diff --git a/SOURCES/openvswitch-2.16.0.patch b/SOURCES/openvswitch-2.16.0.patch
index a4e81cc..7e738f9 100644
--- a/SOURCES/openvswitch-2.16.0.patch
+++ b/SOURCES/openvswitch-2.16.0.patch
@@ -688,6 +688,40 @@ index 239d210b96..4d23dbc4ec 100644
  openvswitch (2.16.0-1) unstable; urgency=low
  
     * New upstream version
+diff --git a/dpdk/lib/librte_vhost/vhost_user.c b/dpdk/lib/librte_vhost/vhost_user.c
+index 45c8ac09da..70d206dcf8 100644
+--- a/dpdk/lib/librte_vhost/vhost_user.c
++++ b/dpdk/lib/librte_vhost/vhost_user.c
+@@ -1416,6 +1416,9 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev,
+ 	int fd, i, j;
+ 	void *addr;
+ 
++	if (validate_msg_fds(msg, 0) != 0)
++		return RTE_VHOST_MSG_RESULT_ERR;
++
+ 	if (msg->size != sizeof(msg->payload.inflight)) {
+ 		VHOST_LOG_CONFIG(ERR,
+ 			"invalid get_inflight_fd message size is %d\n",
+@@ -1509,6 +1512,9 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg,
+ 	void *addr;
+ 	int fd, i;
+ 
++	if (validate_msg_fds(msg, 1) != 0)
++		return RTE_VHOST_MSG_RESULT_ERR;
++
+ 	fd = msg->fds[0];
+ 	if (msg->size != sizeof(msg->payload.inflight) || fd < 0) {
+ 		VHOST_LOG_CONFIG(ERR,
+@@ -2652,6 +2658,9 @@ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
+ 	case VHOST_USER_SET_VRING_ADDR:
+ 		vring_idx = msg->payload.addr.index;
+ 		break;
++	case VHOST_USER_SET_INFLIGHT_FD:
++		vring_idx = msg->payload.inflight.num_queues - 1;
++		break;
+ 	default:
+ 		return 0;
+ 	}
 diff --git a/include/linux/automake.mk b/include/linux/automake.mk
 index 8f063f482e..f857c7e088 100644
 --- a/include/linux/automake.mk
diff --git a/SPECS/openvswitch2.16.spec b/SPECS/openvswitch2.16.spec
index bc763ac..e8f61aa 100644
--- a/SPECS/openvswitch2.16.spec
+++ b/SPECS/openvswitch2.16.spec
@@ -57,7 +57,7 @@ Summary: Open vSwitch
 Group: System Environment/Daemons daemon/database/utilities
 URL: http://www.openvswitch.org/
 Version: 2.16.0
-Release: 72%{?dist}
+Release: 74%{?dist}
 
 # Nearly all of openvswitch is ASL 2.0.  The bugtool is LGPLv2+, and the
 # lib/sflow*.[ch] files are SISSL
@@ -699,6 +699,37 @@ exit 0
 %endif
 
 %changelog
+* Thu Apr 28 2022 Timothy Redaelli <tredaelli@redhat.com> - 2.16.0-74
+- vhost: fix queue number check when setting inflight FD [RH git: d084ce15a7]
+    [ upstream commit 6442c329b9d2ded0f44b27d2016aaba8ba5844c5 ]
+    
+    In function vhost_user_set_inflight_fd, queue number in inflight
+    message is used to access virtqueue. However, queue number could
+    be larger than VHOST_MAX_VRING and cause write OOB as this number
+    will be used to write inflight info in virtqueue structure. This
+    patch checks the queue number to avoid the issue and also make
+    sure virtqueues are allocated before setting inflight information.
+    
+    Fixes: ad0a4ae491fe ("vhost: checkout resubmit inflight information")
+    
+    Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
+    Signed-off-by: Chenbo Xia <chenbo.xia@intel.com>
+    Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+
+
+* Thu Apr 28 2022 Timothy Redaelli <tredaelli@redhat.com> - 2.16.0-73
+- vhost: fix FD leak with inflight messages [RH git: fafbd8f642]
+    [ upstream commit af74f7db384ed149fe42b21dbd7975f8a54ef227 ]
+    
+    Even if unlikely, a buggy vhost-user master might attach fds to inflight
+    messages. Add checks like for other types of vhost-user messages.
+    
+    Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing")
+    
+    Signed-off-by: David Marchand <david.marchand@redhat.com>
+    Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+
+
 * Wed Apr 27 2022 Open vSwitch CI <ovs-ci@redhat.com> - 2.16.0-72
 - Merging upstream branch-2.16 [RH git: 1c2e3ff275]
     Commit list: