diff --git a/0001-unix-password-Fix-file-descriptor-leak.patch b/0001-unix-password-Fix-file-descriptor-leak.patch
new file mode 100644
index 0000000..73811f9
--- /dev/null
+++ b/0001-unix-password-Fix-file-descriptor-leak.patch
@@ -0,0 +1,34 @@
+From 810254093959708aa6a260c59ad3cf3a1d250755 Mon Sep 17 00:00:00 2001
+From: Vladimir Serbinenko <phcoder@gmail.com>
+Date: Mon, 26 Jan 2015 09:53:03 +0100
+Subject: [PATCH] unix/password: Fix file descriptor leak.
+
+Found by: Coverity scan.
+---
+ grub-core/osdep/unix/password.c |    7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+Index: grub-2.02~beta2/grub-core/osdep/unix/password.c
+===================================================================
+--- grub-2.02~beta2.orig/grub-core/osdep/unix/password.c	2013-12-25 00:29:26.000000000 +0800
++++ grub-2.02~beta2/grub-core/osdep/unix/password.c	2015-09-22 17:10:01.109530851 +0800
+@@ -53,7 +53,10 @@
+     tty_changed = 0;
+   grub_memset (buf, 0, buf_size);
+   if (!fgets (buf, buf_size, stdin))
+-    return 0;
++    {
++      fclose (in);
++      return 0;
++    }
+   ptr = buf + strlen (buf) - 1;
+   while (buf <= ptr && (*ptr == '\n' || *ptr == '\r'))
+     *ptr-- = 0;
+@@ -64,5 +67,7 @@
+   grub_xputs ("\n");
+   grub_refresh ();
+ 
++  fclose (in);
++
+   return 1;
+ }
diff --git a/0002-linux-getroot-fix-descriptor-leak.patch b/0002-linux-getroot-fix-descriptor-leak.patch
new file mode 100644
index 0000000..582a1c2
--- /dev/null
+++ b/0002-linux-getroot-fix-descriptor-leak.patch
@@ -0,0 +1,24 @@
+From 6704abade6674a91d8c652a7e4596ca3421411b6 Mon Sep 17 00:00:00 2001
+From: Andrei Borzenkov <arvidjaar@gmail.com>
+Date: Mon, 26 Jan 2015 21:38:40 +0300
+Subject: [PATCH] linux/getroot: fix descriptor leak.
+
+Found by: Coverity scan.
+---
+ grub-core/osdep/linux/getroot.c |    4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+Index: grub-2.02~beta2/grub-core/osdep/linux/getroot.c
+===================================================================
+--- grub-2.02~beta2.orig/grub-core/osdep/linux/getroot.c	2015-09-22 17:10:33.177530851 +0800
++++ grub-2.02~beta2/grub-core/osdep/linux/getroot.c	2015-09-22 17:13:27.269530851 +0800
+@@ -368,7 +368,8 @@
+ 	ret[1+namelen] = '\0';
+     }
+   if (!ret)
+-    return xstrdup ("/");
++    ret = xstrdup ("/");
++  close (fd);
+   return ret;
+ }
+ 
diff --git a/0003-util-grub-mount-fix-descriptor-leak.patch b/0003-util-grub-mount-fix-descriptor-leak.patch
new file mode 100644
index 0000000..26b8339
--- /dev/null
+++ b/0003-util-grub-mount-fix-descriptor-leak.patch
@@ -0,0 +1,22 @@
+From 1a87156e01e3cb873f3479c31c34c97fb690eb71 Mon Sep 17 00:00:00 2001
+From: Andrei Borzenkov <arvidjaar@gmail.com>
+Date: Mon, 26 Jan 2015 22:24:28 +0300
+Subject: [PATCH] util/grub-mount: fix descriptor leak.
+
+Found by: Coverity scan.
+---
+ util/grub-mount.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+Index: grub-2.02~beta2/util/grub-mount.c
+===================================================================
+--- grub-2.02~beta2.orig/util/grub-mount.c	2013-12-25 00:29:28.000000000 +0800
++++ grub-2.02~beta2/util/grub-mount.c	2015-09-22 17:15:44.525530851 +0800
+@@ -511,6 +511,7 @@
+ 	      return 0;
+ 	    }
+ 	  grub_zfs_add_key (buf, real_size, 0);
++	  fclose (f);
+ 	}
+       return 0;
+ 
diff --git a/0004-linux-ofpath-fix-descriptor-leak.patch b/0004-linux-ofpath-fix-descriptor-leak.patch
new file mode 100644
index 0000000..d8395a2
--- /dev/null
+++ b/0004-linux-ofpath-fix-descriptor-leak.patch
@@ -0,0 +1,23 @@
+From 637fc62699e7ae3f0057e1c56d330eb193fd40b6 Mon Sep 17 00:00:00 2001
+From: Andrei Borzenkov <arvidjaar@gmail.com>
+Date: Tue, 27 Jan 2015 20:29:00 +0300
+Subject: [PATCH] linux/ofpath: fix descriptor leak
+
+Found by: Coverity scan
+---
+ grub-core/osdep/linux/ofpath.c |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+Index: grub-2.02~beta2/grub-core/osdep/linux/ofpath.c
+===================================================================
+--- grub-2.02~beta2.orig/grub-core/osdep/linux/ofpath.c	2013-12-25 00:29:26.000000000 +0800
++++ grub-2.02~beta2/grub-core/osdep/linux/ofpath.c	2015-09-22 17:16:06.869530851 +0800
+@@ -122,6 +122,8 @@
+       fd = open(path, O_RDONLY);
+       if (fd < 0 || fstat (fd, &st) < 0)
+ 	{
++	  if (fd >= 0)
++	    close (fd);
+ 	  snprintf(path, path_size, "%s/devspec", sysfs_path);
+ 	  fd = open(path, O_RDONLY);
+ 	}
diff --git a/0005-grub-fstest-fix-descriptor-leak.patch b/0005-grub-fstest-fix-descriptor-leak.patch
new file mode 100644
index 0000000..f89568f
--- /dev/null
+++ b/0005-grub-fstest-fix-descriptor-leak.patch
@@ -0,0 +1,28 @@
+From 151c19a42a8ea76395fdb579221198156da9c026 Mon Sep 17 00:00:00 2001
+From: Andrei Borzenkov <arvidjaar@gmail.com>
+Date: Fri, 30 Jan 2015 22:45:58 +0300
+Subject: [PATCH] grub-fstest: fix descriptor leak
+
+Found by: Coverity scan.
+---
+ util/grub-fstest.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+Index: grub-2.02~beta2/util/grub-fstest.c
+===================================================================
+--- grub-2.02~beta2.orig/util/grub-fstest.c	2013-12-25 00:40:31.000000000 +0800
++++ grub-2.02~beta2/util/grub-fstest.c	2015-09-22 17:16:23.177530851 +0800
+@@ -570,12 +570,12 @@
+ 	    return 0;
+ 	  }
+ 	real_size = fread (buf, 1, 1024, f);
++	fclose (f);
+ 	if (real_size < 0)
+ 	  {
+ 	    printf (_("%s: error:"), program_name);
+ 	    printf (_("cannot read `%s': %s"), arg, strerror (errno));
+ 	    printf ("\n");
+-	    fclose (f);
+ 	    return 0;
+ 	  }
+ 	grub_zfs_add_key (buf, real_size, 0);
diff --git a/grub2-once b/grub2-once
index 464d003..4ea17f2 100644
--- a/grub2-once
+++ b/grub2-once
@@ -89,6 +89,13 @@ while (<MENU>) {
 
 close (MENU);
 
+if (open(MENU, "<$grub2_dir/custom.cfg")) {
+    while (<MENU>) {
+	&parse_menuentry ("", $_);
+    }
+    close (MENU);
+}
+
 my $ret = "";
 my $name = "";
 my $id = -1;
diff --git a/grub2-secureboot-provide-linuxefi-config.patch b/grub2-secureboot-provide-linuxefi-config.patch
index 5f1bd29..d313c9b 100644
--- a/grub2-secureboot-provide-linuxefi-config.patch
+++ b/grub2-secureboot-provide-linuxefi-config.patch
@@ -51,7 +51,7 @@ Index: grub-2.02~beta2/util/grub.d/10_linux.in
 +  if [ -d /sys/firmware/efi ] && [ "x${GRUB_USE_LINUXEFI}" = "xtrue" ]; then
      sed "s/^/$submenu_indentation/" << EOF
  	echo	'$message'
- 	linuxefi ${rel_dirname}/${basename} ${root_device} ro ${args}
+ 	linuxefi ${rel_dirname}/${basename} ${root_device} ${args}
 @@ -147,7 +147,7 @@ EOF
    if test -n "${initrd}" ; then
      # TRANSLATORS: ramdisk isn't identifier. Should be translated.
diff --git a/grub2-secureboot-use-linuxefi-on-uefi.patch b/grub2-secureboot-use-linuxefi-on-uefi.patch
index 49854cc..ce7f8e6 100644
--- a/grub2-secureboot-use-linuxefi-on-uefi.patch
+++ b/grub2-secureboot-use-linuxefi-on-uefi.patch
@@ -23,7 +23,7 @@ Index: grub-2.02~beta2/util/grub.d/10_linux.in
 +  if [ -d /sys/firmware/efi ]; then
 +    sed "s/^/$submenu_indentation/" << EOF
 +	echo	'$message'
-+	linuxefi ${rel_dirname}/${basename} ${root_device} ro ${args}
++	linuxefi ${rel_dirname}/${basename} ${root_device} ${args}
 +EOF
 +  else
 +    sed "s/^/$submenu_indentation/" << EOF
diff --git a/grub2.changes b/grub2.changes
index 087bbc8..b8b1784 100644
--- a/grub2.changes
+++ b/grub2.changes
@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Sun Oct 18 11:45:10 UTC 2015 - eich@suse.com
+
+- Include custom.cfg into the files scanned by grub2-once.
+  Allows to chose manually added entries as well (FATE#319632).
+
+-------------------------------------------------------------------
+Wed Oct  7 09:01:37 UTC 2015 - mchang@suse.com
+
+- Upstream patches for fixing file descriptor leakage (bsc#943784) 
+  * added 0001-unix-password-Fix-file-descriptor-leak.patch
+  * added 0002-linux-getroot-fix-descriptor-leak.patch
+  * added 0003-util-grub-mount-fix-descriptor-leak.patch
+  * added 0004-linux-ofpath-fix-descriptor-leak.patch
+  * added 0005-grub-fstest-fix-descriptor-leak.patch
+
+-------------------------------------------------------------------
+Tue Oct  6 07:59:47 UTC 2015 - mchang@suse.com
+
+- Do not force ro option in linuxefi patch (bsc#948555)
+  * modified grub2-secureboot-use-linuxefi-on-uefi.patch
+  * refrehed grub2-secureboot-provide-linuxefi-config.patch
+
 -------------------------------------------------------------------
 Wed Sep 23 20:02:47 UTC 2015 - dmueller@suse.com
 
diff --git a/grub2.spec b/grub2.spec
index 5686788..250b7f0 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -253,6 +253,12 @@ Patch238:       grub2-arm64-Reduce-timer-event-frequency-by-10.patch
 Patch239:       grub2-arm64-set-correct-length.patch
 Patch240:       grub2-arm64-setjmp-Add-missing-license-macro.patch
 Patch241:       grub2-arm64-efinet-handle-get_status-on-buggy-firmware-properly.patch
+# Upstream patches for fixing file descriptor leakage (bsc#943784)
+Patch260:       0001-unix-password-Fix-file-descriptor-leak.patch
+Patch261:       0002-linux-getroot-fix-descriptor-leak.patch
+Patch262:       0003-util-grub-mount-fix-descriptor-leak.patch
+Patch263:       0004-linux-ofpath-fix-descriptor-leak.patch
+Patch264:       0005-grub-fstest-fix-descriptor-leak.patch
 
 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140
@@ -517,6 +523,11 @@ mv po/grub.pot po/%{name}.pot
 %patch239 -p1
 %patch240 -p1
 %patch241 -p1
+%patch260 -p1
+%patch261 -p1
+%patch262 -p1
+%patch263 -p1
+%patch264 -p1
 
 # Generate po/LINGUAS for message catalogs ...
 ./linguas.sh