diff --git a/xen.spec b/xen.spec
index 9ed202f..e703b86 100644
--- a/xen.spec
+++ b/xen.spec
@@ -27,7 +27,7 @@ Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.2.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
@@ -87,6 +87,7 @@ Patch110: xsa108.patch
 Patch111: xsa109-4.2.patch
 Patch112: xsa110-4.3-and-4.2.patch
 Patch113: CVE-2014-0150.patch
+Patch114: xsa113.patch
 Patch100: xen-configure-xend.patch
@@ -264,6 +265,7 @@ manage Xen virtual machines.
 %patch111 -p1
 %patch112 -p1
 %patch113 -p1
+%patch114 -p1
 %patch100 -p1
@@ -757,6 +759,10 @@ rm -rf %{buildroot}
 %endif
 %changelog
+* Thu Nov 20 2014 Michael Young - 4.2.5-5
+- Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
+ [XSA-113] (#1166261)
+
 * Wed Nov 19 2014 Michael Young - 4.2.5-4
 - Insufficient restrictions on certain MMU update hypercalls [XSA-109, CVE-2014-8594] (#1165205)
diff --git a/xsa113.patch b/xsa113.patch
new file mode 100644
index 0000000..adc8bba
--- /dev/null
+++ b/xsa113.patch
@@ -0,0 +1,45 @@
+x86/mm: fix a reference counting error in MMU_MACHPHYS_UPDATE
+
+Any domain which can pass the XSM check against a translated guest can cause a
+page reference to be leaked.
+
+While shuffling the order of checks, drop the quite-pointless MEM_LOG(). This
+brings the check in line with similar checks in the vicinity.
+
+Discovered while reviewing the XSA-109/110 followup series.
+
+This is XSA-113.
+
+Signed-off-by: Andrew Cooper
+Reviewed-by: Jan Beulich
+Reviewed-by: Tim Deegan
+
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -3619,6 +3619,12 @@ long do_mmu_update(
+
+ case MMU_MACHPHYS_UPDATE:
+
++ if ( unlikely(paging_mode_translate(pg_owner)) )
++ {
++ rc = -EINVAL;
++ break;
++ }
++
+ mfn = req.ptr >> PAGE_SHIFT;
+ gpfn = req.val;
+
+@@ -3638,13 +3644,6 @@ long do_mmu_update(
+ break;
+ }
+
+- if ( unlikely(paging_mode_translate(pg_owner)) )
+- {
+- MEM_LOG("Mach-phys update on auto-translate guest");
+- rc = -EINVAL;
+- break;
+- }
+-
+ set_gpfn_from_mfn(mfn, gpfn);
+
+ paging_mark_dirty(pg_owner, mfn);
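Review bot: The new early check at the top of `case MMU_MACHPHYS_UPDATE:` is what closes the leak, but nothing in the code records that it must stay ahead of the page reference that is presumably taken in the region between the two inner hunks (that region, and the rest of do_mmu_update, lies outside this hunk), so a later reorder could silently reintroduce XSA-113. I would add a comment above the new `if ( unlikely(paging_mode_translate(pg_owner)) )`: `/* Must precede the page reference taken below: rejecting after it leaked the reference (XSA-113). */`. The removed block's `break;` after that reference, with no matching put, is the leak the commit message describes, and the -EINVAL path is now silent because MEM_LOG() went with it; since this path is guest-triggerable, not logging it also removes a hypervisor-log flooding vector, which the message's "in line with similar checks" note appears to support.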