diff --git a/0026-e1000-bounds-packet-size-against-buffer-size.patch b/0026-e1000-bounds-packet-size-against-buffer-size.patch
new file mode 100644
index 0000000..bd2bdc7
--- /dev/null
+++ b/0026-e1000-bounds-packet-size-against-buffer-size.patch
@@ -0,0 +1,37 @@
+From d0ed2d2e8e863a9a64c9fc9c08fa68bee546ad00 Mon Sep 17 00:00:00 2001
+From: Anthony Liguori
+Date: Mon, 23 Jan 2012 07:30:43 -0600
+Subject: [PATCH 26/26] e1000: bounds packet size against buffer size
+
+Otherwise we can write beyond the buffer and corrupt memory. This is tracked
+as CVE-2012-0029.
+
+Signed-off-by: Anthony Liguori
+---
+ hw/e1000.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 986ed9c..e164d79 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ bytes = split_size;
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
++
++ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+ pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
+ if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+ memmove(tp->header, tp->data, hdr);
+@@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ // context descriptor TSE is not set, while data descriptor TSE is set
+ DBGOUT(TXERR, "TCP segmentaion Error\n");
+ } else {
++ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+ pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
+ tp->size += split_size;
+ }
+--
+1.7.7.6
+
diff --git a/enable_architectural_PMU_cpuid_leaf.patch b/enable_architectural_PMU_cpuid_leaf.patch
new file mode 100644
index 0000000..f0a7415
--- /dev/null
+++ b/enable_architectural_PMU_cpuid_leaf.patch
@@ -0,0 +1,37 @@
+commit a0fa82085e175bf8ce6d69a3f83695f81af2a649
+Author: Gleb Natapov
+Date: Thu Dec 15 12:44:05 2011 +0200
+
+ enable architectural PMU cpuid leaf for kvm
+
+ Signed-off-by: Gleb Natapov
+ 
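Review bot: The two added MIN() clamps (after `bytes = msh - tp->size;` and before the second `pci_dma_read`) truncate an oversized transmit silently, so a guest descriptor whose length exceeds the room left in `tp->data` now yields a mangled frame with no diagnostic, even though the hunk's own `DBGOUT(TXERR, "TCP segmentaion Error\n")` shows the file already has a TXERR channel for exactly this kind of guest misbehaviour. I would log before clamping, e.g. `if (split_size > sizeof(tp->data) - tp->size) DBGOUT(TXERR, "tx descriptor exceeds tx buffer, truncating\n");` in the second hunk and the equivalent test on `bytes` in the first. The clamps are also only sound while `tp->size` stays at or below `sizeof(tp->data)` and does not wrap: the accumulator `tp->size += split_size` (last context line of the second hunk) may now reach exactly `sizeof(tp->data)`, and the declaration of `tp->size` is not visible here, so confirm its width can represent that value or the next descriptor starts writing at offset 0 of a supposedly full buffer. process_tx_desc begins and ends outside both hunks.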
Signed-off-by: Marcelo Tosatti
+
+diff --git a/target-i386/cpuid.c b/target-i386/cpuid.c
+index 0b3af90..91a104b 100644
+--- a/target-i386/cpuid.c
++++ b/target-i386/cpuid.c
+@@ -1180,10 +1180,19 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+ break;
+ case 0xA:
+ /* Architectural Performance Monitoring Leaf */
+- *eax = 0;
+- *ebx = 0;
+- *ecx = 0;
+- *edx = 0;
++ if (kvm_enabled()) {
++ KVMState *s = env->kvm_state;
++
++ *eax = kvm_arch_get_supported_cpuid(s, 0xA, count, R_EAX);
++ *ebx = kvm_arch_get_supported_cpuid(s, 0xA, count, R_EBX);
++ *ecx = kvm_arch_get_supported_cpuid(s, 0xA, count, R_ECX);
++ *edx = kvm_arch_get_supported_cpuid(s, 0xA, count, R_EDX);
++ } else {
++ *eax = 0;
++ *ebx = 0;
++ *ecx = 0;
++ *edx = 0;
++ }
+ break;
+ case 0xD:
+ /* Processor Extended State */
diff --git a/qemu.spec b/qemu.spec
index c9d4686..62e8d03 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,7 +1,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 1.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 # Epoch because we pushed a qemu-1.0 package
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@@ -64,7 +64,8 @@ Patch22: 0022-coroutine-switch-per-thread-free-pool-to-a-global-po.patch
 Patch23: 0023-qemu-img-rebase-Fix-for-undersized-backing-files.patch
 Patch24: 0024-Documentation-Add-qemu-img-t-parameter-in-man-page.patch
 Patch25: 0025-rbd-always-set-out-parameter-in-qemu_rbd_snap_list.patch
-Patch26: virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
+Patch26: 0026-e1000-bounds-packet-size-against-buffer-size.patch
+Patch27: virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
 # USB Redirect patches should go upstream soon!
 Patch101: 0101-usb-redir-Clear-iso-irq-error-when-stopping-the-stre.patch
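Review bot: The new `if (kvm_enabled()) {` branch hands the guest whatever leaf 0xA the host kernel reports, with no way to keep the leaf zeroed from the CPU model, so the visible PMU version, counter count and event mask become host-dependent and the guest gains PMU access whether or not the operator wanted it. That has two consequences the commit does not address: a guest started on a PMU-capable host and migrated to one without (or to an older QEMU) sees the leaf change underneath it, and a hardware counter interface is a fairly precise timing and side-channel instrument that should be an explicit opt-in rather than a side effect of running under KVM. I would make the condition also test a CPU-model flag that defaults off for existing machine types (a `pmu` property on the cpu definition, or whatever equivalent the surrounding cpuid code offers), and leave the zeroing `else` branch as the path for every guest that does not set it. cpu_x86_cpuid begins and ends outside the hunk, so the field to test is not visible here.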
@@ -89,6 +90,9 @@ Patch118: 0118-char-Disable-write-callback-if-throttled-chardev-is-.patch
 # General bug fixes
 Patch201: Fix_save-restore_of_in-kernel_i8259.patch
+# Feature patches, should be in 1.1 before release
+Patch301: enable_architectural_PMU_cpuid_leaf.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
 BuildRequires: libaio-devel
@@ -333,6 +337,7 @@ such as kvm_stat.
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
+%patch27 -p1
 %patch101 -p1
 %patch102 -p1
@@ -355,6 +360,8 @@ such as kvm_stat.
 %patch201 -p1
+%patch301 -p1
+
 %build
 # By default we build everything, but allow x86 to build a minimal version
 # with only similar arch target support
@@ -733,6 +740,10 @@ fi
 %{_mandir}/man1/qemu-img.1*
 %changelog
+* Tue Jan 24 2012 Justin M. Forbes - 2:1.0-3
+- Add support for vPMU
+- e1000: bounds packet size against buffer size CVE-2012-0029
+
 * Fri Jan 13 2012 Justin M. Forbes - 2:1.0-2
 - Add patches for USB redirect bits
 - Remove palcode-clipper, we don't build it