diff --git a/Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch b/Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
new file mode 100644
index 0000000000000000000000000000000000000000..66f2706d5c36e3e02b2e73cb1c83703f3b2bb499
--- /dev/null
+++ b/Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
@@ -0,0 +1,44 @@
+From 477c7aea5f2f9090c016c0a9813dc5901bd1b66a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 24 Apr 2020 11:36:41 +0800
+Subject: [PATCH] Fix use-afte-free in ip_reass() (CVE-2020-1983)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The q pointer is updated when the mbuf data is moved from m_dat to
+m_ext.
+
+m_ext buffer may also be realloc()'ed and moved during m_cat():
+q should also be updated in this case.
+
+Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
+index 89ae04e0..7fdde631 100644
+--- a/slirp/src/ip_input.c
++++ b/slirp/src/ip_input.c
+@@ -333,7 +333,7 @@ insert:
+     q = fp->frag_link.next;
+ 	m = dtom(slirp, q);
+ 
+-	int was_ext = m->m_flags & M_EXT;
++	int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
+ 
+ 	q = (struct ipasfrag *) q->ipf_next;
+ 	while (q != (struct ipasfrag*)&fp->frag_link) {
+@@ -356,8 +356,7 @@ insert:
+ 	 * then an m_ext buffer was alloced. But fp->ipq_next points to the old
+ 	 * buffer (in the mbuf), so we must point ip into the new buffer.
+ 	 */
+-	if (!was_ext && m->m_flags & M_EXT) {
+-	  int delta = (char *)q - m->m_dat;
++	if (m->m_flags & M_EXT) {
+ 	  q = (struct ipasfrag *)(m->m_ext + delta);
+ 	}
+ 
+-- 
+2.23.0
+
diff --git a/qemu.spec b/qemu.spec
index c2a390b06ad96488c8acb43fc007dd97e068c8fa..c5b4d7b1599baf6352172f82296a6af981241690 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -47,7 +47,7 @@ Patch0034: tcp_emu-Fix-oob-access.patch
 Patch0035: slirp-use-correct-size-while-emulating-IRC-commands.patch
 Patch0036: slirp-use-correct-size-while-emulating-commands.patch
 Patch0037: tcp_emu-fix-unsafe-snprintf-usages.patch
-Patch0038: block-iscsi-use-MIN-between-mx_sb_len-and-sb_len_wr.patch 
+Patch0038: block-iscsi-use-MIN-between-mx_sb_len-and-sb_len_wr.patch
 Patch0039: monitor-fix-memory-leak-in-monitor_fdset_dup_fd_find.patch
 Patch0040: vhost-Fix-memory-region-section-comparison.patch
 Patch0041: memory-Align-MemoryRegionSections-fields.patch
@@ -63,6 +63,7 @@ Patch0050: pcie-Add-pcie-root-port-fast-plug-unplug-feature.patch
 Patch0051: pcie-Compat-with-devices-which-do-not-support-Link-W.patch
 Patch0052: aio-wait-delegate-polling-of-main-AioContext-if-BQL-not-held.patch
 Patch0053: async-use-explicit-memory-barriers.patch
+Patch0054: Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -398,7 +399,10 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
-* Sat Apr 11 4 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
+* Fri Apr 24 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
+- Fix use-afte-free in ip_reass() (CVE-2020-1983)
+
+* Sat Apr 11 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
 - aio-wait: delegate polling of main AioContext if BQL not held
 - async: use explicit memory barriers