diff --git a/0001-riscv-sifive_u-fix-a-memory-leak-in-soc_realize.patch b/0001-riscv-sifive_u-fix-a-memory-leak-in-soc_realize.patch
new file mode 100644
index 0000000..3f0e784
--- /dev/null
+++ b/0001-riscv-sifive_u-fix-a-memory-leak-in-soc_realize.patch
@@ -0,0 +1,34 @@
+From bb8136df698bd565ee4f6c18d26c50dee320bfe4 Mon Sep 17 00:00:00 2001
+From: Pan Nengyuan <pannengyuan@huawei.com>
+Date: Tue, 10 Dec 2019 15:14:37 +0800
+Subject: [PATCH 1/5] riscv/sifive_u: fix a memory leak in soc_realize()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix a minor memory leak in riscv_sifive_u_soc_realize()
+
+Reported-by: Euler Robot <euler.robot@huawei.com>
+Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+---
+ hw/riscv/sifive_u.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
+index 0140e95732..0e12b3ccef 100644
+--- a/hw/riscv/sifive_u.c
++++ b/hw/riscv/sifive_u.c
+@@ -542,6 +542,7 @@ static void riscv_sifive_u_soc_realize(DeviceState *dev, Error **errp)
+         SIFIVE_U_PLIC_CONTEXT_BASE,
+         SIFIVE_U_PLIC_CONTEXT_STRIDE,
+         memmap[SIFIVE_U_PLIC].size);
++    g_free(plic_hart_config);
+     sifive_uart_create(system_memory, memmap[SIFIVE_U_UART0].base,
+         serial_hd(0), qdev_get_gpio_in(DEVICE(s->plic), SIFIVE_U_UART0_IRQ));
+     sifive_uart_create(system_memory, memmap[SIFIVE_U_UART1].base,
+-- 
+2.24.1
+
diff --git a/0002-riscv-Set-xPIE-to-1-after-xRET.patch b/0002-riscv-Set-xPIE-to-1-after-xRET.patch
new file mode 100644
index 0000000..4bd340a
--- /dev/null
+++ b/0002-riscv-Set-xPIE-to-1-after-xRET.patch
@@ -0,0 +1,43 @@
+From a37f21c27d3e2342c2080aafd4cfe7e949612428 Mon Sep 17 00:00:00 2001
+From: Yiting Wang <yiting.wang@windriver.com>
+Date: Fri, 3 Jan 2020 11:53:42 +0800
+Subject: [PATCH 2/5] riscv: Set xPIE to 1 after xRET
+
+When executing an xRET instruction, supposing xPP holds the
+value y, xIE is set to xPIE; the privilege mode is changed to y;
+xPIE is set to 1. But QEMU sets xPIE to 0 incorrectly.
+
+Signed-off-by: Yiting Wang <yiting.wang@windriver.com>
+Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
+Tested-by: Bin Meng <bmeng.cn@gmail.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+---
+ target/riscv/op_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
+index 331cc36232..e87c9115bc 100644
+--- a/target/riscv/op_helper.c
++++ b/target/riscv/op_helper.c
+@@ -93,7 +93,7 @@ target_ulong helper_sret(CPURISCVState *env, target_ulong cpu_pc_deb)
+         env->priv_ver >= PRIV_VERSION_1_10_0 ?
+         MSTATUS_SIE : MSTATUS_UIE << prev_priv,
+         get_field(mstatus, MSTATUS_SPIE));
+-    mstatus = set_field(mstatus, MSTATUS_SPIE, 0);
++    mstatus = set_field(mstatus, MSTATUS_SPIE, 1);
+     mstatus = set_field(mstatus, MSTATUS_SPP, PRV_U);
+     riscv_cpu_set_mode(env, prev_priv);
+     env->mstatus = mstatus;
+@@ -118,7 +118,7 @@ target_ulong helper_mret(CPURISCVState *env, target_ulong cpu_pc_deb)
+         env->priv_ver >= PRIV_VERSION_1_10_0 ?
+         MSTATUS_MIE : MSTATUS_UIE << prev_priv,
+         get_field(mstatus, MSTATUS_MPIE));
+-    mstatus = set_field(mstatus, MSTATUS_MPIE, 0);
++    mstatus = set_field(mstatus, MSTATUS_MPIE, 1);
+     mstatus = set_field(mstatus, MSTATUS_MPP, PRV_U);
+     riscv_cpu_set_mode(env, prev_priv);
+     env->mstatus = mstatus;
+-- 
+2.24.1
+
diff --git a/0003-target-riscv-Fix-tb-flags-FS-status.patch b/0003-target-riscv-Fix-tb-flags-FS-status.patch
new file mode 100644
index 0000000..93e5287
--- /dev/null
+++ b/0003-target-riscv-Fix-tb-flags-FS-status.patch
@@ -0,0 +1,48 @@
+From 613fa160e19abe8e1fe44423fcfa8ec73d3d48e5 Mon Sep 17 00:00:00 2001
+From: ShihPo Hung <shihpo.hung@sifive.com>
+Date: Tue, 14 Jan 2020 22:17:31 -0800
+Subject: [PATCH 3/5] target/riscv: Fix tb->flags FS status
+
+It was found that running libquantum on riscv-linux qemu produced an
+incorrect result. After investigation, FP registers are not saved
+during context switch due to incorrect mstatus.FS.
+
+In current implementation tb->flags merges all non-disabled state to
+dirty. This means the code in mark_fs_dirty in translate.c that
+handles initial and clean states is unreachable.
+
+This patch fixes it and is successfully tested with:
+  libquantum
+
+Thanks to Richard for pointing out the actual bug.
+
+v3: remove the redundant condition
+v2: root cause FS problem
+
+Suggested-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: ShihPo Hung <shihpo.hung@sifive.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+---
+ target/riscv/cpu.h | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
+index e59343e13c..de0a8d893a 100644
+--- a/target/riscv/cpu.h
++++ b/target/riscv/cpu.h
+@@ -293,10 +293,7 @@ static inline void cpu_get_tb_cpu_state(CPURISCVState *env, target_ulong *pc,
+ #ifdef CONFIG_USER_ONLY
+     *flags = TB_FLAGS_MSTATUS_FS;
+ #else
+-    *flags = cpu_mmu_index(env, 0);
+-    if (riscv_cpu_fp_enabled(env)) {
+-        *flags |= TB_FLAGS_MSTATUS_FS;
+-    }
++    *flags = cpu_mmu_index(env, 0) | (env->mstatus & MSTATUS_FS);
+ #endif
+ }
+ 
+-- 
+2.24.1
+
diff --git a/0004-target-riscv-fsd-fsw-doesn-t-dirty-FP-state.patch b/0004-target-riscv-fsd-fsw-doesn-t-dirty-FP-state.patch
new file mode 100644
index 0000000..6b5a896
--- /dev/null
+++ b/0004-target-riscv-fsd-fsw-doesn-t-dirty-FP-state.patch
@@ -0,0 +1,41 @@
+From a59796eb6d59bbd74ce28ddbddb1b83e60674e96 Mon Sep 17 00:00:00 2001
+From: ShihPo Hung <shihpo.hung@sifive.com>
+Date: Tue, 14 Jan 2020 22:17:32 -0800
+Subject: [PATCH 4/5] target/riscv: fsd/fsw doesn't dirty FP state
+
+Signed-off-by: ShihPo Hung <shihpo.hung@sifive.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+---
+ target/riscv/insn_trans/trans_rvd.inc.c | 1 -
+ target/riscv/insn_trans/trans_rvf.inc.c | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/target/riscv/insn_trans/trans_rvd.inc.c b/target/riscv/insn_trans/trans_rvd.inc.c
+index 393fa0248c..ea1044f13b 100644
+--- a/target/riscv/insn_trans/trans_rvd.inc.c
++++ b/target/riscv/insn_trans/trans_rvd.inc.c
+@@ -43,7 +43,6 @@ static bool trans_fsd(DisasContext *ctx, arg_fsd *a)
+ 
+     tcg_gen_qemu_st_i64(cpu_fpr[a->rs2], t0, ctx->mem_idx, MO_TEQ);
+ 
+-    mark_fs_dirty(ctx);
+     tcg_temp_free(t0);
+     return true;
+ }
+diff --git a/target/riscv/insn_trans/trans_rvf.inc.c b/target/riscv/insn_trans/trans_rvf.inc.c
+index 172dbfa919..e23cd639a6 100644
+--- a/target/riscv/insn_trans/trans_rvf.inc.c
++++ b/target/riscv/insn_trans/trans_rvf.inc.c
+@@ -52,7 +52,6 @@ static bool trans_fsw(DisasContext *ctx, arg_fsw *a)
+     tcg_gen_qemu_st_i64(cpu_fpr[a->rs2], t0, ctx->mem_idx, MO_TEUL);
+ 
+     tcg_temp_free(t0);
+-    mark_fs_dirty(ctx);
+     return true;
+ }
+ 
+-- 
+2.24.1
+
diff --git a/0005-target-riscv-update-mstatus.SD-when-FS-is-set-dirty.patch b/0005-target-riscv-update-mstatus.SD-when-FS-is-set-dirty.patch
new file mode 100644
index 0000000..b3733a6
--- /dev/null
+++ b/0005-target-riscv-update-mstatus.SD-when-FS-is-set-dirty.patch
@@ -0,0 +1,47 @@
+From 82f014671cf057de51c4a577c9e2ad637dcec6f9 Mon Sep 17 00:00:00 2001
+From: ShihPo Hung <shihpo.hung@sifive.com>
+Date: Tue, 14 Jan 2020 22:17:33 -0800
+Subject: [PATCH 5/5] target/riscv: update mstatus.SD when FS is set dirty
+
+remove the check becuase SD bit should summarize FS and XS fields
+unconditionally.
+
+Signed-off-by: ShihPo Hung <shihpo.hung@sifive.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+---
+ target/riscv/csr.c       | 3 +--
+ target/riscv/translate.c | 2 +-
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/target/riscv/csr.c b/target/riscv/csr.c
+index da02f9f0b1..0e34c292c5 100644
+--- a/target/riscv/csr.c
++++ b/target/riscv/csr.c
+@@ -341,8 +341,7 @@ static int write_mstatus(CPURISCVState *env, int csrno, target_ulong val)
+ 
+     mstatus = (mstatus & ~mask) | (val & mask);
+ 
+-    dirty = (riscv_cpu_fp_enabled(env) &&
+-             ((mstatus & MSTATUS_FS) == MSTATUS_FS)) |
++    dirty = ((mstatus & MSTATUS_FS) == MSTATUS_FS) |
+             ((mstatus & MSTATUS_XS) == MSTATUS_XS);
+     mstatus = set_field(mstatus, MSTATUS_SD, dirty);
+     env->mstatus = mstatus;
+diff --git a/target/riscv/translate.c b/target/riscv/translate.c
+index ab6a891dc3..8e40ed3ac4 100644
+--- a/target/riscv/translate.c
++++ b/target/riscv/translate.c
+@@ -394,7 +394,7 @@ static void mark_fs_dirty(DisasContext *ctx)
+ 
+     tmp = tcg_temp_new();
+     tcg_gen_ld_tl(tmp, cpu_env, offsetof(CPURISCVState, mstatus));
+-    tcg_gen_ori_tl(tmp, tmp, MSTATUS_FS);
++    tcg_gen_ori_tl(tmp, tmp, MSTATUS_FS | MSTATUS_SD);
+     tcg_gen_st_tl(tmp, cpu_env, offsetof(CPURISCVState, mstatus));
+     tcg_temp_free(tmp);
+ }
+-- 
+2.24.1
+
diff --git a/qemu.spec b/qemu.spec
index 76a7077..eb965e5 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -161,7 +161,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 4.2.0
-Release: 2%{?rcrel}%{?dist}
+Release: 3%{?rcrel}%{?dist}
 Epoch: 2
 License: GPLv2 and BSD and MIT and CC-BY
 URL: http://www.qemu.org/
@@ -171,6 +171,14 @@ Source0: http://wiki.qemu-project.org/download/%{name}-%{version}%{?rcstr}.tar.x
 # Fix a test suite error
 Patch1: 0001-tests-fix-modules-test-duplicate-test-case-error.patch
 
+# Miscellaneous fixes for RISC-V, merged upstream in commit
+# ba2ed84fe6a78f64b2da441750fc6e925d94106a.
+Patch2: 0001-riscv-sifive_u-fix-a-memory-leak-in-soc_realize.patch
+Patch3: 0002-riscv-Set-xPIE-to-1-after-xRET.patch
+Patch4: 0003-target-riscv-Fix-tb-flags-FS-status.patch
+Patch5: 0004-target-riscv-fsd-fsw-doesn-t-dirty-FP-state.patch
+Patch6: 0005-target-riscv-update-mstatus.SD-when-FS-is-set-dirty.patch
+
 # guest agent service
 Source10: qemu-guest-agent.service
 Source17: qemu-ga.sysconfig
@@ -1887,6 +1895,9 @@ getent passwd qemu >/dev/null || \
 
 
 %changelog
+* Sat Jan 25 2019 Mohan Boddu <mboddu@bhujji.com> - 4.2.0-3
+- Add miscellaneous fixes for RISC-V (RHBZ#1794902).
+
 * Thu Dec 19 2019 Mohan Boddu <mboddu@bhujji.com> - 4.2.0-2
 - Rebuild for xen 4.13