diff --git a/0002-mokutil-bugfix-del-unused-opt-s.patch b/0002-mokutil-bugfix-del-unused-opt-s.patch
new file mode 100644
index 0000000..a5ad40b
--- /dev/null
+++ b/0002-mokutil-bugfix-del-unused-opt-s.patch
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: gaoyusong <gaoyusong2@huawei.com>
+Date: Mon, 30 May 2022 17:54:47 +0800
+Subject: [PATCH] mokutil bugfix: del unused opt "-s"
+
+The -s option can cause unexcepted result.
+
+Signed-off-by: gaoyusong <gaoyusong2@huawei.com>
+(cherry picked from commit 04791c29e198b18808bca519267e31c8d3786a08)
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index e8228af..6982ade 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -1851,7 +1851,7 @@ main (int argc, char *argv[])
+ 		};
+ 
+ 		int option_index = 0;
+-		c = getopt_long (argc, argv, "cd:f:g::hi:lmpst:xDNPXv",
++		c = getopt_long (argc, argv, "cd:f:g::hi:lmpt:xDNPXv",
+ 				 long_options, &option_index);
+ 
+ 		if (c == -1)
diff --git a/0003-Fix-leak-of-list-in-delete_data_from_req_var.patch b/0003-Fix-leak-of-list-in-delete_data_from_req_var.patch
new file mode 100644
index 0000000..23633a8
--- /dev/null
+++ b/0003-Fix-leak-of-list-in-delete_data_from_req_var.patch
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Thu, 2 Jun 2022 12:56:31 -0400
+Subject: [PATCH] Fix leak of list in delete_data_from_req_var()
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit d978c18f61b877afaab45a82d260b525423b8248)
+---
+ src/util.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index 621869f..6cd0302 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -295,8 +295,10 @@ delete_data_from_req_var (const MokRequest req, const efi_guid_t *type,
+ 	}
+ 
+ 	/* the key or hash is not in this list */
+-	if (start == NULL)
+-		return 0;
++	if (start == NULL) {
++		ret = 0;
++		goto done;
++	}
+ 
+ 	/* all keys are removed */
+ 	if (total == 0) {
diff --git a/0004-Fix-leak-of-fd-in-mok_get_variable.patch b/0004-Fix-leak-of-fd-in-mok_get_variable.patch
new file mode 100644
index 0000000..f1a48f6
--- /dev/null
+++ b/0004-Fix-leak-of-fd-in-mok_get_variable.patch
@@ -0,0 +1,70 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Thu, 2 Jun 2022 13:00:22 -0400
+Subject: [PATCH] Fix leak of fd in mok_get_variable()
+
+On success, it was never closed.  Refactor the code to use a single
+egress path so its closure is clear.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit e498f6460ff5aea6a7cd61a33087d03e88a2f52a)
+---
+ src/util.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index 6cd0302..f7fc033 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -57,22 +57,21 @@ mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep)
+ 		return fd;
+ 
+ 	rc = fstat(fd, &sb);
+-	if (rc < 0) {
+-err_close:
+-		close(fd);
+-		return rc;
+-	}
++	if (rc < 0)
++		goto done;
+ 
+ 	if (sb.st_size == 0) {
+ 		errno = ENOENT;
+ 		rc = -1;
+-		goto err_close;
++		goto done;
+ 	}
+ 
+ 	bufsz = sb.st_size;
+ 	buf = calloc(1, bufsz);
+-	if (!buf)
+-		goto err_close;
++	if (!buf) {
++		rc = -1;
++		goto done;
++	}
+ 
+ 	while (pos < bufsz) {
+ 		ssz = read(fd, &buf[pos], bufsz - pos);
+@@ -82,15 +81,18 @@ err_close:
+ 			    errno == EINTR)
+ 				continue;
+ 			free(buf);
+-			goto err_close;
++			rc = -1;
++			goto done;
+ 		}
+ 
+ 		pos += ssz;
+ 	}
+ 	*datap = buf;
+ 	*data_sizep = pos;
+-
+-	return 0;
++	rc = 0;
++done:
++	close(fd);
++	return rc;
+ }
+ 
+ MokListNode*
diff --git a/mokutil.patches b/mokutil.patches
index dc41221..c450456 100644
--- a/mokutil.patches
+++ b/mokutil.patches
@@ -1 +1,4 @@
 Patch0001: 0001-Show-usage-instead-of-aborting-on-bad-flags.patch
+Patch0002: 0002-mokutil-bugfix-del-unused-opt-s.patch
+Patch0003: 0003-Fix-leak-of-list-in-delete_data_from_req_var.patch
+Patch0004: 0004-Fix-leak-of-fd-in-mok_get_variable.patch
diff --git a/mokutil.spec b/mokutil.spec
index 13ee0ed..56535b7 100644
--- a/mokutil.spec
+++ b/mokutil.spec
@@ -1,6 +1,6 @@
 Name:           mokutil
 Version:        0.6.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 Epoch:          2
 Summary:        Tool to manage UEFI Secure Boot MoK Keys
 License:        GPLv3+
@@ -47,6 +47,9 @@ mokutil provides a tool to manage keys for Secure Boot through the MoK
 %{_datadir}/bash-completion/completions/mokutil
 
 %changelog
+* Mon Jun 06 2022 Robbie Harwood <rharwood@redhat.com> - 0.6.0-4
+- Fix unused -s option and pull leak fixes
+
 * Wed May 25 2022 Peter Jones <pjones@redhat.com> - 0.6.0-3
 - Fix patch application in the spec file...
 - Resolves: #2087066