diff --git a/0001-net-tap-fix-crash-on-hotplug.patch b/0001-net-tap-fix-crash-on-hotplug.patch
new file mode 100644
index 0000000..38dc0df
--- /dev/null
+++ b/0001-net-tap-fix-crash-on-hotplug.patch
@@ -0,0 +1,51 @@
+From 3f6be9c84782a0943ea21a8a6f8a5d055b65f2d5 Mon Sep 17 00:00:00 2001
+Message-Id: <3f6be9c84782a0943ea21a8a6f8a5d055b65f2d5.1619018363.git.crobinso@redhat.com>
+From: Cole Robinson
+Date: Wed, 21 Apr 2021 11:12:07 -0400
+Subject: [PATCH-for-6.0] net: tap: fix crash on hotplug
+
+Attempting to hotplug a tap nic with libvirt will crash qemu:
+
+$ sudo virsh attach-interface f32 network default
+error: Failed to attach interface
+error: Unable to read from monitor: Connection reset by peer
+
+0x000055875b7f3a99 in tap_send (opaque=0x55875e39eae0) at ../net/tap.c:206
+206 if (!s->nc.peer->do_not_pad) {
+gdb$ bt
+
+s->nc.peer may not be set at this point. This seems to be an
+expected case, as qemu_send_packet_* explicitly checks for NULL
+s->nc.peer later.
+
+Fix it by checking for s->nc.peer here too. Padding is applied if
+s->nc.peer is not set.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1949786
+Fixes: 969e50b61a2
+
+Signed-off-by: Cole Robinson
+---
+* Or should we skip padding if nc.peer is unset? I didn't dig into it
+* tap-win3.c and slirp.c may need a similar fix, but the slirp case
+ didn't crash in a simple test.
+
+ net/tap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tap.c b/net/tap.c
+index dd42ac6134..937559dbb8 100644
+--- a/net/tap.c
++++ b/net/tap.c
+@@ -203,7 +203,7 @@ static void tap_send(void *opaque)
+ size -= s->host_vnet_hdr_len;
+ }
+
+- if (!s->nc.peer->do_not_pad) {
++ if (!s->nc.peer || !s->nc.peer->do_not_pad) {
+ if (eth_pad_short_frame(min_pkt, &min_pktsz, buf, size)) {
+ buf = min_pkt;
+ size = min_pktsz;
+--
+2.31.1
+
diff --git a/qemu.spec b/qemu.spec
index 1a66659..6c2ee7d 100644
--- a/qemu.spec
+++ b/qemu.spec
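Review bot: In the embedded net/tap.c hunk the new condition `if (!s->nc.peer || !s->nc.peer->do_not_pad)` makes a NULL peer always take the padding path, while the cover text below the `---` marker says the author did not dig into whether padding should be skipped instead, so the decision is recorded only in the patch description and not in the code. A comment above the changed line, `/* no peer yet (e.g. during hotplug): pad, as qemu_send_packet_* handles a NULL peer later */`, would carry the reasoning from the commit message into the source. The same cover text names tap-win3.c (presumably tap-win32.c) and slirp.c as possible siblings of this dereference, and the packaging carries only the tap.c fix, so that open question travels with this patch until it lands upstream. tap_send begins and ends outside the embedded hunk.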
@@ -236,7 +236,7 @@
 %{obsoletes_block_rbd}
 # Release candidate version tracking
-%global rcver rc2
+%global rcver rc4
 %if 0%{?rcver:1}
 %global rcrel .%{rcver}
 %global rcstr -%{rcver}
@@ -246,7 +246,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 6.0.0
-Release: 0.2%{?rcrel}%{?dist}
+Release: 0.3%{?rcrel}%{?dist}
 Epoch: 2
 License: GPLv2 and BSD and MIT and CC-BY
 URL: http://www.qemu.org/
@@ -265,8 +265,7 @@ Source20: kvm-x86.modprobe.conf
 # /etc/security/limits.d/95-kvm-ppc64-memlock.conf
 Source21: 95-kvm-ppc64-memlock.conf
-# Upstream patch to make iotests/qsd-jobs test stable on slow machines.
-Patch1: 0001-iotests-qsd-jobs-Filter-events-in-the-first-test.patch
+Patch0001: 0001-net-tap-fix-crash-on-hotplug.patch
 BuildRequires: make
 BuildRequires: meson
@@ -1883,6 +1882,9 @@ getent passwd qemu >/dev/null || \
 %changelog
+* Wed Apr 21 2021 Cole Robinson - 2:6.0.0-0.3.rc4
+- Rebase to qemu 6.0.0-rc4
+
 * Wed Apr 14 2021 Richard W.M. Jones - 2:6.0.0-0.2.rc2
 - Rebuild for updated liburing.
diff --git a/sources b/sources
index 617b038..d5c4f41 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (qemu-6.0.0-rc2.tar.xz) = ea69b25fe02e29d4c5cb071a8579f0f97d1eb4ee8cb2d3d66f5bd2f00d2e3e85ff6678f9470e017757a5ce39af689347c68eae559a44bfaf7170434c19978e72
+SHA512 (qemu-6.0.0-rc4.tar.xz) = 4435d0b2a23a6108dc884dd6824540b4a855e4de90a02ff2581ec54ee66f3503057e2f8f75839183b5e04e294acb240d766841b6f6e60f1cea6912bc84cdd837
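Review bot: `Patch0001: 0001-net-tap-fix-crash-on-hotplug.patch` in the -265,8 hunk is added without the provenance comment the removed `Patch1:` line carried, so the next rebase cannot tell from the spec alone whether the patch is a pending upstream submission or a permanent downstream change. A comment above it such as `# Proposed upstream fix for a NULL-peer crash on tap nic hotplug, https://bugzilla.redhat.com/show_bug.cgi?id=1949786` would give that context, and the changelog entry could also say that the iotests patch was dropped because rc4 no longer needs it, which the diff implies but does not state. The section of the spec that applies patches is outside this diff, so whether the renumbering from Patch1 to Patch0001 matches the application mechanism used there (explicit %patch lines versus %autosetup/%autopatch) cannot be confirmed from this hunk.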