diff --git a/SOURCES/kvm-block-Fix-flags-in-reopen-queue.patch b/SOURCES/kvm-block-Fix-flags-in-reopen-queue.patch
new file mode 100644
index 0000000..f3ecaba
--- /dev/null
+++ b/SOURCES/kvm-block-Fix-flags-in-reopen-queue.patch
@@ -0,0 +1,60 @@
+From bf0e9a6374d872bde330fb3c4994697250ef235b Mon Sep 17 00:00:00 2001
+From: Fam Zheng <famz@redhat.com>
+Date: Tue, 13 Mar 2018 15:27:54 +0100
+Subject: [PATCH 1/4] block: Fix flags in reopen queue
+
+RH-Author: Fam Zheng <famz@redhat.com>
+Message-id: <20180313152755.31475-2-famz@redhat.com>
+Patchwork-id: 79273
+O-Subject: [RHV7.5 qemu-kvm-ma PATCH v4 1/2] block: Fix flags in reopen queue
+Bugzilla: 1557206
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Reopen flags are not synchronized according to the
+bdrv_reopen_queue_child precedence until bdrv_reopen_prepare. It is a
+bit too late: we already check the consistency in bdrv_check_perm before
+that.
+
+This fixes the bug that when bdrv_reopen a RO node as RW, the flags for
+backing child are wrong. Before, we could recurse with flags.rw=1; now,
+role->inherit_options + update_flags_from_options will make sure to
+clear the bit when necessary.  Note that this will not clear an
+explicitly set bit, as in the case of parallel block jobs (e.g.
+test_stream_parallel in 030), because the explicit options include
+'read-only=false' (for an intermediate node used by a different job).
+
+Signed-off-by: Fam Zheng <famz@redhat.com>
+Reviewed-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Fam Zheng <famz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/block.c b/block.c
+index ca8a46b..a1084e7 100644
+--- a/block.c
++++ b/block.c
+@@ -2759,8 +2759,16 @@ static BlockReopenQueue *bdrv_reopen_queue_child(BlockReopenQueue *bs_queue,
+ 
+     /* Inherit from parent node */
+     if (parent_options) {
++        QemuOpts *opts;
++        QDict *options_copy;
+         assert(!flags);
+         role->inherit_options(&flags, options, parent_flags, parent_options);
++        options_copy = qdict_clone_shallow(options);
++        opts = qemu_opts_create(&bdrv_runtime_opts, NULL, 0, &error_abort);
++        qemu_opts_absorb_qdict(opts, options_copy, NULL);
++        update_flags_from_options(&flags, opts);
++        qemu_opts_del(opts);
++        QDECREF(options_copy);
+     }
+ 
+     /* Old values are used for options that aren't set yet */
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-iotests-Add-regression-test-for-commit-base-locking.patch b/SOURCES/kvm-iotests-Add-regression-test-for-commit-base-locking.patch
new file mode 100644
index 0000000..3effa27
--- /dev/null
+++ b/SOURCES/kvm-iotests-Add-regression-test-for-commit-base-locking.patch
@@ -0,0 +1,64 @@
+From 9cac958ac666c9095490cf6814110c8083ad8929 Mon Sep 17 00:00:00 2001
+From: Fam Zheng <famz@redhat.com>
+Date: Tue, 13 Mar 2018 15:27:55 +0100
+Subject: [PATCH 2/4] iotests: Add regression test for commit base locking
+
+RH-Author: Fam Zheng <famz@redhat.com>
+Message-id: <20180313152755.31475-3-famz@redhat.com>
+Patchwork-id: 79276
+O-Subject: [RHV7.5 qemu-kvm-ma PATCH v4 2/2] iotests: Add regression test for commit base locking
+Bugzilla: 1557206
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Signed-off-by: Fam Zheng <famz@redhat.com>
+Reviewed-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Fam Zheng <famz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ tests/qemu-iotests/153     | 11 +++++++++++
+ tests/qemu-iotests/153.out |  4 ++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/tests/qemu-iotests/153 b/tests/qemu-iotests/153
+index fa25eb2..0b62ac9 100755
+--- a/tests/qemu-iotests/153
++++ b/tests/qemu-iotests/153
+@@ -178,6 +178,17 @@ ln -s ${TEST_IMG} "${TEST_IMG}.lnk" || echo "Failed to create link"
+ _run_qemu_with_images "${TEST_IMG}.lnk" "${TEST_IMG}"
+ 
+ echo
++echo "== Active commit to intermediate layer should work when base in use =="
++_launch_qemu -drive format=$IMGFMT,file="${TEST_IMG}.a",id=drive0,if=none \
++             -device virtio-blk,drive=drive0
++
++_send_qemu_cmd $QEMU_HANDLE \
++    "{ 'execute': 'qmp_capabilities' }" \
++    'return'
++_run_cmd $QEMU_IMG commit -b "${TEST_IMG}.b" "${TEST_IMG}.c"
++
++_cleanup_qemu
++
+ echo "== Closing an image should unlock it =="
+ _launch_qemu
+ 
+diff --git a/tests/qemu-iotests/153.out b/tests/qemu-iotests/153.out
+index 5b917b1..3f19afb 100644
+--- a/tests/qemu-iotests/153.out
++++ b/tests/qemu-iotests/153.out
+@@ -373,6 +373,10 @@ Is another process using the image?
+ QEMU_PROG: -drive if=none,file=TEST_DIR/t.qcow2: Failed to get "write" lock
+ Is another process using the image?
+ 
++== Active commit to intermediate layer should work when base in use ==
++{"return": {}}
++
++_qemu_img_wrapper commit -b TEST_DIR/t.qcow2.b TEST_DIR/t.qcow2.c
+ == Closing an image should unlock it ==
+ {"return": {}}
+ Adding drive
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-add-ram_addr_t-cast.patch b/SOURCES/kvm-vga-add-ram_addr_t-cast.patch
new file mode 100644
index 0000000..b7ba905
--- /dev/null
+++ b/SOURCES/kvm-vga-add-ram_addr_t-cast.patch
@@ -0,0 +1,41 @@
+From 1d5aa1e3de92a5ceff6c30e48c10275c5d3ce9ac Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 19 Mar 2018 14:34:58 +0100
+Subject: [PATCH 3/4] vga: add ram_addr_t cast
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <20180319143459.15364-2-kraxel@redhat.com>
+Patchwork-id: 79361
+O-Subject: [RHV7.5 qemu-kvm-rhev PATCH 1/2] vga: add ram_addr_t cast
+Bugzilla: 1566878
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Reported by Coverity.
+
+Fixes: CID 1381409
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20171010141323.14049-4-kraxel@redhat.com
+(cherry picked from commit b0898b42ef099bc125db1fbf62b7f02b505ef3a2)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/vga.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index b1cdf36..b6a3b95 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1488,7 +1488,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+     disp_width = width;
+ 
+     region_start = (s->start_addr * 4);
+-    region_end = region_start + s->line_offset * height;
++    region_end = region_start + (ram_addr_t)s->line_offset * height;
+     if (region_end > s->vbe_size) {
+         /* wraps around (can happen with cirrus vbe modes) */
+         region_start = 0;
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-fix-region-calculation.patch b/SOURCES/kvm-vga-fix-region-calculation.patch
new file mode 100644
index 0000000..a4d234a
--- /dev/null
+++ b/SOURCES/kvm-vga-fix-region-calculation.patch
@@ -0,0 +1,47 @@
+From a4a396ff1f6bf512d8a1e65f692242d4332c615c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 19 Mar 2018 14:34:59 +0100
+Subject: [PATCH 4/4] vga: fix region calculation
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <20180319143459.15364-3-kraxel@redhat.com>
+Patchwork-id: 79360
+O-Subject: [RHV7.5 qemu-kvm-rhev PATCH 2/2] vga: fix region calculation
+Bugzilla: 1566878
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Typically the scanline length and the line offset are identical.  But
+in case they are not our calculation for region_end is incorrect.  Using
+line_offset is fine for all scanlines, except the last one where we have
+to use the actual scanline length.
+
+Fixes: CVE-2018-7550
+Reported-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Tested-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Message-id: 20180309143704.13420-1-kraxel@redhat.com
+(cherry picked from commit 7cdc61becd095b64a786b2625f321624e7111f3d)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/vga.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index b6a3b95..f060f26 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1489,6 +1489,8 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ 
+     region_start = (s->start_addr * 4);
+     region_end = region_start + (ram_addr_t)s->line_offset * height;
++    region_end += width * s->get_bpp(s) / 8; /* scanline length */
++    region_end -= s->line_offset;
+     if (region_end > s->vbe_size) {
+         /* wraps around (can happen with cirrus vbe modes) */
+         region_start = 0;
+-- 
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index f74896f..9f7889a 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -106,7 +106,7 @@ Obsoletes: %1%{rhel_ma_suffix} < %{obsoletes_version2}                 \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 2.10.0
-Release: 21%{?dist}.1
+Release: 21%{?dist}.2
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2+ and LGPLv2+ and BSD
@@ -1049,6 +1049,14 @@ Patch446: kvm-redhat-Define-the-pseries-rhel7.5-sxxm-machine-type.patch
 Patch447: kvm-redhat-Define-the-pseries-rhel7.4-sxxm-machine-type.patch
 # For bz#1554957 - [CVE-2017-5754] Variant3: POWER {qemu-kvm-ma} Add machine type variants [rhel-7.5.z]
 Patch448: kvm-redhat-Define-the-pseries-rhel7.3-sxxm-machine-type.patch
+# For bz#1557206 - [Regression] Cannot delete VM's snapshot [rhel-7.5.z]
+Patch449: kvm-block-Fix-flags-in-reopen-queue.patch
+# For bz#1557206 - [Regression] Cannot delete VM's snapshot [rhel-7.5.z]
+Patch450: kvm-iotests-Add-regression-test-for-commit-base-locking.patch
+# For bz#1566878 - CVE-2018-7858 qemu-kvm-ma: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z]
+Patch451: kvm-vga-add-ram_addr_t-cast.patch
+# For bz#1566878 - CVE-2018-7858 qemu-kvm-ma: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z]
+Patch452: kvm-vga-fix-region-calculation.patch
 
 BuildRequires: zlib-devel
 BuildRequires: glib2-devel
@@ -1674,6 +1682,10 @@ cp %{SOURCE29} pc-bios
 %patch446 -p1
 %patch447 -p1
 %patch448 -p1
+%patch449 -p1
+%patch450 -p1
+%patch451 -p1
+%patch452 -p1
 
 # for tscdeadline_latency.flat
 %ifarch x86_64
@@ -2172,6 +2184,16 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 
 %changelog
+* Fri Apr 13 2018 Miroslav Rezanina <mrezanin@redhat.com> - ma-2.10.0-21.el7_5.2
+- kvm-block-Fix-flags-in-reopen-queue.patch [bz#1557206]
+- kvm-iotests-Add-regression-test-for-commit-base-locking.patch [bz#1557206]
+- kvm-vga-add-ram_addr_t-cast.patch [bz#1566878]
+- kvm-vga-fix-region-calculation.patch [bz#1566878]
+- Resolves: bz#1557206
+  ([Regression] Cannot delete VM's snapshot [rhel-7.5.z])
+- Resolves: bz#1566878
+  (CVE-2018-7858 qemu-kvm-ma: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z])
+
 * Wed Mar 14 2018 Miroslav Rezanina <mrezanin@redhat.com> - ma-2.10.0-21.el7_5.1
 - kvm-memory-inline-some-performance-sensitive-accessors.patch [bz#1554930]
 - kvm-address_space_write-address_space_to_flatview-needs-.patch [bz#1554930]