diff --git a/0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch b/0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch
new file mode 100644
index 0000000..57b7b9b
--- /dev/null
+++ b/0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch
@@ -0,0 +1,82 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 31 Aug 2016 12:19:29 +0530
+Subject: [PATCH] vmw_pvscsi: check page count while initialising descriptor
+ rings
+
+Vmware Paravirtual SCSI emulation uses command descriptors to
+process SCSI commands. These descriptors come with their ring
+buffers. A guest could set the page count for these rings to
+an arbitrary value, leading to infinite loop or OOB access.
+Add check to avoid it.
+
+Reported-by: Tom Victor <vv474172261@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 7f61f4690dd153be98900a2a508b88989e692753)
+---
+ hw/scsi/vmw_pvscsi.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 5116f4a..4245c15 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
+ return log;
+ }
+
+-static int
++static void
+ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+ {
+ int i;
+@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+ uint32_t req_ring_size, cmp_ring_size;
+ m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
+
+- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
+- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
+- return -1;
+- }
+ req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
+ cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
+ txr_len_log2 = pvscsi_log2(req_ring_size - 1);
+@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+
+ /* Flush ring state page changes */
+ smp_wmb();
+-
+- return 0;
+ }
+
+ static int
+@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
+
+ trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
+ for (i = 0; i < rc->cmpRingNumPages; i++) {
+- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
++ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
+ }
+ }
+
+@@ -779,11 +773,16 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
+
+ trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
+
+- pvscsi_dbg_dump_tx_rings_config(rc);
+- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
++ if (!rc->reqRingNumPages
++ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
++ || !rc->cmpRingNumPages
++ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
+ return PVSCSI_COMMAND_PROCESSING_FAILED;
+ }
+
++ pvscsi_dbg_dump_tx_rings_config(rc);
++ pvscsi_ring_init_data(&s->rings, rc);
++
+ s->rings_info_valid = TRUE;
+ return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
+ }
diff --git a/0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch b/0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
new file mode 100644
index 0000000..89ae98d
--- /dev/null
+++ b/0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
@@ -0,0 +1,61 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 6 Sep 2016 02:20:43 +0530
+Subject: [PATCH] scsi: pvscsi: limit loop to fetch SG list
+
+In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
+long time or go into an infinite loop due to two different bugs:
+
+1) the request descriptor data length is defined to be 64 bit. While
+building SG list from a request descriptor, it gets truncated to 32bit
+in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
+situation large 'dataLen' values when data_length is cast to uint32_t and
+chunk_size becomes always zero. Fix this by removing the incorrect cast.
+
+2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
+element has a zero length. Get out of the loop early when this happens,
+by introducing an upper limit on the number of SG list elements.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8)
+---
+ hw/scsi/vmw_pvscsi.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 4245c15..babac5a 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -40,6 +40,8 @@
+ #define PVSCSI_MAX_DEVS (64)
+ #define PVSCSI_MSIX_NUM_VECTORS (1)
+
++#define PVSCSI_MAX_SG_ELEM 2048
++
+ #define PVSCSI_MAX_CMD_DATA_WORDS \
+ (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
+
+@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
+ static void
+ pvscsi_convert_sglist(PVSCSIRequest *r)
+ {
+- int chunk_size;
++ uint32_t chunk_size, elmcnt = 0;
+ uint64_t data_length = r->req.dataLen;
+ PVSCSISGState sg = r->sg;
+- while (data_length) {
+- while (!sg.resid) {
++ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
++ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
+ pvscsi_get_next_sg_elem(&sg);
+ trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
+ r->sg.resid);
+ }
+- assert(data_length > 0);
+- chunk_size = MIN((unsigned) data_length, sg.resid);
++ chunk_size = MIN(data_length, sg.resid);
+ if (chunk_size) {
+ qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
+ }
diff --git a/0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch b/0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
new file mode 100644
index 0000000..9280e15
--- /dev/null
+++ b/0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
@@ -0,0 +1,35 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 14 Sep 2016 15:09:12 +0530
+Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
+
+Vmware Paravirtual SCSI emulator while processing IO requests
+could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
+always returned positive value. Limit IO loop to the ring size.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9)
+---
+ hw/scsi/vmw_pvscsi.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index babac5a..a5ce7de 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -247,8 +247,11 @@ static hwaddr
+ pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
+ {
+ uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
++ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
++ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
+
+- if (ready_ptr != mgr->consumed_ptr) {
++ if (ready_ptr != mgr->consumed_ptr
++ && ready_ptr - mgr->consumed_ptr < ring_size) {
+ uint32_t next_ready_ptr =
+ mgr->consumed_ptr++ & mgr->txr_len_mask;
+ uint32_t next_ready_page =
diff --git a/0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch b/0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
new file mode 100644
index 0000000..91a9b52
--- /dev/null
+++ b/0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
@@ -0,0 +1,42 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 8 Sep 2016 18:15:54 +0530
+Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
+
+When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
+the computed BITMAP and PIXMAP size are checked against the
+'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
+Correct these checks to avoid OOB memory access.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 167d97a3def77ee2dbf6e908b0ecbfe2103977db)
+---
+ hw/display/vmware_vga.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index e51a05e..6599cf0 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+ cursor.bpp = vmsvga_fifo_read(s);
+
+ args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
+- if (cursor.width > 256 ||
+- cursor.height > 256 ||
+- cursor.bpp > 32 ||
+- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
+- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
++ if (cursor.width > 256
++ || cursor.height > 256
++ || cursor.bpp > 32
++ || SVGA_BITMAP_SIZE(x, y)
++ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
++ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
++ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
+ goto badcmd;
+ }
+
diff --git a/0005-scsi-mptconfig-fix-an-assert-expression.patch b/0005-scsi-mptconfig-fix-an-assert-expression.patch
new file mode 100644
index 0000000..75ba430
--- /dev/null
+++ b/0005-scsi-mptconfig-fix-an-assert-expression.patch
@@ -0,0 +1,33 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 31 Aug 2016 17:36:07 +0530
+Subject: [PATCH] scsi: mptconfig: fix an assert expression
+
+When LSI SAS1068 Host Bus emulator builds configuration page
+headers, mptsas_config_pack() should assert that the size
+fits in a byte. However, the size is expressed in 32-bit
+units, so up to 1020 bytes fit. The assertion was only
+allowing replies up to 252 bytes, so fix it.
+
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6)
+---
+ hw/scsi/mptconfig.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
+index 7071854..3e4f400 100644
+--- a/hw/scsi/mptconfig.c
++++ b/hw/scsi/mptconfig.c
+@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
+ va_end(ap);
+
+ if (data) {
+- assert(ret < 256 && (ret % 4) == 0);
++ assert(ret / 4 < 256 && (ret % 4) == 0);
+ stb_p(*data + 1, ret / 4);
+ }
+ return ret;
diff --git a/0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch b/0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch
new file mode 100644
index 0000000..8be70e0
--- /dev/null
+++ b/0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch
@@ -0,0 +1,37 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 29 Aug 2016 11:35:37 +0200
+Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK
+
+These issues cause respectively a QEMU crash and a leak of 2 bytes of
+stack. They were discovered by VictorV of 360 Marvel Team.
+
+Reported-by: Tom Victor <i-tangtianwen@360.cm>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d)
+---
+ hw/scsi/mptconfig.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
+index 3e4f400..87a416a 100644
+--- a/hw/scsi/mptconfig.c
++++ b/hw/scsi/mptconfig.c
+@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
+ {
+ /* VPD - all zeros */
+ return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
+- "s256");
++ "*s256");
+ }
+
+ static
+@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address)
+ return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01,
+ "*l*lwwb*b*b*blww",
+ pcic->vendor_id, pcic->device_id, pcic->revision,
+- pcic->subsystem_vendor_id,
++ pcic->class_id, pcic->subsystem_vendor_id,
+ pcic->subsystem_id);
+ }
+
diff --git a/0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch b/0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
new file mode 100644
index 0000000..d47fccf
--- /dev/null
+++ b/0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
@@ -0,0 +1,29 @@
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 13 Sep 2016 03:20:03 -0700
+Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
+
+If the xhci uses msix, it doesn't free the corresponding
+memory, thus leading a memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit b53dd4495ced2432a0b652ea895e651d07336f7e)
+---
+ hw/usb/hcd-xhci.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 188f954..281a2a5 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
+ /* destroy msix memory region */
+ if (dev->msix_table && dev->msix_pba
+ && dev->msix_entry_used) {
+- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
+- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
++ msix_uninit(dev, &xhci->mem, &xhci->mem);
+ }
+
+ usb_bus_release(&xhci->bus);
diff --git a/0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch b/0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
new file mode 100644
index 0000000..41c48b3
--- /dev/null
+++ b/0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
@@ -0,0 +1,32 @@
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 12 Sep 2016 18:14:11 +0530
+Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
+
+When processing IO request in mptsas, it uses g_new to allocate
+a 'req' object. If an error occurs before 'req->sreq' is
+allocated, It could lead to an OOB write in mptsas_free_request
+function. Use g_new0 to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5)
+---
+ hw/scsi/mptsas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index 0e0a22f..eaae1bb 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
+ goto bad;
+ }
+
+- req = g_new(MPTSASRequest, 1);
++ req = g_new0(MPTSASRequest, 1);
+ QTAILQ_INSERT_TAIL(&s->pending, req, next);
+ req->scsi_io = *scsi_io;
+ req->dev = s;
diff --git a/0009-virtio-add-check-for-descriptor-s-mapped-address.patch b/0009-virtio-add-check-for-descriptor-s-mapped-address.patch
new file mode 100644
index 0000000..d663896
--- /dev/null
+++ b/0009-virtio-add-check-for-descriptor-s-mapped-address.patch
@@ -0,0 +1,35 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 19 Sep 2016 23:55:45 +0530
+Subject: [PATCH] virtio: add check for descriptor's mapped address
+
+virtio back end uses set of buffers to facilitate I/O operations.
+If its size is too large, 'cpu_physical_memory_map' could return
+a null address. This would result in a null dereference while
+un-mapping descriptors. Add check to avoid it.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 973e7170dddefb491a48df5cba33b2ae151013a0)
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 74c085c..eabe573 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
+ }
+
+ iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
++ if (!iov[num_sg].iov_base) {
++ error_report("virtio: bogus descriptor or out of resources");
++ exit(1);
++ }
++
+ iov[num_sg].iov_len = len;
+ addr[num_sg] = pa;
+
diff --git a/0010-net-mcf-limit-buffer-descriptor-count.patch b/0010-net-mcf-limit-buffer-descriptor-count.patch
new file mode 100644
index 0000000..ae05c63
--- /dev/null
+++ b/0010-net-mcf-limit-buffer-descriptor-count.patch
@@ -0,0 +1,49 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 22 Sep 2016 16:02:37 +0530
+Subject: [PATCH] net: mcf: limit buffer descriptor count
+
+ColdFire Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a)
+---
+ hw/net/mcf_fec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
+index 0ee8ad9..d31fea1 100644
+--- a/hw/net/mcf_fec.c
++++ b/hw/net/mcf_fec.c
+@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
+ #define DPRINTF(fmt, ...) do {} while(0)
+ #endif
+
++#define FEC_MAX_DESC 1024
+ #define FEC_MAX_FRAME_SIZE 2032
+
+ typedef struct {
+@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
+ uint32_t addr;
+ mcf_fec_bd bd;
+ int frame_size;
+- int len;
++ int len, descnt = 0;
+ uint8_t frame[FEC_MAX_FRAME_SIZE];
+ uint8_t *ptr;
+
+@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
+ ptr = frame;
+ frame_size = 0;
+ addr = s->tx_descriptor;
+- while (1) {
++ while (descnt++ < FEC_MAX_DESC) {
+ mcf_fec_read_bd(&bd, addr);
+ DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
+ addr, bd.flags, bd.length, bd.data);
diff --git a/0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch b/0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
new file mode 100644
index 0000000..03b7429
--- /dev/null
+++ b/0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
@@ -0,0 +1,65 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 10 Oct 2016 12:46:22 +0200
+Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
+
+Needed to avoid we run in circles forever in case the guest builds
+an endless loop with link trbs.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Tested-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
+(cherry picked from commit 05f43d44e4bc26611ce25fd7d726e483f73363ce)
+---
+ hw/usb/hcd-xhci.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 281a2a5..8a9a31a 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -54,6 +54,8 @@
+ * to the specs when it gets them */
+ #define ER_FULL_HACK
+
++#define TRB_LINK_LIMIT 4
++
+ #define LEN_CAP 0x40
+ #define LEN_OPER (0x400 + 0x10 * MAXPORTS)
+ #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
+@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+ dma_addr_t *addr)
+ {
+ PCIDevice *pci_dev = PCI_DEVICE(xhci);
++ uint32_t link_cnt = 0;
+
+ while (1) {
+ TRBType type;
+@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+ ring->dequeue += TRB_SIZE;
+ return type;
+ } else {
++ if (++link_cnt > TRB_LINK_LIMIT) {
++ return 0;
++ }
+ ring->dequeue = xhci_mask64(trb->parameter);
+ if (trb->control & TRB_LK_TC) {
+ ring->ccs = !ring->ccs;
+@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+ bool ccs = ring->ccs;
+ /* hack to bundle together the two/three TDs that make a setup transfer */
+ bool control_td_set = 0;
++ uint32_t link_cnt = 0;
+
+ while (1) {
+ TRBType type;
+@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+ type = TRB_TYPE(trb);
+
+ if (type == TR_LINK) {
++ if (++link_cnt > TRB_LINK_LIMIT) {
++ return -length;
++ }
+ dequeue = xhci_mask64(trb.parameter);
+ if (trb.control & TRB_LK_TC) {
+ ccs = !ccs;
diff --git a/0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch b/0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
new file mode 100644
index 0000000..e7c7aa3
--- /dev/null
+++ b/0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
@@ -0,0 +1,29 @@
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Sun, 18 Sep 2016 19:48:35 -0700
+Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd
+
+While processing isochronous transfer descriptors(iTD), if the page
+select(PG) field value is out of bands it will return. In this
+situation the ehci's sg list is not freed thus leading to a memory
+leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a)
+---
+ hw/usb/hcd-ehci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index b093db7..f4ece9a 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
+ if (off + len > 4096) {
+ /* transfer crosses page border */
+ if (pg == 6) {
++ qemu_sglist_destroy(&ehci->isgl);
+ return -1; /* avoid page pg + 1 */
+ }
+ ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
diff --git a/0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch b/0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch
new file mode 100644
index 0000000..521e879
--- /dev/null
+++ b/0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch
@@ -0,0 +1,50 @@
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 10 Oct 2016 12:45:13 +0200
+Subject: [PATCH] usb-redir: allocate buffers before waking up the host adapter
+
+Needed to make sure usb redirection is prepared to actually handle the
+callback from the usb host adapter. Without this interrupt endpoints
+don't work on xhci.
+
+Note: On ehci the usb_wakeup() call only schedules a BH for the actual
+work, which hides this bug because the allocation happens before ehci
+calls back even without this patch.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Message-id: 1476096313-7730-1-git-send-email-kraxel@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit d5c42857d6b0c35028897df8dfc3749eba6f6de3)
+---
+ hw/usb/redirect.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 444672a..d4ca026 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(void *priv, uint64_t id,
+ }
+
+ if (ep & USB_DIR_IN) {
++ bool q_was_empty;
++
+ if (dev->endpoint[EP2I(ep)].interrupt_started == 0) {
+ DPRINTF("received int packet while not started ep %02X\n", ep);
+ free(data);
+ return;
+ }
+
+- if (QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq)) {
+- usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
+- }
++ q_was_empty = QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq);
+
+ /* bufp_alloc also adds the packet to the ep queue */
+ bufp_alloc(dev, data, data_len, interrupt_packet->status, ep, data);
++
++ if (q_was_empty) {
++ usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
++ }
+ } else {
+ /*
+ * We report output interrupt packets as completed directly upon
diff --git a/qemu-2.7.0-usb-redirect-wakeup.patch b/qemu-2.7.0-usb-redirect-wakeup.patch
deleted file mode 100644
index e8e4a47..0000000
--- a/qemu-2.7.0-usb-redirect-wakeup.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff -up qemu-2.7.0/hw/usb/redirect.c~ qemu-2.7.0/hw/usb/redirect.c
---- qemu-2.7.0/hw/usb/redirect.c~ 2016-09-02 17:34:20.000000000 +0200
-+++ qemu-2.7.0/hw/usb/redirect.c 2016-10-10 09:18:35.319562664 +0200
-@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(vo
- }
-
- if (ep & USB_DIR_IN) {
-+ bool q_was_empty;
-+
- if (dev->endpoint[EP2I(ep)].interrupt_started == 0) {
- DPRINTF("received int packet while not started ep %02X\n", ep);
- free(data);
- return;
- }
-
-- if (QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq)) {
-- usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
-- }
-+ q_was_empty = QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq);
-
- /* bufp_alloc also adds the packet to the ep queue */
- bufp_alloc(dev, data, data_len, interrupt_packet->status, ep, data);
-+
-+ if (q_was_empty) {
-+ usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
-+ }
- } else {
- /*
- * We report output interrupt packets as completed directly upon
diff --git a/qemu.spec b/qemu.spec
index db22bae..5757eb5 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -68,7 +68,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.7.0
-Release: 3%{?rcrel}%{?dist}
+Release: 4%{?rcrel}%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@@ -100,7 +100,33 @@ Source20: kvm.conf
# /etc/sysctl.d/50-kvm-s390x.conf
Source21: 50-kvm-s390x.conf
-Patch1: qemu-2.7.0-usb-redirect-wakeup.patch
+# CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
+Patch0001: 0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch
+# CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
+Patch0002: 0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
+# CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz
+# #1373480)
+Patch0003: 0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
+# CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
+Patch0004: 0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
+# CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
+Patch0005: 0005-scsi-mptconfig-fix-an-assert-expression.patch
+Patch0006: 0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch
+# CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
+Patch0007: 0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
+# CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
+Patch0008: 0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
+# CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
+Patch0009: 0009-virtio-add-check-for-descriptor-s-mapped-address.patch
+# CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
+Patch0010: 0010-net-mcf-limit-buffer-descriptor-count.patch
+# CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
+Patch0011: 0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
+# CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
+Patch0012: 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
+# Fix interrupt endpoints not working with network/spice USB redirection on
+# guest with an emulated xhci controller (bz #1382331)
+Patch0013: 0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch
# documentation deps
BuildRequires: texi2html
@@ -1565,6 +1591,20 @@ getent passwd qemu >/dev/null || \
%changelog
+* Sat Oct 15 2016 Cole Robinson <crobinso@redhat.com> - 2:2.7.0-4
+- CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
+- CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
+- CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz
+ #1373480)
+- CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
+- CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
+- CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
+- CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
+- CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
+- CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
+- CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
+- CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
+
* Mon Oct 10 2016 Hans de Goede <hdegoede@redhat.com> - 2:2.7.0-3
- Fix interrupt endpoints not working with network/spice USB redirection
on guest with an emulated xhci controller (rhbz#1382331)