diff --git a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d047ee316de5f6b6cfdb80de451da6ff232e51c7
--- /dev/null
+++ b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch
@@ -0,0 +1,45 @@
+From be2098de6cafdce46c104d6ff277b7b780631e40 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel@redhat.com>
+Date: Wed, 16 Jun 2021 14:06:00 +0300
+Subject: [PATCH 1/3] hw/rdma: Fix possible mremap overflow in the pvrdma
+ device (CVE-2021-3582)
+
+Ensure mremap boundaries not trusting the guest kernel to
+pass the correct buffer length.
+
+Fixes: CVE-2021-3582
+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+cherry-pick from: 284f191b4abad213aed04cb0458e1600fd18d7c4
+Signed-off-by: yezengruan <yezengruan@huawei.com>
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index 8d70c0d23d..dca8f36693 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -39,6 +39,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
+         return NULL;
+     }
+ 
++    length = ROUND_UP(length, TARGET_PAGE_SIZE);
++    if (nchunks * TARGET_PAGE_SIZE != length) {
++        rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
++                          (unsigned long)length);
++        return NULL;
++    }
++
+     dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
+     if (!dir) {
+         rdma_error_report("Failed to map to page directory");
+-- 
+2.27.0
+
diff --git a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
new file mode 100644
index 0000000000000000000000000000000000000000..432e6ccaa200722f2be1c9e18ee742461ae5458f
--- /dev/null
+++ b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
@@ -0,0 +1,50 @@
+From 08438d7975713bbeed2dff8467bd4656b34221ad Mon Sep 17 00:00:00 2001
+From: AlexChen <alex.chen@huawei.com>
+Date: Thu, 4 Nov 2021 17:31:38 +0100
+Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT
+ commands
+
+This avoids an off-by-one read of 'mode_sense_valid' buffer in
+hw/scsi/scsi-disk.c:mode_sense_page().
+
+Fixes: CVE-2021-3930
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
+Fixes: #546
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+cherry-pick from: b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8
+Signed-off-by: AlexChen <alex.chen@huawei.com>
+---
+ hw/scsi/scsi-disk.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index cd90cd780e..297efd5a72 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -1082,6 +1082,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
+     uint8_t *p = *p_outbuf + 2;
+     int length;
+
++    assert(page < ARRAY_SIZE(mode_sense_valid));
+     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+         return -1;
+     }
+@@ -1423,6 +1424,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
+         return -1;
+     }
+
++    /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
++    if (page == MODE_PAGE_ALLS) {
++        return -1;
++    }
++
+     p = mode_current;
+     memset(mode_current, 0, inlen + 2);
+     len = mode_sense_page(s, page, &p, 0);
+--
+2.27.0
+
diff --git a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2be31292ab46766606bb656c8d07cda5dc2438c1
--- /dev/null
+++ b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch
@@ -0,0 +1,41 @@
+From 0383586640e2c9712376c795d4d2ea27aadeed78 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Date: Wed, 30 Jun 2021 14:46:34 +0300
+Subject: [PATCH 2/3] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
+
+Check the guest passed a non zero page count
+for pvrdma device ring buffers.
+
+Fixes: CVE-2021-3607
+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210630114634.2168872-1-marcel@redhat.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+cherry-pick from: 32e5703cfea07c91e6e84bcb0313f633bb146534
+Signed-off-by: yezengruan <yezengruan@huawei.com>
+---
+ hw/rdma/vmw/pvrdma_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index adcf79cd63..1d9f84e89a 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -93,6 +93,11 @@ static int init_dev_ring(PvrdmaRing *ring, struct pvrdma_ring **ring_state,
+     uint64_t *dir, *tbl;
+     int rc = 0;
+ 
++    if (!num_pages) {
++        rdma_error_report("Ring pages count must be strictly positive");
++        return -EINVAL;
++    }
++
+     dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
+     if (!dir) {
+         rdma_error_report("Failed to map to page directory (ring %s)", name);
+-- 
+2.27.0
+
diff --git a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ed54c1b6c9d1ad4e06e38d7d5e66c04d86e83784
--- /dev/null
+++ b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch
@@ -0,0 +1,41 @@
+From ad63c75ceea0b9d6fe1dbb008cad41527a29f923 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Date: Wed, 30 Jun 2021 14:52:46 +0300
+Subject: [PATCH 3/3] pvrdma: Fix the ring init error flow (CVE-2021-3608)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Do not unmap uninitialized dma addresses.
+
+Fixes: CVE-2021-3608
+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210630115246.2178219-1-marcel@redhat.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+cherry-pick from: 66ae37d8cc313f89272e711174a846a229bcdbd3
+Signed-off-by: yezengruan <yezengruan@huawei.com>
+---
+ hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
+index d7bc7f5ccc..2a620ad5bc 100644
+--- a/hw/rdma/vmw/pvrdma_dev_ring.c
++++ b/hw/rdma/vmw/pvrdma_dev_ring.c
+@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, const char *name, PCIDevice *dev,
+     atomic_set(&ring->ring_state->cons_head, 0);
+     */
+     ring->npages = npages;
+-    ring->pages = g_malloc(npages * sizeof(void *));
++    ring->pages = g_malloc0(npages * sizeof(void *));
+ 
+     for (i = 0; i < npages; i++) {
+         if (!tbl[i]) {
+-- 
+2.27.0
+
diff --git a/qemu.spec b/qemu.spec
index 39cbeaa31ea561b36eb6e127436aec5923097855..4cbd94828c544c740ae6f6b29f4e6cc20568c419 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 63
+Release: 65
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -344,6 +344,10 @@ Patch0331: fix-cve-2020-35504.patch
 Patch0332: fix-cve-2020-35505.patch
 Patch0333: virtio-balloon-apply-upstream-patch.patch
 Patch0334: add-Phytium-s-CPU-models-FT-2000-and-Tengyun-S2500.patch
+Patch0335: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
+Patch0336: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch
+Patch0337: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch
+Patch0338: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -740,6 +744,14 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Wed Apr 06 2022 yezengruan <yezengruan@huawei.com>
+- hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)
+- pvrdma: Ensure correct input on ring init (CVE-2021-3607)
+- pvrdma: Fix the ring init error flow (CVE-2021-3608)
+
+* Mon Mar 28 2022 Jinhao Gao <gaojinhao@huawei.com>
+- hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands(fix CVE-2021-3930)
+
 * Tue Dec 21 2021 imxcc <xingchaochao@huawei.com>
 - add Phytium's CPU models: FT-2000+ and Tengyun-S2500