diff --git a/block-backend-Stop-retrying-when-draining.patch b/block-backend-Stop-retrying-when-draining.patch
new file mode 100644
index 0000000000000000000000000000000000000000..13f3ad64d1c2d2db02d830ca67ee3f90e893e46a
--- /dev/null
+++ b/block-backend-Stop-retrying-when-draining.patch
@@ -0,0 +1,37 @@
+From da64af4b1e92c345296d937e66136f86027d1ca2 Mon Sep 17 00:00:00 2001
+From: Jiahui Cen
+Date: Thu, 25 Feb 2021 18:03:57 +0800
+Subject: [PATCH] block-backend: Stop retrying when draining
+
+Retrying failed requests when draining would make the draining hung. So it
+is better not to trigger the retry timer when draining. And after the
+virtual devices go back to work, they would retry those queued requests.
+
+Signed-off-by: Jiahui Cen
+Signed-off-by: Ying Fang
+---
+ block/block-backend.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/block/block-backend.c b/block/block-backend.c
+index 2d812e2254..f6c918f1d9 100644
+--- a/block/block-backend.c
++++ b/block/block-backend.c
+@@ -1741,9 +1741,11 @@ void blk_error_action(BlockBackend *blk, BlockErrorAction action,
+ send_qmp_error_event(blk, action, is_read, error);
+ qemu_system_vmstop_request(RUN_STATE_IO_ERROR);
+ } else if (action == BLOCK_ERROR_ACTION_RETRY) {
+- timer_mod(blk->retry_timer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) +
+- blk->retry_interval);
+- send_qmp_error_event(blk, action, is_read, error);
++ if (!blk->quiesce_counter) {
++ timer_mod(blk->retry_timer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) +
++ blk->retry_interval);
++ send_qmp_error_event(blk, action, is_read, error);
++ }
+ } else {
+ send_qmp_error_event(blk, action, is_read, error);
+ }
+--
+2.27.0
+
diff --git a/ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch b/ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch
new file mode 100644
index 0000000000000000000000000000000000000000..da58bb9cc28d6e193d7b55ba530768d69a04324a
--- /dev/null
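Review bot: The new `if (!blk->quiesce_counter)` guard also swallows `send_qmp_error_event()`, so an I/O error that hits while the backend is drained emits no BLOCK_IO_ERROR event at all and management never learns that a request failed and is parked for retry; the commit message only argues for not arming the timer. Guard only the timer and keep the event unconditional: `if (!blk->quiesce_counter) { timer_mod(blk->retry_timer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) + blk->retry_interval); }` followed by `send_qmp_error_event(blk, action, is_read, error);` after the closing brace. The message also relies on "the virtual devices" re-arming the retry once drain ends, but nothing in this hunk re-arms `retry_timer`, so if the drained_end path (not visible here) does not kick the queued requests they presumably stay parked until the next error arrives — a one-line comment at the guard naming who re-arms it would make that contract checkable. `blk_error_action` starts before and ends after this hunk.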
+++ b/ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch
@@ -0,0 +1,52 @@
+From 5209fbd340efe3fa7f8ea82f671db2fa04dda19b Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Tue, 23 Feb 2021 15:20:03 +0800
+Subject: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
+
+Fix CVE-2020-29443
+
+During data transfer via packet command in 'ide_atapi_cmd_reply_end'
+'s->io_buffer_index' could exceed the 's->io_buffer' length, leading
+to OOB access issue. Add check to avoid it.
+
+ ...
+ #9 ahci_pio_transfer ../hw/ide/ahci.c:1383
+ #10 ide_transfer_start_norecurse ../hw/ide/core.c:553
+ #11 ide_atapi_cmd_reply_end ../hw/ide/atapi.c:284
+ #12 ide_atapi_cmd_read_pio ../hw/ide/atapi.c:329
+ #13 ide_atapi_cmd_read ../hw/ide/atapi.c:442
+ #14 cmd_read ../hw/ide/atapi.c:988
+ #15 ide_atapi_cmd ../hw/ide/atapi.c:1352
+ #16 ide_transfer_start ../hw/ide/core.c:561
+ #17 cmd_packet ../hw/ide/core.c:1729
+ #18 ide_exec_cmd ../hw/ide/core.c:2107
+ #19 handle_reg_h2d_fis ../hw/ide/ahci.c:1267
+ #20 handle_cmd ../hw/ide/ahci.c:1318
+ #21 check_cmd ../hw/ide/ahci.c:592
+ #22 ahci_port_write ../hw/ide/ahci.c:373
+ #23 ahci_mem_write ../hw/ide/ahci.c:513
+
+Reported-by: Wenxiang Qian
+Signed-off-by: Prasad J Pandit
+
+Signed-off-by: Jiajie Li
+---
+ hw/ide/atapi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 1b0f66cc08..fc9dc87f03 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -300,6 +300,9 @@ void ide_atapi_cmd_reply_end(IDEState *s)
+ s->packet_transfer_size -= size;
+ s->elementary_transfer_size -= size;
+ s->io_buffer_index += size;
++ if (s->io_buffer_index > s->io_buffer_total_len) {
++ return;
++ }
+
+ /* Some adapters process PIO data right away. In that case, we need
+ * to avoid mutual recursion between ide_transfer_start
+--
+2.27.0
+
diff --git a/qemu.spec b/qemu.spec
index da3f255f52785be7d391d49ddb881d840e83b3c4..1efb716fa89eaf91d81882785a10923e6338bbc7 100644
--- a/qemu.spec
+++ b/qemu.spec
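Review bot: The new bounds check runs after `s->packet_transfer_size`, `s->elementary_transfer_size` and `s->io_buffer_index` have already been advanced for this chunk, and the bare `return` leaves the ATAPI command neither completed nor failed: no transfer is started, no error is signalled to the guest, and the counters now describe a transfer that never happened. That closes the out-of-bounds read from CVE-2020-29443 but converts it into a silently stalled command with inconsistent state; the guest-visible outcome should be an explicit ATAPI error through the file's existing error path, or at least the early exit should carry a comment such as `/* io_buffer_index ran past io_buffer: abort instead of reading past the buffer; the command is left incomplete (TODO: report an error to the guest). */`. The check also guards the symptom only — the trace shows the oversized transfer originating in `cmd_read`/`ide_atapi_cmd_read`, which this patch does not touch, so an overlong request presumably still gets this far before being stopped; confirm whether the backport's target tree validates the request size at that point. `ide_atapi_cmd_reply_end` begins and ends outside the hunk.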
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 46
+Release: 47
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -309,6 +309,8 @@ Patch0296: configure-Enable-test-and-libs-for-zstd.patch
 Patch0297: ati-use-vga_read_byte-in-ati_cursor_define.patch
 Patch0298: sd-sdhci-assert-data_count-is-within-fifo_buffer.patch
 Patch0299: msix-add-valid.accepts-methods-to-check-address.patch
+Patch0300: ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch
+Patch0301: block-backend-Stop-retrying-when-draining.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -688,6 +690,12 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Fri Feb 26 2021 Huawei Technologies Co., Ltd
+- block-backend: Stop retrying when draining
+
+* Fri Feb 26 2021 Huawei Technologies Co., Ltd
+- ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
+
 * Fri Feb 19 2021 Huawei Technologies Co., Ltd
 - ati: use vga_read_byte in ati_cursor_define
 - sd: sdhci: assert data_count is within fifo_buffer