author | Alexandre Oliva <lxoliva@fsfla.org> | 2013-07-15 04:22:09 +0000 |
---|---|---|
committer | Alexandre Oliva <lxoliva@fsfla.org> | 2013-07-15 04:22:09 +0000 |
commit | 75ac87d25cbab2eb5822014df0c9ca275303ac7e (patch) | |
tree | 650233b8141095882856539f70cd6e6a4e295b2b /freed-ora/current | |
parent | 1d18b08fe52ca8f418a89ce50a636c56de6eee7a (diff) | |
download | linux-libre-raptor-75ac87d25cbab2eb5822014df0c9ca275303ac7e.tar.gz linux-libre-raptor-75ac87d25cbab2eb5822014df0c9ca275303ac7e.zip |
3.9.10-200.fc18.gnu
Diffstat (limited to 'freed-ora/current')
-rw-r--r-- | freed-ora/current/f18/block-do-not-pass-disk-names-as-format-strings.patch | 64 | ||||
-rw-r--r-- | freed-ora/current/f18/cdrom-use-kzalloc-for-failing-hardware.patch | 45 | ||||
-rw-r--r-- | freed-ora/current/f18/ceph-fix.patch | 24 | ||||
-rw-r--r-- | freed-ora/current/f18/config-debug | 2 | ||||
-rw-r--r-- | freed-ora/current/f18/config-generic | 2 | ||||
-rw-r--r-- | freed-ora/current/f18/config-nodebug | 2 | ||||
-rw-r--r-- | freed-ora/current/f18/fix-ext4-overflows.patch | 207 | ||||
-rw-r--r-- | freed-ora/current/f18/iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch | 32 | ||||
-rw-r--r-- | freed-ora/current/f18/kernel.spec | 47 | ||||
-rw-r--r-- | freed-ora/current/f18/patch-3.9-gnu-3.9.10-gnu.xz.sign | 7 | ||||
-rw-r--r-- | freed-ora/current/f18/patch-3.9-gnu-3.9.9-gnu.xz.sign | 7 | ||||
-rw-r--r-- | freed-ora/current/f18/sources | 2 |
12 files changed, 278 insertions, 163 deletions
diff --git a/freed-ora/current/f18/block-do-not-pass-disk-names-as-format-strings.patch b/freed-ora/current/f18/block-do-not-pass-disk-names-as-format-strings.patch
deleted file mode 100644
index 496111dcd..000000000
--- a/freed-ora/current/f18/block-do-not-pass-disk-names-as-format-strings.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Disk names may contain arbitrary strings, so they must not be interpreted
-as format strings. It seems that only md allows arbitrary strings to be
-used for disk names, but this could allow for a local memory corruption
-from uid 0 into ring 0.
-
-CVE-2013-2851
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Cc: Jens Axboe <axboe@kernel.dk>
----
- block/genhd.c | 2 +-
- drivers/block/nbd.c | 3 ++-
- drivers/scsi/osd/osd_uld.c | 2 +-
- 3 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/block/genhd.c b/block/genhd.c
-index 20625ee..cdeb527 100644
---- a/block/genhd.c
-+++ b/block/genhd.c
-@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
-
- ddev->parent = disk->driverfs_dev;
-
-- dev_set_name(ddev, disk->disk_name);
-+ dev_set_name(ddev, "%s", disk->disk_name);
-
- /* delay uevents, until we scanned partition table */
- dev_set_uevent_suppress(ddev, 1);
-diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
-index 037288e..46b35f7 100644
---- a/drivers/block/nbd.c
-+++ b/drivers/block/nbd.c
-@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
- else
- blk_queue_flush(nbd->disk->queue, 0);
-
-- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
-+ thread = kthread_create(nbd_thread, nbd, "%s",
-+ nbd->disk->disk_name);
- if (IS_ERR(thread)) {
- mutex_lock(&nbd->tx_lock);
- return PTR_ERR(thread);
-diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
-index 0fab6b5..9d86947 100644
---- a/drivers/scsi/osd/osd_uld.c
-+++ b/drivers/scsi/osd/osd_uld.c
-@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
- oud->class_dev.class = &osd_uld_class;
- oud->class_dev.parent = dev;
- oud->class_dev.release = __remove;
-- error = dev_set_name(&oud->class_dev, disk->disk_name);
-+ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
- if (error) {
- OSD_ERR("dev_set_name failed => %d\n", error);
- goto err_put_cdev;
---
-1.7.9.5
-
---
-To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at http://vger.kernel.org/majordomo-info.html
-Please read the FAQ at http://www.tux.org/lkml/
\ No newline at end of file
diff --git a/freed-ora/current/f18/cdrom-use-kzalloc-for-failing-hardware.patch b/freed-ora/current/f18/cdrom-use-kzalloc-for-failing-hardware.patch
deleted file mode 100644
index 6afb6c4d8..000000000
--- a/freed-ora/current/f18/cdrom-use-kzalloc-for-failing-hardware.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 Mon Sep 17 00:00:00 2001
-From: Jonathan Salwan <jonathan.salwan@gmail.com>
-Date: Thu, 06 Jun 2013 00:39:39 +0000
-Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
-
-In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
-area with kmalloc in line 2885.
-
-2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
-2886 if (cgc->buffer == NULL)
-2887 return -ENOMEM;
-
-In line 2908 we can find the copy_to_user function:
-
-2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
-
-The cgc->buffer is never cleaned and initialized before this function. If
-ret = 0 with the previous basic block, it's possible to display some
-memory bytes in kernel space from userspace.
-
-When we read a block from the disk it normally fills the ->buffer but if
-the drive is malfunctioning there is a chance that it would only be
-partially filled. The result is an leak information to userspace.
-
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Cc: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
----
-(limited to 'drivers/cdrom/cdrom.c')
-
-diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
-index d620b44..8a3aff7 100644
---- a/drivers/cdrom/cdrom.c
-+++ b/drivers/cdrom/cdrom.c
-@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
- if (lba < 0)
- return -EINVAL;
-
-- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
-+ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
- if (cgc->buffer == NULL)
- return -ENOMEM;
-
---
-cgit v0.9.2
diff --git a/freed-ora/current/f18/ceph-fix.patch b/freed-ora/current/f18/ceph-fix.patch deleted file mode 100644 index 6515e758d..000000000 --- a/freed-ora/current/f18/ceph-fix.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff --git a/net/ceph/auth_none.c b/net/ceph/auth_none.c -index 925ca58..0ef2458 100644 ---- a/net/ceph/auth_none.c -+++ b/net/ceph/auth_none.c -@@ -39,6 +39,11 @@ static int should_authenticate(struct ceph_auth_client *ac) - return xi->starting; - } - -+static int build_request(struct ceph_auth_client *ac, void *buf, void *end) -+{ -+ return 0; -+} -+ - /* - * the generic auth code decode the global_id, and we carry no actual - * authenticate state, so nothing happens here. -@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops ceph_auth_none_ops = { - .destroy = destroy, - .is_authenticated = is_authenticated, - .should_authenticate = should_authenticate, -+ .build_request = build_request, - .handle_reply = handle_reply, - .create_authorizer = ceph_auth_none_create_authorizer, - .destroy_authorizer = ceph_auth_none_destroy_authorizer, diff --git a/freed-ora/current/f18/config-debug b/freed-ora/current/f18/config-debug index 43655a1a1..ad06116c7 100644 --- a/freed-ora/current/f18/config-debug +++ b/freed-ora/current/f18/config-debug @@ -115,3 +115,5 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y CONFIG_MAC80211_MESSAGE_TRACING=y CONFIG_EDAC_DEBUG=y +CONFIG_LATENCYTOP=y +CONFIG_SCHEDSTATS=y diff --git a/freed-ora/current/f18/config-generic b/freed-ora/current/f18/config-generic index 3237222e7..4296d3d07 100644 --- a/freed-ora/current/f18/config-generic +++ b/freed-ora/current/f18/config-generic @@ -3959,7 +3959,6 @@ CONFIG_HWPOISON_INJECT=m CONFIG_CROSS_MEMORY_ATTACH=y # CONFIG_DEBUG_SECTION_MISMATCH is not set # CONFIG_BACKTRACE_SELF_TEST is not set -CONFIG_LATENCYTOP=y CONFIG_RESOURCE_COUNTERS=y # CONFIG_COMPAT_BRK is not set # CONFIG_DEBUG_VIRTUAL is not set 
@@ -4126,7 +4125,6 @@ CONFIG_BACKLIGHT_LP855X=m CONFIG_LCD_CLASS_DEVICE=m CONFIG_LCD_PLATFORM=m -CONFIG_SCHEDSTATS=y CONFIG_SCHED_DEBUG=y CONFIG_FAIR_GROUP_SCHED=y CONFIG_CFS_BANDWIDTH=y diff --git a/freed-ora/current/f18/config-nodebug b/freed-ora/current/f18/config-nodebug index aa7568c82..6db2dde22 100644 --- a/freed-ora/current/f18/config-nodebug +++ b/freed-ora/current/f18/config-nodebug @@ -117,3 +117,5 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y # CONFIG_EDAC_DEBUG is not set # CONFIG_SPI_DEBUG is not set +# CONFIG_LATENCYTOP is not set +# CONFIG_SCHEDSTATS is not set diff --git a/freed-ora/current/f18/fix-ext4-overflows.patch b/freed-ora/current/f18/fix-ext4-overflows.patch new file mode 100644 index 000000000..f2a08ebc8 --- /dev/null +++ b/freed-ora/current/f18/fix-ext4-overflows.patch 
@@ -0,0 +1,207 @@ +From 93f6b57df5d9dd8c0327cebc01f6c00dbcd6d2ff Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Fri, 31 May 2013 19:33:42 -0400 +Subject: [PATCH 1/4] ext4: fix data offset overflow on 32-bit archs in + ext4_inline_data_fiemap() + +On 32-bit archs when sector_t is defined as 32-bit the logic computing +data offset in ext4_inline_data_fiemap(). Fix that by properly typing +the shifted value. + +Signed-off-by: Jan Kara <jack@suse.cz> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +--- + fs/ext4/inline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index c0fd1a1..c46a01e 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1702,7 +1702,7 @@ int ext4_inline_data_fiemap(struct inode *inode, + if (error) + goto out; + +- physical = iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits; ++ physical = (__u64)iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits; + physical += (char *)ext4_raw_inode(&iloc) - iloc.bh->b_data; + physical += offsetof(struct ext4_inode, i_block); + length = i_size_read(inode); +-- +1.8.3.1 + + +From 4d2cedb535bae3ada76a335540657e948f99d9c0 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Fri, 31 May 2013 19:37:56 -0400 +Subject: [PATCH 2/4] ext4: fix overflows in SEEK_HOLE, SEEK_DATA + implementations + +ext4_lblk_t is just u32 so multiplying it by blocksize can easily +overflow for files larger than 4 GB. Fix that by properly typing the +block offsets before shifting. 
+ +Signed-off-by: Jan Kara <jack@suse.cz> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Reviewed-by: Zheng Liu <wenqing.lz@taobao.com> +--- + fs/ext4/file.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/fs/ext4/file.c b/fs/ext4/file.c +index 64848b5..b47ccf9 100644 +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -311,7 +311,7 @@ static int ext4_find_unwritten_pgoff(struct inode *inode, + blkbits = inode->i_sb->s_blocksize_bits; + startoff = *offset; + lastoff = startoff; +- endoff = (map->m_lblk + map->m_len) << blkbits; ++ endoff = (loff_t)(map->m_lblk + map->m_len) << blkbits; + + index = startoff >> PAGE_CACHE_SHIFT; + end = endoff >> PAGE_CACHE_SHIFT; +@@ -456,7 +456,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize) + ret = ext4_map_blocks(NULL, inode, &map, 0); + if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) { + if (last != start) +- dataoff = last << blkbits; ++ dataoff = (loff_t)last << blkbits; + break; + } + +@@ -467,7 +467,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize) + ext4_es_find_delayed_extent(inode, last, &es); + if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) { + if (last != start) +- dataoff = last << blkbits; ++ dataoff = (loff_t)last << blkbits; + break; + } + +@@ -485,7 +485,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize) + } + + last++; +- dataoff = last << blkbits; ++ dataoff = (loff_t)last << blkbits; + } while (last <= end); + + mutex_unlock(&inode->i_mutex); +@@ -539,7 +539,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize) + ret = ext4_map_blocks(NULL, inode, &map, 0); + if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) { + last += ret; +- holeoff = last << blkbits; ++ holeoff = (loff_t)last << blkbits; + continue; + } + +@@ -550,7 +550,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize) + 
ext4_es_find_delayed_extent(inode, last, &es); + if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) { + last = es.es_lblk + es.es_len; +- holeoff = last << blkbits; ++ holeoff = (loff_t)last << blkbits; + continue; + } + +@@ -565,7 +565,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize) + &map, &holeoff); + if (!unwritten) { + last += ret; +- holeoff = last << blkbits; ++ holeoff = (loff_t)last << blkbits; + continue; + } + } +-- +1.8.3.1 + + +From 114fe3b7fc9ca3ca00f774dd8705e8c802f39f14 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Fri, 31 May 2013 19:38:56 -0400 +Subject: [PATCH 3/4] ext4: fix data offset overflow in ext4_xattr_fiemap() on + 32-bit archs + +On 32-bit architectures with 32-bit sector_t computation of data offset +in ext4_xattr_fiemap() can overflow resulting in reporting bogus data +location. Fix the problem by typing block number to proper type before +shifting. + +Signed-off-by: Jan Kara <jack@suse.cz> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +--- + fs/ext4/extents.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 9c6d06d..6bb303c 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -4605,7 +4605,7 @@ static int ext4_xattr_fiemap(struct inode *inode, + error = ext4_get_inode_loc(inode, &iloc); + if (error) + return error; +- physical = iloc.bh->b_blocknr << blockbits; ++ physical = (__u64)iloc.bh->b_blocknr << blockbits; + offset = EXT4_GOOD_OLD_INODE_SIZE + + EXT4_I(inode)->i_extra_isize; + physical += offset; +@@ -4613,7 +4613,7 @@ static int ext4_xattr_fiemap(struct inode *inode, + flags |= FIEMAP_EXTENT_DATA_INLINE; + brelse(iloc.bh); + } else { /* external block */ +- physical = EXT4_I(inode)->i_file_acl << blockbits; ++ physical = (__u64)EXT4_I(inode)->i_file_acl << blockbits; + length = inode->i_sb->s_blocksize; + } + +-- +1.8.3.1 + + +From aeb72ff4b7fe084b4373d4a91d77d3bea8089627 Mon Sep 17 
00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Fri, 31 May 2013 19:39:56 -0400 +Subject: [PATCH 4/4] ext4: fix overflow when counting used blocks on 32-bit + architectures + +The arithmetics adding delalloc blocks to the number of used blocks in +ext4_getattr() can easily overflow on 32-bit archs as we first multiply +number of blocks by blocksize and then divide back by 512. Make the +arithmetics more clever and also use proper type (unsigned long long +instead of unsigned long). + +Signed-off-by: Jan Kara <jack@suse.cz> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +--- + fs/ext4/inode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index d69e954..e33e2d2 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4616,7 +4616,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry, + struct kstat *stat) + { + struct inode *inode; +- unsigned long delalloc_blocks; ++ unsigned long long delalloc_blocks; + + inode = dentry->d_inode; + generic_fillattr(inode, stat); +@@ -4634,7 +4634,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry, + delalloc_blocks = EXT4_C2B(EXT4_SB(inode->i_sb), + EXT4_I(inode)->i_reserved_data_blocks); + +- stat->blocks += (delalloc_blocks << inode->i_sb->s_blocksize_bits)>>9; ++ stat->blocks += delalloc_blocks << (inode->i_sb->s_blocksize_bits-9); + return 0; + } + +-- +1.8.3.1 + diff --git a/freed-ora/current/f18/iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch b/freed-ora/current/f18/iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch new file mode 100644 index 000000000..aa2ca7035 --- /dev/null +++ b/freed-ora/current/f18/iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch 
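Review bot: In the ext4_find_unwritten_pgoff hunk of the added fix-ext4-overflows.patch, the widening cast is applied to a sum that has already been computed: `endoff = (loff_t)(map->m_lblk + map->m_len) << blkbits;`. If both operands are 32-bit, as the patch description says of ext4_lblk_t, the addition can still wrap before the cast for an extent that ends at the top of the logical block range; `endoff = ((loff_t)map->m_lblk + map->m_len) << blkbits;` widens first. The type of m_len is not visible on this page, so confirm it against the struct definition before changing anything. The function body continues outside the hunk.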
@@ -0,0 +1,32 @@ +From 7b29fdb8cd8f92e31f550611a8c031986dba2e8f Mon Sep 17 00:00:00 2001 +From: Johannes Berg <johannes.berg@intel.com> +Date: Fri, 03 May 2013 16:58:16 +0000 +Subject: iwlwifi: dvm: don't send BT_CONFIG on devices w/o Bluetooth + +The BT_CONFIG command that is sent to the device during +startup will enable BT coex unless the module parameter +turns it off, but on devices without Bluetooth this may +cause problems, as reported in Redhat BZ 885407. + +Fix this by sending the BT_CONFIG command only when the +device has Bluetooth. + +Cc: stable@vger.kernel.org +Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> +Signed-off-by: Johannes Berg <johannes@sipsolutions.net> +--- +diff --git a/drivers/net/wireless/iwlwifi/dvm/main.c b/drivers/net/wireless/iwlwifi/dvm/main.c +index 3952ddf..1531a4f 100644 +--- a/drivers/net/wireless/iwlwifi/dvm/main.c ++++ b/drivers/net/wireless/iwlwifi/dvm/main.c +@@ -758,7 +758,7 @@ int iwl_alive_start(struct iwl_priv *priv) + BT_COEX_PRIO_TBL_EVT_INIT_CALIB2); + if (ret) + return ret; +- } else { ++ } else if (priv->cfg->bt_params) { + /* + * default is 2-wire BT coexexistence support + */ +-- +cgit v0.9.2 diff --git a/freed-ora/current/f18/kernel.spec b/freed-ora/current/f18/kernel.spec index a9356f64e..ae8ecf0ff 100644 --- a/freed-ora/current/f18/kernel.spec +++ b/freed-ora/current/f18/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 201 +%global baserelease 200 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -112,7 +112,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 9 +%define stable_update 10 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly 
@@ -824,12 +824,6 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch #CVE-2013-2148 rhbz 971258 971261 Patch25033: fanotify-info-leak-in-copy_event_to_user.patch -#CVE-2013-2851 rhbz 969515 971662 -Patch25035: block-do-not-pass-disk-names-as-format-strings.patch - -#CVE-2013-2164 rhbz 973100 973109 -Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch - #rhbz 969644 Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch @@ -858,9 +852,6 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch #CVE-2013-2234 rhbz 980995 981007 Patch25058: af_key-fix-info-leaks-in-notify-messages.patch -#CVE-2013-1059 rhbz 977356 980341 -Patch25059: ceph-fix.patch - #CVE-2013-2232 rhbz 981552 981564 Patch25060: ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch @@ -870,6 +861,12 @@ Patch25062: vhost-net-fix-use-after-free-in-vhost_net_flush.patch #rhbz 959721 Patch25063: HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch +#rhbz 885407 +Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch + +#rhbz 976837 +Patch25065: fix-ext4-overflows.patch + # END OF PATCH DEFINITIONS %endif @@ -1634,12 +1631,6 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch #CVE-2013-2148 rhbz 971258 971261 ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch -#CVE-2013-2851 rhbz 969515 971662 -ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch - -#CVE-2013-2164 rhbz 973100 973109 -ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch - #rhbz 969644 ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch @@ -1667,9 +1658,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch #CVE-2013-2234 rhbz 980995 981007 ApplyPatch af_key-fix-info-leaks-in-notify-messages.patch -#CVE-2013-1059 rhbz 977356 980341 -ApplyPatch ceph-fix.patch - #CVE-2013-2232 rhbz 981552 981564 ApplyPatch ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch 
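Review bot: The Patch25035, Patch25038 and Patch25059 entries and their ApplyPatch lines are removed (hunks at -824, -858, -1634 and -1667), which drops the fixes tagged CVE-2013-2851, CVE-2013-2164 and CVE-2013-1059, yet the new %changelog entries do not say why. Presumably the 3.9.10 stable update already contains these fixes, but nothing on this page confirms it. Once that is verified against the stable tree, a changelog line such as `- Drop block, cdrom and ceph CVE patches, now included in 3.9.10` would let an auditor trace where each fix lives.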
@@ -1679,6 +1667,12 @@ ApplyPatch vhost-net-fix-use-after-free-in-vhost_net_flush.patch #rhbz 959721 ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch +#rhbz 885407 +ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch + +#rhbz 976837 +ApplyPatch fix-ext4-overflows.patch + # END OF PATCH APPLICATIONS %endif @@ -2535,6 +2529,19 @@ fi # ||----w | # || || %changelog +* Sat Jul 13 2013 Alexandre Oliva <lxoliva@fsfla.org> -libre +- GNU Linux-libre 3.9.10-gnu. + +* Sat Jul 13 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.10-200 +- Linux v3.9.10 + +* Fri Jul 12 2013 Dave Jones <davej@redhat.com> - 3.9.9-203 +- Disable LATENCYTOP/SCHEDSTATS in non-debug builds. + +* Fri Jul 12 2013 Josh Boyer <jwboyer@redhat.com> +- Fix various overflow issues in ext4 (rhbz 976837) +- Add iwlwifi fix for connection issue (rhbz 885407) + * Fri Jul 05 2013 Josh Boyer <jwboyer@redhat.com> - Add report fixup for Genius Gila mouse from Benjamin Tissoires (rhbz 959721) - Add vhost-net use-after-free fix (rhbz 976789 980643) diff --git a/freed-ora/current/f18/patch-3.9-gnu-3.9.10-gnu.xz.sign b/freed-ora/current/f18/patch-3.9-gnu-3.9.10-gnu.xz.sign new file mode 100644 index 000000000..ce0aefe99 --- /dev/null +++ b/freed-ora/current/f18/patch-3.9-gnu-3.9.10-gnu.xz.sign @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.19 (GNU/Linux) + +iEYEABECAAYFAlHh0fcACgkQvLfPh359R6canQCffcaWxSTSrPWy23wvGPVNQTuY +XiIAoKbmshQrxXxnT1OEmtYQlyH+MBnD +=/AyX +-----END PGP SIGNATURE----- diff --git a/freed-ora/current/f18/patch-3.9-gnu-3.9.9-gnu.xz.sign b/freed-ora/current/f18/patch-3.9-gnu-3.9.9-gnu.xz.sign deleted file mode 100644 index 44bf22e97..000000000 --- a/freed-ora/current/f18/patch-3.9-gnu-3.9.9-gnu.xz.sign +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.19 (GNU/Linux) - -iEYEABECAAYFAlHWNawACgkQvLfPh359R6ecywCgolrCHDKIP0XXRIdqbgJ9eSMW -lbUAn1PTs9cmfcQBlStJn7qWVmpNX8u3 -=8pW9 ------END PGP SIGNATURE----- 
diff --git a/freed-ora/current/f18/sources b/freed-ora/current/f18/sources
index 65152aeeb..ae877c93a 100644
--- a/freed-ora/current/f18/sources
+++ b/freed-ora/current/f18/sources
@@ -1,2 +1,2 @@
 120df29f88622dabf7015a22c7cc8e25 linux-libre-3.9-gnu.tar.xz
-e143fc381f4d2fdfc18686b867a5e6a5 patch-3.9-gnu-3.9.9-gnu.xz
+b9e86ef0bfd3745bd2c7e55a7e6fa0d8 patch-3.9-gnu-3.9.10-gnu.xz
|