diff --git a/hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch b/hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
new file mode 100644
index 0000000000000000000000000000000000000000..29227bb15a2e7d92eb8546e12acd336f2fb0fbf8
--- /dev/null
+++ b/hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
@@ -0,0 +1,70 @@
+From 1945ba6791d8b47495eb17a934c3fe6ed49fc7a0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Mon, 21 Jun 2021 10:12:41 +0800
+Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2021-20221
+
+Per the ARM Generic Interrupt Controller Architecture specification
+(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
+not 10:
+
+  - 4.3 Distributor register descriptions
+  - 4.3.15 Software Generated Interrupt Register, GICD_SG
+
+    - Table 4-21 GICD_SGIR bit assignments
+
+    The Interrupt ID of the SGI to forward to the specified CPU
+    interfaces. The value of this field is the Interrupt ID, in
+    the range 0-15, for example a value of 0b0011 specifies
+    Interrupt ID 3.
+
+Correct the irq mask to fix an undefined behavior (which eventually
+lead to a heap-buffer-overflow, see [Buglink]):
+
+   $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
+   [I 1612088147.116987] OPENED
+  [R +0.278293] writel 0x8000f00 0xff4affb0
+  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
+  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
+
+This fixes a security issue when running with KVM on Arm with
+kernel-irqchip=off. (The default is kernel-irqchip=on, which is
+unaffected, and which is also the correct choice for performance.)
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20221
+Fixes: 9ee6e8bb ("ARMv7 support.")
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
+
+Reported-by: Alexander Bulekov's avatarAlexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé's avatarPhilippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20210131103401.217160-1-f4bug@amsat.org
+Reviewed-by: Peter Maydell's avatarPeter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell's avatarPeter Maydell <peter.maydell@linaro.org>
+
+Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
+---
+ hw/intc/arm_gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
+index 77427a4188..492dabaa1c 100644
+--- a/hw/intc/arm_gic.c
++++ b/hw/intc/arm_gic.c
+@@ -1454,7 +1454,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
+         int target_cpu;
+ 
+         cpu = gic_get_current_cpu(s);
+-        irq = value & 0x3ff;
++        irq = value & 0xf;
+         switch ((value >> 24) & 3) {
+         case 0:
+             mask = (value >> 16) & ALL_CPU_MASK;
+-- 
+2.27.0
+
diff --git a/ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch b/ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch
new file mode 100644
index 0000000000000000000000000000000000000000..89d19e83e2b0028fb269d81108801c9aaa408f4a
--- /dev/null
+++ b/ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch
@@ -0,0 +1,40 @@
+From 1e03baec956a0fa1b74cf1a34d811f0a4baefa56 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <address@hidden>
+Date: Mon, 21 Jun 2021 09:22:35 +0800
+Subject: [PATCH] ide: ahci: add check to avoid null dereference
+ (CVE-2019-12067)
+
+Fix CVE-2019-12067
+
+AHCI emulator while committing DMA buffer in ahci_commit_buf()
+may do a NULL dereference if the command header 'ad->cur_cmd'
+is null. Add check to avoid it.
+
+Reported-by: Bugs SysSec <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+
+Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
+---
+ hw/ide/ahci.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index 6aaf66534a..a7be0ae4fe 100644
+--- a/hw/ide/ahci.c
++++ b/hw/ide/ahci.c
+@@ -1455,8 +1455,10 @@ static void ahci_commit_buf(IDEDMA *dma, uint32_t tx_bytes)
+ {
+     AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
+ 
+-    tx_bytes += le32_to_cpu(ad->cur_cmd->status);
+-    ad->cur_cmd->status = cpu_to_le32(tx_bytes);
++    if (ad->cur_cmd) {
++        tx_bytes += le32_to_cpu(ad->cur_cmd->status);
++        ad->cur_cmd->status = cpu_to_le32(tx_bytes);
++    }
+ }
+ 
+ static int ahci_dma_rw_buf(IDEDMA *dma, int is_write)
+-- 
+2.27.0
+
diff --git a/qemu.spec b/qemu.spec
index 2fc872e93d1319e272a84db14465a0c2ce389a2c..a272c4ba2010b8e27f1f9841bd4efc70f33a554b 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 48
+Release: 49
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -284,6 +284,9 @@ Patch0271: vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
 Patch0272: vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
 Patch0273: vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
 Patch0274: vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
+Patch0275: ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch
+Patch0276: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
+Patch0277: usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -672,6 +675,11 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Mon Jun 21 2021 Chen Qun <kuhn.chenqun@huawei.com>
+- ide: ahci: add check to avoid null dereference (CVE-2019-12067)
+- hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+- usb: limit combined packets to 1 MiB (CVE-2021-3527)
+
 * Tue Jun 15 2021 Chen Qun <kuhn.chenqun@huawei.com>
 - vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
 - vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)
diff --git a/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch b/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3cf740e9da7e7d50fe9f243b20a7a78c94d1fe0d
--- /dev/null
+++ b/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
@@ -0,0 +1,39 @@
+From 0051b6aa0ec0ba6f029643af9b961a29528be0f9 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 21 Jun 2021 10:19:58 +0800
+Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
+
+Fix CVE-2021-3527
+
+usb-host and usb-redirect try to batch bulk transfers by combining many
+small usb packets into a single, large transfer request, to reduce the
+overhead and improve performance.
+
+This patch adds a size limit of 1 MiB for those combined packets to
+restrict the host resources the guest can bind that way.
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
+
+Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
+---
+ hw/usb/combined-packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
+index 5d57e883dc..e56802f89a 100644
+--- a/hw/usb/combined-packet.c
++++ b/hw/usb/combined-packet.c
+@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
+         if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
+                 next == NULL ||
+                 /* Work around for Linux usbfs bulk splitting + migration */
+-                (totalsize == (16 * KiB - 36) && p->int_req)) {
++                (totalsize == (16 * KiB - 36) && p->int_req) ||
++                /* Next package may grow combined package over 1MiB */
++                totalsize > 1 * MiB - ep->max_packet_size) {
+             usb_device_handle_data(ep->dev, first);
+             assert(first->status == USB_RET_ASYNC);
+             if (first->combined) {
+-- 
+2.27.0
+