diff -Nru qemu-2.5+dfsg/debian/changelog qemu-2.5+dfsg/debian/changelog
--- qemu-2.5+dfsg/debian/changelog 2021-02-03 17:57:16.000000000 +0000
+++ qemu-2.5+dfsg/debian/changelog 2021-02-17 16:34:35.000000000 +0000
@@ -1,3 +1,14 @@
+qemu (1:2.5+dfsg-5ubuntu10.51) xenial-security; urgency=medium
+
+ * SECURITY REGRESSION: fix multiple regressions caused by CVE-2020-13754
+ security update (LP: #1914883)
+ - debian/patches/CVE-2020-13754-5.patch: allow 64-bit accesses in
+ hw/timer/slavio_timer.c.
+ - debian/patches/CVE-2020-13754-9.patch: fix valid.max_access_size to
+ access address registers in hw/usb/hcd-xhci.c.
+
+ -- Marc Deslauriers Wed, 10 Feb 2021 08:40:41 -0500
+
 qemu (1:2.5+dfsg-5ubuntu10.49) xenial-security; urgency=medium

 * SECURITY UPDATE: heap overread in iscsi_aio_ioctl_cb
diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2020-13754-5.patch qemu-2.5+dfsg/debian/patches/CVE-2020-13754-5.patch
--- qemu-2.5+dfsg/debian/patches/CVE-2020-13754-5.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.5+dfsg/debian/patches/CVE-2020-13754-5.patch 2021-02-10 13:39:59.000000000 +0000
@@ -0,0 +1,84 @@
+From 62a9b228b5fefe0f9e364dfeaf3c65022c63cdb9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Sat, 5 Dec 2020 16:09:03 +0100
+Subject: [PATCH] hw/timer/slavio_timer: Allow 64-bit accesses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per the "NCR89C105 Chip Specification" referenced in the header:
+
+ Chip-level Address Map
+
+ ------------------------------------------------------------------
+ | 1D0 0000 -> | Counter/Timers | W,D |
+ | 1DF FFFF | | |
+ ...
+
+ The address map indicated the allowed accesses at each address.
+ [...] W indicates a word access, and D indicates a double-word
+ access.
+
+The SLAVIO timer controller is implemented expecting 32-bit accesses.
+Commit a3d12d073e1 restricted the memory accesses to 32-bit, while
+the device allows 64-bit accesses.
+
+This was not an issue until commit 5d971f9e67 which reverted
+("memory: accept mismatching sizes in memory_region_access_valid").
+
+Fix by renaming .valid MemoryRegionOps as .impl, and add the valid
+access range (W -> 4, D -> 8).
+
+Since commit 21786c7e598 ("memory: Log invalid memory accesses")
+this class of bug can be quickly debugged displaying 'guest_errors'
+accesses, as:
+
+ $ qemu-system-sparc -M SS-20 -m 256 -bios ss20_v2.25_rom -serial stdio -d guest_errors
+
+ Power-ON Reset
+ Invalid access at addr 0x0, size 8, region 'timer-1', reason: invalid size (min:4 max:4)
+
+ $ qemu-system-sparc -M SS-20 -m 256 -bios ss20_v2.25_rom -monitor stdio -S
+ (qemu) info mtree
+ address-space: memory
+ 0000000000000000-ffffffffffffffff (prio 0, i/o): system
+ ...
+ 0000000ff1300000-0000000ff130000f (prio 0, i/o): timer-1
+ ^^^^^^^^^ ^^^^^^^
+ \ memory region base address and name /
+
+ (qemu) info qtree
+ bus: main-system-bus
+ dev: slavio_timer, id "" <-- device type name
+ gpio-out "sysbus-irq" 17
+ num_cpus = 1 (0x1)
+ mmio 0000000ff1310000/0000000000000014
+ mmio 0000000ff1300000/0000000000000010 <--- base address
+ mmio 0000000ff1301000/0000000000000010
+ mmio 0000000ff1302000/0000000000000010
+ ...
+
+Reported-by: Yap KV
+Buglink: https://bugs.launchpad.net/bugs/1906905
+Fixes: a3d12d073e1 ("slavio_timer: convert to memory API")
+CC: qemu-stable@nongnu.org
+Signed-off-by: Philippe Mathieu-Daudé
+Message-Id: <20201205150903.3062711-1-f4bug@amsat.org>
+Signed-off-by: Mark Cave-Ayland
+---
+ hw/timer/slavio_timer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/hw/timer/slavio_timer.c
++++ b/hw/timer/slavio_timer.c
+@@ -321,6 +321,10 @@ static const MemoryRegionOps slavio_time
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid = {
+ .min_access_size = 4,
++ .max_access_size = 8,
++ },
++ .impl = {
++ .min_access_size = 4,
+ .max_access_size = 4,
+ },
+ };
diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2020-13754-9.patch qemu-2.5+dfsg/debian/patches/CVE-2020-13754-9.patch
--- qemu-2.5+dfsg/debian/patches/CVE-2020-13754-9.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.5+dfsg/debian/patches/CVE-2020-13754-9.patch 2021-02-10 13:40:36.000000000 +0000
@@ -0,0 +1,55 @@
+From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier
+Date: Tue, 21 Jul 2020 10:33:22 +0200
+Subject: [PATCH] xhci: fix valid.max_access_size to access address registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
+64-bit mode access in "runtime" and "operational" MemoryRegionOps.
+
+Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
+
+XHCI specs:
+"If the xHC supports 64-bit addressing (AC64 = ‘1’), then software
+should write 64-bit registers using only Qword accesses. If a
+system is incapable of issuing Qword accesses, then writes to the
+64-bit address fields shall be performed using 2 Dword accesses;
+low Dword-first, high-Dword second. If the xHC supports 32-bit
+addressing (AC64 = ‘0’), then the high Dword of registers containing
+64-bit address fields are unused and software should write addresses
+using only Dword accesses"
+
+The problem has been detected with SLOF, as linux kernel always accesses
+registers using 32-bit access even if AC64 is set and revealed by
+5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")
+
+Suggested-by: Alexey Kardashevskiy
+Signed-off-by: Laurent Vivier
+Message-id: 20200721083322.90651-1-lvivier@redhat.com
+Signed-off-by: Gerd Hoffmann
+---
+ hw/usb/hcd-xhci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3413,7 +3413,7 @@ static const MemoryRegionOps xhci_oper_o
+ .read = xhci_oper_read,
+ .write = xhci_oper_write,
+ .valid.min_access_size = 4,
+- .valid.max_access_size = 4,
++ .valid.max_access_size = sizeof(dma_addr_t),
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
+@@ -3429,7 +3429,7 @@ static const MemoryRegionOps xhci_runtim
+ .read = xhci_runtime_read,
+ .write = xhci_runtime_write,
+ .valid.min_access_size = 4,
+- .valid.max_access_size = 4,
++ .valid.max_access_size = sizeof(dma_addr_t),
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
diff -Nru qemu-2.5+dfsg/debian/patches/series qemu-2.5+dfsg/debian/patches/series
--- qemu-2.5+dfsg/debian/patches/series 2021-02-03 17:54:08.000000000 +0000
+++ qemu-2.5+dfsg/debian/patches/series 2021-02-17 16:34:40.000000000 +0000
@@ -342,3 +342,5 @@
 CVE-2020-29443-1.patch
 CVE-2020-29443-2.patch
 CVE-2021-20181.patch
+CVE-2020-13754-5.patch
+CVE-2020-13754-9.patch
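Review bot: The two xhci hunks raise only `.valid.max_access_size` to `sizeof(dma_addr_t)` and leave `.impl` unset, so whether a guest Qword access reaches `xhci_oper_write`/`xhci_runtime_write` whole or as two dword accesses depends on the memory core defaulting an unset impl width to 4 (as far as I recall upstream memory.c does, but that code and the 2.5 backport's copy of it are outside this page). The CVE-2020-13754-5 patch above makes the same split explicit with `.impl = { .min_access_size = 4, .max_access_size = 4 }`; adding `.impl.min_access_size = 4,` and `.impl.max_access_size = 4,` to both `xhci_oper_ops` and `xhci_runtime_ops` would document that the existing dword handlers are relied on and remove the dependence on that default. If instead the handlers were ever handed a size-8 value, one that ignores the high dword of a 64-bit address register would silently accept a truncated guest-supplied DMA address, which is the register class the quoted spec text is about. The read/write handlers themselves are outside the hunk, as is the `dma_addr_t` definition whose width the new limit depends on.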