diff --git a/0028-XXX-merge-with-segmentation-fault-p.patch b/0028-XXX-merge-with-segmentation-fault-p.patch
new file mode 100644
index 00000000..84d13169
--- /dev/null
+++ b/0028-XXX-merge-with-segmentation-fault-p.patch
@@ -0,0 +1,55 @@
+From 62ae064e6bb8028b2d3f91b8c2e9b44a84d5f3cd Mon Sep 17 00:00:00 2001
+From: Alexander Graf <agraf@suse.de>
+Date: Wed, 11 Jul 2012 23:15:47 +0200
+Subject: [PATCH] XXX merge with segmentation fault passing patch
+
+---
+ user-exec.c |   30 +++++++++++++++++-------------
+ 1 files changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/user-exec.c b/user-exec.c
+index 83d2d44..3710c08 100644
+--- a/user-exec.c
++++ b/user-exec.c
+@@ -97,24 +97,28 @@ static inline int handle_cpu_signal(uintptr_t pc, unsigned long address,
+                 pc, address, is_write, *(unsigned long *)old_set);
+ #endif
+ 
++    if (RESERVED_VA) {
++        /* Convert to guest address space */
++        address = address - GUEST_BASE;
++    }
++
+     /* Maybe we're still holding the TB fiddling lock? */
+     spin_unlock_safe(&tb_lock);
+ 
+-    if (h2g_valid(address)) {
+-        /* XXX: locking issue */
+-        if (is_write && page_unprotect(h2g(address), pc, puc)) {
+-            return 1;
+-        }
++    /* XXX: locking issue */
++    if (is_write && page_unprotect(address, pc, puc)) {
++        return 1;
++    }
+ 
+-        /* see if it is an MMU fault */
+-        ret = cpu_handle_mmu_fault(env, h2g(address), is_write, MMU_USER_IDX);
+-        if (ret < 0) {
+-            return 0; /* not an MMU fault */
+-        }
+-        if (ret == 0) {
+-            return 1; /* the MMU fault was handled without causing real CPU fault */
+-        }
++    /* see if it is an MMU fault */
++    ret = cpu_handle_mmu_fault(env, address, is_write, MMU_USER_IDX);
++    if (ret < 0) {
++        return 0; /* not an MMU fault */
+     }
++    if (ret == 0) {
++        return 1; /* the MMU fault was handled without causing real CPU fault */
++    }
++
+     /* now we have a real cpu fault */
+     tb = tb_find_pc(pc);
+     if (tb) {
diff --git a/qemu.changes b/qemu.changes
index 868994fe..18bc3d9e 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Jul 11 21:16:34 UTC 2012 - agraf@suse.com
+
+- fix segfault even better
+
 -------------------------------------------------------------------
 Wed Jul 11 14:52:02 UTC 2012 - agraf@suse.com
 
diff --git a/qemu.spec b/qemu.spec
index 00e95454..91d3b745 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -51,6 +51,7 @@ Patch0024:      0024-linux-user-fix-segmentation-fault-p.patch
 Patch0025:      0025-linux-user-lock-tcg.patch.patch
 Patch0026:      0026-linux-user-Run-multi-threaded-code-.patch
 Patch0027:      0027-linux-user-lock-tb-flushing-too.pat.patch
+Patch0028:      0028-XXX-merge-with-segmentation-fault-p.patch
 # this is to make lint happy
 Source300:      rpmlintrc
 Source302:      bridge.conf
@@ -185,6 +186,7 @@ run cross-architecture builds.
 %patch0025 -p1
 %patch0026 -p1
 %patch0027 -p1
+%patch0028 -p1
 
 %build
 # build QEMU