diff --git a/SOURCES/libvirt-CVE-2014-3633-qemu-blkiotune-Use-correct-definition-when-looking-up-disk.patch b/SOURCES/libvirt-CVE-2014-3633-qemu-blkiotune-Use-correct-definition-when-looking-up-disk.patch
new file mode 100644
index 0000000..818b558
--- /dev/null
+++ b/SOURCES/libvirt-CVE-2014-3633-qemu-blkiotune-Use-correct-definition-when-looking-up-disk.patch
@@ -0,0 +1,51 @@
+From a102eb9c707bb28506f2ff68716122e306c5be55 Mon Sep 17 00:00:00 2001
+Message-Id: <a102eb9c707bb28506f2ff68716122e306c5be55@dist-git>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 17 Sep 2014 23:17:23 +0200
+Subject: [PATCH] CVE-2014-3633: qemu: blkiotune: Use correct definition when
+ looking up disk
+
+Live definition was used to look up the disk index while persistent one
+was indexed leading to a crash in qemuDomainGetBlockIoTune. Use the
+correct def and report a nice error.
+
+Unfortunately it's accessible via read-only connection, though it can
+only crash libvirtd in the cases where the guest is hot-plugging disks
+without reflecting those changes to the persistent definition.  So
+avoiding hotplug, or doing hotplug where persistent is always modified
+alongside live definition, will avoid the out-of-bounds access.
+
+Introduced in: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa (v0.9.8)
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140724
+Reported-by: Luyao Huang <lhuang@redhat.com>
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+
+(cherry picked from commit 3e745e8f775dfe6f64f18b5c2fe4791b35d3546b)
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/qemu/qemu_driver.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 475b752..ebdbfd7 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -15688,9 +15688,13 @@ qemuDomainGetBlockIoTune(virDomainPtr dom,
+     }
+ 
+     if (flags & VIR_DOMAIN_AFFECT_CONFIG) {
+-        int idx = virDomainDiskIndexByName(vm->def, disk, true);
+-        if (idx < 0)
++        int idx = virDomainDiskIndexByName(persistentDef, disk, true);
++        if (idx < 0) {
++            virReportError(VIR_ERR_INVALID_ARG,
++                           _("disk '%s' was not found in the domain config"),
++                           disk);
+             goto endjob;
++        }
+         reply = persistentDef->disks[idx]->blkdeviotune;
+     }
+ 
+-- 
+2.1.0
+
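Review bot: In the VIR_DOMAIN_AFFECT_CONFIG branch of qemuDomainGetBlockIoTune the index lookup and the `disks[idx]` access must use the same definition, but nothing in the new code records that. A comment above the lookup would keep the invariant visible, for example `/* idx is only valid for the definition it was looked up in; live and persistent disk lists can differ after hotplug */`. The commit message says the call is reachable over a read-only connection, so a mismatch here is an out-of-bounds access in libvirtd rather than an ordinary error. Whether persistentDef is always non-NULL when this flag is set depends on code outside the hunk and should be confirmed there. The embedded patch also adds no regression test for a disk that exists only in the live definition.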
diff --git a/SOURCES/libvirt-domain_conf-fix-domain-deadlock.patch b/SOURCES/libvirt-domain_conf-fix-domain-deadlock.patch
new file mode 100644
index 0000000..77ba5d3
--- /dev/null
+++ b/SOURCES/libvirt-domain_conf-fix-domain-deadlock.patch
@@ -0,0 +1,36 @@
+From 4843e53175b76c8a3676756db314354a696e2785 Mon Sep 17 00:00:00 2001
+Message-Id: <4843e53175b76c8a3676756db314354a696e2785@dist-git>
+From: Pavel Hrdina <phrdina@redhat.com>
+Date: Tue, 23 Sep 2014 15:43:37 +0200
+Subject: [PATCH] domain_conf: fix domain deadlock
+
+CVE-2014-3657
+
+If you use public api virConnectListAllDomains() with second parameter
+set to NULL to get only the number of domains you will lock out all
+other operations with domains.
+
+Introduced by commit 2c680804.
+
+Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/conf/domain_conf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
+index d1617b8..bb2e7ef 100644
+--- a/src/conf/domain_conf.c
++++ b/src/conf/domain_conf.c
+@@ -18748,7 +18748,7 @@ virDomainListPopulate(void *payload,
+     /* just count the machines */
+     if (!data->domains) {
+         data->ndomains++;
+-        return;
++        goto cleanup;
+     }
+ 
+     if (!(dom = virGetDomain(data->conn, vm->def->name, vm->def->uuid))) {
+-- 
+2.1.0
+
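Review bot: The counting branch in virDomainListPopulate now leaves through `cleanup`, but the reason is not visible at the jump, because the lock acquisition and the `cleanup` label are both outside the hunk. A later direct `return` added to this function would presumably reintroduce the deadlock described in the commit message. A comment on the jump would help, e.g. `/* must leave via cleanup so the domain object is unlocked */`. The function's other exits, starting with the virGetDomain failure path in the trailing context, are also outside the hunk and worth checking for the same direct-return pattern.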
diff --git a/SOURCES/libvirt-qemu-leave-restricting-cpuset.mems-after-initialization.patch b/SOURCES/libvirt-qemu-leave-restricting-cpuset.mems-after-initialization.patch
new file mode 100644
index 0000000..89cf36e
--- /dev/null
+++ b/SOURCES/libvirt-qemu-leave-restricting-cpuset.mems-after-initialization.patch
@@ -0,0 +1,95 @@
+From b3aac82848c6c8d56dca714b3b359253d74fbceb Mon Sep 17 00:00:00 2001
+Message-Id: <b3aac82848c6c8d56dca714b3b359253d74fbceb@dist-git>
+From: Martin Kletzander <mkletzan@redhat.com>
+Date: Mon, 1 Sep 2014 14:02:23 +0200
+Subject: [PATCH] qemu: leave restricting cpuset.mems after initialization
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1135871
+
+When domain is started with numatune memory mode strict and the
+nodeset does not include host NUMA node with DMA and DMA32 zones, KVM
+initialization fails.  This is because cgroup restrict even kernel
+allocations.  We are already doing numa_set_membind() which does the
+same thing, only it does not restrict kernel allocations.
+
+This patch leaves the userspace numa_set_membind() in place and moves
+the cpuset.mems setting after the point where monitor comes up, but
+before vcpu and emulator sub-groups are created.
+
+Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 7e72ac787848b7434c9359a57c1e2789d92350f8)
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/qemu/qemu_cgroup.c  | 10 +++++++---
+ src/qemu/qemu_cgroup.h  |  4 +++-
+ src/qemu/qemu_process.c |  4 ++++
+ 3 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
+index 7e60c19..dfe98be 100644
+--- a/src/qemu/qemu_cgroup.c
++++ b/src/qemu/qemu_cgroup.c
+@@ -592,9 +592,6 @@ qemuSetupCpusetCgroup(virDomainObjPtr vm,
+     if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET))
+         return 0;
+ 
+-    if (qemuSetupCpusetMems(vm, nodemask) < 0)
+-        goto cleanup;
+-
+     if (vm->def->cpumask ||
+         (vm->def->placement_mode == VIR_DOMAIN_CPU_PLACEMENT_MODE_AUTO)) {
+ 
+@@ -786,6 +783,13 @@ cleanup:
+ }
+ 
+ int
++qemuSetupCgroupPostInit(virDomainObjPtr vm,
++                        virBitmapPtr nodemask)
++{
++    return qemuSetupCpusetMems(vm, nodemask);
++}
++
++int
+ qemuSetupCgroupVcpuBW(virCgroupPtr cgroup,
+                       unsigned long long period,
+                       long long quota)
+diff --git a/src/qemu/qemu_cgroup.h b/src/qemu/qemu_cgroup.h
+index 14404d1..40a031e 100644
+--- a/src/qemu/qemu_cgroup.h
++++ b/src/qemu/qemu_cgroup.h
+@@ -1,7 +1,7 @@
+ /*
+  * qemu_cgroup.h: QEMU cgroup management
+  *
+- * Copyright (C) 2006-2007, 2009-2013 Red Hat, Inc.
++ * Copyright (C) 2006-2007, 2009-2014 Red Hat, Inc.
+  * Copyright (C) 2006 Daniel P. Berrange
+  *
+  * This library is free software; you can redistribute it and/or
+@@ -44,6 +44,8 @@ int qemuConnectCgroup(virQEMUDriverPtr driver,
+ int qemuSetupCgroup(virQEMUDriverPtr driver,
+                     virDomainObjPtr vm,
+                     virBitmapPtr nodemask);
++int qemuSetupCgroupPostInit(virDomainObjPtr vm,
++                            virBitmapPtr nodemask);
+ int qemuSetupCgroupVcpuBW(virCgroupPtr cgroup,
+                           unsigned long long period,
+                           long long quota);
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index af66e0d..3eda15b 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -4028,6 +4028,10 @@ int qemuProcessStart(virConnectPtr conn,
+     if (!qemuProcessVerifyGuestCPU(driver, vm))
+         goto cleanup;
+ 
++    VIR_DEBUG("Setting up post-init cgroup restrictions");
++    if (qemuSetupCgroupPostInit(vm, nodemask) < 0)
++        goto cleanup;
++
+     VIR_DEBUG("Detecting VCPU PIDs");
+     if (qemuProcessDetectVcpuPIDs(driver, vm) < 0)
+         goto cleanup;
+-- 
+2.1.0
+
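Review bot: qemuSetupCpusetCgroup no longer applies cpuset.mems, and the only new call to qemuSetupCgroupPostInit in this patch is in qemuProcessStart, so any other path that relied on qemuSetupCgroup for the memory-node restriction would now run without it. The callers of qemuSetupCgroup are outside these hunks; confirm that qemuProcessStart is the only one that needs the restriction. Per the commit message, until the post-init call runs the domain is limited only by numa_set_membind(), which does not cover kernel allocations. The new wrapper has no comment explaining that ordering. Something like `/* cgroup limits that must wait until QEMU has initialized; cpuset.mems also restricts kernel allocations */` above qemuSetupCgroupPostInit would record why it is separate.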
diff --git a/SOURCES/libvirt-qemu-split-out-cpuset.mems-setting.patch b/SOURCES/libvirt-qemu-split-out-cpuset.mems-setting.patch
new file mode 100644
index 0000000..f6617fc
--- /dev/null
+++ b/SOURCES/libvirt-qemu-split-out-cpuset.mems-setting.patch
@@ -0,0 +1,78 @@
+From 118598c04ba4dc1128ca475199551b6645c83736 Mon Sep 17 00:00:00 2001
+Message-Id: <118598c04ba4dc1128ca475199551b6645c83736@dist-git>
+From: Martin Kletzander <mkletzan@redhat.com>
+Date: Mon, 1 Sep 2014 14:02:22 +0200
+Subject: [PATCH] qemu: split out cpuset.mems setting
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1135871
+
+Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit aa668fccf078bf9833047776549a5a06435cf470)
+
+Conflicts:
+	src/qemu/qemu_cgroup.c -- whitespace before 'cleanup:'
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/qemu/qemu_cgroup.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
+index e0e1041..7e60c19 100644
+--- a/src/qemu/qemu_cgroup.c
++++ b/src/qemu/qemu_cgroup.c
+@@ -542,13 +542,11 @@ cleanup:
+ 
+ 
+ static int
+-qemuSetupCpusetCgroup(virDomainObjPtr vm,
+-                      virBitmapPtr nodemask,
+-                      virCapsPtr caps)
++qemuSetupCpusetMems(virDomainObjPtr vm,
++                    virBitmapPtr nodemask)
+ {
+     qemuDomainObjPrivatePtr priv = vm->privateData;
+     char *mem_mask = NULL;
+-    char *cpu_mask = NULL;
+     int ret = -1;
+ 
+     if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET))
+@@ -575,6 +573,28 @@ qemuSetupCpusetCgroup(virDomainObjPtr vm,
+             goto cleanup;
+     }
+ 
++    ret = 0;
++ cleanup:
++    VIR_FREE(mem_mask);
++    return ret;
++}
++
++
++static int
++qemuSetupCpusetCgroup(virDomainObjPtr vm,
++                      virBitmapPtr nodemask,
++                      virCapsPtr caps)
++{
++    qemuDomainObjPrivatePtr priv = vm->privateData;
++    char *cpu_mask = NULL;
++    int ret = -1;
++
++    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET))
++        return 0;
++
++    if (qemuSetupCpusetMems(vm, nodemask) < 0)
++        goto cleanup;
++
+     if (vm->def->cpumask ||
+         (vm->def->placement_mode == VIR_DOMAIN_CPU_PLACEMENT_MODE_AUTO)) {
+ 
+@@ -600,7 +620,6 @@ qemuSetupCpusetCgroup(virDomainObjPtr vm,
+ 
+     ret = 0;
+ cleanup:
+-    VIR_FREE(mem_mask);
+     VIR_FREE(cpu_mask);
+     return ret;
+ }
+-- 
+2.1.0
+
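Review bot: qemuSetupCpusetMems is introduced without a header comment, and its return contract cannot be read from the hunk because the middle of its body is elided context. A short comment above the definition would help, along the lines of `/* Set cpuset.mems for the domain cgroup from the NUMA nodeset; returns 0 on success, -1 on error */`, if that matches the elided body. The no-controller case should be spelled out once checked against the full function. The new ` cleanup:` label is indented by one space while the existing `cleanup:` at the end of qemuSetupCpusetCgroup is not, which the Conflicts note in the commit message already touches on; using one form throughout the file would keep later backports from conflicting on whitespace.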
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index 6f8b47e..678f294 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -379,7 +379,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 1.1.1
-Release: 29%{?dist}.1%{?extra_release}
+Release: 29%{?dist}.3%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -902,6 +902,10 @@ Patch509: libvirt-LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch
 Patch510: libvirt-virNetClientSetTLSSession-Restore-original-signal-mask.patch
 Patch511: libvirt-Don-t-use-AI_ADDRCONFIG-when-binding-to-wildcard-addresses.patch
 Patch512: libvirt-qemu-Unlock-the-NWFilter-update-lock-by-leaving-via-the-cleanup-label.patch
+Patch513: libvirt-qemu-split-out-cpuset.mems-setting.patch
+Patch514: libvirt-qemu-leave-restricting-cpuset.mems-after-initialization.patch
+Patch515: libvirt-CVE-2014-3633-qemu-blkiotune-Use-correct-definition-when-looking-up-disk.patch
+Patch516: libvirt-domain_conf-fix-domain-deadlock.patch
 
 
 %if %{with_libvirtd}
@@ -2695,6 +2699,14 @@ exit 0
 %endif
 
 %changelog
+* Tue Sep 23 2014 Jiri Denemark <jdenemar@redhat.com> - 1.1.1-29.el7_0.3
+- domain_conf: fix domain deadlock (CVE-2014-3657)
+
+* Mon Sep 22 2014 Jiri Denemark <jdenemar@redhat.com> - 1.1.1-29.el7_0.2
+- qemu: split out cpuset.mems setting (rhbz#1135871)
+- qemu: leave restricting cpuset.mems after initialization (rhbz#1135871)
+- qemu: blkiotune: Use correct definition when looking up disk (CVE-2014-3633)
+
 * Thu Jul  3 2014 Jiri Denemark <jdenemar@redhat.com> - 1.1.1-29.el7_0.1
 - LSN-2014-0003: Don't expand entities when parsing XML (CVE-2014-0179)
 - virNetClientSetTLSSession: Restore original signal mask (rhbz#1112689)