diff --git a/0001-loader-Add-load_image_gzipped-function.patch b/0001-loader-Add-load_image_gzipped-function.patch
deleted file mode 100644
index a442e24..0000000
--- a/0001-loader-Add-load_image_gzipped-function.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Tue, 19 Aug 2014 18:56:28 +0100
-Subject: [PATCH] loader: Add load_image_gzipped function.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-As the name suggests this lets you load a ROM/disk image that is
-gzipped.  It is uncompressed before storing it in guest memory.
-
-Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 1407831259-2115-2-git-send-email-rjones@redhat.com
-[PMM: removed stray space before ')']
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
-(cherry picked from commit 235e74afcb85285a8e35e75f0cb6e6811267bb75)
----
- hw/core/loader.c    | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
- include/hw/loader.h |  1 +
- 2 files changed, 49 insertions(+)
-
-diff --git a/hw/core/loader.c b/hw/core/loader.c
-index 2bf6b8f..0fde699 100644
---- a/hw/core/loader.c
-+++ b/hw/core/loader.c
-@@ -577,6 +577,54 @@ int load_ramdisk(const char *filename, hwaddr addr, uint64_t max_sz)
-     return load_uboot_image(filename, NULL, &addr, NULL, IH_TYPE_RAMDISK);
- }
- 
-+/* This simply prevents g_malloc in the function below from allocating
-+ * a huge amount of memory, by placing a limit on the maximum
-+ * uncompressed image size that load_image_gzipped will read.
-+ */
-+#define LOAD_IMAGE_MAX_GUNZIP_BYTES (256 << 20)
-+
-+/* Load a gzip-compressed kernel. */
-+int load_image_gzipped(const char *filename, hwaddr addr, uint64_t max_sz)
-+{
-+    uint8_t *compressed_data = NULL;
-+    uint8_t *data = NULL;
-+    gsize len;
-+    ssize_t bytes;
-+    int ret = -1;
-+
-+    if (!g_file_get_contents(filename, (char **) &compressed_data, &len,
-+                             NULL)) {
-+        goto out;
-+    }
-+
-+    /* Is it a gzip-compressed file? */
-+    if (len < 2 ||
-+        compressed_data[0] != 0x1f ||
-+        compressed_data[1] != 0x8b) {
-+        goto out;
-+    }
-+
-+    if (max_sz > LOAD_IMAGE_MAX_GUNZIP_BYTES) {
-+        max_sz = LOAD_IMAGE_MAX_GUNZIP_BYTES;
-+    }
-+
-+    data = g_malloc(max_sz);
-+    bytes = gunzip(data, max_sz, compressed_data, len);
-+    if (bytes < 0) {
-+        fprintf(stderr, "%s: unable to decompress gzipped kernel file\n",
-+                filename);
-+        goto out;
-+    }
-+
-+    rom_add_blob_fixed(filename, data, bytes, addr);
-+    ret = bytes;
-+
-+ out:
-+    g_free(compressed_data);
-+    g_free(data);
-+    return ret;
-+}
-+
- /*
-  * Functions for reboot-persistent memory regions.
-  *  - used for vga bios and option roms.
-diff --git a/include/hw/loader.h b/include/hw/loader.h
-index 796cbf9..00c9117 100644
---- a/include/hw/loader.h
-+++ b/include/hw/loader.h
-@@ -15,6 +15,7 @@ int get_image_size(const char *filename);
- int load_image(const char *filename, uint8_t *addr); /* deprecated */
- int load_image_targphys(const char *filename, hwaddr,
-                         uint64_t max_sz);
-+int load_image_gzipped(const char *filename, hwaddr addr, uint64_t max_sz);
- 
- #define ELF_LOAD_FAILED       -1
- #define ELF_LOAD_NOT_ELF      -2
diff --git a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
deleted file mode 100644
index 3f3f637..0000000
--- a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Tue, 19 Aug 2014 18:56:28 +0100
-Subject: [PATCH] aarch64: Allow -kernel option to take a gzip-compressed
- kernel.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-On aarch64 it is the bootloader's job to uncompress the kernel.  UEFI
-and u-boot bootloaders do this automatically when the kernel is
-gzip-compressed.
-
-However the qemu -kernel option does not do this.  The following
-command does not work:
-
-  qemu-system-aarch64 [...] -kernel /boot/vmlinuz
-
-because it tries to execute the gzip-compressed data.
-
-This commit lets gzip-compressed kernels be uncompressed
-transparently.
-
-Currently this is only done when emulating aarch64.
-
-Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 1407831259-2115-3-git-send-email-rjones@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-(cherry picked from commit 6f5d3cbe8892367026526a7deed0ceecc700a7ad)
----
- hw/arm/boot.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
-index 3d1f4a2..b7d60aa 100644
---- a/hw/arm/boot.c
-+++ b/hw/arm/boot.c
-@@ -510,6 +510,13 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
-         kernel_size = load_uimage(info->kernel_filename, &entry, NULL,
-                                   &is_linux);
-     }
-+    /* On aarch64, it's the bootloader's job to uncompress the kernel. */
-+    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64) && kernel_size < 0) {
-+        entry = info->loader_start + kernel_load_offset;
-+        kernel_size = load_image_gzipped(info->kernel_filename, entry,
-+                                         info->ram_size - kernel_load_offset);
-+        is_linux = 1;
-+    }
-     if (kernel_size < 0) {
-         entry = info->loader_start + kernel_load_offset;
-         kernel_size = load_image_targphys(info->kernel_filename, entry,
diff --git a/0003-block.curl-adding-timeout-option.patch b/0003-block.curl-adding-timeout-option.patch
deleted file mode 100644
index b003edf..0000000
--- a/0003-block.curl-adding-timeout-option.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
-Date: Wed, 13 Aug 2014 12:44:27 -0300
-Subject: [PATCH] block.curl: adding 'timeout' option
-
-The curl hardcoded timeout (5 seconds) sometimes is not long
-enough depending on the remote server configuration and network
-traffic. The user should be able to set how much long he is
-willing to wait for the connection.
-
-Adding a new option to set this timeout gives the user this
-flexibility. The previous default timeout of 5 seconds will be
-used if this option is not present.
-
-Reviewed-by: Fam Zheng <famz@redhat.com>
-Signed-off-by: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
-Reviewed-by: Benoit Canet <benoit.canet@nodalink.com>
-Tested-by: Richard W.M. Jones <rjones@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(cherry picked from commit 212aefaa53d142baa9a22f5aadd2e72eb916c0c0)
----
- block/curl.c    | 13 ++++++++++++-
- qemu-options.hx | 10 ++++++++--
- 2 files changed, 20 insertions(+), 3 deletions(-)
-
-diff --git a/block/curl.c b/block/curl.c
-index 79ff2f1..6f45547 100644
---- a/block/curl.c
-+++ b/block/curl.c
-@@ -63,6 +63,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle,
- #define CURL_NUM_ACB    8
- #define SECTOR_SIZE     512
- #define READ_AHEAD_DEFAULT (256 * 1024)
-+#define CURL_TIMEOUT_DEFAULT 5
- 
- #define FIND_RET_NONE   0
- #define FIND_RET_OK     1
-@@ -71,6 +72,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle,
- #define CURL_BLOCK_OPT_URL       "url"
- #define CURL_BLOCK_OPT_READAHEAD "readahead"
- #define CURL_BLOCK_OPT_SSLVERIFY "sslverify"
-+#define CURL_BLOCK_OPT_TIMEOUT "timeout"
- 
- struct BDRVCURLState;
- 
-@@ -109,6 +111,7 @@ typedef struct BDRVCURLState {
-     char *url;
-     size_t readahead_size;
-     bool sslverify;
-+    int timeout;
-     bool accept_range;
-     AioContext *aio_context;
- } BDRVCURLState;
-@@ -382,7 +385,7 @@ static CURLState *curl_init_state(BDRVCURLState *s)
-         curl_easy_setopt(state->curl, CURLOPT_URL, s->url);
-         curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER,
-                          (long) s->sslverify);
--        curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, 5);
-+        curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, s->timeout);
-         curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION,
-                          (void *)curl_read_cb);
-         curl_easy_setopt(state->curl, CURLOPT_WRITEDATA, (void *)state);
-@@ -489,6 +492,11 @@ static QemuOptsList runtime_opts = {
-             .type = QEMU_OPT_BOOL,
-             .help = "Verify SSL certificate"
-         },
-+        {
-+            .name = CURL_BLOCK_OPT_TIMEOUT,
-+            .type = QEMU_OPT_NUMBER,
-+            .help = "Curl timeout"
-+        },
-         { /* end of list */ }
-     },
- };
-@@ -525,6 +533,9 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
-         goto out_noclean;
-     }
- 
-+    s->timeout = qemu_opt_get_number(opts, CURL_BLOCK_OPT_TIMEOUT,
-+                                     CURL_TIMEOUT_DEFAULT);
-+
-     s->sslverify = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_SSLVERIFY, true);
- 
-     file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL);
-diff --git a/qemu-options.hx b/qemu-options.hx
-index 1549625..dcb008b 100644
---- a/qemu-options.hx
-+++ b/qemu-options.hx
-@@ -2351,6 +2351,11 @@ multiple of 512 bytes. It defaults to 256k.
- @item sslverify
- Whether to verify the remote server's certificate when connecting over SSL. It
- can have the value 'on' or 'off'. It defaults to 'on'.
-+
-+@item timeout
-+Set the timeout in seconds of the CURL connection. This timeout is the time
-+that CURL waits for a response from the remote server to get the size of the
-+image to be downloaded. If not set, the default timeout of 5 seconds is used.
- @end table
- 
- Note that when passing options to qemu explicitly, @option{driver} is the value
-@@ -2372,9 +2377,10 @@ qemu-system-x86_64 -drive file=/tmp/Fedora-x86_64-20-20131211.1-sda.qcow2,copy-o
- @end example
- 
- Example: boot from an image stored on a VMware vSphere server with a self-signed
--certificate using a local overlay for writes and a readahead of 64k
-+certificate using a local overlay for writes, a readahead of 64k and a timeout
-+of 10 seconds.
- @example
--qemu-img create -f qcow2 -o backing_file='json:@{"file.driver":"https",, "file.url":"https://user:password@@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k"@}' /tmp/test.qcow2
-+qemu-img create -f qcow2 -o backing_file='json:@{"file.driver":"https",, "file.url":"https://user:password@@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k",, "file.timeout":10@}' /tmp/test.qcow2
- 
- qemu-system-x86_64 -drive file=/tmp/test.qcow2
- @end example
diff --git a/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
deleted file mode 100644
index e58b6e4..0000000
--- a/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Fri, 29 Aug 2014 16:03:12 +0100
-Subject: [PATCH] curl: Allow a cookie or cookies to be sent with http/https
- requests.
-
-In order to access VMware ESX efficiently, we need to send a session
-cookie.  This patch is very simple and just allows you to send that
-session cookie.  It punts on the question of how you get the session
-cookie in the first place, but in practice you can just run a `curl'
-command against the server and extract the cookie that way.
-
-To use it, add file.cookie to the curl URL.  For example:
-
-$ qemu-img info 'json: {
-    "file.driver":"https",
-    "file.url":"https://vcenter/folder/Windows%202003/Windows%202003-flat.vmdk?dcPath=Datacenter&dsName=datastore1",
-    "file.sslverify":"off",
-    "file.cookie":"vmware_soap_session=\"52a01262-bf93-ccce-d379-8dabb3e55560\""}'
-image: [...]
-file format: raw
-virtual size: 8.0G (8589934592 bytes)
-disk size: unavailable
-
-Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(cherry picked from commit a94f83d94fdf907680f068f1be7ad13d1f697067)
----
- block/curl.c    | 16 ++++++++++++++++
- qemu-options.hx |  5 +++++
- 2 files changed, 21 insertions(+)
-
-diff --git a/block/curl.c b/block/curl.c
-index 6f45547..537e257 100644
---- a/block/curl.c
-+++ b/block/curl.c
-@@ -73,6 +73,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle,
- #define CURL_BLOCK_OPT_READAHEAD "readahead"
- #define CURL_BLOCK_OPT_SSLVERIFY "sslverify"
- #define CURL_BLOCK_OPT_TIMEOUT "timeout"
-+#define CURL_BLOCK_OPT_COOKIE    "cookie"
- 
- struct BDRVCURLState;
- 
-@@ -112,6 +113,7 @@ typedef struct BDRVCURLState {
-     size_t readahead_size;
-     bool sslverify;
-     int timeout;
-+    char *cookie;
-     bool accept_range;
-     AioContext *aio_context;
- } BDRVCURLState;
-@@ -385,6 +387,9 @@ static CURLState *curl_init_state(BDRVCURLState *s)
-         curl_easy_setopt(state->curl, CURLOPT_URL, s->url);
-         curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER,
-                          (long) s->sslverify);
-+        if (s->cookie) {
-+            curl_easy_setopt(state->curl, CURLOPT_COOKIE, s->cookie);
-+        }
-         curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, s->timeout);
-         curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION,
-                          (void *)curl_read_cb);
-@@ -497,6 +502,11 @@ static QemuOptsList runtime_opts = {
-             .type = QEMU_OPT_NUMBER,
-             .help = "Curl timeout"
-         },
-+        {
-+            .name = CURL_BLOCK_OPT_COOKIE,
-+            .type = QEMU_OPT_STRING,
-+            .help = "Pass the cookie or list of cookies with each request"
-+        },
-         { /* end of list */ }
-     },
- };
-@@ -509,6 +519,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
-     QemuOpts *opts;
-     Error *local_err = NULL;
-     const char *file;
-+    const char *cookie;
-     double d;
- 
-     static int inited = 0;
-@@ -538,6 +549,9 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
- 
-     s->sslverify = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_SSLVERIFY, true);
- 
-+    cookie = qemu_opt_get(opts, CURL_BLOCK_OPT_COOKIE);
-+    s->cookie = g_strdup(cookie);
-+
-     file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL);
-     if (file == NULL) {
-         error_setg(errp, "curl block driver requires an 'url' option");
-@@ -593,6 +607,7 @@ out:
-     curl_easy_cleanup(state->curl);
-     state->curl = NULL;
- out_noclean:
-+    g_free(s->cookie);
-     g_free(s->url);
-     qemu_opts_del(opts);
-     return -EINVAL;
-@@ -689,6 +704,7 @@ static void curl_close(BlockDriverState *bs)
-     DPRINTF("CURL: Close\n");
-     curl_detach_aio_context(bs);
- 
-+    g_free(s->cookie);
-     g_free(s->url);
- }
- 
-diff --git a/qemu-options.hx b/qemu-options.hx
-index dcb008b..53b6171 100644
---- a/qemu-options.hx
-+++ b/qemu-options.hx
-@@ -2352,6 +2352,11 @@ multiple of 512 bytes. It defaults to 256k.
- Whether to verify the remote server's certificate when connecting over SSL. It
- can have the value 'on' or 'off'. It defaults to 'on'.
- 
-+@item cookie
-+Send this cookie (it can also be a list of cookies separated by ';') with
-+each outgoing request.  Only supported when using protocols such as HTTP
-+which support cookies, otherwise ignored.
-+
- @item timeout
- Set the timeout in seconds of the CURL connection. This timeout is the time
- that CURL waits for a response from the remote server to get the size of the
diff --git a/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
deleted file mode 100644
index b00a751..0000000
--- a/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Thu, 28 Aug 2014 09:04:21 +0100
-Subject: [PATCH] curl: Don't deref NULL pointer in call to aio_poll.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In commit 63f0f45f2e89b60ff8245fec81328ddfde42a303 the following
-mechanical change was made:
-
-         if (!state) {
--            qemu_aio_wait();
-+            aio_poll(state->s->aio_context, true);
-         }
-
-The new code now checks if state is NULL and then dereferences it
-('state->s') which is obviously incorrect.
-
-This commit replaces state->s->aio_context with
-bdrv_get_aio_context(bs), fixing this problem.  The two other hunks
-are concerned with getting the BlockDriverState pointer bs to where it
-is needed.
-
-The original bug causes a segfault when using libguestfs to access a
-VMware vCenter Server and doing any kind of complex read-heavy
-operations.  With this commit the segfault goes away.
-
-Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Benoît Canet <benoit.canet@nodalink.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(cherry picked from commit a2f468e48f8b6559ec9123e94948bc373b788941)
----
- block/curl.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/block/curl.c b/block/curl.c
-index 537e257..d28b701 100644
---- a/block/curl.c
-+++ b/block/curl.c
-@@ -357,7 +357,7 @@ static void curl_multi_timeout_do(void *arg)
- #endif
- }
- 
--static CURLState *curl_init_state(BDRVCURLState *s)
-+static CURLState *curl_init_state(BlockDriverState *bs, BDRVCURLState *s)
- {
-     CURLState *state = NULL;
-     int i, j;
-@@ -375,7 +375,7 @@ static CURLState *curl_init_state(BDRVCURLState *s)
-             break;
-         }
-         if (!state) {
--            aio_poll(state->s->aio_context, true);
-+            aio_poll(bdrv_get_aio_context(bs), true);
-         }
-     } while(!state);
- 
-@@ -566,7 +566,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
-     DPRINTF("CURL: Opening %s\n", file);
-     s->aio_context = bdrv_get_aio_context(bs);
-     s->url = g_strdup(file);
--    state = curl_init_state(s);
-+    state = curl_init_state(bs, s);
-     if (!state)
-         goto out_noclean;
- 
-@@ -651,7 +651,7 @@ static void curl_readv_bh_cb(void *p)
-     }
- 
-     // No cache found, so let's start a new request
--    state = curl_init_state(s);
-+    state = curl_init_state(acb->common.bs, s);
-     if (!state) {
-         acb->common.cb(acb->common.opaque, -EIO);
-         qemu_aio_release(acb);
diff --git a/0006-virtio-pci-enable-bus-master-for-old-guests.patch b/0006-virtio-pci-enable-bus-master-for-old-guests.patch
deleted file mode 100644
index 24f54e8..0000000
--- a/0006-virtio-pci-enable-bus-master-for-old-guests.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 11 Sep 2014 18:45:33 +0200
-Subject: [PATCH] virtio-pci: enable bus master for old guests
-
-commit cc943c36faa192cd4b32af8fe5edb31894017d35
-    pci: Use bus master address space for delivering MSI/MSI-X messages
-breaks virtio-net for rhel6.[56] x86 guests because they don't
-enable bus mastering for virtio PCI devices. For the same reason,
-rhel6.[56] ppc64 guests cannot boot on a virtio-blk disk anymore.
-
-Old guests forgot to enable bus mastering, enable it automatically on
-DRIVER (guests use some devices before DRIVER_OK).
-
-Reported-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
-Reviewed-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
-Tested-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry picked from commit e43c0b2ea5574efb0bedebf6a7d05916eefeba52)
----
- hw/virtio/virtio-pci.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
-index 3007319..58ebbcf 100644
---- a/hw/virtio/virtio-pci.c
-+++ b/hw/virtio/virtio-pci.c
-@@ -314,6 +314,16 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val)
-             msix_unuse_all_vectors(&proxy->pci_dev);
-         }
- 
-+        /* Linux before 2.6.34 drives the device without enabling
-+           the PCI device bus master bit. Enable it automatically
-+           for the guest. This is a PCI spec violation but so is
-+           initiating DMA with bus master bit clear. */
-+        if (val == (VIRTIO_CONFIG_S_ACKNOWLEDGE | VIRTIO_CONFIG_S_DRIVER)) {
-+            pci_default_write_config(&proxy->pci_dev, PCI_COMMAND,
-+                                     proxy->pci_dev.config[PCI_COMMAND] |
-+                                     PCI_COMMAND_MASTER, 1);
-+        }
-+
-         /* Linux before 2.6.34 sets the device as OK without enabling
-            the PCI device bus master bit. In this case we need to disable
-            some safety checks. */
diff --git a/0007-virtio-pci-fix-migration-for-pci-bus-master.patch b/0007-virtio-pci-fix-migration-for-pci-bus-master.patch
deleted file mode 100644
index 80e9c2e..0000000
--- a/0007-virtio-pci-fix-migration-for-pci-bus-master.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 11 Sep 2014 18:34:29 +0300
-Subject: [PATCH] virtio-pci: fix migration for pci bus master
-
-Current support for bus master (clearing OK bit)
-together with the need to support guests which do not
-enable PCI bus mastering, leads to extra state in
-VIRTIO_PCI_FLAG_BUS_MASTER_BUG bit, which isn't robust
-in case of cross-version migration for the case when
-guests use the device before setting DRIVER_OK.
-
-Rip out VIRTIO_PCI_FLAG_BUS_MASTER_BUG and implement a simpler
-work-around: treat clearing of PCI_COMMAND as a virtio reset.  Old
-guests never touch this bit so they will work.
-
-As reset clears device status, DRIVER and MASTER bits are
-now in sync, so we can fix up cross-version migration simply
-by synchronising them, without need to detect a buggy guest
-explicitly.
-
-Drop tracking VIRTIO_PCI_FLAG_BUS_MASTER_BUG completely.
-
-As reset makes the device quiescent, in the future we'll be able to drop
-checking OK bit in a bunch of places.
-
-Cc: Jason Wang <jasowang@redhat.com>
-Cc: Greg Kurz <gkurz@linux.vnet.ibm.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry picked from commit 4d43d3f3c8147ade184df9a1e9e82826edd39e19)
----
- hw/virtio/virtio-pci.c | 39 ++++++++++++++++++++-------------------
- 1 file changed, 20 insertions(+), 19 deletions(-)
-
-diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
-index 58ebbcf..c19c4d6 100644
---- a/hw/virtio/virtio-pci.c
-+++ b/hw/virtio/virtio-pci.c
-@@ -86,9 +86,6 @@
-  * 12 is historical, and due to x86 page size. */
- #define VIRTIO_PCI_QUEUE_ADDR_SHIFT    12
- 
--/* Flags track per-device state like workarounds for quirks in older guests. */
--#define VIRTIO_PCI_FLAG_BUS_MASTER_BUG  (1 << 0)
--
- static void virtio_pci_bus_new(VirtioBusState *bus, size_t bus_size,
-                                VirtIOPCIProxy *dev);
- 
-@@ -323,14 +320,6 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val)
-                                      proxy->pci_dev.config[PCI_COMMAND] |
-                                      PCI_COMMAND_MASTER, 1);
-         }
--
--        /* Linux before 2.6.34 sets the device as OK without enabling
--           the PCI device bus master bit. In this case we need to disable
--           some safety checks. */
--        if ((val & VIRTIO_CONFIG_S_DRIVER_OK) &&
--            !(proxy->pci_dev.config[PCI_COMMAND] & PCI_COMMAND_MASTER)) {
--            proxy->flags |= VIRTIO_PCI_FLAG_BUS_MASTER_BUG;
--        }
-         break;
-     case VIRTIO_MSI_CONFIG_VECTOR:
-         msix_vector_unuse(&proxy->pci_dev, vdev->config_vector);
-@@ -480,13 +469,18 @@ static void virtio_write_config(PCIDevice *pci_dev, uint32_t address,
-     VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev);
-     VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
- 
-+    uint8_t cmd = proxy->pci_dev.config[PCI_COMMAND];
-+
-     pci_default_write_config(pci_dev, address, val, len);
- 
-     if (range_covers_byte(address, len, PCI_COMMAND) &&
-         !(pci_dev->config[PCI_COMMAND] & PCI_COMMAND_MASTER) &&
--        !(proxy->flags & VIRTIO_PCI_FLAG_BUS_MASTER_BUG)) {
-+        (cmd & PCI_COMMAND_MASTER)) {
-+        /* Bus driver disables bus mastering - make it act
-+         * as a kind of reset to render the device quiescent. */
-         virtio_pci_stop_ioeventfd(proxy);
--        virtio_set_status(vdev, vdev->status & ~VIRTIO_CONFIG_S_DRIVER_OK);
-+        virtio_reset(vdev);
-+        msix_unuse_all_vectors(&proxy->pci_dev);
-     }
- }
- 
-@@ -895,11 +889,19 @@ static void virtio_pci_vmstate_change(DeviceState *d, bool running)
-     VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
- 
-     if (running) {
--        /* Try to find out if the guest has bus master disabled, but is
--           in ready state. Then we have a buggy guest OS. */
--        if ((vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) &&
--            !(proxy->pci_dev.config[PCI_COMMAND] & PCI_COMMAND_MASTER)) {
--            proxy->flags |= VIRTIO_PCI_FLAG_BUS_MASTER_BUG;
-+        /* Linux before 2.6.34 drives the device without enabling
-+           the PCI device bus master bit. Enable it automatically
-+           for the guest. This is a PCI spec violation but so is
-+           initiating DMA with bus master bit clear.
-+           Note: this only makes a difference when migrating
-+           across QEMU versions from an old QEMU, as for new QEMU
-+           bus master and driver bits are always in sync.
-+           TODO: consider enabling conditionally for compat machine types. */
-+        if (vdev->status & (VIRTIO_CONFIG_S_ACKNOWLEDGE |
-+                            VIRTIO_CONFIG_S_DRIVER)) {
-+            pci_default_write_config(&proxy->pci_dev, PCI_COMMAND,
-+                                     proxy->pci_dev.config[PCI_COMMAND] |
-+                                     PCI_COMMAND_MASTER, 1);
-         }
-         virtio_pci_start_ioeventfd(proxy);
-     } else {
-@@ -1043,7 +1045,6 @@ static void virtio_pci_reset(DeviceState *qdev)
-     virtio_pci_stop_ioeventfd(proxy);
-     virtio_bus_reset(bus);
-     msix_unuse_all_vectors(&proxy->pci_dev);
--    proxy->flags &= ~VIRTIO_PCI_FLAG_BUS_MASTER_BUG;
- }
- 
- static Property virtio_pci_properties[] = {
diff --git a/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch b/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch
deleted file mode 100644
index 8aa58fe..0000000
--- a/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Mon, 29 Sep 2014 11:27:32 +0300
-Subject: [PATCH] Revert "virtio-pci: fix migration for pci bus master"
-
-This reverts commit 4d43d3f3c8147ade184df9a1e9e82826edd39e19.
-
-Reported to break PPC guests.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry picked from commit 45363e46aeebfc99753389649eac7c7fc22bfe52)
----
- hw/virtio/virtio-pci.c | 39 +++++++++++++++++++--------------------
- 1 file changed, 19 insertions(+), 20 deletions(-)
-
-diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
-index c19c4d6..58ebbcf 100644
---- a/hw/virtio/virtio-pci.c
-+++ b/hw/virtio/virtio-pci.c
-@@ -86,6 +86,9 @@
-  * 12 is historical, and due to x86 page size. */
- #define VIRTIO_PCI_QUEUE_ADDR_SHIFT    12
- 
-+/* Flags track per-device state like workarounds for quirks in older guests. */
-+#define VIRTIO_PCI_FLAG_BUS_MASTER_BUG  (1 << 0)
-+
- static void virtio_pci_bus_new(VirtioBusState *bus, size_t bus_size,
-                                VirtIOPCIProxy *dev);
- 
-@@ -320,6 +323,14 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val)
-                                      proxy->pci_dev.config[PCI_COMMAND] |
-                                      PCI_COMMAND_MASTER, 1);
-         }
-+
-+        /* Linux before 2.6.34 sets the device as OK without enabling
-+           the PCI device bus master bit. In this case we need to disable
-+           some safety checks. */
-+        if ((val & VIRTIO_CONFIG_S_DRIVER_OK) &&
-+            !(proxy->pci_dev.config[PCI_COMMAND] & PCI_COMMAND_MASTER)) {
-+            proxy->flags |= VIRTIO_PCI_FLAG_BUS_MASTER_BUG;
-+        }
-         break;
-     case VIRTIO_MSI_CONFIG_VECTOR:
-         msix_vector_unuse(&proxy->pci_dev, vdev->config_vector);
-@@ -469,18 +480,13 @@ static void virtio_write_config(PCIDevice *pci_dev, uint32_t address,
-     VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev);
-     VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
- 
--    uint8_t cmd = proxy->pci_dev.config[PCI_COMMAND];
--
-     pci_default_write_config(pci_dev, address, val, len);
- 
-     if (range_covers_byte(address, len, PCI_COMMAND) &&
-         !(pci_dev->config[PCI_COMMAND] & PCI_COMMAND_MASTER) &&
--        (cmd & PCI_COMMAND_MASTER)) {
--        /* Bus driver disables bus mastering - make it act
--         * as a kind of reset to render the device quiescent. */
-+        !(proxy->flags & VIRTIO_PCI_FLAG_BUS_MASTER_BUG)) {
-         virtio_pci_stop_ioeventfd(proxy);
--        virtio_reset(vdev);
--        msix_unuse_all_vectors(&proxy->pci_dev);
-+        virtio_set_status(vdev, vdev->status & ~VIRTIO_CONFIG_S_DRIVER_OK);
-     }
- }
- 
-@@ -889,19 +895,11 @@ static void virtio_pci_vmstate_change(DeviceState *d, bool running)
-     VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
- 
-     if (running) {
--        /* Linux before 2.6.34 drives the device without enabling
--           the PCI device bus master bit. Enable it automatically
--           for the guest. This is a PCI spec violation but so is
--           initiating DMA with bus master bit clear.
--           Note: this only makes a difference when migrating
--           across QEMU versions from an old QEMU, as for new QEMU
--           bus master and driver bits are always in sync.
--           TODO: consider enabling conditionally for compat machine types. */
--        if (vdev->status & (VIRTIO_CONFIG_S_ACKNOWLEDGE |
--                            VIRTIO_CONFIG_S_DRIVER)) {
--            pci_default_write_config(&proxy->pci_dev, PCI_COMMAND,
--                                     proxy->pci_dev.config[PCI_COMMAND] |
--                                     PCI_COMMAND_MASTER, 1);
-+        /* Try to find out if the guest has bus master disabled, but is
-+           in ready state. Then we have a buggy guest OS. */
-+        if ((vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) &&
-+            !(proxy->pci_dev.config[PCI_COMMAND] & PCI_COMMAND_MASTER)) {
-+            proxy->flags |= VIRTIO_PCI_FLAG_BUS_MASTER_BUG;
-         }
-         virtio_pci_start_ioeventfd(proxy);
-     } else {
-@@ -1045,6 +1043,7 @@ static void virtio_pci_reset(DeviceState *qdev)
-     virtio_pci_stop_ioeventfd(proxy);
-     virtio_bus_reset(bus);
-     msix_unuse_all_vectors(&proxy->pci_dev);
-+    proxy->flags &= ~VIRTIO_PCI_FLAG_BUS_MASTER_BUG;
- }
- 
- static Property virtio_pci_properties[] = {
diff --git a/0009-vnc-sanitize-bits_per_pixel-from-the-client.patch b/0009-vnc-sanitize-bits_per_pixel-from-the-client.patch
deleted file mode 100644
index a6caa18..0000000
--- a/0009-vnc-sanitize-bits_per_pixel-from-the-client.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Mon, 27 Oct 2014 12:41:44 +0100
-Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
-
-bits_per_pixel that are less than 8 could result in accessing
-non-initialized buffers later in the code due to the expectation
-that bytes_per_pixel value that is used to initialize these buffers is
-never zero.
-
-To fix this check that bits_per_pixel from the client is one of the
-values that the rfb protocol specification allows.
-
-This is CVE-2014-7815.
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-
-[ kraxel: apply codestyle fix ]
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829)
----
- ui/vnc.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/ui/vnc.c b/ui/vnc.c
-index f8d9b7d..87e34ae 100644
---- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
-         return;
-     }
- 
-+    switch (bits_per_pixel) {
-+    case 8:
-+    case 16:
-+    case 32:
-+        break;
-+    default:
-+        vnc_client_error(vs);
-+        return;
-+    }
-+
-     vs->client_pf.rmax = red_max;
-     vs->client_pf.rbits = hweight_long(red_max);
-     vs->client_pf.rshift = red_shift;
diff --git a/0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch b/0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch
deleted file mode 100644
index 31915be..0000000
--- a/0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 29 Oct 2014 12:56:06 +0100
-Subject: [PATCH] vmware-vga: CVE-2014-3689: turn off hw accel
-
-Quick & easy stopgap for CVE-2014-3689:  We just compile out the
-hardware acceleration functions which lack sanity checks.  Thankfully
-we have capability bits for them (SVGA_CAP_RECT_COPY and
-SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.
-
-Subsequent patches will add the missing checks and re-enable the
-hardware acceleration emulation.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Don Koch <dkoch@verizon.com>
----
- hw/display/vmware_vga.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 591b645..4a4229b 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -29,8 +29,10 @@
- #include "hw/pci/pci.h"
- 
- #undef VERBOSE
-+#if 0
- #define HW_RECT_ACCEL
- #define HW_FILL_ACCEL
-+#endif
- #define HW_MOUSE_ACCEL
- 
- #include "vga_int.h"
diff --git a/0011-vmware-vga-add-vmsvga_verify_rect.patch b/0011-vmware-vga-add-vmsvga_verify_rect.patch
deleted file mode 100644
index a48878c..0000000
--- a/0011-vmware-vga-add-vmsvga_verify_rect.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 29 Oct 2014 12:56:07 +0100
-Subject: [PATCH] vmware-vga: add vmsvga_verify_rect
-
-Add verification function for rectangles, returning
-true if verification passes and false otherwise.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Don Koch <dkoch@verizon.com>
----
- hw/display/vmware_vga.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 52 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 4a4229b..f0e487f 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -294,8 +294,59 @@ enum {
-     SVGA_CURSOR_ON_RESTORE_TO_FB = 3,
- };
- 
-+static inline bool vmsvga_verify_rect(DisplaySurface *surface,
-+                                      const char *name,
-+                                      int x, int y, int w, int h)
-+{
-+    if (x < 0) {
-+        fprintf(stderr, "%s: x was < 0 (%d)\n", name, x);
-+        return false;
-+    }
-+    if (x > SVGA_MAX_WIDTH) {
-+        fprintf(stderr, "%s: x was > %d (%d)\n", name, SVGA_MAX_WIDTH, x);
-+        return false;
-+    }
-+    if (w < 0) {
-+        fprintf(stderr, "%s: w was < 0 (%d)\n", name, w);
-+        return false;
-+    }
-+    if (w > SVGA_MAX_WIDTH) {
-+        fprintf(stderr, "%s: w was > %d (%d)\n", name, SVGA_MAX_WIDTH, w);
-+        return false;
-+    }
-+    if (x + w > surface_width(surface)) {
-+        fprintf(stderr, "%s: width was > %d (x: %d, w: %d)\n",
-+                name, surface_width(surface), x, w);
-+        return false;
-+    }
-+
-+    if (y < 0) {
-+        fprintf(stderr, "%s: y was < 0 (%d)\n", name, y);
-+        return false;
-+    }
-+    if (y > SVGA_MAX_HEIGHT) {
-+        fprintf(stderr, "%s: y was > %d (%d)\n", name, SVGA_MAX_HEIGHT, y);
-+        return false;
-+    }
-+    if (h < 0) {
-+        fprintf(stderr, "%s: h was < 0 (%d)\n", name, h);
-+        return false;
-+    }
-+    if (h > SVGA_MAX_HEIGHT) {
-+        fprintf(stderr, "%s: h was > %d (%d)\n", name, SVGA_MAX_HEIGHT, h);
-+        return false;
-+    }
-+    if (y + h > surface_height(surface)) {
-+        fprintf(stderr, "%s: update height > %d (y: %d, h: %d)\n",
-+                name, surface_height(surface), y, h);
-+        return false;
-+    }
-+
-+    return true;
-+}
-+
- static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
--                int x, int y, int w, int h)
-+                                      int x, int y, int w, int h)
- {
-     DisplaySurface *surface = qemu_console_surface(s->vga.con);
-     int line;
diff --git a/0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch b/0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch
deleted file mode 100644
index 0605011..0000000
--- a/0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 29 Oct 2014 12:56:08 +0100
-Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
-
-Switch vmsvga_update_rect over to use vmsvga_verify_rect.  Slight change
-in behavior:  We don't try to automatically fixup rectangles any more.
-In case we find invalid update requests we'll do a full-screen update
-instead.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Don Koch <dkoch@verizon.com>
----
- hw/display/vmware_vga.c | 32 ++++----------------------------
- 1 file changed, 4 insertions(+), 28 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index f0e487f..718746e 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -356,36 +356,12 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
-     uint8_t *src;
-     uint8_t *dst;
- 
--    if (x < 0) {
--        fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x);
--        w += x;
-+    if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
-+        /* go for a fullscreen update as fallback */
-         x = 0;
--    }
--    if (w < 0) {
--        fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w);
--        w = 0;
--    }
--    if (x + w > surface_width(surface)) {
--        fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
--                __func__, x, w);
--        x = MIN(x, surface_width(surface));
--        w = surface_width(surface) - x;
--    }
--
--    if (y < 0) {
--        fprintf(stderr, "%s: update y was < 0 (%d)\n",  __func__, y);
--        h += y;
-         y = 0;
--    }
--    if (h < 0) {
--        fprintf(stderr, "%s: update h was < 0 (%d)\n",  __func__, h);
--        h = 0;
--    }
--    if (y + h > surface_height(surface)) {
--        fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
--                __func__, y, h);
--        y = MIN(y, surface_height(surface));
--        h = surface_height(surface) - y;
-+        w = surface_width(surface);
-+        h = surface_height(surface);
-     }
- 
-     bypl = surface_stride(surface);
diff --git a/0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch b/0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch
deleted file mode 100644
index a101aca..0000000
--- a/0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 29 Oct 2014 12:56:09 +0100
-Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
-
-Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Don Koch <dkoch@verizon.com>
----
- hw/display/vmware_vga.c | 20 ++++++++++++++------
- 1 file changed, 14 insertions(+), 6 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 718746e..c2e0a43 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -29,8 +29,8 @@
- #include "hw/pci/pci.h"
- 
- #undef VERBOSE
--#if 0
- #define HW_RECT_ACCEL
-+#if 0
- #define HW_FILL_ACCEL
- #endif
- #define HW_MOUSE_ACCEL
-@@ -406,7 +406,7 @@ static inline void vmsvga_update_rect_flush(struct vmsvga_state_s *s)
- }
- 
- #ifdef HW_RECT_ACCEL
--static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
-+static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
-                 int x0, int y0, int x1, int y1, int w, int h)
- {
-     DisplaySurface *surface = qemu_console_surface(s->vga.con);
-@@ -417,6 +417,13 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
-     int line = h;
-     uint8_t *ptr[2];
- 
-+    if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) {
-+        return -1;
-+    }
-+    if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) {
-+        return -1;
-+    }
-+
-     if (y1 > y0) {
-         ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1);
-         ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1);
-@@ -432,6 +439,7 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
-     }
- 
-     vmsvga_update_rect_delayed(s, x1, y1, w, h);
-+    return 0;
- }
- #endif
- 
-@@ -625,12 +633,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
-             width = vmsvga_fifo_read(s);
-             height = vmsvga_fifo_read(s);
- #ifdef HW_RECT_ACCEL
--            vmsvga_copy_rect(s, x, y, dx, dy, width, height);
--            break;
--#else
-+            if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) {
-+                break;
-+            }
-+#endif
-             args = 0;
-             goto badcmd;
--#endif
- 
-         case SVGA_CMD_DEFINE_CURSOR:
-             len -= 8;
diff --git a/0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch b/0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch
deleted file mode 100644
index efd5ae3..0000000
--- a/0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 29 Oct 2014 12:56:10 +0100
-Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect
-
-Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Don Koch <dkoch@verizon.com>
----
- hw/display/vmware_vga.c | 17 ++++++++++-------
- 1 file changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index c2e0a43..d44e3e8 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -30,9 +30,7 @@
- 
- #undef VERBOSE
- #define HW_RECT_ACCEL
--#if 0
- #define HW_FILL_ACCEL
--#endif
- #define HW_MOUSE_ACCEL
- 
- #include "vga_int.h"
-@@ -444,7 +442,7 @@ static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
- #endif
- 
- #ifdef HW_FILL_ACCEL
--static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
-+static inline int vmsvga_fill_rect(struct vmsvga_state_s *s,
-                 uint32_t c, int x, int y, int w, int h)
- {
-     DisplaySurface *surface = qemu_console_surface(s->vga.con);
-@@ -457,6 +455,10 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
-     uint8_t *src;
-     uint8_t col[4];
- 
-+    if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
-+        return -1;
-+    }
-+
-     col[0] = c;
-     col[1] = c >> 8;
-     col[2] = c >> 16;
-@@ -481,6 +483,7 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
-     }
- 
-     vmsvga_update_rect_delayed(s, x, y, w, h);
-+    return 0;
- }
- #endif
- 
-@@ -613,12 +616,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
-             width = vmsvga_fifo_read(s);
-             height = vmsvga_fifo_read(s);
- #ifdef HW_FILL_ACCEL
--            vmsvga_fill_rect(s, colour, x, y, width, height);
--            break;
--#else
-+            if (vmsvga_fill_rect(s, colour, x, y, width, height) == 0) {
-+                break;
-+            }
-+#endif
-             args = 0;
-             goto badcmd;
--#endif
- 
-         case SVGA_CMD_RECT_COPY:
-             len -= 7;
diff --git a/qemu.spec b/qemu.spec
index 89d34f3..792c069 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -135,6 +135,7 @@
 %global system_unicore32   system-unicore32
 %global system_moxie   system-moxie
 %global system_aarch64   system-aarch64
+%global system_tricore   system-tricore
 %endif
 
 # libfdt is only needed to build ARM, aarch64, Microblaze or PPC emulators
@@ -151,8 +152,8 @@
 
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
-Version: 2.1.2
-Release: 6%{?dist}
+Version: 2.2.0
+Release: 0.1.rc1%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -167,7 +168,7 @@ ExclusiveArch: %{kvm_archs}
 %define _smp_mflags %{nil}
 %endif
 
-Source0: http://wiki.qemu-project.org/download/%{name}-%{version}.tar.bz2
+Source0: http://wiki.qemu-project.org/download/%{name}-%{version}-rc1.tar.bz2
 
 Source1: qemu.binfmt
 
@@ -192,29 +193,6 @@ Source12: bridge.conf
 # qemu-kvm back compat wrapper
 Source13: qemu-kvm.sh
 
-# Allow aarch64 to boot compressed kernel
-Patch0001: 0001-loader-Add-load_image_gzipped-function.patch
-Patch0002: 0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
-# Fix crash in curl driver
-Patch0003: 0003-block.curl-adding-timeout-option.patch
-Patch0004: 0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
-Patch0005: 0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
-# Fix crash on migration/snapshot (bz #1144490)
-Patch0006: 0006-virtio-pci-enable-bus-master-for-old-guests.patch
-Patch0007: 0007-virtio-pci-fix-migration-for-pci-bus-master.patch
-# Fix PPC virtio regression (bz #1144490)
-Patch0008: 0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch
-# CVE-2014-7815 vnc: insufficient bits_per_pixel from the client
-# sanitization (bz #1157647, bz #1157641)
-Patch0009: 0009-vnc-sanitize-bits_per_pixel-from-the-client.patch
-# CVE-2014-3689 vmware_vga: insufficient parameter validation in
-# rectangle functions (bz #1153038, bz #1153035)
-Patch0010: 0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch
-Patch0011: 0011-vmware-vga-add-vmsvga_verify_rect.patch
-Patch0012: 0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch
-Patch0013: 0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch
-Patch0014: 0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch
-
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
 BuildRequires: which
@@ -368,6 +346,9 @@ Requires: %{name}-%{system_moxie} = %{epoch}:%{version}-%{release}
 %if 0%{?system_aarch64:1}
 Requires: %{name}-%{system_aarch64} = %{epoch}:%{version}-%{release}
 %endif
+%if 0%{?system_tricore:1}
+Requires: %{name}-%{system_tricore} = %{epoch}:%{version}-%{release}
+%endif
 %if %{without separate_kvm}
 Requires: %{name}-img = %{epoch}:%{version}-%{release}
 %else
@@ -700,6 +681,18 @@ emulation speed by using dynamic translation.
 This package provides the system emulator for AArch64.
 %endif
 
+%if 0%{?system_tricore:1}
+%package %{system_tricore}
+Summary: QEMU system emulator for tricore
+Group: Development/Tools
+Requires: %{name}-common = %{epoch}:%{version}-%{release}
+%description %{system_tricore}
+QEMU is a generic and open source processor emulator which achieves a good
+emulation speed by using dynamic translation.
+
+This package provides the system emulator for Tricore.
+%endif
+
 
 %ifarch %{kvm_archs}
 %package kvm-tools
@@ -738,31 +731,7 @@ CAC emulation development files.
 
 
 %prep
-%setup -q
-
-# Allow aarch64 to boot compressed kernel
-%patch0001 -p1
-%patch0002 -p1
-# Fix crash in curl driver
-%patch0003 -p1
-%patch0004 -p1
-%patch0005 -p1
-# Fix crash on migration/snapshot (bz #1144490)
-%patch0006 -p1
-%patch0007 -p1
-# Fix PPC virtio regression (bz #1144490)
-%patch0008 -p1
-# CVE-2014-7815 vnc: insufficient bits_per_pixel from the client
-# sanitization (bz #1157647, bz #1157641)
-%patch0009 -p1
-# CVE-2014-3689 vmware_vga: insufficient parameter validation in
-# rectangle functions (bz #1153038, bz #1153035)
-%patch0010 -p1
-%patch0011 -p1
-%patch0012 -p1
-%patch0013 -p1
-%patch0014 -p1
-
+%setup -q -n qemu-2.2.0-rc1
 
 %build
 %if %{with kvmonly}
@@ -774,6 +743,7 @@ microblazeel-softmmu mips-softmmu mipsel-softmmu mips64-softmmu \
 mips64el-softmmu or32-softmmu ppc-softmmu ppcemb-softmmu ppc64-softmmu \
 s390x-softmmu sh4-softmmu sh4eb-softmmu sparc-softmmu sparc64-softmmu \
 xtensa-softmmu xtensaeb-softmmu unicore32-softmmu moxie-softmmu \
+tricore-softmmu \
 i386-linux-user x86_64-linux-user aarch64-linux-user alpha-linux-user \
 arm-linux-user armeb-linux-user cris-linux-user m68k-linux-user \
 microblaze-linux-user microblazeel-linux-user mips-linux-user \
@@ -1191,6 +1161,7 @@ getent passwd qemu >/dev/null || \
 %{_datadir}/%{name}/qemu-icon.bmp
 %{_datadir}/%{name}/qemu_logo_no_text.svg
 %{_datadir}/%{name}/keymaps/
+%{_datadir}/%{name}/trace-events
 %{_mandir}/man1/qemu.1*
 %{_mandir}/man1/virtfs-proxy-helper.1*
 %{_bindir}/virtfs-proxy-helper
@@ -1250,34 +1221,21 @@ getent passwd qemu >/dev/null || \
 %{_bindir}/qemu-sparc32plus
 %{_bindir}/qemu-sparc64
 %{_bindir}/qemu-unicore32
-%{_datadir}/systemtap/tapset/qemu-i386.stp
-%{_datadir}/systemtap/tapset/qemu-x86_64.stp
-%{_datadir}/systemtap/tapset/qemu-aarch64.stp
-%{_datadir}/systemtap/tapset/qemu-alpha.stp
-%{_datadir}/systemtap/tapset/qemu-arm.stp
-%{_datadir}/systemtap/tapset/qemu-armeb.stp
-%{_datadir}/systemtap/tapset/qemu-cris.stp
-%{_datadir}/systemtap/tapset/qemu-m68k.stp
-%{_datadir}/systemtap/tapset/qemu-microblaze.stp
-%{_datadir}/systemtap/tapset/qemu-microblazeel.stp
-%{_datadir}/systemtap/tapset/qemu-mips.stp
-%{_datadir}/systemtap/tapset/qemu-mipsel.stp
-%{_datadir}/systemtap/tapset/qemu-mips64.stp
-%{_datadir}/systemtap/tapset/qemu-mips64el.stp
-%{_datadir}/systemtap/tapset/qemu-mipsn32.stp
-%{_datadir}/systemtap/tapset/qemu-mipsn32el.stp
-%{_datadir}/systemtap/tapset/qemu-or32.stp
-%{_datadir}/systemtap/tapset/qemu-ppc.stp
-%{_datadir}/systemtap/tapset/qemu-ppc64.stp
-%{_datadir}/systemtap/tapset/qemu-ppc64abi32.stp
-%{_datadir}/systemtap/tapset/qemu-ppc64le.stp
-%{_datadir}/systemtap/tapset/qemu-s390x.stp
-%{_datadir}/systemtap/tapset/qemu-sh4.stp
-%{_datadir}/systemtap/tapset/qemu-sh4eb.stp
-%{_datadir}/systemtap/tapset/qemu-sparc.stp
-%{_datadir}/systemtap/tapset/qemu-sparc32plus.stp
-%{_datadir}/systemtap/tapset/qemu-sparc64.stp
-%{_datadir}/systemtap/tapset/qemu-unicore32.stp
+%{_datadir}/systemtap/tapset/qemu-i386*.stp
+%{_datadir}/systemtap/tapset/qemu-x86_64*.stp
+%{_datadir}/systemtap/tapset/qemu-aarch64*.stp
+%{_datadir}/systemtap/tapset/qemu-alpha*.stp
+%{_datadir}/systemtap/tapset/qemu-arm*.stp
+%{_datadir}/systemtap/tapset/qemu-cris*.stp
+%{_datadir}/systemtap/tapset/qemu-m68k*.stp
+%{_datadir}/systemtap/tapset/qemu-microblaze*.stp
+%{_datadir}/systemtap/tapset/qemu-mips*.stp
+%{_datadir}/systemtap/tapset/qemu-or32*.stp
+%{_datadir}/systemtap/tapset/qemu-ppc*.stp
+%{_datadir}/systemtap/tapset/qemu-s390x*.stp
+%{_datadir}/systemtap/tapset/qemu-sh4*.stp
+%{_datadir}/systemtap/tapset/qemu-sparc*.stp
+%{_datadir}/systemtap/tapset/qemu-unicore32*.stp
 %endif
 
 %if 0%{?system_x86:1}
@@ -1286,8 +1244,8 @@ getent passwd qemu >/dev/null || \
 %if %{without kvmonly}
 %{_bindir}/qemu-system-i386
 %{_bindir}/qemu-system-x86_64
-%{_datadir}/systemtap/tapset/qemu-system-i386.stp
-%{_datadir}/systemtap/tapset/qemu-system-x86_64.stp
+%{_datadir}/systemtap/tapset/qemu-system-i386*.stp
+%{_datadir}/systemtap/tapset/qemu-system-x86_64*.stp
 %{_mandir}/man1/qemu-system-i386.1*
 %{_mandir}/man1/qemu-system-x86_64.1*
 %endif
@@ -1333,7 +1291,7 @@ getent passwd qemu >/dev/null || \
 %files %{system_alpha}
 %defattr(-,root,root)
 %{_bindir}/qemu-system-alpha
-%{_datadir}/systemtap/tapset/qemu-system-alpha.stp
+%{_datadir}/systemtap/tapset/qemu-system-alpha*.stp
 %{_mandir}/man1/qemu-system-alpha.1*
 %{_datadir}/%{name}/palcode-clipper
 %endif
@@ -1342,7 +1300,7 @@ getent passwd qemu >/dev/null || \
 %files %{system_arm}
 %defattr(-,root,root)
 %{_bindir}/qemu-system-arm
-%{_datadir}/systemtap/tapset/qemu-system-arm.stp
+%{_datadir}/systemtap/tapset/qemu-system-arm*.stp
 %{_mandir}/man1/qemu-system-arm.1*
 %if %{without separate_kvm}
 %ifarch armv7hl
@@ -1360,10 +1318,7 @@ getent passwd qemu >/dev/null || \
 %{_bindir}/qemu-system-mipsel
 %{_bindir}/qemu-system-mips64
 %{_bindir}/qemu-system-mips64el
-%{_datadir}/systemtap/tapset/qemu-system-mips.stp
-%{_datadir}/systemtap/tapset/qemu-system-mipsel.stp
-%{_datadir}/systemtap/tapset/qemu-system-mips64el.stp
-%{_datadir}/systemtap/tapset/qemu-system-mips64.stp
+%{_datadir}/systemtap/tapset/qemu-system-mips*.stp
 %{_mandir}/man1/qemu-system-mips.1*
 %{_mandir}/man1/qemu-system-mipsel.1*
 %{_mandir}/man1/qemu-system-mips64el.1*
@@ -1374,7 +1329,7 @@ getent passwd qemu >/dev/null || \
 %files %{system_cris}
 %defattr(-,root,root)
 %{_bindir}/qemu-system-cris
-%{_datadir}/systemtap/tapset/qemu-system-cris.stp
+%{_datadir}/systemtap/tapset/qemu-system-cris*.stp
 %{_mandir}/man1/qemu-system-cris.1*
 %endif
 
@@ -1382,7 +1337,7 @@ getent passwd qemu >/dev/null || \
 %files %{system_lm32}
 %defattr(-,root,root)
 %{_bindir}/qemu-system-lm32
-%{_datadir}/systemtap/tapset/qemu-system-lm32.stp
+%{_datadir}/systemtap/tapset/qemu-system-lm32*.stp
 %{_mandir}/man1/qemu-system-lm32.1*
 %endif
 
@@ -1390,7 +1345,7 @@ getent passwd qemu >/dev/null || \
 %files %{system_m68k}
 %defattr(-,root,root)
 %{_bindir}/qemu-system-m68k
-%{_datadir}/systemtap/tapset/qemu-system-m68k.stp
+%{_datadir}/systemtap/tapset/qemu-system-m68k*.stp
 %{_mandir}/man1/qemu-system-m68k.1*
 %endif
 
@@ -1399,8 +1354,7 @@ getent passwd qemu >/dev/null || \
 %defattr(-,root,root)
 %{_bindir}/qemu-system-microblaze
 %{_bindir}/qemu-system-microblazeel
-%{_datadir}/systemtap/tapset/qemu-system-microblaze.stp
-%{_datadir}/systemtap/tapset/qemu-system-microblazeel.stp
+%{_datadir}/systemtap/tapset/qemu-system-microblaze*.stp
 %{_mandir}/man1/qemu-system-microblaze.1*
 %{_mandir}/man1/qemu-system-microblazeel.1*
 %{_datadir}/%{name}/petalogix*.dtb
@@ -1410,7 +1364,7 @@ getent passwd qemu >/dev/null || \
 %files %{system_or32}
 %defattr(-,root,root)
 %{_bindir}/qemu-system-or32
-%{_datadir}/systemtap/tapset/qemu-system-or32.stp
+%{_datadir}/systemtap/tapset/qemu-system-or32*.stp
 %{_mandir}/man1/qemu-system-or32.1*
 %endif
 
@@ -1418,7 +1372,7 @@ getent passwd qemu >/dev/null || \
 %files %{system_s390x}
 %defattr(-,root,root)
 %{_bindir}/qemu-system-s390x
-%{_datadir}/systemtap/tapset/qemu-system-s390x.stp
+%{_datadir}/systemtap/tapset/qemu-system-s390x*.stp
 %{_mandir}/man1/qemu-system-s390x.1*
 %{_datadir}/%{name}/s390-zipl.rom
 %{_datadir}/%{name}/s390-ccw.img
@@ -1433,8 +1387,7 @@ getent passwd qemu >/dev/null || \
 %defattr(-,root,root)
 %{_bindir}/qemu-system-sh4
 %{_bindir}/qemu-system-sh4eb
-%{_datadir}/systemtap/tapset/qemu-system-sh4.stp
-%{_datadir}/systemtap/tapset/qemu-system-sh4eb.stp
+%{_datadir}/systemtap/tapset/qemu-system-sh4*.stp
 %{_mandir}/man1/qemu-system-sh4.1*
 %{_mandir}/man1/qemu-system-sh4eb.1*
 %endif
@@ -1444,8 +1397,7 @@ getent passwd qemu >/dev/null || \
 %defattr(-,root,root)
 %{_bindir}/qemu-system-sparc
 %{_bindir}/qemu-system-sparc64
-%{_datadir}/systemtap/tapset/qemu-system-sparc.stp
-%{_datadir}/systemtap/tapset/qemu-system-sparc64.stp
+%{_datadir}/systemtap/tapset/qemu-system-sparc*.stp
 %{_mandir}/man1/qemu-system-sparc.1*
 %{_mandir}/man1/qemu-system-sparc64.1*
 %{_datadir}/%{name}/QEMU,tcx.bin
@@ -1459,9 +1411,9 @@ getent passwd qemu >/dev/null || \
 %{_bindir}/qemu-system-ppc
 %{_bindir}/qemu-system-ppc64
 %{_bindir}/qemu-system-ppcemb
-%{_datadir}/systemtap/tapset/qemu-system-ppc.stp
-%{_datadir}/systemtap/tapset/qemu-system-ppc64.stp
-%{_datadir}/systemtap/tapset/qemu-system-ppcemb.stp
+%{_datadir}/systemtap/tapset/qemu-system-ppc*.stp
+%{_datadir}/systemtap/tapset/qemu-system-ppc64*.stp
+%{_datadir}/systemtap/tapset/qemu-system-ppcemb*.stp
 %{_mandir}/man1/qemu-system-ppc.1*
 %{_mandir}/man1/qemu-system-ppc64.1*
 %{_mandir}/man1/qemu-system-ppcemb.1*
@@ -1480,7 +1432,7 @@ getent passwd qemu >/dev/null || \
 %files %{system_unicore32}
 %defattr(-,root,root)
 %{_bindir}/qemu-system-unicore32
-%{_datadir}/systemtap/tapset/qemu-system-unicore32.stp
+%{_datadir}/systemtap/tapset/qemu-system-unicore32*.stp
 %{_mandir}/man1/qemu-system-unicore32.1*
 %endif
 
@@ -1489,8 +1441,7 @@ getent passwd qemu >/dev/null || \
 %defattr(-,root,root)
 %{_bindir}/qemu-system-xtensa
 %{_bindir}/qemu-system-xtensaeb
-%{_datadir}/systemtap/tapset/qemu-system-xtensa.stp
-%{_datadir}/systemtap/tapset/qemu-system-xtensaeb.stp
+%{_datadir}/systemtap/tapset/qemu-system-xtensa*.stp
 %{_mandir}/man1/qemu-system-xtensa.1*
 %{_mandir}/man1/qemu-system-xtensaeb.1*
 %endif
@@ -1499,7 +1450,7 @@ getent passwd qemu >/dev/null || \
 %files %{system_moxie}
 %defattr(-,root,root)
 %{_bindir}/qemu-system-moxie
-%{_datadir}/systemtap/tapset/qemu-system-moxie.stp
+%{_datadir}/systemtap/tapset/qemu-system-moxie*.stp
 %{_mandir}/man1/qemu-system-moxie.1*
 %endif
 
@@ -1507,7 +1458,7 @@ getent passwd qemu >/dev/null || \
 %files %{system_aarch64}
 %defattr(-,root,root)
 %{_bindir}/qemu-system-aarch64
-%{_datadir}/systemtap/tapset/qemu-system-aarch64.stp
+%{_datadir}/systemtap/tapset/qemu-system-aarch64*.stp
 %{_mandir}/man1/qemu-system-aarch64.1*
 %ifarch aarch64
 %{?kvm_files:}
@@ -1515,6 +1466,14 @@ getent passwd qemu >/dev/null || \
 %endif
 %endif
 
+%if 0%{?system_tricore:1}
+%files %{system_tricore}
+%defattr(-,root,root)
+%{_bindir}/qemu-system-tricore
+%{_datadir}/systemtap/tapset/qemu-system-tricore*.stp
+%{_mandir}/man1/qemu-system-tricore.1*
+%endif
+
 %if %{without separate_kvm}
 %files img
 %defattr(-,root,root)
@@ -1541,6 +1500,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Sat Nov 15 2014 Cole Robinson <crobinso@redhat.com> - 2:2.2.0-0.1.rc1
+- Update to qemu-2.2.0-rc1
+
 * Wed Oct 29 2014 Cole Robinson <crobinso@redhat.com> - 2:2.1.2-6
 - CVE-2014-7815 vnc: insufficient bits_per_pixel from the client sanitization
   (bz #1157647, bz #1157641)
diff --git a/sources b/sources
index 33b62c2..eff7bc0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-0ff197c4ed4b695620bc4734e77c888f  qemu-2.1.2.tar.bz2
+2da53c1c44ee769f9827f68e2412c9c5  qemu-2.2.0-rc1.tar.bz2