diff --git a/qemu.spec b/qemu.spec
index 57dd698e41800c922759438c4a416b0f59fb66e9..410e6767e50ab901876b200231b728712abad306 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 79
+Release: 80
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -557,6 +557,7 @@ Patch0544: vfio-Add-vfio_prereg_listener_global_log_start-stop-.patch
 Patch0545: hw-arm-smmuv3-Post-load-stage-1-configurations-to-th.patch
 Patch0546: usbredir-fix-free-call.patch
 Patch0547: vfio-common-Fix-incorrect-address-alignment-in-vfio_.patch
+Patch0548: vfio-common-Add-address-alignment-check-in-vfio_list.patch
 
 BuildRequires: flex
 BuildRequires: gcc
@@ -960,6 +961,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Tue Sep 14 2021 Chen Qun <kuhn.chenqun@huawei.com>
+- vfio/common: Add address alignment check in vfio_listener_region_del
+
 * Wed Sep 08 2021 Chen Qun <kuhn.chenqun@huawei.com>
 - vfio/common: Fix incorrect address alignment in vfio_dma_map_ram_section
 
diff --git a/vfio-common-Add-address-alignment-check-in-vfio_list.patch b/vfio-common-Add-address-alignment-check-in-vfio_list.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0aacdcd02d3deecc95da91603e06ec7decc924d1
--- /dev/null
+++ b/vfio-common-Add-address-alignment-check-in-vfio_list.patch
@@ -0,0 +1,53 @@
+From 0a6ee00461c784ef547b8f071ad147fcb89875b6 Mon Sep 17 00:00:00 2001
+From: Kunkun Jiang <jiangkunkun@huawei.com>
+Date: Tue, 14 Sep 2021 14:21:46 +0800
+Subject: [PATCH] vfio/common: Add address alignment check in
+ vfio_listener_region_del
+
+Both vfio_listener_region_add and vfio_listener_region_del have
+reference counting operations on ram section->mr. If the 'iova'
+and 'llend' of the ram section do not pass the alignment
+check, the ram section should not be mapped or unmapped. It means
+that the reference counting should not be changed.
+
+However, the address alignment check is missing in
+vfio_listener_region_del. This makes memory_region_unref will
+be unconditional called and causes unintended problems in some
+scenarios.
+
+Signed-off-by: Kunkun Jiang <jiangkunkun@huawei.com>
+---
+ hw/vfio/common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/vfio/common.c b/hw/vfio/common.c
+index de166dd5f9..6d6a4c6dee 100644
+--- a/hw/vfio/common.c
++++ b/hw/vfio/common.c
+@@ -1149,6 +1149,8 @@ static void vfio_listener_region_del(MemoryListener *listener,
+                                      MemoryRegionSection *section)
+ {
+     VFIOContainer *container = container_of(listener, VFIOContainer, listener);
++    hwaddr iova;
++    Int128 llend;
+ 
+     if (vfio_listener_skipped_section(section)) {
+         trace_vfio_listener_region_del_skip(
+@@ -1198,6 +1200,14 @@ static void vfio_listener_region_del(MemoryListener *listener,
+          */
+     }
+ 
++    iova = REAL_HOST_PAGE_ALIGN(section->offset_within_address_space);
++    llend = int128_make64(section->offset_within_address_space);
++    llend = int128_add(llend, section->size);
++    llend = int128_and(llend, int128_exts64(qemu_real_host_page_mask));
++    if (int128_ge(int128_make64(iova), llend)) {
++        return;
++    }
++
+     vfio_dma_unmap_ram_section(container, section);
+ 
+     memory_region_unref(section->mr);
+-- 
+2.27.0
+