Comment 12 for bug 604872

I've now posted this patchset; it comes in 7 parts:

http://patchwork.ozlabs.org/patch/77887/
http://patchwork.ozlabs.org/patch/77882/
http://patchwork.ozlabs.org/patch/77884/
http://patchwork.ozlabs.org/patch/77885/
http://patchwork.ozlabs.org/patch/77888/
http://patchwork.ozlabs.org/patch/77881/
http://patchwork.ozlabs.org/patch/77883/

An upstream qemu with those patches applied successfully runs the test case given in this bug.

(it is patch 5/7 http://patchwork.ozlabs.org/patch/77888/ in particular which is dealing with the specific case you've hit here, but I haven't tested with that patch alone.)