diff --git a/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch b/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
new file mode 100644
index 0000000..8c37954
--- /dev/null
+++ b/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
@@ -0,0 +1,42 @@
+From a0ac402cfcdc904f9772e1762b3fda112dcc56a0 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Tue, 6 Dec 2016 16:18:14 -0800
+Subject: [PATCH] Don't feed anything but regular iovec's to
+ blk_rq_map_user_iov
+
+In theory we could map other things, but there's a reason that function
+is called "user_iov". Using anything else (like splice can do) just
+confuses it.
+
+Reported-and-tested-by: Johannes Thumshirn
+Cc: Al Viro
+Signed-off-by: Linus Torvalds
+---
+ block/blk-map.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index b8657fa..27fd8d92 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -118,6 +118,9 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+ struct iov_iter i;
+ int ret;
+
+ if (!iter_is_iovec(iter))
+ goto fail;
+
+ if (map_data)
+ copy = true;
+ else if (iov_iter_alignment(iter) & align)
+@@ -140,6 +143,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+
+ unmap_rq:
+ __blk_rq_unmap_user(bio);
+fail:
+ rq->bio = NULL;
+ return -EINVAL;
+ }
+--
+2.9.3
+
diff --git a/kernel.spec b/kernel.spec
index 2d8325f..ff0b5d5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 12
+%define stable_update 13
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
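Review bot: The `iter_is_iovec()` guard added at the top of blk_rq_map_user_iov (first hunk of the vendored block/blk-map.c patch) carries no comment, so the reason for rejecting other iterator types lives only in the commit message; a line such as `/* only plain user iovecs can be mapped here; splice can hand us other iterator types */` above the check would keep it next to the code. The early `goto fail` skips `__blk_rq_unmap_user(bio)` and lands on `rq->bio = NULL; return -EINVAL;`, which looks correct because nothing has been mapped yet, but the function body starts and ends outside the hunk, so that should be confirmed against the full source. The diffstat shows only block/blk-map.c changing, so the rejection happens at the mapping layer alone. Since the changelog names the SCSI generic device interface as the affected path, it is worth checking whether its write handlers should also refuse non-user buffers before they reach this function.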
@@ -643,6 +643,9 @@ Patch857: 0001-packet-fix-race-condition-in-packet_set_ring.patch
 # CVE-2016-9793 rhbz 1402013 1402014
 Patch858: 0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
+# CVE-2016-9576 rhbz 1403145 1403146
+Patch859: 0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2165,6 +2168,10 @@ fi
 #
 #
 %changelog
+* Fri Dec 09 2016 Justin M. Forbes - 4.8.13-100
+- Linux v4.8.13
+- CVE-2016-9576 fix use after free in SCSI generic device interface (rhbz 1403145 1403146)
+
 * Wed Dec 07 2016 Laura Abbott
 - Disable CONFIG_AF_KCM (rhbz 1402489)
diff --git a/sources b/sources
index f4f05af..b175e7f 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 c1af0afbd3df35c1ccdc7a5118cd2d07 linux-4.8.tar.xz
 0dad03f586e835d538d3e0d2cbdb9a28 perf-man-4.8.tar.gz
-9a938fd7a82d8b390f957657947fe673 patch-4.8.12.xz
+bc208ac66340464839ee61a4621d9384 patch-4.8.13.xz