authorJosh Boyer <jwboyer@redhat.com>2013-06-17 08:28:32 -0400
committerJosh Boyer <jwboyer@redhat.com>2013-06-17 08:28:32 -0400
commit542e360438cf855ace303dd5d8112ee1e0651dd7 (patch)
tree4b8a2db50fca38e6c8a81b64b3b5163fd1b283e8
parent575de6c9a6d4f8210b41bbfa4e0f482da91d959b (diff)
Linux v3.10-rc6
-rw-r--r--0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch228
-rw-r--r--Modify-UEFI-anti-bricking-code.patch384
-rw-r--r--b43-stop-format-string-leaking-into-error-msgs.patch32
-rw-r--r--config-generic2
-rw-r--r--kernel.spec31
-rw-r--r--sources2
-rw-r--r--tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch26
-rw-r--r--vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch55
8 files changed, 6 insertions, 754 deletions
diff --git a/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch b/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
deleted file mode 100644
index 7197f7f7a..000000000
--- a/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
+++ /dev/null
@@ -1,228 +0,0 @@
-To fix /dev/kmsg, let's compare the existing interfaces and what they allow:
-
-- /proc/kmsg allows:
- - open (SYSLOG_ACTION_OPEN) if CAP_SYSLOG since it uses a destructive
- single-reader interface (SYSLOG_ACTION_READ).
- - everything, after an open.
-
-- syslog syscall allows:
- - anything, if CAP_SYSLOG.
- - SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER, if dmesg_restrict==0.
- - nothing else (EPERM).
-
-The use-cases were:
-- dmesg(1) needs to do non-destructive SYSLOG_ACTION_READ_ALLs.
-- sysklog(1) needs to open /proc/kmsg, drop privs, and still issue the
- destructive SYSLOG_ACTION_READs.
-
-AIUI, dmesg(1) is moving to /dev/kmsg, and systemd-journald doesn't
-clear the ring buffer.
-
-Based on the comments in devkmsg_llseek, it sounds like actions besides
-reading aren't going to be supported by /dev/kmsg (i.e. SYSLOG_ACTION_CLEAR),
-so we have a strict subset of the non-destructive syslog syscall actions.
-
-To this end, move the check as Josh had done, but also rename the constants
-to reflect their new uses (SYSLOG_FROM_CALL becomes SYSLOG_FROM_READER, and
-SYSLOG_FROM_FILE becomes SYSLOG_FROM_PROC). SYSLOG_FROM_READER allows
-non-destructive actions, and SYSLOG_FROM_PROC allows destructive actions
-after a capabilities-constrained SYSLOG_ACTION_OPEN check.
-
-- /dev/kmsg allows:
- - open if CAP_SYSLOG or dmesg_restrict==0
- - reading/polling, after open
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Reported-by: Christian Kujau <lists@nerdbynature.de>
-Cc: Josh Boyer <jwboyer@redhat.com>
-Cc: Kay Sievers <kay@vrfy.org>
-Cc: stable@vger.kernel.org
----
- fs/proc/kmsg.c | 10 +++---
- include/linux/syslog.h | 4 +--
- kernel/printk.c | 91 ++++++++++++++++++++++++++----------------------
- 3 files changed, 57 insertions(+), 48 deletions(-)
-
-diff --git a/fs/proc/kmsg.c b/fs/proc/kmsg.c
-index bd4b5a7..bdfabda 100644
---- a/fs/proc/kmsg.c
-+++ b/fs/proc/kmsg.c
-@@ -21,12 +21,12 @@ extern wait_queue_head_t log_wait;
-
- static int kmsg_open(struct inode * inode, struct file * file)
- {
-- return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_FILE);
-+ return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_PROC);
- }
-
- static int kmsg_release(struct inode * inode, struct file * file)
- {
-- (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_FILE);
-+ (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_PROC);
- return 0;
- }
-
-@@ -34,15 +34,15 @@ static ssize_t kmsg_read(struct file *file, char __user *buf,
- size_t count, loff_t *ppos)
- {
- if ((file->f_flags & O_NONBLOCK) &&
-- !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE))
-+ !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC))
- return -EAGAIN;
-- return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_FILE);
-+ return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_PROC);
- }
-
- static unsigned int kmsg_poll(struct file *file, poll_table *wait)
- {
- poll_wait(file, &log_wait, wait);
-- if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE))
-+ if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC))
- return POLLIN | POLLRDNORM;
- return 0;
- }
-diff --git a/include/linux/syslog.h b/include/linux/syslog.h
-index 3891139..98a3153 100644
---- a/include/linux/syslog.h
-+++ b/include/linux/syslog.h
-@@ -44,8 +44,8 @@
- /* Return size of the log buffer */
- #define SYSLOG_ACTION_SIZE_BUFFER 10
-
--#define SYSLOG_FROM_CALL 0
--#define SYSLOG_FROM_FILE 1
-+#define SYSLOG_FROM_READER 0
-+#define SYSLOG_FROM_PROC 1
-
- int do_syslog(int type, char __user *buf, int count, bool from_file);
-
-diff --git a/kernel/printk.c b/kernel/printk.c
-index abbdd9e..53b5c5e 100644
---- a/kernel/printk.c
-+++ b/kernel/printk.c
-@@ -368,6 +368,53 @@ static void log_store(int facility, int level,
- log_next_seq++;
- }
-
-+#ifdef CONFIG_SECURITY_DMESG_RESTRICT
-+int dmesg_restrict = 1;
-+#else
-+int dmesg_restrict;
-+#endif
-+
-+static int syslog_action_restricted(int type)
-+{
-+ if (dmesg_restrict)
-+ return 1;
-+ /*
-+ * Unless restricted, we allow "read all" and "get buffer size"
-+ * for everybody.
-+ */
-+ return type != SYSLOG_ACTION_READ_ALL &&
-+ type != SYSLOG_ACTION_SIZE_BUFFER;
-+}
-+
-+static int check_syslog_permissions(int type, bool from_file)
-+{
-+ /*
-+ * If this is from /proc/kmsg and we've already opened it, then we've
-+ * already done the capabilities checks at open time.
-+ */
-+ if (from_file && type != SYSLOG_ACTION_OPEN)
-+ return 0;
-+
-+ if (syslog_action_restricted(type)) {
-+ if (capable(CAP_SYSLOG))
-+ return 0;
-+ /*
-+ * For historical reasons, accept CAP_SYS_ADMIN too, with
-+ * a warning.
-+ */
-+ if (capable(CAP_SYS_ADMIN)) {
-+ printk_once(KERN_WARNING "%s (%d): "
-+ "Attempt to access syslog with CAP_SYS_ADMIN "
-+ "but no CAP_SYSLOG (deprecated).\n",
-+ current->comm, task_pid_nr(current));
-+ return 0;
-+ }
-+ return -EPERM;
-+ }
-+ return security_syslog(type);
-+}
-+
-+
- /* /dev/kmsg - userspace message inject/listen interface */
- struct devkmsg_user {
- u64 seq;
-@@ -624,7 +671,8 @@ static int devkmsg_open(struct inode *inode, struct file *file)
- if ((file->f_flags & O_ACCMODE) == O_WRONLY)
- return 0;
-
-- err = security_syslog(SYSLOG_ACTION_READ_ALL);
-+ err = check_syslog_permissions(SYSLOG_ACTION_READ_ALL,
-+ SYSLOG_FROM_READER);
- if (err)
- return err;
-
-@@ -817,45 +865,6 @@ static inline void boot_delay_msec(int level)
- }
- #endif
-
--#ifdef CONFIG_SECURITY_DMESG_RESTRICT
--int dmesg_restrict = 1;
--#else
--int dmesg_restrict;
--#endif
--
--static int syslog_action_restricted(int type)
--{
-- if (dmesg_restrict)
-- return 1;
-- /* Unless restricted, we allow "read all" and "get buffer size" for everybody */
-- return type != SYSLOG_ACTION_READ_ALL && type != SYSLOG_ACTION_SIZE_BUFFER;
--}
--
--static int check_syslog_permissions(int type, bool from_file)
--{
-- /*
-- * If this is from /proc/kmsg and we've already opened it, then we've
-- * already done the capabilities checks at open time.
-- */
-- if (from_file && type != SYSLOG_ACTION_OPEN)
-- return 0;
--
-- if (syslog_action_restricted(type)) {
-- if (capable(CAP_SYSLOG))
-- return 0;
-- /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
-- if (capable(CAP_SYS_ADMIN)) {
-- printk_once(KERN_WARNING "%s (%d): "
-- "Attempt to access syslog with CAP_SYS_ADMIN "
-- "but no CAP_SYSLOG (deprecated).\n",
-- current->comm, task_pid_nr(current));
-- return 0;
-- }
-- return -EPERM;
-- }
-- return 0;
--}
--
- #if defined(CONFIG_PRINTK_TIME)
- static bool printk_time = 1;
- #else
-@@ -1253,7 +1262,7 @@ out:
-
- SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len)
- {
-- return do_syslog(type, buf, len, SYSLOG_FROM_CALL);
-+ return do_syslog(type, buf, len, SYSLOG_FROM_READER);
- }
-
- /*
---
-1.7.9.5
-
-
---
-Kees Cook
-Chrome OS Security
diff --git a/Modify-UEFI-anti-bricking-code.patch b/Modify-UEFI-anti-bricking-code.patch
deleted file mode 100644
index 269359f40..000000000
--- a/Modify-UEFI-anti-bricking-code.patch
+++ /dev/null
@@ -1,384 +0,0 @@
-From: Matthew Garrett <matthew.garrett@nebula.com>
-To: rja@sgi.com
-Cc: mingo@kernel.org, torvalds@linux-foundation.org, bp@alien8.de,
- jkosina@suse.cz, jlee@suse.com, matt.fleming@intel.com,
- linux-efi@vger.kernel.org, x86@kernel.org,
- linux-kernel@vger.kernel.org, tglx@linutronix.de, hpa@linux.intel.com,
- akpm@linux-foundation.org,
- Matthew Garrett <matthew.garrett@nebula.com>
-Subject: [PATCH] Modify UEFI anti-bricking code
-Date: Sat, 1 Jun 2013 16:06:20 -0400
-Message-Id: <1370117180-1712-1-git-send-email-matthew.garrett@nebula.com>
-
-This patch reworks the UEFI anti-bricking code, including an effective
-reversion of cc5a080c and 31ff2f20. It turns out that calling
-QueryVariableInfo() from boot services results in some firmware
-implementations jumping to physical addresses even after entering virtual
-mode, so until we have 1:1 mappings for UEFI runtime space this isn't
-going to work so well.
-
-Reverting these gets us back to the situation where we'd refuse to create
-variables on some systems because they classify deleted variables as "used"
-until the firmware triggers a garbage collection run, which they won't do
-until they reach a lower threshold. This results in it being impossible to
-install a bootloader, which is unhelpful.
-
-Feedback from Samsung indicates that the firmware doesn't need more than
-5KB of storage space for its own purposes, so that seems like a reasonable
-threshold. However, there's still no guarantee that a platform will attempt
-garbage collection merely because it drops below this threshold. It seems
-that this is often only triggered if an attempt to write generates a
-genuine EFI_OUT_OF_RESOURCES error. We can force that by attempting to
-create a variable larger than the remaining space. This should fail, but if
-it somehow succeeds we can then immediately delete it.
-
-I've tested this on the UEFI machines I have available, but I don't have
-a Samsung and so can't verify that it avoids the bricking problem.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- arch/x86/boot/compressed/eboot.c | 47 ----------
- arch/x86/include/asm/efi.h | 7 --
- arch/x86/include/uapi/asm/bootparam.h | 1 -
- arch/x86/platform/efi/efi.c | 169 +++++++++-------------------------
- 4 files changed, 45 insertions(+), 179 deletions(-)
-
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 35ee62f..c205035 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -251,51 +251,6 @@ static void find_bits(unsigned long mask, u8 *pos, u8 *size)
- *size = len;
- }
-
--static efi_status_t setup_efi_vars(struct boot_params *params)
--{
-- struct setup_data *data;
-- struct efi_var_bootdata *efidata;
-- u64 store_size, remaining_size, var_size;
-- efi_status_t status;
--
-- if (sys_table->runtime->hdr.revision < EFI_2_00_SYSTEM_TABLE_REVISION)
-- return EFI_UNSUPPORTED;
--
-- data = (struct setup_data *)(unsigned long)params->hdr.setup_data;
--
-- while (data && data->next)
-- data = (struct setup_data *)(unsigned long)data->next;
--
-- status = efi_call_phys4((void *)sys_table->runtime->query_variable_info,
-- EFI_VARIABLE_NON_VOLATILE |
-- EFI_VARIABLE_BOOTSERVICE_ACCESS |
-- EFI_VARIABLE_RUNTIME_ACCESS, &store_size,
-- &remaining_size, &var_size);
--
-- if (status != EFI_SUCCESS)
-- return status;
--
-- status = efi_call_phys3(sys_table->boottime->allocate_pool,
-- EFI_LOADER_DATA, sizeof(*efidata), &efidata);
--
-- if (status != EFI_SUCCESS)
-- return status;
--
-- efidata->data.type = SETUP_EFI_VARS;
-- efidata->data.len = sizeof(struct efi_var_bootdata) -
-- sizeof(struct setup_data);
-- efidata->data.next = 0;
-- efidata->store_size = store_size;
-- efidata->remaining_size = remaining_size;
-- efidata->max_var_size = var_size;
--
-- if (data)
-- data->next = (unsigned long)efidata;
-- else
-- params->hdr.setup_data = (unsigned long)efidata;
--
--}
--
- static efi_status_t setup_efi_pci(struct boot_params *params)
- {
- efi_pci_io_protocol *pci;
-@@ -1202,8 +1157,6 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
-
- setup_graphics(boot_params);
-
-- setup_efi_vars(boot_params);
--
- setup_efi_pci(boot_params);
-
- status = efi_call_phys3(sys_table->boottime->allocate_pool,
-diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
-index 2fb5d58..60c89f3 100644
---- a/arch/x86/include/asm/efi.h
-+++ b/arch/x86/include/asm/efi.h
-@@ -102,13 +102,6 @@ extern void efi_call_phys_epilog(void);
- extern void efi_unmap_memmap(void);
- extern void efi_memory_uc(u64 addr, unsigned long size);
-
--struct efi_var_bootdata {
-- struct setup_data data;
-- u64 store_size;
-- u64 remaining_size;
-- u64 max_var_size;
--};
--
- #ifdef CONFIG_EFI
-
- static inline bool efi_is_native(void)
-diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index 0874424..c15ddaf 100644
---- a/arch/x86/include/uapi/asm/bootparam.h
-+++ b/arch/x86/include/uapi/asm/bootparam.h
-@@ -6,7 +6,6 @@
- #define SETUP_E820_EXT 1
- #define SETUP_DTB 2
- #define SETUP_PCI 3
--#define SETUP_EFI_VARS 4
-
- /* ram_size flags */
- #define RAMDISK_IMAGE_START_MASK 0x07FF
-diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
-index 82089d8..63e167a 100644
---- a/arch/x86/platform/efi/efi.c
-+++ b/arch/x86/platform/efi/efi.c
-@@ -42,7 +42,6 @@
- #include <linux/io.h>
- #include <linux/reboot.h>
- #include <linux/bcd.h>
--#include <linux/ucs2_string.h>
-
- #include <asm/setup.h>
- #include <asm/efi.h>
-@@ -54,13 +53,6 @@
-
- #define EFI_DEBUG 1
-
--/*
-- * There's some additional metadata associated with each
-- * variable. Intel's reference implementation is 60 bytes - bump that
-- * to account for potential alignment constraints
-- */
--#define VAR_METADATA_SIZE 64
--
- struct efi __read_mostly efi = {
- .mps = EFI_INVALID_TABLE_ADDR,
- .acpi = EFI_INVALID_TABLE_ADDR,
-@@ -79,13 +71,6 @@ struct efi_memory_map memmap;
- static struct efi efi_phys __initdata;
- static efi_system_table_t efi_systab __initdata;
-
--static u64 efi_var_store_size;
--static u64 efi_var_remaining_size;
--static u64 efi_var_max_var_size;
--static u64 boot_used_size;
--static u64 boot_var_size;
--static u64 active_size;
--
- unsigned long x86_efi_facility;
-
- /*
-@@ -188,53 +173,8 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size,
- efi_char16_t *name,
- efi_guid_t *vendor)
- {
-- efi_status_t status;
-- static bool finished = false;
-- static u64 var_size;
--
-- status = efi_call_virt3(get_next_variable,
-- name_size, name, vendor);
--
-- if (status == EFI_NOT_FOUND) {
-- finished = true;
-- if (var_size < boot_used_size) {
-- boot_var_size = boot_used_size - var_size;
-- active_size += boot_var_size;
-- } else {
-- printk(KERN_WARNING FW_BUG "efi: Inconsistent initial sizes\n");
-- }
-- }
--
-- if (boot_used_size && !finished) {
-- unsigned long size = 0;
-- u32 attr;
-- efi_status_t s;
-- void *tmp;
--
-- s = virt_efi_get_variable(name, vendor, &attr, &size, NULL);
--
-- if (s != EFI_BUFFER_TOO_SMALL || !size)
-- return status;
--
-- tmp = kmalloc(size, GFP_ATOMIC);
--
-- if (!tmp)
-- return status;
--
-- s = virt_efi_get_variable(name, vendor, &attr, &size, tmp);
--
-- if (s == EFI_SUCCESS && (attr & EFI_VARIABLE_NON_VOLATILE)) {
-- var_size += size;
-- var_size += ucs2_strsize(name, 1024);
-- active_size += size;
-- active_size += VAR_METADATA_SIZE;
-- active_size += ucs2_strsize(name, 1024);
-- }
--
-- kfree(tmp);
-- }
--
-- return status;
-+ return efi_call_virt3(get_next_variable,
-+ name_size, name, vendor);
- }
-
- static efi_status_t virt_efi_set_variable(efi_char16_t *name,
-@@ -243,34 +183,9 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name,
- unsigned long data_size,
- void *data)
- {
-- efi_status_t status;
-- u32 orig_attr = 0;
-- unsigned long orig_size = 0;
--
-- status = virt_efi_get_variable(name, vendor, &orig_attr, &orig_size,
-- NULL);
--
-- if (status != EFI_BUFFER_TOO_SMALL)
-- orig_size = 0;
--
-- status = efi_call_virt5(set_variable,
-- name, vendor, attr,
-- data_size, data);
--
-- if (status == EFI_SUCCESS) {
-- if (orig_size) {
-- active_size -= orig_size;
-- active_size -= ucs2_strsize(name, 1024);
-- active_size -= VAR_METADATA_SIZE;
-- }
-- if (data_size) {
-- active_size += data_size;
-- active_size += ucs2_strsize(name, 1024);
-- active_size += VAR_METADATA_SIZE;
-- }
-- }
--
-- return status;
-+ return efi_call_virt5(set_variable,
-+ name, vendor, attr,
-+ data_size, data);
- }
-
- static efi_status_t virt_efi_query_variable_info(u32 attr,
-@@ -786,9 +701,6 @@ void __init efi_init(void)
- char vendor[100] = "unknown";
- int i = 0;
- void *tmp;
-- struct setup_data *data;
-- struct efi_var_bootdata *efi_var_data;
-- u64 pa_data;
-
- #ifdef CONFIG_X86_32
- if (boot_params.efi_info.efi_systab_hi ||
-@@ -806,22 +718,6 @@ void __init efi_init(void)
- if (efi_systab_init(efi_phys.systab))
- return;
-
-- pa_data = boot_params.hdr.setup_data;
-- while (pa_data) {
-- data = early_ioremap(pa_data, sizeof(*efi_var_data));
-- if (data->type == SETUP_EFI_VARS) {
-- efi_var_data = (struct efi_var_bootdata *)data;
--
-- efi_var_store_size = efi_var_data->store_size;
-- efi_var_remaining_size = efi_var_data->remaining_size;
-- efi_var_max_var_size = efi_var_data->max_var_size;
-- }
-- pa_data = data->next;
-- early_iounmap(data, sizeof(*efi_var_data));
-- }
--
-- boot_used_size = efi_var_store_size - efi_var_remaining_size;
--
- set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility);
-
- /*
-@@ -1141,28 +1037,53 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size)
- if (status != EFI_SUCCESS)
- return status;
-
-- if (!max_size && remaining_size > size)
-- printk_once(KERN_ERR FW_BUG "Broken EFI implementation"
-- " is returning MaxVariableSize=0\n");
- /*
- * Some firmware implementations refuse to boot if there's insufficient
- * space in the variable store. We account for that by refusing the
- * write if permitting it would reduce the available space to under
-- * 50%. However, some firmware won't reclaim variable space until
-- * after the used (not merely the actively used) space drops below
-- * a threshold. We can approximate that case with the value calculated
-- * above. If both the firmware and our calculations indicate that the
-- * available space would drop below 50%, refuse the write.
-+ * 5KB. This figure was provided by Samsung, so should be safe.
- */
-+ if ((remaining_size - size < 5120) && !efi_no_storage_paranoia) {
-+ /*
-+ * Triggering garbage collection may require that the firmware
-+ * generate a real EFI_OUT_OF_RESOURCES error. We can force
-+ * that by attempting to use more space than is available.
-+ */
-+ unsigned long dummy_size = remaining_size + 1024;
-+ void *dummy = kmalloc(dummy_size, GFP_ATOMIC);
-+ efi_char16_t efi_name[6] = { 'D', 'U', 'M', 'M', 'Y', 0 };
-+ efi_guid_t guid = EFI_GUID(0x4424ac57, 0xbe4b, 0x47dd, 0x9e,
-+ 0x97, 0xed, 0x50, 0xf0, 0x9f, 0x92,
-+ 0xa9);
-+
-+ status = efi.set_variable(efi_name, &guid, attributes,
-+ dummy_size, dummy);
-+
-+ if (status == EFI_SUCCESS) {
-+ /*
-+ * This should have failed, so if it didn't make sure
-+ * that we delete it...
-+ */
-+ efi.set_variable(efi_name, &guid, attributes, 0,
-+ dummy);
-+ }
-
-- if (!storage_size || size > remaining_size ||
-- (max_size && size > max_size))
-- return EFI_OUT_OF_RESOURCES;
-+ /*
-+ * The runtime code may now have triggered a garbage collection
-+ * run, so check the variable info again
-+ */
-+ status = efi.query_variable_info(attributes, &storage_size,
-+ &remaining_size, &max_size);
-
-- if (!efi_no_storage_paranoia &&
-- ((active_size + size + VAR_METADATA_SIZE > storage_size / 2) &&
-- (remaining_size - size < storage_size / 2)))
-- return EFI_OUT_OF_RESOURCES;
-+ if (status != EFI_SUCCESS)
-+ return status;
-+
-+ /*
-+ * There still isn't enough room, so return an error
-+ */
-+ if (remaining_size - size < 5120)
-+ return EFI_OUT_OF_RESOURCES;
-+ }
-
- return EFI_SUCCESS;
- }
---
-1.8.1.4
-
---
-To unsubscribe from this list: send the line "unsubscribe linux-efi" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at http://vger.kernel.org/majordomo-info.html
-
diff --git a/b43-stop-format-string-leaking-into-error-msgs.patch b/b43-stop-format-string-leaking-into-error-msgs.patch
deleted file mode 100644
index 84249e5eb..000000000
--- a/b43-stop-format-string-leaking-into-error-msgs.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Fri, 10 May 2013 21:48:21 +0000
-Subject: b43: stop format string leaking into error msgs
-
-The module parameter "fwpostfix" is userspace controllable, unfiltered,
-and is used to define the firmware filename. b43_do_request_fw() populates
-ctx->errors[] on error, containing the firmware filename. b43err()
-parses its arguments as a format string. For systems with b43 hardware,
-this could lead to a uid-0 to ring-0 escalation.
-
-CVE-2013-2852
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: John W. Linville <linville@tuxdriver.com>
----
-diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
-index 6dd07e2..a95b77a 100644
---- a/drivers/net/wireless/b43/main.c
-+++ b/drivers/net/wireless/b43/main.c
-@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work)
- for (i = 0; i < B43_NR_FWTYPES; i++) {
- errmsg = ctx->errors[i];
- if (strlen(errmsg))
-- b43err(dev->wl, errmsg);
-+ b43err(dev->wl, "%s", errmsg);
- }
- b43_print_fw_helptext(dev->wl, 1);
- goto out;
---
-cgit v0.9.2
diff --git a/config-generic b/config-generic
index 7861b43ba..20b21d68c 100644
--- a/config-generic
+++ b/config-generic
@@ -1554,7 +1554,7 @@ CONFIG_ATH9K_DEBUGFS=y
CONFIG_ATH9K_HTC=m
CONFIG_ATH9K_BTCOEX_SUPPORT=y
# CONFIG_ATH9K_HTC_DEBUGFS is not set
-CONFIG_ATH9K_RATE_CONTROL=y
+# CONFIG_ATH9K_LEGACY_RATE_CONTROL is not set
CONFIG_WIL6210=m
CONFIG_WIL6210_ISR_COR=y
CONFIG_CARL9170=m
diff --git a/kernel.spec b/kernel.spec
index 71fe323da..398637404 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -93,7 +93,7 @@ Summary: The Linux kernel
# The next upstream release sublevel (base_sublevel+1)
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
# The rc snapshot level
-%define rcrev 5
+%define rcrev 6
# The git snapshot level
%define gitrev 0
# Set rpm version accordingly
@@ -744,9 +744,6 @@ Patch21242: criu-no-expert.patch
#rhbz 892811
Patch21247: ath9k_rx_dma_stop_check.patch
-#rhbz 903192
-Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
-
Patch22000: weird-root-dentry-name-debug.patch
#selinux ptrace child permissions
@@ -758,9 +755,6 @@ Patch23006: fix-child-thread-introspection.patch
#rhbz 948262
Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
-#rhbz 964335
-Patch25026: Modify-UEFI-anti-bricking-code.patch
-
#CVE-2013-2140 rhbz 971146 971148
Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch
@@ -770,19 +764,12 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch
#CVE-2013-2148 rhbz 971258 971261
Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
-#CVE-2013-2852 rhbz 969518 971665
-Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
-
#CVE-2013-2851 rhbz 969515 971662
Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
#CVE-2013-2164 rhbz 973100 973109
Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch
-#rhbz 954181
-Patch25039: vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch
-Patch25040: tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch
-
#rhbz 973185
Patch25041: x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch
Patch25042: x86-range-make-add_range-use-blank-slot.patch
@@ -1470,18 +1457,12 @@ ApplyPatch criu-no-expert.patch
#rhbz 892811
ApplyPatch ath9k_rx_dma_stop_check.patch
-#rhbz 903192
-ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
-
#rhbz 927469
ApplyPatch fix-child-thread-introspection.patch
#rhbz 948262
ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
-#rhbz 964335
-ApplyPatch Modify-UEFI-anti-bricking-code.patch
-
#CVE-2013-2140 rhbz 971146 971148
ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch
@@ -1491,19 +1472,12 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch
#CVE-2013-2148 rhbz 971258 971261
ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
-#CVE-2013-2852 rhbz 969518 971665
-ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
-
#CVE-2013-2851 rhbz 969515 971662
ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
#CVE-2013-2164 rhbz 973100 973109
ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch
-#rhbz 954181
-ApplyPatch vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch
-ApplyPatch tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch
-
#rhbz 973185
ApplyPatch x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch
ApplyPatch x86-range-make-add_range-use-blank-slot.patch
@@ -2310,6 +2284,9 @@ fi
# ||----w |
# || ||
%changelog
+* Mon Jun 17 2013 Josh Boyer <jwboyer@redhat.com> - 3.10.0-0.rc6.git0.1
+- Linux v3.10-rc6
+
* Fri Jun 14 2013 Kyle McMartin <kyle@redhat.com>
- ARM64 support (config-arm64)
Split out some config-armv7-generic options common between 32-bit and 64-bit
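Review bot: The new %changelog entry records only `- Linux v3.10-rc6`, yet the same commit stops applying five patches, one of them tagged `#CVE-2013-2852` (b43-stop-format-string-leaking-into-error-msgs.patch) and another adding the dmesg_restrict check to /dev/kmsg opens (rhbz 903192). Presumably all five are now contained in patch-3.10-rc6.xz, but nothing on the page shows that, so it is worth confirming each one against the rc6 tree before the build goes out. I would add a second changelog line such as `- Drop patches merged upstream (CVE-2013-2852 rhbz 969518 971665, rhbz 903192 964335 954181)`, so that anyone auditing the package for the CVE can see that the fix moved into the base tarball rather than being lost.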
diff --git a/sources b/sources
index c75c05d1c..35df96ad9 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz
-e421ee4d1379ba381bccc5c6bfe54385 patch-3.10-rc5.xz
+b364407a81f244408835c93ea3e23478 patch-3.10-rc6.xz
diff --git a/tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch b/tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch
deleted file mode 100644
index 75de6ccce..000000000
--- a/tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-tuntap: set SOCK_ZEROCOPY flag during open
-
-Commit 54f968d6efdbf7dec36faa44fc11f01b0e4d1990
-(tuntap: move socket to tun_file) forgets to set SOCK_ZEROCOPY flag, which will
-prevent vhost_net from doing zercopy w/ tap. This patch fixes this by setting
-it during file open.
-
-Cc: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-
----
-
-diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index 89776c5..ff5312d 100644
---- a/drivers/net/tun.c
-+++ b/drivers/net/tun.c
-@@ -2159,6 +2159,8 @@ static int tun_chr_open(struct inode *inode, struct file * file)
- set_bit(SOCK_EXTERNALLY_ALLOCATED, &tfile->socket.flags);
- INIT_LIST_HEAD(&tfile->next);
-
-+ sock_set_flag(&tfile->sk, SOCK_ZEROCOPY);
-+
- return 0;
- }
-
diff --git a/vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch b/vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch
deleted file mode 100644
index af1bc77de..000000000
--- a/vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 4364d5f96eed7994a2c625bd9216656e55fba0cb Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Wed, 05 Jun 2013 07:40:46 +0000
-Subject: vhost_net: clear msg.control for non-zerocopy case during tx
-
-When we decide not use zero-copy, msg.control should be set to NULL otherwise
-macvtap/tap may set zerocopy callbacks which may decrease the kref of ubufs
-wrongly.
-
-Bug were introduced by commit cedb9bdce099206290a2bdd02ce47a7b253b6a84
-(vhost-net: skip head management if no outstanding).
-
-This solves the following warnings:
-
-WARNING: at include/linux/kref.h:47 handle_tx+0x477/0x4b0 [vhost_net]()
-Modules linked in: vhost_net macvtap macvlan tun nfsd exportfs bridge stp llc openvswitch kvm_amd kvm bnx2 megaraid_sas [last unloaded: tun]
-CPU: 5 PID: 8670 Comm: vhost-8668 Not tainted 3.10.0-rc2+ #1566
-Hardware name: Dell Inc. PowerEdge R715/00XHKG, BIOS 1.5.2 04/19/2011
-ffffffffa0198323 ffff88007c9ebd08 ffffffff81796b73 ffff88007c9ebd48
-ffffffff8103d66b 000000007b773e20 ffff8800779f0000 ffff8800779f43f0
-ffff8800779f8418 000000000000015c 0000000000000062 ffff88007c9ebd58
-Call Trace:
-[<ffffffff81796b73>] dump_stack+0x19/0x1e
-[<ffffffff8103d66b>] warn_slowpath_common+0x6b/0xa0
-[<ffffffff8103d6b5>] warn_slowpath_null+0x15/0x20
-[<ffffffffa0197627>] handle_tx+0x477/0x4b0 [vhost_net]
-[<ffffffffa0197690>] handle_tx_kick+0x10/0x20 [vhost_net]
-[<ffffffffa019541e>] vhost_worker+0xfe/0x1a0 [vhost_net]
-[<ffffffffa0195320>] ? vhost_attach_cgroups_work+0x30/0x30 [vhost_net]
-[<ffffffffa0195320>] ? vhost_attach_cgroups_work+0x30/0x30 [vhost_net]
-[<ffffffff81061f46>] kthread+0xc6/0xd0
-[<ffffffff81061e80>] ? kthread_freezable_should_stop+0x70/0x70
-[<ffffffff817a1aec>] ret_from_fork+0x7c/0xb0
-[<ffffffff81061e80>] ? kthread_freezable_should_stop+0x70/0x70
-
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
-diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
-index 2b51e23..b07d96b 100644
---- a/drivers/vhost/net.c
-+++ b/drivers/vhost/net.c
-@@ -436,7 +436,8 @@ static void handle_tx(struct vhost_net *net)
- kref_get(&ubufs->kref);
- }
- nvq->upend_idx = (nvq->upend_idx + 1) % UIO_MAXIOV;
-- }
-+ } else
-+ msg.msg_control = NULL;
- /* TODO: Check specific error and bomb out unless ENOBUFS? */
- err = sock->ops->sendmsg(NULL, sock, &msg, len);
- if (unlikely(err < 0)) {
---
-cgit v0.9.2