diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index d370aedb47..5698292749 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -1075,10 +1075,8 @@ static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
 
 /*
  * Save a potentially trashed IOTLB entry for later lookup by plugin.
- *
- * We also need to track the thread storage address because the RCU
- * cleanup that runs when we leave the critical region (the current
- * execution) is actually in a different thread.
+ * This is read by tlb_plugin_lookup if the iotlb entry doesn't match
+ * because of the side effect of io_writex changing memory layout.
  */
 static void save_iotlb_data(CPUState *cs, hwaddr addr,
                             MemoryRegionSection *section, hwaddr mr_offset)
@@ -1408,8 +1406,9 @@ void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
  * This almost never fails as the memory access being instrumented
  * should have just filled the TLB. The one corner case is io_writex
  * which can cause TLB flushes and potential resizing of the TLBs
- * loosing the information we need. In those cases we need to recover
- * data from a copy of the io_tlb entry.
+ * losing the information we need. In those cases we need to recover
+ * data from a copy of the iotlbentry. As long as this always occurs
+ * from the same thread (which a mem callback will be) this is safe.
  */
 
 bool tlb_plugin_lookup(CPUState *cpu, target_ulong addr, int mmu_idx,
diff --git a/target/hppa/translate.c b/target/hppa/translate.c
index 52d7bea1ea..4bd22d4820 100644
--- a/target/hppa/translate.c
+++ b/target/hppa/translate.c
@@ -1294,6 +1294,8 @@ static void do_sub(DisasContext *ctx, unsigned rt, TCGv_reg in1,
     save_or_nullify(ctx, cpu_psw_cb_msb, cb_msb);
     save_gpr(ctx, rt, dest);
     tcg_temp_free(dest);
+    tcg_temp_free(cb);
+    tcg_temp_free(cb_msb);
 
     /* Install the new nullification.  */
     cond_free(&ctx->null_cond);
diff --git a/target/i386/translate.c b/target/i386/translate.c
index a1d31f09c1..caea6f5fb1 100644
--- a/target/i386/translate.c
+++ b/target/i386/translate.c
@@ -7148,6 +7148,7 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
             l1 = gen_new_label();
             l2 = gen_new_label();
             l3 = gen_new_label();
+            gen_update_cc_op(s);
             b &= 3;
             switch(b) {
             case 0: /* loopnz */