diff --git a/fix-cve-2020-35504.patch b/fix-cve-2020-35504.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bf03fb5f56ee23b70d2931c956d1e91e89af3d3c
--- /dev/null
+++ b/fix-cve-2020-35504.patch
@@ -0,0 +1,30 @@
+From dc8416b55d69e70912acd2364494a490b02e3198 Mon Sep 17 00:00:00 2001
+From: imxcc
+Date: Mon, 21 Jun 2021 17:15:39 +0800
+Subject: [PATCH] fix cve-2020-35504
+
+esp: always check current_req is not NULL before use in DMA callbacks
+
+Signed-off-by: Mark Cave-Ayland
+Signed-off-by: imxcc
+---
+ hw/scsi/esp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 7508d035ca..d1f13b350e 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -253,6 +253,9 @@ static void esp_do_dma(ESPState *s)
+ s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
+ return;
+ }
++ if (!s->current_req) {
++ return;
++ }
+ if (s->async_len == 0) {
+ /* Defer until data is available. */
+ return;
+--
+2.27.0
+
diff --git a/fix-cve-2020-35505.patch b/fix-cve-2020-35505.patch
new file mode 100644
index 0000000000000000000000000000000000000000..eb639d926d70554b3663e5dd96105367090a2ba1
--- /dev/null
+++ b/fix-cve-2020-35505.patch
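Review bot: The new `if (!s->current_req)` guard in esp_do_dma returns silently, so a reader has no hint why current_req can be NULL at this point; it should carry a one-line comment such as `/* No request in flight (cancelled or never created): nothing to transfer. */`. The patch subject says "DMA callbacks" (plural) but this backport contains a single hunk; if this tree's other DMA callback paths also dereference s->current_req they need the same guard, which cannot be judged from here and should be checked against the upstream commit. For a CVE backport the patch header should also cite the upstream commit id it was taken from, which it does not. esp_do_dma begins and ends outside the hunk.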
@@ -0,0 +1,46 @@
+From a1c9b6747da5f3d2815a0c186473dc76d9e4f682 Mon Sep 17 00:00:00 2001
+From: imxcc
+Date: Mon, 21 Jun 2021 17:20:55 +0800
+Subject: [PATCH] fix cve-2020-35505
+
+esp: ensure cmdfifo is not empty and current_dev is non-NULL
+
+Signed-off-by: Mark Cave-Ayland
+Signed-off-by: imxcc
+---
+ hw/scsi/esp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index d1f13b350e..db6bed4f00 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -79,6 +79,7 @@ void esp_request_cancelled(SCSIRequest *req)
+ scsi_req_unref(s->current_req);
+ s->current_req = NULL;
+ s->current_dev = NULL;
++ s->async_len = 0;
+ }
+ }
+
+@@ -113,7 +114,6 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
+ if (s->current_req) {
+ /* Started a new command before the old one finished. Cancel it. */
+ scsi_req_cancel(s->current_req);
+- s->async_len = 0;
+ }
+
+ s->current_dev = scsi_device_find(&s->bus, 0, target, 0);
+@@ -136,6 +136,9 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid)
+
+ trace_esp_do_busid_cmd(busid);
+ lun = busid & 7;
++ if (!s->current_dev) {
++ return;
++ }
+ current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
+ s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
+ datalen = scsi_req_enqueue(s->current_req);
+--
+2.27.0
+
diff --git a/qemu.spec b/qemu.spec
index 0e3d75dc1a3a4cbf816f71d0deb6f4be35efdd36..5ddcb5d5a7b72ec10695106aad394bc27a96e02d 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 84
+Release: 85
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
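Review bot: The `if (!s->current_dev)` guard added to do_busid_cmd returns without reporting anything to the guest, whereas get_cmd (where `s->current_dev` is looked up, visible in the hunk above) presumably handles a missing target by signalling it — that handling is outside the hunk, so check whether the bare return should mirror it, and in any case attach a comment such as `/* Target went away (request cancelled) between selection and the command: drop it. */`. Moving `s->async_len = 0` from get_cmd into esp_request_cancelled means the reset now only happens when that cancel callback actually fires for s->current_req (the enclosing `if` starts outside the hunk), so the get_cmd path relies on scsi_req_cancel invoking the callback before it returns; that assumption deserves a comment next to the scsi_req_cancel call. The subject mentions cmdfifo, but no line in this backport touches a cmdfifo, so the subject should describe what was actually backported and name the upstream commit. do_busid_cmd continues outside the hunk.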
@@ -566,6 +566,9 @@ Patch0553: bootp-check-bootp_input-buffer-size.patch
 Patch0554: upd6-check-udp6_input-buffer-size.patch
 Patch0555: tftp-check-tftp_input-buffer-size.patch
 Patch0556: tftp-introduce-a-header-structure.patch
+Patch0557: fix-cve-2020-35504.patch
+Patch0558: fix-cve-2020-35505.patch
+Patch0559: virtio-balloon-apply-upstream-patch.patch

 BuildRequires: flex
 BuildRequires: gcc
@@ -970,6 +973,13 @@ getent passwd qemu >/dev/null || \
 %endif

 %changelog
+* Fri Dec 03 2021 Chen Qun
+- virtio-balloon: apply upstream patch.
+
+* Fri Dec 03 2021 Chen Qun
+- fix cve-2020-35504
+- fix cve-2020-35505
+
 * Tue Oct 26 2021 imxcc
 - fix cve-2021-3592 cve-2021-3593 cve-2021-3595

diff --git a/virtio-balloon-apply-upstream-patch.patch b/virtio-balloon-apply-upstream-patch.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a400a49640174f7807007fad16528db087d1b5b6
--- /dev/null
+++ b/virtio-balloon-apply-upstream-patch.patch
@@ -0,0 +1,31 @@
+From 0d86ceed3cef76334c39d879dd8b532ca258eb65 Mon Sep 17 00:00:00 2001
+From: Ming Yang
+Date: Tue, 16 Nov 2021 17:21:09 +0800
+Subject: [PATCH] virtio-balloon: apply upstream patch.
+
+Signed-off-by: Ming Yang
+---
+ hw/virtio/virtio-balloon.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
+index 25de154307..17fa767483 100644
+--- a/hw/virtio/virtio-balloon.c
++++ b/hw/virtio/virtio-balloon.c
+@@ -830,6 +830,13 @@ static void virtio_balloon_device_unrealize(DeviceState *dev, Error **errp)
+ }
+ balloon_stats_destroy_timer(s);
+ qemu_remove_balloon_handler(s);
++
++ virtio_del_queue(vdev, 0);
++ virtio_del_queue(vdev, 1);
++ virtio_del_queue(vdev, 2);
++ if (s->free_page_vq) {
++ virtio_del_queue(vdev, 3);
++ }
+ virtio_cleanup(vdev);
+ }
+
+--
+2.27.0
+
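Review bot: The queue indices 0–3 passed to virtio_del_queue in virtio_balloon_device_unrealize are hard-coded and must match the order in which the realize function added the queues, and the `if (s->free_page_vq)` condition must mirror the condition under which realize created the fourth queue; both live outside this hunk, so a mismatch would not be visible here. A comment should pin that coupling, e.g. `/* Indices follow the virtio_add_queue() order in virtio_balloon_device_realize(). */`. The subject "virtio-balloon: apply upstream patch." with an empty body names no upstream commit, so a reviewer cannot tell which fix this is or whether it was backported completely; the header should quote the upstream commit id and title. virtio_balloon_device_unrealize starts outside the hunk.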