diff --git a/kernel.spec b/kernel.spec
index 07673d61f..8bbe22510 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -2317,7 +2317,10 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
-* Tue Oct 30 2012 Josh Boyer <jwboyer@gmail.com> - 3.7.0-0.rc3.git0.1
+* Tue Oct 30 2012 Josh Boyer <jwboyer@redhat.com>
+- Fix module blacklist patch to not leak a reference to the blacklist keyring
+
+* Tue Oct 30 2012 Josh Boyer <jwboyer@redhat.com> - 3.7.0-0.rc3.git0.1
 - Disable debugging options.
 - Linux v3.7-rc3
 - enable CONFIG_MEDIA_{USB,PCI}_SUPPORT (rhbz 870457)
diff --git a/secure-boot-20121026.patch b/secure-boot-20121026.patch
index 36ef7ba1d..1c5059431 100644
--- a/secure-boot-20121026.patch
+++ b/secure-boot-20121026.patch
@@ -1118,7 +1118,7 @@ index ea1b1df..602aa24 100644
 +	if (!IS_ERR(blacklist)) {
 +		/* module is signed with a cert in the blacklist.  reject */
 +		pr_err("Module key '%s' is in blacklist\n", id);
-+		/*key_put(blacklist);*/
++		key_ref_put(blacklist);
 +		kfree(id);
 +		return ERR_PTR(-EKEYREJECTED);
 +	}
@@ -1227,7 +1227,7 @@ index 0000000..049669d
 +#include <keys/asymmetric-type.h>
 +#include "module-internal.h"
 +
-+static void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
++static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
 +{
 +	efi_status_t status;
 +	unsigned long lsize = 4;