diff --git a/kvm-hostmem-Apply-merge-property-after-the-memory-region.patch b/kvm-hostmem-Apply-merge-property-after-the-memory-region.patch
new file mode 100644
index 0000000..70e6bcc
--- /dev/null
+++ b/kvm-hostmem-Apply-merge-property-after-the-memory-region.patch
@@ -0,0 +1,61 @@
+From 34266f76ec5c96aceee89d1dd25c338af81f99dc Mon Sep 17 00:00:00 2001
+From: Gavin Shan <gshan@redhat.com>
+Date: Wed, 20 Nov 2024 17:13:44 +1000
+Subject: [PATCH 2/2] hostmem: Apply merge property after the memory region is
+ initialized
+
+RH-Author: Gavin Shan <gshan@redhat.com>
+RH-MergeRequest: 296: hostmem: Apply merge property after the memory region is initialized
+RH-Jira: RHEL-68289
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Eric Auger <eric.auger@redhat.com>
+RH-Acked-by: Sebastian Ott <sebott@redhat.com>
+RH-Commit: [1/1] fc01302c3299a15fd523247e5a3df0957becba6a (gwshan/qemu-centos)
+
+JIRA: https://issues.redhat.com/browse/RHEL-68289
+
+The semantic change has been introduced by commit 5becdc0ab0 ("hostmem:
+simplify the code for merge and dump properties") even it clarifies that
+no senmatic change has been introduced. After the commit, the merge
+property can be applied even the corresponding memory region isn't
+initialized yet. This leads to crash dump by the following command
+lines.
+
+  # /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64  \
+    -accel kvm  -machine virt -cpu host                      \
+    -object memory-backend-ram,id=mem-memN0,size=4096M,merge=off
+    :
+    qemu-system-aarch64: ../system/memory.c:2419: memory_region_get_ram_ptr: \
+    Assertion `mr->ram_block' failed.
+
+Fix it by applying the merge property only when the memory region is
+initialized.
+
+Message-ID: <20240915233117.478169-1-gshan@redhat.com>
+Fixes: 5becdc0ab083 ("hostmem: simplify the code for merge and dump properties")
+Reported-by: Zhenyu Zhang <zhenyzha@redhat.com>
+Tested-by: Zhenyu Zhang <zhenyzha@redhat.com>
+Signed-off-by: Gavin Shan <gshan@redhat.com>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+(cherry picked from commit 78c8f780d3f0d6d17aa93d6f99ff72960080fdd7)
+Signed-off-by: Gavin Shan <gshan@redhat.com>
+---
+ backends/hostmem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/backends/hostmem.c b/backends/hostmem.c
+index 4e5576a4ad..181446626a 100644
+--- a/backends/hostmem.c
++++ b/backends/hostmem.c
+@@ -178,7 +178,7 @@ static void host_memory_backend_set_merge(Object *obj, bool value, Error **errp)
+         return;
+     }
+ 
+-    if (!host_memory_backend_mr_inited(backend) &&
++    if (host_memory_backend_mr_inited(backend) &&
+         value != backend->merge) {
+         void *ptr = memory_region_get_ram_ptr(&backend->mr);
+         uint64_t sz = memory_region_size(&backend->mr);
+-- 
+2.45.1
+
diff --git a/kvm-vfio-container-Fix-container-object-destruction.patch b/kvm-vfio-container-Fix-container-object-destruction.patch
new file mode 100644
index 0000000..f82a592
--- /dev/null
+++ b/kvm-vfio-container-Fix-container-object-destruction.patch
@@ -0,0 +1,61 @@
+From 18d64190c2bb43d42e02ea250ffe40b8ba4970f3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@redhat.com>
+Date: Mon, 18 Nov 2024 16:34:30 +0100
+Subject: [PATCH 1/2] vfio/container: Fix container object destruction
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Cédric Le Goater <clg@redhat.com>
+RH-MergeRequest: 293: vfio/container: Fix container object destruction
+RH-Jira: RHEL-67935
+RH-Acked-by: Eric Auger <eric.auger@redhat.com>
+RH-Acked-by: Alex Williamson <None>
+RH-Commit: [1/1] cddda9554b1a858a7265d4ed9b81fdac46772a2c (clegoate/qemu-kvm-centos)
+
+JIRA: https://issues.redhat.com/browse/RHEL-67935
+
+commit ebbf7c60bbd1ceedf9faf962e428ceda2388c248
+Author: Cédric Le Goater <clg@redhat.com>
+Date:   Fri Nov 15 09:34:40 2024 +0100
+
+    vfio/container: Fix container object destruction
+
+    When commit 96b7af4388b3 intoduced a .instance_finalize() handler,
+    it did not take into account that the container was not necessarily
+    inserted into the container list of the address space. Hence, if
+    the container object is destroyed, by calling object_unref() for
+    example, before vfio_address_space_insert() is called, QEMU may
+    crash when removing the container from the list as done in
+    vfio_container_instance_finalize(). This was seen with an SEV-SNP
+    guest for which discarding of RAM fails.
+
+    To resolve this issue, use the safe version of QLIST_REMOVE().
+
+    Cc: Zhenzhong Duan <zhenzhong.duan@intel.com>
+    Cc: Eric Auger <eric.auger@redhat.com>
+    Fixes: 96b7af4388b3 ("vfio/container: Move vfio_container_destroy() to an instance_finalize() handler")
+    Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
+    Signed-off-by: Cédric Le Goater <clg@redhat.com>
+
+Signed-off-by: Cédric Le Goater <clg@redhat.com>
+---
+ hw/vfio/container-base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/vfio/container-base.c b/hw/vfio/container-base.c
+index 809b157674..6f86c37d97 100644
+--- a/hw/vfio/container-base.c
++++ b/hw/vfio/container-base.c
+@@ -103,7 +103,7 @@ static void vfio_container_instance_finalize(Object *obj)
+     VFIOContainerBase *bcontainer = VFIO_IOMMU(obj);
+     VFIOGuestIOMMU *giommu, *tmp;
+ 
+-    QLIST_REMOVE(bcontainer, next);
++    QLIST_SAFE_REMOVE(bcontainer, next);
+ 
+     QLIST_FOREACH_SAFE(giommu, &bcontainer->giommu_list, giommu_next, tmp) {
+         memory_region_unregister_iommu_notifier(
+-- 
+2.45.1
+
diff --git a/qemu-kvm.spec b/qemu-kvm.spec
index fe20aba..24f1b5b 100644
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@@ -149,7 +149,7 @@ Obsoletes: %{name}-block-ssh <= %{epoch}:%{version}                    \
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 9.1.0
-Release: 4%{?rcrel}%{?dist}%{?cc_suffix}
+Release: 5%{?rcrel}%{?dist}%{?cc_suffix}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 # Epoch 15 used for RHEL 8
 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@@ -270,6 +270,10 @@ Patch64: kvm-KVM-Rename-KVMMemoryListener.nr_used_slots-to-nr_slo.patch
 Patch65: kvm-KVM-Rename-KVMState-nr_slots-to-nr_slots_max.patch
 # For RHEL-67844 - qemu crashed after killed virtiofsd during migration
 Patch66: kvm-migration-Ensure-vmstate_save-sets-errp.patch
+# For RHEL-67935 - QEMU should fail gracefully with passthrough devices in SEV-SNP guests
+Patch67: kvm-vfio-container-Fix-container-object-destruction.patch
+# For RHEL-68289 - [RHEL-9.6] QEMU core dump on applying merge property to memory backend
+Patch68: kvm-hostmem-Apply-merge-property-after-the-memory-region.patch
 
 %if %{have_clang}
 BuildRequires: clang
@@ -1336,6 +1340,14 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 
 %changelog
+* Mon Nov 25 2024 Jon Maloy <jmaloy@redhat.com> - 9.1.0-5
+- kvm-vfio-container-Fix-container-object-destruction.patch [RHEL-67935]
+- kvm-hostmem-Apply-merge-property-after-the-memory-region.patch [RHEL-68289]
+- Resolves: RHEL-67935
+  (QEMU should fail gracefully with passthrough devices in SEV-SNP guests)
+- Resolves: RHEL-68289
+  ([RHEL-9.6] QEMU core dump on applying merge property to memory backend)
+
 * Sun Nov 24 2024 Jon Maloy <jmaloy@redhat.com> - 9.1.0-4
 - kvm-migration-Ensure-vmstate_save-sets-errp.patch [RHEL-67844]
 - Resolves: RHEL-67844