diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 6aaf66534a50a2483ab83846b7d4b6aaaa8f2bc5..a7be0ae4fecb8cd407daec0a7af5017d7093f232 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1455,8 +1455,10 @@ static void ahci_commit_buf(IDEDMA *dma, uint32_t tx_bytes)
 {
     AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
 
-    tx_bytes += le32_to_cpu(ad->cur_cmd->status);
-    ad->cur_cmd->status = cpu_to_le32(tx_bytes);
+    if (ad->cur_cmd) {
+        tx_bytes += le32_to_cpu(ad->cur_cmd->status);
+        ad->cur_cmd->status = cpu_to_le32(tx_bytes);
+    }
 }
 
 static int ahci_dma_rw_buf(IDEDMA *dma, int is_write)
diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index 77427a418815da464eec00221642d33c73832ff6..492dabaa1c85d520050ea438c44f55f874bd3dd2 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -1454,7 +1454,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
         int target_cpu;
 
         cpu = gic_get_current_cpu(s);
-        irq = value & 0x3ff;
+        irq = value & 0xf;
         switch ((value >> 24) & 3) {
         case 0:
             mask = (value >> 16) & ALL_CPU_MASK;
diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
index 5d57e883dcb515c9b8acc58d97b46c90ed617139..e56802f89a32f44bc94f3b3dbda249d23406d4a8 100644
--- a/hw/usb/combined-packet.c
+++ b/hw/usb/combined-packet.c
@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
         if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
                 next == NULL ||
                 /* Work around for Linux usbfs bulk splitting + migration */
-                (totalsize == (16 * KiB - 36) && p->int_req)) {
+                (totalsize == (16 * KiB - 36) && p->int_req) ||
+                /* Next package may grow combined package over 1MiB */
+                totalsize > 1 * MiB - ep->max_packet_size) {
             usb_device_handle_data(ep->dev, first);
             assert(first->status == USB_RET_ASYNC);
             if (first->combined) {