diff --git a/kernel.spec b/kernel.spec
index f93df36..f7e608d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -625,6 +625,9 @@ Patch848: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch
 #ongoing complaint, full discussion delayed until ksummit/plumbers
 Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch
 
+# CVE-2016-9083 CVE-2016-9084 rhbz 1389258 1389259 1389285
+Patch850: v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2152,6 +2155,9 @@ fi
 #
 # 
 %changelog
+* Thu Oct 27 2016 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2016-9083 CVE-2016-9084 vfio multiple flaws (rhbz 1389258 1389259 1389285)
+
 * Mon Oct 24 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.4-200
 - Linux v4.8.4 rebase
 
diff --git a/v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch b/v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch
new file mode 100644
index 0000000..5278d44
--- /dev/null
+++ b/v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch
@@ -0,0 +1,102 @@
+From patchwork Wed Oct 12 16:51:24 2016
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [v3] vfio/pci: Fix integer overflows, bitmask check
+From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+X-Patchwork-Id: 9373631
+Message-Id: <1476291084-50737-1-git-send-email-vlad@tsyrklevich.net>
+To: kvm@vger.kernel.org
+Cc: alex.williamson@redhat.com, Vlad Tsyrklevich <vlad@tsyrklevich.net>
+Date: Wed, 12 Oct 2016 18:51:24 +0200
+
+The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
+user-supplied integers, potentially allowing memory corruption. This
+patch adds appropriate integer overflow checks, checks the range bounds
+for VFIO_IRQ_SET_DATA_NONE, and also verifies that only single element
+in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
+VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
+vfio_pci_set_irqs_ioctl().
+
+Furthermore, a kzalloc is changed to a kcalloc because the use of a
+kzalloc with an integer multiplication allowed an integer overflow
+condition to be reached without this patch. kcalloc checks for overflow
+and should prevent a similar occurrence.
+
+Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+---
+ drivers/vfio/pci/vfio_pci.c       | 33 +++++++++++++++++++++------------
+ drivers/vfio/pci/vfio_pci_intrs.c |  2 +-
+ 2 files changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
+index d624a52..031bc08 100644
+--- a/drivers/vfio/pci/vfio_pci.c
++++ b/drivers/vfio/pci/vfio_pci.c
+@@ -829,8 +829,9 @@ static long vfio_pci_ioctl(void *device_data,
+ 
+ 	} else if (cmd == VFIO_DEVICE_SET_IRQS) {
+ 		struct vfio_irq_set hdr;
++		size_t size;
+ 		u8 *data = NULL;
+-		int ret = 0;
++		int max, ret = 0;
+ 
+ 		minsz = offsetofend(struct vfio_irq_set, count);
+ 
+@@ -838,23 +839,31 @@ static long vfio_pci_ioctl(void *device_data,
+ 			return -EFAULT;
+ 
+ 		if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS ||
++		    hdr.count >= (U32_MAX - hdr.start) ||
+ 		    hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK |
+ 				  VFIO_IRQ_SET_ACTION_TYPE_MASK))
+ 			return -EINVAL;
+ 
+-		if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
+-			size_t size;
+-			int max = vfio_pci_get_irq_count(vdev, hdr.index);
++		max = vfio_pci_get_irq_count(vdev, hdr.index);
++		if (hdr.start >= max || hdr.start + hdr.count > max)
++			return -EINVAL;
+ 
+-			if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
+-				size = sizeof(uint8_t);
+-			else if (hdr.flags & VFIO_IRQ_SET_DATA_EVENTFD)
+-				size = sizeof(int32_t);
+-			else
+-				return -EINVAL;
++		switch (hdr.flags & VFIO_IRQ_SET_DATA_TYPE_MASK) {
++		case VFIO_IRQ_SET_DATA_NONE:
++			size = 0;
++			break;
++		case VFIO_IRQ_SET_DATA_BOOL:
++			size = sizeof(uint8_t);
++			break;
++		case VFIO_IRQ_SET_DATA_EVENTFD:
++			size = sizeof(int32_t);
++			break;
++		default:
++			return -EINVAL;
++		}
+ 
+-			if (hdr.argsz - minsz < hdr.count * size ||
+-			    hdr.start >= max || hdr.start + hdr.count > max)
++		if (size) {
++			if (hdr.argsz - minsz < hdr.count * size)
+ 				return -EINVAL;
+ 
+ 			data = memdup_user((void __user *)(arg + minsz),
+diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
+index c2e6089..1c46045 100644
+--- a/drivers/vfio/pci/vfio_pci_intrs.c
++++ b/drivers/vfio/pci/vfio_pci_intrs.c
+@@ -256,7 +256,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix)
+ 	if (!is_irq_none(vdev))
+ 		return -EINVAL;
+ 
+-	vdev->ctx = kzalloc(nvec * sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
++	vdev->ctx = kcalloc(nvec, sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
+ 	if (!vdev->ctx)
+ 		return -ENOMEM;
+