20 files changed, 300 insertions, 223 deletions
diff --git a/scripts/Makefile.build b/scripts/Makefile.build
index 76ca30cc4791..ae9cf740633e 100644
--- a/scripts/Makefile.build
+++ b/scripts/Makefile.build
@@ -222,6 +222,9 @@ endif
 ifdef CONFIG_RETPOLINE
  objtool_args += --retpoline
 endif
+ifdef CONFIG_X86_SMAP
+  objtool_args += --uaccess
+endif
 # 'OBJECT_FILES_NON_STANDARD := y': skip objtool checking for a directory
 # 'OBJECT_FILES_NON_STANDARD_foo.o := 'y': skip objtool checking for a file
@@ -501,7 +504,7 @@ existing-targets := $(wildcard $(sort $(targets)))
 -include $(foreach f,$(existing-targets),$(dir $(f)).$(notdir $(f)).cmd)
-ifneq ($(KBUILD_SRC),)
+ifneq ($(srctree),.)
 # Create directories for object files if they do not exist
 obj-dirs := $(sort $(obj) $(patsubst %/,%, $(dir $(targets))))
 # If targets exist, their directories apparently exist. Skip mkdir.
diff --git a/scripts/Makefile.host b/scripts/Makefile.host
index a115259b57e7..73b804197fca 100644
--- a/scripts/Makefile.host
+++ b/scripts/Makefile.host
@@ -71,7 +71,7 @@ __hostc_flags	= $(_hostc_flags)
 __hostcxx_flags = $(_hostcxx_flags)
 ifeq ($(KBUILD_EXTMOD),)
-ifneq ($(KBUILD_SRC),)
+ifneq ($(srctree),.)
 __hostc_flags   = -I$(obj) $(call flags,_hostc_flags)
 __hostcxx_flags = -I$(obj) $(call flags,_hostcxx_flags)
 endif
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 8a1f64f17740..41e98fa66b91 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -144,7 +144,7 @@ __cpp_flags     = $(_cpp_flags)
 # If building the kernel in a separate objtree expand all occurrences
 # of -Idir to -I$(srctree)/dir except for absolute paths (starting with '/').
 ifeq ($(KBUILD_EXTMOD),)
-ifneq ($(KBUILD_SRC),)
+ifneq ($(srctree),.)
 # -I$(obj) locates generated .h files
 # $(call addtree,-I$(obj)) locates .h files in srctree, from generated .c files
diff --git a/scripts/Makefile.modbuiltin b/scripts/Makefile.modbuiltin
index a072a4267746..ea90a90b41a0 100644
--- a/scripts/Makefile.modbuiltin
+++ b/scripts/Makefile.modbuiltin
@@ -15,7 +15,7 @@ include include/config/tristate.conf
 include scripts/Kbuild.include
-ifneq ($(KBUILD_SRC),)
+ifneq ($(srctree),.)
 # Create output directory if not already present
 _dummy := $(shell [ -d $(obj) ] || mkdir -p $(obj))
 endif
diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost
index 6b7f354f189a..fec6ec2ffa47 100644
--- a/scripts/Makefile.modpost
+++ b/scripts/Makefile.modpost
@@ -78,7 +78,7 @@ modpost = scripts/mod/modpost                    \
 $(if $(KBUILD_EXTRA_SYMBOLS), $(patsubst %, -e %,$(KBUILD_EXTRA_SYMBOLS))) \
 $(if $(KBUILD_EXTMOD),-o $(modulesymfile))      \
 $(if $(CONFIG_SECTION_MISMATCH_WARN_ONLY),,-E)  \
- $(if $(KBUILD_EXTMOD)$(KBUILD_MODPOST_WARN),-w)
+ $(if $(KBUILD_MODPOST_WARN),-w)
 MODPOST_OPT=$(subst -i,-n,$(filter -i,$(MAKEFLAGS)))
diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan
index 38b2b4818e8e..019771b845c5 100644
--- a/scripts/Makefile.ubsan
+++ b/scripts/Makefile.ubsan
@@ -3,7 +3,6 @@ ifdef CONFIG_UBSAN
      CFLAGS_UBSAN += $(call cc-option, -fsanitize=shift)
      CFLAGS_UBSAN += $(call cc-option, -fsanitize=integer-divide-by-zero)
      CFLAGS_UBSAN += $(call cc-option, -fsanitize=unreachable)
-      CFLAGS_UBSAN += $(call cc-option, -fsanitize=vla-bound)
      CFLAGS_UBSAN += $(call cc-option, -fsanitize=signed-integer-overflow)
      CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds)
      CFLAGS_UBSAN += $(call cc-option, -fsanitize=object-size)
diff --git a/scripts/bpf_helpers_doc.py b/scripts/bpf_helpers_doc.py
index 5010a4d5bfba..894cc58c1a03 100755
--- a/scripts/bpf_helpers_doc.py
+++ b/scripts/bpf_helpers_doc.py
@@ -1,7 +1,7 @@
 #!/usr/bin/python3
 # SPDX-License-Identifier: GPL-2.0-only
 #
-# Copyright (C) 2018 Netronome Systems, Inc.
+# Copyright (C) 2018-2019 Netronome Systems, Inc.
 # In case user attempts to run with Python 2.
 from __future__ import print_function
@@ -39,7 +39,7 @@ class Helper(object):
        Break down helper function protocol into smaller chunks: return type,
        name, distincts arguments.
        """
-        arg_re = re.compile('((const )?(struct )?(\w+|...))( (\**)(\w+))?$')
+        arg_re = re.compile('((\w+ )*?(\w+|...))( (\**)(\w+))?$')
        res = {}
        proto_re = re.compile('(.+) (\**)(\w+)\(((([^,]+)(, )?){1,5})\)$')
@@ -54,8 +54,8 @@ class Helper(object):
            capture = arg_re.match(a)
            res['args'].append({
                'type' : capture.group(1),
-                'star' : capture.group(6),
+                'star' : capture.group(5),
-                'name' : capture.group(7)
+                'name' : capture.group(6)
            })
        return res
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index a09333fd7cef..bb28b178d929 100755
--- a/scripts/checkpatch.pl
+++ b/scripts/checkpatch.pl
@@ -2687,6 +2687,24 @@ sub process {
                        } else {
                                $signatures{$sig_nospace} = 1;
                        }
+# Check Co-developed-by: immediately followed by Signed-off-by: with same name and email
+                        if ($sign_off =~ /^co-developed-by:$/i) {
+                                if ($email eq $author) {
+                                        WARN("BAD_SIGN_OFF",
+                                              "Co-developed-by: should not be used to attribute nominal patch author '$author'\n" . "$here\n" . $rawline);
+                                }
+                                if (!defined $lines[$linenr]) {
+                                        WARN("BAD_SIGN_OFF",
+                                             "Co-developed-by: must be immediately followed by Signed-off-by:\n" . "$here\n" . $rawline);
+                                } elsif ($rawlines[$linenr] !~ /^\s*signed-off-by:\s*(.*)/i) {
+                                        WARN("BAD_SIGN_OFF",
+                                             "Co-developed-by: must be immediately followed by Signed-off-by:\n" . "$here\n" . $rawline . "\n" .$rawlines[$linenr]);
+                                } elsif ($1 ne $email) {
+                                        WARN("BAD_SIGN_OFF",
+                                             "Co-developed-by and Signed-off-by: name/email do not match \n" . "$here\n" . $rawline . "\n" .$rawlines[$linenr]);
+                                }
+                        }
                }
 # Check email subject for common tools that don't need to be mentioned
diff --git a/scripts/documentation-file-ref-check b/scripts/documentation-file-ref-check
index ad9db6821824..63e9542656f1 100755
--- a/scripts/documentation-file-ref-check
+++ b/scripts/documentation-file-ref-check
@@ -30,6 +30,34 @@ print "Finding broken references. This may take a while...  " if ($fix);
 my %broken_ref;
+my $doc_fix = 0;
+open IN, "git grep ':doc:\`' Documentation/|"
+     or die "Failed to run git grep";
+while (<IN>) {
+        next if (!m,^([^:]+):.*\:doc\:\`([^\`]+)\`,);
+        my $d = $1;
+        my $doc_ref = $2;
+        my $f = $doc_ref;
+        $d =~ s,(.*/).*,$1,;
+        $f =~ s,.*\<([^\>]+)\>,$1,;
+        $f ="$d$f.rst";
+        next if (grep -e, glob("$f"));
+        if ($fix && !$doc_fix) {
+                print STDERR "\nWARNING: Currently, can't fix broken :doc:`` fields\n";
+        }
+        $doc_fix++;
+        print STDERR "$f: :doc:`$doc_ref`\n";
+}
+close IN;
 open IN, "git grep 'Documentation/'|"
     or die "Failed to run git grep";
 while (<IN>) {
@@ -38,6 +66,9 @@ while (<IN>) {
        my $f = $1;
        my $ln = $2;
+        # On linux-next, discard the Next/ directory
+        next if ($f =~ m,^Next/,);
        # Makefiles and scripts contain nasty expressions to parse docs
        next if ($f =~ m/Makefile/ || $f =~ m/\.sh$/);
@@ -100,6 +131,7 @@ while (<IN>) {
                }
        }
 }
+close IN;
 exit 0 if (!$fix);
diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
index 74271dba4f94..80220ed26a35 100644
--- a/scripts/gcc-plugins/Kconfig
+++ b/scripts/gcc-plugins/Kconfig
@@ -13,17 +13,19 @@ config HAVE_GCC_PLUGINS
          An arch should select this symbol if it supports building with
          GCC plugins.
-menuconfig GCC_PLUGINS
+config GCC_PLUGINS
-        bool "GCC plugins"
+        bool
        depends on HAVE_GCC_PLUGINS
        depends on PLUGIN_HOSTCC != ""
+        default y
        help
          GCC plugins are loadable modules that provide extra features to the
          compiler. They are useful for runtime instrumentation and static analysis.
          See Documentation/gcc-plugins.txt for details.
-if GCC_PLUGINS
+menu "GCC plugins"
+        depends on GCC_PLUGINS
 config GCC_PLUGIN_CYC_COMPLEXITY
        bool "Compute the cyclomatic complexity of a function" if EXPERT
@@ -66,71 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY
           * https://grsecurity.net/
           * https://pax.grsecurity.net/
-config GCC_PLUGIN_STRUCTLEAK
-        bool "Zero initialize stack variables"
-        help
-          While the kernel is built with warnings enabled for any missed
-          stack variable initializations, this warning is silenced for
-          anything passed by reference to another function, under the
-          occasionally misguided assumption that the function will do
-          the initialization. As this regularly leads to exploitable
-          flaws, this plugin is available to identify and zero-initialize
-          such variables, depending on the chosen level of coverage.
-          This plugin was originally ported from grsecurity/PaX. More
-          information at:
-           * https://grsecurity.net/
-           * https://pax.grsecurity.net/
-choice
-        prompt "Coverage"
-        depends on GCC_PLUGIN_STRUCTLEAK
-        default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
-        help
-          This chooses the level of coverage over classes of potentially
-          uninitialized variables. The selected class will be
-          zero-initialized before use.
-        config GCC_PLUGIN_STRUCTLEAK_USER
-                bool "structs marked for userspace"
-                help
-                  Zero-initialize any structures on the stack containing
-                  a __user attribute. This can prevent some classes of
-                  uninitialized stack variable exploits and information
-                  exposures, like CVE-2013-2141:
-                  https://git.kernel.org/linus/b9e146d8eb3b9eca
-        config GCC_PLUGIN_STRUCTLEAK_BYREF
-                bool "structs passed by reference"
-                help
-                  Zero-initialize any structures on the stack that may
-                  be passed by reference and had not already been
-                  explicitly initialized. This can prevent most classes
-                  of uninitialized stack variable exploits and information
-                  exposures, like CVE-2017-1000410:
-                  https://git.kernel.org/linus/06e7e776ca4d3654
-        config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
-                bool "anything passed by reference"
-                help
-                  Zero-initialize any stack variables that may be passed
-                  by reference and had not already been explicitly
-                  initialized. This is intended to eliminate all classes
-                  of uninitialized stack variable exploits and information
-                  exposures.
-endchoice
-config GCC_PLUGIN_STRUCTLEAK_VERBOSE
-        bool "Report forcefully initialized variables"
-        depends on GCC_PLUGIN_STRUCTLEAK
-        depends on !COMPILE_TEST        # too noisy
-        help
-          This option will cause a warning to be printed each time the
-          structleak plugin finds a variable it thinks needs to be
-          initialized. Since not all existing initializers are detected
-          by the plugin, this can produce false positive warnings.
 config GCC_PLUGIN_RANDSTRUCT
        bool "Randomize layout of sensitive kernel structures"
        select MODVERSIONS if MODULES
@@ -171,59 +108,8 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
          in structures.  This reduces the performance hit of RANDSTRUCT
          at the cost of weakened randomization.
-config GCC_PLUGIN_STACKLEAK
-        bool "Erase the kernel stack before returning from syscalls"
-        depends on GCC_PLUGINS
-        depends on HAVE_ARCH_STACKLEAK
-        help
-          This option makes the kernel erase the kernel stack before
-          returning from system calls. That reduces the information which
-          kernel stack leak bugs can reveal and blocks some uninitialized
-          stack variable attacks.
-          The tradeoff is the performance impact: on a single CPU system kernel
-          compilation sees a 1% slowdown, other systems and workloads may vary
-          and you are advised to test this feature on your expected workload
-          before deploying it.
-          This plugin was ported from grsecurity/PaX. More information at:
-           * https://grsecurity.net/
-           * https://pax.grsecurity.net/
-config STACKLEAK_TRACK_MIN_SIZE
-        int "Minimum stack frame size of functions tracked by STACKLEAK"
-        default 100
-        range 0 4096
-        depends on GCC_PLUGIN_STACKLEAK
-        help
-          The STACKLEAK gcc plugin instruments the kernel code for tracking
-          the lowest border of the kernel stack (and for some other purposes).
-          It inserts the stackleak_track_stack() call for the functions with
-          a stack frame size greater than or equal to this parameter.
-          If unsure, leave the default value 100.
-config STACKLEAK_METRICS
-        bool "Show STACKLEAK metrics in the /proc file system"
-        depends on GCC_PLUGIN_STACKLEAK
-        depends on PROC_FS
-        help
-          If this is set, STACKLEAK metrics for every task are available in
-          the /proc file system. In particular, /proc/<pid>/stack_depth
-          shows the maximum kernel stack consumption for the current and
-          previous syscalls. Although this information is not precise, it
-          can be useful for estimating the STACKLEAK performance impact for
-          your workloads.
-config STACKLEAK_RUNTIME_DISABLE
-        bool "Allow runtime disabling of kernel stack erasing"
-        depends on GCC_PLUGIN_STACKLEAK
-        help
-          This option provides 'stack_erasing' sysctl, which can be used in
-          runtime to control kernel stack erasing for kernels built with
-          CONFIG_GCC_PLUGIN_STACKLEAK.
 config GCC_PLUGIN_ARM_SSP_PER_TASK
        bool
        depends on GCC_PLUGINS && ARM
-endif
+endmenu
diff --git a/scripts/gcc-plugins/arm_ssp_per_task_plugin.c b/scripts/gcc-plugins/arm_ssp_per_task_plugin.c
index 89c47f57d1ce..8c1af9bdcb1b 100644
--- a/scripts/gcc-plugins/arm_ssp_per_task_plugin.c
+++ b/scripts/gcc-plugins/arm_ssp_per_task_plugin.c
@@ -36,7 +36,7 @@ static unsigned int arm_pertask_ssp_rtl_execute(void)
                mask = GEN_INT(sext_hwi(sp_mask, GET_MODE_PRECISION(Pmode)));
                masked_sp = gen_reg_rtx(Pmode);
-                emit_insn_before(gen_rtx_SET(masked_sp,
+                emit_insn_before(gen_rtx_set(masked_sp,
                                             gen_rtx_AND(Pmode,
                                                         stack_pointer_rtx,
                                                         mask)),
diff --git a/scripts/gdb/linux/Makefile b/scripts/gdb/linux/Makefile
index 3df395a9c2ce..9fd3d8ed731a 100644
--- a/scripts/gdb/linux/Makefile
+++ b/scripts/gdb/linux/Makefile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: GPL-2.0
-ifneq ($(KBUILD_SRC),)
+ifneq ($(srctree),.)
 symlinks := $(patsubst $(srctree)/$(src)/%,%,$(wildcard $(srctree)/$(src)/*.py))
diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
index dc0e8c5a1402..a7124f895b24 100755
--- a/scripts/link-vmlinux.sh
+++ b/scripts/link-vmlinux.sh
@@ -35,7 +35,7 @@ set -e
 info()
 {
        if [ "${quiet}" != "silent_" ]; then
-                printf "  %-7s %s\n" ${1} ${2}
+                printf "  %-7s %s\n" "${1}" "${2}"
        fi
 }
@@ -91,6 +91,25 @@ vmlinux_link()
        fi
 }
+# generate .BTF typeinfo from DWARF debuginfo
+gen_btf()
+{
+        local pahole_ver;
+        if ! [ -x "$(command -v ${PAHOLE})" ]; then
+                info "BTF" "${1}: pahole (${PAHOLE}) is not available"
+                return 0
+        fi
+        pahole_ver=$(${PAHOLE} --version | sed -E 's/v([0-9]+)\.([0-9]+)/\1\2/')
+        if [ "${pahole_ver}" -lt "113" ]; then
+                info "BTF" "${1}: pahole version $(${PAHOLE} --version) is too old, need at least v1.13"
+                return 0
+        fi
+        info "BTF" ${1}
+        LLVM_OBJCOPY=${OBJCOPY} ${PAHOLE} -J ${1}
+}
 # Create ${2} .o file with all symbols from the ${1} object file
 kallsyms()
@@ -193,6 +212,9 @@ modpost_link vmlinux.o
 # modpost vmlinux.o to check for section mismatches
 ${MAKE} -f "${srctree}/scripts/Makefile.modpost" vmlinux.o
+info MODINFO modules.builtin.modinfo
+${OBJCOPY} -j .modinfo -O binary vmlinux.o modules.builtin.modinfo
 kallsymso=""
 kallsyms_vmlinux=""
 if [ -n "${CONFIG_KALLSYMS}" ]; then
@@ -248,6 +270,10 @@ fi
 info LD vmlinux
 vmlinux_link "${kallsymso}" vmlinux
+if [ -n "${CONFIG_DEBUG_INFO_BTF}" ]; then
+        gen_btf vmlinux
+fi
 if [ -n "${CONFIG_BUILDTIME_EXTABLE_SORT}" ]; then
        info SORTEX vmlinux
        sortextable vmlinux
diff --git a/scripts/mkmakefile b/scripts/mkmakefile
index 412f13fdff52..4d0faebb1719 100755
--- a/scripts/mkmakefile
+++ b/scripts/mkmakefile
@@ -7,33 +7,11 @@
 # Usage
 # $1 - Kernel src directory
-# Only overwrite automatically generated Makefiles
-# (so we do not overwrite kernel Makefile)
-if test -e Makefile && ! grep -q Automatically Makefile
-then
-        exit 0
-fi
 if [ "${quiet}" != "silent_" ]; then
        echo "  GEN     Makefile"
 fi
 cat << EOF > Makefile
-# Automatically generated by $0: don't edit
+# Automatically generated by $(realpath $0): don't edit
+include $(realpath $1/Makefile)
-ifeq ("\$(origin V)", "command line")
-VERBOSE := \$(V)
-endif
-ifneq (\$(VERBOSE),1)
-Q := @
-endif
-MAKEFLAGS += --no-print-directory
-.PHONY: __sub-make \$(MAKECMDGOALS)
-__sub-make:
-        \$(Q)\$(MAKE) -C $1 O=\$(CURDIR) \$(MAKECMDGOALS)
-\$(filter-out __sub-make, \$(MAKECMDGOALS)): __sub-make
-        @:
 EOF
diff --git a/scripts/recordmcount.pl b/scripts/recordmcount.pl
index 68841d01162c..d24759214efd 100755
--- a/scripts/recordmcount.pl
+++ b/scripts/recordmcount.pl
@@ -397,6 +397,9 @@ if ($arch eq "x86_64") {
 } elsif ($arch eq "nds32") {
    $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*R_NDS32_HI20_RELA\\s+_mcount\$";
    $alignment = 2;
+} elsif ($arch eq "csky") {
+    $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*R_CKCORE_PCREL_JSR_IMM26BY2\\s+_mcount\$";
+    $alignment = 2;
 } else {
    die "Arch $arch is not supported with CONFIG_FTRACE_MCOUNT_RECORD";
 }
@@ -493,7 +496,7 @@ sub update_funcs
 #
 # Step 2: find the sections and mcount call sites
 #
-open(IN, "$objdump -hdr $inputfile|") || die "error running $objdump";
+open(IN, "LANG=C $objdump -hdr $inputfile|") || die "error running $objdump";
 my $text;
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
index 0b86c47baf7d..2dccf141241d 100755
--- a/scripts/selinux/install_policy.sh
+++ b/scripts/selinux/install_policy.sh
@@ -1,30 +1,61 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0
+set -e
 if [ `id -u` -ne 0 ]; then
        echo "$0: must be root to install the selinux policy"
        exit 1
 fi
 SF=`which setfiles`
 if [ $? -eq 1 ]; then
-        if [ -f /sbin/setfiles ]; then
+        echo "Could not find setfiles"
-                SF="/usr/setfiles"
+        echo "Do you have policycoreutils installed?"
-        else
+        exit 1
-                echo "no selinux tools installed: setfiles"
-                exit 1
-        fi
 fi
-cd mdp
 CP=`which checkpolicy`
+if [ $? -eq 1 ]; then
+        echo "Could not find checkpolicy"
+        echo "Do you have checkpolicy installed?"
+        exit 1
+fi
 VERS=`$CP -V | awk '{print $1}'`
-./mdp policy.conf file_contexts
+ENABLED=`which selinuxenabled`
-$CP -o policy.$VERS policy.conf
+if [ $? -eq 1 ]; then
+        echo "Could not find selinuxenabled"
+        echo "Do you have libselinux-utils installed?"
+        exit 1
+fi
+if selinuxenabled; then
+    echo "SELinux is already enabled"
+    echo "This prevents safely relabeling all files."
+    echo "Boot with selinux=0 on the kernel command-line or"
+    echo "SELINUX=disabled in /etc/selinux/config."
+    exit 1
+fi
+cd mdp
+./mdp -m policy.conf file_contexts
+$CP -U allow -M -o policy.$VERS policy.conf
 mkdir -p /etc/selinux/dummy/policy
 mkdir -p /etc/selinux/dummy/contexts/files
+echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
+echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
+echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
+cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
+client * user_u:base_r:base_t:s0
+property * user_u:object_r:base_t:s0
+extension * user_u:object_r:base_t:s0
+selection * user_u:object_r:base_t:s0
+event * user_u:object_r:base_t:s0
+EOF
+touch /etc/selinux/dummy/contexts/virtual_domain_context
+touch /etc/selinux/dummy/contexts/virtual_image_context
 cp file_contexts /etc/selinux/dummy/contexts/files
 cp dbus_contexts /etc/selinux/dummy/contexts
 cp policy.$VERS /etc/selinux/dummy/policy
@@ -33,37 +64,22 @@ FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
 if [ ! -d /etc/selinux ]; then
        mkdir -p /etc/selinux
 fi
-if [ ! -f /etc/selinux/config ]; then
+if [ -f /etc/selinux/config ]; then
-        cat > /etc/selinux/config << EOF
+    echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
-SELINUX=enforcing
+    mv /etc/selinux/config /etc/selinux/config.bak
+fi
+echo "Creating new /etc/selinux/config for dummy policy."
+cat > /etc/selinux/config << EOF
+SELINUX=permissive
 SELINUXTYPE=dummy
 EOF
-else
-        TYPE=`cat /etc/selinux/config | grep "^SELINUXTYPE" | tail -1 | awk -F= '{ print $2 '}`
-        if [ "eq$TYPE" != "eqdummy" ]; then
-                selinuxenabled
-                if [ $? -eq 0 ]; then
-                        echo "SELinux already enabled with a non-dummy policy."
-                        echo "Exiting.  Please install policy by hand if that"
-                        echo "is what you REALLY want."
-                        exit 1
-                fi
-                mv /etc/selinux/config /etc/selinux/config.mdpbak
-                grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config
-                echo "SELINUXTYPE=dummy" >> /etc/selinux/config
-        fi
-fi
 cd /etc/selinux/dummy/contexts/files
-$SF file_contexts /
+$SF -F file_contexts /
-mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs|ext4|ext4dev|gfs2" | awk '{ print $2 '}`
+mounts=`cat /proc/$$/mounts | \
-$SF file_contexts $mounts
+        egrep "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \
+        awk '{ print $2 '}`
+$SF -F file_contexts $mounts
+echo "-F" > /.autorelabel
-dodev=`cat /proc/$$/mounts | grep "/dev "`
-if [ "eq$dodev" != "eq" ]; then
-        mount --move /dev /mnt
-        $SF file_contexts /dev
-        mount --move /mnt /dev
-fi
diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile
index e9c92db7e2a3..8a1269a9d0ba 100644
--- a/scripts/selinux/mdp/Makefile
+++ b/scripts/selinux/mdp/Makefile
@@ -2,7 +2,7 @@
 hostprogs-y     := mdp
 HOST_EXTRACFLAGS += \
        -I$(srctree)/include/uapi -I$(srctree)/include \
-        -I$(srctree)/security/selinux/include
+        -I$(srctree)/security/selinux/include -I$(objtree)/include
 always          := $(hostprogs-y)
 clean-files     := policy.* file_contexts
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index 6d51b74bc679..18fd6143888b 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
+#include <linux/kconfig.h>
 static void usage(char *name)
 {
@@ -94,10 +95,31 @@ int main(int argc, char *argv[])
        }
        fprintf(fout, "\n");
-        /* NOW PRINT OUT MLS STUFF */
+        /* print out mls declarations and constraints */
        if (mls) {
-                printf("MLS not yet implemented\n");
+                fprintf(fout, "sensitivity s0;\n");
-                exit(1);
+                fprintf(fout, "sensitivity s1;\n");
+                fprintf(fout, "dominance { s0 s1 }\n");
+                fprintf(fout, "category c0;\n");
+                fprintf(fout, "category c1;\n");
+                fprintf(fout, "level s0:c0.c1;\n");
+                fprintf(fout, "level s1:c0.c1;\n");
+#define SYSTEMLOW "s0"
+#define SYSTEMHIGH "s1:c0.c1"
+                for (i = 0; secclass_map[i].name; i++) {
+                        struct security_class_mapping *map = &secclass_map[i];
+                        fprintf(fout, "mlsconstrain %s {\n", map->name);
+                        for (j = 0; map->perms[j]; j++)
+                                fprintf(fout, "\t%s\n", map->perms[j]);
+                        /*
+                         * This requires all subjects and objects to be
+                         * single-level (l2 eq h2), and that the subject
+                         * level dominate the object level (h1 dom h2)
+                         * in order to have any permissions to it.
+                         */
+                        fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
+                }
        }
        /* types, roles, and allows */
@@ -107,34 +129,127 @@ int main(int argc, char *argv[])
        for (i = 0; secclass_map[i].name; i++)
                fprintf(fout, "allow base_t base_t:%s *;\n",
                        secclass_map[i].name);
-        fprintf(fout, "user user_u roles { base_r };\n");
+        fprintf(fout, "user user_u roles { base_r }");
-        fprintf(fout, "\n");
+        if (mls)
+                fprintf(fout, " level %s range %s - %s", SYSTEMLOW,
+                        SYSTEMLOW, SYSTEMHIGH);
+        fprintf(fout, ";\n");
+#define SUBJUSERROLETYPE "user_u:base_r:base_t"
+#define OBJUSERROLETYPE "user_u:object_r:base_t"
        /* default sids */
        for (i = 1; i < initial_sid_to_string_len; i++)
-                fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
+                fprintf(fout, "sid %s " SUBJUSERROLETYPE "%s\n",
+                        initial_sid_to_string[i], mls ? ":" SYSTEMLOW : "");
        fprintf(fout, "\n");
-        fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
+#define FS_USE(behavior, fstype)                            \
-        fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_%s %s " OBJUSERROLETYPE "%s;\n", \
-        fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
+                behavior, fstype, mls ? ":" SYSTEMLOW : "")
-        fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
+        /*
-        fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
+         * Filesystems whose inode labels can be fetched via getxattr.
-        fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
+         */
-        fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
+#ifdef CONFIG_EXT2_FS_SECURITY
+        FS_USE("xattr", "ext2");
+#endif
+#ifdef CONFIG_EXT4_FS_SECURITY
+#ifdef CONFIG_EXT4_USE_FOR_EXT2
+        FS_USE("xattr", "ext2");
+#endif
+        FS_USE("xattr", "ext3");
+        FS_USE("xattr", "ext4");
+#endif
+#ifdef CONFIG_JFS_SECURITY
+        FS_USE("xattr", "jfs");
+#endif
+#ifdef CONFIG_REISERFS_FS_SECURITY
+        FS_USE("xattr", "reiserfs");
+#endif
+#ifdef CONFIG_JFFS2_FS_SECURITY
+        FS_USE("xattr", "jffs2");
+#endif
+#ifdef CONFIG_XFS_FS
+        FS_USE("xattr", "xfs");
+#endif
+#ifdef CONFIG_GFS2_FS
+        FS_USE("xattr", "gfs2");
+#endif
+#ifdef CONFIG_BTRFS_FS
+        FS_USE("xattr", "btrfs");
+#endif
+#ifdef CONFIG_F2FS_FS_SECURITY
+        FS_USE("xattr", "f2fs");
+#endif
+#ifdef CONFIG_OCFS2_FS
+        FS_USE("xattr", "ocsfs2");
+#endif
+#ifdef CONFIG_OVERLAY_FS
+        FS_USE("xattr", "overlay");
+#endif
+#ifdef CONFIG_SQUASHFS_XATTR
+        FS_USE("xattr", "squashfs");
+#endif
+        /*
+         * Filesystems whose inodes are labeled from allocating task.
+         */
+        FS_USE("task", "pipefs");
+        FS_USE("task", "sockfs");
-        fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
+        /*
-        fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
+         * Filesystems whose inode labels are computed from both
-        fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
+         * the allocating task and the superblock label.
+         */
+#ifdef CONFIG_UNIX98_PTYS
+        FS_USE("trans", "devpts");
+#endif
+#ifdef CONFIG_HUGETLBFS
+        FS_USE("trans", "hugetlbfs");
+#endif
+#ifdef CONFIG_TMPFS
+        FS_USE("trans", "tmpfs");
+#endif
+#ifdef CONFIG_DEVTMPFS
+        FS_USE("trans", "devtmpfs");
+#endif
+#ifdef CONFIG_POSIX_MQUEUE
+        FS_USE("trans", "mqueue");
+#endif
-        fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
+#define GENFSCON(fstype, prefix)                             \
-        fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
+        fprintf(fout, "genfscon %s %s " OBJUSERROLETYPE "%s\n", \
-        fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
+                fstype, prefix, mls ? ":" SYSTEMLOW : "")
-        fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
-        fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
+        /*
+         * Filesystems whose inodes are labeled from path prefix match
+         * relative to the filesystem root.  Depending on the filesystem,
+         * only a single label for all inodes may be supported.  Here
+         * we list the filesystem types for which per-file labeling is
+         * supported using genfscon; any other filesystem type can also
+         * be added by only with a single entry for all of its inodes.
+         */
+#ifdef CONFIG_PROC_FS
+        GENFSCON("proc", "/");
+#endif
+#ifdef CONFIG_SECURITY_SELINUX
+        GENFSCON("selinuxfs", "/");
+#endif
+#ifdef CONFIG_SYSFS
+        GENFSCON("sysfs", "/");
+#endif
+#ifdef CONFIG_DEBUG_FS
+        GENFSCON("debugfs", "/");
+#endif
+#ifdef CONFIG_TRACING
+        GENFSCON("tracefs", "/");
+#endif
+#ifdef CONFIG_PSTORE
+        GENFSCON("pstore", "/");
+#endif
+        GENFSCON("cgroup", "/");
+        GENFSCON("cgroup2", "/");
        fclose(fout);
@@ -143,8 +258,8 @@ int main(int argc, char *argv[])
                printf("Wrote policy, but cannot open %s for writing\n", ctxout);
                usage(argv[0]);
        }
-        fprintf(fout, "/ user_u:base_r:base_t\n");
+        fprintf(fout, "/ " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
-        fprintf(fout, "/.* user_u:base_r:base_t\n");
+        fprintf(fout, "/.* " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
        fclose(fout);
        return 0;
diff --git a/scripts/sphinx-pre-install b/scripts/sphinx-pre-install
index 067459760a7b..f6a5c0bae31e 100755
--- a/scripts/sphinx-pre-install
+++ b/scripts/sphinx-pre-install
@@ -532,6 +532,7 @@ sub check_needs()
        check_program("dot", 1);
        check_program("convert", 1);
        check_program("rsvg-convert", 1) if ($pdf);
+        check_program("latexmk", 1) if ($pdf);
        check_distros();
diff --git a/scripts/tags.sh b/scripts/tags.sh
index f470d9919ed7..70e14c67bde7 100755
--- a/scripts/tags.sh
+++ b/scripts/tags.sh
@@ -19,7 +19,7 @@ ignore="$ignore ( -name *.mod.c ) -prune -o"
 # Do not use full path if we do not use O=.. builds
 # Use make O=. {tags|cscope}
 # to force full paths for a non-O= build
-if [ "${KBUILD_SRC}" = "" ]; then
+if [ "${srctree}" = "." -o -z "${srctree}" ]; then
        tree=
 else
        tree=${srctree}/