diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index eecd8031cf6c326f1816da179cf104c9c6dfb983..b128d311c27b779f53ff6c028c6aced13789a575 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -2970,7 +2970,7 @@ int kvm_cpu_exec(CPUState *cpu)
 
     if (ret < 0) {
         cpu_dump_state(cpu, stderr, CPU_DUMP_CODE);
-        vm_stop(RUN_STATE_INTERNAL_ERROR);
+        qemu_system_guest_panicked(cpu_get_crash_info(cpu));
     }
 
     qatomic_set(&cpu->exit_request, 0);
diff --git a/block.c b/block.c
index 0ac5b163d2aa19368ff54f2bc04a1f76b626d2dd..91f123a3545da2301735c06d0049609f2cf36ceb 100644
--- a/block.c
+++ b/block.c
@@ -67,6 +67,9 @@
 
 #define NOT_DONE 0x7fffffff /* used while emulated sync operation in progress */
 
+#define DEFAULT_BIOS_BOOT_LOADER_DIR "/usr/share/edk2"
+#define DEFAULT_NVRAM_TEMPLATE_DIR "/var/lib/libvirt/qemu/nvram"
+
 static QTAILQ_HEAD(, BlockDriverState) graph_bdrv_states =
     QTAILQ_HEAD_INITIALIZER(graph_bdrv_states);
 
@@ -6432,7 +6435,13 @@ int coroutine_fn bdrv_co_invalidate_cache(BlockDriverState *bs, Error **errp)
             return ret;
         }
 
-        if (bs->drv->bdrv_co_invalidate_cache) {
+    /*
+     * It's not necessary for bios bootloader and nvram template to drop cache
+     * when migration, skip this step for them to avoid dowtime increase.
+     */
+        if (bs->drv->bdrv_co_invalidate_cache &&
+            !strstr(bs->filename, DEFAULT_BIOS_BOOT_LOADER_DIR) &&
+            !strstr(bs->filename, DEFAULT_NVRAM_TEMPLATE_DIR)) {
             bs->drv->bdrv_co_invalidate_cache(bs, &local_err);
             if (local_err) {
                 bs->open_flags |= BDRV_O_INACTIVE;
diff --git a/hw/input/ps2.c b/hw/input/ps2.c
index 9376a8f4ce53abb15fe57fc929d98407244eb89d..5d82ee3cdf076b4598e483e459b04106a9e6a671 100644
--- a/hw/input/ps2.c
+++ b/hw/input/ps2.c
@@ -205,7 +205,7 @@ void ps2_queue_noirq(PS2State *s, int b)
     }
 
     q->data[q->wptr] = b;
-    if (++q->wptr == PS2_BUFFER_SIZE) {
+    if (++q->wptr >= PS2_BUFFER_SIZE) {
         q->wptr = 0;
     }
     q->count++;
@@ -578,7 +578,7 @@ uint32_t ps2_read_data(PS2State *s)
         val = q->data[index];
     } else {
         val = q->data[q->rptr];
-        if (++q->rptr == PS2_BUFFER_SIZE) {
+        if (++q->rptr >= PS2_BUFFER_SIZE) {
             q->rptr = 0;
         }
         q->count--;
diff --git a/monitor/monitor-internal.h b/monitor/monitor-internal.h
index 3da3f86c6ae691d5dfaf7fd587132b96969d4350..5435864add2cb5f4060428b4d9618de5c549e02e 100644
--- a/monitor/monitor-internal.h
+++ b/monitor/monitor-internal.h
@@ -144,6 +144,7 @@ typedef struct {
     const QmpCommandList *commands;
     bool capab_offered[QMP_CAPABILITY__MAX]; /* capabilities offered */
     bool capab[QMP_CAPABILITY__MAX];         /* offered and accepted */
+    uint64_t qmp_client_id; /*qmp client id, update if peer disconnect */
     /*
      * Protects qmp request/response queue.
      * Take monitor_lock first when you need both.
diff --git a/monitor/qmp.c b/monitor/qmp.c
index 092c527b6fc9c6363f4bf81d85736144b656d038..4d1ac66785d673a28521e3e30bfb118dff6191db 100644
--- a/monitor/qmp.c
+++ b/monitor/qmp.c
@@ -125,18 +125,19 @@ void qmp_send_response(MonitorQMP *mon, const QDict *rsp)
  * Null @rsp can only happen for commands with QCO_NO_SUCCESS_RESP.
  * Nothing is emitted then.
  */
-static void monitor_qmp_respond(MonitorQMP *mon, QDict *rsp)
+static void monitor_qmp_respond(MonitorQMP *mon, QDict *rsp, uint64_t req_client_id)
 {
-    if (rsp) {
-        qmp_send_response(mon, rsp);
+    if (!rsp || (mon->qmp_client_id != req_client_id)) {
+        return;
     }
+    qmp_send_response(mon, rsp);
 }
 
 /*
  * Runs outside of coroutine context for OOB commands, but in
  * coroutine context for everything else.
  */
-static void monitor_qmp_dispatch(MonitorQMP *mon, QObject *req)
+static void monitor_qmp_dispatch(MonitorQMP *mon, QObject *req, uint64_t req_client_id)
 {
     QDict *rsp;
     QDict *error;
@@ -156,7 +157,7 @@ static void monitor_qmp_dispatch(MonitorQMP *mon, QObject *req)
         }
     }
 
-    monitor_qmp_respond(mon, rsp);
+    monitor_qmp_respond(mon, rsp, req_client_id);
     qobject_unref(rsp);
 }
 
@@ -315,13 +316,13 @@ void coroutine_fn monitor_qmp_dispatcher_co(void *data)
                 trace_monitor_qmp_cmd_in_band(id_json->str);
                 g_string_free(id_json, true);
             }
-            monitor_qmp_dispatch(mon, req_obj->req);
+            monitor_qmp_dispatch(mon, req_obj->req, mon->qmp_client_id);
         } else {
             assert(req_obj->err);
             trace_monitor_qmp_err_in_band(error_get_pretty(req_obj->err));
             rsp = qmp_error_response(req_obj->err);
             req_obj->err = NULL;
-            monitor_qmp_respond(mon, rsp);
+            monitor_qmp_respond(mon, rsp, mon->qmp_client_id);
             qobject_unref(rsp);
         }
 
@@ -366,7 +367,7 @@ static void handle_qmp_command(void *opaque, QObject *req, Error *err)
             trace_monitor_qmp_cmd_out_of_band(id_json->str);
             g_string_free(id_json, true);
         }
-        monitor_qmp_dispatch(mon, req);
+        monitor_qmp_dispatch(mon, req, mon->qmp_client_id);
         qobject_unref(req);
         return;
     }
@@ -452,6 +453,7 @@ static void monitor_qmp_event(void *opaque, QEMUChrEvent event)
         mon_refcount++;
         break;
     case CHR_EVENT_CLOSED:
+        mon->qmp_client_id++;
         /*
          * Note: this is only useful when the output of the chardev
          * backend is still open.  For example, when the backend is
@@ -505,6 +507,7 @@ void monitor_init_qmp(Chardev *chr, bool pretty, Error **errp)
     }
     qemu_chr_fe_set_echo(&mon->common.chr, true);
 
+    mon->qmp_client_id = 1;
     /* Note: we run QMP monitor in I/O thread when @chr supports that */
     monitor_data_init(&mon->common, true, false,
                       qemu_chr_has_feature(chr, QEMU_CHAR_FEATURE_GCONTEXT));
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index aa9e6368004c7490ea63cc28ee3f9fe498771899..b9690e32508478870a6d814a6e1681156c48bd67 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -4752,6 +4752,7 @@ static void x86_cpu_get_unavailable_features(Object *obj, Visitor *v,
 
     x86_cpu_list_feature_names(xc->filtered_features, &result);
     visit_type_strList(v, "unavailable-features", &result, errp);
+    qapi_free_strList(result);
 }
 
 /* Check for missing features that may prevent the CPU class from
diff --git a/util/oslib-posix.c b/util/oslib-posix.c
index e8bdb02e1d01d35396af49d18680544144fe9cb5..18a38b94643080895dff89f1f22faed6ca9e11b8 100644
--- a/util/oslib-posix.c
+++ b/util/oslib-posix.c
@@ -84,6 +84,7 @@ typedef struct MemsetThread MemsetThread;
 
 static MemsetThread *memset_thread;
 static int memset_num_threads;
+static int started_num_threads;
 static bool memset_thread_failed;
 
 static QemuMutex page_mutex;
@@ -464,6 +465,10 @@ static void *do_touch_pages(void *arg)
     }
     qemu_mutex_unlock(&page_mutex);
 
+    while (started_num_threads != memset_num_threads) {
+        smp_mb();
+    }
+
     /* unblock SIGBUS */
     sigemptyset(&set);
     sigaddset(&set, SIGBUS);
@@ -529,7 +534,7 @@ static bool touch_all_pages(char *area, size_t hpagesize, size_t numpages,
     memset_thread = g_new0(MemsetThread, memset_num_threads);
     numpages_per_thread = numpages / memset_num_threads;
     leftover = numpages % memset_num_threads;
-    for (i = 0; i < memset_num_threads; i++) {
+    for (i = 0, started_num_threads = 0; i < memset_num_threads; i++) {
         memset_thread[i].addr = addr;
         memset_thread[i].numpages = numpages_per_thread + (i < leftover);
         memset_thread[i].hpagesize = hpagesize;
@@ -537,6 +542,7 @@ static bool touch_all_pages(char *area, size_t hpagesize, size_t numpages,
                            do_touch_pages, &memset_thread[i],
                            QEMU_THREAD_JOINABLE);
         addr += memset_thread[i].numpages * hpagesize;
+        started_num_threads++;
     }
 
     qemu_mutex_lock(&page_mutex);