--- /dev/null
+From b53dd4495ced2432a0b652ea895e651d07336f7e Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 13 Sep 2016 03:20:03 -0700
+Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
+
+If the xhci uses msix, it doesn't free the corresponding
+memory, thus leading a memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/hcd-xhci.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 37c1493..726435c 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3715,8 +3715,7 @@ static void usb_xhci_exit(PCIDevice *dev)
+ /* destroy msix memory region */
+ if (dev->msix_table && dev->msix_pba
+ && dev->msix_entry_used) {
+- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
+- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
++ msix_uninit(dev, &xhci->mem, &xhci->mem);
+ }
+
+ usb_bus_release(&xhci->bus);
+--
+2.1.4
+
extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch
extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch
+extra/CVE-2016-7466-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch