diff --git a/meta/packages/qemu/qemu-0.9.1+svn/fix_brk.patch b/meta/packages/qemu/qemu-0.9.1+svn/fix_brk.patch
new file mode 100644
index 0000000000..783198d9e3
--- /dev/null
+++ b/meta/packages/qemu/qemu-0.9.1+svn/fix_brk.patch
@@ -0,0 +1,55 @@
+--- qemu/linux-user/syscall.c1	(revision 16)
++++ qemu/linux-user/syscall.c	(working copy)
+@@ -441,7 +441,7 @@
+     if (!new_brk)
+         return target_brk;
+     if (new_brk < target_original_brk)
+-        return -TARGET_ENOMEM;
++        return target_brk;
+ 
+     brk_page = HOST_PAGE_ALIGN(target_brk);
+ 
+@@ -456,12 +456,11 @@
+     mapped_addr = get_errno(target_mmap(brk_page, new_alloc_size,
+                                         PROT_READ|PROT_WRITE,
+                                         MAP_ANON|MAP_FIXED|MAP_PRIVATE, 0, 0));
+-    if (is_error(mapped_addr)) {
+-	return mapped_addr;
+-    } else {
++
++    if (!is_error(mapped_addr))
+ 	target_brk = new_brk;
+-    	return target_brk;
+-    }
++    
++    return target_brk;
+ }
+ 
+ static inline abi_long copy_from_user_fdset(fd_set *fds,
+--- qemu/linux-user/mmap.c1	(revision 16)
++++ qemu/linux-user/mmap.c	(working copy)
+@@ -260,6 +259,9 @@
+             host_start += offset - host_offset;
+         start = h2g(host_start);
+     } else {
++        int flg;
++        target_ulong addr;
++
+         if (start & ~TARGET_PAGE_MASK) {
+             errno = EINVAL;
+             return -1;
+@@ -267,6 +269,14 @@
+         end = start + len;
+         real_end = HOST_PAGE_ALIGN(end);
+         
++        for(addr = real_start; addr < real_end; addr += TARGET_PAGE_SIZE) {
++            flg = page_get_flags(addr);
++            if( flg & PAGE_RESERVED ) {
++                errno = ENXIO;
++                return -1;
++            }
++        }
++
+         /* worst case: we cannot map the file because the offset is not
+            aligned, so we read it */
+         if (!(flags & MAP_ANONYMOUS) &&
diff --git a/meta/packages/qemu/qemu-0.9.1+svn/fix_protection_bits.patch b/meta/packages/qemu/qemu-0.9.1+svn/fix_protection_bits.patch
new file mode 100644
index 0000000000..ee2b077602
--- /dev/null
+++ b/meta/packages/qemu/qemu-0.9.1+svn/fix_protection_bits.patch
@@ -0,0 +1,14 @@
+Index: qemu-0.9.1/linux-user/mmap.c
+===================================================================
+--- qemu-0.9.1.orig/linux-user/mmap.c	2008-04-16 14:10:26.000000000 +0100
++++ qemu-0.9.1/linux-user/mmap.c	2008-04-16 14:10:51.000000000 +0100
+@@ -49,8 +49,7 @@
+     end = start + len;
+     if (end < start)
+         return -EINVAL;
+-    if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
+-        return -EINVAL;
++    prot = prot & (PROT_READ | PROT_WRITE | PROT_EXEC);
+     if (len == 0)
+         return 0;
+ 
diff --git a/meta/packages/qemu/qemu_svn.bb b/meta/packages/qemu/qemu_svn.bb
index 0a55ba8736..802d47b71b 100644
--- a/meta/packages/qemu/qemu_svn.bb
+++ b/meta/packages/qemu/qemu_svn.bb
@@ -1,7 +1,7 @@
 LICENSE = "GPL"
 DEPENDS = "zlib"
 PV = "0.9.1+svnr${SRCREV}"
-PR = "r2"
+PR = "r3"
 
 FILESPATH = "${FILE_DIRNAME}/qemu-0.9.1+svn/"
 
@@ -31,6 +31,8 @@ SRC_URI = "\
     file://workaround_bad_futex_headers.patch;patch=1 \
     file://fix_segfault.patch;patch=1 \
     file://no-strip.patch;patch=1 \
+    file://fix_brk.patch;patch=1 \
+    file://fix_protection_bits.patch;patch=1 \
     file://qemu-n800-support.patch;patch=1"
 
 S = "${WORKDIR}/trunk"