diff --git a/0001-virtio-9p-use-accessor-to-get-thread-pool.patch b/0001-virtio-9p-use-accessor-to-get-thread-pool.patch
deleted file mode 100644
index 655297a..0000000
--- a/0001-virtio-9p-use-accessor-to-get-thread-pool.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Greg Kurz <gkurz@linux.vnet.ibm.com>
-Subject: [PATCH] virtio-9p: use accessor to get thread_pool
-Date: Sun, 20 Dec 2015 12:19:05 +0100
-
-The aio_context_new() function does not allocate a thread pool. This is
-deferred to the first call to the aio_get_thread_pool() accessor. It is
-hence forbidden to access the thread_pool field directly, as it may be
-NULL. The accessor *must* be used always.
-
-Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
-Tested-by: Michael Tokarev <mjt@tls.msk.ru>
-Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
-
- hw/9pfs/virtio-9p-coth.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c
-index fb6e8f80e0f4..ab9425c60fd2 100644
---- a/hw/9pfs/virtio-9p-coth.c
-+++ b/hw/9pfs/virtio-9p-coth.c
-@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg)
- void co_run_in_worker_bh(void *opaque)
- {
-     Coroutine *co = opaque;
--    thread_pool_submit_aio(qemu_get_aio_context()->thread_pool,
-+    thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()),
-                            coroutine_enter_func, co, coroutine_enter_cb, co);
- }
-
-
-
-
diff --git a/0001-virtio-9p-use-accessor-to-get-thread_pool.patch b/0001-virtio-9p-use-accessor-to-get-thread_pool.patch
new file mode 100644
index 0000000..83da7db
--- /dev/null
+++ b/0001-virtio-9p-use-accessor-to-get-thread_pool.patch
@@ -0,0 +1,31 @@
+From: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Date: Wed, 23 Dec 2015 10:56:58 +0100
+Subject: [PATCH] virtio-9p: use accessor to get thread_pool
+
+The aio_context_new() function does not allocate a thread pool. This is
+deferred to the first call to the aio_get_thread_pool() accessor. It is
+hence forbidden to access the thread_pool field directly, as it may be
+NULL. The accessor *must* be used always.
+
+Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Tested-by: Michael Tokarev <mjt@tls.msk.ru>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
+(cherry picked from commit 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6)
+---
+ hw/9pfs/virtio-9p-coth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c
+index fb6e8f8..ab9425c 100644
+--- a/hw/9pfs/virtio-9p-coth.c
++++ b/hw/9pfs/virtio-9p-coth.c
+@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg)
+ void co_run_in_worker_bh(void *opaque)
+ {
+     Coroutine *co = opaque;
+-    thread_pool_submit_aio(qemu_get_aio_context()->thread_pool,
++    thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()),
+                            coroutine_enter_func, co, coroutine_enter_cb, co);
+ }
diff --git a/0002-ehci-make-idt-processing-more-robust.patch b/0002-ehci-make-idt-processing-more-robust.patch
new file mode 100644
index 0000000..d8caaff
--- /dev/null
+++ b/0002-ehci-make-idt-processing-more-robust.patch
@@ -0,0 +1,45 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 14 Dec 2015 09:21:23 +0100
+Subject: [PATCH] ehci: make idt processing more robust
+
+Make ehci_process_itd return an error in case we didn't do any actual
+iso transfer because we've found no active transaction.  That'll avoid
+ehci happily run in circles forever if the guest builds a loop out of
+idts.
+
+This is CVE-2015-8558.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Tested-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 156a2e4dbffa85997636a7a39ef12da6f1b40254)
+---
+ hw/usb/hcd-ehci.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 4e2161b..d07f228 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
+ {
+     USBDevice *dev;
+     USBEndpoint *ep;
+-    uint32_t i, len, pid, dir, devaddr, endp;
++    uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
+     uint32_t pg, off, ptr1, ptr2, max, mult;
+ 
+     ehci->periodic_sched_active = PERIODIC_ACTIVE;
+@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
+                 ehci_raise_irq(ehci, USBSTS_INT);
+             }
+             itd->transact[i] &= ~ITD_XACT_ACTIVE;
++            xfers++;
+         }
+     }
+-    return 0;
++    return xfers ? 0 : -1;
+ }
+ 
+ 
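Review bot: The new `return xfers ? 0 : -1;` at the end of ehci_process_itd changes the function's contract without documenting it: an iTD in which no transaction was active is now reported as an error, and nothing in the code says why. I would add a comment above the return such as `/* No active transaction: fail so a guest-built ring of idle iTDs cannot keep the schedule walk going forever (CVE-2015-8558). */`, and update any function header comment to mention the -1 case. The middle of the function and its caller are outside these hunks, so confirm that the caller stops traversing on a non-zero return. Since an idle iTD that a guest driver has legitimately left linked presumably takes the same path, also check that cutting that frame's walk short there is acceptable for whatever is linked behind it.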
diff --git a/qemu.spec b/qemu.spec
index ea984ae..aa553e2 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -40,7 +40,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.5.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -71,7 +71,10 @@ Source13: qemu-kvm.sh
 # For modprobe.d
 Source20: kvm.conf
 
-Patch0001: 0001-virtio-9p-use-accessor-to-get-thread-pool.patch
+# Fix virtio 9p thread pool usage
+Patch0001: 0001-virtio-9p-use-accessor-to-get-thread_pool.patch
+# CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
+Patch0002: 0002-ehci-make-idt-processing-more-robust.patch
 
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
@@ -1166,6 +1169,11 @@ getent passwd qemu >/dev/null || \
 
 
 %changelog
+* Sat Jan 09 2016 Cole Robinson <crobinso@redhat.com> - 2:2.5.0-3
+- Fix virtio 9p thread pool usage
+- CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
+- Re-add dist tag
+
 * Thu Jan 7 2016 Paolo Bonzini <pbonzini@redhat.com> - 2:2.5.0-2
 - add /etc/modprobe.d/kvm.conf
 - add 0001-virtio-9p-use-accessor-to-get-thread-pool.patch