diff --git a/xen.spec b/xen.spec
index b08057e..a9884a0 100644
--- a/xen.spec
+++ b/xen.spec
@@ -53,7 +53,7 @@
 Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.4.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
@@ -109,6 +109,7 @@
 Patch28: xsa108.patch
 Patch29: xsa109.patch
 Patch30: xsa110.patch
 Patch31: CVE-2014-0150.patch
+Patch32: xsa113.patch
 Patch99: xen.figs.disable.patch
 Patch100: xen-configure-xend.patch
@@ -303,6 +304,7 @@ manage Xen virtual machines.
 %patch29 -p1
 %patch30 -p1
 %patch31 -p1
+%patch32 -p1
 %patch99 -p1
 %patch100 -p1
 
@@ -905,6 +907,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Thu Nov 20 2014 Michael Young - 4.4.1-8
+- Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
+  [XSA-113] (#1166261)
+
 * Tue Nov 18 2014 Michael Young - 4.4.1-7
 - Insufficient restrictions on certain MMU update hypercalls [XSA-109,
   CVE-2014-8594] (#1165205)
diff --git a/xsa113.patch b/xsa113.patch
new file mode 100644
index 0000000..adc8bba
--- /dev/null
+++ b/xsa113.patch
@@ -0,0 +1,45 @@
+x86/mm: fix a reference counting error in MMU_MACHPHYS_UPDATE
+
+Any domain which can pass the XSM check against a translated guest can cause a
+page reference to be leaked.
+
+While shuffling the order of checks, drop the quite-pointless MEM_LOG(). This
+brings the check in line with similar checks in the vicinity.
+
+Discovered while reviewing the XSA-109/110 followup series.
+
+This is XSA-113.
+
+Signed-off-by: Andrew Cooper
+Reviewed-by: Jan Beulich
+Reviewed-by: Tim Deegan
+
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -3619,6 +3619,12 @@ long do_mmu_update(
+ 
+         case MMU_MACHPHYS_UPDATE:
+ 
++            if ( unlikely(paging_mode_translate(pg_owner)) )
++            {
++                rc = -EINVAL;
++                break;
++            }
++
+             mfn = req.ptr >> PAGE_SHIFT;
+             gpfn = req.val;
+ 
+@@ -3638,13 +3644,6 @@ long do_mmu_update(
+                 break;
+             }
+ 
+-            if ( unlikely(paging_mode_translate(pg_owner)) )
+-            {
+-                MEM_LOG("Mach-phys update on auto-translate guest");
+-                rc = -EINVAL;
+-                break;
+-            }
+-
+             set_gpfn_from_mfn(mfn, gpfn);
+ 
+             paging_mark_dirty(pg_owner, mfn);
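Review bot: The relocated early-return block in the first inner hunk carries no comment explaining why it must sit before the page reference is acquired, even though that ordering is the entire fix; a later reorder of the checks would silently reintroduce the leak. I would add `/* Must precede the page reference taken below: a translated guest is rejected before there is anything to undo (XSA-113). */` directly above `if ( unlikely(paging_mode_translate(pg_owner)) )`. The lines that actually take the reference, and do_mmu_update itself, lie outside both inner hunks, so whether every early `break` between the new check and `set_gpfn_from_mfn()` still releases what it acquired can only be confirmed against the full function. Dropping `MEM_LOG()` also makes the `-EINVAL` path silent, which the description states is deliberate; operators who used that log line to spot guests issuing rejected mach-phys updates should be aware it is gone.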