diff --git a/qemu.bug1389686.patch b/qemu.bug1389686.patch
new file mode 100644
index 0000000..86bc5ec
--- /dev/null
+++ b/qemu.bug1389686.patch
@@ -0,0 +1,89 @@
+From: Li Qiang
+
+The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
+originated offset: they must ensure this offset does not go beyond
+the size of the extended attribute that was set in v9fs_xattrcreate().
+Unfortunately, the current code implement these checks with unsafe
+calculations on 32 and 64 bit values, which may allow a malicious
+guest to cause OOB access anyway.
+
+Fix this by comparing the offset and the xattr size, which are
+both uint64_t, before trying to compute the effective number of bytes
+to read or write.
+
+Suggested-by: Greg Kurz
+Signed-off-by: Li Qiang
+---
+
+Changes since v2:
+-make the solution of 'copied_len/len' in V9fsXattr type issue to a separate patch.
+-add detailed changelog.
+
+Changes since v1:
+-delete 'xattr_len'.
+
+ hw/9pfs/9p.c | 32 ++++++++++++--------------------
+ 1 file changed, 12 insertions(+), 20 deletions(-)
+
+diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c
+index e902eed..6df85b8 100644
+--- a/hw/9pfs/virtio-9p.c
++++ b/hw/9pfs/virtio-9p.c
+@@ -1642,18 +1642,15 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+ ssize_t err;
+ size_t offset = 7;
+- int read_count;
+- int64_t xattr_len;
++ uint64_t read_count;
+
+- xattr_len = fidp->fs.xattr.len;
+- read_count = xattr_len - off;
++ if (fidp->fs.xattr.len < off) {
++ read_count = 0;
++ } else {
++ read_count = fidp->fs.xattr.len - off;
++ }
+ if (read_count > max_count) {
+ read_count = max_count;
+- } else if (read_count < 0) {
+- /*
+- * read beyond XATTR value
+- */
+- read_count = 0;
+ }
+ err = pdu_marshal(pdu, offset, "d", read_count);
+ if (err < 0) {
+@@ -1982,23 +1979,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+ int i, to_copy;
+ ssize_t err = 0;
+- int write_count;
+- int64_t xattr_len;
++ uint64_t write_count;
+ size_t offset = 7;
+
+
+- xattr_len = fidp->fs.xattr.len;
+- write_count = xattr_len - off;
+- if (write_count > count) {
+- write_count = count;
+- } else if (write_count < 0) {
+- /*
+- * write beyond XATTR value len specified in
+- * xattrcreate
+- */
++ if (fidp->fs.xattr.len < off) {
+ err = -ENOSPC;
+ goto out;
+ }
++ write_count = fidp->fs.xattr.len - off;
++ if (write_count > count) {
++ write_count = count;
++ }
+ err = pdu_marshal(pdu, offset, "d", write_count);
+ if (err < 0) {
+ return err;
+--
+1.8.3.1
+
diff --git a/qemu.git-05f43d44e4bc26611ce25fd7d726e483f73363ce.patch b/qemu.git-05f43d44e4bc26611ce25fd7d726e483f73363ce.patch
new file mode 100644
index 0000000..b570e40
--- /dev/null
+++ b/qemu.git-05f43d44e4bc26611ce25fd7d726e483f73363ce.patch
@@ -0,0 +1,68 @@
+From 05f43d44e4bc26611ce25fd7d726e483f73363ce Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Mon, 10 Oct 2016 12:46:22 +0200
+Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
+
+Needed to avoid we run in circles forever in case the guest builds
+an endless loop with link trbs.
+
+Reported-by: Li Qiang
+Tested-by: P J P
+Signed-off-by: Gerd Hoffmann
+Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
+---
+ hw/usb/hcd-xhci.c | 10 ++++++++++
+ 1 files changed, 10 insertions(+), 0 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 726435c..ee4fa48 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -54,6 +54,8 @@
+ * to the specs when it gets them */
+ #define ER_FULL_HACK
+
++#define TRB_LINK_LIMIT 4
++
+ #define LEN_CAP 0x40
+ #define LEN_OPER (0x400 + 0x10 * MAXPORTS)
+ #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
+@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+ dma_addr_t *addr)
+ {
+ PCIDevice *pci_dev = PCI_DEVICE(xhci);
++ uint32_t link_cnt = 0;
+
+ while (1) {
+ TRBType type;
+@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+ ring->dequeue += TRB_SIZE;
+ return type;
+ } else {
++ if (++link_cnt > TRB_LINK_LIMIT) {
++ return 0;
++ }
+ ring->dequeue = xhci_mask64(trb->parameter);
+ if (trb->control & TRB_LK_TC) {
+ ring->ccs = !ring->ccs;
+@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+ bool ccs = ring->ccs;
+ /* hack to bundle together the two/three TDs that make a setup transfer */
+ bool control_td_set = 0;
++ uint32_t link_cnt = 0;
+
+ while (1) {
+ TRBType type;
+@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+ type = TRB_TYPE(trb);
+
+ if (type == TR_LINK) {
++ if (++link_cnt > TRB_LINK_LIMIT) {
++ return -length;
++ }
+ dequeue = xhci_mask64(trb.parameter);
+ if (trb.control & TRB_LK_TC) {
+ ccs = !ccs;
+--
+1.7.0.4
+
diff --git a/qemu.git-3592fe0c919cf27a81d8e9f9b4f269553418bb01.patch b/qemu.git-3592fe0c919cf27a81d8e9f9b4f269553418bb01.patch
new file mode 100644
index 0000000..aac2fa5
--- /dev/null
+++ b/qemu.git-3592fe0c919cf27a81d8e9f9b4f269553418bb01.patch
@@ -0,0 +1,37 @@
+From 3592fe0c919cf27a81d8e9f9b4f269553418bb01 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 12 Oct 2016 11:28:08 +0530
+Subject: [PATCH] char: serial: check divider value against baud base
+
+16550A UART device uses an oscillator to generate frequencies
+(baud base), which decide communication speed. This speed could
+be changed by dividing it by a divider. If the divider is
+greater than the baud base, speed is set to zero, leading to a
+divide by zero error. Add check to avoid it.
+
+Reported-by: Huawei PSIRT
+Signed-off-by: Prasad J Pandit
+Message-Id: <1476251888-20238-1-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+---
+ hw/char/serial.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/hw/char/serial.c b/hw/char/serial.c
+index 3442f47..eec72b7 100644
+--- a/hw/char/serial.c
++++ b/hw/char/serial.c
+@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
+ int speed, parity, data_bits, stop_bits, frame_size;
+ QEMUSerialSetParams ssp;
+
+- if (s->divider == 0)
++ if (s->divider == 0 || s->divider > s->baudbase) {
+ return;
++ }
+
+ /* Start bit. */
+ frame_size = 1;
+--
+1.7.0.4
+
diff --git a/qemu.git-4c1586787ff43c9acd18a56c12d720e3e6be9f7c.patch b/qemu.git-4c1586787ff43c9acd18a56c12d720e3e6be9f7c.patch
new file mode 100644
index 0000000..d06c597
--- /dev/null
+++ b/qemu.git-4c1586787ff43c9acd18a56c12d720e3e6be9f7c.patch
@@ -0,0 +1,32 @@
+From 4c1586787ff43c9acd18a56c12d720e3e6be9f7c Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH] 9pfs: fix memory leak in v9fs_link
+
+The v9fs_link() function keeps a reference on the source fid object. This
+causes a memory leak since the reference never goes down to 0. This patch
+fixes the issue.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+[groug, rephrased the changelog]
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c
+index 66135cf..d43a552 100644
+--- a/hw/9pfs/virtio-9p.c
++++ b/hw/9pfs/virtio-9p.c
+@@ -2413,6 +2413,7 @@ static void coroutine_fn v9fs_link(void *opaque)
+ if (!err) {
+ err = offset;
+ }
++ put_fid(pdu, oldfidp);
+ out:
+ put_fid(pdu, dfidp);
+ out_nofid:
+--
+1.7.0.4
+
diff --git a/qemu.git-6be8f5e2626e102433e569d9cece2120baf0c879.patch b/qemu.git-6be8f5e2626e102433e569d9cece2120baf0c879.patch
new file mode 100644
index 0000000..0cda3ac
--- /dev/null
+++ b/qemu.git-6be8f5e2626e102433e569d9cece2120baf0c879.patch
@@ -0,0 +1,51 @@
+From 6be8f5e2626e102433e569d9cece2120baf0c879 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Mon, 24 Oct 2016 16:26:54 +0100
+Subject: [PATCH] timer: a9gtimer: remove loop to auto-increment comparator
+
+ARM A9MP processor has a peripheral timer with an auto-increment
+register, which holds an increment step value. A user could set
+this value to zero. When auto-increment control bit is enabled,
+it leads to an infinite loop in 'a9_gtimer_update' while
+updating comparator value. Remove this loop incrementing the
+comparator value.
+
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+Message-id: 1476733226-11635-1-git-send-email-ppandit@redhat.com
+Reviewed-by: Peter Maydell
+Signed-off-by: Peter Maydell
+---
+ hw/timer/a9gtimer.c | 14 +++++++-------
+ 1 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/hw/timer/a9gtimer.c b/hw/timer/a9gtimer.c
+index 772f85f..ce1dc63 100644
+--- a/hw/timer/a9gtimer.c
++++ b/hw/timer/a9gtimer.c
+@@ -82,15 +82,15 @@ static void a9_gtimer_update(A9GTimerState *s, bool sync)
+ if ((s->control & R_CONTROL_TIMER_ENABLE) &&
+ (gtb->control & R_CONTROL_COMP_ENABLE)) {
+ /* R2p0+, where the compare function is >= */
+- while (gtb->compare < update.new) {
++ if (gtb->compare < update.new) {
+ DB_PRINT("Compare event happened for CPU %d\n", i);
+ gtb->status = 1;
+- if (gtb->control & R_CONTROL_AUTO_INCREMENT) {
+- DB_PRINT("Auto incrementing timer compare by %" PRId32 "\n",
+- gtb->inc);
+- gtb->compare += gtb->inc;
+- } else {
+- break;
++ if (gtb->control & R_CONTROL_AUTO_INCREMENT && gtb->inc) {
++ uint64_t inc =
++ QEMU_ALIGN_UP(update.new - gtb->compare, gtb->inc);
++ DB_PRINT("Auto incrementing timer compare by %"
++ PRId64 "\n", inc);
++ gtb->compare += inc;
+ }
+ }
+ cdiff = (int64_t)gtb->compare - (int64_t)update.new + 1;
+--
+1.7.0.4
+
diff --git a/qemu.git-ba42ebb863ab7d40adc79298422ed9596df8f73a.patch b/qemu.git-ba42ebb863ab7d40adc79298422ed9596df8f73a.patch
new file mode 100644
index 0000000..f217376
--- /dev/null
+++ b/qemu.git-ba42ebb863ab7d40adc79298422ed9596df8f73a.patch
@@ -0,0 +1,58 @@
+From ba42ebb863ab7d40adc79298422ed9596df8f73a Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH] 9pfs: allocate space for guest originated empty strings
+
+If a guest sends an empty string paramater to any 9P operation, the current
+code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
+
+This is unfortunate because it can cause NULL pointer dereference to happen
+at various locations in the 9pfs code. And we don't want to check str->data
+everywhere we pass it to strcmp() or any other function which expects a
+dereferenceable pointer.
+
+This patch enforces the allocation of genuine C empty strings instead, so
+callers don't have to bother.
+
+Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
+the returned string is empty. It now uses v9fs_string_size() since
+name.data cannot be NULL anymore.
+
+Signed-off-by: Li Qiang
+[groug, rewritten title and changelog,
+ fix empty string check in v9fs_xattrwalk()]
+Signed-off-by: Greg Kurz
+---
+ fsdev/9p-iov-marshal.c | 2 +-
+ hw/9pfs/9p.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fsdev/virtio-9p-marshal.c b/fsdev/9p-iov-marshal.c
+index 663cad5..1d16f8d 100644
+--- a/fsdev/virtio-9p-marshal.c
++++ b/fsdev/virtio-9p-marshal.c
+@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
+ str->data = g_malloc(str->size + 1);
+ copied = v9fs_unpack(str->data, out_sg, out_num, offset,
+ str->size);
+- if (copied > 0) {
++ if (copied >= 0) {
+ str->data[str->size] = 0;
+ } else {
+ v9fs_string_free(str);
+diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/9p.c
+index 119ee58..39a7e1d 100644
+--- a/hw/9pfs/virtio-9p.c
++++ b/hw/9pfs/virtio-9p.c
+@@ -3174,7 +3174,7 @@ static void v9fs_xattrwalk(void *opaque)
+ goto out;
+ }
+ v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
+- if (name.data == NULL) {
++ if (!v9fs_string_size(&name)) {
+ /*
+ * listxattr request. Get the size first
+ */
+--
+1.7.0.4
+
diff --git a/qemu.git-c7c35916692fe010fef25ac338443d3fe40be225.patch b/qemu.git-c7c35916692fe010fef25ac338443d3fe40be225.patch
new file mode 100644
index 0000000..b8ecc87
--- /dev/null
+++ b/qemu.git-c7c35916692fe010fef25ac338443d3fe40be225.patch
@@ -0,0 +1,34 @@
+From c7c35916692fe010fef25ac338443d3fe40be225 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Fri, 21 Oct 2016 17:39:29 +0530
+Subject: [PATCH] net: rtl8139: limit processing of ring descriptors
+
+RTL8139 ethernet controller in C+ mode supports multiple
+descriptor rings, each with maximum of 64 descriptors. While
+processing transmit descriptor ring in 'rtl8139_cplus_transmit',
+it does not limit the descriptor count and runs forever. Add
+check to avoid it.
+
+Reported-by: Andrew Henderson
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Jason Wang
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index 3345bc6..f05e59c 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
+ {
+ int txcount = 0;
+
+- while (rtl8139_cplus_transmit_one(s))
++ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
+ {
+ ++txcount;
+ }
+--
+1.7.0.4
+
diff --git a/qemu.git-e95c9a493a5a8d6f969e86c9f19f80ffe6587e19.patch b/qemu.git-e95c9a493a5a8d6f969e86c9f19f80ffe6587e19.patch
new file mode 100644
index 0000000..2e17683
--- /dev/null
+++ b/qemu.git-e95c9a493a5a8d6f969e86c9f19f80ffe6587e19.patch
@@ -0,0 +1,39 @@
+From e95c9a493a5a8d6f969e86c9f19f80ffe6587e19 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH] 9pfs: fix potential host memory leak in v9fs_read
+
+In 9pfs read dispatch function, it doesn't free two QEMUIOVector
+object thus causing potential memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c
+index 39a7e1d..ff94a62 100644
+--- a/hw/9pfs/virtio-9p.c
++++ b/hw/9pfs/virtio-9p.c
+@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
+ if (len < 0) {
+ /* IO error return the error */
+ err = len;
+- goto out;
++ goto out_free_iovec;
+ }
+ } while (count < max_count && len > 0);
+ err = pdu_marshal(pdu, offset, "d", count);
+ if (err < 0) {
+- goto out;
++ goto out_free_iovec;
+ }
+ err += offset + count;
++out_free_iovec:
+ qemu_iovec_destroy(&qiov);
+ qemu_iovec_destroy(&qiov_full);
+ } else if (fidp->fid_type == P9_FID_XATTR) {
+--
+1.7.0.4
+
diff --git a/qemu.git-eb687602853b4ae656e9236ee4222609f3a6887d.patch b/qemu.git-eb687602853b4ae656e9236ee4222609f3a6887d.patch
new file mode 100644
index 0000000..5518aae
--- /dev/null
+++ b/qemu.git-eb687602853b4ae656e9236ee4222609f3a6887d.patch
@@ -0,0 +1,32 @@
+From eb687602853b4ae656e9236ee4222609f3a6887d Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH] 9pfs: fix information leak in xattr read
+
+9pfs uses g_malloc() to allocate the xattr memory space, if the guest
+reads this memory before writing to it, this will leak host heap memory
+to the guest. This patch avoid this.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c
+index 26aa7d5..bf23b01 100644
+--- a/hw/9pfs/virtio-9p.c
++++ b/hw/9pfs/virtio-9p.c
+@@ -3282,7 +3282,7 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque)
+ xattr_fidp->fs.xattr.flags = flags;
+ v9fs_string_init(&xattr_fidp->fs.xattr.name);
+ v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
+- xattr_fidp->fs.xattr.value = g_malloc(size);
++ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = offset;
+ put_fid(pdu, file_fidp);
+ out_nofid:
+--
+1.7.0.4
+
diff --git a/qemu.git-fdfcc9aeea1492f4b819a24c94dfb678145b1bf9.patch b/qemu.git-fdfcc9aeea1492f4b819a24c94dfb678145b1bf9.patch
new file mode 100644
index 0000000..f231197
--- /dev/null
+++ b/qemu.git-fdfcc9aeea1492f4b819a24c94dfb678145b1bf9.patch
@@ -0,0 +1,33 @@
+From fdfcc9aeea1492f4b819a24c94dfb678145b1bf9 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH] 9pfs: fix memory leak in v9fs_write
+
+If an error occurs when marshalling the transfer length to the guest, the
+v9fs_write() function doesn't free an IO vector, thus leading to a memory
+leak. This patch fixes the issue.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+[groug, rephrased the changelog]
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c
+index d43a552..e88cf25 100644
+--- a/hw/9pfs/virtio-9p.c
++++ b/hw/9pfs/virtio-9p.c
+@@ -2090,7 +2090,7 @@ static void coroutine_fn v9fs_write(void *opaque)
+ offset = 7;
+ err = pdu_marshal(pdu, offset, "d", total);
+ if (err < 0) {
+- goto out;
++ goto out_qiov;
+ }
+ err += offset;
+ trace_v9fs_write_return(pdu->tag, pdu->id, total, err);
+--
+1.7.0.4
+
diff --git a/qemu.git-ff55e94d23ae94c8628b0115320157c763eb3e06.patch b/qemu.git-ff55e94d23ae94c8628b0115320157c763eb3e06.patch
new file mode 100644
index 0000000..48b3d5a
--- /dev/null
+++ b/qemu.git-ff55e94d23ae94c8628b0115320157c763eb3e06.patch
@@ -0,0 +1,34 @@
+From ff55e94d23ae94c8628b0115320157c763eb3e06 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate
+
+The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
+situation that this field has been allocated previously. Every time, it
+will be allocated directly. This leads to a host memory leak issue if
+the client sends another Txattrcreate message with the same fid number
+before the fid from the previous time got clunked.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+[groug, updated the changelog to indicate how the leak can occur]
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c
+index bf23b01..66135cf 100644
+--- a/hw/9pfs/virtio-9p.c
++++ b/hw/9pfs/virtio-9p.c
+@@ -3282,6 +3282,7 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque)
+ xattr_fidp->fs.xattr.flags = flags;
+ v9fs_string_init(&xattr_fidp->fs.xattr.name);
+ v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
++ g_free(xattr_fidp->fs.xattr.value);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = offset;
+ put_fid(pdu, file_fidp);
+--
+1.7.0.4
+
diff --git a/qemu.trad.CVE-2016-8669.patch b/qemu.trad.CVE-2016-8669.patch
new file mode 100644
index 0000000..05abe36
--- /dev/null
+++ b/qemu.trad.CVE-2016-8669.patch
@@ -0,0 +1,37 @@
+From 3592fe0c919cf27a81d8e9f9b4f269553418bb01 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 12 Oct 2016 11:28:08 +0530
+Subject: [PATCH] char: serial: check divider value against baud base
+
+16550A UART device uses an oscillator to generate frequencies
+(baud base), which decide communication speed. This speed could
+be changed by dividing it by a divider. If the divider is
+greater than the baud base, speed is set to zero, leading to a
+divide by zero error. Add check to avoid it.
+
+Reported-by: Huawei PSIRT
+Signed-off-by: Prasad J Pandit
+Message-Id: <1476251888-20238-1-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+---
+ hw/char/serial.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/hw/serial.c b/hw/serial.c
+index 3442f47..eec72b7 100644
+--- a/hw/serial.c
++++ b/hw/serial.c
+@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
+ int speed, parity, data_bits, stop_bits, frame_size;
+ QEMUSerialSetParams ssp;
+
+- if (s->divider == 0)
++ if (s->divider == 0 || s->divider > s->baudbase) {
+ return;
++ }
+
+ frame_size = 1;
+ if (s->lcr & 0x08) {
+--
+1.7.0.4
+
diff --git a/qemu.trad.CVE-2016-8910.patch b/qemu.trad.CVE-2016-8910.patch
new file mode 100644
index 0000000..ddb67b1
--- /dev/null
+++ b/qemu.trad.CVE-2016-8910.patch
@@ -0,0 +1,29 @@
+From: Prasad J Pandit
+
+RTL8139 ethernet controller in C+ mode supports multiple
+descriptor rings, each with maximum of 64 descriptors. While
+processing transmit descriptor ring in 'rtl8139_cplus_transmit',
+it does not limit the descriptor count and runs forever. Add
+check to avoid it.
+
+Reported-by: Andrew Henderson
+Signed-off-by: Prasad J Pandit
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/rtl8139.c b/hw/rtl8139.c
+index 3345bc6..f05e59c 100644
+--- a/hw/rtl8139.c
++++ b/hw/rtl8139.c
+@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
+ {
+ int txcount = 0;
+
+- while (rtl8139_cplus_transmit_one(s))
++ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
+ {
+ ++txcount;
+ }
+--
+2.7.4
diff --git a/xen.spec b/xen.spec
index 049e5a7..35b631e 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.6.3
-Release: 6%{?dist}
+Release: 7%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -158,6 +158,19 @@ Patch179: qemu.git-805b5d98c649d26fc44d2d7755a97f18e62b438a.patch
Patch180: qemu.git-56f101ecce0eafd09e2daf1c4eeb1377d6959261.patch
Patch181: qemu.git-a0d1cbdacff5df4ded16b753b38fdd9da6092968.patch
Patch182: xsa190-4.6.patch
+Patch183: qemu.git-05f43d44e4bc26611ce25fd7d726e483f73363ce.patch
+Patch184: qemu.git-e95c9a493a5a8d6f969e86c9f19f80ffe6587e19.patch
+Patch185: qemu.git-ba42ebb863ab7d40adc79298422ed9596df8f73a.patch
+Patch186: qemu.git-3592fe0c919cf27a81d8e9f9b4f269553418bb01.patch
+Patch187: qemu.trad.CVE-2016-8669.patch
+Patch188: qemu.git-c7c35916692fe010fef25ac338443d3fe40be225.patch
+Patch189: qemu.trad.CVE-2016-8910.patch
+Patch190: qemu.git-6be8f5e2626e102433e569d9cece2120baf0c879.patch
+Patch191: qemu.git-eb687602853b4ae656e9236ee4222609f3a6887d.patch
+Patch192: qemu.git-ff55e94d23ae94c8628b0115320157c763eb3e06.patch
+Patch193: qemu.git-4c1586787ff43c9acd18a56c12d720e3e6be9f7c.patch
+Patch194: qemu.git-fdfcc9aeea1492f4b819a24c94dfb678145b1bf9.patch
+Patch195: qemu.bug1389686.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -413,6 +426,8 @@ manage Xen virtual machines.
pushd tools/qemu-xen-traditional
%patch169 -p1
%patch173 -p1
+%patch187 -p1
+%patch189 -p1
popd
# qemu-xen patches
@@ -424,6 +439,17 @@ pushd tools/qemu-xen
%patch179 -p1
%patch180 -p1
%patch181 -p1
+%patch183 -p1
+%patch184 -p1
+%patch185 -p1
+%patch186 -p1
+%patch188 -p1
+%patch190 -p1
+%patch191 -p1
+%patch192 -p1
+%patch193 -p1
+%patch194 -p1
+%patch195 -p1
popd
# stubdom sources
@@ -954,6 +980,23 @@ rm -rf %{buildroot}
%endif
%changelog
+* Sun Oct 30 2016 Michael Young - 4.6.3-7
+- Qemu: usb: xHCI: infinite loop vulnerability in xhci_ring_fetch
+ [CVE-2016-8576] (#1382323)
+- Qemu: 9pfs: host memory leakage in v9fs_read [CVE-2016-8577] (#1383287)
+- Qemu: 9pfs: allocate space for guest originated empty strings [CVE-2016-8578]
+ (#1383293)
+- Qemu: char: divide by zero error in serial_update_parameters [CVE-2016-8669]
+ (#1384910)
+- Qemu: net: rtl8139: infinite loop while transmit in C+ mode [CVE-2016-8910]
+ (#1388048)
+- qemu-kvm: Infinite loop vulnerability in a9_gtimer_update() (#1388301)
+- Qemu: 9pfs: information leakage via xattr (#1389644)
+- Qemu: 9pfs: memory leakage when creating extended attribute (#1389552)
+- Qemu: 9pfs: memory leakage in v9fs_link (#1389705)
+- Qemu: 9pfs: memory leakage in v9fs_write (#1389714)
+- Qemu: 9pfs: integer overflow leading to OOB access (#1389689)
+
* Tue Oct 04 2016 Michael Young - 4.6.3-6
- qemu-kvm: Directory traversal flaw in 9p virtio backend [CVE-2016-7116]
(#1371400)