diff --git a/patches/ntdll-ForceBottomUpAlloc/0003-ntdll-Force-virtual-memory-allocation-order.patch b/patches/ntdll-ForceBottomUpAlloc/0003-ntdll-Force-virtual-memory-allocation-order.patch
index 61abb5c5..eb830be4 100644
--- a/patches/ntdll-ForceBottomUpAlloc/0003-ntdll-Force-virtual-memory-allocation-order.patch
+++ b/patches/ntdll-ForceBottomUpAlloc/0003-ntdll-Force-virtual-memory-allocation-order.patch
@@ -1,4 +1,4 @@
-From 22f53694277313639b0ca00f6f075407839737e7 Mon Sep 17 00:00:00 2001
+From 8f9e309dc4b3e9c7328c86cc4993b9359f0e6839 Mon Sep 17 00:00:00 2001
 From: Paul Gofman <pgofman@codeweavers.com>
 Date: Mon, 25 Nov 2019 12:19:20 +0300
 Subject: [PATCH] ntdll: Force virtual memory allocation order.
@@ -16,10 +16,10 @@ Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=46568
  1 file changed, 164 insertions(+), 246 deletions(-)
 
 diff --git a/dlls/ntdll/unix/virtual.c b/dlls/ntdll/unix/virtual.c
-index 30d0df85fba..a14bbb852f8 100644
+index cd1655d41b2..c0537375ab8 100644
 --- a/dlls/ntdll/unix/virtual.c
 +++ b/dlls/ntdll/unix/virtual.c
-@@ -1246,43 +1246,15 @@ static struct file_view *find_view_range( const void *addr, size_t size )
+@@ -1241,43 +1241,15 @@ static struct file_view *find_view_range( const void *addr, size_t size )
  }
  
  
@@ -71,7 +71,7 @@ index 30d0df85fba..a14bbb852f8 100644
  
  /***********************************************************************
   *           try_map_free_area
-@@ -1317,112 +1289,6 @@ static void* try_map_free_area( void *base, void *end, ptrdiff_t step,
+@@ -1312,112 +1284,6 @@ static void* try_map_free_area( void *base, void *end, ptrdiff_t step,
  }
  
  
@@ -184,7 +184,7 @@ index 30d0df85fba..a14bbb852f8 100644
  /***********************************************************************
   *           remove_reserved_area
   *
-@@ -1532,8 +1398,7 @@ static void free_view( struct file_view *view )
+@@ -1527,8 +1393,7 @@ static void free_view( struct file_view *view )
   */
  static void unregister_view( struct file_view *view )
  {
@@ -194,7 +194,7 @@ index 30d0df85fba..a14bbb852f8 100644
      wine_rb_remove( &views_tree, &view->entry );
  }
  
-@@ -1561,8 +1426,7 @@ static void delete_view( struct file_view *view ) /* [in] View */
+@@ -1556,8 +1421,7 @@ static void delete_view( struct file_view *view ) /* [in] View */
  static void register_view( struct file_view *view )
  {
      wine_rb_put( &views_tree, view->base, &view->entry );
@@ -204,7 +204,7 @@ index 30d0df85fba..a14bbb852f8 100644
  }
  
  
-@@ -1835,89 +1699,176 @@ static inline void *unmap_extra_space( void *ptr, size_t total_size, size_t want
+@@ -1830,89 +1694,176 @@ static inline void *unmap_extra_space( void *ptr, size_t total_size, size_t want
      return ptr;
  }
  
@@ -442,12 +442,12 @@ index 30d0df85fba..a14bbb852f8 100644
  }
  
  /***********************************************************************
-@@ -2020,48 +1971,13 @@ static NTSTATUS map_view( struct file_view **view_ret, void *base, size_t size,
+@@ -2016,48 +1967,13 @@ static NTSTATUS map_view( struct file_view **view_ret, void *base, size_t size,
      }
      else
      {
 -        void *start = address_space_start;
--        void *end = user_space_limit;
+-        void *end = min( user_space_limit, host_addr_space_limit );
 -        size_t view_size, unmap_size;
 -
 +        limit_high = limit_high ? min( limit_high + 1, (UINT_PTR)user_space_limit) : (UINT_PTR)user_space_limit;
@@ -464,7 +464,7 @@ index 30d0df85fba..a14bbb852f8 100644
 -            goto done;
 -        }
  
--        if (start > address_space_start || end < address_space_limit || top_down)
+-        if (start > address_space_start || end < host_addr_space_limit || top_down)
 -        {
 -            if (!(ptr = map_free_area( start, end, size, top_down, get_unix_prot(vprot), align_mask )))
 -                return STATUS_NO_MEMORY;
@@ -495,7 +495,7 @@ index 30d0df85fba..a14bbb852f8 100644
      status = create_view( view_ret, ptr, size, vprot );
      if (status != STATUS_SUCCESS) unmap_area( ptr, size );
      return status;
-@@ -3213,6 +3129,7 @@ static unsigned int virtual_map_section( HANDLE handle, PVOID *addr_ptr, ULONG_P
+@@ -3236,6 +3152,7 @@ static unsigned int virtual_map_section( HANDLE handle, PVOID *addr_ptr, ULONG_P
  done:
      server_leave_uninterrupted_section( &virtual_mutex, &sigset );
      if (needs_close) close( unix_handle );
@@ -503,7 +503,7 @@ index 30d0df85fba..a14bbb852f8 100644
      return res;
  }
  
-@@ -6110,6 +6027,7 @@ NTSTATUS WINAPI NtWow64AllocateVirtualMemory64( HANDLE process, ULONG64 *ret, UL
+@@ -6143,6 +6060,7 @@ NTSTATUS WINAPI NtWow64AllocateVirtualMemory64( HANDLE process, ULONG64 *ret, UL
          *ret = (ULONG_PTR)base;
          *size_ptr = size;
      }
diff --git a/patches/ntdll-ForceBottomUpAlloc/0004-ntdll-Exclude-natively-mapped-areas-from-free-areas-.patch b/patches/ntdll-ForceBottomUpAlloc/0004-ntdll-Exclude-natively-mapped-areas-from-free-areas-.patch
index 5bb20733..16dc1fc4 100644
--- a/patches/ntdll-ForceBottomUpAlloc/0004-ntdll-Exclude-natively-mapped-areas-from-free-areas-.patch
+++ b/patches/ntdll-ForceBottomUpAlloc/0004-ntdll-Exclude-natively-mapped-areas-from-free-areas-.patch
@@ -1,4 +1,4 @@
-From 7c62f566f9b48dacab5cc79dac496f498aaae68b Mon Sep 17 00:00:00 2001
+From d13a3f4498ddc7f10a1d435edb5c59b71dca1efc Mon Sep 17 00:00:00 2001
 From: Paul Gofman <pgofman@codeweavers.com>
 Date: Fri, 1 Dec 2023 14:55:20 -0600
 Subject: [PATCH] ntdll: Exclude natively mapped areas from free areas list.
@@ -8,7 +8,7 @@ Subject: [PATCH] ntdll: Exclude natively mapped areas from free areas list.
  1 file changed, 95 insertions(+), 9 deletions(-)
 
 diff --git a/dlls/ntdll/unix/virtual.c b/dlls/ntdll/unix/virtual.c
-index a14bbb852f8..491597dcb76 100644
+index c0537375ab8..b4d7f6a580d 100644
 --- a/dlls/ntdll/unix/virtual.c
 +++ b/dlls/ntdll/unix/virtual.c
 @@ -127,6 +127,7 @@ struct file_view
@@ -19,8 +19,8 @@ index a14bbb852f8..491597dcb76 100644
  
  /* Conversion from VPROT_* to Win32 flags */
  static const BYTE VIRTUAL_Win32Flags[16] =
-@@ -180,6 +181,8 @@ static void *working_set_limit   = (void *)0x7fff0000;
- #endif
+@@ -175,6 +176,8 @@ static void *working_set_limit   = (void *)0x7fff0000;
+ static void *host_addr_space_limit;  /* top of the host virtual address space */
  
  static struct file_view *arm64ec_view;
 +static const ptrdiff_t max_try_map_step = 0x40000000;
@@ -28,7 +28,7 @@ index a14bbb852f8..491597dcb76 100644
  
  ULONG_PTR user_space_wow_limit = 0;
  struct _KUSER_SHARED_DATA *user_shared_data = (void *)0x7ffe0000;
-@@ -1134,7 +1137,9 @@ static void dump_view( struct file_view *view )
+@@ -1129,7 +1132,9 @@ static void dump_view( struct file_view *view )
      BYTE prot = get_page_vprot( addr );
  
      TRACE( "View: %p - %p", addr, addr + view->size - 1 );
@@ -39,7 +39,7 @@ index a14bbb852f8..491597dcb76 100644
          TRACE( " (builtin image)\n" );
      else if (view->protect & VPROT_FREE_PLACEHOLDER)
          TRACE( " (placeholder)\n" );
-@@ -1254,6 +1259,8 @@ struct alloc_area
+@@ -1249,6 +1254,8 @@ struct alloc_area
      int unix_prot;
      BOOL top_down;
      UINT_PTR align_mask;
@@ -48,7 +48,7 @@ index a14bbb852f8..491597dcb76 100644
  };
  
  /***********************************************************************
-@@ -1262,9 +1269,12 @@ struct alloc_area
+@@ -1257,9 +1264,12 @@ struct alloc_area
   * Try mmaping some expected free memory region, eventually stepping and
   * retrying inside it, and return where it actually succeeded, or NULL.
   */
@@ -63,7 +63,7 @@ index a14bbb852f8..491597dcb76 100644
      void *ptr;
  
      while (start && base <= start && (char*)start + size <= (char*)end)
-@@ -1277,12 +1287,19 @@ static void* try_map_free_area( void *base, void *end, ptrdiff_t step,
+@@ -1272,12 +1282,19 @@ static void* try_map_free_area( void *base, void *end, ptrdiff_t step,
                   strerror(errno), start, (char *)start + size, unix_prot );
              return NULL;
          }
@@ -84,7 +84,7 @@ index a14bbb852f8..491597dcb76 100644
      }
  
      return NULL;
-@@ -1707,11 +1724,11 @@ static void *try_map_free_area_range( struct alloc_area *area, char *start, char
+@@ -1702,11 +1719,11 @@ static void *try_map_free_area_range( struct alloc_area *area, char *start, char
      {
          if (end - start < area->size) return NULL;
          alloc_start = ROUND_ADDR( end - area->size, area->align_mask );
@@ -98,7 +98,7 @@ index a14bbb852f8..491597dcb76 100644
  }
  
  static void *alloc_free_area_in_range( struct alloc_area *area, char *base, char *end )
-@@ -1801,9 +1818,10 @@ static void *alloc_free_area( char *limit_low, char *limit_high, size_t size, BO
+@@ -1796,9 +1813,10 @@ static void *alloc_free_area( char *limit_low, char *limit_high, size_t size, BO
      struct range_entry *range, *ranges_start, *ranges_end;
      char *reserve_start, *reserve_end;
      struct alloc_area area;
@@ -110,7 +110,7 @@ index a14bbb852f8..491597dcb76 100644
  
      TRACE("limit %p-%p, size %p, top_down %#x.\n", limit_low, limit_high, (void *)size, top_down);
  
-@@ -1868,6 +1886,50 @@ static void *alloc_free_area( char *limit_low, char *limit_high, size_t size, BO
+@@ -1863,6 +1881,50 @@ static void *alloc_free_area( char *limit_low, char *limit_high, size_t size, BO
          if ((result = alloc_free_area_in_range( &area, base, end )))
              break;
      }
@@ -161,7 +161,7 @@ index a14bbb852f8..491597dcb76 100644
      return result;
  }
  
-@@ -1927,6 +1989,17 @@ failed:
+@@ -1922,6 +1984,17 @@ failed:
      return status;
  }
  
@@ -179,7 +179,7 @@ index a14bbb852f8..491597dcb76 100644
  /***********************************************************************
   *           map_view
   *
-@@ -1976,7 +2049,15 @@ static NTSTATUS map_view( struct file_view **view_ret, void *base, size_t size,
+@@ -1972,7 +2045,15 @@ static NTSTATUS map_view( struct file_view **view_ret, void *base, size_t size,
          if (!align_mask) align_mask = granularity_mask;
  
          if (!(ptr = alloc_free_area( (void *)limit_low, (void *)limit_high, size, top_down, get_unix_prot( vprot ), align_mask )))
@@ -196,7 +196,7 @@ index a14bbb852f8..491597dcb76 100644
      }
      status = create_view( view_ret, ptr, size, vprot );
      if (status != STATUS_SUCCESS) unmap_area( ptr, size );
-@@ -4255,7 +4336,12 @@ void virtual_set_force_exec( BOOL enable )
+@@ -4287,7 +4368,12 @@ void virtual_set_force_exec( BOOL enable )
          WINE_RB_FOR_EACH_ENTRY( view, &views_tree, struct file_view, entry )
          {
              /* file mappings are always accessible */
diff --git a/staging/upstream-commit b/staging/upstream-commit
index 9259ab5e..69184ba0 100644
--- a/staging/upstream-commit
+++ b/staging/upstream-commit
@@ -1 +1 @@
-a2f98478c36908fd7a368cc633b6064aca053ab6
+d56fc6d318d96bb80495f015e271d485ac41b9d7