1 files changed, 238 insertions, 220 deletions

diff --git a/kernel.spec b/kernel.spec
index 9aef0b5d5..b1e915307 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -49,7 +49,7 @@ Summary: The Linux kernel
 # base_sublevel is the kernel version we're starting with and patching
 # on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base,
 # which yields a base_sublevel of 0.
-%define base_sublevel 2
+%define base_sublevel 3
 
 ## If this is a released kernel ##
 %if 0%{?released_kernel}
@@ -58,7 +58,7 @@ Summary: The Linux kernel
 %define stable_rc 0
 
 # Do we have a -stable update to apply?
-%define stable_update 8
+%define stable_update 3
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -408,7 +408,11 @@ BuildRequires: rpm-build, elfutils
 %define debuginfo_args --strict-build-id -r
 %endif
 
-BuildRequires: openssl
+%ifarch %{ix86} x86_64
+# MODULE_SIG is enabled in config-x86-generic and needs these:
+BuildRequires: openssl openssl-devel
+%endif
+
 %if %{signmodules}
 BuildRequires: pesign >= 0.10-4
 %endif
@@ -451,7 +455,7 @@ Source32: config-x86-32-generic
 
 Source40: config-x86_64-generic
 
-Source50: config-powerpc-generic
+Source50: config-powerpc64-generic
 Source53: config-powerpc64
 Source54: config-powerpc64p7
 Source55: config-powerpc64le
@@ -515,134 +519,107 @@ Patch05: kbuild-AFTER_LINK.patch
 
 # Standalone patches
 
-Patch450: input-kill-stupid-messages.patch
-Patch452: no-pcspkr-modalias.patch
+Patch451: lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
 
-Patch458: regulator-axp20x-module-alias.patch
-Patch470: die-floppy-die.patch
+Patch452: amd-xgbe-a0-Add-support-for-XGBE-on-A0.patch
 
-Patch510: input-silence-i8042-noise.patch
-Patch530: silence-fbcon-logo.patch
+Patch453: amd-xgbe-phy-a0-Add-support-for-XGBE-PHY-on-A0.patch
 
-Patch600: lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
+Patch454: arm64-avoid-needing-console-to-enable-serial-console.patch
 
-#rhbz 1126580
-Patch601: Kbuild-Add-an-option-to-enable-GCC-VTA.patch
+Patch455: usb-make-xhci-platform-driver-use-64-bit-or-32-bit-D.patch
 
-Patch800: crash-driver.patch
+Patch456: arm64-acpi-drop-expert-patch.patch
 
-# crypto/
+Patch457: ARM-tegra-usb-no-reset.patch
 
-# secure boot
-Patch1000: Add-secure_modules-call.patch
-Patch1001: PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
-Patch1002: x86-Lock-down-IO-port-access-when-module-security-is.patch
-Patch1003: ACPI-Limit-access-to-custom_method.patch
-Patch1004: asus-wmi-Restrict-debugfs-interface-when-module-load.patch
-Patch1005: Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
-Patch1006: acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
-Patch1007: kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
-Patch1008: x86-Restrict-MSR-access-when-module-loading-is-restr.patch
-Patch1009: Add-option-to-automatically-enforce-module-signature.patch
-Patch1010: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
-Patch1011: efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
-Patch1012: efi-Add-EFI_SECURE_BOOT-bit.patch
-Patch1013: hibernate-Disable-in-a-signed-modules-environment.patch
+Patch458: ARM-dts-Add-am335x-bonegreen.patch
 
-Patch1014: Add-EFI-signature-data-types.patch
-Patch1015: Add-an-EFI-signature-blob-parser-and-key-loader.patch
-Patch1016: KEYS-Add-a-system-blacklist-keyring.patch
-Patch1017: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
-Patch1018: MODSIGN-Support-not-importing-certs-from-db.patch
+Patch459: 0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch
 
-Patch1019: Add-sysrq-option-to-disable-secure-boot-mode.patch
+Patch460: mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch
 
-# virt + ksm patches
+Patch463: arm-i.MX6-Utilite-device-dtb.patch
 
-# DRM
+Patch466: input-kill-stupid-messages.patch
 
-# nouveau + drm fixes
-# intel drm is all merged upstream
-Patch1826: drm-i915-hush-check-crtc-state.patch
+Patch467: die-floppy-die.patch
 
-# Quiet boot fixes
+Patch468: no-pcspkr-modalias.patch
 
-# fs fixes
+Patch470: silence-fbcon-logo.patch
 
-# NFSv4
+Patch471: Kbuild-Add-an-option-to-enable-GCC-VTA.patch
 
-# patches headed upstream
-Patch12016: disable-i8042-check-on-apple-mac.patch
+Patch472: crash-driver.patch
 
-Patch14010: lis3-improve-handling-of-null-rate.patch
+Patch473: Add-secure_modules-call.patch
 
-Patch15000: watchdog-Disable-watchdog-on-virtual-machines.patch
+Patch474: PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
 
-# PPC
+Patch475: x86-Lock-down-IO-port-access-when-module-security-is.patch
 
-# ARM64
-Patch16000: amd-xgbe-a0-Add-support-for-XGBE-on-A0.patch
-Patch16001: amd-xgbe-phy-a0-Add-support-for-XGBE-PHY-on-A0.patch
-Patch16002: arm64-avoid-needing-console-to-enable-serial-console.patch
-Patch16003: usb-make-xhci-platform-driver-use-64-bit-or-32-bit-D.patch
-Patch16004: showmem-cma-correct-reserved-memory-calculation.patch
+Patch476: ACPI-Limit-access-to-custom_method.patch
 
-# ARMv7
-Patch16020: ARM-tegra-usb-no-reset.patch
-Patch16021: arm-dts-am335x-boneblack-lcdc-add-panel-info.patch
-Patch16022: arm-dts-am335x-boneblack-add-cpu0-opp-points.patch
-Patch16025: arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch
-Patch16026: pinctrl-pinctrl-single-must-be-initialized-early.patch
+Patch477: asus-wmi-Restrict-debugfs-interface-when-module-load.patch
 
-Patch16028: arm-i.MX6-Utilite-device-dtb.patch
+Patch478: Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
 
-#rhbz 754518
-Patch21235: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
+Patch479: acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
 
-# https://fedoraproject.org/wiki/Features/Checkpoint_Restore
-Patch21242: criu-no-expert.patch
+Patch480: kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
 
-#rhbz 892811
-Patch21247: ath9k-rx-dma-stop-check.patch
+Patch481: x86-Restrict-MSR-access-when-module-loading-is-restr.patch
 
-#CVE-2015-2150 rhbz 1196266 1200397
-Patch26175: xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
+Patch482: Add-option-to-automatically-enforce-module-signature.patch
 
-#rhbz 1212230
-Patch26176: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
+Patch483: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
 
-#rhbz 1133378
-Patch26219: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch
+Patch484: efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
 
-#rhbz 1226743
-Patch26221: drm-i915-turn-off-wc-mmaps.patch
+Patch485: efi-Add-EFI_SECURE_BOOT-bit.patch
 
+Patch486: hibernate-Disable-in-a-signed-modules-environment.patch
 
-#rhbz 1244511
-Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch
+Patch487: Add-EFI-signature-data-types.patch
 
-Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
+Patch488: Add-an-EFI-signature-blob-parser-and-key-loader.patch
+
+Patch489: KEYS-Add-a-system-blacklist-keyring.patch
+
+Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
+
+Patch491: MODSIGN-Support-not-importing-certs-from-db.patch
+
+Patch492: Add-sysrq-option-to-disable-secure-boot-mode.patch
+
+Patch493: drm-i915-hush-check-crtc-state.patch
+
+Patch494: disable-i8042-check-on-apple-mac.patch
+
+Patch495: lis3-improve-handling-of-null-rate.patch
+
+Patch496: watchdog-Disable-watchdog-on-virtual-machines.patch
+
+Patch497: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
+
+Patch498: criu-no-expert.patch
+
+Patch499: ath9k-rx-dma-stop-check.patch
 
-#rhbz 1239050
-Patch509: ideapad-laptop-Add-Lenovo-Yoga-3-14-to-no_hw_rfkill-.patch
+Patch500: xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
 
-#rhbz 1253789
-Patch511: iSCSI-let-session-recovery_tmo-sysfs-writes-persist.patch
+Patch501: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
 
-#rhbz 1257534
-Patch515: nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch
+Patch502: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch
 
-#rhbz 1257500
-Patch517: vmwgfx-Rework-device-initialization.patch
-Patch518: drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch
+Patch503: drm-i915-turn-off-wc-mmaps.patch
 
-#rhbz 1272172
-Patch540: 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
-Patch541: 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
+Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
 
 #CVE-2015-7799 rhbz 1271134 1271135
-Patch543: isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
-Patch544: ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
+Patch512: isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
+Patch513: ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
 
 #CVE-2015-8104 rhbz 1278496 1279691
 Patch551: KVM-svm-unconditionally-intercept-DB.patch
@@ -658,11 +635,6 @@ Patch556: netfilter-ipset-Fix-extension-alignment.patch
 Patch557: netfilter-ipset-Fix-hash-type-expiration.patch
 Patch558: netfilter-ipset-Fix-hash-type-expire-release-empty-h.patch
 
-#rhbz 1278688
-Patch560: 0001-KVM-x86-build-kvm_userspace_memory_region-in-x86_set.patch
-Patch561: 0002-KVM-x86-map-unmap-private-slots-in-__x86_set_memory_.patch
-Patch562: 0003-KVM-x86-fix-previous-commit-for-32-bit.patch
-
 #rhbz 1284059
 Patch566: KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
 
@@ -678,14 +650,66 @@ Patch570: HID-multitouch-enable-palm-rejection-if-device-imple.patch
 #rhbz 1286293
 Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
 
+#rhbz 1288687
+Patch572: alua_fix.patch
+
 #CVE-XXXX-XXXX rhbz 1291329 1291332
 Patch574: ovl-fix-permission-checking-for-setattr.patch
 
 #CVE-2015-7550 rhbz 1291197 1291198
 Patch575: KEYS-Fix-race-between-read-and-revoke.patch
 
-#CVE-2015-8543 rhbz 1290475 1290477
-Patch576: net-add-validation-for-the-socket-syscall-protocol-a.patch
+Patch601: vrf-fix-memory-leak-on-registration.patch
+
+#CVE-2015-8709 rhbz 1295287 1295288
+Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
+
+#atch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
+
+#CVE-2015-7513 rhbz 1284847 1296142
+Patch605: KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
+
+#rhbz 1296677
+Patch606: HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch
+
+#rhbz 1281368
+Patch607: drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch
+
+#rhbz 1296820
+Patch608: drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch
+
+#rhbz 1083853
+Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch
+
+#CVE-2015-7566 rhbz 1296466 1297517
+Patch623: usb-serial-visor-fix-crash-on-detecting-device-witho.patch
+
+#rhbz 1298309
+#atch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch
+
+#rhbz 1298996
+Patch625: block-ensure-to-split-after-potentially-bouncing-a-b.patch
+
+#rhbz 1298192
+Patch626: selinux-fix-bug-in-conditional-rules-handling.patch
+
+#rhbz 1295272
+Patch627: ideapad-laptop-Add-Lenovo-Yoga-700-to-no_hw_rfkill-d.patch
+
+Patch628: i915-stable-backports.patch
+Patch635: nouveau-stable-backports.patch
+
+#rhbz 1299810
+Patch629: SCSI-refactor-device-matching-code-in-scsi_devinfo.c.patch
+Patch630: SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
+
+Patch631: btrfs-handle-invalid-num_stripes-in-sys_array.patch
+Patch632: Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch
+
+Patch633: net_43.mbox
+
+#CVE-2016-0728 rhbz 1296623 1297475
+Patch634: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
 
 # END OF PATCH DEFINITIONS
 
@@ -1254,183 +1278,104 @@ ApplyPatch kbuild-AFTER_LINK.patch
 
 %if !%{nopatches}
 
-# Architecture patches
-# x86(-64)
 ApplyPatch lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
 
-# PPC
-
-# ARM64
 ApplyPatch amd-xgbe-a0-Add-support-for-XGBE-on-A0.patch
+
 ApplyPatch amd-xgbe-phy-a0-Add-support-for-XGBE-PHY-on-A0.patch
+
 ApplyPatch arm64-avoid-needing-console-to-enable-serial-console.patch
+
 ApplyPatch usb-make-xhci-platform-driver-use-64-bit-or-32-bit-D.patch
 
-ApplyPatch showmem-cma-correct-reserved-memory-calculation.patch
+ApplyPatch arm64-acpi-drop-expert-patch.patch
 
-#
-# ARM
-#
 ApplyPatch ARM-tegra-usb-no-reset.patch
 
-ApplyPatch arm-dts-am335x-boneblack-lcdc-add-panel-info.patch
-ApplyPatch arm-dts-am335x-boneblack-add-cpu0-opp-points.patch
-ApplyPatch arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch
-ApplyPatch pinctrl-pinctrl-single-must-be-initialized-early.patch
-
-ApplyPatch arm-i.MX6-Utilite-device-dtb.patch
-
-#
-# bugfixes to drivers and filesystems
-#
-
-# ext4
-
-# xfs
-
-# btrfs
-
-# eCryptfs
-
-# NFSv4
-
-# USB
-
-# WMI
-
-# ACPI
-
-#
-# PCI
-#
-
-#
-# SCSI Bits.
-#
+ApplyPatch ARM-dts-Add-am335x-bonegreen.patch
 
-# ACPI
+ApplyPatch 0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch
 
-# ALSA
+ApplyPatch mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch
 
-# Networking
+ApplyPatch arm-i.MX6-Utilite-device-dtb.patch
 
-# Misc fixes
-# The input layer spews crap no-one cares about.
 ApplyPatch input-kill-stupid-messages.patch
 
-# stop floppy.ko from autoloading during udev...
 ApplyPatch die-floppy-die.patch
 
 ApplyPatch no-pcspkr-modalias.patch
 
-# Silence some useless messages that still get printed with 'quiet'
-ApplyPatch input-silence-i8042-noise.patch
-
-# Make fbcon not show the penguins with 'quiet'
 ApplyPatch silence-fbcon-logo.patch
 
-# Changes to upstream defaults.
-#rhbz 1126580
 ApplyPatch Kbuild-Add-an-option-to-enable-GCC-VTA.patch
 
-# /dev/crash driver.
 ApplyPatch crash-driver.patch
 
-# crypto/
-
-# secure boot
 ApplyPatch Add-secure_modules-call.patch
+
 ApplyPatch PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
+
 ApplyPatch x86-Lock-down-IO-port-access-when-module-security-is.patch
+
 ApplyPatch ACPI-Limit-access-to-custom_method.patch
+
 ApplyPatch asus-wmi-Restrict-debugfs-interface-when-module-load.patch
+
 ApplyPatch Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
+
 ApplyPatch acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
+
 ApplyPatch kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
+
 ApplyPatch x86-Restrict-MSR-access-when-module-loading-is-restr.patch
+
 ApplyPatch Add-option-to-automatically-enforce-module-signature.patch
+
 ApplyPatch efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch
+
 ApplyPatch efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
+
 ApplyPatch efi-Add-EFI_SECURE_BOOT-bit.patch
+
 ApplyPatch hibernate-Disable-in-a-signed-modules-environment.patch
 
 ApplyPatch Add-EFI-signature-data-types.patch
+
 ApplyPatch Add-an-EFI-signature-blob-parser-and-key-loader.patch
+
 ApplyPatch KEYS-Add-a-system-blacklist-keyring.patch
+
 ApplyPatch MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
+
 ApplyPatch MODSIGN-Support-not-importing-certs-from-db.patch
 
 ApplyPatch Add-sysrq-option-to-disable-secure-boot-mode.patch
 
-# Assorted Virt Fixes
-
-# DRM core
-
-# Nouveau DRM
-
-# Intel DRM
 ApplyPatch drm-i915-hush-check-crtc-state.patch
 
-# Radeon DRM
-
-# Patches headed upstream
 ApplyPatch disable-i8042-check-on-apple-mac.patch
 
 ApplyPatch lis3-improve-handling-of-null-rate.patch
 
-# Disable watchdog on virtual machines.
 ApplyPatch watchdog-Disable-watchdog-on-virtual-machines.patch
 
-#rhbz 754518
 ApplyPatch scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
 
-# https://fedoraproject.org/wiki/Features/Checkpoint_Restore
 ApplyPatch criu-no-expert.patch
 
-#rhbz 892811
 ApplyPatch ath9k-rx-dma-stop-check.patch
 
-#CVE-2015-2150 rhbz 1196266 1200397
 ApplyPatch xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
 
-#rhbz 1212230
 ApplyPatch Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
 
-#rhbz 1133378
 ApplyPatch firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch
 
-#rhbz 1226743
 ApplyPatch drm-i915-turn-off-wc-mmaps.patch
 
-#rhbz 1212230
-# pplyPatch Input-Revert-Revert-synaptics-use-dmax-in-input_mt_a.patch
-# pplyPatch Input-synaptics-allocate-3-slots-to-keep-stability-i.patch
-# pplyPatch Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
-
-#rhbz 1244511
-ApplyPatch HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch
-
 ApplyPatch kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
 
-#rhbz 1239050
-ApplyPatch ideapad-laptop-Add-Lenovo-Yoga-3-14-to-no_hw_rfkill-.patch
-
-#rhbz 1253789
-ApplyPatch iSCSI-let-session-recovery_tmo-sysfs-writes-persist.patch
-
-#rhbz 1257534
-ApplyPatch nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch
-
-#rhbz 1257500
-ApplyPatch vmwgfx-Rework-device-initialization.patch
-ApplyPatch drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch
-
-ApplyPatch regulator-axp20x-module-alias.patch
-
-#rhbz 1272172
-ApplyPatch 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
-ApplyPatch 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
-
 #CVE-2015-7799 rhbz 1271134 1271135
 ApplyPatch isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
 ApplyPatch ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
@@ -1449,11 +1394,6 @@ ApplyPatch netfilter-ipset-Fix-extension-alignment.patch
 ApplyPatch netfilter-ipset-Fix-hash-type-expiration.patch
 ApplyPatch netfilter-ipset-Fix-hash-type-expire-release-empty-h.patch
 
-#rhbz 1278688
-ApplyPatch 0001-KVM-x86-build-kvm_userspace_memory_region-in-x86_set.patch
-ApplyPatch 0002-KVM-x86-map-unmap-private-slots-in-__x86_set_memory_.patch
-ApplyPatch 0003-KVM-x86-fix-previous-commit-for-32-bit.patch
-
 #rhbz 1284059
 ApplyPatch KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
 
@@ -1469,14 +1409,66 @@ ApplyPatch HID-multitouch-enable-palm-rejection-if-device-imple.patch
 #rhbz 1286293
 ApplyPatch ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
 
+#rhbz 1288687
+ApplyPatch alua_fix.patch
+
 #CVE-XXXX-XXXX rhbz 1291329 1291332
 ApplyPatch ovl-fix-permission-checking-for-setattr.patch
 
 #CVE-2015-7550 rhbz 1291197 1291198
 ApplyPatch KEYS-Fix-race-between-read-and-revoke.patch
 
-#CVE-2015-8543 rhbz 1290475 1290477
-ApplyPatch net-add-validation-for-the-socket-syscall-protocol-a.patch
+ApplyPatch vrf-fix-memory-leak-on-registration.patch
+
+#CVE-2015-8709 rhbz 1295287 1295288
+ApplyPatch ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
+
+#atch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
+
+#CVE-2015-7513 rhbz 1284847 1296142
+ApplyPatch KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
+
+#rhbz 1296677
+ApplyPatch HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch
+
+#rhbz 1281368
+ApplyPatch drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch
+
+#rhbz 1296820
+ApplyPatch drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch
+
+#rhbz 1083853
+ApplyPatch PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch
+
+#CVE-2015-7566 rhbz 1296466 1297517
+ApplyPatch usb-serial-visor-fix-crash-on-detecting-device-witho.patch
+
+#rhbz 1298309
+#atch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch
+
+#rhbz 1298996
+ApplyPatch block-ensure-to-split-after-potentially-bouncing-a-b.patch
+
+#rhbz 1298192
+ApplyPatch selinux-fix-bug-in-conditional-rules-handling.patch
+
+#rhbz 1295272
+ApplyPatch ideapad-laptop-Add-Lenovo-Yoga-700-to-no_hw_rfkill-d.patch
+
+ApplyPatch i915-stable-backports.patch
+ApplyPatch nouveau-stable-backports.patch
+
+#rhbz 1299810
+ApplyPatch SCSI-refactor-device-matching-code-in-scsi_devinfo.c.patch
+ApplyPatch SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
+
+ApplyPatch btrfs-handle-invalid-num_stripes-in-sys_array.patch
+ApplyPatch Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch
+
+ApplyPatch net_43.mbox
+
+#CVE-2016-0728 rhbz 1296623 1297475
+ApplyPatch KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -1597,11 +1589,9 @@ BuildKernel() {
     cp configs/$Config .config
 
     %if %{signmodules}
-    cp %{SOURCE11} .
+    cp %{SOURCE11} certs/.
     %endif
 
-    chmod +x scripts/sign-file
-
     Arch=`head -1 .config | cut -b 3-`
     echo USING ARCH=$Arch
 
@@ -1837,8 +1827,8 @@ BuildKernel() {
 
 %if %{signmodules}
     # Save the signing keys so we can sign the modules in __modsign_install_post
-    cp signing_key.priv signing_key.priv.sign${Flav}
-    cp signing_key.x509 signing_key.x509.sign${Flav}
+    cp certs/signing_key.pem certs/signing_key.pem.sign${Flav}
+    cp certs/signing_key.x509 certs/signing_key.x509.sign${Flav}
 %endif
 
     # Move the devel headers out of the root file system
@@ -1933,16 +1923,16 @@ popd
 %define __modsign_install_post \
   if [ "%{signmodules}" -eq "1" ]; then \
     if [ "%{with_pae}" -ne "0" ]; then \
-      %{modsign_cmd} signing_key.priv.sign+%{pae} signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \
+      %{modsign_cmd} certs/signing_key.pem.sign+%{pae} certs/signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \
     fi \
     if [ "%{with_debug}" -ne "0" ]; then \
-      %{modsign_cmd} signing_key.priv.sign+debug signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \
+      %{modsign_cmd} certs/signing_key.pem.sign+debug certs/signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \
     fi \
     if [ "%{with_pae_debug}" -ne "0" ]; then \
-      %{modsign_cmd} signing_key.priv.sign+%{pae}debug signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \
+      %{modsign_cmd} certs/signing_key.pem.sign+%{pae}debug certs/signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \
     fi \
     if [ "%{with_up}" -ne "0" ]; then \
-      %{modsign_cmd} signing_key.priv.sign signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
+      %{modsign_cmd} certs/signing_key.pem.sign certs/signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
     fi \
   fi \
   if [ "%{zipmodules}" -eq "1" ]; then \
@@ -2203,6 +2193,7 @@ fi
 %dir %{_libdir}/traceevent/plugins
 %{_libdir}/traceevent/plugins/*
 %dir %{_libexecdir}/perf-core
+%{_datadir}/perf-core/*
 %{_libexecdir}/perf-core/*
 %{_mandir}/man[1-8]/perf*
 %{_sysconfdir}/bash_completion.d/perf
@@ -2328,6 +2319,33 @@ fi
 #
 # 
 %changelog
+* Tue Jan 19 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.3-200
+- Rebase to 4.3.y
+- Backport nouveau stable fixes (rhbz 1299349)
+- CVE-2016-0728 Keys: reference leak in join_session_keyring (rhbz 1296623 1297475)
+- Add currently queued networking stable patches
+- Add a couple btrfs patches cc'd to stable upstream
+- Add SCSI patches to avoid blacklist false positives (rhbz 1299810)
+
+* Fri Jan 15 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-8767 sctp: DoS during timeout (rhbz 1297389 1298437)
+
+* Tue Jan 12 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-7566 usb: visor: Crash on invalid USB dev descriptors (rhbz 1296466 1297517)
+- Fix backtrace from PNP conflict on Broadwell (rhbz 1083853)
+
+* Thu Jan 07 2016 Josh Boyer <jwboyer@fedorparoject.org>
+- CVE-2015-7513 kvm: divide by zero DoS (rhbz 1284847 1296142)
+
+* Tue Jan 05 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-8709 ptrace: potential priv escalation with userns (rhbz 1295287 1295288)
+
+* Fri Dec 18 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-8575 information leak in sco_sock_bind (rhbz 1292840 1292841)
+
+* Thu Dec 17 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-8569 info leak from getsockname (rhbz 1292045 1292047)
+
 * Tue Dec 15 2015 Justin Forbes <jforbes@fedoraproject.org> - 4.2.8-200
 - Linux v4.2.8