out,
               const struct fuse_init_in *in)
  {
--    const uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO | FUSE_INIT_EXT;
-+    const uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO
-+        | FUSE_INIT_EXT | FUSE_ATOMIC_O_TRUNC;
-     const uint32_t supported_flags2 = (FUSE_DIRECT_IO_ALLOW_MMAP >> 32);
+-    uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO;
++    uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO | FUSE_ATOMIC_O_TRUNC;
+     uint32_t flags2 = 0;
  
      if (in->major != 7) {
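Review bot: the rebased context drops FUSE_INIT_EXT and `supported_flags2 = (FUSE_DIRECT_IO_ALLOW_MMAP >> 32);` in favour of a non-const supported_flags and `uint32_t flags2 = 0;`, which implies upstream's version of the mmap fix now ORs those bits in conditionally further down in fuse_co_init(). Since the commit message says that upstream version differs from the dropped 0011 patch, please confirm that for the growable=off and block-device export case this patch targets, FUSE_ATOMIC_O_TRUNC is still present in the flags actually written to `out` after upstream's later adjustments, and that nothing below resets supported_flags.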
diff --git a/debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch b/debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
deleted file mode 100644
index 5d7020a11f..0000000000
--- a/debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Mon, 5 Jan 2026 13:36:20 +0100
-Subject: [PATCH] block/io: fallback to bounce buffer if BLKZEROOUT is not
- supported because of alignment
-
-Commit 5634622bcb ("file-posix: allow BLKZEROOUT with -t writeback")
-enables the BLKZEROOUT ioctl when using 'writeback' cache, regressing
-certain 'qemu-img convert' invocations, because of a pre-existing
-issue. Namely, the BLKZEROOUT ioctl might fail with errno EINVAL when
-the request is shorter than the block size of the block device.
-Fallback to the bounce buffer, similar to when the ioctl is not
-supported at all, rather than treating such an error as fatal.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3257
-Resolves: https://bugzilla.proxmox.com/show_bug.cgi?id=7197
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- block/io.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/block/io.c b/block/io.c
-index e8fb4ede4d..82e3383e8d 100644
---- a/block/io.c
-+++ b/block/io.c
-@@ -1918,7 +1918,8 @@ bdrv_co_do_pwrite_zeroes(BlockDriverState *bs, int64_t offset, int64_t bytes,
-             assert(!bs->supported_zero_flags);
-         }
- 
--        if (ret == -ENOTSUP && !(flags & BDRV_REQ_NO_FALLBACK)) {
-+        if ((ret == -ENOTSUP || (ret == -EINVAL && num < alignment)) &&
-+            !(flags & BDRV_REQ_NO_FALLBACK)) {
-             /* Fall back to bounce buffer if write zeroes is unsupported */
-             BdrvRequestFlags write_flags = flags & ~BDRV_REQ_ZERO_WRITE;
- 
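Review bot: unlike the other dropped extra patches, this one carries no `(cherry picked from commit ...)` line, so the commit message gives no upstream commit ID for the fix that supersedes it. Please name the 11.0.2 commit that resolves issue 3257 / bug 7197 in the commit message (or the cover letter), otherwise the EINVAL fallback for short BLKZEROOUT requests in bdrv_co_do_pwrite_zeroes() could be silently lost by this update and the 'qemu-img convert' regression would return.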
diff --git a/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch b/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
deleted file mode 100644
index 9874c26972..0000000000
--- a/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 31 Mar 2026 08:32:23 +0200
-Subject: [PATCH] target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit
- mode
-
-Table A-4 of the SDM shows
-
-                    F0                     F1
---------------------------------------------------------
-     NP           MOVBE Gy,My           MOVBE My,Gy
-     66           MOVBE Gw,Mw           MOVBW Mw,Gw
-     F2           CRC32 Gd,Eb           CRC32 Gd,Ey
-  66+F2           CRC32 Gd,Eb           CRC32 Gd,Ew
-
-However, this is incorrect.  Both MOVBE and (for 0xF1) CRC32
-take Gv, Ev or Mv operands.  In 16-bit mode therefore the
-operand is of 16-bit size without prefix and 32-bit mode
-with 0x66 (the data size override).
-
-For example, with NASM you get:
-
-                                 bits 16
-   67 0F 38 F0 02                movbe ax, [edx]
-   66 67 0F 38 F0 02             movbe eax, [edx]
-
-   67 F2 0F 38 F1 02             crc32 ax, word [edx]
-   66 67 F2 0F 38 F1 02          crc32 eax, dword [edx]
-
-versus
-
-                                 bits 32
-   66 0F 38 F0 02                movbe ax, [edx]
-   0F 38 F0 02                   movbe eax, [edx]
-
-   66 F2 0F 38 F1 02             crc32 eax, word [edx]
-   F2 0F 38 F1 02                crc32 eax, dword [edx]
-
-The instruction is listed correctly in the APX documentation
-as "SCALABLE" (which means it has v-size operands).
-
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 76ad26dd172d27aae9f1e76d1165b497167c36c2)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/decode-new.c.inc | 16 ++++++++++------
- 1 file changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.c.inc
-index bc105aab9e..c8b5bd6ad2 100644
---- a/target/i386/tcg/decode-new.c.inc
-+++ b/target/i386/tcg/decode-new.c.inc
-@@ -875,19 +875,23 @@ static const X86OpEntry opcodes_0F38_00toEF[240] = {
- 
- /* five rows for no prefix, 66, F3, F2, 66+F2  */
- static const X86OpEntry opcodes_0F38_F0toFF[16][5] = {
-+    /*
-+     * MOVBE and CRC32 are incorrectly listed as always doing 32-bit operation
-+     * without prefix and 16-bit operation with 0x66.
-+     */
-     [0] = {
--        X86_OP_ENTRYwr(MOVBE, G,y, M,y, cpuid(MOVBE)),
--        X86_OP_ENTRYwr(MOVBE, G,w, M,w, cpuid(MOVBE)),
-+        X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)),
-+        X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)),
-         {},
-         X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)),
-         X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)),
-     },
-     [1] = {
--        X86_OP_ENTRYwr(MOVBE, M,y, G,y, cpuid(MOVBE)),
--        X86_OP_ENTRYwr(MOVBE, M,w, G,w, cpuid(MOVBE)),
-+        X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)),
-+        X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)),
-         {},
--        X86_OP_ENTRY2(CRC32, G,d, E,y, cpuid(SSE42)),
--        X86_OP_ENTRY2(CRC32, G,d, E,w, cpuid(SSE42)),
-+        X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)),
-+        X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)),
-     },
-     [2] = {
-         X86_OP_ENTRY3(ANDN, G,y, B,y, E,y, vex13 cpuid(BMI1)),
diff --git a/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch b/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
deleted file mode 100644
index b8f224e9be..0000000000
--- a/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
-Date: Fri, 17 Apr 2026 13:27:03 +0100
-Subject: [PATCH] hw/display: don't accidentally autofree existing virgl
- resources
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-While sanity checking a create blob operation the use of the auto
-freed res variable could lead to inadvertently freeing an existing
-blob.
-
-Avoid this by in-lining the virtio_gpu_virgl_find_resource() check as
-the value is not needed anyway.
-
-While at it add a comment to the end and use g_steal_pointer to make
-it clearer the object lifetime exceeds the function bounds if we pass
-all the checks.
-
-Fixes: CVE-2026-6502
-Fixes: 7c092f17cce (virtio-gpu: Handle resource blob commands)
-Message-ID: 20260417094443.785462-1-alex.bennee@linaro.org
-Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
-Cc: qemu-stable@nongnu.org
-Message-ID: <20260417122703.845442-1-alex.bennee@linaro.org>
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
-(cherry picked from commit 30fad722ce68316d22b926ba0e6017f0440465df)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/display/virtio-gpu-virgl.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c
-index b7a2d160dd..add85bd4e6 100644
---- a/hw/display/virtio-gpu-virgl.c
-+++ b/hw/display/virtio-gpu-virgl.c
-@@ -830,8 +830,7 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g,
-         return;
-     }
- 
--    res = virtio_gpu_virgl_find_resource(g, cblob.resource_id);
--    if (res) {
-+    if (virtio_gpu_virgl_find_resource(g, cblob.resource_id)) {
-         qemu_log_mask(LOG_GUEST_ERROR, "%s: resource already exists %d\n",
-                       __func__, cblob.resource_id);
-         cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID;
-@@ -884,8 +883,9 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g,
- 
-     res->base.dmabuf_fd = info.fd;
- 
-+    /* Now live, cleaned up in virtio_gpu_virgl_resource_unref */
-     QTAILQ_INSERT_HEAD(&g->reslist, &res->base, next);
--    res = NULL;
-+    g_steal_pointer(&res);
- }
- 
- static void virgl_cmd_resource_map_blob(VirtIOGPU *g,
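Review bot: this is the CVE-2026-6502 fix (upstream 30fad722ce68316d22b926ba0e6017f0440465df), yet the commit message only names the IDE commits explicitly. Please either list it among the patches confirmed to be in 11.0.2 or verify it before dropping, e.g. with `git -C qemu merge-base --is-ancestor 30fad722ce68 HEAD` against the new submodule commit, since a missed backport here would reintroduce the guest-reachable free of an existing blob resource in virgl_cmd_resource_create_blob().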
diff --git a/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch b/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
deleted file mode 100644
index 88f899f85f..0000000000
--- a/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: rickgcn <rickgcn@gmail.com>
-Date: Sat, 18 Apr 2026 14:14:29 +0800
-Subject: [PATCH] hw: i386: vapic: restore IRQ polling for non-kernel irqchip
- backends
-
-69dfc078 extended vAPIC handling for WHPX with user-mode irqchip, but it
-also changed vapic_write() case 4 in a way that excludes TCG from
-apic_poll_irq().
-
-Before that change, IRQ polling happened whenever no in-kernel irqchip
-was active. After the change, it only happened for KVM or WHPX with a
-user-mode irqchip. Under TCG, both kvm_enabled() and whpx_enabled() are
-false, so the poll never happens.
-
-This regresses 32-bit Windows XP guests on a Windows host with
--machine pc-i440fx-10.0,accel=tcg, causing a STOP 0x0000000A during boot.
-
-Fix it by making the decision depend on whether KVM or WHPX is using an
-in-kernel irqchip, instead of whether either accelerator is enabled.
-
-Fixes: 69dfc078a6f0 ("hw: i386: vapic: enable on WHPX with user-mode irqchip")
-
-Signed-off-by: rickgcn <rickgcn@gmail.com>
-Link: https://lore.kernel.org/r/20260418061429.16898-1-rickgcn@gmail.com
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit c906c2337058bd467e6ac0176c2966d1eeb6f8f5)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/i386/vapic.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/hw/i386/vapic.c b/hw/i386/vapic.c
-index 41e5ca26df..1acb9f91b2 100644
---- a/hw/i386/vapic.c
-+++ b/hw/i386/vapic.c
-@@ -716,8 +716,7 @@ static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
-         break;
-     default:
-     case 4:
--        if ((kvm_enabled() && !kvm_irqchip_in_kernel())
--          || (whpx_enabled() && !whpx_irqchip_in_kernel())) {
-+        if (!kvm_irqchip_in_kernel() && !whpx_irqchip_in_kernel()) {
-             apic_poll_irq(cpu->apic_state);
-         }
-         break;
diff --git a/debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch b/debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
deleted file mode 100644
index a9975bbb3b..0000000000
--- a/debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Mon, 13 Apr 2026 16:50:40 +0400
-Subject: [PATCH] target/i386: fix strList leak in
- x86_cpu_get_unavailable_features
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The result list built by x86_cpu_list_feature_names() was never freed
-after being visited, causing a memory leak detected by ASan.
-(the getter visitor is VISITOR_OUTPUT kind and doesn't own data)
-
-Fixes: 506174bf8219 ("i386: "unavailable-features" QOM property")
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Link: https://lore.kernel.org/r/20260413125040.3842686-1-marcandre.lureau@redhat.com
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 87e1226e6f6844845ac407d50198d84205e7ed7f)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/cpu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index c6fd1dc00e..9d126600c0 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -7842,6 +7842,7 @@ static void x86_cpu_get_unavailable_features(Object *obj, Visitor *v,
- 
-     x86_cpu_list_feature_names(xc->filtered_features, &result);
-     visit_type_strList(v, "unavailable-features", &result, errp);
-+    qapi_free_strList(result);
- }
- 
- /* Print all cpuid feature names in featureset
diff --git a/debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch b/debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
deleted file mode 100644
index dfa3f4c20a..0000000000
--- a/debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Simon Scherer <scherer.simon89@gmail.com>
-Date: Mon, 13 Apr 2026 13:56:22 +0200
-Subject: [PATCH] target/i386: fix missing PF_INSTR in SIGSEGV context
-
-When running linux-user emulation, the SIGSEGV handler does not
-correctly set the 4th bit (PF_INSTR) in the error_code variable of
-the context argument (context->uc_mcontext.gregs[REG_ERR]).
-
-Because this bit is never set, guest applications cannot distinguish
-if a fault was due to missing executable permissions. This patch
-ensures that when a page fault occurs during an instruction fetch,
-the PF_INSTR flag is properly populated in the signal context.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3384
-Signed-off-by: Simon Scherer <scherer.simon89@gmail.com>
-Link: https://lore.kernel.org/r/20260413115622.160212-1-scherer.simon89@gmail.com
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 3eae91a8b93a35f194a39ab5b894ae405def9270)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/user/excp_helper.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/target/i386/tcg/user/excp_helper.c b/target/i386/tcg/user/excp_helper.c
-index 98fab4cbc3..6c5df5e0e8 100644
---- a/target/i386/tcg/user/excp_helper.c
-+++ b/target/i386/tcg/user/excp_helper.c
-@@ -36,9 +36,10 @@ void x86_cpu_record_sigsegv(CPUState *cs, vaddr addr,
-      * signal and set exception_index to EXCP_INTERRUPT.
-      */
-     env->cr[2] = addr;
--    env->error_code = ((access_type == MMU_DATA_STORE) << PG_ERROR_W_BIT)
--                    | (maperr ? 0 : PG_ERROR_P_MASK)
--                    | PG_ERROR_U_MASK;
-+    env->error_code = (maperr ? 0 : PG_ERROR_P_MASK)
-+                    | ((access_type == MMU_DATA_STORE) << PG_ERROR_W_BIT)
-+                    | PG_ERROR_U_MASK
-+                    | ((access_type == MMU_INST_FETCH) ? PG_ERROR_I_D_MASK : 0);
-     cs->exception_index = EXCP0E_PAGE;
- 
-     /* Disable do_interrupt_user. */
diff --git a/debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch b/debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
deleted file mode 100644
index a4faa8635c..0000000000
--- a/debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
-Date: Thu, 5 Mar 2026 00:22:45 +0300
-Subject: [PATCH] migration: vmstate_save_state_v: fix double error_setg
-
-We may call error_setg twice on same errp if inner
-vmstate_save_state_v() or vmstate_save_state() call fails. Next we will
-crash on assertion in error_setv().
-
-Fixes: 848a0503422d043 "migration: Update error description outside migration.c"
-Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
-Reviewed-by: Fabiano Rosas <farosas@suse.de>
-Reviewed-by: Peter Xu <peterx@redhat.com>
-Link: https://lore.kernel.org/qemu-devel/20260304212303.667141-2-vsementsov@yandex-team.ru
-Signed-off-by: Fabiano Rosas <farosas@suse.de>
-(cherry picked from commit d41ce10d0f5a3d6e497e4b75807a8e675033c597)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- migration/vmstate.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/migration/vmstate.c b/migration/vmstate.c
-index 4d28364f7b..fccd030dfd 100644
---- a/migration/vmstate.c
-+++ b/migration/vmstate.c
-@@ -539,6 +539,9 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDescription *vmsd,
-                 } else {
-                     ret = inner_field->info->put(f, curr_elem, size,
-                                                  inner_field, vmdesc_loop);
-+                    if (ret < 0) {
-+                        error_setg(errp, "put failed");
-+                    }
-                 }
- 
-                 written_bytes = qemu_file_transferred(f) - old_offset;
-@@ -551,8 +554,8 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDescription *vmsd,
-                 }
- 
-                 if (ret) {
--                    error_setg(errp, "Save of field %s/%s failed",
--                                vmsd->name, field->name);
-+                    error_prepend(errp, "Save of field %s/%s failed: ",
-+                                  vmsd->name, field->name);
-                     if (vmsd->post_save) {
-                         vmsd->post_save(opaque);
-                     }
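Review bot: `error_prepend()` at the `Save of field %s/%s failed` site requires `*errp` to already be set on every path that reaches `if (ret)`; the hunk only adds `error_setg(errp, "put failed")` for the `put` branch, and relies on the commit message's claim that the inner `vmstate_save_state_v()` / `vmstate_save_state()` calls set it themselves. Any other non-zero `ret` source in the elided lines between the two hunks would turn the previous double-`error_setg` assertion into a NULL dereference inside `error_prepend()`. Since this is recorded as cherry picked from d41ce10d0f5a3d6e497e4b75807a8e675033c597, dropping it is fine provided that commit is in 11.0.2; please confirm against the tag.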
diff --git a/debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch b/debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
deleted file mode 100644
index 71df0416de..0000000000
--- a/debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Tue, 5 May 2026 13:04:29 +0200
-Subject: [PATCH] block/export/fuse: fix regression when mmap()-ing export with
- MAP_SHARED
-
-The swtpm_setup binary will fail accessing a FUSE export from
-qemu-storage-daemon since commit 8599559580 ("fuse: Set direct_io and
-parallel_direct_writes"). It uses mmap() with MAP_SHARED, which fails
-fails when direct IO is used, but the FUSE_DIRECT_IO_ALLOW_MMAP flag
-is not. This is documented behavior [0]. Enable the flag if the kernel
-supports it to fix the regression.
-
-The FUSE_INIT_EXT flag needs to be set to be able to use the flags2
-argument.
-
-This patch bumps the required minimal protocol version to 7.36 for
-availablity of the FUSE_INIT_EXT flag, which is available since kernel
-5.17. A proper upstream submission should try to avoid this.
-Discussion upstream [1].
-
-[0]: https://www.kernel.org/doc/html/next/filesystems/fuse/fuse-io.html
-[1]: https://lore.kernel.org/qemu-devel/e86b82e4-a85d-46d2-bb8f-4e0f59e49a44@proxmox.com/
-
-Fixes: 8599559580 ("fuse: Set direct_io and parallel_direct_writes")
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- block/export/fuse.c | 27 ++++++++-------------------
- 1 file changed, 8 insertions(+), 19 deletions(-)
-
-diff --git a/block/export/fuse.c b/block/export/fuse.c
-index a2a478d293..ef381fd844 100644
---- a/block/export/fuse.c
-+++ b/block/export/fuse.c
-@@ -51,23 +51,11 @@
- #define FUSE_MAX_READ_BYTES (MIN(BDRV_REQUEST_MAX_BYTES, 1 * 1024 * 1024))
- #define FUSE_MAX_WRITE_BYTES (64 * 1024)
- 
--/*
-- * fuse_init_in structure before 7.36.  We don't need the flags2 field added
-- * there, so we can work with the smaller older structure to stay compatible
-- * with older kernels.
-- */
--struct fuse_init_in_compat {
--    uint32_t major;
--    uint32_t minor;
--    uint32_t max_readahead;
--    uint32_t flags;
--};
--
- typedef struct FuseRequestInHeader {
-     struct fuse_in_header common;
-     /* All supported requests */
-     union {
--        struct fuse_init_in_compat init;
-+        struct fuse_init_in init;
-         struct fuse_open_in open;
-         struct fuse_setattr_in setattr;
-         struct fuse_read_in read;
-@@ -826,9 +814,10 @@ static bool is_regular_file(const char *path, Error **errp)
-  */
- static ssize_t coroutine_fn GRAPH_RDLOCK
- fuse_co_init(FuseExport *exp, struct fuse_init_out *out,
--             const struct fuse_init_in_compat *in)
-+             const struct fuse_init_in *in)
- {
--    const uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO;
-+    const uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO | FUSE_INIT_EXT;
-+    const uint32_t supported_flags2 = (FUSE_DIRECT_IO_ALLOW_MMAP >> 32);
- 
-     if (in->major != 7) {
-         error_report("FUSE major version mismatch: We have 7, but kernel has %"
-@@ -836,9 +825,9 @@ fuse_co_init(FuseExport *exp, struct fuse_init_out *out,
-         return -EINVAL;
-     }
- 
--    /* 2007's 7.9 added fuse_attr.blksize; working around that would be hard */
--    if (in->minor < 9) {
--        error_report("FUSE minor version too old: 9 required, but kernel has %"
-+    /* Kernel 5.17's 7.36 protocol version added FUSE_INIT_EXT */
-+    if (in->minor < 36) {
-+        error_report("FUSE minor version too old: 36 required, but kernel has %"
-                      PRIu32, in->minor);
-         return -EINVAL;
-     }
-@@ -849,7 +838,7 @@ fuse_co_init(FuseExport *exp, struct fuse_init_out *out,
-         .max_readahead = in->max_readahead,
-         .max_write = FUSE_MAX_WRITE_BYTES,
-         .flags = in->flags & supported_flags,
--        .flags2 = 0,
-+        .flags2 = in->flags2 & supported_flags2,
- 
-         /* libfuse maximum: 2^16 - 1 */
-         .max_background = UINT16_MAX,
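Review bot: the 7.36 minimum (`if (in->minor < 36)`, kernel 5.17) and the removal of `struct fuse_init_in_compat` are flagged in this patch's own commit message as something "a proper upstream submission should try to avoid", and the cover letter says the upstream version landed in a slightly different form. Please state in the cover letter whether the 11.0.2 variant still hard-requires minor >= 36 or kept the compat path, since that decides the effective minimum host kernel for `qemu-storage-daemon` FUSE exports (the `swtpm_setup` MAP_SHARED case that motivated this). It would also be worth noting there that the rebased follow-up "block/export/fuse: fix regression with block device export or growable=off and O_TRUNC" was re-verified against the upstream `flags2` / `FUSE_DIRECT_IO_ALLOW_MMAP` handling rather than this dropped version.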
diff --git a/debian/patches/extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch b/debian/patches/extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch
deleted file mode 100644
index 7f00682227..0000000000
--- a/debian/patches/extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Tue, 26 May 2026 11:49:57 -0400
-Subject: [PATCH] virtio-blk: add missing VIRTIO_BLK_T_SCSI_CMD size check
- (CVE-2026-48914)
-
-Check that the iovec containing struct virtio_scsi_inhdr is large enough
-before storing an error value there.
-
-Feifan Qian <bea1e@proton.me> pointed out that this can be used to
-corrupt heap memory when the descriptor uses an MMIO address and a
-length of 1, forcing QEMU to allocate a 1-byte heap bounce buffer.
-virtio_stl_p() stores 4 bytes and therefore corrupts whatever is beyond
-the bounce buffer.
-
-Fixes: CVE-2026-48914
-Fixes: f34e73cd69bd ("virtio-blk: report non-zero status when failing SG_IO requests")
-Reported-by: Feifan Qian <bea1e@proton.me>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(pick from: https://lore.kernel.org/qemu-devel/20260526154957.1741622-1-stefanha@redhat.com)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/block/virtio-blk.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
-index 9cb9f1fb2b..6b92066aff 100644
---- a/hw/block/virtio-blk.c
-+++ b/hw/block/virtio-blk.c
-@@ -199,10 +199,16 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
- 
-     /*
-      * The scsi inhdr is placed in the second-to-last input segment, just
--     * before the regular inhdr.
-+     * before the regular inhdr. VIRTIO implementations normally do not rely on
-+     * the precise message framing, but legacy implementations did and so we do
-+     * too for the legacy virtio-blk SCSI request type.
-      *
-      * Just put anything nonzero so that the ioctl fails in the guest.
-      */
-+    if (elem->in_sg[elem->in_num - 2].iov_len != sizeof(*scsi)) {
-+        status = VIRTIO_BLK_S_IOERR;
-+        goto fail;
-+    }
-     scsi = (void *)elem->in_sg[elem->in_num - 2].iov_base;
-     virtio_stl_p(vdev, &scsi->errors, 255);
-     status = VIRTIO_BLK_S_UNSUPP;
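Review bot: this patch is recorded as `(pick from: https://lore.kernel.org/qemu-devel/20260526154957.1741622-1-stefanha@redhat.com)` rather than a `cherry picked from commit` hash, so there is nothing here to match against v11.0.2. Since it is the CVE-2026-48914 fix for a guest-triggerable heap write via a 1-byte MMIO-backed bounce buffer, please confirm the merged commit is in 11.0.2 and mention the CVE number in the cover letter so the changelog records that the fix now comes from the submodule bump. Also worth checking whether the merged form kept the strict `iov_len != sizeof(*scsi)` equality shown here (which the added comment justifies via legacy framing) rather than a `<` bound; a guest driver that supplies a larger inhdr segment gets `VIRTIO_BLK_S_IOERR` under the strict form, and the two builds should behave the same.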
diff --git a/debian/patches/extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch b/debian/patches/extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch
deleted file mode 100644
index 3bf65cb920..0000000000
--- a/debian/patches/extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Fri, 15 May 2026 11:01:00 +0200
-Subject: [PATCH] lsi53c895a: fix use-after-free of cancelled request
-
-When processing the Message Out phase, the lsi53c895a controller
-can cancel a request and the continue by processing more messages.
-When this happens, it is important that a cancelled request is not
-processed further, because scsi_req_cancel can cause the request
-to be freed.
-
-Right now this is happening in two cases, but not when cancelling
-the entire queue of requests after an ABORT, CLEAR QUEUE or
-BUS DEVICE RESET message.  In that case, a subsequent ABORT TAG
-message can use a dangling current_req.
-
-There are three possible fixes:
-
-- add a missing check inside the loop, clearing current_req
-  if p->req == current_req.  This is obvious but complicates the
-  code inside the foreach loop.
-
-- change the conditional prior to the loop from "if (s->current)"
-  to "if (current_req)".  This would work, because s->current != NULL
-  implies current_req != NULL, and would clear current_req correctly.
-  However it is less obvious because the point of the code
-  is to clear the entire queue, which consists of s->current
-  and s->queue; current_req is not special here.
-
-- delay the retrieval of current_req until an ABORT TAG message
-  is seen.  This is the most correct option, because the SCSI
-  protocol only deals with tags; requests are a QEMU concept
-  that only makes sense for the purpose of calling into the
-  SCSI layer.
-
-Reported-by: Wei Che Kao <skps96g313.cs10@gmail.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 5297a0fc65317ba7f79ef44ce7a44e41d15fdb27)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/scsi/lsi53c895a.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
-index 54123f7757..0843d325ab 100644
---- a/hw/scsi/lsi53c895a.c
-+++ b/hw/scsi/lsi53c895a.c
-@@ -1000,10 +1000,8 @@ static void lsi_do_msgout(LSIState *s)
- 
-     if (s->current) {
-         current_tag = s->current->tag;
--        current_req = s->current;
-     } else {
-         current_tag = s->select_tag;
--        current_req = lsi_find_by_tag(s, current_tag);
-     }
- 
-     trace_lsi_do_msgout(s->dbc);
-@@ -1058,9 +1056,13 @@ static void lsi_do_msgout(LSIState *s)
-         case 0x0d:
-             /* The ABORT TAG message clears the current I/O process only. */
-             trace_lsi_do_msgout_abort(current_tag);
-+            if (s->current) {
-+                current_req = s->current;
-+            } else {
-+                current_req = lsi_find_by_tag(s, current_tag);
-+            }
-             if (current_req && current_req->req) {
-                 scsi_req_cancel(current_req->req);
--                current_req = NULL;
-             }
-             lsi_disconnect(s);
-             break;
-@@ -1086,7 +1088,6 @@ static void lsi_do_msgout(LSIState *s)
-             /* clear the current I/O process */
-             if (s->current) {
-                 scsi_req_cancel(s->current->req);
--                current_req = NULL;
-             }
- 
-             /* As the current implemented devices scsi_disk and scsi_generic
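Review bot: the commit message enumerates three possible fixes but never states which one the hunk implements; it is the third (the `current_req` lookup is deferred into the `case 0x0d` ABORT TAG branch, and the two `current_req = NULL` resets are dropped because nothing else reads it afterwards). With the lookup now happening after the queue-clearing path has run, `lsi_find_by_tag()` can no longer return a request freed by `scsi_req_cancel()`, which is the use-after-free being closed. This is a guest-triggerable bug in the emulated controller (Reported-by, `Cc: qemu-stable`), so please confirm 5297a0fc65317ba7f79ef44ce7a44e41d15fdb27 is in 11.0.2 against the tag, and note that patch 0015 chains on it (`index 0843d325ab`), so the two must be dropped together, as they are here.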
diff --git a/debian/patches/extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch b/debian/patches/extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch
deleted file mode 100644
index 2581b191f7..0000000000
--- a/debian/patches/extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Fri, 15 May 2026 11:08:28 +0200
-Subject: [PATCH] lsi53c895a: clear tag byte when processing messages
-
-Instead of simply ORing the message byte, clear what
-was there before.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 4494dec8c2bfd8a5d9b1eabe4a26ab850a4f6700)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/scsi/lsi53c895a.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
-index 0843d325ab..1b7f02fc7c 100644
---- a/hw/scsi/lsi53c895a.c
-+++ b/hw/scsi/lsi53c895a.c
-@@ -1041,16 +1041,19 @@ static void lsi_do_msgout(LSIState *s)
-             }
-             break;
-         case 0x20: /* SIMPLE queue */
-+            s->select_tag &= ~0xff;
-             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
-             trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff);
-             break;
-         case 0x21: /* HEAD of queue */
-             qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n");
-+            s->select_tag &= ~0xff;
-             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
-             break;
-         case 0x22: /* ORDERED queue */
-             qemu_log_mask(LOG_UNIMP,
-                           "lsi_scsi: ORDERED queue not implemented\n");
-+            s->select_tag &= ~0xff;
-             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
-             break;
-         case 0x0d:
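Review bot: the `s->select_tag &= ~0xff` clears for SIMPLE, HEAD and ORDERED queue messages fix the stale low byte that the ABORT TAG path in patch 0014 consumes via `lsi_find_by_tag(s, current_tag)`, so these two are a pair and should stay together. Clearing only the low byte deliberately preserves `LSI_TAG_VALID` and any higher bits; that is fine as long as no other field shares the low byte, which the hunk does not show. The patch carries `Cc: qemu-stable` but no Reviewed-by; please confirm 4494dec8c2bfd8a5d9b1eabe4a26ab850a4f6700 is in 11.0.2 rather than assuming it from the Cc.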
diff --git a/debian/patches/extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch b/debian/patches/extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch
deleted file mode 100644
index 14d0cc9f84..0000000000
--- a/debian/patches/extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Fri, 15 May 2026 12:10:22 +0200
-Subject: [PATCH] apic: fix delivery bitmask with modified xAPIC ids
-
-Self-IPIs (or all-but-self IPIs) in QEMU can cause a out-of-bounds access
-to deliver_bitmask, because the access uses the APIC ID register which
-is writable by the guest.  However, foreach_apic uses the delivery
-bitmask indexes to look up the local_apics[] array, which is indexed
-by *initial* APIC id.  Using the right id fixes both a possible heap
-write overflow if the modified APIC id is too large for max_apic_words,
-and a mis-delivery of both self and all-but-self IPIs.
-
-Reported-by: Wei Che Kao <skps96g313.cs10@gmail.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 153dc2fa7bbe0491290d22c4bbb6807074f24260)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/intc/apic.c | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/hw/intc/apic.c b/hw/intc/apic.c
-index 8766ed00b9..ced7df49bd 100644
---- a/hw/intc/apic.c
-+++ b/hw/intc/apic.c
-@@ -648,13 +648,6 @@ static void apic_deliver(APICCommonState *s, uint32_t dest, uint8_t dest_mode,
-     APICCommonState *apic_iter;
-     uint32_t deliver_bitmask_size = max_apic_words * sizeof(uint32_t);
-     g_autofree uint32_t *deliver_bitmask = g_new(uint32_t, max_apic_words);
--    uint32_t current_apic_id;
--
--    if (is_x2apic_mode(s)) {
--        current_apic_id = s->initial_apic_id;
--    } else {
--        current_apic_id = s->id;
--    }
- 
-     switch (dest_shorthand) {
-     case 0:
-@@ -662,14 +655,20 @@ static void apic_deliver(APICCommonState *s, uint32_t dest, uint8_t dest_mode,
-         break;
-     case 1:
-         memset(deliver_bitmask, 0x00, deliver_bitmask_size);
--        apic_set_bit(deliver_bitmask, current_apic_id);
-+        /*
-+         * The self and all-but-self cases do not use apic_match_dest() and
-+         * directly fill in deliver_bitmask; the bitmask's indexes in turn
-+         * map to local_apics[] slots which are never changed even if the
-+         * xAPIC id is modified.  So use s->initial_apic_id instead of s->id.
-+         */
-+        apic_set_bit(deliver_bitmask, s->initial_apic_id);
-         break;
-     case 2:
-         memset(deliver_bitmask, 0xff, deliver_bitmask_size);
-         break;
-     case 3:
-         memset(deliver_bitmask, 0xff, deliver_bitmask_size);
--        apic_reset_bit(deliver_bitmask, current_apic_id);
-+        apic_reset_bit(deliver_bitmask, s->initial_apic_id);
-         break;
-     }
- 
diff --git a/debian/patches/extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch b/debian/patches/extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch
deleted file mode 100644
index a3810615c2..0000000000
--- a/debian/patches/extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Denis V. Lunev" <den@openvz.org>
-Date: Wed, 20 May 2026 16:25:03 +0200
-Subject: [PATCH] block/linux-aio: bound ioq_submit() recursion depth
-
-qemu_laio_process_completions() wraps its body in defer_call_begin /
-defer_call_end. Inside the section, completion callbacks wake coroutines
-that queue new aiocbs; laio_do_submit() defers laio_deferred_fn. At the
-bottom of qemu_laio_process_completions() the defer_call_end() fires
-laio_deferred_fn, which calls ioq_submit(), closing the cycle:
-
-  ioq_submit
-    -> io_submit(2)                           // some sync completions
-    -> qemu_laio_process_completions          // defer_call_begin
-         -> aio_co_wake                       // resumes coroutine
-              -> laio_do_submit
-                   -> defer_call(laio_deferred_fn, s)   // enqueued
-         -> defer_call_end                    // nesting drops to 0
-              -> laio_deferred_fn
-                   -> ioq_submit              // +1 stack frame, loop
-
-When io_submit(2) returns asynchronously (O_DIRECT) the cycle
-terminates in one extra frame: the fresh aiocb is still in flight, no
-completion is drained, no coroutine wakes, no new submission queues.
-When submissions complete synchronously (non-O_DIRECT, or per-descriptor
-drivers such as vmdk) each level enqueues more work for the next
-defer_call_end() to drain, so recursion grows without bound and QEMU
-crashes with SIGSEGV on the thread guard page.
-
-The cycle was closed by two performance commits, each correct in
-isolation:
-
-  076682885d ("block/linux-aio: convert to blk_io_plug_call() API")
-    -- introduced laio_deferred_fn and wired
-       laio_do_submit -> defer_call(laio_deferred_fn, s).
-
-  84d61e5f36 ("virtio: use defer_call() in virtio_irqfd_notify()")
-    -- added defer_call_begin/end around qemu_laio_process_completions
-       so virtio-irqfd notifications batch across a completion pass.
-
-The supported aio=native + cache=none pairing keeps submissions
-asynchronous, so the cycle stays bounded; nothing in the code enforces
-that contract. Observed in production as a SIGSEGV during a backup job
-configured with --cached + aio=native; reproducible on upstream with
-qemu-io against vmdk.
-
-Cap ioq_submit() recursion with a counter on LaioQueue, which is only
-accessed from the AioContext home thread. On overflow, return without
-submitting. The pending work is drained by s->completion_bh, which
-qemu_laio_process_completions() has already scheduled on entry -- no
-work is lost; one event-loop round-trip of latency is paid only when
-the bound is hit, which cannot happen on a supported configuration.
-
-Signed-off-by: Denis V. Lunev <den@openvz.org>
-CC: Kevin Wolf <kwolf@redhat.com>
-CC: Hanna Reitz <hreitz@redhat.com>
-CC: Stefan Hajnoczi <stefanha@redhat.com>
-CC: Paolo Bonzini <pbonzini@redhat.com>
-Message-ID: <20260520142503.251959-2-den@openvz.org>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(cherry picked from commit 6864bec553b2e37699739615e604fc3c7bae0e1d)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- block/linux-aio.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/block/linux-aio.c b/block/linux-aio.c
-index 0a7424fbb3..5aaf2e8514 100644
---- a/block/linux-aio.c
-+++ b/block/linux-aio.c
-@@ -36,6 +36,19 @@
- /* Maximum number of requests in a batch. (default value) */
- #define DEFAULT_MAX_BATCH 32
- 
-+/*
-+ * Bound on how deep ioq_submit() may recurse on a single LaioQueue via the
-+ * ioq_submit -> qemu_laio_process_completions -> defer_call_end ->
-+ * laio_deferred_fn -> ioq_submit cycle. The cycle terminates naturally
-+ * when io_submit(2) returns asynchronously (O_DIRECT), but can grow
-+ * without bound when submissions complete synchronously. On overflow
-+ * the caller returns without submitting; the outermost
-+ * qemu_laio_process_completions() has already scheduled s->completion_bh
-+ * (via qemu_bh_schedule() at the top of that function), which resumes
-+ * submission from the next event-loop dispatch.
-+ */
-+#define IOQ_SUBMIT_MAX_DEPTH 8
-+
- struct qemu_laiocb {
-     Coroutine *co;
-     LinuxAioState *ctx;
-@@ -61,6 +74,7 @@ typedef struct {
-     unsigned int in_queue;
-     unsigned int in_flight;
-     bool blocked;
-+    unsigned int submit_depth;
-     QSIMPLEQ_HEAD(, qemu_laiocb) pending;
- } LaioQueue;
- 
-@@ -331,6 +345,7 @@ static void ioq_init(LaioQueue *io_q)
-     io_q->in_queue = 0;
-     io_q->in_flight = 0;
-     io_q->blocked = false;
-+    io_q->submit_depth = 0;
- }
- 
- static void ioq_submit(LinuxAioState *s)
-@@ -340,6 +355,11 @@ static void ioq_submit(LinuxAioState *s)
-     QEMU_UNINITIALIZED struct iocb *iocbs[MAX_EVENTS];
-     QSIMPLEQ_HEAD(, qemu_laiocb) completed;
- 
-+    if (s->io_q.submit_depth >= IOQ_SUBMIT_MAX_DEPTH) {
-+        return;
-+    }
-+    s->io_q.submit_depth++;
-+
-     do {
-         if (s->io_q.in_flight >= MAX_EVENTS) {
-             break;
-@@ -385,6 +405,8 @@ static void ioq_submit(LinuxAioState *s)
-          * pended requests will be submitted from there.
-          */
-     }
-+
-+    s->io_q.submit_depth--;
- }
- 
- static uint64_t laio_max_batch(LinuxAioState *s, uint64_t dev_max_batch)
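Review bot: `IOQ_SUBMIT_MAX_DEPTH 8` is a bare constant with no rationale for the value in the comment, and the early `return` at the top of `ioq_submit()` silently drops the submission attempt, relying on `s->completion_bh` having been scheduled by the outermost `qemu_laio_process_completions()`. That holds for the described cycle, since `submit_depth` can only exceed zero while nested inside it, but the dependency is worth a sentence in the comment next to the `return`. More importantly for this series: the commit message says the crash was "observed in production as a SIGSEGV during a backup job configured with --cached + aio=native", which is a Proxmox backup configuration, so the cover letter's "rare edge cases in the block layer" should name this one explicitly. Please confirm 6864bec553b2e37699739615e604fc3c7bae0e1d is in 11.0.2.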
diff --git a/debian/patches/extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch b/debian/patches/extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch
deleted file mode 100644
index 913e22e486..0000000000
--- a/debian/patches/extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: GuoHan Zhao <zhaoguohan@kylinos.cn>
-Date: Fri, 22 May 2026 16:13:05 +0800
-Subject: [PATCH] vfio-user: reject zero DMA page size capability
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-check_pgsizes() validates that no page-size bits smaller than
-VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsizes=0. This lets a
-malformed server overwrite the default page-size mask with zero.
-
-Later vfio_user_setup() asserts that proxy->dma_pgsizes is non-zero, so device
-realization aborts instead of reporting a version capability error. Reject a
-zero DMA page-size mask during version capability parsing.
-
-Fixes: 36227628d824 (vfio-user: implement message send infrastructure)
-Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
-Reviewed-by: John Levon <john.levon@nutanix.com>
-Link: https://lore.kernel.org/qemu-devel/20260522081306.4186242-1-zhaoguohan@kylinos.cn
-Signed-off-by: Cédric Le Goater <clg@redhat.com>
-(cherry picked from commit ab89d02dac6f0f53e35a689f01099602aa2de816)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/vfio-user/proxy.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/hw/vfio-user/proxy.c b/hw/vfio-user/proxy.c
-index 314dfd23d8..3fe5b0138b 100644
---- a/hw/vfio-user/proxy.c
-+++ b/hw/vfio-user/proxy.c
-@@ -1155,9 +1155,11 @@ static bool check_pgsizes(VFIOUserProxy *proxy, QObject *qobj, Error **errp)
-         return false;
-     }
- 
--    /* must be larger than default */
--    if (pgsizes & (VFIO_USER_DEF_PGSIZE - 1)) {
--        error_setg(errp, "pgsize 0x%"PRIx64" too small", pgsizes);
-+    /* must not be zero or smaller than default */
-+    if (pgsizes < VFIO_USER_DEF_PGSIZE ||
-+        (pgsizes & (VFIO_USER_DEF_PGSIZE - 1))) {
-+        error_setg(errp, "%s 0x%"PRIx64" too small",
-+                   VFIO_USER_CAP_PGSIZES, pgsizes);
-         return false;
-     }
- 
diff --git a/debian/patches/extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch b/debian/patches/extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch
deleted file mode 100644
index 26c0bc433d..0000000000
--- a/debian/patches/extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: GuoHan Zhao <zhaoguohan@kylinos.cn>
-Date: Fri, 22 May 2026 16:13:06 +0800
-Subject: [PATCH] vfio-user: reject zero migration page size capability
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-check_migr_pgsize() validates that no page-size bits smaller than
-VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsize=0. This can replace
-the default migration page size with an unusable value.
-
-Reject a zero migration page size during version capability parsing, matching
-the lower-bound check used for the DMA page-size capability.
-
-Fixes: 36227628d824 (vfio-user: implement message send infrastructure)
-Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
-Link: https://lore.kernel.org/qemu-devel/20260522081306.4186242-2-zhaoguohan@kylinos.cn
-Signed-off-by: Cédric Le Goater <clg@redhat.com>
-(cherry picked from commit 497b5c5b05ac2be00ae16c723e2445ebbc486cb2)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/vfio-user/proxy.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/hw/vfio-user/proxy.c b/hw/vfio-user/proxy.c
-index 3fe5b0138b..3167d27b03 100644
---- a/hw/vfio-user/proxy.c
-+++ b/hw/vfio-user/proxy.c
-@@ -1081,9 +1081,11 @@ static bool check_migr_pgsize(VFIOUserProxy *proxy, QObject *qobj, Error **errp)
-         return false;
-     }
- 
--    /* must be larger than default */
--    if (pgsize & (VFIO_USER_DEF_PGSIZE - 1)) {
--        error_setg(errp, "pgsize 0x%"PRIx64" too small", pgsize);
-+    /* must not be zero or smaller than default */
-+    if (pgsize < VFIO_USER_DEF_PGSIZE ||
-+        (pgsize & (VFIO_USER_DEF_PGSIZE - 1))) {
-+        error_setg(errp, "%s 0x%"PRIx64" too small",
-+                   VFIO_USER_CAP_PGSIZE, pgsize);
-         return false;
-     }
- 
diff --git a/debian/patches/extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch b/debian/patches/extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch
deleted file mode 100644
index a385072bcf..0000000000
--- a/debian/patches/extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Chenyi Qiang <chenyi.qiang@intel.com>
-Date: Wed, 27 May 2026 18:11:08 +0800
-Subject: [PATCH] vfio/container: Restrict dma_map_file() to shared RAM or RAM
- devices
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-vfio_container_dma_map() uses dma_map_file() whenever a RAMBlock has an
-fd and the VFIO IOMMU backend supports file-based DMA mapping. That is
-not correct for private file-backed guest RAM.
-
-dma_map_file() resolves PFNs from the backing file, but private guest
-RAM mappings (MAP_PRIVATE) can run on different PFNs than the file
-because they are subject to copy-on-write (COW) anomalies. As a result,
-using dma_map_file() on a privately mapped RAMBlock can program DMA
-against pages that do not back QEMU's actual guest memory.
-
-Fix this by using dma_map_file() only for shared mapped RAMBlocks
-(MAP_SHARED) or RAM device regions.
-
-Fixes: fb32965b6dd8 ("vfio/iommufd: use IOMMU_IOAS_MAP_FILE")
-Reported-by: Farrah Chen <farrah.chen@intel.com>
-Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220776
-Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
-Suggested-by: Cédric Le Goater <clg@redhat.com>
-Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
-Link: https://lore.kernel.org/qemu-devel/20260527101109.71781-1-chenyi.qiang@intel.com
-Reviewed-by: Cédric Le Goater <clg@redhat.com>
-Signed-off-by: Cédric Le Goater <clg@redhat.com>
-(cherry picked from commit e6c47bebdf8628e635e1ba970919ca96d572dbbe)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/vfio/container.c | 34 +++++++++++++++++++++++++++++++---
- 1 file changed, 31 insertions(+), 3 deletions(-)
-
-diff --git a/hw/vfio/container.c b/hw/vfio/container.c
-index 4c2816b574..56bd9ac009 100644
---- a/hw/vfio/container.c
-+++ b/hw/vfio/container.c
-@@ -74,15 +74,43 @@ void vfio_address_space_insert(VFIOAddressSpace *space,
-     bcontainer->space = space;
- }
- 
-+static bool vfio_container_can_dma_map_file(VFIOContainer *bcontainer,
-+                                            MemoryRegion *mr, int *fd)
-+{
-+    VFIOIOMMUClass *vioc = VFIO_IOMMU_GET_CLASS(bcontainer);
-+    RAMBlock *rb = mr->ram_block;
-+
-+    if (!vioc->dma_map_file || !rb) {
-+        return false;
-+    }
-+
-+    *fd = qemu_ram_get_fd(rb);
-+    if (*fd < 0) {
-+        return false;
-+    }
-+
-+    /*
-+     * We can use IOMMU DMA mapping (IOMMU_IOAS_MAP_FILE) for :
-+     *
-+     * 1) Guest RAM blocks explicitly configured as shared (MAP_SHARED)
-+     * 2) RAM device sub-regions (MMIO BARs)
-+     *
-+     * Private RAM mappings (MAP_PRIVATE) are strictly excluded. Because
-+     * they are subject to copy-on-write (COW) anomalies, their underlying
-+     * PFNs can permanently diverge from the backing file
-+     */
-+    return qemu_ram_is_shared(rb) || memory_region_is_ram_device(mr);
-+}
-+
- int vfio_container_dma_map(VFIOContainer *bcontainer,
-                            hwaddr iova, uint64_t size,
-                            void *vaddr, bool readonly, MemoryRegion *mr)
- {
-     VFIOIOMMUClass *vioc = VFIO_IOMMU_GET_CLASS(bcontainer);
--    RAMBlock *rb = mr->ram_block;
--    int mfd = rb ? qemu_ram_get_fd(rb) : -1;
-+    int mfd;
- 
--    if (mfd >= 0 && vioc->dma_map_file) {
-+    if (vfio_container_can_dma_map_file(bcontainer, mr, &mfd)) {
-+        RAMBlock *rb = mr->ram_block;
-         unsigned long start = vaddr - qemu_ram_get_host_addr(rb);
-         unsigned long offset = qemu_ram_get_fd_offset(rb);
- 
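Review bot: `vfio_container_can_dma_map_file()` writes `*fd` before the shared/ram-device decision, so on the final `return false` the caller's `mfd` holds a valid descriptor that is then never used; harmless with the `int mfd;` declaration shown, but a `*fd = -1` on the false paths would make the contract explicit. This fix only affects the iommufd backend (`vioc->dma_map_file`, `IOMMU_IOAS_MAP_FILE`); the isolation point is that with `MAP_PRIVATE` file-backed RAM a passthrough device could otherwise be given the file's PFNs instead of the guest's COW'd pages, which is a correctness and data-integrity issue for any Proxmox setup using file-backed memory with `share=off` and iommufd. Please confirm e6c47bebdf8628e635e1ba970919ca96d572dbbe is in 11.0.2.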
diff --git a/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch b/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch
index 76e5fcce71..52e7ed9c50 100644
--- a/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch
+++ b/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch
@@ -247,7 +247,7 @@ index 0000000000..036edb17f5
 +
 +block_init(bdrv_zeroinit_init);
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 496118bdc7..f0f225a3c2 100644
+index 50a0af3569..4e8bc65bdb 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -3381,7 +3381,7 @@
@@ -259,7 +259,7 @@ index 496118bdc7..f0f225a3c2 100644
  
  ##
  # @BlockdevOptionsFile:
-@@ -4936,7 +4936,8 @@
+@@ -4940,7 +4940,8 @@
                        'if': 'CONFIG_BLKIO' },
        'vmdk':       'BlockdevOptionsGenericCOWFormat',
        'vpc':        'BlockdevOptionsGenericFormat',
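Review bot: this is a pure context refresh (index blob hashes plus a +4 shift in the block-core.json hunk headers), which is fine, but note that the pre-/post-image hashes chain across the queue: 0019 now ends at 4e8bc65bdb and 0022 starts there, 0022 ends at d5a2bbcff1 and 0029 starts there, and so on through 0044. They do line up in this diff; please keep regenerating the whole set in one export step rather than touching individual headers, since a stale pre-image hash is what defeats the three-way fallback of `git am -3` the next time a real context mismatch occurs.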
diff --git a/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch b/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch
index 0701eb7265..f63cc7b27b 100644
--- a/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch
+++ b/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch
@@ -119,10 +119,10 @@ index 328ddaa3bd..5fd49844af 100644
      };
      return raw_co_create(&options, errp);
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index f0f225a3c2..0c00aabbab 100644
+index 4e8bc65bdb..d5a2bbcff1 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -5155,6 +5155,10 @@
+@@ -5159,6 +5159,10 @@
  # @extent-size-hint: Extent size hint to add to the image file; 0 for
  #     not adding an extent size hint (default: 1 MB, since 5.1)
  #
@@ -133,7 +133,7 @@ index f0f225a3c2..0c00aabbab 100644
  # Since: 2.12
  ##
  { 'struct': 'BlockdevCreateOptionsFile',
-@@ -5162,7 +5166,8 @@
+@@ -5166,7 +5170,8 @@
              'size':                 'size',
              '*preallocation':       'PreallocMode',
              '*nocow':               'bool',
diff --git a/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch b/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch
index d116ae3569..814b939bed 100644
--- a/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch
+++ b/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch
@@ -40,10 +40,10 @@ index a21d9a5411..1373612c10 100644
  system_ss.add(files('block-ram-registrar.c'))
  
 diff --git a/meson.build b/meson.build
-index ab3e97eb9f..f747bc3cb2 100644
+index 51f5f2851a..a88b007017 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -2149,6 +2149,8 @@ endif
+@@ -2155,6 +2155,8 @@ endif
  
  has_gettid = cc.has_function('gettid')
  
@@ -52,7 +52,7 @@ index ab3e97eb9f..f747bc3cb2 100644
  # libselinux
  selinux = dependency('libselinux',
                       required: get_option('selinux'),
-@@ -4517,6 +4519,9 @@ if have_tools
+@@ -4523,6 +4525,9 @@ if have_tools
                 dependencies: [blockdev, qemuutil, selinux],
                 install: true)
  
diff --git a/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch b/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
index a4ac880fa7..74ce2a426e 100644
--- a/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
+++ b/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
@@ -263,10 +263,10 @@ index abebfea0e2..bc727a3a6a 100644
  void hmp_device_add(Monitor *mon, const QDict *qdict);
  void hmp_device_del(Monitor *mon, const QDict *qdict);
 diff --git a/meson.build b/meson.build
-index f747bc3cb2..7aa0ed1b5a 100644
+index a88b007017..684501a185 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -2150,6 +2150,7 @@ endif
+@@ -2156,6 +2156,7 @@ endif
  has_gettid = cc.has_function('gettid')
  
  libuuid = cc.find_library('uuid', required: true)
@@ -1685,7 +1685,7 @@ index 0000000000..177fb851b4
 +    return ret;
 +}
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 0c00aabbab..4f407007b9 100644
+index d5a2bbcff1..7f1daf42fe 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -952,6 +952,248 @@
diff --git a/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch b/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
index 44e42c7f6b..8344e666ed 100644
--- a/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
+++ b/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
@@ -14,10 +14,10 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
  create mode 100644 pbs-restore.c
 
 diff --git a/meson.build b/meson.build
-index 7aa0ed1b5a..3a57c44ade 100644
+index 684501a185..7111b47319 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -4523,6 +4523,10 @@ if have_tools
+@@ -4529,6 +4529,10 @@ if have_tools
    vma = executable('vma', files('vma.c', 'vma-reader.c') + genh,
                     dependencies: [authz, block, crypto, io, qemuutil, qom], install: true)
  
diff --git a/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch b/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
index 8791b16dbc..1d2396f318 100644
--- a/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
+++ b/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
@@ -348,10 +348,10 @@ index 0000000000..3e41421716
 +
 +block_init(bdrv_pbs_init);
 diff --git a/meson.build b/meson.build
-index 3a57c44ade..eb84d64604 100644
+index 7111b47319..4115c35884 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -4997,7 +4997,7 @@ summary_info += {'Query Processing Library support': qpl}
+@@ -5003,7 +5003,7 @@ summary_info += {'Query Processing Library support': qpl}
  summary_info += {'UADK Library support': uadk}
  summary_info += {'qatzip support':    qatzip}
  summary_info += {'NUMA host support': numa}
@@ -361,7 +361,7 @@ index 3a57c44ade..eb84d64604 100644
  summary_info += {'libdaxctl support': libdaxctl}
  summary_info += {'libcbor support':   libcbor}
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 4f407007b9..84a4572625 100644
+index 7f1daf42fe..e1c659310d 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -3619,6 +3619,7 @@
@@ -406,7 +406,7 @@ index 4f407007b9..84a4572625 100644
  ##
  # @BlockdevOptionsNVMe:
  #
-@@ -5149,6 +5177,7 @@
+@@ -5153,6 +5181,7 @@
        'nfs':        'BlockdevOptionsNfs',
        'null-aio':   'BlockdevOptionsNull',
        'null-co':    'BlockdevOptionsNull',
diff --git a/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch b/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch
index 42759e606b..8c558401c8 100644
--- a/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch
+++ b/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch
@@ -14,10 +14,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 7 insertions(+), 3 deletions(-)
 
 diff --git a/meson.build b/meson.build
-index eb84d64604..d71baddfa6 100644
+index 4115c35884..87c765f622 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -2150,6 +2150,7 @@ endif
+@@ -2156,6 +2156,7 @@ endif
  has_gettid = cc.has_function('gettid')
  
  libuuid = cc.find_library('uuid', required: true)
@@ -25,7 +25,7 @@ index eb84d64604..d71baddfa6 100644
  libproxmox_backup_qemu = cc.find_library('proxmox_backup_qemu', required: true)
  
  # libselinux
-@@ -3840,7 +3841,7 @@ if have_block
+@@ -3846,7 +3847,7 @@ if have_block
    elif host_os == 'emscripten'
      blockdev_ss.add(files('os-wasm.c'))
    else
diff --git a/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch b/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
index ec8e4e9a4f..adb41f4572 100644
--- a/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
+++ b/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
@@ -58,7 +58,7 @@ index 90d62d5723..6010ccaef0 100644
    'ram.c',
    'savevm.c',
 diff --git a/migration/migration.c b/migration/migration.c
-index 5c9aaa6e58..23b05a64cf 100644
+index dfc60372cf..f415448689 100644
 --- a/migration/migration.c
 +++ b/migration/migration.c
 @@ -329,6 +329,7 @@ void migration_object_init(void)
@@ -192,7 +192,7 @@ index 177fb851b4..7575abab7c 100644
      ret->pbs_masterkey = true;
      ret->backup_max_workers = true;
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 84a4572625..4a6769c053 100644
+index e1c659310d..b314192e30 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -1112,6 +1112,11 @@
diff --git a/debian/patches/pve/0037-block-add-alloc-track-driver.patch b/debian/patches/pve/0037-block-add-alloc-track-driver.patch
index 042929c527..ed5e2f5d31 100644
--- a/debian/patches/pve/0037-block-add-alloc-track-driver.patch
+++ b/debian/patches/pve/0037-block-add-alloc-track-driver.patch
@@ -449,7 +449,7 @@ index d023753091..a777c8079c 100644
  
  out:
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 4a6769c053..8af4107bf5 100644
+index b314192e30..a8a7d227a8 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -3611,7 +3611,8 @@
@@ -484,7 +484,7 @@ index 4a6769c053..8af4107bf5 100644
  ##
  # @BlockdevOptionsPbs:
  #
-@@ -5155,6 +5171,7 @@
+@@ -5159,6 +5175,7 @@
              '*detect-zeroes': 'BlockdevDetectZeroesOptions' },
    'discriminator': 'driver',
    'data': {
diff --git a/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch b/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch
index cd27516275..5e6a4d9791 100644
--- a/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch
+++ b/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch
@@ -429,7 +429,7 @@ index 7575abab7c..8b83465ebd 100644
      return ret;
  }
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 8af4107bf5..5c8b872000 100644
+index a8a7d227a8..977daf0191 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -1054,6 +1054,10 @@
diff --git a/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch b/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch
index d30aaf8f23..031eeba6b6 100644
--- a/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch
+++ b/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch
@@ -740,7 +740,7 @@ index 0000000000..9ebeef7c8f
 +
 +#endif /* PVE_BACKUP_H */
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 5c8b872000..cf4f5ce7f1 100644
+index 977daf0191..ed37a4a22f 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -1128,6 +1128,9 @@
diff --git a/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch b/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
index df9f3df96b..0c4cef7f09 100644
--- a/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
+++ b/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch
@@ -89,7 +89,7 @@ index 80b75ad5cb..f8417347a1 100644
   * @migrate_add_blocker - prevent all modes of migration from proceeding
   *
 diff --git a/migration/migration.c b/migration/migration.c
-index 23b05a64cf..8acd9610de 100644
+index f415448689..979fc7050e 100644
 --- a/migration/migration.c
 +++ b/migration/migration.c
 @@ -1886,6 +1886,30 @@ bool migration_is_blocked(Error **errp)
diff --git a/debian/patches/series b/debian/patches/series
index 84c066409b..e5fabc3e49 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,23 +1,6 @@
 extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
-extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
-extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch
-extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
-extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch
-extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch
-extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch
-extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch
-extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch
-extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch
-extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch
-extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch
-extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch
-extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch
-extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch
-extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch
-extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch
-extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch
-extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch
-extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch
+extra/0002-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch
+extra/0003-block-export-fuse-fix-regression-with-block-device-e.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
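Review bot: the series hunk removes 19 extra/ entries and renumbers the two survivors to `extra/0002-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch` and `extra/0003-block-export-fuse-fix-regression-with-block-device-e.patch`; because the renumbering changes the file names of the kept patches as well, please check that debian/patches/extra/ contains exactly those two files under the new numbers and no leftover copies of the dropped ones, otherwise the build either fails on a missing series entry or silently ships a patch that is no longer listed.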
diff --git a/qemu b/qemu
index 98b060da3a..e545d8bb9d 160000
--- a/qemu
+++ b/qemu
@@ -1 +1 @@
-Subproject commit 98b060da3a4f92b2a994ead5b16a87e783baf77c
+Subproject commit e545d8bb9d63e9dd61542b88463183314cff9482
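Review bot: the submodule moves from 98b060da3a to e545d8bb9d, and a bare commit hash does not by itself prove which upstream release it is; please confirm that e545d8bb9d is exactly the commit the intended stable tag points at (for example with `git -C qemu describe --exact-match e545d8bb9d`) and not a later stable-branch head, so the package version and the vendored source stay in lockstep.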
-- 
2.47.3




