Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux...

Pull security subsystem updates from James Morris:
 "Highlights:

   - PKCS#7 support added to support signed kexec, also utilized for
     module signing.  See comments in 3f1e1bea.

     ** NOTE: this requires linking against the OpenSSL library, which
        must be installed, e.g.  the openssl-devel on Fedora **

   - Smack
      - add IPv6 host labeling; ignore labels on kernel threads
      - support smack labeling mounts which use binary mount data

   - SELinux:
      - add ioctl whitelisting (see
        http://kernsec.org/files/lss2015/vanderstoep.pdf)
      - fix mprotect PROT_EXEC regression caused by mm change

   - Seccomp:
      - add ptrace options for suspend/resume"

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (57 commits)
  PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them
  Documentation/Changes: Now need OpenSSL devel packages for module signing
  scripts: add extract-cert and sign-file to .gitignore
  modsign: Handle signing key in source tree
  modsign: Use if_changed rule for extracting cert from module signing key
  Move certificate handling to its own directory
  sign-file: Fix warning about BIO_reset() return value
  PKCS#7: Add MODULE_LICENSE() to test module
  Smack - Fix build error with bringup unconfigured
  sign-file: Document dependency on OpenSSL devel libraries
  PKCS#7: Appropriately restrict authenticated attributes and content type
  KEYS: Add a name for PKEY_ID_PKCS7
  PKCS#7: Improve and export the X.509 ASN.1 time object decoder
  modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS
  extract-cert: Cope with multiple X.509 certificates in a single file
  sign-file: Generate CMS message as signature instead of PKCS#7
  PKCS#7: Support CMS messages also [RFC5652]
  X.509: Change recorded SKID & AKID to not include Subject or Issuer
  PKCS#7: Check content type and versions
  MAINTAINERS: The keyrings mailing list has moved
  ...

diff --combined MAINTAINERS
index 4d8c8e1,294dc59..6dfc224
--- 1/MAINTAINERS
--- 2/MAINTAINERS
+++ b/MAINTAINERS
@@@ -158,7 -158,6 +158,7 @@@ L: linux-wpan@vger.kernel.or
  S:    Maintained
  F:    net/6lowpan/
  F:    include/net/6lowpan.h
 +F:    Documentation/networking/6lowpan.txt
  
  6PACK NETWORK DRIVER FOR AX.25
  M:    Andreas Koensgen <ajk@comnets.uni-bremen.de>
@@@ -362,7 -361,7 +362,7 @@@ S: Supporte
  F:    drivers/input/touchscreen/ad7879.c
  
  ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR)
 -M:    Jiri Kosina <jkosina@suse.com>
 +M:    Jiri Kosina <jikos@kernel.org>
  S:    Maintained
  
  ADM1025 HARDWARE MONITOR DRIVER
@@@ -557,12 -556,6 +557,12 @@@ S:       Maintaine
  F:    Documentation/i2c/busses/i2c-ali1563
  F:    drivers/i2c/busses/i2c-ali1563.c
  
 +ALLWINNER SECURITY SYSTEM
 +M:    Corentin Labbe <clabbe.montjoie@gmail.com>
 +L:    linux-crypto@vger.kernel.org
 +S:    Maintained
 +F:    drivers/crypto/sunxi-ss/
 +
  ALPHA PORT
  M:    Richard Henderson <rth@twiddle.net>
  M:    Ivan Kokshaysky <ink@jurassic.park.msu.ru>
@@@ -643,14 -636,9 +643,14 @@@ M:       Oded Gabbay <oded.gabbay@gmail.com
  L:    dri-devel@lists.freedesktop.org
  T:    git git://people.freedesktop.org/~gabbayo/linux.git
  S:    Supported
 +F:    drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
 +F:    drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
 +F:    drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c
 +F:    drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v8.c
  F:    drivers/gpu/drm/amd/amdkfd/
  F:    drivers/gpu/drm/amd/include/cik_structs.h
  F:    drivers/gpu/drm/amd/include/kgd_kfd_interface.h
 +F:    drivers/gpu/drm/amd/include/vi_structs.h
  F:    drivers/gpu/drm/radeon/radeon_kfd.c
  F:    drivers/gpu/drm/radeon/radeon_kfd.h
  F:    include/uapi/linux/kfd_ioctl.h
@@@ -740,12 -728,6 +740,12 @@@ X:       drivers/iio/*/adjd
  F:    drivers/staging/iio/*/ad*
  F:    staging/iio/trigger/iio-trig-bfin-timer.c
  
 +ANALOG DEVICES INC DMA DRIVERS
 +M:    Lars-Peter Clausen <lars@metafoo.de>
 +W:    http://ez.analog.com/community/linux-device-drivers
 +S:    Supported
 +F:    drivers/dma/dma-axi-dmac.c
 +
  ANDROID DRIVERS
  M:    Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  M:    Arve Hjønnevåg <arve@android.com>
@@@ -764,7 -746,7 +764,7 @@@ S: Maintaine
  F:    sound/aoa/
  
  APM DRIVER
 -M:    Jiri Kosina <jkosina@suse.com>
 +M:    Jiri Kosina <jikos@kernel.org>
  S:    Odd fixes
  F:    arch/x86/kernel/apm_32.c
  F:    include/linux/apm_bios.h
@@@ -817,13 -799,11 +817,13 @@@ F:      arch/arm/include/asm/floppy.
  ARM PMU PROFILING AND DEBUGGING
  M:    Will Deacon <will.deacon@arm.com>
  S:    Maintained
 -F:    arch/arm/kernel/perf_event*
 +F:    arch/arm/kernel/perf_*
  F:    arch/arm/oprofile/common.c
 -F:    arch/arm/include/asm/pmu.h
  F:    arch/arm/kernel/hw_breakpoint.c
  F:    arch/arm/include/asm/hw_breakpoint.h
 +F:    arch/arm/include/asm/perf_event.h
 +F:    drivers/perf/arm_pmu.c
 +F:    include/linux/perf/arm_pmu.h
  
  ARM PORT
  M:    Russell King <linux@arm.linux.org.uk>
@@@ -947,7 -927,7 +947,7 @@@ M: Sunil Goutham <sgoutham@cavium.com
  M:    Robert Richter <rric@kernel.org>
  L:    linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
  S:    Supported
 -F:    drivers/net/ethernet/cavium/
 +F:    drivers/net/ethernet/cavium/thunder/
  
  ARM/CIRRUS LOGIC CLPS711X ARM ARCHITECTURE
  M:    Alexander Shiyan <shc_work@mail.ru>
@@@ -1485,7 -1465,9 +1485,7 @@@ F:      arch/arm/boot/dts/emev2
  F:    arch/arm/boot/dts/r7s*
  F:    arch/arm/boot/dts/r8a*
  F:    arch/arm/boot/dts/sh*
 -F:    arch/arm/configs/armadillo800eva_defconfig
  F:    arch/arm/configs/bockw_defconfig
 -F:    arch/arm/configs/kzm9g_defconfig
  F:    arch/arm/configs/marzen_defconfig
  F:    arch/arm/configs/shmobile_defconfig
  F:    arch/arm/include/debug/renesas-scif.S
@@@ -1522,10 -1504,8 +1522,10 @@@ S:    Maintaine
  F:    arch/arm/mach-sti/
  F:    arch/arm/boot/dts/sti*
  F:    drivers/clocksource/arm_global_timer.c
 +F:    drivers/clocksource/clksrc_st_lpc.c
  F:    drivers/i2c/busses/i2c-st.c
  F:    drivers/media/rc/st_rc.c
 +F:    drivers/media/platform/sti/c8sectpfe/
  F:    drivers/mmc/host/sdhci-st.c
  F:    drivers/phy/phy-miphy28lp.c
  F:    drivers/phy/phy-miphy365x.c
@@@ -1599,10 -1579,7 +1599,10 @@@ ARM/UNIPHIER ARCHITECTUR
  M:    Masahiro Yamada <yamada.masahiro@socionext.com>
  L:    linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
  S:    Maintained
 +F:    arch/arm/boot/dts/uniphier*
  F:    arch/arm/mach-uniphier/
 +F:    drivers/pinctrl/uniphier/
 +F:    drivers/tty/serial/8250/8250_uniphier.c
  N:    uniphier
  
  ARM/Ux500 ARM ARCHITECTURE
@@@ -1697,7 -1674,7 +1697,7 @@@ M:      Michal Simek <michal.simek@xilinx.co
  R:    Sören Brinkmann <soren.brinkmann@xilinx.com>
  L:    linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
  W:    http://wiki.xilinx.com
 -T:    git git://git.xilinx.com/linux-xlnx.git
 +T:    git https://github.com/Xilinx/linux-xlnx.git
  S:    Supported
  F:    arch/arm/mach-zynq/
  F:    drivers/cpuidle/cpuidle-zynq.c
@@@ -1938,14 -1915,6 +1938,14 @@@ W:    http://atmelwlandriver.sourceforge.n
  S:    Maintained
  F:    drivers/net/wireless/atmel*
  
 +ATMEL MAXTOUCH DRIVER
 +M:    Nick Dyer <nick.dyer@itdev.co.uk>
 +T:    git git://github.com/atmel-maxtouch/linux.git
 +S:    Supported
 +F:    Documentation/devicetree/bindings/input/atmel,maxtouch.txt
 +F:    drivers/input/touchscreen/atmel_mxt_ts.c
 +F:    include/linux/platform_data/atmel_mxt_ts.h
 +
  ATTO EXPRESSSAS SAS/SATA RAID SCSI DRIVER
  M:    Bradley Grove <linuxdrivers@attotech.com>
  L:    linux-scsi@vger.kernel.org
@@@ -2249,9 -2218,7 +2249,9 @@@ F:      drivers/clocksource/bcm_kona_timer.
  BROADCOM BCM2835 ARM ARCHITECTURE
  M:    Stephen Warren <swarren@wwwdotorg.org>
  M:    Lee Jones <lee@kernel.org>
 +M:    Eric Anholt <eric@anholt.net>
  L:    linux-rpi-kernel@lists.infradead.org (moderated for non-subscribers)
 +L:    linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
  T:    git git://git.kernel.org/pub/scm/linux/kernel/git/rpi/linux-rpi.git
  S:    Maintained
  N:    bcm2835
@@@ -2575,6 -2542,7 +2575,6 @@@ M:     Raghu Vatsavayi <raghu.vatsavayi
  L:     netdev@vger.kernel.org
  W:     http://www.cavium.com
  S:     Supported
 -F:     drivers/net/ethernet/cavium/
  F:     drivers/net/ethernet/cavium/liquidio/
  
  CC2520 IEEE-802.15.4 RADIO DRIVER
@@@ -2621,6 -2589,15 +2621,15 @@@ S:    Supporte
  F:    Documentation/filesystems/ceph.txt
  F:    fs/ceph/
  
+ CERTIFICATE HANDLING:
+ M:    David Howells <dhowells@redhat.com>
+ M:    David Woodhouse <dwmw2@infradead.org>
+ L:    keyrings@linux-nfs.org
+ S:    Maintained
+ F:    Documentation/module-signing.txt
+ F:    certs/
+ F:    scripts/extract-cert.c
+ 
  CERTIFIED WIRELESS USB (WUSB) SUBSYSTEM:
  L:    linux-usb@vger.kernel.org
  S:    Orphan
@@@ -3486,7 -3463,6 +3495,7 @@@ X:      Documentation/devicetree
  X:    Documentation/acpi
  X:    Documentation/power
  X:    Documentation/spi
 +X:    Documentation/DocBook/media
  T:    git git://git.lwn.net/linux-2.6.git docs-next
  
  DOUBLETALK DRIVER
@@@ -3583,15 -3559,6 +3592,15 @@@ F:    drivers/gpu/drm/exynos
  F:    include/drm/exynos*
  F:    include/uapi/drm/exynos*
  
 +DRM DRIVERS FOR FREESCALE DCU
 +M:    Jianwei Wang <jianwei.wang.chn@gmail.com>
 +M:    Alison Wang <alison.wang@freescale.com>
 +L:    dri-devel@lists.freedesktop.org
 +S:    Supported
 +F:    drivers/gpu/drm/fsl-dcu/
 +F:    Documentation/devicetree/bindings/video/fsl,dcu.txt
 +F:    Documentation/devicetree/bindings/panel/nec,nl4827hc19_05b.txt
 +
  DRM DRIVERS FOR FREESCALE IMX
  M:    Philipp Zabel <p.zabel@pengutronix.de>
  L:    dri-devel@lists.freedesktop.org
@@@ -3629,15 -3596,6 +3638,15 @@@ S:    Maintaine
  F:    drivers/gpu/drm/rockchip/
  F:    Documentation/devicetree/bindings/video/rockchip*
  
 +DRM DRIVERS FOR STI
 +M:    Benjamin Gaignard <benjamin.gaignard@linaro.org>
 +M:    Vincent Abriou <vincent.abriou@st.com>
 +L:    dri-devel@lists.freedesktop.org
 +T:    git http://git.linaro.org/people/benjamin.gaignard/kernel.git
 +S:    Maintained
 +F:    drivers/gpu/drm/sti
 +F:    Documentation/devicetree/bindings/gpu/st,stih4xx.txt
 +
  DSBR100 USB FM RADIO DRIVER
  M:    Alexey Klimov <klimov.linux@gmail.com>
  L:    linux-media@vger.kernel.org
@@@ -4110,6 -4068,15 +4119,6 @@@ F:     Documentation/filesystems/ext2.tx
  F:    fs/ext2/
  F:    include/linux/ext2*
  
 -EXT3 FILE SYSTEM
 -M:    Jan Kara <jack@suse.com>
 -M:    Andrew Morton <akpm@linux-foundation.org>
 -M:    Andreas Dilger <adilger.kernel@dilger.ca>
 -L:    linux-ext4@vger.kernel.org
 -S:    Maintained
 -F:    Documentation/filesystems/ext3.txt
 -F:    fs/ext3/
 -
  EXT4 FILE SYSTEM
  M:    "Theodore Ts'o" <tytso@mit.edu>
  M:    Andreas Dilger <adilger.kernel@dilger.ca>
@@@ -4287,7 -4254,7 +4296,7 @@@ S:      Maintaine
  F:    drivers/block/rsxx/
  
  FLOPPY DRIVER
 -M:    Jiri Kosina <jkosina@suse.com>
 +M:    Jiri Kosina <jikos@kernel.org>
  T:    git git://git.kernel.org/pub/scm/linux/kernel/git/jikos/floppy.git
  S:    Odd fixes
  F:    drivers/block/floppy.c
@@@ -4448,7 -4415,6 +4457,7 @@@ F:      include/linux/fscache*.
  F2FS FILE SYSTEM
  M:    Jaegeuk Kim <jaegeuk@kernel.org>
  M:    Changman Lee <cm224.lee@samsung.com>
 +R:    Chao Yu <chao2.yu@samsung.com>
  L:    linux-f2fs-devel@lists.sourceforge.net
  W:    http://en.wikipedia.org/wiki/F2FS
  T:    git git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
@@@ -4457,7 -4423,6 +4466,7 @@@ F:      Documentation/filesystems/f2fs.tx
  F:    Documentation/ABI/testing/sysfs-fs-f2fs
  F:    fs/f2fs/
  F:    include/linux/f2fs_fs.h
 +F:    include/trace/events/f2fs.h
  
  FUJITSU FR-V (FRV) PORT
  M:    David Howells <dhowells@redhat.com>
@@@ -4860,7 -4825,7 +4869,7 @@@ F:      include/linux/pm.
  F:    arch/*/include/asm/suspend*.h
  
  HID CORE LAYER
 -M:    Jiri Kosina <jkosina@suse.com>
 +M:    Jiri Kosina <jikos@kernel.org>
  L:    linux-input@vger.kernel.org
  T:    git git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid.git
  S:    Maintained
@@@ -4869,7 -4834,7 +4878,7 @@@ F:      include/linux/hid
  F:    include/uapi/linux/hid*
  
  HID SENSOR HUB DRIVERS
 -M:    Jiri Kosina <jkosina@suse.com>
 +M:    Jiri Kosina <jikos@kernel.org>
  M:    Jonathan Cameron <jic23@kernel.org>
  M:    Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
  L:    linux-input@vger.kernel.org
@@@ -5001,7 -4966,6 +5010,7 @@@ F:      drivers/scsi/storvsc_drv.
  F:    drivers/video/fbdev/hyperv_fb.c
  F:    include/linux/hyperv.h
  F:    tools/hv/
 +F:    Documentation/ABI/stable/sysfs-bus-vmbus
  
  I2C OVER PARALLEL PORT
  M:    Jean Delvare <jdelvare@suse.com>
@@@ -5112,21 -5076,9 +5121,21 @@@ T:    git git://git.kernel.org/pub/scm/lin
  S:    Maintained
  F:    arch/ia64/
  
 +IBM Power VMX Cryptographic instructions
 +M:    Leonidas S. Barbosa <leosilva@linux.vnet.ibm.com>
 +M:    Paulo Flabiano Smorigo <pfsmorigo@linux.vnet.ibm.com>
 +L:    linux-crypto@vger.kernel.org
 +S:    Supported
 +F:    drivers/crypto/vmx/Makefile
 +F:    drivers/crypto/vmx/Kconfig
 +F:    drivers/crypto/vmx/vmx.c
 +F:    drivers/crypto/vmx/aes*
 +F:    drivers/crypto/vmx/ghash*
 +F:    drivers/crypto/vmx/ppc-xlate.pl
 +
  IBM Power in-Nest Crypto Acceleration
 -M:    Marcelo Henrique Cerri <mhcerri@linux.vnet.ibm.com>
 -M:    Fionnuala Gunter <fin@linux.vnet.ibm.com>
 +M:    Leonidas S. Barbosa <leosilva@linux.vnet.ibm.com>
 +M:    Paulo Flabiano Smorigo <pfsmorigo@linux.vnet.ibm.com>
  L:    linux-crypto@vger.kernel.org
  S:    Supported
  F:    drivers/crypto/nx/Makefile
@@@ -5138,7 -5090,7 +5147,7 @@@ F:      drivers/crypto/nx/nx_csbcpb.
  F:    drivers/crypto/nx/nx_debugfs.h
  
  IBM Power 842 compression accelerator
 -M:    Dan Streetman <ddstreet@us.ibm.com>
 +M:    Dan Streetman <ddstreet@ieee.org>
  S:    Supported
  F:    drivers/crypto/nx/Makefile
  F:    drivers/crypto/nx/Kconfig
@@@ -5622,7 -5574,7 +5631,7 @@@ F:      include/uapi/linux/ip_vs.
  F:    net/netfilter/ipvs/
  
  IPWIRELESS DRIVER
 -M:    Jiri Kosina <jkosina@suse.com>
 +M:    Jiri Kosina <jikos@kernel.org>
  M:    David Sterba <dsterba@suse.com>
  S:    Odd Fixes
  F:    drivers/tty/ipwireless/
@@@ -5657,7 -5609,6 +5666,7 @@@ F:      kernel/irq
  IRQCHIP DRIVERS
  M:    Thomas Gleixner <tglx@linutronix.de>
  M:    Jason Cooper <jason@lakedaemon.net>
 +M:    Marc Zyngier <marc.zyngier@arm.com>
  L:    linux-kernel@vger.kernel.org
  S:    Maintained
  T:    git git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git irq/core
@@@ -5666,14 -5617,11 +5675,14 @@@ F:   Documentation/devicetree/bindings/in
  F:    drivers/irqchip/
  
  IRQ DOMAINS (IRQ NUMBER MAPPING LIBRARY)
 -M:    Benjamin Herrenschmidt <benh@kernel.crashing.org>
 +M:    Jiang Liu <jiang.liu@linux.intel.com>
 +M:    Marc Zyngier <marc.zyngier@arm.com>
  S:    Maintained
 +T:    git git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git irq/core
  F:    Documentation/IRQ-domain.txt
  F:    include/linux/irqdomain.h
  F:    kernel/irq/irqdomain.c
 +F:    kernel/irq/msi.c
  
  ISAPNP
  M:    Jaroslav Kysela <perex@perex.cz>
@@@ -5812,20 -5760,21 +5821,20 @@@ S:   Maintaine
  F:    fs/jffs2/
  F:    include/uapi/linux/jffs2.h
  
 -JOURNALLING LAYER FOR BLOCK DEVICES (JBD)
 -M:    Andrew Morton <akpm@linux-foundation.org>
 -M:    Jan Kara <jack@suse.com>
 -L:    linux-ext4@vger.kernel.org
 -S:    Maintained
 -F:    fs/jbd/
 -F:    include/linux/jbd.h
 -
  JOURNALLING LAYER FOR BLOCK DEVICES (JBD2)
  M:    "Theodore Ts'o" <tytso@mit.edu>
 +M:    Jan Kara <jack@suse.com>
  L:    linux-ext4@vger.kernel.org
  S:    Maintained
  F:    fs/jbd2/
  F:    include/linux/jbd2.h
  
 +JPU V4L2 MEM2MEM DRIVER FOR RENESAS
 +M:    Mikhail Ulyanov <mikhail.ulyanov@cogentembedded.com>
 +L:    linux-media@vger.kernel.org
 +S:    Maintained
 +F:    drivers/media/platform/rcar_jpu.c
 +
  JSM Neo PCI based serial card
  M:    Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
  L:    linux-serial@vger.kernel.org
@@@ -5896,7 -5845,6 +5905,7 @@@ S:      Odd Fixe
  
  KERNEL NFSD, SUNRPC, AND LOCKD SERVERS
  M:    "J. Bruce Fields" <bfields@fieldses.org>
 +M:    Jeff Layton <jlayton@poochiereds.net>
  L:    linux-nfs@vger.kernel.org
  W:    http://nfs.sourceforge.net/
  S:    Supported
@@@ -5953,12 -5901,14 +5962,12 @@@ F:   arch/powerpc/kvm
  KERNEL VIRTUAL MACHINE for s390 (KVM/s390)
  M:    Christian Borntraeger <borntraeger@de.ibm.com>
  M:    Cornelia Huck <cornelia.huck@de.ibm.com>
 -M:    linux390@de.ibm.com
  L:    linux-s390@vger.kernel.org
  W:    http://www.ibm.com/developerworks/linux/linux390/
  S:    Supported
  F:    Documentation/s390/kvm.txt
  F:    arch/s390/include/asm/kvm*
  F:    arch/s390/kvm/
 -F:    drivers/s390/kvm/
  
  KERNEL VIRTUAL MACHINE (KVM) FOR ARM
  M:    Christoffer Dall <christoffer.dall@linaro.org>
@@@ -5994,7 -5944,7 +6003,7 @@@ F:      kernel/kexec.
  
  KEYS/KEYRINGS:
  M:    David Howells <dhowells@redhat.com>
- L:    keyrings@linux-nfs.org
+ L:    keyrings@vger.kernel.org
  S:    Maintained
  F:    Documentation/security/keys.txt
  F:    include/linux/key.h
@@@ -6006,7 -5956,7 +6015,7 @@@ KEYS-TRUSTE
  M:    David Safford <safford@us.ibm.com>
  M:    Mimi Zohar <zohar@linux.vnet.ibm.com>
  L:    linux-security-module@vger.kernel.org
- L:    keyrings@linux-nfs.org
+ L:    keyrings@vger.kernel.org
  S:    Supported
  F:    Documentation/security/keys-trusted-encrypted.txt
  F:    include/keys/trusted-type.h
@@@ -6017,7 -5967,7 +6026,7 @@@ KEYS-ENCRYPTE
  M:    Mimi Zohar <zohar@linux.vnet.ibm.com>
  M:    David Safford <safford@us.ibm.com>
  L:    linux-security-module@vger.kernel.org
- L:    keyrings@linux-nfs.org
+ L:    keyrings@vger.kernel.org
  S:    Supported
  F:    Documentation/security/keys-trusted-encrypted.txt
  F:    include/keys/encrypted-type.h
@@@ -6087,10 -6037,11 +6096,10 @@@ F:   Documentation/scsi/53c700.tx
  F:    drivers/scsi/53c700*
  
  LED SUBSYSTEM
 -M:    Bryan Wu <cooloney@gmail.com>
  M:    Richard Purdie <rpurdie@rpsys.net>
  M:    Jacek Anaszewski <j.anaszewski@samsung.com>
  L:    linux-leds@vger.kernel.org
 -T:    git git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds.git
 +T:    git git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds.git
  S:    Maintained
  F:    drivers/leds/
  F:    include/linux/leds.h
@@@ -6310,7 -6261,7 +6319,7 @@@ F:      drivers/platform/x86/hp_accel.
  LIVE PATCHING
  M:    Josh Poimboeuf <jpoimboe@redhat.com>
  M:    Seth Jennings <sjenning@redhat.com>
 -M:    Jiri Kosina <jkosina@suse.com>
 +M:    Jiri Kosina <jikos@kernel.org>
  M:    Vojtech Pavlik <vojtech@suse.com>
  S:    Maintained
  F:    kernel/livepatch/
@@@ -6565,7 -6516,7 +6574,7 @@@ F:      drivers/net/ethernet/marvell/mvneta.
  
  MARVELL MWIFIEX WIRELESS DRIVER
  M:    Amitkumar Karwar <akarwar@marvell.com>
 -M:    Avinash Patil <patila@marvell.com>
 +M:    Nishant Sarmukadam <nishants@marvell.com>
  L:    linux-wireless@vger.kernel.org
  S:    Maintained
  F:    drivers/net/wireless/mwifiex/
@@@ -6594,13 -6545,6 +6603,13 @@@ S:    Maintaine
  F:    Documentation/hwmon/max16065
  F:    drivers/hwmon/max16065.c
  
 +MAX20751 HARDWARE MONITOR DRIVER
 +M:    Guenter Roeck <linux@roeck-us.net>
 +L:    lm-sensors@lm-sensors.org
 +S:    Maintained
 +F:    Documentation/hwmon/max20751
 +F:    drivers/hwmon/max20751.c
 +
  MAX6650 HARDWARE MONITOR AND FAN CONTROLLER DRIVER
  M:    "Hans J. Koch" <hjk@hansjkoch.de>
  L:    lm-sensors@lm-sensors.org
@@@ -6624,14 -6568,6 +6633,14 @@@ S:    Supporte
  F:    drivers/power/max14577_charger.c
  F:    drivers/power/max77693_charger.c
  
 +MAXIM MAX77802 MULTIFUNCTION PMIC DEVICE DRIVERS
 +M:    Javier Martinez Canillas <javier@osg.samsung.com>
 +L:    linux-kernel@vger.kernel.org
 +S:    Supported
 +F:    drivers/*/*max77802.c
 +F:    Documentation/devicetree/bindings/*/*max77802.txt
 +F:    include/dt-bindings/*/*max77802.h
 +
  MAXIM PMIC AND MUIC DRIVERS FOR EXYNOS BASED BOARDS
  M:    Chanwoo Choi <cw00.choi@samsung.com>
  M:    Krzysztof Kozlowski <k.kozlowski@samsung.com>
@@@ -6645,7 -6581,7 +6654,7 @@@ F:      drivers/extcon/extcon-max77693.
  F:    drivers/rtc/rtc-max77686.c
  F:    drivers/clk/clk-max77686.c
  F:    Documentation/devicetree/bindings/mfd/max14577.txt
 -F:    Documentation/devicetree/bindings/mfd/max77686.txt
 +F:    Documentation/devicetree/bindings/*/max77686.txt
  F:    Documentation/devicetree/bindings/mfd/max77693.txt
  F:    Documentation/devicetree/bindings/clock/maxim,max77686.txt
  F:    include/linux/mfd/max14577*.h
@@@ -6669,51 -6605,6 +6678,51 @@@ S:    Supporte
  F:    Documentation/devicetree/bindings/media/renesas,vsp1.txt
  F:    drivers/media/platform/vsp1/
  
 +MEDIA DRIVERS FOR ASCOT2E
 +M:    Sergey Kozlov <serjk@netup.ru>
 +L:    linux-media@vger.kernel.org
 +W:    http://linuxtv.org
 +W:    http://netup.tv/
 +T:    git git://linuxtv.org/media_tree.git
 +S:    Supported
 +F:    drivers/media/dvb-frontends/ascot2e*
 +
 +MEDIA DRIVERS FOR CXD2841ER
 +M:    Sergey Kozlov <serjk@netup.ru>
 +L:    linux-media@vger.kernel.org
 +W:    http://linuxtv.org/
 +W:    http://netup.tv/
 +T:    git git://linuxtv.org/media_tree.git
 +S:    Supported
 +F:    drivers/media/dvb-frontends/cxd2841er*
 +
 +MEDIA DRIVERS FOR HORUS3A
 +M:    Sergey Kozlov <serjk@netup.ru>
 +L:    linux-media@vger.kernel.org
 +W:    http://linuxtv.org/
 +W:    http://netup.tv/
 +T:    git git://linuxtv.org/media_tree.git
 +S:    Supported
 +F:    drivers/media/dvb-frontends/horus3a*
 +
 +MEDIA DRIVERS FOR LNBH25
 +M:    Sergey Kozlov <serjk@netup.ru>
 +L:    linux-media@vger.kernel.org
 +W:    http://linuxtv.org/
 +W:    http://netup.tv/
 +T:    git git://linuxtv.org/media_tree.git
 +S:    Supported
 +F:    drivers/media/dvb-frontends/lnbh25*
 +
 +MEDIA DRIVERS FOR NETUP PCI UNIVERSAL DVB devices
 +M:    Sergey Kozlov <serjk@netup.ru>
 +L:    linux-media@vger.kernel.org
 +W:    http://linuxtv.org/
 +W:    http://netup.tv/
 +T:    git git://linuxtv.org/media_tree.git
 +S:    Supported
 +F:    drivers/media/pci/netup_unidvb/*
 +
  MEDIA INPUT INFRASTRUCTURE (V4L/DVB)
  M:    Mauro Carvalho Chehab <mchehab@osg.samsung.com>
  P:    LinuxTV.org Project
@@@ -6763,15 -6654,6 +6772,15 @@@ W:    http://www.mellanox.co
  Q:    http://patchwork.ozlabs.org/project/netdev/list/
  F:    drivers/net/ethernet/mellanox/mlx4/en_*
  
 +MELLANOX ETHERNET SWITCH DRIVERS
 +M:    Jiri Pirko <jiri@mellanox.com>
 +M:    Ido Schimmel <idosch@mellanox.com>
 +L:    netdev@vger.kernel.org
 +S:    Supported
 +W:    http://www.mellanox.com
 +Q:    http://patchwork.ozlabs.org/project/netdev/list/
 +F:    drivers/net/ethernet/mellanox/mlxsw/
 +
  MEMORY MANAGEMENT
  L:    linux-mm@kvack.org
  W:    http://www.linux-mm.org
@@@ -6807,7 -6689,6 +6816,7 @@@ M:      Johannes Thumshirn <morbidrsa@gmail.
  S:    Maintained
  F:    drivers/mcb/
  F:    include/linux/mcb.h
 +F:    Documentation/men-chameleon-bus.txt
  
  MEN F21BMC (Board Management Controller)
  M:    Andreas Werner <andreas.werner@men.de>
@@@ -6967,12 -6848,6 +6976,12 @@@ T:    git git://linuxtv.org/anttip/media_t
  S:    Maintained
  F:    drivers/media/usb/msi2500/
  
 +MSYSTEMS DISKONCHIP G3 MTD DRIVER
 +M:    Robert Jarzmik <robert.jarzmik@free.fr>
 +L:    linux-mtd@lists.infradead.org
 +S:    Maintained
 +F:    drivers/mtd/devices/docg3*
 +
  MT9M032 APTINA SENSOR DRIVER
  M:    Laurent Pinchart <laurent.pinchart@ideasonboard.com>
  L:    linux-media@vger.kernel.org
@@@ -7413,15 -7288,6 +7422,15 @@@ S:    Supporte
  F:    drivers/block/nvme*
  F:    include/linux/nvme.h
  
 +NVMEM FRAMEWORK
 +M:    Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
 +M:    Maxime Ripard <maxime.ripard@free-electrons.com>
 +S:    Maintained
 +F:    drivers/nvmem/
 +F:    Documentation/devicetree/bindings/nvmem/
 +F:    include/linux/nvmem-consumer.h
 +F:    include/linux/nvmem-provider.h
 +
  NXP-NCI NFC DRIVER
  M:    Clément Perrochaud <clement.perrochaud@effinnov.com>
  R:    Charles Gorand <charles.gorand@effinnov.com>
@@@ -7659,9 -7525,8 +7668,9 @@@ F:      Documentation/i2c/busses/i2c-ocore
  F:    drivers/i2c/busses/i2c-ocores.c
  
  OPEN FIRMWARE AND FLATTENED DEVICE TREE
 -M:    Grant Likely <grant.likely@linaro.org>
  M:    Rob Herring <robh+dt@kernel.org>
 +M:    Frank Rowand <frowand.list@gmail.com>
 +M:    Grant Likely <grant.likely@linaro.org>
  L:    devicetree@vger.kernel.org
  W:    http://www.devicetree.org/
  T:    git git://git.kernel.org/pub/scm/linux/kernel/git/glikely/linux.git
@@@ -8134,6 -7999,7 +8143,6 @@@ F:      drivers/pinctrl/sh-pfc
  
  PIN CONTROLLER - SAMSUNG
  M:    Tomasz Figa <tomasz.figa@gmail.com>
 -M:    Thomas Abraham <thomas.abraham@linaro.org>
  L:    linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
  L:    linux-samsung-soc@vger.kernel.org (moderated for non-subscribers)
  S:    Maintained
@@@ -8148,7 -8014,7 +8157,7 @@@ S:      Maintaine
  F:    drivers/pinctrl/spear/
  
  PKTCDVD DRIVER
 -M:    Jiri Kosina <jkosina@suse.com>
 +M:    Jiri Kosina <jikos@kernel.org>
  S:    Maintained
  F:    drivers/block/pktcdvd.c
  F:    include/linux/pktcdvd.h
@@@ -8183,7 -8049,7 +8192,7 @@@ S:      Supporte
  F:    drivers/scsi/pmcraid.*
  
  PMC SIERRA PM8001 DRIVER
 -M:    xjtuwjp@gmail.com
 +M:    Jack Wang <jinpu.wang@profitbricks.com>
  M:    lindar_liu@usish.com
  L:    pmchba@pmcs.com
  L:    linux-scsi@vger.kernel.org
@@@ -8208,16 -8074,6 +8217,16 @@@ T:    git git://git.infradead.org/battery-
  S:    Maintained
  F:    include/linux/power_supply.h
  F:    drivers/power/
 +X:    drivers/power/avs/
 +
 +POWER STATE COORDINATION INTERFACE (PSCI)
 +M:    Mark Rutland <mark.rutland@arm.com>
 +M:    Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
 +L:    linux-arm-kernel@lists.infradead.org
 +S:    Maintained
 +F:    drivers/firmware/psci.c
 +F:    include/linux/psci.h
 +F:    include/uapi/linux/psci.h
  
  PNP SUPPORT
  M:    "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
@@@ -8616,7 -8472,7 +8625,7 @@@ M:      "Paul E. McKenney" <paulmck@linux.vn
  M:    Josh Triplett <josh@joshtriplett.org>
  R:    Steven Rostedt <rostedt@goodmis.org>
  R:    Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
 -R:    Lai Jiangshan <laijs@cn.fujitsu.com>
 +R:    Lai Jiangshan <jiangshanlai@gmail.com>
  L:    linux-kernel@vger.kernel.org
  S:    Supported
  T:    git git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu.git
@@@ -8643,7 -8499,7 +8652,7 @@@ M:      "Paul E. McKenney" <paulmck@linux.vn
  M:    Josh Triplett <josh@joshtriplett.org>
  R:    Steven Rostedt <rostedt@goodmis.org>
  R:    Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
 -R:    Lai Jiangshan <laijs@cn.fujitsu.com>
 +R:    Lai Jiangshan <jiangshanlai@gmail.com>
  L:    linux-kernel@vger.kernel.org
  W:    http://www.rdrop.com/users/paulmck/RCU/
  S:    Supported
@@@ -8708,7 -8564,6 +8717,7 @@@ M:      Philipp Zabel <p.zabel@pengutronix.d
  S:    Maintained
  F:    drivers/reset/
  F:    Documentation/devicetree/bindings/reset/
 +F:    include/dt-bindings/reset/
  F:    include/linux/reset.h
  F:    include/linux/reset-controller.h
  
@@@ -8843,6 -8698,7 +8852,6 @@@ F:      drivers/video/fbdev/savage
  S390
  M:    Martin Schwidefsky <schwidefsky@de.ibm.com>
  M:    Heiko Carstens <heiko.carstens@de.ibm.com>
 -M:    linux390@de.ibm.com
  L:    linux-s390@vger.kernel.org
  W:    http://www.ibm.com/developerworks/linux/linux390/
  S:    Supported
@@@ -8870,6 -8726,7 +8879,6 @@@ F:      block/partitions/ibm.
  
  S390 NETWORK DRIVERS
  M:    Ursula Braun <ursula.braun@de.ibm.com>
 -M:    linux390@de.ibm.com
  L:    linux-s390@vger.kernel.org
  W:    http://www.ibm.com/developerworks/linux/linux390/
  S:    Supported
@@@ -8886,6 -8743,7 +8895,6 @@@ F:      drivers/pci/hotplug/s390_pci_hpc.
  
  S390 ZCRYPT DRIVER
  M:    Ingo Tuchscherer <ingo.tuchscherer@de.ibm.com>
 -M:    linux390@de.ibm.com
  L:    linux-s390@vger.kernel.org
  W:    http://www.ibm.com/developerworks/linux/linux390/
  S:    Supported
@@@ -8893,6 -8751,7 +8902,6 @@@ F:      drivers/s390/crypto
  
  S390 ZFCP DRIVER
  M:    Steffen Maier <maier@linux.vnet.ibm.com>
 -M:    linux390@de.ibm.com
  L:    linux-s390@vger.kernel.org
  W:    http://www.ibm.com/developerworks/linux/linux390/
  S:    Supported
@@@ -8900,6 -8759,7 +8909,6 @@@ F:      drivers/s390/scsi/zfcp_
  
  S390 IUCV NETWORK LAYER
  M:    Ursula Braun <ursula.braun@de.ibm.com>
 -M:    linux390@de.ibm.com
  L:    linux-s390@vger.kernel.org
  W:    http://www.ibm.com/developerworks/linux/linux390/
  S:    Supported
@@@ -9002,12 -8862,6 +9011,12 @@@ L:    linux-media@vger.kernel.or
  S:    Supported
  F:    drivers/media/i2c/s5k5baf.c
  
 +SAMSUNG S3FWRN5 NFC DRIVER
 +M:    Robert Baldyga <r.baldyga@samsung.com>
 +L:    linux-nfc@lists.01.org (moderated for non-subscribers)
 +S:    Supported
 +F:    drivers/nfc/s3fwrn5
 +
  SAMSUNG SOC CLOCK DRIVERS
  M:    Sylwester Nawrocki <s.nawrocki@samsung.com>
  M:    Tomasz Figa <tomasz.figa@gmail.com>
@@@ -9058,13 -8912,6 +9067,13 @@@ F:    include/linux/dma/dw.
  F:    include/linux/platform_data/dma-dw.h
  F:    drivers/dma/dw/
  
 +SYNOPSYS DESIGNWARE ETHERNET QOS 4.10a driver
 +M: Lars Persson <lars.persson@axis.com>
 +L: netdev@vger.kernel.org
 +S: Supported
 +F: Documentation/devicetree/bindings/net/snps,dwc-qos-ethernet.txt
 +F: drivers/net/ethernet/synopsys/dwc_eth_qos.c
 +
  SYNOPSYS DESIGNWARE MMC/SD/SDIO DRIVER
  M:    Seungwon Jeon <tgih.jun@samsung.com>
  M:    Jaehoon Chung <jh80.chung@samsung.com>
@@@ -9264,6 -9111,12 +9273,12 @@@ T:    git git://git.kernel.org/pub/scm/lin
  S:    Supported
  F:    security/apparmor/
  
+ YAMA SECURITY MODULE
+ M:    Kees Cook <keescook@chromium.org>
+ T:    git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git yama/tip
+ S:    Supported
+ F:    security/yama/
+ 
  SENSABLE PHANTOM
  M:    Jiri Slaby <jirislaby@gmail.com>
  S:    Maintained
@@@ -9481,15 -9334,6 +9496,15 @@@ S:    Maintaine
  F:    drivers/media/i2c/ov2659.c
  F:    include/media/ov2659.h
  
 +SILICON MOTION SM712 FRAME BUFFER DRIVER
 +M:    Sudip Mukherjee <sudipm.mukherjee@gmail.com>
 +M:    Teddy Wang <teddy.wang@siliconmotion.com>
 +M:    Sudip Mukherjee <sudip@vectorindia.org>
 +L:    linux-fbdev@vger.kernel.org
 +S:    Maintained
 +F:    drivers/video/fbdev/sm712*
 +F:    Documentation/fb/sm712fb.txt
 +
  SIS 190 ETHERNET DRIVER
  M:    Francois Romieu <romieu@fr.zoreil.com>
  L:    netdev@vger.kernel.org
@@@ -9529,7 -9373,7 +9544,7 @@@ F:      include/linux/sl?b*.
  F:    mm/sl?b*
  
  SLEEPABLE READ-COPY UPDATE (SRCU)
 -M:    Lai Jiangshan <laijs@cn.fujitsu.com>
 +M:    Lai Jiangshan <jiangshanlai@gmail.com>
  M:    "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
  M:    Josh Triplett <josh@joshtriplett.org>
  R:    Steven Rostedt <rostedt@goodmis.org>
@@@ -9887,6 -9731,11 +9902,6 @@@ W:     http://wiki.laptop.org/go/DCO
  S:    Maintained
  F:    drivers/staging/olpc_dcon/
  
 -STAGING - OZMO DEVICES USB OVER WIFI DRIVER
 -M:    Shigekatsu Tateno <shigekatsu.tateno@atmel.com>
 -S:    Maintained
 -F:    drivers/staging/ozwpan/
 -
  STAGING - PARALLEL LCD/KEYPAD PANEL DRIVER
  M:    Willy Tarreau <willy@meta-x.org>
  S:    Odd Fixes
@@@ -9905,6 -9754,14 +9920,6 @@@ L:     linux-wireless@vger.kernel.or
  S:    Maintained
  F:    drivers/staging/rtl8723au/
  
 -STAGING - SILICON MOTION SM7XX FRAME BUFFER DRIVER
 -M:    Sudip Mukherjee <sudipm.mukherjee@gmail.com>
 -M:    Teddy Wang <teddy.wang@siliconmotion.com>
 -M:    Sudip Mukherjee <sudip@vectorindia.org>
 -L:    linux-fbdev@vger.kernel.org
 -S:    Maintained
 -F:    drivers/staging/sm7xxfb/
 -
  STAGING - SILICON MOTION SM750 FRAME BUFFER DRIVER
  M:    Sudip Mukherjee <sudipm.mukherjee@gmail.com>
  M:    Teddy Wang <teddy.wang@siliconmotion.com>
@@@ -10023,9 -9880,8 +10038,9 @@@ SYNOPSYS ARC ARCHITECTUR
  M:    Vineet Gupta <vgupta@synopsys.com>
  S:    Supported
  F:    arch/arc/
 -F:    Documentation/devicetree/bindings/arc/
 +F:    Documentation/devicetree/bindings/arc/*
  F:    drivers/tty/serial/arc_uart.c
 +T:    git git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc.git
  
  SYNOPSYS ARC SDP platform support
  M:    Alexey Brodkin <abrodkin@synopsys.com>
@@@ -10480,13 -10336,6 +10495,13 @@@ F: drivers/char/toshiba.
  F:    include/linux/toshiba.h
  F:    include/uapi/linux/toshiba.h
  
 +TOSHIBA TC358743 DRIVER
 +M:    Mats Randgaard <matrandg@cisco.com>
 +L:    linux-media@vger.kernel.org
 +S:    Maintained
 +F:    drivers/media/i2c/tc358743*
 +F:    include/media/tc358743.h
 +
  TMIO MMC DRIVER
  M:    Ian Molton <ian@mnementh.co.uk>
  L:    linux-mmc@vger.kernel.org
@@@ -10783,7 -10632,7 +10798,7 @@@ F:   drivers/usb/gadget
  F:    include/linux/usb/gadget*
  
  USB HID/HIDBP DRIVERS (USB KEYBOARDS, MICE, REMOTE CONTROLS, ...)
 -M:    Jiri Kosina <jkosina@suse.com>
 +M:    Jiri Kosina <jikos@kernel.org>
  L:    linux-usb@vger.kernel.org
  T:    git git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid.git
  S:    Maintained
@@@ -11062,15 -10911,6 +11077,15 @@@ F: drivers/block/virtio_blk.
  F:    include/linux/virtio_*.h
  F:    include/uapi/linux/virtio_*.h
  
 +VIRTIO DRIVERS FOR S390
 +M:    Christian Borntraeger <borntraeger@de.ibm.com>
 +M:    Cornelia Huck <cornelia.huck@de.ibm.com>
 +L:    linux-s390@vger.kernel.org
 +L:    virtualization@lists.linux-foundation.org
 +L:    kvm@vger.kernel.org
 +S:    Supported
 +F:    drivers/s390/virtio/
 +
  VIRTIO GPU DRIVER
  M:    David Airlie <airlied@linux.ie>
  M:    Gerd Hoffmann <kraxel@redhat.com>
@@@ -11178,7 -11018,7 +11193,7 @@@ F:   drivers/input/mouse/vmmouse.
  F:    drivers/input/mouse/vmmouse.h
  
  VMWARE VMXNET3 ETHERNET DRIVER
 -M:    Shreyas Bhatewara <sbhatewara@vmware.com>
 +M:    Shrikrishna Khare <skhare@vmware.com>
  M:    "VMware, Inc." <pv-drivers@vmware.com>
  L:    netdev@vger.kernel.org
  S:    Maintained
@@@ -11203,14 -11043,6 +11218,14 @@@ S: Supporte
  F:    drivers/regulator/
  F:    include/linux/regulator/
  
 +VRF
 +M:    David Ahern <dsa@cumulusnetworks.com>
 +M:    Shrijeet Mukherjee <shm@cumulusnetworks.com>
 +L:    netdev@vger.kernel.org
 +S:    Maintained
 +F:    drivers/net/vrf.c
 +F:    include/net/vrf.h
 +
  VT1211 HARDWARE MONITOR DRIVER
  M:    Juerg Haefliger <juergh@gmail.com>
  L:    lm-sensors@lm-sensors.org
@@@ -11366,7 -11198,6 +11381,7 @@@ F:   sound/soc/codecs/wm
  
  WORKQUEUE
  M:    Tejun Heo <tj@kernel.org>
 +R:    Lai Jiangshan <jiangshanlai@gmail.com>
  T:    git git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq.git
  S:    Maintained
  F:    include/linux/workqueue.h

diff --combined Makefile
index c361593,7c90dda..d67856e
--- 1/Makefile
--- 2/Makefile
+++ b/Makefile
@@@ -1,7 -1,7 +1,7 @@@
  VERSION = 4
  PATCHLEVEL = 2
  SUBLEVEL = 0
 -EXTRAVERSION = -rc3
 +EXTRAVERSION =
  NAME = Hurr durr I'ma sheep
  
  # *DOCUMENTATION*
@@@ -597,11 -597,6 +597,11 @@@ endif # $(dot-config
  # Defaults to vmlinux, but the arch makefile usually adds further targets
  all: vmlinux
  
 +# The arch Makefile can set ARCH_{CPP,A,C}FLAGS to override the default
 +# values of the respective KBUILD_* variables
 +ARCH_CPPFLAGS :=
 +ARCH_AFLAGS :=
 +ARCH_CFLAGS :=
  include arch/$(SRCARCH)/Makefile
  
  KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,)
@@@ -853,10 -848,10 +853,10 @@@ export mod_strip_cm
  mod_compress_cmd = true
  ifdef CONFIG_MODULE_COMPRESS
    ifdef CONFIG_MODULE_COMPRESS_GZIP
 -    mod_compress_cmd = gzip -n
 +    mod_compress_cmd = gzip -n -f
    endif # CONFIG_MODULE_COMPRESS_GZIP
    ifdef CONFIG_MODULE_COMPRESS_XZ
 -    mod_compress_cmd = xz
 +    mod_compress_cmd = xz -f
    endif # CONFIG_MODULE_COMPRESS_XZ
  endif # CONFIG_MODULE_COMPRESS
  export mod_compress_cmd
@@@ -875,10 -870,9 +875,9 @@@ INITRD_COMPRESS-$(CONFIG_RD_LZ4)   := l
  # export INITRD_COMPRESS := $(INITRD_COMPRESS-y)
  
  ifdef CONFIG_MODULE_SIG_ALL
- MODSECKEY = ./signing_key.priv
- MODPUBKEY = ./signing_key.x509
- export MODPUBKEY
- mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
+ $(eval $(call config_filename,MODULE_SIG_KEY))
+ 
+ mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY) certs/signing_key.x509
  else
  mod_sign_cmd = true
  endif
@@@ -886,7 -880,7 +885,7 @@@ export mod_sign_cm
  
  
  ifeq ($(KBUILD_EXTMOD),)
- core-y                += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
+ core-y                += kernel/ certs/ mm/ fs/ ipc/ security/ crypto/ block/
  
  vmlinux-dirs  := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
                     $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
@@@ -1178,8 -1172,8 +1177,8 @@@ MRPROPER_DIRS  += include/config usr/in
                  arch/*/include/generated .tmp_objdiff
  MRPROPER_FILES += .config .config.old .version .old_version \
                  Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
-                 signing_key.priv signing_key.x509 x509.genkey         \
-                 extra_certificates signing_key.x509.keyid             \
+                 signing_key.pem signing_key.priv signing_key.x509     \
+                 x509.genkey extra_certificates signing_key.x509.keyid \
                  signing_key.x509.signer vmlinux-gdb.py
  
  # clean - Delete most, but leave enough to build external modules

diff --combined arch/x86/kernel/kexec-bzimage64.c
index 961e51e,fab22e7..0f8a6bb
--- 1/arch/x86/kernel/kexec-bzimage64.c
--- 2/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@@ -223,6 -223,9 +223,6 @@@ setup_boot_parameters(struct kimage *im
        memset(&params->hd0_info, 0, sizeof(params->hd0_info));
        memset(&params->hd1_info, 0, sizeof(params->hd1_info));
  
 -      /* Default sysdesc table */
 -      params->sys_desc_table.length = 0;
 -
        if (image->type == KEXEC_TYPE_CRASH) {
                ret = crash_setup_memmap_entries(image, params);
                if (ret)
@@@ -533,7 -536,9 +533,9 @@@ static int bzImage64_verify_sig(const c
        int ret;
  
        ret = verify_pefile_signature(kernel, kernel_len,
-                                     system_trusted_keyring, &trusted);
+                                     system_trusted_keyring,
+                                     VERIFYING_KEXEC_PE_SIGNATURE,
+                                     &trusted);
        if (ret < 0)
                return ret;
        if (!trusted)

diff --combined crypto/Kconfig
index b582ea7,51b01de..48ee3e1
--- 1/crypto/Kconfig
--- 2/crypto/Kconfig
+++ b/crypto/Kconfig
@@@ -48,8 -48,6 +48,8 @@@ config CRYPTO_AEA
  config CRYPTO_AEAD2
        tristate
        select CRYPTO_ALGAPI2
 +      select CRYPTO_NULL2
 +      select CRYPTO_RNG2
  
  config CRYPTO_BLKCIPHER
        tristate
@@@ -152,16 -150,12 +152,16 @@@ config CRYPTO_GF128MU
  
  config CRYPTO_NULL
        tristate "Null algorithms"
 -      select CRYPTO_ALGAPI
 -      select CRYPTO_BLKCIPHER
 -      select CRYPTO_HASH
 +      select CRYPTO_NULL2
        help
          These are 'Null' algorithms, used by IPsec, which do nothing.
  
 +config CRYPTO_NULL2
 +      tristate
 +      select CRYPTO_ALGAPI2
 +      select CRYPTO_BLKCIPHER2
 +      select CRYPTO_HASH2
 +
  config CRYPTO_PCRYPT
        tristate "Parallel crypto engine"
        depends on SMP
@@@ -206,7 -200,6 +206,7 @@@ config CRYPTO_AUTHEN
        select CRYPTO_BLKCIPHER
        select CRYPTO_MANAGER
        select CRYPTO_HASH
 +      select CRYPTO_NULL
        help
          Authenc: Combined mode wrapper for IPsec.
          This is required for IPSec.
@@@ -477,18 -470,6 +477,18 @@@ config CRYPTO_POLY130
          It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
          in IETF protocols. This is the portable C implementation of Poly1305.
  
 +config CRYPTO_POLY1305_X86_64
 +      tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
 +      depends on X86 && 64BIT
 +      select CRYPTO_POLY1305
 +      help
 +        Poly1305 authenticator algorithm, RFC7539.
 +
 +        Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
 +        It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
 +        in IETF protocols. This is the x86_64 assembler implementation using SIMD
 +        instructions.
 +
  config CRYPTO_MD4
        tristate "MD4 digest algorithm"
        select CRYPTO_HASH
@@@ -1232,21 -1213,6 +1232,21 @@@ config CRYPTO_CHACHA2
          See also:
          <http://cr.yp.to/chacha/chacha-20080128.pdf>
  
 +config CRYPTO_CHACHA20_X86_64
 +      tristate "ChaCha20 cipher algorithm (x86_64/SSSE3/AVX2)"
 +      depends on X86 && 64BIT
 +      select CRYPTO_BLKCIPHER
 +      select CRYPTO_CHACHA20
 +      help
 +        ChaCha20 cipher algorithm, RFC7539.
 +
 +        ChaCha20 is a 256-bit high-speed stream cipher designed by Daniel J.
 +        Bernstein and further specified in RFC7539 for use in IETF protocols.
 +        This is the x86_64 assembler implementation using SIMD instructions.
 +
 +        See also:
 +        <http://cr.yp.to/chacha/chacha-20080128.pdf>
 +
  config CRYPTO_SEED
        tristate "SEED cipher algorithm"
        select CRYPTO_ALGAPI
@@@ -1635,5 -1601,6 +1635,6 @@@ config CRYPTO_HASH_INF
  
  source "drivers/crypto/Kconfig"
  source crypto/asymmetric_keys/Kconfig
+ source certs/Kconfig
  
  endif # if CRYPTO

diff --combined init/Kconfig
index 9cabd86,5526dfa..02da9f1
--- 1/init/Kconfig
--- 2/init/Kconfig
+++ b/init/Kconfig
@@@ -538,6 -538,15 +538,6 @@@ config RCU_STALL_COMMO
  config CONTEXT_TRACKING
         bool
  
 -config RCU_USER_QS
 -      bool
 -      help
 -        This option sets hooks on kernel / userspace boundaries and
 -        puts RCU in extended quiescent state when the CPU runs in
 -        userspace. It means that when a CPU runs in userspace, it is
 -        excluded from the global RCU state machine and thus doesn't
 -        try to keep the timer tick on for RCU.
 -
  config CONTEXT_TRACKING_FORCE
        bool "Force context tracking"
        depends on CONTEXT_TRACKING
@@@ -698,7 -707,6 +698,7 @@@ config RCU_BOOST_DELA
  config RCU_NOCB_CPU
        bool "Offload RCU callback processing from boot-selected CPUs"
        depends on TREE_RCU || PREEMPT_RCU
 +      depends on RCU_EXPERT || NO_HZ_FULL
        default n
        help
          Use this option to reduce OS jitter for aggressive HPC or
@@@ -882,16 -890,6 +882,16 @@@ config GENERIC_SCHED_CLOC
  config ARCH_SUPPORTS_NUMA_BALANCING
        bool
  
 +#
 +# For architectures that prefer to flush all TLBs after a number of pages
 +# are unmapped instead of sending one IPI per page to flush. The architecture
 +# must provide guarantees on what happens if a clean TLB cache entry is
 +# written after the unmap. Details are in mm/rmap.c near the check for
 +# should_defer_flush. The architecture should also consider if the full flush
 +# and the refill costs are offset by the savings of sending fewer IPIs.
 +config ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH
 +      bool
 +
  #
  # For architectures that know their GCC __int128 support is sound
  #
@@@ -927,6 -925,7 +927,6 @@@ config NUMA_BALANCING_DEFAULT_ENABLE
  menuconfig CGROUPS
        bool "Control Group support"
        select KERNFS
 -      select PERCPU_RWSEM
        help
          This option adds support for grouping sets of processes together, for
          use with process control subsystems such as Cpusets, CFS, memory
@@@ -956,22 -955,6 +956,22 @@@ config CGROUP_FREEZE
          Provides a way to freeze and unfreeze all tasks in a
          cgroup.
  
 +config CGROUP_PIDS
 +      bool "PIDs cgroup subsystem"
 +      help
 +        Provides enforcement of process number limits in the scope of a
 +        cgroup. Any attempt to fork more processes than is allowed in the
 +        cgroup will fail. PIDs are fundamentally a global resource because it
 +        is fairly trivial to reach PID exhaustion before you reach even a
 +        conservative kmemcg limit. As a result, it is possible to grind a
 +        system to halt without being limited by other cgroup policies. The
 +        PIDs cgroup subsystem is designed to stop this from happening.
 +
 +        It should be noted that organisational operations (such as attaching
 +        to a cgroup hierarchy will *not* be blocked by the PIDs subsystem),
 +        since the PIDs limit only affects a process's ability to fork, not to
 +        attach to a cgroup.
 +
  config CGROUP_DEVICE
        bool "Device controller for cgroups"
        help
@@@ -1585,14 -1568,6 +1585,14 @@@ config ADVISE_SYSCALL
          applications use these syscalls, you can disable this option to save
          space.
  
 +config USERFAULTFD
 +      bool "Enable userfaultfd() system call"
 +      select ANON_INODES
 +      depends on MMU
 +      help
 +        Enable the userfaultfd() system call that allows to intercept and
 +        handle page faults in userland.
 +
  config PCI_QUIRKS
        default y
        bool "Enable PCI quirk workarounds" if EXPERT
@@@ -1765,17 -1740,23 +1765,23 @@@ config MMAP_ALLOW_UNINITIALIZE
  
          See Documentation/nommu-mmap.txt for more information.
  
- config SYSTEM_TRUSTED_KEYRING
-       bool "Provide system-wide ring of trusted keys"
-       depends on KEYS
+ config SYSTEM_DATA_VERIFICATION
+       def_bool n
+       select SYSTEM_TRUSTED_KEYRING
+       select KEYS
+       select CRYPTO
+       select ASYMMETRIC_KEY_TYPE
+       select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+       select PUBLIC_KEY_ALGO_RSA
+       select ASN1
+       select OID_REGISTRY
+       select X509_CERTIFICATE_PARSER
+       select PKCS7_MESSAGE_PARSER
        help
-         Provide a system keyring to which trusted keys can be added.  Keys in
-         the keyring are considered to be trusted.  Keys may be added at will
-         by the kernel from compiled-in data and from hardware key stores, but
-         userspace may only add extra keys if those keys can be verified by
-         keys already in the keyring.
- 
-         Keys in this keyring are used by module signature checking.
+         Provide PKCS#7 message verification using the contents of the system
+         trusted keyring to provide public keys.  This then can be used for
+         module verification, kexec image verification and firmware blob
+         verification.
  
  config PROFILING
        bool "Profiling support"
@@@ -1885,20 -1866,16 +1891,16 @@@ config MODULE_SRCVERSION_AL
  config MODULE_SIG
        bool "Module signature verification"
        depends on MODULES
-       select SYSTEM_TRUSTED_KEYRING
-       select KEYS
-       select CRYPTO
-       select ASYMMETRIC_KEY_TYPE
-       select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
-       select PUBLIC_KEY_ALGO_RSA
-       select ASN1
-       select OID_REGISTRY
-       select X509_CERTIFICATE_PARSER
+       select SYSTEM_DATA_VERIFICATION
        help
          Check modules for valid signatures upon load: the signature
          is simply appended to the module. For more information see
          Documentation/module-signing.txt.
  
+         Note that this option adds the OpenSSL development packages as a
+         kernel build dependency so that the signing tool can use its crypto
+         library.
+ 
          !!!WARNING!!!  If you enable this option, you MUST make sure that the
          module DOES NOT get stripped after being signed.  This includes the
          debuginfo strip done by some packagers (such as rpmbuild) and

diff --combined kernel/Makefile
index 718fb8a,1aa153a..330387c
--- 1/kernel/Makefile
--- 2/kernel/Makefile
+++ b/kernel/Makefile
@@@ -45,7 -45,6 +45,6 @@@ ifneq ($(CONFIG_SMP),y
  obj-y += up.o
  endif
  obj-$(CONFIG_UID16) += uid16.o
- obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
  obj-$(CONFIG_MODULES) += module.o
  obj-$(CONFIG_MODULE_SIG) += module_signing.o
  obj-$(CONFIG_KALLSYMS) += kallsyms.o
@@@ -55,7 -54,6 +54,7 @@@ obj-$(CONFIG_BACKTRACE_SELF_TEST) += ba
  obj-$(CONFIG_COMPAT) += compat.o
  obj-$(CONFIG_CGROUPS) += cgroup.o
  obj-$(CONFIG_CGROUP_FREEZER) += cgroup_freezer.o
 +obj-$(CONFIG_CGROUP_PIDS) += cgroup_pids.o
  obj-$(CONFIG_CPUSETS) += cpuset.o
  obj-$(CONFIG_UTS_NS) += utsname.o
  obj-$(CONFIG_USER_NS) += user_namespace.o
@@@ -112,99 -110,3 +111,3 @@@ $(obj)/config_data.gz: $(KCONFIG_CONFIG
  targets += config_data.h
  $(obj)/config_data.h: $(obj)/config_data.gz FORCE
        $(call filechk,ikconfiggz)
- 
- ###############################################################################
- #
- # Roll all the X.509 certificates that we can find together and pull them into
- # the kernel so that they get loaded into the system trusted keyring during
- # boot.
- #
- # We look in the source root and the build root for all files whose name ends
- # in ".x509".  Unfortunately, this will generate duplicate filenames, so we
- # have make canonicalise the pathnames and then sort them to discard the
- # duplicates.
- #
- ###############################################################################
- ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
- X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
- X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509
- X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
-                               $(or $(realpath $(CERT)),$(CERT))))
- X509_CERTIFICATES := $(subst $(realpath $(objtree))/,,$(X509_CERTIFICATES-raw))
- 
- ifeq ($(X509_CERTIFICATES),)
- $(warning *** No X.509 certificates found ***)
- endif
- 
- ifneq ($(wildcard $(obj)/.x509.list),)
- ifneq ($(shell cat $(obj)/.x509.list),$(X509_CERTIFICATES))
- $(warning X.509 certificate list changed to "$(X509_CERTIFICATES)" from "$(shell cat $(obj)/.x509.list)")
- $(shell rm $(obj)/.x509.list)
- endif
- endif
- 
- kernel/system_certificates.o: $(obj)/x509_certificate_list
- 
- quiet_cmd_x509certs  = CERTS   $@
-       cmd_x509certs  = cat $(X509_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_CERTIFICATES),; $(kecho) "  - Including cert $(X509)")
- 
- targets += $(obj)/x509_certificate_list
- $(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
-       $(call if_changed,x509certs)
- 
- targets += $(obj)/.x509.list
- $(obj)/.x509.list:
-       @echo $(X509_CERTIFICATES) >$@
- endif
- 
- clean-files := x509_certificate_list .x509.list
- 
- ifeq ($(CONFIG_MODULE_SIG),y)
- ###############################################################################
- #
- # If module signing is requested, say by allyesconfig, but a key has not been
- # supplied, then one will need to be generated to make sure the build does not
- # fail and that the kernel may be used afterwards.
- #
- ###############################################################################
- ifndef CONFIG_MODULE_SIG_HASH
- $(error Could not determine digest type to use from kernel config)
- endif
- 
- signing_key.priv signing_key.x509: x509.genkey
-       @echo "###"
-       @echo "### Now generating an X.509 key pair to be used for signing modules."
-       @echo "###"
-       @echo "### If this takes a long time, you might wish to run rngd in the"
-       @echo "### background to keep the supply of entropy topped up.  It"
-       @echo "### needs to be run as root, and uses a hardware random"
-       @echo "### number generator if one is available."
-       @echo "###"
-       openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
-               -batch -x509 -config x509.genkey \
-               -outform DER -out signing_key.x509 \
-               -keyout signing_key.priv 2>&1
-       @echo "###"
-       @echo "### Key pair generated."
-       @echo "###"
- 
- x509.genkey:
-       @echo Generating X.509 key generation config
-       @echo  >x509.genkey "[ req ]"
-       @echo >>x509.genkey "default_bits = 4096"
-       @echo >>x509.genkey "distinguished_name = req_distinguished_name"
-       @echo >>x509.genkey "prompt = no"
-       @echo >>x509.genkey "string_mask = utf8only"
-       @echo >>x509.genkey "x509_extensions = myexts"
-       @echo >>x509.genkey
-       @echo >>x509.genkey "[ req_distinguished_name ]"
-       @echo >>x509.genkey "#O = Unspecified company"
-       @echo >>x509.genkey "CN = Build time autogenerated kernel key"
-       @echo >>x509.genkey "#emailAddress = unspecified.user@unspecified.company"
-       @echo >>x509.genkey
-       @echo >>x509.genkey "[ myexts ]"
-       @echo >>x509.genkey "basicConstraints=critical,CA:FALSE"
-       @echo >>x509.genkey "keyUsage=digitalSignature"
-       @echo >>x509.genkey "subjectKeyIdentifier=hash"
-       @echo >>x509.genkey "authorityKeyIdentifier=keyid"
- endif

diff --combined security/security.c
index 75b85fd,e693ffc..46f405c
--- 1/security/security.c
--- 2/security/security.c
+++ b/security/security.c
@@@ -56,18 -56,13 +56,13 @@@ int __init security_init(void
        pr_info("Security Framework initialized\n");
  
        /*
-        * Always load the capability module.
+        * Load minor LSMs, with the capability module always first.
         */
        capability_add_hooks();
- #ifdef CONFIG_SECURITY_YAMA_STACKED
-       /*
-        * If Yama is configured for stacking load it next.
-        */
        yama_add_hooks();
- #endif
+ 
        /*
-        * Load the chosen module if there is one.
-        * This will also find yama if it is stacking
+        * Load all the remaining security modules.
         */
        do_security_initcalls();
  
@@@ -380,8 -375,8 +375,8 @@@ int security_inode_init_security(struc
                return 0;
  
        if (!initxattrs)
 -              return call_int_hook(inode_init_security, 0, inode, dir, qstr,
 -                                                       NULL, NULL, NULL);
 +              return call_int_hook(inode_init_security, -EOPNOTSUPP, inode,
 +                                   dir, qstr, NULL, NULL, NULL);
        memset(new_xattrs, 0, sizeof(new_xattrs));
        lsm_xattr = new_xattrs;
        ret = call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir, qstr,
@@@ -409,8 -404,8 +404,8 @@@ int security_old_inode_init_security(st
  {
        if (unlikely(IS_PRIVATE(inode)))
                return -EOPNOTSUPP;
 -      return call_int_hook(inode_init_security, 0, inode, dir, qstr,
 -                              name, value, len);
 +      return call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir,
 +                           qstr, name, value, len);
  }
  EXPORT_SYMBOL(security_old_inode_init_security);
  
@@@ -776,7 -771,7 +771,7 @@@ static inline unsigned long mmap_prot(s
         * ditto if it's not on noexec mount, except that on !MMU we need
         * NOMMU_MAP_EXEC (== VM_MAYEXEC) in this case
         */
 -      if (!(file->f_path.mnt->mnt_flags & MNT_NOEXEC)) {
 +      if (!path_noexec(&file->f_path)) {
  #ifndef CONFIG_MMU
                if (file->f_op->mmap_capabilities) {
                        unsigned caps = file->f_op->mmap_capabilities(file);
@@@ -1281,8 -1276,7 +1276,8 @@@ int security_socket_getpeersec_stream(s
  
  int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
  {
 -      return call_int_hook(socket_getpeersec_dgram, 0, sock, skb, secid);
 +      return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
 +                           skb, secid);
  }
  EXPORT_SYMBOL(security_socket_getpeersec_dgram);
  

diff --combined security/selinux/hooks.c
index cdf4c58,5528505..e4369d8
--- 1/security/selinux/hooks.c
--- 2/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@@ -254,10 -254,21 +254,21 @@@ static void inode_free_security(struct 
        struct inode_security_struct *isec = inode->i_security;
        struct superblock_security_struct *sbsec = inode->i_sb->s_security;
  
-       spin_lock(&sbsec->isec_lock);
-       if (!list_empty(&isec->list))
+       /*
+        * As not all inode security structures are in a list, we check for
+        * empty list outside of the lock to make sure that we won't waste
+        * time taking a lock doing nothing.
+        *
+        * The list_del_init() function can be safely called more than once.
+        * It should not be possible for this function to be called with
+        * concurrent list_add(), but for better safety against future changes
+        * in the code, we use list_empty_careful() here.
+        */
+       if (!list_empty_careful(&isec->list)) {
+               spin_lock(&sbsec->isec_lock);
                list_del_init(&isec->list);
-       spin_unlock(&sbsec->isec_lock);
+               spin_unlock(&sbsec->isec_lock);
+       }
  
        /*
         * The inode may still be referenced in a path walk and
@@@ -1100,7 -1111,7 +1111,7 @@@ static void selinux_write_opts(struct s
                seq_puts(m, prefix);
                if (has_comma)
                        seq_putc(m, '\"');
 -              seq_puts(m, opts->mnt_opts[i]);
 +              seq_escape(m, opts->mnt_opts[i], "\"\n\\");
                if (has_comma)
                        seq_putc(m, '\"');
        }
@@@ -1698,6 -1709,32 +1709,32 @@@ out
        return rc;
  }
  
+ /*
+  * Determine the label for an inode that might be unioned.
+  */
+ static int selinux_determine_inode_label(const struct inode *dir,
+                                        const struct qstr *name,
+                                        u16 tclass,
+                                        u32 *_new_isid)
+ {
+       const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
+       const struct inode_security_struct *dsec = dir->i_security;
+       const struct task_security_struct *tsec = current_security();
+ 
+       if ((sbsec->flags & SE_SBINITIALIZED) &&
+           (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
+               *_new_isid = sbsec->mntpoint_sid;
+       } else if ((sbsec->flags & SBLABEL_MNT) &&
+                  tsec->create_sid) {
+               *_new_isid = tsec->create_sid;
+       } else {
+               return security_transition_sid(tsec->sid, dsec->sid, tclass,
+                                              name, _new_isid);
+       }
+ 
+       return 0;
+ }
+ 
  /* Check whether a task can create a file. */
  static int may_create(struct inode *dir,
                      struct dentry *dentry,
@@@ -1714,7 -1751,6 +1751,6 @@@
        sbsec = dir->i_sb->s_security;
  
        sid = tsec->sid;
-       newsid = tsec->create_sid;
  
        ad.type = LSM_AUDIT_DATA_DENTRY;
        ad.u.dentry = dentry;
@@@ -1725,12 -1761,10 +1761,10 @@@
        if (rc)
                return rc;
  
-       if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
-               rc = security_transition_sid(sid, dsec->sid, tclass,
-                                            &dentry->d_name, &newsid);
-               if (rc)
-                       return rc;
-       }
+       rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
+                                          &newsid);
+       if (rc)
+               return rc;
  
        rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
        if (rc)
@@@ -2704,32 -2738,14 +2738,14 @@@ static int selinux_dentry_init_security
                                        struct qstr *name, void **ctx,
                                        u32 *ctxlen)
  {
-       const struct cred *cred = current_cred();
-       struct task_security_struct *tsec;
-       struct inode_security_struct *dsec;
-       struct superblock_security_struct *sbsec;
-       struct inode *dir = d_backing_inode(dentry->d_parent);
        u32 newsid;
        int rc;
  
-       tsec = cred->security;
-       dsec = dir->i_security;
-       sbsec = dir->i_sb->s_security;
- 
-       if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
-               newsid = tsec->create_sid;
-       } else {
-               rc = security_transition_sid(tsec->sid, dsec->sid,
-                                            inode_mode_to_security_class(mode),
-                                            name,
-                                            &newsid);
-               if (rc) {
-                       printk(KERN_WARNING
-                               "%s: security_transition_sid failed, rc=%d\n",
-                              __func__, -rc);
-                       return rc;
-               }
-       }
+       rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
+                                          inode_mode_to_security_class(mode),
+                                          &newsid);
+       if (rc)
+               return rc;
  
        return security_sid_to_context(newsid, (char **)ctx, ctxlen);
  }
@@@ -2752,22 -2768,12 +2768,12 @@@ static int selinux_inode_init_security(
        sid = tsec->sid;
        newsid = tsec->create_sid;
  
-       if ((sbsec->flags & SE_SBINITIALIZED) &&
-           (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
-               newsid = sbsec->mntpoint_sid;
-       else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
-               rc = security_transition_sid(sid, dsec->sid,
-                                            inode_mode_to_security_class(inode->i_mode),
-                                            qstr, &newsid);
-               if (rc) {
-                       printk(KERN_WARNING "%s:  "
-                              "security_transition_sid failed, rc=%d (dev=%s "
-                              "ino=%ld)\n",
-                              __func__,
-                              -rc, inode->i_sb->s_id, inode->i_ino);
-                       return rc;
-               }
-       }
+       rc = selinux_determine_inode_label(
+               dir, qstr,
+               inode_mode_to_security_class(inode->i_mode),
+               &newsid);
+       if (rc)
+               return rc;
  
        /* Possibly defer initialization to selinux_complete_init. */
        if (sbsec->flags & SE_SBINITIALIZED) {
@@@ -3228,6 -3234,46 +3234,46 @@@ static void selinux_file_free_security(
        file_free_security(file);
  }
  
+ /*
+  * Check whether a task has the ioctl permission and cmd
+  * operation to an inode.
+  */
+ int ioctl_has_perm(const struct cred *cred, struct file *file,
+               u32 requested, u16 cmd)
+ {
+       struct common_audit_data ad;
+       struct file_security_struct *fsec = file->f_security;
+       struct inode *inode = file_inode(file);
+       struct inode_security_struct *isec = inode->i_security;
+       struct lsm_ioctlop_audit ioctl;
+       u32 ssid = cred_sid(cred);
+       int rc;
+       u8 driver = cmd >> 8;
+       u8 xperm = cmd & 0xff;
+ 
+       ad.type = LSM_AUDIT_DATA_IOCTL_OP;
+       ad.u.op = &ioctl;
+       ad.u.op->cmd = cmd;
+       ad.u.op->path = file->f_path;
+ 
+       if (ssid != fsec->sid) {
+               rc = avc_has_perm(ssid, fsec->sid,
+                               SECCLASS_FD,
+                               FD__USE,
+                               &ad);
+               if (rc)
+                       goto out;
+       }
+ 
+       if (unlikely(IS_PRIVATE(inode)))
+               return 0;
+ 
+       rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
+                       requested, driver, xperm, &ad);
+ out:
+       return rc;
+ }
+ 
  static int selinux_file_ioctl(struct file *file, unsigned int cmd,
                              unsigned long arg)
  {
@@@ -3270,7 -3316,7 +3316,7 @@@
         * to the file's ioctl() function.
         */
        default:
-               error = file_has_perm(cred, file, FILE__IOCTL);
+               error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
        }
        return error;
  }
@@@ -4520,6 -4566,7 +4566,7 @@@ static int selinux_sk_alloc_security(st
  
        sksec->peer_sid = SECINITSID_UNLABELED;
        sksec->sid = SECINITSID_UNLABELED;
+       sksec->sclass = SECCLASS_SOCKET;
        selinux_netlbl_sk_security_reset(sksec);
        sk->sk_security = sksec;