245 files changed, 2474 insertions, 1307 deletions
diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
index bc1acdda7a5e..9503a4be40f6 100644
--- a/arch/alpha/kernel/osf_sys.c
+++ b/arch/alpha/kernel/osf_sys.c
@@ -278,8 +278,8 @@ linux_to_osf_stat(struct kstat *lstat, struct osf_stat __user *osf_stat)
        tmp.st_dev      = lstat->dev;
        tmp.st_mode     = lstat->mode;
        tmp.st_nlink    = lstat->nlink;
-        tmp.st_uid      = lstat->uid;
+        tmp.st_uid      = from_kuid_munged(current_user_ns(), lstat->uid);
-        tmp.st_gid      = lstat->gid;
+        tmp.st_gid      = from_kgid_munged(current_user_ns(), lstat->gid);
        tmp.st_rdev     = lstat->rdev;
        tmp.st_ldev     = lstat->rdev;
        tmp.st_size     = lstat->size;
diff --git a/arch/ia64/kernel/mca_drv.c b/arch/ia64/kernel/mca_drv.c
index 1c2e89406721..9392e021c93b 100644
--- a/arch/ia64/kernel/mca_drv.c
+++ b/arch/ia64/kernel/mca_drv.c
@@ -158,7 +158,8 @@ mca_handler_bh(unsigned long paddr, void *iip, unsigned long ipsr)
        ia64_mlogbuf_dump();
        printk(KERN_ERR "OS_MCA: process [cpu %d, pid: %d, uid: %d, "
                "iip: %p, psr: 0x%lx,paddr: 0x%lx](%s) encounters MCA.\n",
-               raw_smp_processor_id(), current->pid, current_uid(),
+               raw_smp_processor_id(), current->pid,
+                from_kuid(&init_user_ns, current_uid()),
                iip, ipsr, paddr, current->comm);
        spin_lock(&mca_bh_lock);
diff --git a/arch/ia64/kernel/perfmon.c b/arch/ia64/kernel/perfmon.c
index 3fa4bc536953..5a5c22245dee 100644
--- a/arch/ia64/kernel/perfmon.c
+++ b/arch/ia64/kernel/perfmon.c
@@ -2380,8 +2380,8 @@ static int
 pfm_bad_permissions(struct task_struct *task)
 {
        const struct cred *tcred;
-        uid_t uid = current_uid();
+        kuid_t uid = current_uid();
-        gid_t gid = current_gid();
+        kgid_t gid = current_gid();
        int ret;
        rcu_read_lock();
@@ -2389,20 +2389,20 @@ pfm_bad_permissions(struct task_struct *task)
        /* inspired by ptrace_attach() */
        DPRINT(("cur: uid=%d gid=%d task: euid=%d suid=%d uid=%d egid=%d sgid=%d\n",
-                uid,
+                from_kuid(&init_user_ns, uid),
-                gid,
+                from_kgid(&init_user_ns, gid),
-                tcred->euid,
+                from_kuid(&init_user_ns, tcred->euid),
-                tcred->suid,
+                from_kuid(&init_user_ns, tcred->suid),
-                tcred->uid,
+                from_kuid(&init_user_ns, tcred->uid),
-                tcred->egid,
+                from_kgid(&init_user_ns, tcred->egid),
-                tcred->sgid));
+                from_kgid(&init_user_ns, tcred->sgid)));
-        ret = ((uid != tcred->euid)
+        ret = ((!uid_eq(uid, tcred->euid))
-               || (uid != tcred->suid)
+               || (!uid_eq(uid, tcred->suid))
-               || (uid != tcred->uid)
+               || (!uid_eq(uid, tcred->uid))
-               || (gid != tcred->egid)
+               || (!gid_eq(gid, tcred->egid))
-               || (gid != tcred->sgid)
+               || (!gid_eq(gid, tcred->sgid))
-               || (gid != tcred->gid)) && !capable(CAP_SYS_PTRACE);
+               || (!gid_eq(gid, tcred->gid))) && !capable(CAP_SYS_PTRACE);
        rcu_read_unlock();
        return ret;
diff --git a/arch/ia64/kernel/signal.c b/arch/ia64/kernel/signal.c
index a199be1fe619..37dd79511cbe 100644
--- a/arch/ia64/kernel/signal.c
+++ b/arch/ia64/kernel/signal.c
@@ -220,7 +220,7 @@ ia64_rt_sigreturn (struct sigscratch *scr)
        si.si_errno = 0;
        si.si_code = SI_KERNEL;
        si.si_pid = task_pid_vnr(current);
-        si.si_uid = current_uid();
+        si.si_uid = from_kuid_munged(current_user_ns(), current_uid());
        si.si_addr = sc;
        force_sig_info(SIGSEGV, &si, current);
        return retval;
@@ -317,7 +317,7 @@ force_sigsegv_info (int sig, void __user *addr)
        si.si_errno = 0;
        si.si_code = SI_KERNEL;
        si.si_pid = task_pid_vnr(current);
-        si.si_uid = current_uid();
+        si.si_uid = from_kuid_munged(current_user_ns(), current_uid());
        si.si_addr = addr;
        force_sig_info(SIGSEGV, &si, current);
        return 0;
diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
index 08ffcf52a856..e5f028b5794e 100644
--- a/arch/powerpc/mm/fault.c
+++ b/arch/powerpc/mm/fault.c
@@ -470,7 +470,7 @@ bad_area_nosemaphore:
        if (is_exec && (error_code & DSISR_PROTFAULT))
                printk_ratelimited(KERN_CRIT "kernel tried to execute NX-protected"
                                   " page (%lx) - exploit attempt? (uid: %d)\n",
-                                   address, current_uid());
+                                   address, from_kuid(&init_user_ns, current_uid()));
        return SIGSEGV;
diff --git a/arch/s390/hypfs/inode.c b/arch/s390/hypfs/inode.c
index 6767b437a103..124ec1a55cc9 100644
--- a/arch/s390/hypfs/inode.c
+++ b/arch/s390/hypfs/inode.c
@@ -31,8 +31,8 @@ static struct dentry *hypfs_create_update_file(struct super_block *sb,
                                               struct dentry *dir);
 struct hypfs_sb_info {
-        uid_t uid;                      /* uid used for files and dirs */
+        kuid_t uid;                     /* uid used for files and dirs */
-        gid_t gid;                      /* gid used for files and dirs */
+        kgid_t gid;                     /* gid used for files and dirs */
        struct dentry *update_file;     /* file to trigger update */
        time_t last_update;             /* last update time in secs since 1970 */
        struct mutex lock;              /* lock to protect update process */
@@ -229,6 +229,8 @@ static int hypfs_parse_options(char *options, struct super_block *sb)
 {
        char *str;
        substring_t args[MAX_OPT_ARGS];
+        kuid_t uid;
+        kgid_t gid;
        if (!options)
                return 0;
@@ -243,12 +245,18 @@ static int hypfs_parse_options(char *options, struct super_block *sb)
                case opt_uid:
                        if (match_int(&args[0], &option))
                                return -EINVAL;
-                        hypfs_info->uid = option;
+                        uid = make_kuid(current_user_ns(), option);
+                        if (!uid_valid(uid))
+                                return -EINVAL;
+                        hypfs_info->uid = uid;
                        break;
                case opt_gid:
                        if (match_int(&args[0], &option))
                                return -EINVAL;
-                        hypfs_info->gid = option;
+                        gid = make_kgid(current_user_ns(), option);
+                        if (!gid_valid(gid))
+                                return -EINVAL;
+                        hypfs_info->gid = gid;
                        break;
                case opt_err:
                default:
@@ -263,8 +271,8 @@ static int hypfs_show_options(struct seq_file *s, struct dentry *root)
 {
        struct hypfs_sb_info *hypfs_info = root->d_sb->s_fs_info;
-        seq_printf(s, ",uid=%u", hypfs_info->uid);
+        seq_printf(s, ",uid=%u", from_kuid_munged(&init_user_ns, hypfs_info->uid));
-        seq_printf(s, ",gid=%u", hypfs_info->gid);
+        seq_printf(s, ",gid=%u", from_kgid_munged(&init_user_ns, hypfs_info->gid));
        return 0;
 }
diff --git a/arch/s390/kernel/compat_linux.c b/arch/s390/kernel/compat_linux.c
index f606d935f495..189963c90c6e 100644
--- a/arch/s390/kernel/compat_linux.c
+++ b/arch/s390/kernel/compat_linux.c
@@ -131,13 +131,19 @@ asmlinkage long sys32_setresuid16(u16 ruid, u16 euid, u16 suid)
                low2highuid(suid));
 }
-asmlinkage long sys32_getresuid16(u16 __user *ruid, u16 __user *euid, u16 __user *suid)
+asmlinkage long sys32_getresuid16(u16 __user *ruidp, u16 __user *euidp, u16 __user *suidp)
 {
+        const struct cred *cred = current_cred();
        int retval;
+        u16 ruid, euid, suid;
-        if (!(retval = put_user(high2lowuid(current->cred->uid), ruid)) &&
+        ruid = high2lowuid(from_kuid_munged(cred->user_ns, cred->uid));
-            !(retval = put_user(high2lowuid(current->cred->euid), euid)))
+        euid = high2lowuid(from_kuid_munged(cred->user_ns, cred->euid));
-                retval = put_user(high2lowuid(current->cred->suid), suid);
+        suid = high2lowuid(from_kuid_munged(cred->user_ns, cred->suid));
+        if (!(retval   = put_user(ruid, ruidp)) &&
+            !(retval   = put_user(euid, euidp)))
+                retval = put_user(suid, suidp);
        return retval;
 }
@@ -148,13 +154,19 @@ asmlinkage long sys32_setresgid16(u16 rgid, u16 egid, u16 sgid)
                low2highgid(sgid));
 }
-asmlinkage long sys32_getresgid16(u16 __user *rgid, u16 __user *egid, u16 __user *sgid)
+asmlinkage long sys32_getresgid16(u16 __user *rgidp, u16 __user *egidp, u16 __user *sgidp)
 {
+        const struct cred *cred = current_cred();
        int retval;
+        u16 rgid, egid, sgid;
+        rgid = high2lowgid(from_kgid_munged(cred->user_ns, cred->gid));
+        egid = high2lowgid(from_kgid_munged(cred->user_ns, cred->egid));
+        sgid = high2lowgid(from_kgid_munged(cred->user_ns, cred->sgid));
-        if (!(retval = put_user(high2lowgid(current->cred->gid), rgid)) &&
+        if (!(retval   = put_user(rgid, rgidp)) &&
-            !(retval = put_user(high2lowgid(current->cred->egid), egid)))
+            !(retval   = put_user(egid, egidp)))
-                retval = put_user(high2lowgid(current->cred->sgid), sgid);
+                retval = put_user(sgid, sgidp);
        return retval;
 }
@@ -258,22 +270,22 @@ asmlinkage long sys32_setgroups16(int gidsetsize, u16 __user *grouplist)
 asmlinkage long sys32_getuid16(void)
 {
-        return high2lowuid(current->cred->uid);
+        return high2lowuid(from_kuid_munged(current_user_ns(), current_uid()));
 }
 asmlinkage long sys32_geteuid16(void)
 {
-        return high2lowuid(current->cred->euid);
+        return high2lowuid(from_kuid_munged(current_user_ns(), current_euid()));
 }
 asmlinkage long sys32_getgid16(void)
 {
-        return high2lowgid(current->cred->gid);
+        return high2lowgid(from_kgid_munged(current_user_ns(), current_gid()));
 }
 asmlinkage long sys32_getegid16(void)
 {
-        return high2lowgid(current->cred->egid);
+        return high2lowgid(from_kgid_munged(current_user_ns(), current_egid()));
 }
 /*
diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
index deb4a456cf83..147d1a4dd269 100644
--- a/drivers/base/devtmpfs.c
+++ b/drivers/base/devtmpfs.c
@@ -309,8 +309,8 @@ static int handle_remove(const char *nodename, struct device *dev)
                         * before unlinking this node, reset permissions
                         * of possible references like hardlinks
                         */
-                        newattrs.ia_uid = 0;
+                        newattrs.ia_uid = GLOBAL_ROOT_UID;
-                        newattrs.ia_gid = 0;
+                        newattrs.ia_gid = GLOBAL_ROOT_GID;
                        newattrs.ia_mode = stat.mode & ~0777;
                        newattrs.ia_valid =
                                ATTR_UID|ATTR_GID|ATTR_MODE;
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 3bba65510d23..e9d594fd12cb 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1038,10 +1038,10 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
 {
        int err;
        struct loop_func_table *xfer;
-        uid_t uid = current_uid();
+        kuid_t uid = current_uid();
        if (lo->lo_encrypt_key_size &&
-            lo->lo_key_owner != uid &&
+            !uid_eq(lo->lo_key_owner, uid) &&
            !capable(CAP_SYS_ADMIN))
                return -EPERM;
        if (lo->lo_state != Lo_bound)
diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
index 3e92b7d3fcd2..fce2000eec31 100644
--- a/drivers/connector/cn_proc.c
+++ b/drivers/connector/cn_proc.c
@@ -30,6 +30,7 @@
 #include <linux/gfp.h>
 #include <linux/ptrace.h>
 #include <linux/atomic.h>
+#include <linux/pid_namespace.h>
 #include <asm/unaligned.h>
@@ -127,11 +128,11 @@ void proc_id_connector(struct task_struct *task, int which_id)
        rcu_read_lock();
        cred = __task_cred(task);
        if (which_id == PROC_EVENT_UID) {
-                ev->event_data.id.r.ruid = cred->uid;
+                ev->event_data.id.r.ruid = from_kuid_munged(&init_user_ns, cred->uid);
-                ev->event_data.id.e.euid = cred->euid;
+                ev->event_data.id.e.euid = from_kuid_munged(&init_user_ns, cred->euid);
        } else if (which_id == PROC_EVENT_GID) {
-                ev->event_data.id.r.rgid = cred->gid;
+                ev->event_data.id.r.rgid = from_kgid_munged(&init_user_ns, cred->gid);
-                ev->event_data.id.e.egid = cred->egid;
+                ev->event_data.id.e.egid = from_kgid_munged(&init_user_ns, cred->egid);
        } else {
                rcu_read_unlock();
                return;
@@ -303,6 +304,15 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
        if (msg->len != sizeof(*mc_op))
                return;
+        /* 
+         * Events are reported with respect to the initial pid
+         * and user namespaces so ignore requestors from
+         * other namespaces.
+         */
+        if ((current_user_ns() != &init_user_ns) ||
+            (task_active_pid_ns(current) != &init_pid_ns))
+                return;
        mc_op = (enum proc_cn_mcast_op *)msg->data;
        switch (*mc_op) {
        case PROC_CN_MCAST_LISTEN:
diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
index 5062eec673f1..433d2fad1fe6 100644
--- a/drivers/gpu/drm/drm_fops.c
+++ b/drivers/gpu/drm/drm_fops.c
@@ -251,7 +251,7 @@ static int drm_open_helper(struct inode *inode, struct file *filp,
        filp->private_data = priv;
        priv->filp = filp;
        priv->uid = current_euid();
-        priv->pid = task_pid_nr(current);
+        priv->pid = get_pid(task_pid(current));
        priv->minor = idr_find(&drm_minors_idr, minor_id);
        priv->ioctl_count = 0;
        /* for compatibility root is always authenticated */
@@ -524,6 +524,7 @@ int drm_release(struct inode *inode, struct file *filp)
        if (drm_core_check_feature(dev, DRIVER_PRIME))
                drm_prime_destroy_file_private(&file_priv->prime);
+        put_pid(file_priv->pid);
        kfree(file_priv);
        /* ========================================================
diff --git a/drivers/gpu/drm/drm_info.c b/drivers/gpu/drm/drm_info.c
index 8928edbb94c7..eb0af393e6e2 100644
--- a/drivers/gpu/drm/drm_info.c
+++ b/drivers/gpu/drm/drm_info.c
@@ -191,8 +191,9 @@ int drm_clients_info(struct seq_file *m, void *data)
                seq_printf(m, "%c %3d %5d %5d %10u %10lu\n",
                           priv->authenticated ? 'y' : 'n',
                           priv->minor->index,
-                           priv->pid,
+                           pid_vnr(priv->pid),
-                           priv->uid, priv->magic, priv->ioctl_count);
+                           from_kuid_munged(seq_user_ns(m), priv->uid),
+                           priv->magic, priv->ioctl_count);
        }
        mutex_unlock(&dev->struct_mutex);
        return 0;
diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
index 64a62c697313..39a43834cef9 100644
--- a/drivers/gpu/drm/drm_ioctl.c
+++ b/drivers/gpu/drm/drm_ioctl.c
@@ -215,8 +215,8 @@ int drm_getclient(struct drm_device *dev, void *data,
        list_for_each_entry(pt, &dev->filelist, lhead) {
                if (i++ >= idx) {
                        client->auth = pt->authenticated;
-                        client->pid = pt->pid;
+                        client->pid = pid_vnr(pt->pid);
-                        client->uid = pt->uid;
+                        client->uid = from_kuid_munged(current_user_ns(), pt->uid);
                        client->magic = pt->magic;
                        client->iocs = pt->ioctl_count;
                        mutex_unlock(&dev->struct_mutex);
diff --git a/drivers/infiniband/hw/qib/qib_fs.c b/drivers/infiniband/hw/qib/qib_fs.c
index cff8a6c32161..65a2a23f6f8a 100644
--- a/drivers/infiniband/hw/qib/qib_fs.c
+++ b/drivers/infiniband/hw/qib/qib_fs.c
@@ -61,8 +61,8 @@ static int qibfs_mknod(struct inode *dir, struct dentry *dentry,
        inode->i_ino = get_next_ino();
        inode->i_mode = mode;
-        inode->i_uid = 0;
+        inode->i_uid = GLOBAL_ROOT_UID;
-        inode->i_gid = 0;
+        inode->i_gid = GLOBAL_ROOT_GID;
        inode->i_blocks = 0;
        inode->i_atime = CURRENT_TIME;
        inode->i_mtime = inode->i_atime;
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 9336b829cc81..0873cdcf39be 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -121,8 +121,8 @@ struct tun_sock;
 struct tun_struct {
        struct tun_file         *tfile;
        unsigned int            flags;
-        uid_t                   owner;
+        kuid_t                  owner;
-        gid_t                   group;
+        kgid_t                  group;
        struct net_device       *dev;
        netdev_features_t       set_features;
@@ -1032,8 +1032,8 @@ static void tun_setup(struct net_device *dev)
 {
        struct tun_struct *tun = netdev_priv(dev);
-        tun->owner = -1;
+        tun->owner = INVALID_UID;
-        tun->group = -1;
+        tun->group = INVALID_GID;
        dev->ethtool_ops = &tun_ethtool_ops;
        dev->destructor = tun_free_netdev;
@@ -1156,14 +1156,20 @@ static ssize_t tun_show_owner(struct device *dev, struct device_attribute *attr,
                              char *buf)
 {
        struct tun_struct *tun = netdev_priv(to_net_dev(dev));
-        return sprintf(buf, "%d\n", tun->owner);
+        return uid_valid(tun->owner)?
+                sprintf(buf, "%u\n",
+                        from_kuid_munged(current_user_ns(), tun->owner)):
+                sprintf(buf, "-1\n");
 }
 static ssize_t tun_show_group(struct device *dev, struct device_attribute *attr,
                              char *buf)
 {
        struct tun_struct *tun = netdev_priv(to_net_dev(dev));
-        return sprintf(buf, "%d\n", tun->group);
+        return gid_valid(tun->group) ?
+                sprintf(buf, "%u\n",
+                        from_kgid_munged(current_user_ns(), tun->group)):
+                sprintf(buf, "-1\n");
 }
 static DEVICE_ATTR(tun_flags, 0444, tun_show_flags, NULL);
@@ -1190,8 +1196,8 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
                else
                        return -EINVAL;
-                if (((tun->owner != -1 && cred->euid != tun->owner) ||
+                if (((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) ||
-                     (tun->group != -1 && !in_egroup_p(tun->group))) &&
+                     (gid_valid(tun->group) && !in_egroup_p(tun->group))) &&
                    !capable(CAP_NET_ADMIN))
                        return -EPERM;
                err = security_tun_dev_attach(tun->socket.sk);
@@ -1375,6 +1381,8 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
        void __user* argp = (void __user*)arg;
        struct sock_fprog fprog;
        struct ifreq ifr;
+        kuid_t owner;
+        kgid_t group;
        int sndbuf;
        int vnet_hdr_sz;
        int ret;
@@ -1448,16 +1456,26 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
        case TUNSETOWNER:
                /* Set owner of the device */
-                tun->owner = (uid_t) arg;
+                owner = make_kuid(current_user_ns(), arg);
+                if (!uid_valid(owner)) {
-                tun_debug(KERN_INFO, tun, "owner set to %d\n", tun->owner);
+                        ret = -EINVAL;
+                        break;
+                }
+                tun->owner = owner;
+                tun_debug(KERN_INFO, tun, "owner set to %d\n",
+                          from_kuid(&init_user_ns, tun->owner));
                break;
        case TUNSETGROUP:
                /* Set group of the device */
-                tun->group= (gid_t) arg;
+                group = make_kgid(current_user_ns(), arg);
+                if (!gid_valid(group)) {
-                tun_debug(KERN_INFO, tun, "group set to %d\n", tun->group);
+                        ret = -EINVAL;
+                        break;
+                }
+                tun->group = group;
+                tun_debug(KERN_INFO, tun, "group set to %d\n",
+                          from_kgid(&init_user_ns, tun->group));
                break;
        case TUNSETLINK:
diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c
index f9f15bb3f03a..c586f78c307f 100644
--- a/drivers/net/wireless/airo.c
+++ b/drivers/net/wireless/airo.c
@@ -232,8 +232,10 @@ static int adhoc;
 static int probe = 1;
+static kuid_t proc_kuid;
 static int proc_uid /* = 0 */;
+static kgid_t proc_kgid;
 static int proc_gid /* = 0 */;
 static int airo_perm = 0555;
@@ -4499,78 +4501,79 @@ struct proc_data {
 static int setup_proc_entry( struct net_device *dev,
                             struct airo_info *apriv ) {
        struct proc_dir_entry *entry;
        /* First setup the device directory */
        strcpy(apriv->proc_name,dev->name);
        apriv->proc_entry = proc_mkdir_mode(apriv->proc_name, airo_perm,
                                            airo_entry);
        if (!apriv->proc_entry)
                goto fail;
-        apriv->proc_entry->uid = proc_uid;
+        apriv->proc_entry->uid = proc_kuid;
-        apriv->proc_entry->gid = proc_gid;
+        apriv->proc_entry->gid = proc_kgid;
        /* Setup the StatsDelta */
        entry = proc_create_data("StatsDelta", S_IRUGO & proc_perm,
                                 apriv->proc_entry, &proc_statsdelta_ops, dev);
        if (!entry)
                goto fail_stats_delta;
-        entry->uid = proc_uid;
+        entry->uid = proc_kuid;
-        entry->gid = proc_gid;
+        entry->gid = proc_kgid;
        /* Setup the Stats */
        entry = proc_create_data("Stats", S_IRUGO & proc_perm,
                                 apriv->proc_entry, &proc_stats_ops, dev);
        if (!entry)
                goto fail_stats;
-        entry->uid = proc_uid;
+        entry->uid = proc_kuid;
-        entry->gid = proc_gid;
+        entry->gid = proc_kgid;
        /* Setup the Status */
        entry = proc_create_data("Status", S_IRUGO & proc_perm,
                                 apriv->proc_entry, &proc_status_ops, dev);
        if (!entry)
                goto fail_status;
-        entry->uid = proc_uid;
+        entry->uid = proc_kuid;
-        entry->gid = proc_gid;
+        entry->gid = proc_kgid;
        /* Setup the Config */
        entry = proc_create_data("Config", proc_perm,
                                 apriv->proc_entry, &proc_config_ops, dev);
        if (!entry)
                goto fail_config;
-        entry->uid = proc_uid;
+        entry->uid = proc_kuid;
-        entry->gid = proc_gid;
+        entry->gid = proc_kgid;
        /* Setup the SSID */
        entry = proc_create_data("SSID", proc_perm,
                                 apriv->proc_entry, &proc_SSID_ops, dev);
        if (!entry)
                goto fail_ssid;
-        entry->uid = proc_uid;
+        entry->uid = proc_kuid;
-        entry->gid = proc_gid;
+        entry->gid = proc_kgid;
        /* Setup the APList */
        entry = proc_create_data("APList", proc_perm,
                                 apriv->proc_entry, &proc_APList_ops, dev);
        if (!entry)
                goto fail_aplist;
-        entry->uid = proc_uid;
+        entry->uid = proc_kuid;
-        entry->gid = proc_gid;
+        entry->gid = proc_kgid;
        /* Setup the BSSList */
        entry = proc_create_data("BSSList", proc_perm,
                                 apriv->proc_entry, &proc_BSSList_ops, dev);
        if (!entry)
                goto fail_bsslist;
-        entry->uid = proc_uid;
+        entry->uid = proc_kuid;
-        entry->gid = proc_gid;
+        entry->gid = proc_kgid;
        /* Setup the WepKey */
        entry = proc_create_data("WepKey", proc_perm,
                                 apriv->proc_entry, &proc_wepkey_ops, dev);
        if (!entry)
                goto fail_wepkey;
-        entry->uid = proc_uid;
+        entry->uid = proc_kuid;
-        entry->gid = proc_gid;
+        entry->gid = proc_kgid;
        return 0;
@@ -5697,11 +5700,16 @@ static int __init airo_init_module( void )
 {
        int i;
+        proc_kuid = make_kuid(&init_user_ns, proc_uid);
+        proc_kgid = make_kgid(&init_user_ns, proc_gid);
+        if (!uid_valid(proc_kuid) || !gid_valid(proc_kgid))
+                return -EINVAL;
        airo_entry = proc_mkdir_mode("driver/aironet", airo_perm, NULL);
        if (airo_entry) {
-                airo_entry->uid = proc_uid;
+                airo_entry->uid = proc_kuid;
-                airo_entry->gid = proc_gid;
+                airo_entry->gid = proc_kgid;
        }
        for (i = 0; i < 4 && io[i] && irq[i]; i++) {
diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c
index a807129c7b5a..b1937ca13575 100644
--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -47,7 +47,7 @@ static HLIST_HEAD(binder_dead_nodes);
 static struct dentry *binder_debugfs_dir_entry_root;
 static struct dentry *binder_debugfs_dir_entry_proc;
 static struct binder_node *binder_context_mgr_node;
-static uid_t binder_context_mgr_uid = -1;
+static kuid_t binder_context_mgr_uid = INVALID_UID;
 static int binder_last_id;
 static struct workqueue_struct *binder_deferred_workqueue;
@@ -356,7 +356,7 @@ struct binder_transaction {
        unsigned int    flags;
        long    priority;
        long    saved_priority;
-        uid_t   sender_euid;
+        kuid_t  sender_euid;
 };
 static void
@@ -2427,7 +2427,7 @@ retry:
                }
                tr.code = t->code;
                tr.flags = t->flags;
-                tr.sender_euid = t->sender_euid;
+                tr.sender_euid = from_kuid(current_user_ns(), t->sender_euid);
                if (t->from) {
                        struct task_struct *sender = t->from->proc->tsk;
@@ -2705,12 +2705,12 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
                        ret = -EBUSY;
                        goto err;
                }
-                if (binder_context_mgr_uid != -1) {
+                if (uid_valid(binder_context_mgr_uid)) {
-                        if (binder_context_mgr_uid != current->cred->euid) {
+                        if (!uid_eq(binder_context_mgr_uid, current->cred->euid)) {
                                pr_err("binder: BINDER_SET_"
                                       "CONTEXT_MGR bad uid %d != %d\n",
-                                       current->cred->euid,
+                                       from_kuid(&init_user_ns, current->cred->euid),
-                                       binder_context_mgr_uid);
+                                       from_kuid(&init_user_ns, binder_context_mgr_uid));
                                ret = -EPERM;
                                goto err;
                        }
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 7c5866920622..b0b39b823ccf 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -61,7 +61,7 @@ static void tty_audit_buf_put(struct tty_audit_buf *buf)
 }
 static void tty_audit_log(const char *description, struct task_struct *tsk,
-                          uid_t loginuid, unsigned sessionid, int major,
+                          kuid_t loginuid, unsigned sessionid, int major,
                          int minor, unsigned char *data, size_t size)
 {
        struct audit_buffer *ab;
@@ -69,11 +69,14 @@ static void tty_audit_log(const char *description, struct task_struct *tsk,
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_TTY);
        if (ab) {
                char name[sizeof(tsk->comm)];
-                uid_t uid = task_uid(tsk);
+                kuid_t uid = task_uid(tsk);
                audit_log_format(ab, "%s pid=%u uid=%u auid=%u ses=%u "
                                 "major=%d minor=%d comm=", description,
-                                 tsk->pid, uid, loginuid, sessionid,
+                                 tsk->pid,
+                                 from_kuid(&init_user_ns, uid),
+                                 from_kuid(&init_user_ns, loginuid),
+                                 sessionid,
                                 major, minor);
                get_task_comm(name, tsk);
                audit_log_untrustedstring(ab, name);
@@ -89,7 +92,7 @@ static void tty_audit_log(const char *description, struct task_struct *tsk,
 *      Generate an audit message from the contents of @buf, which is owned by
 *      @tsk with @loginuid.  @buf->mutex must be locked.
 */
-static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
+static void tty_audit_buf_push(struct task_struct *tsk, kuid_t loginuid,
                               unsigned int sessionid,
                               struct tty_audit_buf *buf)
 {
@@ -112,7 +115,7 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
 */
 static void tty_audit_buf_push_current(struct tty_audit_buf *buf)
 {
-        uid_t auid = audit_get_loginuid(current);
+        kuid_t auid = audit_get_loginuid(current);
        unsigned int sessionid = audit_get_sessionid(current);
        tty_audit_buf_push(current, auid, sessionid, buf);
 }
@@ -179,7 +182,7 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
        }
        if (should_audit && audit_enabled) {
-                uid_t auid;
+                kuid_t auid;
                unsigned int sessionid;
                auid = audit_get_loginuid(current);
@@ -199,7 +202,7 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
 * reference to the tty audit buffer if available.
 * Flush the buffer or return an appropriate error code.
 */
-int tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid)
+int tty_audit_push_task(struct task_struct *tsk, kuid_t loginuid, u32 sessionid)
 {
        struct tty_audit_buf *buf = ERR_PTR(-EPERM);
        unsigned long flags;
diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c
index 829aba75a6df..a26c43a151fd 100644
--- a/drivers/usb/gadget/f_fs.c
+++ b/drivers/usb/gadget/f_fs.c
@@ -224,8 +224,8 @@ struct ffs_data {
        /* File permissions, written once when fs is mounted */
        struct ffs_file_perms {
                umode_t                         mode;
-                uid_t                           uid;
+                kuid_t                          uid;
-                gid_t                           gid;
+                kgid_t                          gid;
        }                               file_perms;
        /*
@@ -1147,10 +1147,19 @@ static int ffs_fs_parse_opts(struct ffs_sb_fill_data *data, char *opts)
                        break;
                case 3:
-                        if (!memcmp(opts, "uid", 3))
+                        if (!memcmp(opts, "uid", 3)) {
-                                data->perms.uid = value;
+                                data->perms.uid = make_kuid(current_user_ns(), value);
+                                if (!uid_valid(data->perms.uid)) {
+                                        pr_err("%s: unmapped value: %lu\n", opts, value);
+                                        return -EINVAL;
+                                }
+                        }
                        else if (!memcmp(opts, "gid", 3))
-                                data->perms.gid = value;
+                                data->perms.gid = make_kgid(current_user_ns(), value);
+                                if (!gid_valid(data->perms.gid)) {
+                                        pr_err("%s: unmapped value: %lu\n", opts, value);
+                                        return -EINVAL;
+                                }
                        else
                                goto invalid;
                        break;
@@ -1179,8 +1188,8 @@ ffs_fs_mount(struct file_system_type *t, int flags,
        struct ffs_sb_fill_data data = {
                .perms = {
                        .mode = S_IFREG | 0600,
-                        .uid = 0,
+                        .uid = GLOBAL_ROOT_UID,
-                        .gid = 0
+                        .gid = GLOBAL_ROOT_GID,
                },
                .root_mode = S_IFDIR | 0500,
        };
diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c
index 4bb6d53f2de3..76494cabf4e4 100644
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1985,8 +1985,8 @@ gadgetfs_make_inode (struct super_block *sb,
        if (inode) {
                inode->i_ino = get_next_ino();
                inode->i_mode = mode;
-                inode->i_uid = default_uid;
+                inode->i_uid = make_kuid(&init_user_ns, default_uid);
-                inode->i_gid = default_gid;
+                inode->i_gid = make_kgid(&init_user_ns, default_gid);
                inode->i_atime = inode->i_mtime = inode->i_ctime
                                = CURRENT_TIME;
                inode->i_private = data;
diff --git a/drivers/xen/xenfs/super.c b/drivers/xen/xenfs/super.c
index a84b53c01436..459b9ac45cf5 100644
--- a/drivers/xen/xenfs/super.c
+++ b/drivers/xen/xenfs/super.c
@@ -30,7 +30,8 @@ static struct inode *xenfs_make_inode(struct super_block *sb, int mode)
        if (ret) {
                ret->i_mode = mode;
-                ret->i_uid = ret->i_gid = 0;
+                ret->i_uid = GLOBAL_ROOT_UID;
+                ret->i_gid = GLOBAL_ROOT_GID;
                ret->i_blocks = 0;
                ret->i_atime = ret->i_mtime = ret->i_ctime = CURRENT_TIME;
        }
diff --git a/fs/9p/acl.c b/fs/9p/acl.c
index 9a1d42630751..15b679166201 100644
--- a/fs/9p/acl.c
+++ b/fs/9p/acl.c
@@ -37,7 +37,7 @@ static struct posix_acl *__v9fs_get_acl(struct p9_fid *fid, char *name)
                        return ERR_PTR(-ENOMEM);
                size = v9fs_fid_xattr_get(fid, name, value, size);
                if (size > 0) {
-                        acl = posix_acl_from_xattr(value, size);
+                        acl = posix_acl_from_xattr(&init_user_ns, value, size);
                        if (IS_ERR(acl))
                                goto err_out;
                }
@@ -131,7 +131,7 @@ static int v9fs_set_acl(struct dentry *dentry, int type, struct posix_acl *acl)
        buffer = kmalloc(size, GFP_KERNEL);
        if (!buffer)
                return -ENOMEM;
-        retval = posix_acl_to_xattr(acl, buffer, size);
+        retval = posix_acl_to_xattr(&init_user_ns, acl, buffer, size);
        if (retval < 0)
                goto err_free_out;
        switch (type) {
@@ -251,7 +251,7 @@ static int v9fs_xattr_get_acl(struct dentry *dentry, const char *name,
                return PTR_ERR(acl);
        if (acl == NULL)
                return -ENODATA;
-        error = posix_acl_to_xattr(acl, buffer, size);
+        error = posix_acl_to_xattr(&init_user_ns, acl, buffer, size);
        posix_acl_release(acl);
        return error;
@@ -304,7 +304,7 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name,
                return -EPERM;
        if (value) {
                /* update the cached acl value */
-                acl = posix_acl_from_xattr(value, size);
+                acl = posix_acl_from_xattr(&init_user_ns, value, size);
                if (IS_ERR(acl))
                        return PTR_ERR(acl);
                else if (acl) {
diff --git a/fs/adfs/adfs.h b/fs/adfs/adfs.h
index 718ac1f440c6..585adafb0cc2 100644
--- a/fs/adfs/adfs.h
+++ b/fs/adfs/adfs.h
@@ -46,8 +46,8 @@ struct adfs_sb_info {
        struct adfs_discmap *s_map;     /* bh list containing map                */
        struct adfs_dir_ops *s_dir;     /* directory operations                  */
-        uid_t           s_uid;          /* owner uid                             */
+        kuid_t          s_uid;          /* owner uid                             */
-        gid_t           s_gid;          /* owner gid                             */
+        kgid_t          s_gid;          /* owner gid                             */
        umode_t         s_owner_mask;   /* ADFS owner perm -> unix perm          */
        umode_t         s_other_mask;   /* ADFS other perm -> unix perm          */
        int             s_ftsuffix;     /* ,xyz hex filetype suffix option */
diff --git a/fs/adfs/inode.c b/fs/adfs/inode.c
index 1dab6a174d6a..e9bad5093a3f 100644
--- a/fs/adfs/inode.c
+++ b/fs/adfs/inode.c
@@ -304,8 +304,8 @@ adfs_notify_change(struct dentry *dentry, struct iattr *attr)
         * we can't change the UID or GID of any file -
         * we have a global UID/GID in the superblock
         */
-        if ((ia_valid & ATTR_UID && attr->ia_uid != ADFS_SB(sb)->s_uid) ||
+        if ((ia_valid & ATTR_UID && !uid_eq(attr->ia_uid, ADFS_SB(sb)->s_uid)) ||
-            (ia_valid & ATTR_GID && attr->ia_gid != ADFS_SB(sb)->s_gid))
+            (ia_valid & ATTR_GID && !gid_eq(attr->ia_gid, ADFS_SB(sb)->s_gid)))
                error = -EPERM;
        if (error)
diff --git a/fs/adfs/super.c b/fs/adfs/super.c
index bdaec92353c2..22a0d7ed5fa1 100644
--- a/fs/adfs/super.c
+++ b/fs/adfs/super.c
@@ -15,6 +15,7 @@
 #include <linux/seq_file.h>
 #include <linux/slab.h>
 #include <linux/statfs.h>
+#include <linux/user_namespace.h>
 #include "adfs.h"
 #include "dir_f.h"
 #include "dir_fplus.h"
@@ -130,10 +131,10 @@ static int adfs_show_options(struct seq_file *seq, struct dentry *root)
 {
        struct adfs_sb_info *asb = ADFS_SB(root->d_sb);
-        if (asb->s_uid != 0)
+        if (!uid_eq(asb->s_uid, GLOBAL_ROOT_UID))
-                seq_printf(seq, ",uid=%u", asb->s_uid);
+                seq_printf(seq, ",uid=%u", from_kuid_munged(&init_user_ns, asb->s_uid));
-        if (asb->s_gid != 0)
+        if (!gid_eq(asb->s_gid, GLOBAL_ROOT_GID))
-                seq_printf(seq, ",gid=%u", asb->s_gid);
+                seq_printf(seq, ",gid=%u", from_kgid_munged(&init_user_ns, asb->s_gid));
        if (asb->s_owner_mask != ADFS_DEFAULT_OWNER_MASK)
                seq_printf(seq, ",ownmask=%o", asb->s_owner_mask);
        if (asb->s_other_mask != ADFS_DEFAULT_OTHER_MASK)
@@ -175,12 +176,16 @@ static int parse_options(struct super_block *sb, char *options)
                case Opt_uid:
                        if (match_int(args, &option))
                                return -EINVAL;
-                        asb->s_uid = option;
+                        asb->s_uid = make_kuid(current_user_ns(), option);
+                        if (!uid_valid(asb->s_uid))
+                                return -EINVAL;
                        break;
                case Opt_gid:
                        if (match_int(args, &option))
                                return -EINVAL;
-                        asb->s_gid = option;
+                        asb->s_gid = make_kgid(current_user_ns(), option);
+                        if (!gid_valid(asb->s_gid))
+                                return -EINVAL;
                        break;
                case Opt_ownmask:
                        if (match_octal(args, &option))
@@ -369,8 +374,8 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
        sb->s_fs_info = asb;
        /* set default options */
-        asb->s_uid = 0;
+        asb->s_uid = GLOBAL_ROOT_UID;
-        asb->s_gid = 0;
+        asb->s_gid = GLOBAL_ROOT_GID;
        asb->s_owner_mask = ADFS_DEFAULT_OWNER_MASK;
        asb->s_other_mask = ADFS_DEFAULT_OTHER_MASK;
        asb->s_ftsuffix = 0;
diff --git a/fs/affs/affs.h b/fs/affs/affs.h
index 6e216419f340..3952121f2f28 100644
--- a/fs/affs/affs.h
+++ b/fs/affs/affs.h
@@ -88,8 +88,8 @@ struct affs_sb_info {
        u32 s_root_block;               /* FFS root block number. */
        int s_hashsize;                 /* Size of hash table. */
        unsigned long s_flags;          /* See below. */
-        uid_t s_uid;                    /* uid to override */
+        kuid_t s_uid;                   /* uid to override */
-        gid_t s_gid;                    /* gid to override */
+        kgid_t s_gid;                   /* gid to override */
        umode_t s_mode;                 /* mode to override */
        struct buffer_head *s_root_bh;  /* Cached root block. */
        struct mutex s_bmlock;          /* Protects bitmap access. */
diff --git a/fs/affs/inode.c b/fs/affs/inode.c
index 8bc4a59f4e7e..15c484268229 100644
--- a/fs/affs/inode.c
+++ b/fs/affs/inode.c
@@ -80,17 +80,17 @@ struct inode *affs_iget(struct super_block *sb, unsigned long ino)
        if (id == 0 || sbi->s_flags & SF_SETUID)
                inode->i_uid = sbi->s_uid;
        else if (id == 0xFFFF && sbi->s_flags & SF_MUFS)
-                inode->i_uid = 0;
+                i_uid_write(inode, 0);
        else
-                inode->i_uid = id;
+                i_uid_write(inode, id);
        id = be16_to_cpu(tail->gid);
        if (id == 0 || sbi->s_flags & SF_SETGID)
                inode->i_gid = sbi->s_gid;
        else if (id == 0xFFFF && sbi->s_flags & SF_MUFS)
-                inode->i_gid = 0;
+                i_gid_write(inode, 0);
        else
-                inode->i_gid = id;
+                i_gid_write(inode, id);
        switch (be32_to_cpu(tail->stype)) {
        case ST_ROOT:
@@ -193,13 +193,13 @@ affs_write_inode(struct inode *inode, struct writeback_control *wbc)
                tail->size = cpu_to_be32(inode->i_size);
                secs_to_datestamp(inode->i_mtime.tv_sec,&tail->change);
                if (!(inode->i_ino == AFFS_SB(sb)->s_root_block)) {
-                        uid = inode->i_uid;
+                        uid = i_uid_read(inode);
-                        gid = inode->i_gid;
+                        gid = i_gid_read(inode);
                        if (AFFS_SB(sb)->s_flags & SF_MUFS) {
-                                if (inode->i_uid == 0 || inode->i_uid == 0xFFFF)
+                                if (uid == 0 || uid == 0xFFFF)
-                                        uid = inode->i_uid ^ ~0;
+                                        uid = uid ^ ~0;
-                                if (inode->i_gid == 0 || inode->i_gid == 0xFFFF)
+                                if (gid == 0 || gid == 0xFFFF)
-                                        gid = inode->i_gid ^ ~0;
+                                        gid = gid ^ ~0;
                        }
                        if (!(AFFS_SB(sb)->s_flags & SF_SETUID))
                                tail->uid = cpu_to_be16(uid);
diff --git a/fs/affs/super.c b/fs/affs/super.c
index 022cecb0757d..1f030825cd3a 100644
--- a/fs/affs/super.c
+++ b/fs/affs/super.c
@@ -188,7 +188,7 @@ static const match_table_t tokens = {
 };
 static int
-parse_options(char *options, uid_t *uid, gid_t *gid, int *mode, int *reserved, s32 *root,
+parse_options(char *options, kuid_t *uid, kgid_t *gid, int *mode, int *reserved, s32 *root,
                int *blocksize, char **prefix, char *volume, unsigned long *mount_opts)
 {
        char *p;
@@ -253,13 +253,17 @@ parse_options(char *options, uid_t *uid, gid_t *gid, int *mode, int *reserved, s
                case Opt_setgid:
                        if (match_int(&args[0], &option))
                                return 0;
-                        *gid = option;
+                        *gid = make_kgid(current_user_ns(), option);
+                        if (!gid_valid(*gid))
+                                return 0;
                        *mount_opts |= SF_SETGID;
                        break;
                case Opt_setuid:
                        if (match_int(&args[0], &option))
                                return 0;
-                        *uid = option;
+                        *uid = make_kuid(current_user_ns(), option);
+                        if (!uid_valid(*uid))
+                                return 0;
                        *mount_opts |= SF_SETUID;
                        break;
                case Opt_verbose:
@@ -301,8 +305,8 @@ static int affs_fill_super(struct super_block *sb, void *data, int silent)
        int                      num_bm;
        int                      i, j;
        s32                      key;
-        uid_t                    uid;
+        kuid_t                   uid;
-        gid_t                    gid;
+        kgid_t                   gid;
        int                      reserved;
        unsigned long            mount_flags;
        int                      tmp_flags;     /* fix remount prototype... */
@@ -527,8 +531,8 @@ affs_remount(struct super_block *sb, int *flags, char *data)
 {
        struct affs_sb_info     *sbi = AFFS_SB(sb);
        int                      blocksize;
-        uid_t                    uid;
+        kuid_t                   uid;
-        gid_t                    gid;
+        kgid_t                   gid;
        int                      mode;
        int                      reserved;
        int                      root_block;
diff --git a/fs/befs/befs.h b/fs/befs/befs.h
index d9a40abda6b7..b26642839156 100644
--- a/fs/befs/befs.h
+++ b/fs/befs/befs.h
@@ -20,8 +20,8 @@ typedef u64 befs_blocknr_t;
 */
 typedef struct befs_mount_options {
-        gid_t gid;
+        kgid_t gid;
-        uid_t uid;
+        kuid_t uid;
        int use_gid;
        int use_uid;
        int debug;
diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
index cf7f3c67c8b7..7f73a692bfd0 100644
--- a/fs/befs/linuxvfs.c
+++ b/fs/befs/linuxvfs.c
@@ -15,6 +15,7 @@
 #include <linux/vfs.h>
 #include <linux/parser.h>
 #include <linux/namei.h>
+#include <linux/sched.h>
 #include "befs.h"
 #include "btree.h"
@@ -352,9 +353,11 @@ static struct inode *befs_iget(struct super_block *sb, unsigned long ino)
         */   
        inode->i_uid = befs_sb->mount_opts.use_uid ?
-            befs_sb->mount_opts.uid : (uid_t) fs32_to_cpu(sb, raw_inode->uid);
+                befs_sb->mount_opts.uid :
+                make_kuid(&init_user_ns, fs32_to_cpu(sb, raw_inode->uid));
        inode->i_gid = befs_sb->mount_opts.use_gid ?
-            befs_sb->mount_opts.gid : (gid_t) fs32_to_cpu(sb, raw_inode->gid);
+                befs_sb->mount_opts.gid :
+                make_kgid(&init_user_ns, fs32_to_cpu(sb, raw_inode->gid));
        set_nlink(inode, 1);
@@ -674,10 +677,12 @@ parse_options(char *options, befs_mount_options * opts)
        char *p;
        substring_t args[MAX_OPT_ARGS];
        int option;
+        kuid_t uid;
+        kgid_t gid;
        /* Initialize options */
-        opts->uid = 0;
+        opts->uid = GLOBAL_ROOT_UID;
-        opts->gid = 0;
+        opts->gid = GLOBAL_ROOT_GID;
        opts->use_uid = 0;
        opts->use_gid = 0;
        opts->iocharset = NULL;
@@ -696,23 +701,29 @@ parse_options(char *options, befs_mount_options * opts)
                case Opt_uid:
                        if (match_int(&args[0], &option))
                                return 0;
-                        if (option < 0) {
+                        uid = INVALID_UID;
+                        if (option >= 0)
+                                uid = make_kuid(current_user_ns(), option);
+                        if (!uid_valid(uid)) {
                                printk(KERN_ERR "BeFS: Invalid uid %d, "
                                                "using default\n", option);
                                break;
                        }
-                        opts->uid = option;
+                        opts->uid = uid;
                        opts->use_uid = 1;
                        break;
                case Opt_gid:
                        if (match_int(&args[0], &option))
                                return 0;
-                        if (option < 0) {
+                        gid = INVALID_GID;
+                        if (option >= 0)
+                                gid = make_kgid(current_user_ns(), option);
+                        if (!gid_valid(gid)) {
                                printk(KERN_ERR "BeFS: Invalid gid %d, "
                                                "using default\n", option);
                                break;
                        }
-                        opts->gid = option;
+                        opts->gid = gid;
                        opts->use_gid = 1;
                        break;
                case Opt_charset:
diff --git a/fs/bfs/inode.c b/fs/bfs/inode.c
index 9870417c26e7..b242beba58ed 100644
--- a/fs/bfs/inode.c
+++ b/fs/bfs/inode.c
@@ -76,8 +76,8 @@ struct inode *bfs_iget(struct super_block *sb, unsigned long ino)
        BFS_I(inode)->i_sblock =  le32_to_cpu(di->i_sblock);
        BFS_I(inode)->i_eblock =  le32_to_cpu(di->i_eblock);
        BFS_I(inode)->i_dsk_ino = le16_to_cpu(di->i_ino);
-        inode->i_uid =  le32_to_cpu(di->i_uid);
+        i_uid_write(inode, le32_to_cpu(di->i_uid));
-        inode->i_gid =  le32_to_cpu(di->i_gid);
+        i_gid_write(inode,  le32_to_cpu(di->i_gid));
        set_nlink(inode, le32_to_cpu(di->i_nlink));
        inode->i_size = BFS_FILESIZE(di);
        inode->i_blocks = BFS_FILEBLOCKS(di);
@@ -139,8 +139,8 @@ static int bfs_write_inode(struct inode *inode, struct writeback_control *wbc)
        di->i_ino = cpu_to_le16(ino);
        di->i_mode = cpu_to_le32(inode->i_mode);
-        di->i_uid = cpu_to_le32(inode->i_uid);
+        di->i_uid = cpu_to_le32(i_uid_read(inode));
-        di->i_gid = cpu_to_le32(inode->i_gid);
+        di->i_gid = cpu_to_le32(i_gid_read(inode));
        di->i_nlink = cpu_to_le32(inode->i_nlink);
        di->i_atime = cpu_to_le32(inode->i_atime.tv_sec);
        di->i_mtime = cpu_to_le32(inode->i_mtime.tv_sec);
diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
index 761e2cd8fed1..0c16e3dbfd56 100644
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -61,7 +61,7 @@ struct posix_acl *btrfs_get_acl(struct inode *inode, int type)
                size = __btrfs_getxattr(inode, name, value, size);
        }
        if (size > 0) {
-                acl = posix_acl_from_xattr(value, size);
+                acl = posix_acl_from_xattr(&init_user_ns, value, size);
        } else if (size == -ENOENT || size == -ENODATA || size == 0) {
                /* FIXME, who returns -ENOENT?  I think nobody */
                acl = NULL;
@@ -91,7 +91,7 @@ static int btrfs_xattr_acl_get(struct dentry *dentry, const char *name,
                return PTR_ERR(acl);
        if (acl == NULL)
                return -ENODATA;
-        ret = posix_acl_to_xattr(acl, value, size);
+        ret = posix_acl_to_xattr(&init_user_ns, acl, value, size);
        posix_acl_release(acl);
        return ret;
@@ -141,7 +141,7 @@ static int btrfs_set_acl(struct btrfs_trans_handle *trans,
                        goto out;
                }
-                ret = posix_acl_to_xattr(acl, value, size);
+                ret = posix_acl_to_xattr(&init_user_ns, acl, value, size);
                if (ret < 0)
                        goto out;
        }
@@ -169,7 +169,7 @@ static int btrfs_xattr_acl_set(struct dentry *dentry, const char *name,
                return -EOPNOTSUPP;
        if (value) {
-                acl = posix_acl_from_xattr(value, size);
+                acl = posix_acl_from_xattr(&init_user_ns, value, size);
                if (IS_ERR(acl))
                        return PTR_ERR(acl);
diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
index 07d5eeb1e6f1..52c85e2b95d0 100644
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -1715,8 +1715,8 @@ static void fill_stack_inode_item(struct btrfs_trans_handle *trans,
                                  struct btrfs_inode_item *inode_item,
                                  struct inode *inode)
 {
-        btrfs_set_stack_inode_uid(inode_item, inode->i_uid);
+        btrfs_set_stack_inode_uid(inode_item, i_uid_read(inode));
-        btrfs_set_stack_inode_gid(inode_item, inode->i_gid);
+        btrfs_set_stack_inode_gid(inode_item, i_gid_read(inode));
        btrfs_set_stack_inode_size(inode_item, BTRFS_I(inode)->disk_i_size);
        btrfs_set_stack_inode_mode(inode_item, inode->i_mode);
        btrfs_set_stack_inode_nlink(inode_item, inode->i_nlink);
@@ -1764,8 +1764,8 @@ int btrfs_fill_inode(struct inode *inode, u32 *rdev)
        inode_item = &delayed_node->inode_item;
-        inode->i_uid = btrfs_stack_inode_uid(inode_item);
+        i_uid_write(inode, btrfs_stack_inode_uid(inode_item));
-        inode->i_gid = btrfs_stack_inode_gid(inode_item);
+        i_gid_write(inode, btrfs_stack_inode_gid(inode_item));
        btrfs_i_size_write(inode, btrfs_stack_inode_size(inode_item));
        inode->i_mode = btrfs_stack_inode_mode(inode_item);
        set_nlink(inode, btrfs_stack_inode_nlink(inode_item));
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 316b07a866d2..2a028a58619c 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -2572,8 +2572,8 @@ static void btrfs_read_locked_inode(struct inode *inode)
                                    struct btrfs_inode_item);
        inode->i_mode = btrfs_inode_mode(leaf, inode_item);
        set_nlink(inode, btrfs_inode_nlink(leaf, inode_item));
-        inode->i_uid = btrfs_inode_uid(leaf, inode_item);
+        i_uid_write(inode, btrfs_inode_uid(leaf, inode_item));
-        inode->i_gid = btrfs_inode_gid(leaf, inode_item);
+        i_gid_write(inode, btrfs_inode_gid(leaf, inode_item));
        btrfs_i_size_write(inode, btrfs_inode_size(leaf, inode_item));
        tspec = btrfs_inode_atime(inode_item);
@@ -2651,8 +2651,8 @@ static void fill_inode_item(struct btrfs_trans_handle *trans,
                            struct btrfs_inode_item *item,
                            struct inode *inode)
 {
-        btrfs_set_inode_uid(leaf, item, inode->i_uid);
+        btrfs_set_inode_uid(leaf, item, i_uid_read(inode));
-        btrfs_set_inode_gid(leaf, item, inode->i_gid);
+        btrfs_set_inode_gid(leaf, item, i_gid_read(inode));
        btrfs_set_inode_size(leaf, item, BTRFS_I(inode)->disk_i_size);
        btrfs_set_inode_mode(leaf, item, inode->i_mode);
        btrfs_set_inode_nlink(leaf, item, inode->i_nlink);
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 9df50fa8a078..27bfce58da3b 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -575,13 +575,13 @@ fail:
 */
 static inline int btrfs_check_sticky(struct inode *dir, struct inode *inode)
 {
-        uid_t fsuid = current_fsuid();
+        kuid_t fsuid = current_fsuid();
        if (!(dir->i_mode & S_ISVTX))
                return 0;
-        if (inode->i_uid == fsuid)
+        if (uid_eq(inode->i_uid, fsuid))
                return 0;
-        if (dir->i_uid == fsuid)
+        if (uid_eq(dir->i_uid, fsuid))
                return 0;
        return !capable(CAP_FOWNER);
 }
diff --git a/fs/configfs/inode.c b/fs/configfs/inode.c
index 0074362d9f7f..a9d35b0e06cf 100644
--- a/fs/configfs/inode.c
+++ b/fs/configfs/inode.c
@@ -79,8 +79,8 @@ int configfs_setattr(struct dentry * dentry, struct iattr * iattr)
                        return -ENOMEM;
                /* assign default attributes */
                sd_iattr->ia_mode = sd->s_mode;
-                sd_iattr->ia_uid = 0;
+                sd_iattr->ia_uid = GLOBAL_ROOT_UID;
-                sd_iattr->ia_gid = 0;
+                sd_iattr->ia_gid = GLOBAL_ROOT_GID;
                sd_iattr->ia_atime = sd_iattr->ia_mtime = sd_iattr->ia_ctime = CURRENT_TIME;
                sd->s_iattr = sd_iattr;
        }
diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
index 28cca01ca9c9..c6c3f91ecf06 100644
--- a/fs/cramfs/inode.c
+++ b/fs/cramfs/inode.c
@@ -90,8 +90,8 @@ static struct inode *get_cramfs_inode(struct super_block *sb,
        }
        inode->i_mode = cramfs_inode->mode;
-        inode->i_uid = cramfs_inode->uid;
+        i_uid_write(inode, cramfs_inode->uid);
-        inode->i_gid = cramfs_inode->gid;
+        i_gid_write(inode, cramfs_inode->gid);
        /* if the lower 2 bits are zero, the inode contains data */
        if (!(inode->i_ino & 3)) {
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index 6393fd61d5c4..b607d92cdf24 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -128,8 +128,8 @@ static inline int debugfs_positive(struct dentry *dentry)
 }
 struct debugfs_mount_opts {
-        uid_t uid;
+        kuid_t uid;
-        gid_t gid;
+        kgid_t gid;
        umode_t mode;
 };
@@ -156,6 +156,8 @@ static int debugfs_parse_options(char *data, struct debugfs_mount_opts *opts)
        substring_t args[MAX_OPT_ARGS];
        int option;
        int token;
+        kuid_t uid;
+        kgid_t gid;
        char *p;
        opts->mode = DEBUGFS_DEFAULT_MODE;
@@ -169,12 +171,18 @@ static int debugfs_parse_options(char *data, struct debugfs_mount_opts *opts)
                case Opt_uid:
                        if (match_int(&args[0], &option))
                                return -EINVAL;
-                        opts->uid = option;
+                        uid = make_kuid(current_user_ns(), option);
+                        if (!uid_valid(uid))
+                                return -EINVAL;
+                        opts->uid = uid;
                        break;
                case Opt_gid:
                        if (match_octal(&args[0], &option))
                                return -EINVAL;
-                        opts->gid = option;
+                        gid = make_kgid(current_user_ns(), option);
+                        if (!gid_valid(gid))
+                                return -EINVAL;
+                        opts->gid = gid;
                        break;
                case Opt_mode:
                        if (match_octal(&args[0], &option))
@@ -226,10 +234,12 @@ static int debugfs_show_options(struct seq_file *m, struct dentry *root)
        struct debugfs_fs_info *fsi = root->d_sb->s_fs_info;
        struct debugfs_mount_opts *opts = &fsi->mount_opts;
-        if (opts->uid != 0)
+        if (!uid_eq(opts->uid, GLOBAL_ROOT_UID))
-                seq_printf(m, ",uid=%u", opts->uid);
+                seq_printf(m, ",uid=%u",
-        if (opts->gid != 0)
+                           from_kuid_munged(&init_user_ns, opts->uid));
-                seq_printf(m, ",gid=%u", opts->gid);
+        if (!gid_eq(opts->gid, GLOBAL_ROOT_GID))
+                seq_printf(m, ",gid=%u",
+                           from_kgid_munged(&init_user_ns, opts->gid));
        if (opts->mode != DEBUGFS_DEFAULT_MODE)
                seq_printf(m, ",mode=%o", opts->mode);
diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
index 9b627c15010a..24bb043e50d9 100644
--- a/fs/ecryptfs/main.c
+++ b/fs/ecryptfs/main.c
@@ -545,11 +545,12 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
                goto out_free;
        }
-        if (check_ruid && path.dentry->d_inode->i_uid != current_uid()) {
+        if (check_ruid && !uid_eq(path.dentry->d_inode->i_uid, current_uid())) {
                rc = -EPERM;
                printk(KERN_ERR "Mount of device (uid: %d) not owned by "
                       "requested user (uid: %d)\n",
-                       path.dentry->d_inode->i_uid, current_uid());
+                        i_uid_read(path.dentry->d_inode),
+                        from_kuid(&init_user_ns, current_uid()));
                goto out_free;
        }
diff --git a/fs/ecryptfs/messaging.c b/fs/ecryptfs/messaging.c
index b29bb8bfa8d9..5fa2471796c2 100644
--- a/fs/ecryptfs/messaging.c
+++ b/fs/ecryptfs/messaging.c
@@ -33,7 +33,7 @@ static struct hlist_head *ecryptfs_daemon_hash;
 struct mutex ecryptfs_daemon_hash_mux;
 static int ecryptfs_hash_bits;
 #define ecryptfs_current_euid_hash(uid) \
-                hash_long((unsigned long)current_euid(), ecryptfs_hash_bits)
+        hash_long((unsigned long)from_kuid(&init_user_ns, current_euid()), ecryptfs_hash_bits)
 static u32 ecryptfs_msg_counter;
 static struct ecryptfs_msg_ctx *ecryptfs_msg_ctx_arr;
@@ -121,8 +121,7 @@ int ecryptfs_find_daemon_by_euid(struct ecryptfs_daemon **daemon)
        hlist_for_each_entry(*daemon, elem,
                            &ecryptfs_daemon_hash[ecryptfs_current_euid_hash()],
                            euid_chain) {
-                if ((*daemon)->file->f_cred->euid == current_euid() &&
+                if (uid_eq((*daemon)->file->f_cred->euid, current_euid())) {
-                    (*daemon)->file->f_cred->user_ns == current_user_ns()) {
                        rc = 0;
                        goto out;
                }
diff --git a/fs/efs/inode.c b/fs/efs/inode.c
index bc84f365d75c..f3913eb2c474 100644
--- a/fs/efs/inode.c
+++ b/fs/efs/inode.c
@@ -97,8 +97,8 @@ struct inode *efs_iget(struct super_block *super, unsigned long ino)
    
        inode->i_mode  = be16_to_cpu(efs_inode->di_mode);
        set_nlink(inode, be16_to_cpu(efs_inode->di_nlink));
-        inode->i_uid   = (uid_t)be16_to_cpu(efs_inode->di_uid);
+        i_uid_write(inode, (uid_t)be16_to_cpu(efs_inode->di_uid));
-        inode->i_gid   = (gid_t)be16_to_cpu(efs_inode->di_gid);
+        i_gid_write(inode, (gid_t)be16_to_cpu(efs_inode->di_gid));
        inode->i_size  = be32_to_cpu(efs_inode->di_size);
        inode->i_atime.tv_sec = be32_to_cpu(efs_inode->di_atime);
        inode->i_mtime.tv_sec = be32_to_cpu(efs_inode->di_mtime);
diff --git a/fs/exofs/inode.c b/fs/exofs/inode.c
index 1562c27a2fab..b56181047751 100644
--- a/fs/exofs/inode.c
+++ b/fs/exofs/inode.c
@@ -1172,8 +1172,8 @@ struct inode *exofs_iget(struct super_block *sb, unsigned long ino)
        /* copy stuff from on-disk struct to in-memory struct */
        inode->i_mode = le16_to_cpu(fcb.i_mode);
-        inode->i_uid = le32_to_cpu(fcb.i_uid);
+        i_uid_write(inode, le32_to_cpu(fcb.i_uid));
-        inode->i_gid = le32_to_cpu(fcb.i_gid);
+        i_gid_write(inode, le32_to_cpu(fcb.i_gid));
        set_nlink(inode, le16_to_cpu(fcb.i_links_count));
        inode->i_ctime.tv_sec = (signed)le32_to_cpu(fcb.i_ctime);
        inode->i_atime.tv_sec = (signed)le32_to_cpu(fcb.i_atime);
@@ -1385,8 +1385,8 @@ static int exofs_update_inode(struct inode *inode, int do_sync)
        fcb = &args->fcb;
        fcb->i_mode = cpu_to_le16(inode->i_mode);
-        fcb->i_uid = cpu_to_le32(inode->i_uid);
+        fcb->i_uid = cpu_to_le32(i_uid_read(inode));
-        fcb->i_gid = cpu_to_le32(inode->i_gid);
+        fcb->i_gid = cpu_to_le32(i_gid_read(inode));
        fcb->i_links_count = cpu_to_le16(inode->i_nlink);
        fcb->i_ctime = cpu_to_le32(inode->i_ctime.tv_sec);
        fcb->i_atime = cpu_to_le32(inode->i_atime.tv_sec);
diff --git a/fs/ext2/acl.c b/fs/ext2/acl.c
index 35d6a3cfd9ff..110b6b371a4e 100644
--- a/fs/ext2/acl.c
+++ b/fs/ext2/acl.c
@@ -53,16 +53,23 @@ ext2_acl_from_disk(const void *value, size_t size)
                        case ACL_OTHER:
                                value = (char *)value +
                                        sizeof(ext2_acl_entry_short);
-                                acl->a_entries[n].e_id = ACL_UNDEFINED_ID;
                                break;
                        case ACL_USER:
+                                value = (char *)value + sizeof(ext2_acl_entry);
+                                if ((char *)value > end)
+                                        goto fail;
+                                acl->a_entries[n].e_uid =
+                                        make_kuid(&init_user_ns,
+                                                  le32_to_cpu(entry->e_id));
+                                break;
                        case ACL_GROUP:
                                value = (char *)value + sizeof(ext2_acl_entry);
                                if ((char *)value > end)
                                        goto fail;
-                                acl->a_entries[n].e_id =
+                                acl->a_entries[n].e_gid =
-                                        le32_to_cpu(entry->e_id);
+                                        make_kgid(&init_user_ns,
+                                                  le32_to_cpu(entry->e_id));
                                break;
                        default:
@@ -96,14 +103,19 @@ ext2_acl_to_disk(const struct posix_acl *acl, size_t *size)
        ext_acl->a_version = cpu_to_le32(EXT2_ACL_VERSION);
        e = (char *)ext_acl + sizeof(ext2_acl_header);
        for (n=0; n < acl->a_count; n++) {
+                const struct posix_acl_entry *acl_e = &acl->a_entries[n];
                ext2_acl_entry *entry = (ext2_acl_entry *)e;
-                entry->e_tag  = cpu_to_le16(acl->a_entries[n].e_tag);
+                entry->e_tag  = cpu_to_le16(acl_e->e_tag);
-                entry->e_perm = cpu_to_le16(acl->a_entries[n].e_perm);
+                entry->e_perm = cpu_to_le16(acl_e->e_perm);
-                switch(acl->a_entries[n].e_tag) {
+                switch(acl_e->e_tag) {
                        case ACL_USER:
+                                entry->e_id = cpu_to_le32(
+                                        from_kuid(&init_user_ns, acl_e->e_uid));
+                                e += sizeof(ext2_acl_entry);
+                                break;
                        case ACL_GROUP:
-                                entry->e_id =
+                                entry->e_id = cpu_to_le32(
-                                        cpu_to_le32(acl->a_entries[n].e_id);
+                                        from_kgid(&init_user_ns, acl_e->e_gid));
                                e += sizeof(ext2_acl_entry);
                                break;
@@ -350,7 +362,7 @@ ext2_xattr_get_acl(struct dentry *dentry, const char *name, void *buffer,
                return PTR_ERR(acl);
        if (acl == NULL)
                return -ENODATA;
-        error = posix_acl_to_xattr(acl, buffer, size);
+        error = posix_acl_to_xattr(&init_user_ns, acl, buffer, size);
        posix_acl_release(acl);
        return error;
@@ -371,7 +383,7 @@ ext2_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
                return -EPERM;
        if (value) {
-                acl = posix_acl_from_xattr(value, size);
+                acl = posix_acl_from_xattr(&init_user_ns, value, size);
                if (IS_ERR(acl))
                        return PTR_ERR(acl);
                else if (acl) {
diff --git a/fs/ext3/acl.c b/fs/ext3/acl.c
index c76832c8d192..dbb5ad59a7fc 100644
--- a/fs/ext3/acl.c
+++ b/fs/ext3/acl.c
@@ -48,16 +48,23 @@ ext3_acl_from_disk(const void *value, size_t size)
                        case ACL_OTHER:
                                value = (char *)value +
                                        sizeof(ext3_acl_entry_short);
-                                acl->a_entries[n].e_id = ACL_UNDEFINED_ID;
                                break;
                        case ACL_USER:
+                                value = (char *)value + sizeof(ext3_acl_entry);
+                                if ((char *)value > end)
+                                        goto fail;
+                                acl->a_entries[n].e_uid =
+                                        make_kuid(&init_user_ns,
+                                                  le32_to_cpu(entry->e_id));
+                                break;
                        case ACL_GROUP:
                                value = (char *)value + sizeof(ext3_acl_entry);
                                if ((char *)value > end)
                                        goto fail;
-                                acl->a_entries[n].e_id =
+                                acl->a_entries[n].e_gid =
-                                        le32_to_cpu(entry->e_id);
+                                        make_kgid(&init_user_ns,
+                                                  le32_to_cpu(entry->e_id));
                                break;
                        default:
@@ -91,14 +98,19 @@ ext3_acl_to_disk(const struct posix_acl *acl, size_t *size)
        ext_acl->a_version = cpu_to_le32(EXT3_ACL_VERSION);
        e = (char *)ext_acl + sizeof(ext3_acl_header);
        for (n=0; n < acl->a_count; n++) {
+                const struct posix_acl_entry *acl_e = &acl->a_entries[n];
                ext3_acl_entry *entry = (ext3_acl_entry *)e;
-                entry->e_tag  = cpu_to_le16(acl->a_entries[n].e_tag);
+                entry->e_tag  = cpu_to_le16(acl_e->e_tag);
-                entry->e_perm = cpu_to_le16(acl->a_entries[n].e_perm);
+                entry->e_perm = cpu_to_le16(acl_e->e_perm);
-                switch(acl->a_entries[n].e_tag) {
+                switch(acl_e->e_tag) {
                        case ACL_USER:
+                                entry->e_id = cpu_to_le32(
+                                        from_kuid(&init_user_ns, acl_e->e_uid));
+                                e += sizeof(ext3_acl_entry);
+                                break;
                        case ACL_GROUP:
-                                entry->e_id =
+                                entry->e_id = cpu_to_le32(
-                                        cpu_to_le32(acl->a_entries[n].e_id);
+                                        from_kgid(&init_user_ns, acl_e->e_gid));
                                e += sizeof(ext3_acl_entry);
                                break;
@@ -369,7 +381,7 @@ ext3_xattr_get_acl(struct dentry *dentry, const char *name, void *buffer,
                return PTR_ERR(acl);
        if (acl == NULL)
                return -ENODATA;
-        error = posix_acl_to_xattr(acl, buffer, size);
+        error = posix_acl_to_xattr(&init_user_ns, acl, buffer, size);
        posix_acl_release(acl);
        return error;
@@ -392,7 +404,7 @@ ext3_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
                return -EPERM;
        if (value) {
-                acl = posix_acl_from_xattr(value, size);
+                acl = posix_acl_from_xattr(&init_user_ns, value, size);
                if (IS_ERR(acl))
                        return PTR_ERR(acl);
                else if (acl) {
diff --git a/fs/ext3/super.c b/fs/ext3/super.c
index 8c892e93d8e7..09b8455bd7eb 100644
--- a/fs/ext3/super.c
+++ b/fs/ext3/super.c
@@ -2803,7 +2803,7 @@ static int ext3_statfs (struct dentry * dentry, struct kstatfs * buf)
 static inline struct inode *dquot_to_inode(struct dquot *dquot)
 {
-        return sb_dqopt(dquot->dq_sb)->files[dquot->dq_type];
+        return sb_dqopt(dquot->dq_sb)->files[dquot->dq_id.type];
 }
 static int ext3_write_dquot(struct dquot *dquot)
diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
index a5c29bb3b835..d3c5b88fd89f 100644
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -55,16 +55,23 @@ ext4_acl_from_disk(const void *value, size_t size)
                case ACL_OTHER:
                        value = (char *)value +
                                sizeof(ext4_acl_entry_short);
-                        acl->a_entries[n].e_id = ACL_UNDEFINED_ID;
                        break;
                case ACL_USER:
+                        value = (char *)value + sizeof(ext4_acl_entry);
+                        if ((char *)value > end)
+                                goto fail;
+                        acl->a_entries[n].e_uid =
+                                make_kuid(&init_user_ns,
+                                          le32_to_cpu(entry->e_id));
+                        break;
                case ACL_GROUP:
                        value = (char *)value + sizeof(ext4_acl_entry);
                        if ((char *)value > end)
                                goto fail;
-                        acl->a_entries[n].e_id =
+                        acl->a_entries[n].e_gid =
-                                le32_to_cpu(entry->e_id);
+                                make_kgid(&init_user_ns,
+                                          le32_to_cpu(entry->e_id));
                        break;
                default:
@@ -98,13 +105,19 @@ ext4_acl_to_disk(const struct posix_acl *acl, size_t *size)
        ext_acl->a_version = cpu_to_le32(EXT4_ACL_VERSION);
        e = (char *)ext_acl + sizeof(ext4_acl_header);
        for (n = 0; n < acl->a_count; n++) {
+                const struct posix_acl_entry *acl_e = &acl->a_entries[n];
                ext4_acl_entry *entry = (ext4_acl_entry *)e;
-                entry->e_tag  = cpu_to_le16(acl->a_entries[n].e_tag);
+                entry->e_tag  = cpu_to_le16(acl_e->e_tag);
-                entry->e_perm = cpu_to_le16(acl->a_entries[n].e_perm);
+                entry->e_perm = cpu_to_le16(acl_e->e_perm);
-                switch (acl->a_entries[n].e_tag) {
+                switch (acl_e->e_tag) {
                case ACL_USER:
+                        entry->e_id = cpu_to_le32(
+                                from_kuid(&init_user_ns, acl_e->e_uid));
+                        e += sizeof(ext4_acl_entry);
+                        break;
                case ACL_GROUP:
-                        entry->e_id = cpu_to_le32(acl->a_entries[n].e_id);
+                        entry->e_id = cpu_to_le32(
+                                from_kgid(&init_user_ns, acl_e->e_gid));
                        e += sizeof(ext4_acl_entry);
                        break;
@@ -374,7 +387,7 @@ ext4_xattr_get_acl(struct dentry *dentry, const char *name, void *buffer,
                return PTR_ERR(acl);
        if (acl == NULL)
                return -ENODATA;
-        error = posix_acl_to_xattr(acl, buffer, size);
+        error = posix_acl_to_xattr(&init_user_ns, acl, buffer, size);
        posix_acl_release(acl);
        return error;
@@ -397,7 +410,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
                return -EPERM;
        if (value) {
-                acl = posix_acl_from_xattr(value, size);
+                acl = posix_acl_from_xattr(&init_user_ns, value, size);
                if (IS_ERR(acl))
                        return PTR_ERR(acl);
                else if (acl) {
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index c6e0cb3d1f4a..1f15cc836fbd 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -4791,7 +4791,7 @@ static int ext4_statfs(struct dentry *dentry, struct kstatfs *buf)
 static inline struct inode *dquot_to_inode(struct dquot *dquot)
 {
-        return sb_dqopt(dquot->dq_sb)->files[dquot->dq_type];
+        return sb_dqopt(dquot->dq_sb)->files[dquot->dq_id.type];
 }
 static int ext4_write_dquot(struct dquot *dquot)
diff --git a/fs/fat/fat.h b/fs/fat/fat.h
index 2deeeb86f331..7d8e0dcac5d5 100644
--- a/fs/fat/fat.h
+++ b/fs/fat/fat.h
@@ -23,8 +23,8 @@
 #define FAT_ERRORS_RO           3      /* remount r/o on error */
 struct fat_mount_options {
-        uid_t fs_uid;
+        kuid_t fs_uid;
-        gid_t fs_gid;
+        kgid_t fs_gid;
        unsigned short fs_fmask;
        unsigned short fs_dmask;
        unsigned short codepage;  /* Codepage for shortname conversions */
diff --git a/fs/fat/file.c b/fs/fat/file.c
index e007b8bd8e5e..a62e0ecbe2db 100644
--- a/fs/fat/file.c
+++ b/fs/fat/file.c
@@ -352,7 +352,7 @@ static int fat_allow_set_time(struct msdos_sb_info *sbi, struct inode *inode)
 {
        umode_t allow_utime = sbi->options.allow_utime;
-        if (current_fsuid() != inode->i_uid) {
+        if (!uid_eq(current_fsuid(), inode->i_uid)) {
                if (in_group_p(inode->i_gid))
                        allow_utime >>= 3;
                if (allow_utime & MAY_WRITE)
@@ -407,9 +407,9 @@ int fat_setattr(struct dentry *dentry, struct iattr *attr)
        }
        if (((attr->ia_valid & ATTR_UID) &&
-             (attr->ia_uid != sbi->options.fs_uid)) ||
+             (!uid_eq(attr->ia_uid, sbi->options.fs_uid))) ||
            ((attr->ia_valid & ATTR_GID) &&
-             (attr->ia_gid != sbi->options.fs_gid)) ||
+             (!gid_eq(attr->ia_gid, sbi->options.fs_gid))) ||
            ((attr->ia_valid & ATTR_MODE) &&
             (attr->ia_mode & ~FAT_VALID_MODE)))
                error = -EPERM;
diff --git a/fs/fat/inode.c b/fs/fat/inode.c
index 05e897fe9866..47d9eb0be886 100644
--- a/fs/fat/inode.c
+++ b/fs/fat/inode.c
@@ -791,10 +791,12 @@ static int fat_show_options(struct seq_file *m, struct dentry *root)
        struct fat_mount_options *opts = &sbi->options;
        int isvfat = opts->isvfat;
-        if (opts->fs_uid != 0)
+        if (!uid_eq(opts->fs_uid, GLOBAL_ROOT_UID))
-                seq_printf(m, ",uid=%u", opts->fs_uid);
+                seq_printf(m, ",uid=%u",
-        if (opts->fs_gid != 0)
+                                from_kuid_munged(&init_user_ns, opts->fs_uid));
-                seq_printf(m, ",gid=%u", opts->fs_gid);
+        if (!gid_eq(opts->fs_gid, GLOBAL_ROOT_GID))
+                seq_printf(m, ",gid=%u",
+                                from_kgid_munged(&init_user_ns, opts->fs_gid));
        seq_printf(m, ",fmask=%04o", opts->fs_fmask);
        seq_printf(m, ",dmask=%04o", opts->fs_dmask);
        if (opts->allow_utime)
@@ -1037,12 +1039,16 @@ static int parse_options(struct super_block *sb, char *options, int is_vfat,
                case Opt_uid:
                        if (match_int(&args[0], &option))
                                return 0;
-                        opts->fs_uid = option;
+                        opts->fs_uid = make_kuid(current_user_ns(), option);
+                        if (!uid_valid(opts->fs_uid))
+                                return 0;
                        break;
                case Opt_gid:
                        if (match_int(&args[0], &option))
                                return 0;
-                        opts->fs_gid = option;
+                        opts->fs_gid = make_kgid(current_user_ns(), option);
+                        if (!gid_valid(opts->fs_gid))
+                                return 0;
                        break;
                case Opt_umask:
                        if (match_octal(&args[0], &option))
diff --git a/fs/freevxfs/vxfs_inode.c b/fs/freevxfs/vxfs_inode.c
index ef67c95f12d4..f47df72cef17 100644
--- a/fs/freevxfs/vxfs_inode.c
+++ b/fs/freevxfs/vxfs_inode.c
@@ -224,8 +224,8 @@ vxfs_iinit(struct inode *ip, struct vxfs_inode_info *vip)
 {
        ip->i_mode = vxfs_transmod(vip);
-        ip->i_uid = (uid_t)vip->vii_uid;
+        i_uid_write(ip, (uid_t)vip->vii_uid);
-        ip->i_gid = (gid_t)vip->vii_gid;
+        i_gid_write(ip, (gid_t)vip->vii_gid);
        set_nlink(ip, vip->vii_nlink);
        ip->i_size = vip->vii_size;
diff --git a/fs/generic_acl.c b/fs/generic_acl.c
index d0dddaceac59..b3f3676796d3 100644
--- a/fs/generic_acl.c
+++ b/fs/generic_acl.c
@@ -56,7 +56,7 @@ generic_acl_get(struct dentry *dentry, const char *name, void *buffer,
        acl = get_cached_acl(dentry->d_inode, type);
        if (!acl)
                return -ENODATA;
-        error = posix_acl_to_xattr(acl, buffer, size);
+        error = posix_acl_to_xattr(&init_user_ns, acl, buffer, size);
        posix_acl_release(acl);
        return error;
@@ -77,7 +77,7 @@ generic_acl_set(struct dentry *dentry, const char *name, const void *value,
        if (!inode_owner_or_capable(inode))
                return -EPERM;
        if (value) {
-                acl = posix_acl_from_xattr(value, size);
+                acl = posix_acl_from_xattr(&init_user_ns, value, size);
                if (IS_ERR(acl))
                        return PTR_ERR(acl);
        }
diff --git a/fs/gfs2/acl.c b/fs/gfs2/acl.c
index bd4a5892c93c..f850020ad906 100644
--- a/fs/gfs2/acl.c
+++ b/fs/gfs2/acl.c
@@ -63,7 +63,7 @@ struct posix_acl *gfs2_get_acl(struct inode *inode, int type)
        if (len == 0)
                return NULL;
-        acl = posix_acl_from_xattr(data, len);
+        acl = posix_acl_from_xattr(&init_user_ns, data, len);
        kfree(data);
        return acl;
 }
@@ -88,13 +88,13 @@ static int gfs2_acl_set(struct inode *inode, int type, struct posix_acl *acl)
        const char *name = gfs2_acl_name(type);
        BUG_ON(name == NULL);
-        len = posix_acl_to_xattr(acl, NULL, 0);
+        len = posix_acl_to_xattr(&init_user_ns, acl, NULL, 0);
        if (len == 0)
                return 0;
        data = kmalloc(len, GFP_NOFS);
        if (data == NULL)
                return -ENOMEM;
-        error = posix_acl_to_xattr(acl, data, len);
+        error = posix_acl_to_xattr(&init_user_ns, acl, data, len);
        if (error < 0)
                goto out;
        error = __gfs2_xattr_set(inode, name, data, len, 0, GFS2_EATYPE_SYS);
@@ -166,12 +166,12 @@ int gfs2_acl_chmod(struct gfs2_inode *ip, struct iattr *attr)
        if (error)
                return error;
-        len = posix_acl_to_xattr(acl, NULL, 0);
+        len = posix_acl_to_xattr(&init_user_ns, acl, NULL, 0);
        data = kmalloc(len, GFP_NOFS);
        error = -ENOMEM;
        if (data == NULL)
                goto out;
-        posix_acl_to_xattr(acl, data, len);
+        posix_acl_to_xattr(&init_user_ns, acl, data, len);
        error = gfs2_xattr_acl_chmod(ip, attr, data);
        kfree(data);
        set_cached_acl(&ip->i_inode, ACL_TYPE_ACCESS, acl);
@@ -212,7 +212,7 @@ static int gfs2_xattr_system_get(struct dentry *dentry, const char *name,
        if (acl == NULL)
                return -ENODATA;
-        error = posix_acl_to_xattr(acl, buffer, size);
+        error = posix_acl_to_xattr(&init_user_ns, acl, buffer, size);
        posix_acl_release(acl);
        return error;
@@ -245,7 +245,7 @@ static int gfs2_xattr_system_set(struct dentry *dentry, const char *name,
        if (!value)
                goto set_acl;
-        acl = posix_acl_from_xattr(value, size);
+        acl = posix_acl_from_xattr(&init_user_ns, value, size);
        if (!acl) {
                /*
                 * acl_set_file(3) may request that we set default ACLs with
diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 4021deca61ef..40c4b0d42fa8 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -1071,8 +1071,10 @@ int gfs2_quota_check(struct gfs2_inode *ip, u32 uid, u32 gid)
                if (be64_to_cpu(qd->qd_qb.qb_limit) && (s64)be64_to_cpu(qd->qd_qb.qb_limit) < value) {
                        print_message(qd, "exceeded");
-                        quota_send_warning(test_bit(QDF_USER, &qd->qd_flags) ?
+                        quota_send_warning(make_kqid(&init_user_ns,
-                                           USRQUOTA : GRPQUOTA, qd->qd_id,
+                                                     test_bit(QDF_USER, &qd->qd_flags) ?
+                                                     USRQUOTA : GRPQUOTA,
+                                                     qd->qd_id),
                                           sdp->sd_vfs->s_dev, QUOTA_NL_BHARDWARN);
                        error = -EDQUOT;
@@ -1082,8 +1084,10 @@ int gfs2_quota_check(struct gfs2_inode *ip, u32 uid, u32 gid)
                           time_after_eq(jiffies, qd->qd_last_warn +
                                         gfs2_tune_get(sdp,
                                                gt_quota_warn_period) * HZ)) {
-                        quota_send_warning(test_bit(QDF_USER, &qd->qd_flags) ?
+                        quota_send_warning(make_kqid(&init_user_ns,
-                                           USRQUOTA : GRPQUOTA, qd->qd_id,
+                                                     test_bit(QDF_USER, &qd->qd_flags) ?
+                                                     USRQUOTA : GRPQUOTA,
+                                                     qd->qd_id),
                                           sdp->sd_vfs->s_dev, QUOTA_NL_BSOFTWARN);
                        error = print_message(qd, "warning");
                        qd->qd_last_warn = jiffies;
@@ -1470,7 +1474,7 @@ static int gfs2_quota_get_xstate(struct super_block *sb,
        return 0;
 }
-static int gfs2_get_dqblk(struct super_block *sb, int type, qid_t id,
+static int gfs2_get_dqblk(struct super_block *sb, struct kqid qid,
                          struct fs_disk_quota *fdq)
 {
        struct gfs2_sbd *sdp = sb->s_fs_info;
@@ -1478,20 +1482,21 @@ static int gfs2_get_dqblk(struct super_block *sb, int type, qid_t id,
        struct gfs2_quota_data *qd;
        struct gfs2_holder q_gh;
        int error;
+        int type;
        memset(fdq, 0, sizeof(struct fs_disk_quota));
        if (sdp->sd_args.ar_quota == GFS2_QUOTA_OFF)
                return -ESRCH; /* Crazy XFS error code */
-        if (type == USRQUOTA)
+        if (qid.type == USRQUOTA)
                type = QUOTA_USER;
-        else if (type == GRPQUOTA)
+        else if (qid.type == GRPQUOTA)
                type = QUOTA_GROUP;
        else
                return -EINVAL;
-        error = qd_get(sdp, type, id, &qd);
+        error = qd_get(sdp, type, from_kqid(&init_user_ns, qid), &qd);
        if (error)
                return error;
        error = do_glock(qd, FORCE, &q_gh);
@@ -1501,7 +1506,7 @@ static int gfs2_get_dqblk(struct super_block *sb, int type, qid_t id,
        qlvb = (struct gfs2_quota_lvb *)qd->qd_gl->gl_lvb;
        fdq->d_version = FS_DQUOT_VERSION;
        fdq->d_flags = (type == QUOTA_USER) ? FS_USER_QUOTA : FS_GROUP_QUOTA;
-        fdq->d_id = id;
+        fdq->d_id = from_kqid(&init_user_ns, qid);
        fdq->d_blk_hardlimit = be64_to_cpu(qlvb->qb_limit) << sdp->sd_fsb2bb_shift;
        fdq->d_blk_softlimit = be64_to_cpu(qlvb->qb_warn) << sdp->sd_fsb2bb_shift;
        fdq->d_bcount = be64_to_cpu(qlvb->qb_value) << sdp->sd_fsb2bb_shift;
@@ -1515,7 +1520,7 @@ out:
 /* GFS2 only supports a subset of the XFS fields */
 #define GFS2_FIELDMASK (FS_DQ_BSOFT|FS_DQ_BHARD|FS_DQ_BCOUNT)
-static int gfs2_set_dqblk(struct super_block *sb, int type, qid_t id,
+static int gfs2_set_dqblk(struct super_block *sb, struct kqid qid,
                          struct fs_disk_quota *fdq)
 {
        struct gfs2_sbd *sdp = sb->s_fs_info;
@@ -1527,11 +1532,12 @@ static int gfs2_set_dqblk(struct super_block *sb, int type, qid_t id,
        int alloc_required;
        loff_t offset;
        int error;
+        int type;
        if (sdp->sd_args.ar_quota == GFS2_QUOTA_OFF)
                return -ESRCH; /* Crazy XFS error code */
-        switch(type) {
+        switch(qid.type) {
        case USRQUOTA:
                type = QUOTA_USER;
                if (fdq->d_flags != FS_USER_QUOTA)
@@ -1548,10 +1554,10 @@ static int gfs2_set_dqblk(struct super_block *sb, int type, qid_t id,
        if (fdq->d_fieldmask & ~GFS2_FIELDMASK)
                return -EINVAL;
-        if (fdq->d_id != id)
+        if (fdq->d_id != from_kqid(&init_user_ns, qid))
                return -EINVAL;
-        error = qd_get(sdp, type, id, &qd);
+        error = qd_get(sdp, type, from_kqid(&init_user_ns, qid), &qd);
        if (error)
                return error;
diff --git a/fs/hfs/hfs_fs.h b/fs/hfs/hfs_fs.h
index 8275175acf6e..693df9fe52b2 100644
--- a/fs/hfs/hfs_fs.h
+++ b/fs/hfs/hfs_fs.h
@@ -134,8 +134,8 @@ struct hfs_sb_info {
                                                   permissions on all files */
        umode_t s_dir_umask;                    /* The umask applied to the
                                                   permissions on all dirs */
-        uid_t s_uid;                            /* The uid of all files */
+        kuid_t s_uid;                           /* The uid of all files */
-        gid_t s_gid;                            /* The gid of all files */
+        kgid_t s_gid;                           /* The gid of all files */
        int session, part;
        struct nls_table *nls_io, *nls_disk;
diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index 553909395270..0b35903219bc 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -594,9 +594,9 @@ int hfs_inode_setattr(struct dentry *dentry, struct iattr * attr)
        /* no uig/gid changes and limit which mode bits can be set */
        if (((attr->ia_valid & ATTR_UID) &&
-             (attr->ia_uid != hsb->s_uid)) ||
+             (!uid_eq(attr->ia_uid, hsb->s_uid))) ||
            ((attr->ia_valid & ATTR_GID) &&
-             (attr->ia_gid != hsb->s_gid)) ||
+             (!gid_eq(attr->ia_gid, hsb->s_gid))) ||
            ((attr->ia_valid & ATTR_MODE) &&
             ((S_ISDIR(inode->i_mode) &&
               (attr->ia_mode != inode->i_mode)) ||
diff --git a/fs/hfs/super.c b/fs/hfs/super.c
index 4eb873e0c07b..0b63d135a092 100644
--- a/fs/hfs/super.c
+++ b/fs/hfs/super.c
@@ -138,7 +138,9 @@ static int hfs_show_options(struct seq_file *seq, struct dentry *root)
                seq_printf(seq, ",creator=%.4s", (char *)&sbi->s_creator);
        if (sbi->s_type != cpu_to_be32(0x3f3f3f3f))
                seq_printf(seq, ",type=%.4s", (char *)&sbi->s_type);
-        seq_printf(seq, ",uid=%u,gid=%u", sbi->s_uid, sbi->s_gid);
+        seq_printf(seq, ",uid=%u,gid=%u",
+                        from_kuid_munged(&init_user_ns, sbi->s_uid),
+                        from_kgid_munged(&init_user_ns, sbi->s_gid));
        if (sbi->s_file_umask != 0133)
                seq_printf(seq, ",file_umask=%o", sbi->s_file_umask);
        if (sbi->s_dir_umask != 0022)
@@ -254,14 +256,22 @@ static int parse_options(char *options, struct hfs_sb_info *hsb)
                                printk(KERN_ERR "hfs: uid requires an argument\n");
                                return 0;
                        }
-                        hsb->s_uid = (uid_t)tmp;
+                        hsb->s_uid = make_kuid(current_user_ns(), (uid_t)tmp);
+                        if (!uid_valid(hsb->s_uid)) {
+                                printk(KERN_ERR "hfs: invalid uid %d\n", tmp);
+                                return 0;
+                        }
                        break;
                case opt_gid:
                        if (match_int(&args[0], &tmp)) {
                                printk(KERN_ERR "hfs: gid requires an argument\n");
                                return 0;
                        }
-                        hsb->s_gid = (gid_t)tmp;
+                        hsb->s_gid = make_kgid(current_user_ns(), (gid_t)tmp);
+                        if (!gid_valid(hsb->s_gid)) {
+                                printk(KERN_ERR "hfs: invalid gid %d\n", tmp);
+                                return 0;
+                        }
                        break;
                case opt_umask:
                        if (match_octal(&args[0], &tmp)) {
diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
index ec2a9c23f0c9..798d9c4c5e71 100644
--- a/fs/hfsplus/catalog.c
+++ b/fs/hfsplus/catalog.c
@@ -80,8 +80,8 @@ void hfsplus_cat_set_perms(struct inode *inode, struct hfsplus_perm *perms)
        perms->userflags = HFSPLUS_I(inode)->userflags;
        perms->mode = cpu_to_be16(inode->i_mode);
-        perms->owner = cpu_to_be32(inode->i_uid);
+        perms->owner = cpu_to_be32(i_uid_read(inode));
-        perms->group = cpu_to_be32(inode->i_gid);
+        perms->group = cpu_to_be32(i_gid_read(inode));
        if (S_ISREG(inode->i_mode))
                perms->dev = cpu_to_be32(inode->i_nlink);
diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
index 558dbb463a4e..c571de224b15 100644
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -149,8 +149,8 @@ struct hfsplus_sb_info {
        u32 type;
        umode_t umask;
-        uid_t uid;
+        kuid_t uid;
-        gid_t gid;
+        kgid_t gid;
        int part, session;
        unsigned long flags;
diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c
index 3d8b4a675ba0..2172aa5976f5 100644
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -233,12 +233,12 @@ static void hfsplus_get_perms(struct inode *inode,
        mode = be16_to_cpu(perms->mode);
-        inode->i_uid = be32_to_cpu(perms->owner);
+        i_uid_write(inode, be32_to_cpu(perms->owner));
-        if (!inode->i_uid && !mode)
+        if (!i_uid_read(inode) && !mode)
                inode->i_uid = sbi->uid;
-        inode->i_gid = be32_to_cpu(perms->group);
+        i_gid_write(inode, be32_to_cpu(perms->group));
-        if (!inode->i_gid && !mode)
+        if (!i_gid_read(inode) && !mode)
                inode->i_gid = sbi->gid;
        if (dir) {
diff --git a/fs/hfsplus/options.c b/fs/hfsplus/options.c
index 06fa5618600c..ed257c671615 100644
--- a/fs/hfsplus/options.c
+++ b/fs/hfsplus/options.c
@@ -135,14 +135,22 @@ int hfsplus_parse_options(char *input, struct hfsplus_sb_info *sbi)
                                printk(KERN_ERR "hfs: uid requires an argument\n");
                                return 0;
                        }
-                        sbi->uid = (uid_t)tmp;
+                        sbi->uid = make_kuid(current_user_ns(), (uid_t)tmp);
+                        if (!uid_valid(sbi->uid)) {
+                                printk(KERN_ERR "hfs: invalid uid specified\n");
+                                return 0;
+                        }
                        break;
                case opt_gid:
                        if (match_int(&args[0], &tmp)) {
                                printk(KERN_ERR "hfs: gid requires an argument\n");
                                return 0;
                        }
-                        sbi->gid = (gid_t)tmp;
+                        sbi->gid = make_kgid(current_user_ns(), (gid_t)tmp);
+                        if (!gid_valid(sbi->gid)) {
+                                printk(KERN_ERR "hfs: invalid gid specified\n");
+                                return 0;
+                        }
                        break;
                case opt_part:
                        if (match_int(&args[0], &sbi->part)) {
@@ -215,7 +223,8 @@ int hfsplus_show_options(struct seq_file *seq, struct dentry *root)
        if (sbi->type != HFSPLUS_DEF_CR_TYPE)
                seq_printf(seq, ",type=%.4s", (char *)&sbi->type);
        seq_printf(seq, ",umask=%o,uid=%u,gid=%u", sbi->umask,
-                sbi->uid, sbi->gid);
+                        from_kuid_munged(&init_user_ns, sbi->uid),
+                        from_kgid_munged(&init_user_ns, sbi->gid));
        if (sbi->part >= 0)
                seq_printf(seq, ",part=%u", sbi->part);
        if (sbi->session >= 0)
diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c
index 124146543aa7..6c9f3a9d5e21 100644
--- a/fs/hostfs/hostfs_kern.c
+++ b/fs/hostfs/hostfs_kern.c
@@ -542,8 +542,8 @@ static int read_name(struct inode *ino, char *name)
        ino->i_ino = st.ino;
        ino->i_mode = st.mode;
        set_nlink(ino, st.nlink);
-        ino->i_uid = st.uid;
+        i_uid_write(ino, st.uid);
-        ino->i_gid = st.gid;
+        i_gid_write(ino, st.gid);
        ino->i_atime = st.atime;
        ino->i_mtime = st.mtime;
        ino->i_ctime = st.ctime;
@@ -808,11 +808,11 @@ int hostfs_setattr(struct dentry *dentry, struct iattr *attr)
        }
        if (attr->ia_valid & ATTR_UID) {
                attrs.ia_valid |= HOSTFS_ATTR_UID;
-                attrs.ia_uid = attr->ia_uid;
+                attrs.ia_uid = from_kuid(&init_user_ns, attr->ia_uid);
        }
        if (attr->ia_valid & ATTR_GID) {
                attrs.ia_valid |= HOSTFS_ATTR_GID;
-                attrs.ia_gid = attr->ia_gid;
+                attrs.ia_gid = from_kgid(&init_user_ns, attr->ia_gid);
        }
        if (attr->ia_valid & ATTR_SIZE) {
                attrs.ia_valid |= HOSTFS_ATTR_SIZE;
diff --git a/fs/hpfs/hpfs_fn.h b/fs/hpfs/hpfs_fn.h
index ac1ead194db5..7102aaecc244 100644
--- a/fs/hpfs/hpfs_fn.h
+++ b/fs/hpfs/hpfs_fn.h
@@ -63,8 +63,8 @@ struct hpfs_sb_info {
        unsigned sb_dmap;               /* sector number of dnode bit map */
        unsigned sb_n_free;             /* free blocks for statfs, or -1 */
        unsigned sb_n_free_dnodes;      /* free dnodes for statfs, or -1 */
-        uid_t sb_uid;                   /* uid from mount options */
+        kuid_t sb_uid;                  /* uid from mount options */
-        gid_t sb_gid;                   /* gid from mount options */
+        kgid_t sb_gid;                  /* gid from mount options */
        umode_t sb_mode;                /* mode from mount options */
        unsigned sb_eas : 2;            /* eas: 0-ignore, 1-ro, 2-rw */
        unsigned sb_err : 2;            /* on errs: 0-cont, 1-ro, 2-panic */
diff --git a/fs/hpfs/inode.c b/fs/hpfs/inode.c
index ed671e0ea784..804a9a842cbc 100644
--- a/fs/hpfs/inode.c
+++ b/fs/hpfs/inode.c
@@ -7,6 +7,7 @@
 */
 #include <linux/slab.h>
+#include <linux/user_namespace.h>
 #include "hpfs_fn.h"
 void hpfs_init_inode(struct inode *i)
@@ -60,14 +61,14 @@ void hpfs_read_inode(struct inode *i)
        if (hpfs_sb(i->i_sb)->sb_eas) {
                if ((ea = hpfs_get_ea(i->i_sb, fnode, "UID", &ea_size))) {
                        if (ea_size == 2) {
-                                i->i_uid = le16_to_cpu(*(__le16*)ea);
+                                i_uid_write(i, le16_to_cpu(*(__le16*)ea));
                                hpfs_inode->i_ea_uid = 1;
                        }
                        kfree(ea);
                }
                if ((ea = hpfs_get_ea(i->i_sb, fnode, "GID", &ea_size))) {
                        if (ea_size == 2) {
-                                i->i_gid = le16_to_cpu(*(__le16*)ea);
+                                i_gid_write(i, le16_to_cpu(*(__le16*)ea));
                                hpfs_inode->i_ea_gid = 1;
                        }
                        kfree(ea);
@@ -149,13 +150,13 @@ static void hpfs_write_inode_ea(struct inode *i, struct fnode *fnode)
                hpfs_error(i->i_sb, "fnode %08x has some unknown HPFS386 stuctures", i->i_ino);
        } else*/ if (hpfs_sb(i->i_sb)->sb_eas >= 2) {
                __le32 ea;
-                if ((i->i_uid != hpfs_sb(i->i_sb)->sb_uid) || hpfs_inode->i_ea_uid) {
+                if (!uid_eq(i->i_uid, hpfs_sb(i->i_sb)->sb_uid) || hpfs_inode->i_ea_uid) {
-                        ea = cpu_to_le32(i->i_uid);
+                        ea = cpu_to_le32(i_uid_read(i));
                        hpfs_set_ea(i, fnode, "UID", (char*)&ea, 2);
                        hpfs_inode->i_ea_uid = 1;
                }
-                if ((i->i_gid != hpfs_sb(i->i_sb)->sb_gid) || hpfs_inode->i_ea_gid) {
+                if (!gid_eq(i->i_gid, hpfs_sb(i->i_sb)->sb_gid) || hpfs_inode->i_ea_gid) {
-                        ea = cpu_to_le32(i->i_gid);
+                        ea = cpu_to_le32(i_gid_read(i));
                        hpfs_set_ea(i, fnode, "GID", (char *)&ea, 2);
                        hpfs_inode->i_ea_gid = 1;
                }
@@ -261,9 +262,11 @@ int hpfs_setattr(struct dentry *dentry, struct iattr *attr)
        hpfs_lock(inode->i_sb);
        if (inode->i_ino == hpfs_sb(inode->i_sb)->sb_root)
                goto out_unlock;
-        if ((attr->ia_valid & ATTR_UID) && attr->ia_uid >= 0x10000)
+        if ((attr->ia_valid & ATTR_UID) &&
+            from_kuid(&init_user_ns, attr->ia_uid) >= 0x10000)
                goto out_unlock;
-        if ((attr->ia_valid & ATTR_GID) && attr->ia_gid >= 0x10000)
+        if ((attr->ia_valid & ATTR_GID) &&
+            from_kgid(&init_user_ns, attr->ia_gid) >= 0x10000)
                goto out_unlock;
        if ((attr->ia_valid & ATTR_SIZE) && attr->ia_size > inode->i_size)
                goto out_unlock;
diff --git a/fs/hpfs/namei.c b/fs/hpfs/namei.c
index bc9082482f68..345713d2f8f3 100644
--- a/fs/hpfs/namei.c
+++ b/fs/hpfs/namei.c
@@ -91,8 +91,8 @@ static int hpfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
        inc_nlink(dir);
        insert_inode_hash(result);
-        if (result->i_uid != current_fsuid() ||
+        if (!uid_eq(result->i_uid, current_fsuid()) ||
-            result->i_gid != current_fsgid() ||
+            !gid_eq(result->i_gid, current_fsgid()) ||
            result->i_mode != (mode | S_IFDIR)) {
                result->i_uid = current_fsuid();
                result->i_gid = current_fsgid();
@@ -179,8 +179,8 @@ static int hpfs_create(struct inode *dir, struct dentry *dentry, umode_t mode, b
        insert_inode_hash(result);
-        if (result->i_uid != current_fsuid() ||
+        if (!uid_eq(result->i_uid, current_fsuid()) ||
-            result->i_gid != current_fsgid() ||
+            !gid_eq(result->i_gid, current_fsgid()) ||
            result->i_mode != (mode | S_IFREG)) {
                result->i_uid = current_fsuid();
                result->i_gid = current_fsgid();
diff --git a/fs/hpfs/super.c b/fs/hpfs/super.c
index 706a12c083ea..a152783602d9 100644
--- a/fs/hpfs/super.c
+++ b/fs/hpfs/super.c
@@ -251,7 +251,7 @@ static const match_table_t tokens = {
        {Opt_err, NULL},
 };
-static int parse_opts(char *opts, uid_t *uid, gid_t *gid, umode_t *umask,
+static int parse_opts(char *opts, kuid_t *uid, kgid_t *gid, umode_t *umask,
                      int *lowercase, int *eas, int *chk, int *errs,
                      int *chkdsk, int *timeshift)
 {
@@ -276,12 +276,16 @@ static int parse_opts(char *opts, uid_t *uid, gid_t *gid, umode_t *umask,
                case Opt_uid:
                        if (match_int(args, &option))
                                return 0;
-                        *uid = option;
+                        *uid = make_kuid(current_user_ns(), option);
+                        if (!uid_valid(*uid))
+                                return 0;
                        break;
                case Opt_gid:
                        if (match_int(args, &option))
                                return 0;
-                        *gid = option;
+                        *gid = make_kgid(current_user_ns(), option);
+                        if (!gid_valid(*gid))
+                                return 0;
                        break;
                case Opt_umask:
                        if (match_octal(args, &option))
@@ -378,8 +382,8 @@ HPFS filesystem options:\n\
 static int hpfs_remount_fs(struct super_block *s, int *flags, char *data)
 {
-        uid_t uid;
+        kuid_t uid;
-        gid_t gid;
+        kgid_t gid;
        umode_t umask;
        int lowercase, eas, chk, errs, chkdsk, timeshift;
        int o;
@@ -455,8 +459,8 @@ static int hpfs_fill_super(struct super_block *s, void *options, int silent)
        struct hpfs_sb_info *sbi;
        struct inode *root;
-        uid_t uid;
+        kuid_t uid;
-        gid_t gid;
+        kgid_t gid;
        umode_t umask;
        int lowercase, eas, chk, errs, chkdsk, timeshift;
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index 8349a899912e..6e572c4fbf68 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -42,8 +42,8 @@ static const struct inode_operations hugetlbfs_dir_inode_operations;
 static const struct inode_operations hugetlbfs_inode_operations;
 struct hugetlbfs_config {
-        uid_t   uid;
+        kuid_t   uid;
-        gid_t   gid;
+        kgid_t   gid;
        umode_t mode;
        long    nr_blocks;
        long    nr_inodes;
@@ -785,13 +785,17 @@ hugetlbfs_parse_options(char *options, struct hugetlbfs_config *pconfig)
                case Opt_uid:
                        if (match_int(&args[0], &option))
                                goto bad_val;
-                        pconfig->uid = option;
+                        pconfig->uid = make_kuid(current_user_ns(), option);
+                        if (!uid_valid(pconfig->uid))
+                                goto bad_val;
                        break;
                case Opt_gid:
                        if (match_int(&args[0], &option))
                                goto bad_val;
-                        pconfig->gid = option;
+                        pconfig->gid = make_kgid(current_user_ns(), option);
+                        if (!gid_valid(pconfig->gid))
+                                goto bad_val;
                        break;
                case Opt_mode:
@@ -924,7 +928,9 @@ static struct vfsmount *hugetlbfs_vfsmount;
 static int can_do_hugetlb_shm(void)
 {
-        return capable(CAP_IPC_LOCK) || in_group_p(sysctl_hugetlb_shm_group);
+        kgid_t shm_group;
+        shm_group = make_kgid(&init_user_ns, sysctl_hugetlb_shm_group);
+        return capable(CAP_IPC_LOCK) || in_group_p(shm_group);
 }
 struct file *hugetlb_file_setup(const char *name, unsigned long addr,
diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
index 29037c365ba4..a7d8e6cc5e0c 100644
--- a/fs/isofs/inode.c
+++ b/fs/isofs/inode.c
@@ -21,6 +21,7 @@
 #include <linux/cdrom.h>
 #include <linux/parser.h>
 #include <linux/mpage.h>
+#include <linux/user_namespace.h>
 #include "isofs.h"
 #include "zisofs.h"
@@ -171,8 +172,8 @@ struct iso9660_options{
        unsigned int blocksize;
        umode_t fmode;
        umode_t dmode;
-        gid_t gid;
+        kgid_t gid;
-        uid_t uid;
+        kuid_t uid;
        char *iocharset;
        /* LVE */
        s32 session;
@@ -383,8 +384,8 @@ static int parse_options(char *options, struct iso9660_options *popt)
        popt->fmode = popt->dmode = ISOFS_INVALID_MODE;
        popt->uid_set = 0;
        popt->gid_set = 0;
-        popt->gid = 0;
+        popt->gid = GLOBAL_ROOT_GID;
-        popt->uid = 0;
+        popt->uid = GLOBAL_ROOT_UID;
        popt->iocharset = NULL;
        popt->utf8 = 0;
        popt->overriderockperm = 0;
@@ -460,13 +461,17 @@ static int parse_options(char *options, struct iso9660_options *popt)
                case Opt_uid:
                        if (match_int(&args[0], &option))
                                return 0;
-                        popt->uid = option;
+                        popt->uid = make_kuid(current_user_ns(), option);
+                        if (!uid_valid(popt->uid))
+                                return 0;
                        popt->uid_set = 1;
                        break;
                case Opt_gid:
                        if (match_int(&args[0], &option))
                                return 0;
-                        popt->gid = option;
+                        popt->gid = make_kgid(current_user_ns(), option);
+                        if (!gid_valid(popt->gid))
+                                return 0;
                        popt->gid_set = 1;
                        break;
                case Opt_mode:
diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h
index 3620ad1ea9bc..99167238518d 100644
--- a/fs/isofs/isofs.h
+++ b/fs/isofs/isofs.h
@@ -52,8 +52,8 @@ struct isofs_sb_info {
        umode_t s_fmode;
        umode_t s_dmode;
-        gid_t s_gid;
+        kgid_t s_gid;
-        uid_t s_uid;
+        kuid_t s_uid;
        struct nls_table *s_nls_iocharset; /* Native language support table */
 };
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
index 70e79d0c756a..c0bf42472e40 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -364,8 +364,8 @@ repeat:
                case SIG('P', 'X'):
                        inode->i_mode = isonum_733(rr->u.PX.mode);
                        set_nlink(inode, isonum_733(rr->u.PX.n_links));
-                        inode->i_uid = isonum_733(rr->u.PX.uid);
+                        i_uid_write(inode, isonum_733(rr->u.PX.uid));
-                        inode->i_gid = isonum_733(rr->u.PX.gid);
+                        i_gid_write(inode, isonum_733(rr->u.PX.gid));
                        break;
                case SIG('P', 'N'):
                        {
diff --git a/fs/jffs2/acl.c b/fs/jffs2/acl.c
index 922f146e4235..223283c30111 100644
--- a/fs/jffs2/acl.c
+++ b/fs/jffs2/acl.c
@@ -94,15 +94,23 @@ static struct posix_acl *jffs2_acl_from_medium(void *value, size_t size)
                        case ACL_MASK:
                        case ACL_OTHER:
                                value += sizeof(struct jffs2_acl_entry_short);
-                                acl->a_entries[i].e_id = ACL_UNDEFINED_ID;
                                break;
                        case ACL_USER:
+                                value += sizeof(struct jffs2_acl_entry);
+                                if (value > end)
+                                        goto fail;
+                                acl->a_entries[i].e_uid =
+                                        make_kuid(&init_user_ns,
+                                                  je32_to_cpu(entry->e_id));
+                                break;
                        case ACL_GROUP:
                                value += sizeof(struct jffs2_acl_entry);
                                if (value > end)
                                        goto fail;
-                                acl->a_entries[i].e_id = je32_to_cpu(entry->e_id);
+                                acl->a_entries[i].e_gid =
+                                        make_kgid(&init_user_ns,
+                                                  je32_to_cpu(entry->e_id));
                                break;
                        default:
@@ -131,13 +139,19 @@ static void *jffs2_acl_to_medium(const struct posix_acl *acl, size_t *size)
        header->a_version = cpu_to_je32(JFFS2_ACL_VERSION);
        e = header + 1;
        for (i=0; i < acl->a_count; i++) {
+                const struct posix_acl_entry *acl_e = &acl->a_entries[i];
                entry = e;
-                entry->e_tag = cpu_to_je16(acl->a_entries[i].e_tag);
+                entry->e_tag = cpu_to_je16(acl_e->e_tag);
-                entry->e_perm = cpu_to_je16(acl->a_entries[i].e_perm);
+                entry->e_perm = cpu_to_je16(acl_e->e_perm);
-                switch(acl->a_entries[i].e_tag) {
+                switch(acl_e->e_tag) {
                        case ACL_USER:
+                                entry->e_id = cpu_to_je32(
+                                        from_kuid(&init_user_ns, acl_e->e_uid));
+                                e += sizeof(struct jffs2_acl_entry);
+                                break;
                        case ACL_GROUP:
-                                entry->e_id = cpu_to_je32(acl->a_entries[i].e_id);
+                                entry->e_id = cpu_to_je32(
+                                        from_kgid(&init_user_ns, acl_e->e_gid));
                                e += sizeof(struct jffs2_acl_entry);
                                break;
@@ -363,7 +377,7 @@ static int jffs2_acl_getxattr(struct dentry *dentry, const char *name,
                return PTR_ERR(acl);
        if (!acl)
                return -ENODATA;
-        rc = posix_acl_to_xattr(acl, buffer, size);
+        rc = posix_acl_to_xattr(&init_user_ns, acl, buffer, size);
        posix_acl_release(acl);
        return rc;
@@ -381,7 +395,7 @@ static int jffs2_acl_setxattr(struct dentry *dentry, const char *name,
                return -EPERM;
        if (value) {
-                acl = posix_acl_from_xattr(value, size);
+                acl = posix_acl_from_xattr(&init_user_ns, value, size);
                if (IS_ERR(acl))
                        return PTR_ERR(acl);
                if (acl) {
diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c
index db3889ba8818..60ef3fb707ff 100644
--- a/fs/jffs2/file.c
+++ b/fs/jffs2/file.c
@@ -175,8 +175,8 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
                ri.ino = cpu_to_je32(f->inocache->ino);
                ri.version = cpu_to_je32(++f->highest_version);
                ri.mode = cpu_to_jemode(inode->i_mode);
-                ri.uid = cpu_to_je16(inode->i_uid);
+                ri.uid = cpu_to_je16(i_uid_read(inode));
-                ri.gid = cpu_to_je16(inode->i_gid);
+                ri.gid = cpu_to_je16(i_gid_read(inode));
                ri.isize = cpu_to_je32(max((uint32_t)inode->i_size, pageofs));
                ri.atime = ri.ctime = ri.mtime = cpu_to_je32(get_seconds());
                ri.offset = cpu_to_je32(inode->i_size);
@@ -283,8 +283,8 @@ static int jffs2_write_end(struct file *filp, struct address_space *mapping,
        /* Set the fields that the generic jffs2_write_inode_range() code can't find */
        ri->ino = cpu_to_je32(inode->i_ino);
        ri->mode = cpu_to_jemode(inode->i_mode);
-        ri->uid = cpu_to_je16(inode->i_uid);
+        ri->uid = cpu_to_je16(i_uid_read(inode));
-        ri->gid = cpu_to_je16(inode->i_gid);
+        ri->gid = cpu_to_je16(i_gid_read(inode));
        ri->isize = cpu_to_je32((uint32_t)inode->i_size);
        ri->atime = ri->ctime = ri->mtime = cpu_to_je32(get_seconds());
diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c
index 3d3092eda811..fe3c0527545f 100644
--- a/fs/jffs2/fs.c
+++ b/fs/jffs2/fs.c
@@ -99,8 +99,10 @@ int jffs2_do_setattr (struct inode *inode, struct iattr *iattr)
        ri->ino = cpu_to_je32(inode->i_ino);
        ri->version = cpu_to_je32(++f->highest_version);
-        ri->uid = cpu_to_je16((ivalid & ATTR_UID)?iattr->ia_uid:inode->i_uid);
+        ri->uid = cpu_to_je16((ivalid & ATTR_UID)?
-        ri->gid = cpu_to_je16((ivalid & ATTR_GID)?iattr->ia_gid:inode->i_gid);
+                from_kuid(&init_user_ns, iattr->ia_uid):i_uid_read(inode));
+        ri->gid = cpu_to_je16((ivalid & ATTR_GID)?
+                from_kgid(&init_user_ns, iattr->ia_gid):i_gid_read(inode));
        if (ivalid & ATTR_MODE)
                ri->mode = cpu_to_jemode(iattr->ia_mode);
@@ -147,8 +149,8 @@ int jffs2_do_setattr (struct inode *inode, struct iattr *iattr)
        inode->i_ctime = ITIME(je32_to_cpu(ri->ctime));
        inode->i_mtime = ITIME(je32_to_cpu(ri->mtime));
        inode->i_mode = jemode_to_cpu(ri->mode);
-        inode->i_uid = je16_to_cpu(ri->uid);
+        i_uid_write(inode, je16_to_cpu(ri->uid));
-        inode->i_gid = je16_to_cpu(ri->gid);
+        i_gid_write(inode, je16_to_cpu(ri->gid));
        old_metadata = f->metadata;
@@ -276,8 +278,8 @@ struct inode *jffs2_iget(struct super_block *sb, unsigned long ino)
                return ERR_PTR(ret);
        }
        inode->i_mode = jemode_to_cpu(latest_node.mode);
-        inode->i_uid = je16_to_cpu(latest_node.uid);
+        i_uid_write(inode, je16_to_cpu(latest_node.uid));
-        inode->i_gid = je16_to_cpu(latest_node.gid);
+        i_gid_write(inode, je16_to_cpu(latest_node.gid));
        inode->i_size = je32_to_cpu(latest_node.isize);
        inode->i_atime = ITIME(je32_to_cpu(latest_node.atime));
        inode->i_mtime = ITIME(je32_to_cpu(latest_node.mtime));
@@ -440,14 +442,14 @@ struct inode *jffs2_new_inode (struct inode *dir_i, umode_t mode, struct jffs2_r
        memset(ri, 0, sizeof(*ri));
        /* Set OS-specific defaults for new inodes */
-        ri->uid = cpu_to_je16(current_fsuid());
+        ri->uid = cpu_to_je16(from_kuid(&init_user_ns, current_fsuid()));
        if (dir_i->i_mode & S_ISGID) {
-                ri->gid = cpu_to_je16(dir_i->i_gid);
+                ri->gid = cpu_to_je16(i_gid_read(dir_i));
                if (S_ISDIR(mode))
                        mode |= S_ISGID;
        } else {
-                ri->gid = cpu_to_je16(current_fsgid());
+                ri->gid = cpu_to_je16(from_kgid(&init_user_ns, current_fsgid()));
        }
        /* POSIX ACLs have to be processed now, at least partly.
@@ -467,8 +469,8 @@ struct inode *jffs2_new_inode (struct inode *dir_i, umode_t mode, struct jffs2_r
        set_nlink(inode, 1);
        inode->i_ino = je32_to_cpu(ri->ino);
        inode->i_mode = jemode_to_cpu(ri->mode);
-        inode->i_gid = je16_to_cpu(ri->gid);
+        i_gid_write(inode, je16_to_cpu(ri->gid));
-        inode->i_uid = je16_to_cpu(ri->uid);
+        i_uid_write(inode, je16_to_cpu(ri->uid));
        inode->i_atime = inode->i_ctime = inode->i_mtime = CURRENT_TIME_SEC;
        ri->atime = ri->mtime = ri->ctime = cpu_to_je32(I_SEC(inode->i_mtime));
diff --git a/fs/jffs2/os-linux.h b/fs/jffs2/os-linux.h
index bcd983d7e7f9..d200a9b8fd5e 100644
--- a/fs/jffs2/os-linux.h
+++ b/fs/jffs2/os-linux.h
@@ -27,8 +27,8 @@ struct kvec;
 #define JFFS2_F_I_SIZE(f) (OFNI_EDONI_2SFFJ(f)->i_size)
 #define JFFS2_F_I_MODE(f) (OFNI_EDONI_2SFFJ(f)->i_mode)
-#define JFFS2_F_I_UID(f) (OFNI_EDONI_2SFFJ(f)->i_uid)
+#define JFFS2_F_I_UID(f) (i_uid_read(OFNI_EDONI_2SFFJ(f)))
-#define JFFS2_F_I_GID(f) (OFNI_EDONI_2SFFJ(f)->i_gid)
+#define JFFS2_F_I_GID(f) (i_gid_read(OFNI_EDONI_2SFFJ(f)))
 #define JFFS2_F_I_RDEV(f) (OFNI_EDONI_2SFFJ(f)->i_rdev)
 #define ITIME(sec) ((struct timespec){sec, 0})
diff --git a/fs/jfs/acl.c b/fs/jfs/acl.c
index 45559dc3ea2f..d254d6d35995 100644
--- a/fs/jfs/acl.c
+++ b/fs/jfs/acl.c
@@ -64,7 +64,7 @@ struct posix_acl *jfs_get_acl(struct inode *inode, int type)
                else
                        acl = ERR_PTR(size);
        } else {
-                acl = posix_acl_from_xattr(value, size);
+                acl = posix_acl_from_xattr(&init_user_ns, value, size);
        }
        kfree(value);
        if (!IS_ERR(acl))
@@ -100,7 +100,7 @@ static int jfs_set_acl(tid_t tid, struct inode *inode, int type,
                value = kmalloc(size, GFP_KERNEL);
                if (!value)
                        return -ENOMEM;
-                rc = posix_acl_to_xattr(acl, value, size);
+                rc = posix_acl_to_xattr(&init_user_ns, acl, value, size);
                if (rc < 0)
                        goto out;
        }
diff --git a/fs/jfs/file.c b/fs/jfs/file.c
index 844f9460cb11..9d3afd157f99 100644
--- a/fs/jfs/file.c
+++ b/fs/jfs/file.c
@@ -108,8 +108,8 @@ int jfs_setattr(struct dentry *dentry, struct iattr *iattr)
        if (is_quota_modification(inode, iattr))
                dquot_initialize(inode);
-        if ((iattr->ia_valid & ATTR_UID && iattr->ia_uid != inode->i_uid) ||
+        if ((iattr->ia_valid & ATTR_UID && !uid_eq(iattr->ia_uid, inode->i_uid)) ||
-            (iattr->ia_valid & ATTR_GID && iattr->ia_gid != inode->i_gid)) {
+            (iattr->ia_valid & ATTR_GID && !gid_eq(iattr->ia_gid, inode->i_gid))) {
                rc = dquot_transfer(inode, iattr);
                if (rc)
                        return rc;
diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index 1b6f15f191b3..6ba4006e011b 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -3078,15 +3078,15 @@ static int copy_from_dinode(struct dinode * dip, struct inode *ip)
        }
        set_nlink(ip, le32_to_cpu(dip->di_nlink));
-        jfs_ip->saved_uid = le32_to_cpu(dip->di_uid);
+        jfs_ip->saved_uid = make_kuid(&init_user_ns, le32_to_cpu(dip->di_uid));
-        if (sbi->uid == -1)
+        if (!uid_valid(sbi->uid))
                ip->i_uid = jfs_ip->saved_uid;
        else {
                ip->i_uid = sbi->uid;
        }
-        jfs_ip->saved_gid = le32_to_cpu(dip->di_gid);
+        jfs_ip->saved_gid = make_kgid(&init_user_ns, le32_to_cpu(dip->di_gid));
-        if (sbi->gid == -1)
+        if (!gid_valid(sbi->gid))
                ip->i_gid = jfs_ip->saved_gid;
        else {
                ip->i_gid = sbi->gid;
@@ -3150,14 +3150,16 @@ static void copy_to_dinode(struct dinode * dip, struct inode *ip)
        dip->di_size = cpu_to_le64(ip->i_size);
        dip->di_nblocks = cpu_to_le64(PBLK2LBLK(ip->i_sb, ip->i_blocks));
        dip->di_nlink = cpu_to_le32(ip->i_nlink);
-        if (sbi->uid == -1)
+        if (!uid_valid(sbi->uid))
-                dip->di_uid = cpu_to_le32(ip->i_uid);
+                dip->di_uid = cpu_to_le32(i_uid_read(ip));
        else
-                dip->di_uid = cpu_to_le32(jfs_ip->saved_uid);
+                dip->di_uid =cpu_to_le32(from_kuid(&init_user_ns,
-        if (sbi->gid == -1)
+                                                   jfs_ip->saved_uid));
-                dip->di_gid = cpu_to_le32(ip->i_gid);
+        if (!gid_valid(sbi->gid))
+                dip->di_gid = cpu_to_le32(i_gid_read(ip));
        else
-                dip->di_gid = cpu_to_le32(jfs_ip->saved_gid);
+                dip->di_gid = cpu_to_le32(from_kgid(&init_user_ns,
+                                                    jfs_ip->saved_gid));
        jfs_get_inode_flags(jfs_ip);
        /*
         * mode2 is only needed for storing the higher order bits.
diff --git a/fs/jfs/jfs_incore.h b/fs/jfs/jfs_incore.h
index 584a4a1a6e81..680605d7bf15 100644
--- a/fs/jfs/jfs_incore.h
+++ b/fs/jfs/jfs_incore.h
@@ -38,8 +38,8 @@
 struct jfs_inode_info {
        int     fileset;        /* fileset number (always 16)*/
        uint    mode2;          /* jfs-specific mode            */
-        uint    saved_uid;      /* saved for uid mount option */
+        kuid_t  saved_uid;      /* saved for uid mount option */
-        uint    saved_gid;      /* saved for gid mount option */
+        kgid_t  saved_gid;      /* saved for gid mount option */
        pxd_t   ixpxd;          /* inode extent descriptor      */
        dxd_t   acl;            /* dxd describing acl   */
        dxd_t   ea;             /* dxd describing ea    */
@@ -192,8 +192,8 @@ struct jfs_sb_info {
        uint            state;          /* mount/recovery state */
        unsigned long   flag;           /* mount time flags */
        uint            p_state;        /* state prior to going no integrity */
-        uint            uid;            /* uid to override on-disk uid */
+        kuid_t          uid;            /* uid to override on-disk uid */
-        uint            gid;            /* gid to override on-disk gid */
+        kgid_t          gid;            /* gid to override on-disk gid */
        uint            umask;          /* umask to override on-disk umask */
 };
diff --git a/fs/jfs/super.c b/fs/jfs/super.c
index c55c7452d285..706692f24033 100644
--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@ -321,13 +321,19 @@ static int parse_options(char *options, struct super_block *sb, s64 *newLVSize,
                case Opt_uid:
                {
                        char *uid = args[0].from;
-                        sbi->uid = simple_strtoul(uid, &uid, 0);
+                        uid_t val = simple_strtoul(uid, &uid, 0);
+                        sbi->uid = make_kuid(current_user_ns(), val);
+                        if (!uid_valid(sbi->uid))
+                                goto cleanup;
                        break;
                }
                case Opt_gid:
                {
                        char *gid = args[0].from;
-                        sbi->gid = simple_strtoul(gid, &gid, 0);
+                        gid_t val = simple_strtoul(gid, &gid, 0);
+                        sbi->gid = make_kgid(current_user_ns(), val);
+                        if (!gid_valid(sbi->gid))
+                                goto cleanup;
                        break;
                }
                case Opt_umask:
@@ -443,7 +449,9 @@ static int jfs_fill_super(struct super_block *sb, void *data, int silent)
        sb->s_fs_info = sbi;
        sb->s_max_links = JFS_LINK_MAX;
        sbi->sb = sb;
-        sbi->uid = sbi->gid = sbi->umask = -1;
+        sbi->uid = INVALID_UID;
+        sbi->gid = INVALID_GID;
+        sbi->umask = -1;
        /* initialize the mount flag and determine the default error handler */
        flag = JFS_ERR_REMOUNT_RO;
@@ -617,10 +625,10 @@ static int jfs_show_options(struct seq_file *seq, struct dentry *root)
 {
        struct jfs_sb_info *sbi = JFS_SBI(root->d_sb);
-        if (sbi->uid != -1)
+        if (uid_valid(sbi->uid))
-                seq_printf(seq, ",uid=%d", sbi->uid);
+                seq_printf(seq, ",uid=%d", from_kuid(&init_user_ns, sbi->uid));
-        if (sbi->gid != -1)
+        if (gid_valid(sbi->gid))
-                seq_printf(seq, ",gid=%d", sbi->gid);
+                seq_printf(seq, ",gid=%d", from_kgid(&init_user_ns, sbi->gid));
        if (sbi->umask != -1)
                seq_printf(seq, ",umask=%03o", sbi->umask);
        if (sbi->flag & JFS_NOINTEGRITY)
diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
index 26683e15b3ac..42d67f9757bf 100644
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -685,7 +685,7 @@ static int can_set_system_xattr(struct inode *inode, const char *name,
         * POSIX_ACL_XATTR_ACCESS is tied to i_mode
         */
        if (strcmp(name, POSIX_ACL_XATTR_ACCESS) == 0) {
-                acl = posix_acl_from_xattr(value, value_len);
+                acl = posix_acl_from_xattr(&init_user_ns, value, value_len);
                if (IS_ERR(acl)) {
                        rc = PTR_ERR(acl);
                        printk(KERN_ERR "posix_acl_from_xattr returned %d\n",
@@ -710,7 +710,7 @@ static int can_set_system_xattr(struct inode *inode, const char *name,
                return 0;
        } else if (strcmp(name, POSIX_ACL_XATTR_DEFAULT) == 0) {
-                acl = posix_acl_from_xattr(value, value_len);
+                acl = posix_acl_from_xattr(&init_user_ns, value, value_len);
                if (IS_ERR(acl)) {
                        rc = PTR_ERR(acl);
                        printk(KERN_ERR "posix_acl_from_xattr returned %d\n",
diff --git a/fs/logfs/inode.c b/fs/logfs/inode.c
index 6984562738d3..bda39085309f 100644
--- a/fs/logfs/inode.c
+++ b/fs/logfs/inode.c
@@ -208,8 +208,8 @@ static void logfs_init_inode(struct super_block *sb, struct inode *inode)
        li->li_height   = 0;
        li->li_used_bytes = 0;
        li->li_block    = NULL;
-        inode->i_uid    = 0;
+        i_uid_write(inode, 0);
-        inode->i_gid    = 0;
+        i_gid_write(inode, 0);
        inode->i_size   = 0;
        inode->i_blocks = 0;
        inode->i_ctime  = CURRENT_TIME;
diff --git a/fs/logfs/readwrite.c b/fs/logfs/readwrite.c
index 5be0abef603d..e1a3b6bf6324 100644
--- a/fs/logfs/readwrite.c
+++ b/fs/logfs/readwrite.c
@@ -119,8 +119,8 @@ static void logfs_disk_to_inode(struct logfs_disk_inode *di, struct inode*inode)
        inode->i_mode   = be16_to_cpu(di->di_mode);
        li->li_height   = di->di_height;
        li->li_flags    = be32_to_cpu(di->di_flags);
-        inode->i_uid    = be32_to_cpu(di->di_uid);
+        i_uid_write(inode, be32_to_cpu(di->di_uid));
-        inode->i_gid    = be32_to_cpu(di->di_gid);
+        i_gid_write(inode, be32_to_cpu(di->di_gid));
        inode->i_size   = be64_to_cpu(di->di_size);
        logfs_set_blocks(inode, be64_to_cpu(di->di_used_bytes));
        inode->i_atime  = be64_to_timespec(di->di_atime);
@@ -156,8 +156,8 @@ static void logfs_inode_to_disk(struct inode *inode, struct logfs_disk_inode*di)
        di->di_height   = li->li_height;
        di->di_pad      = 0;
        di->di_flags    = cpu_to_be32(li->li_flags);
-        di->di_uid      = cpu_to_be32(inode->i_uid);
+        di->di_uid      = cpu_to_be32(i_uid_read(inode));
-        di->di_gid      = cpu_to_be32(inode->i_gid);
+        di->di_gid      = cpu_to_be32(i_gid_read(inode));
        di->di_size     = cpu_to_be64(i_size_read(inode));
        di->di_used_bytes = cpu_to_be64(li->li_used_bytes);
        di->di_atime    = timespec_to_be64(inode->i_atime);
diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index 2a503ad020d5..d0e42c678923 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -460,8 +460,8 @@ static struct inode *V1_minix_iget(struct inode *inode)
                return ERR_PTR(-EIO);
        }
        inode->i_mode = raw_inode->i_mode;
-        inode->i_uid = (uid_t)raw_inode->i_uid;
+        i_uid_write(inode, raw_inode->i_uid);
-        inode->i_gid = (gid_t)raw_inode->i_gid;
+        i_gid_write(inode, raw_inode->i_gid);
        set_nlink(inode, raw_inode->i_nlinks);
        inode->i_size = raw_inode->i_size;
        inode->i_mtime.tv_sec = inode->i_atime.tv_sec = inode->i_ctime.tv_sec = raw_inode->i_time;
@@ -493,8 +493,8 @@ static struct inode *V2_minix_iget(struct inode *inode)
                return ERR_PTR(-EIO);
        }
        inode->i_mode = raw_inode->i_mode;
-        inode->i_uid = (uid_t)raw_inode->i_uid;
+        i_uid_write(inode, raw_inode->i_uid);
-        inode->i_gid = (gid_t)raw_inode->i_gid;
+        i_gid_write(inode, raw_inode->i_gid);
        set_nlink(inode, raw_inode->i_nlinks);
        inode->i_size = raw_inode->i_size;
        inode->i_mtime.tv_sec = raw_inode->i_mtime;
@@ -545,8 +545,8 @@ static struct buffer_head * V1_minix_update_inode(struct inode * inode)
        if (!raw_inode)
                return NULL;
        raw_inode->i_mode = inode->i_mode;
-        raw_inode->i_uid = fs_high2lowuid(inode->i_uid);
+        raw_inode->i_uid = fs_high2lowuid(i_uid_read(inode));
-        raw_inode->i_gid = fs_high2lowgid(inode->i_gid);
+        raw_inode->i_gid = fs_high2lowgid(i_gid_read(inode));
        raw_inode->i_nlinks = inode->i_nlink;
        raw_inode->i_size = inode->i_size;
        raw_inode->i_time = inode->i_mtime.tv_sec;
@@ -572,8 +572,8 @@ static struct buffer_head * V2_minix_update_inode(struct inode * inode)
        if (!raw_inode)
                return NULL;
        raw_inode->i_mode = inode->i_mode;
-        raw_inode->i_uid = fs_high2lowuid(inode->i_uid);
+        raw_inode->i_uid = fs_high2lowuid(i_uid_read(inode));
-        raw_inode->i_gid = fs_high2lowgid(inode->i_gid);
+        raw_inode->i_gid = fs_high2lowgid(i_gid_read(inode));
        raw_inode->i_nlinks = inode->i_nlink;
        raw_inode->i_size = inode->i_size;
        raw_inode->i_mtime = inode->i_mtime.tv_sec;
diff --git a/fs/namei.c b/fs/namei.c
index dd1ed1b8e98e..a856e7f7b6e3 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -680,7 +680,7 @@ static inline int may_follow_link(struct path *link, struct nameidata *nd)
        /* Allowed if owner and follower match. */
        inode = link->dentry->d_inode;
-        if (current_cred()->fsuid == inode->i_uid)
+        if (uid_eq(current_cred()->fsuid, inode->i_uid))
                return 0;
        /* Allowed if parent directory not sticky and world-writable. */
@@ -689,7 +689,7 @@ static inline int may_follow_link(struct path *link, struct nameidata *nd)
                return 0;
        /* Allowed if parent directory and link owner match. */
-        if (parent->i_uid == inode->i_uid)
+        if (uid_eq(parent->i_uid, inode->i_uid))
                return 0;
        path_put_conditional(link, nd);
@@ -759,7 +759,7 @@ static int may_linkat(struct path *link)
        /* Source inode owner (or CAP_FOWNER) can hardlink all they like,
         * otherwise, it must be a safe source.
         */
-        if (cred->fsuid == inode->i_uid || safe_hardlink_source(inode) ||
+        if (uid_eq(cred->fsuid, inode->i_uid) || safe_hardlink_source(inode) ||
            capable(CAP_FOWNER))
                return 0;
diff --git a/fs/nfs/nfs3acl.c b/fs/nfs/nfs3acl.c
index e4498dc351a8..4a1aafba6a20 100644
--- a/fs/nfs/nfs3acl.c
+++ b/fs/nfs/nfs3acl.c
@@ -70,7 +70,7 @@ ssize_t nfs3_getxattr(struct dentry *dentry, const char *name,
                if (type == ACL_TYPE_ACCESS && acl->a_count == 0)
                        error = -ENODATA;
                else
-                        error = posix_acl_to_xattr(acl, buffer, size);
+                        error = posix_acl_to_xattr(&init_user_ns, acl, buffer, size);
                posix_acl_release(acl);
        } else
                error = -ENODATA;
@@ -92,7 +92,7 @@ int nfs3_setxattr(struct dentry *dentry, const char *name,
        else
                return -EOPNOTSUPP;
-        acl = posix_acl_from_xattr(value, size);
+        acl = posix_acl_from_xattr(&init_user_ns, value, size);
        if (IS_ERR(acl))
                return PTR_ERR(acl);
        error = nfs3_proc_setacl(inode, type, acl);
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index a9269f142cc4..3f67b8e12251 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -480,7 +480,7 @@ set_nfsv4_acl_one(struct dentry *dentry, struct posix_acl *pacl, char *key)
        if (buf == NULL)
                goto out;
-        len = posix_acl_to_xattr(pacl, buf, buflen);
+        len = posix_acl_to_xattr(&init_user_ns, pacl, buf, buflen);
        if (len < 0) {
                error = len;
                goto out;
@@ -549,7 +549,7 @@ _get_posix_acl(struct dentry *dentry, char *key)
        if (buflen <= 0)
                return ERR_PTR(buflen);
-        pacl = posix_acl_from_xattr(buf, buflen);
+        pacl = posix_acl_from_xattr(&init_user_ns, buf, buflen);
        kfree(buf);
        return pacl;
 }
@@ -2264,7 +2264,7 @@ nfsd_get_posix_acl(struct svc_fh *fhp, int type)
        if (size < 0)
                return ERR_PTR(size);
-        acl = posix_acl_from_xattr(value, size);
+        acl = posix_acl_from_xattr(&init_user_ns, value, size);
        kfree(value);
        return acl;
 }
@@ -2297,7 +2297,7 @@ nfsd_set_posix_acl(struct svc_fh *fhp, int type, struct posix_acl *acl)
                value = kmalloc(size, GFP_KERNEL);
                if (!value)
                        return -ENOMEM;
-                error = posix_acl_to_xattr(acl, value, size);
+                error = posix_acl_to_xattr(&init_user_ns, acl, value, size);
                if (error < 0)
                        goto getout;
                size = error;
diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c
index 6e2c3db976b2..4d31d2cca7fd 100644
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -401,8 +401,8 @@ int nilfs_read_inode_common(struct inode *inode,
        int err;
        inode->i_mode = le16_to_cpu(raw_inode->i_mode);
-        inode->i_uid = (uid_t)le32_to_cpu(raw_inode->i_uid);
+        i_uid_write(inode, le32_to_cpu(raw_inode->i_uid));
-        inode->i_gid = (gid_t)le32_to_cpu(raw_inode->i_gid);
+        i_gid_write(inode, le32_to_cpu(raw_inode->i_gid));
        set_nlink(inode, le16_to_cpu(raw_inode->i_links_count));
        inode->i_size = le64_to_cpu(raw_inode->i_size);
        inode->i_atime.tv_sec = le64_to_cpu(raw_inode->i_mtime);
@@ -590,8 +590,8 @@ void nilfs_write_inode_common(struct inode *inode,
        struct nilfs_inode_info *ii = NILFS_I(inode);
        raw_inode->i_mode = cpu_to_le16(inode->i_mode);
-        raw_inode->i_uid = cpu_to_le32(inode->i_uid);
+        raw_inode->i_uid = cpu_to_le32(i_uid_read(inode));
-        raw_inode->i_gid = cpu_to_le32(inode->i_gid);
+        raw_inode->i_gid = cpu_to_le32(i_gid_read(inode));
        raw_inode->i_links_count = cpu_to_le16(inode->i_nlink);
        raw_inode->i_size = cpu_to_le64(inode->i_size);
        raw_inode->i_ctime = cpu_to_le64(inode->i_ctime.tv_sec);
diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index c6dbd3db6ca8..1d27331e6fc9 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -2124,7 +2124,8 @@ int ntfs_read_inode_mount(struct inode *vi)
                         * ntfs_read_inode() will have set up the default ones.
                         */
                        /* Set uid and gid to root. */
-                        vi->i_uid = vi->i_gid = 0;
+                        vi->i_uid = GLOBAL_ROOT_UID;
+                        vi->i_gid = GLOBAL_ROOT_GID;
                        /* Regular file. No access for anyone. */
                        vi->i_mode = S_IFREG;
                        /* No VFS initiated operations allowed for $MFT. */
@@ -2312,8 +2313,8 @@ int ntfs_show_options(struct seq_file *sf, struct dentry *root)
        ntfs_volume *vol = NTFS_SB(root->d_sb);
        int i;
-        seq_printf(sf, ",uid=%i", vol->uid);
+        seq_printf(sf, ",uid=%i", from_kuid_munged(&init_user_ns, vol->uid));
-        seq_printf(sf, ",gid=%i", vol->gid);
+        seq_printf(sf, ",gid=%i", from_kgid_munged(&init_user_ns, vol->gid));
        if (vol->fmask == vol->dmask)
                seq_printf(sf, ",umask=0%o", vol->fmask);
        else {
diff --git a/fs/ntfs/super.c b/fs/ntfs/super.c
index 2bc149d6a784..da01c165067d 100644
--- a/fs/ntfs/super.c
+++ b/fs/ntfs/super.c
@@ -102,8 +102,8 @@ static bool parse_options(ntfs_volume *vol, char *opt)
        char *p, *v, *ov;
        static char *utf8 = "utf8";
        int errors = 0, sloppy = 0;
-        uid_t uid = (uid_t)-1;
+        kuid_t uid = INVALID_UID;
-        gid_t gid = (gid_t)-1;
+        kgid_t gid = INVALID_GID;
        umode_t fmask = (umode_t)-1, dmask = (umode_t)-1;
        int mft_zone_multiplier = -1, on_errors = -1;
        int show_sys_files = -1, case_sensitive = -1, disable_sparse = -1;
@@ -128,6 +128,30 @@ static bool parse_options(ntfs_volume *vol, char *opt)
                if (*v)                                                 \
                        goto needs_val;                                 \
        }
+#define NTFS_GETOPT_UID(option, variable)                               \
+        if (!strcmp(p, option)) {                                       \
+                uid_t uid_value;                                        \
+                if (!v || !*v)                                          \
+                        goto needs_arg;                                 \
+                uid_value = simple_strtoul(ov = v, &v, 0);              \
+                if (*v)                                                 \
+                        goto needs_val;                                 \
+                variable = make_kuid(current_user_ns(), uid_value);     \
+                if (!uid_valid(variable))                               \
+                        goto needs_val;                                 \
+        }
+#define NTFS_GETOPT_GID(option, variable)                               \
+        if (!strcmp(p, option)) {                                       \
+                gid_t gid_value;                                        \
+                if (!v || !*v)                                          \
+                        goto needs_arg;                                 \
+                gid_value = simple_strtoul(ov = v, &v, 0);              \
+                if (*v)                                                 \
+                        goto needs_val;                                 \
+                variable = make_kgid(current_user_ns(), gid_value);     \
+                if (!gid_valid(variable))                               \
+                        goto needs_val;                                 \
+        }
 #define NTFS_GETOPT_OCTAL(option, variable)                             \
        if (!strcmp(p, option)) {                                       \
                if (!v || !*v)                                          \
@@ -165,8 +189,8 @@ static bool parse_options(ntfs_volume *vol, char *opt)
        while ((p = strsep(&opt, ","))) {
                if ((v = strchr(p, '=')))
                        *v++ = 0;
-                NTFS_GETOPT("uid", uid)
+                NTFS_GETOPT_UID("uid", uid)
-                else NTFS_GETOPT("gid", gid)
+                else NTFS_GETOPT_GID("gid", gid)
                else NTFS_GETOPT_OCTAL("umask", fmask = dmask)
                else NTFS_GETOPT_OCTAL("fmask", fmask)
                else NTFS_GETOPT_OCTAL("dmask", dmask)
@@ -283,9 +307,9 @@ no_mount_options:
                vol->on_errors = on_errors;
        if (!vol->on_errors || vol->on_errors == ON_ERRORS_RECOVER)
                vol->on_errors |= ON_ERRORS_CONTINUE;
-        if (uid != (uid_t)-1)
+        if (uid_valid(uid))
                vol->uid = uid;
-        if (gid != (gid_t)-1)
+        if (gid_valid(gid))
                vol->gid = gid;
        if (fmask != (umode_t)-1)
                vol->fmask = fmask;
@@ -1023,7 +1047,8 @@ static bool load_and_init_mft_mirror(ntfs_volume *vol)
         * ntfs_read_inode() will have set up the default ones.
         */
        /* Set uid and gid to root. */
-        tmp_ino->i_uid = tmp_ino->i_gid = 0;
+        tmp_ino->i_uid = GLOBAL_ROOT_UID;
+        tmp_ino->i_gid = GLOBAL_ROOT_GID;
        /* Regular file.  No access for anyone. */
        tmp_ino->i_mode = S_IFREG;
        /* No VFS initiated operations allowed for $MFTMirr. */
diff --git a/fs/ntfs/volume.h b/fs/ntfs/volume.h
index 15e3ba8d521a..4f579b02bc76 100644
--- a/fs/ntfs/volume.h
+++ b/fs/ntfs/volume.h
@@ -25,6 +25,7 @@
 #define _LINUX_NTFS_VOLUME_H
 #include <linux/rwsem.h>
+#include <linux/uidgid.h>
 #include "types.h"
 #include "layout.h"
@@ -46,8 +47,8 @@ typedef struct {
                                           sized blocks on the device. */
        /* Configuration provided by user at mount time. */
        unsigned long flags;            /* Miscellaneous flags, see below. */
-        uid_t uid;                      /* uid that files will be mounted as. */
+        kuid_t uid;                     /* uid that files will be mounted as. */
-        gid_t gid;                      /* gid that files will be mounted as. */
+        kgid_t gid;                     /* gid that files will be mounted as. */
        umode_t fmask;                  /* The mask for file permissions. */
        umode_t dmask;                  /* The mask for directory
                                           permissions. */
diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c
index a7219075b4de..260b16281fc3 100644
--- a/fs/ocfs2/acl.c
+++ b/fs/ocfs2/acl.c
@@ -452,7 +452,7 @@ static int ocfs2_xattr_get_acl(struct dentry *dentry, const char *name,
                return PTR_ERR(acl);
        if (acl == NULL)
                return -ENODATA;
-        ret = posix_acl_to_xattr(acl, buffer, size);
+        ret = posix_acl_to_xattr(&init_user_ns, acl, buffer, size);
        posix_acl_release(acl);
        return ret;
@@ -475,7 +475,7 @@ static int ocfs2_xattr_set_acl(struct dentry *dentry, const char *name,
                return -EPERM;
        if (value) {
-                acl = posix_acl_from_xattr(value, size);
+                acl = posix_acl_from_xattr(&init_user_ns, value, size);
                if (IS_ERR(acl))
                        return PTR_ERR(acl);
                else if (acl) {
diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
index 46a1f6d75104..5a4ee77cec51 100644
--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1184,8 +1184,7 @@ int ocfs2_setattr(struct dentry *dentry, struct iattr *attr)
                if (attr->ia_valid & ATTR_UID && attr->ia_uid != inode->i_uid
                    && OCFS2_HAS_RO_COMPAT_FEATURE(sb,
                    OCFS2_FEATURE_RO_COMPAT_USRQUOTA)) {
-                        transfer_to[USRQUOTA] = dqget(sb, attr->ia_uid,
+                        transfer_to[USRQUOTA] = dqget(sb, make_kqid_uid(attr->ia_uid));
-                                                      USRQUOTA);
                        if (!transfer_to[USRQUOTA]) {
                                status = -ESRCH;
                                goto bail_unlock;
@@ -1194,8 +1193,7 @@ int ocfs2_setattr(struct dentry *dentry, struct iattr *attr)
                if (attr->ia_valid & ATTR_GID && attr->ia_gid != inode->i_gid
                    && OCFS2_HAS_RO_COMPAT_FEATURE(sb,
                    OCFS2_FEATURE_RO_COMPAT_GRPQUOTA)) {
-                        transfer_to[GRPQUOTA] = dqget(sb, attr->ia_gid,
+                        transfer_to[GRPQUOTA] = dqget(sb, make_kqid_gid(attr->ia_gid));
-                                                      GRPQUOTA);
                        if (!transfer_to[GRPQUOTA]) {
                                status = -ESRCH;
                                goto bail_unlock;
diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
index 0a86e302655f..332a281f217e 100644
--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -95,7 +95,7 @@ static void ocfs2_global_mem2diskdqb(void *dp, struct dquot *dquot)
        struct ocfs2_global_disk_dqblk *d = dp;
        struct mem_dqblk *m = &dquot->dq_dqb;
-        d->dqb_id = cpu_to_le32(dquot->dq_id);
+        d->dqb_id = cpu_to_le32(from_kqid(&init_user_ns, dquot->dq_id));
        d->dqb_use_count = cpu_to_le32(OCFS2_DQUOT(dquot)->dq_use_count);
        d->dqb_ihardlimit = cpu_to_le64(m->dqb_ihardlimit);
        d->dqb_isoftlimit = cpu_to_le64(m->dqb_isoftlimit);
@@ -112,11 +112,14 @@ static int ocfs2_global_is_id(void *dp, struct dquot *dquot)
 {
        struct ocfs2_global_disk_dqblk *d = dp;
        struct ocfs2_mem_dqinfo *oinfo =
-                        sb_dqinfo(dquot->dq_sb, dquot->dq_type)->dqi_priv;
+                        sb_dqinfo(dquot->dq_sb, dquot->dq_id.type)->dqi_priv;
        if (qtree_entry_unused(&oinfo->dqi_gi, dp))
                return 0;
-        return le32_to_cpu(d->dqb_id) == dquot->dq_id;
+        return qid_eq(make_kqid(&init_user_ns, dquot->dq_id.type,
+                                le32_to_cpu(d->dqb_id)),
+                      dquot->dq_id);
 }
 struct qtree_fmt_operations ocfs2_global_ops = {
@@ -475,7 +478,7 @@ int __ocfs2_sync_dquot(struct dquot *dquot, int freeing)
 {
        int err, err2;
        struct super_block *sb = dquot->dq_sb;
-        int type = dquot->dq_type;
+        int type = dquot->dq_id.type;
        struct ocfs2_mem_dqinfo *info = sb_dqinfo(sb, type)->dqi_priv;
        struct ocfs2_global_disk_dqblk dqblk;
        s64 spacechange, inodechange;
@@ -504,7 +507,8 @@ int __ocfs2_sync_dquot(struct dquot *dquot, int freeing)
        olditime = dquot->dq_dqb.dqb_itime;
        oldbtime = dquot->dq_dqb.dqb_btime;
        ocfs2_global_disk2memdqb(dquot, &dqblk);
-        trace_ocfs2_sync_dquot(dquot->dq_id, dquot->dq_dqb.dqb_curspace,
+        trace_ocfs2_sync_dquot(from_kqid(&init_user_ns, dquot->dq_id),
+                               dquot->dq_dqb.dqb_curspace,
                               (long long)spacechange,
                               dquot->dq_dqb.dqb_curinodes,
                               (long long)inodechange);
@@ -555,8 +559,8 @@ int __ocfs2_sync_dquot(struct dquot *dquot, int freeing)
        err = ocfs2_qinfo_lock(info, freeing);
        if (err < 0) {
                mlog(ML_ERROR, "Failed to lock quota info, losing quota write"
-                               " (type=%d, id=%u)\n", dquot->dq_type,
+                               " (type=%d, id=%u)\n", dquot->dq_id.type,
-                               (unsigned)dquot->dq_id);
+                               (unsigned)from_kqid(&init_user_ns, dquot->dq_id));
                goto out;
        }
        if (freeing)
@@ -591,9 +595,10 @@ static int ocfs2_sync_dquot_helper(struct dquot *dquot, unsigned long type)
        struct ocfs2_super *osb = OCFS2_SB(sb);
        int status = 0;
-        trace_ocfs2_sync_dquot_helper(dquot->dq_id, dquot->dq_type,
+        trace_ocfs2_sync_dquot_helper(from_kqid(&init_user_ns, dquot->dq_id),
+                                      dquot->dq_id.type,
                                      type, sb->s_id);
-        if (type != dquot->dq_type)
+        if (type != dquot->dq_id.type)
                goto out;
        status = ocfs2_lock_global_qf(oinfo, 1);
        if (status < 0)
@@ -643,7 +648,8 @@ static int ocfs2_write_dquot(struct dquot *dquot)
        struct ocfs2_super *osb = OCFS2_SB(dquot->dq_sb);
        int status = 0;
-        trace_ocfs2_write_dquot(dquot->dq_id, dquot->dq_type);
+        trace_ocfs2_write_dquot(from_kqid(&init_user_ns, dquot->dq_id),
+                                dquot->dq_id.type);
        handle = ocfs2_start_trans(osb, OCFS2_QWRITE_CREDITS);
        if (IS_ERR(handle)) {
@@ -677,11 +683,12 @@ static int ocfs2_release_dquot(struct dquot *dquot)
 {
        handle_t *handle;
        struct ocfs2_mem_dqinfo *oinfo =
-                        sb_dqinfo(dquot->dq_sb, dquot->dq_type)->dqi_priv;
+                        sb_dqinfo(dquot->dq_sb, dquot->dq_id.type)->dqi_priv;
        struct ocfs2_super *osb = OCFS2_SB(dquot->dq_sb);
        int status = 0;
-        trace_ocfs2_release_dquot(dquot->dq_id, dquot->dq_type);
+        trace_ocfs2_release_dquot(from_kqid(&init_user_ns, dquot->dq_id),
+                                  dquot->dq_id.type);
        mutex_lock(&dquot->dq_lock);
        /* Check whether we are not racing with some other dqget() */
@@ -691,7 +698,7 @@ static int ocfs2_release_dquot(struct dquot *dquot)
        if (status < 0)
                goto out;
        handle = ocfs2_start_trans(osb,
-                ocfs2_calc_qdel_credits(dquot->dq_sb, dquot->dq_type));
+                ocfs2_calc_qdel_credits(dquot->dq_sb, dquot->dq_id.type));
        if (IS_ERR(handle)) {
                status = PTR_ERR(handle);
                mlog_errno(status);
@@ -733,13 +740,14 @@ static int ocfs2_acquire_dquot(struct dquot *dquot)
        int ex = 0;
        struct super_block *sb = dquot->dq_sb;
        struct ocfs2_super *osb = OCFS2_SB(sb);
-        int type = dquot->dq_type;
+        int type = dquot->dq_id.type;
        struct ocfs2_mem_dqinfo *info = sb_dqinfo(sb, type)->dqi_priv;
        struct inode *gqinode = info->dqi_gqinode;
        int need_alloc = ocfs2_global_qinit_alloc(sb, type);
        handle_t *handle;
-        trace_ocfs2_acquire_dquot(dquot->dq_id, type);
+        trace_ocfs2_acquire_dquot(from_kqid(&init_user_ns, dquot->dq_id),
+                                  type);
        mutex_lock(&dquot->dq_lock);
        /*
         * We need an exclusive lock, because we're going to update use count
@@ -821,12 +829,13 @@ static int ocfs2_mark_dquot_dirty(struct dquot *dquot)
        int sync = 0;
        int status;
        struct super_block *sb = dquot->dq_sb;
-        int type = dquot->dq_type;
+        int type = dquot->dq_id.type;
        struct ocfs2_mem_dqinfo *oinfo = sb_dqinfo(sb, type)->dqi_priv;
        handle_t *handle;
        struct ocfs2_super *osb = OCFS2_SB(sb);
-        trace_ocfs2_mark_dquot_dirty(dquot->dq_id, type);
+        trace_ocfs2_mark_dquot_dirty(from_kqid(&init_user_ns, dquot->dq_id),
+                                     type);
        /* In case user set some limits, sync dquot immediately to global
         * quota file so that information propagates quicker */
diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
index f100bf70a906..27fe7ee4874c 100644
--- a/fs/ocfs2/quota_local.c
+++ b/fs/ocfs2/quota_local.c
@@ -501,7 +501,9 @@ static int ocfs2_recover_local_quota_file(struct inode *lqinode,
                        }
                        dqblk = (struct ocfs2_local_disk_dqblk *)(qbh->b_data +
                                ol_dqblk_block_off(sb, chunk, bit));
-                        dquot = dqget(sb, le64_to_cpu(dqblk->dqb_id), type);
+                        dquot = dqget(sb,
+                                      make_kqid(&init_user_ns, type,
+                                                le64_to_cpu(dqblk->dqb_id)));
                        if (!dquot) {
                                status = -EIO;
                                mlog(ML_ERROR, "Failed to get quota structure "
@@ -881,7 +883,8 @@ static void olq_set_dquot(struct buffer_head *bh, void *private)
        dqblk = (struct ocfs2_local_disk_dqblk *)(bh->b_data
                + ol_dqblk_block_offset(sb, od->dq_local_off));
-        dqblk->dqb_id = cpu_to_le64(od->dq_dquot.dq_id);
+        dqblk->dqb_id = cpu_to_le64(from_kqid(&init_user_ns,
+                                              od->dq_dquot.dq_id));
        spin_lock(&dq_data_lock);
        dqblk->dqb_spacemod = cpu_to_le64(od->dq_dquot.dq_dqb.dqb_curspace -
                                          od->dq_origspace);
@@ -891,7 +894,7 @@ static void olq_set_dquot(struct buffer_head *bh, void *private)
        trace_olq_set_dquot(
                (unsigned long long)le64_to_cpu(dqblk->dqb_spacemod),
                (unsigned long long)le64_to_cpu(dqblk->dqb_inodemod),
-                od->dq_dquot.dq_id);
+                from_kqid(&init_user_ns, od->dq_dquot.dq_id));
 }
 /* Write dquot to local quota file */
@@ -900,7 +903,7 @@ int ocfs2_local_write_dquot(struct dquot *dquot)
        struct super_block *sb = dquot->dq_sb;
        struct ocfs2_dquot *od = OCFS2_DQUOT(dquot);
        struct buffer_head *bh;
-        struct inode *lqinode = sb_dqopt(sb)->files[dquot->dq_type];
+        struct inode *lqinode = sb_dqopt(sb)->files[dquot->dq_id.type];
        int status;
        status = ocfs2_read_quota_phys_block(lqinode, od->dq_local_phys_blk,
@@ -1221,7 +1224,7 @@ static void olq_alloc_dquot(struct buffer_head *bh, void *private)
 int ocfs2_create_local_dquot(struct dquot *dquot)
 {
        struct super_block *sb = dquot->dq_sb;
-        int type = dquot->dq_type;
+        int type = dquot->dq_id.type;
        struct inode *lqinode = sb_dqopt(sb)->files[type];
        struct ocfs2_quota_chunk *chunk;
        struct ocfs2_dquot *od = OCFS2_DQUOT(dquot);
@@ -1275,7 +1278,7 @@ out:
 int ocfs2_local_release_dquot(handle_t *handle, struct dquot *dquot)
 {
        int status;
-        int type = dquot->dq_type;
+        int type = dquot->dq_id.type;
        struct ocfs2_dquot *od = OCFS2_DQUOT(dquot);
        struct super_block *sb = dquot->dq_sb;
        struct ocfs2_local_disk_chunk *dchunk;
diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c
index e6213b3725d1..25d715c7c87a 100644
--- a/fs/omfs/inode.c
+++ b/fs/omfs/inode.c
@@ -391,12 +391,16 @@ static int parse_options(char *options, struct omfs_sb_info *sbi)
                case Opt_uid:
                        if (match_int(&args[0], &option))
                                return 0;
-                        sbi->s_uid = option;
+                        sbi->s_uid = make_kuid(current_user_ns(), option);
+                        if (!uid_valid(sbi->s_uid))
+                                return 0;
                        break;
                case Opt_gid:
                        if (match_int(&args[0], &option))
                                return 0;
-                        sbi->s_gid = option;
+                        sbi->s_gid = make_kgid(current_user_ns(), option);
+                        if (!gid_valid(sbi->s_gid))
+                                return 0;
                        break;
                case Opt_umask:
                        if (match_octal(&args[0], &option))
diff --git a/fs/omfs/omfs.h b/fs/omfs/omfs.h
index 8941f12c6b01..f0f8bc75e609 100644
--- a/fs/omfs/omfs.h
+++ b/fs/omfs/omfs.h
@@ -19,8 +19,8 @@ struct omfs_sb_info {
        unsigned long **s_imap;
        int s_imap_size;
        struct mutex s_bitmap_lock;
-        int s_uid;
+        kuid_t s_uid;
-        int s_gid;
+        kgid_t s_gid;
        int s_dmask;
        int s_fmask;
 };
diff --git a/fs/open.c b/fs/open.c
index e1f2cdb91a4d..b0bae3a41825 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -534,7 +534,7 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
                newattrs.ia_valid |=
                        ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
        mutex_lock(&inode->i_mutex);
-        error = security_path_chown(path, user, group);
+        error = security_path_chown(path, uid, gid);
        if (!error)
                error = notify_change(path->dentry, &newattrs);
        mutex_unlock(&inode->i_mutex);
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 5e325a42e33d..8bd2135b7f82 100644
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -78,7 +78,8 @@ posix_acl_valid(const struct posix_acl *acl)
 {
        const struct posix_acl_entry *pa, *pe;
        int state = ACL_USER_OBJ;
-        unsigned int id = 0;  /* keep gcc happy */
+        kuid_t prev_uid = INVALID_UID;
+        kgid_t prev_gid = INVALID_GID;
        int needs_mask = 0;
        FOREACH_ACL_ENTRY(pa, acl, pe) {
@@ -87,7 +88,6 @@ posix_acl_valid(const struct posix_acl *acl)
                switch (pa->e_tag) {
                        case ACL_USER_OBJ:
                                if (state == ACL_USER_OBJ) {
-                                        id = 0;
                                        state = ACL_USER;
                                        break;
                                }
@@ -96,16 +96,17 @@ posix_acl_valid(const struct posix_acl *acl)
                        case ACL_USER:
                                if (state != ACL_USER)
                                        return -EINVAL;
-                                if (pa->e_id == ACL_UNDEFINED_ID ||
+                                if (!uid_valid(pa->e_uid))
-                                    pa->e_id < id)
                                        return -EINVAL;
-                                id = pa->e_id + 1;
+                                if (uid_valid(prev_uid) &&
+                                    uid_lte(pa->e_uid, prev_uid))
+                                        return -EINVAL;
+                                prev_uid = pa->e_uid;
                                needs_mask = 1;
                                break;
                        case ACL_GROUP_OBJ:
                                if (state == ACL_USER) {
-                                        id = 0;
                                        state = ACL_GROUP;
                                        break;
                                }
@@ -114,10 +115,12 @@ posix_acl_valid(const struct posix_acl *acl)
                        case ACL_GROUP:
                                if (state != ACL_GROUP)
                                        return -EINVAL;
-                                if (pa->e_id == ACL_UNDEFINED_ID ||
+                                if (!gid_valid(pa->e_gid))
-                                    pa->e_id < id)
+                                        return -EINVAL;
+                                if (gid_valid(prev_gid) &&
+                                    gid_lte(pa->e_gid, prev_gid))
                                        return -EINVAL;
-                                id = pa->e_id + 1;
+                                prev_gid = pa->e_gid;
                                needs_mask = 1;
                                break;
@@ -195,15 +198,12 @@ posix_acl_from_mode(umode_t mode, gfp_t flags)
                return ERR_PTR(-ENOMEM);
        acl->a_entries[0].e_tag  = ACL_USER_OBJ;
-        acl->a_entries[0].e_id   = ACL_UNDEFINED_ID;
        acl->a_entries[0].e_perm = (mode & S_IRWXU) >> 6;
        acl->a_entries[1].e_tag  = ACL_GROUP_OBJ;
-        acl->a_entries[1].e_id   = ACL_UNDEFINED_ID;
        acl->a_entries[1].e_perm = (mode & S_IRWXG) >> 3;
        acl->a_entries[2].e_tag  = ACL_OTHER;
-        acl->a_entries[2].e_id   = ACL_UNDEFINED_ID;
        acl->a_entries[2].e_perm = (mode & S_IRWXO);
        return acl;
 }
@@ -224,11 +224,11 @@ posix_acl_permission(struct inode *inode, const struct posix_acl *acl, int want)
                switch(pa->e_tag) {
                        case ACL_USER_OBJ:
                                /* (May have been checked already) */
-                                if (inode->i_uid == current_fsuid())
+                                if (uid_eq(inode->i_uid, current_fsuid()))
                                        goto check_perm;
                                break;
                        case ACL_USER:
-                                if (pa->e_id == current_fsuid())
+                                if (uid_eq(pa->e_uid, current_fsuid()))
                                        goto mask;
                                break;
                        case ACL_GROUP_OBJ:
@@ -239,7 +239,7 @@ posix_acl_permission(struct inode *inode, const struct posix_acl *acl, int want)
                                }
                                break;
                        case ACL_GROUP:
-                                if (in_group_p(pa->e_id)) {
+                                if (in_group_p(pa->e_gid)) {
                                        found = 1;
                                        if ((pa->e_perm & want) == want)
                                                goto mask;
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 1b6c84cbdb73..acd1960c28a2 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1089,7 +1089,8 @@ static ssize_t proc_loginuid_read(struct file * file, char __user * buf,
        if (!task)
                return -ESRCH;
        length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
-                                audit_get_loginuid(task));
+                           from_kuid(file->f_cred->user_ns,
+                                     audit_get_loginuid(task)));
        put_task_struct(task);
        return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
 }
@@ -1101,6 +1102,7 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf,
        char *page, *tmp;
        ssize_t length;
        uid_t loginuid;
+        kuid_t kloginuid;
        rcu_read_lock();
        if (current != pid_task(proc_pid(inode), PIDTYPE_PID)) {
@@ -1130,7 +1132,13 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf,
                goto out_free_page;
        }
-        length = audit_set_loginuid(loginuid);
+        kloginuid = make_kuid(file->f_cred->user_ns, loginuid);
+        if (!uid_valid(kloginuid)) {
+                length = -EINVAL;
+                goto out_free_page;
+        }
+        length = audit_set_loginuid(kloginuid);
        if (likely(length == 0))
                length = count;
@@ -2983,6 +2991,11 @@ static int proc_gid_map_open(struct inode *inode, struct file *file)
        return proc_id_map_open(inode, file, &proc_gid_seq_operations);
 }
+static int proc_projid_map_open(struct inode *inode, struct file *file)
+{
+        return proc_id_map_open(inode, file, &proc_projid_seq_operations);
+}
 static const struct file_operations proc_uid_map_operations = {
        .open           = proc_uid_map_open,
        .write          = proc_uid_map_write,
@@ -2998,6 +3011,14 @@ static const struct file_operations proc_gid_map_operations = {
        .llseek         = seq_lseek,
        .release        = proc_id_map_release,
 };
+static const struct file_operations proc_projid_map_operations = {
+        .open           = proc_projid_map_open,
+        .write          = proc_projid_map_write,
+        .read           = seq_read,
+        .llseek         = seq_lseek,
+        .release        = proc_id_map_release,
+};
 #endif /* CONFIG_USER_NS */
 static int proc_pid_personality(struct seq_file *m, struct pid_namespace *ns,
@@ -3105,6 +3126,7 @@ static const struct pid_entry tgid_base_stuff[] = {
 #ifdef CONFIG_USER_NS
        REG("uid_map",    S_IRUGO|S_IWUSR, proc_uid_map_operations),
        REG("gid_map",    S_IRUGO|S_IWUSR, proc_gid_map_operations),
+        REG("projid_map", S_IRUGO|S_IWUSR, proc_projid_map_operations),
 #endif
 };
@@ -3468,6 +3490,7 @@ static const struct pid_entry tid_base_stuff[] = {
 #ifdef CONFIG_USER_NS
        REG("uid_map",    S_IRUGO|S_IWUSR, proc_uid_map_operations),
        REG("gid_map",    S_IRUGO|S_IWUSR, proc_gid_map_operations),
+        REG("projid_map", S_IRUGO|S_IWUSR, proc_projid_map_operations),
 #endif
 };
diff --git a/fs/qnx4/inode.c b/fs/qnx4/inode.c
index 552e994e3aa1..5c3c7b02e17b 100644
--- a/fs/qnx4/inode.c
+++ b/fs/qnx4/inode.c
@@ -312,8 +312,8 @@ struct inode *qnx4_iget(struct super_block *sb, unsigned long ino)
            (ino % QNX4_INODES_PER_BLOCK);
        inode->i_mode    = le16_to_cpu(raw_inode->di_mode);
-        inode->i_uid     = (uid_t)le16_to_cpu(raw_inode->di_uid);
+        i_uid_write(inode, (uid_t)le16_to_cpu(raw_inode->di_uid));
-        inode->i_gid     = (gid_t)le16_to_cpu(raw_inode->di_gid);
+        i_gid_write(inode, (gid_t)le16_to_cpu(raw_inode->di_gid));
        set_nlink(inode, le16_to_cpu(raw_inode->di_nlink));
        inode->i_size    = le32_to_cpu(raw_inode->di_size);
        inode->i_mtime.tv_sec   = le32_to_cpu(raw_inode->di_mtime);
diff --git a/fs/qnx6/inode.c b/fs/qnx6/inode.c
index 2049c814bda4..f4eef0b5e7b5 100644
--- a/fs/qnx6/inode.c
+++ b/fs/qnx6/inode.c
@@ -574,8 +574,8 @@ struct inode *qnx6_iget(struct super_block *sb, unsigned ino)
        raw_inode = ((struct qnx6_inode_entry *)page_address(page)) + offs;
        inode->i_mode    = fs16_to_cpu(sbi, raw_inode->di_mode);
-        inode->i_uid     = (uid_t)fs32_to_cpu(sbi, raw_inode->di_uid);
+        i_uid_write(inode, (uid_t)fs32_to_cpu(sbi, raw_inode->di_uid));
-        inode->i_gid     = (gid_t)fs32_to_cpu(sbi, raw_inode->di_gid);
+        i_gid_write(inode, (gid_t)fs32_to_cpu(sbi, raw_inode->di_gid));
        inode->i_size    = fs64_to_cpu(sbi, raw_inode->di_size);
        inode->i_mtime.tv_sec   = fs32_to_cpu(sbi, raw_inode->di_mtime);
        inode->i_mtime.tv_nsec = 0;
diff --git a/fs/quota/Makefile b/fs/quota/Makefile
index 5f9e9e276af0..c66c37cdaa39 100644
--- a/fs/quota/Makefile
+++ b/fs/quota/Makefile
@@ -2,6 +2,6 @@ obj-$(CONFIG_QUOTA)		+= dquot.o
 obj-$(CONFIG_QFMT_V1)           += quota_v1.o
 obj-$(CONFIG_QFMT_V2)           += quota_v2.o
 obj-$(CONFIG_QUOTA_TREE)        += quota_tree.o
-obj-$(CONFIG_QUOTACTL)          += quota.o
+obj-$(CONFIG_QUOTACTL)          += quota.o kqid.o
 obj-$(CONFIG_QUOTACTL_COMPAT)   += compat.o
 obj-$(CONFIG_QUOTA_NETLINK_INTERFACE)   += netlink.o
diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index c495a3055e2a..557a9c20a215 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -253,8 +253,10 @@ static qsize_t inode_get_rsv_space(struct inode *inode);
 static void __dquot_initialize(struct inode *inode, int type);
 static inline unsigned int
-hashfn(const struct super_block *sb, unsigned int id, int type)
+hashfn(const struct super_block *sb, struct kqid qid)
 {
+        unsigned int id = from_kqid(&init_user_ns, qid);
+        int type = qid.type;
        unsigned long tmp;
        tmp = (((unsigned long)sb>>L1_CACHE_SHIFT) ^ id) * (MAXQUOTAS - type);
@@ -267,7 +269,7 @@ hashfn(const struct super_block *sb, unsigned int id, int type)
 static inline void insert_dquot_hash(struct dquot *dquot)
 {
        struct hlist_head *head;
-        head = dquot_hash + hashfn(dquot->dq_sb, dquot->dq_id, dquot->dq_type);
+        head = dquot_hash + hashfn(dquot->dq_sb, dquot->dq_id);
        hlist_add_head(&dquot->dq_hash, head);
 }
@@ -277,15 +279,14 @@ static inline void remove_dquot_hash(struct dquot *dquot)
 }
 static struct dquot *find_dquot(unsigned int hashent, struct super_block *sb,
-                                unsigned int id, int type)
+                                struct kqid qid)
 {
        struct hlist_node *node;
        struct dquot *dquot;
        hlist_for_each (node, dquot_hash+hashent) {
                dquot = hlist_entry(node, struct dquot, dq_hash);
-                if (dquot->dq_sb == sb && dquot->dq_id == id &&
+                if (dquot->dq_sb == sb && qid_eq(dquot->dq_id, qid))
-                    dquot->dq_type == type)
                        return dquot;
        }
        return NULL;
@@ -351,7 +352,7 @@ int dquot_mark_dquot_dirty(struct dquot *dquot)
        spin_lock(&dq_list_lock);
        if (!test_and_set_bit(DQ_MOD_B, &dquot->dq_flags)) {
                list_add(&dquot->dq_dirty, &sb_dqopt(dquot->dq_sb)->
-                                info[dquot->dq_type].dqi_dirty_list);
+                                info[dquot->dq_id.type].dqi_dirty_list);
                ret = 0;
        }
        spin_unlock(&dq_list_lock);
@@ -410,17 +411,17 @@ int dquot_acquire(struct dquot *dquot)
        mutex_lock(&dquot->dq_lock);
        mutex_lock(&dqopt->dqio_mutex);
        if (!test_bit(DQ_READ_B, &dquot->dq_flags))
-                ret = dqopt->ops[dquot->dq_type]->read_dqblk(dquot);
+                ret = dqopt->ops[dquot->dq_id.type]->read_dqblk(dquot);
        if (ret < 0)
                goto out_iolock;
        set_bit(DQ_READ_B, &dquot->dq_flags);
        /* Instantiate dquot if needed */
        if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags) && !dquot->dq_off) {
-                ret = dqopt->ops[dquot->dq_type]->commit_dqblk(dquot);
+                ret = dqopt->ops[dquot->dq_id.type]->commit_dqblk(dquot);
                /* Write the info if needed */
-                if (info_dirty(&dqopt->info[dquot->dq_type])) {
+                if (info_dirty(&dqopt->info[dquot->dq_id.type])) {
-                        ret2 = dqopt->ops[dquot->dq_type]->write_file_info(
+                        ret2 = dqopt->ops[dquot->dq_id.type]->write_file_info(
-                                                dquot->dq_sb, dquot->dq_type);
+                                        dquot->dq_sb, dquot->dq_id.type);
                }
                if (ret < 0)
                        goto out_iolock;
@@ -455,7 +456,7 @@ int dquot_commit(struct dquot *dquot)
        /* Inactive dquot can be only if there was error during read/init
         * => we have better not writing it */
        if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags))
-                ret = dqopt->ops[dquot->dq_type]->commit_dqblk(dquot);
+                ret = dqopt->ops[dquot->dq_id.type]->commit_dqblk(dquot);
        else
                ret = -EIO;
 out_sem:
@@ -477,12 +478,12 @@ int dquot_release(struct dquot *dquot)
        if (atomic_read(&dquot->dq_count) > 1)
                goto out_dqlock;
        mutex_lock(&dqopt->dqio_mutex);
-        if (dqopt->ops[dquot->dq_type]->release_dqblk) {
+        if (dqopt->ops[dquot->dq_id.type]->release_dqblk) {
-                ret = dqopt->ops[dquot->dq_type]->release_dqblk(dquot);
+                ret = dqopt->ops[dquot->dq_id.type]->release_dqblk(dquot);
                /* Write the info */
-                if (info_dirty(&dqopt->info[dquot->dq_type])) {
+                if (info_dirty(&dqopt->info[dquot->dq_id.type])) {
-                        ret2 = dqopt->ops[dquot->dq_type]->write_file_info(
+                        ret2 = dqopt->ops[dquot->dq_id.type]->write_file_info(
-                                                dquot->dq_sb, dquot->dq_type);
+                                                dquot->dq_sb, dquot->dq_id.type);
                }
                if (ret >= 0)
                        ret = ret2;
@@ -521,7 +522,7 @@ restart:
        list_for_each_entry_safe(dquot, tmp, &inuse_list, dq_inuse) {
                if (dquot->dq_sb != sb)
                        continue;
-                if (dquot->dq_type != type)
+                if (dquot->dq_id.type != type)
                        continue;
                /* Wait for dquot users */
                if (atomic_read(&dquot->dq_count)) {
@@ -741,7 +742,8 @@ void dqput(struct dquot *dquot)
 #ifdef CONFIG_QUOTA_DEBUG
        if (!atomic_read(&dquot->dq_count)) {
                quota_error(dquot->dq_sb, "trying to free free dquot of %s %d",
-                            quotatypes[dquot->dq_type], dquot->dq_id);
+                            quotatypes[dquot->dq_id.type],
+                            from_kqid(&init_user_ns, dquot->dq_id));
                BUG();
        }
 #endif
@@ -752,7 +754,7 @@ we_slept:
                /* We have more than one user... nothing to do */
                atomic_dec(&dquot->dq_count);
                /* Releasing dquot during quotaoff phase? */
-                if (!sb_has_quota_active(dquot->dq_sb, dquot->dq_type) &&
+                if (!sb_has_quota_active(dquot->dq_sb, dquot->dq_id.type) &&
                    atomic_read(&dquot->dq_count) == 1)
                        wake_up(&dquot->dq_wait_unused);
                spin_unlock(&dq_list_lock);
@@ -815,7 +817,7 @@ static struct dquot *get_empty_dquot(struct super_block *sb, int type)
        INIT_LIST_HEAD(&dquot->dq_dirty);
        init_waitqueue_head(&dquot->dq_wait_unused);
        dquot->dq_sb = sb;
-        dquot->dq_type = type;
+        dquot->dq_id = make_kqid_invalid(type);
        atomic_set(&dquot->dq_count, 1);
        return dquot;
@@ -829,35 +831,35 @@ static struct dquot *get_empty_dquot(struct super_block *sb, int type)
 *   a) checking for quota flags under dq_list_lock and
 *   b) getting a reference to dquot before we release dq_list_lock
 */
-struct dquot *dqget(struct super_block *sb, unsigned int id, int type)
+struct dquot *dqget(struct super_block *sb, struct kqid qid)
 {
-        unsigned int hashent = hashfn(sb, id, type);
+        unsigned int hashent = hashfn(sb, qid);
        struct dquot *dquot = NULL, *empty = NULL;
-        if (!sb_has_quota_active(sb, type))
+        if (!sb_has_quota_active(sb, qid.type))
                return NULL;
 we_slept:
        spin_lock(&dq_list_lock);
        spin_lock(&dq_state_lock);
-        if (!sb_has_quota_active(sb, type)) {
+        if (!sb_has_quota_active(sb, qid.type)) {
                spin_unlock(&dq_state_lock);
                spin_unlock(&dq_list_lock);
                goto out;
        }
        spin_unlock(&dq_state_lock);
-        dquot = find_dquot(hashent, sb, id, type);
+        dquot = find_dquot(hashent, sb, qid);
        if (!dquot) {
                if (!empty) {
                        spin_unlock(&dq_list_lock);
-                        empty = get_empty_dquot(sb, type);
+                        empty = get_empty_dquot(sb, qid.type);
                        if (!empty)
                                schedule();     /* Try to wait for a moment... */
                        goto we_slept;
                }
                dquot = empty;
                empty = NULL;
-                dquot->dq_id = id;
+                dquot->dq_id = qid;
                /* all dquots go on the inuse_list */
                put_inuse(dquot);
                /* hash it first so it can be found */
@@ -1129,8 +1131,7 @@ static void dquot_decr_space(struct dquot *dquot, qsize_t number)
 struct dquot_warn {
        struct super_block *w_sb;
-        qid_t w_dq_id;
+        struct kqid w_dq_id;
-        short w_dq_type;
        short w_type;
 };
@@ -1154,11 +1155,11 @@ static int need_print_warning(struct dquot_warn *warn)
        if (!flag_print_warnings)
                return 0;
-        switch (warn->w_dq_type) {
+        switch (warn->w_dq_id.type) {
                case USRQUOTA:
-                        return current_fsuid() == warn->w_dq_id;
+                        return uid_eq(current_fsuid(), warn->w_dq_id.uid);
                case GRPQUOTA:
-                        return in_group_p(warn->w_dq_id);
+                        return in_group_p(warn->w_dq_id.gid);
        }
        return 0;
 }
@@ -1184,7 +1185,7 @@ static void print_warning(struct dquot_warn *warn)
                tty_write_message(tty, ": warning, ");
        else
                tty_write_message(tty, ": write failed, ");
-        tty_write_message(tty, quotatypes[warn->w_dq_type]);
+        tty_write_message(tty, quotatypes[warn->w_dq_id.type]);
        switch (warntype) {
                case QUOTA_NL_IHARDWARN:
                        msg = " file limit reached.\r\n";
@@ -1218,7 +1219,6 @@ static void prepare_warning(struct dquot_warn *warn, struct dquot *dquot,
        warn->w_type = warntype;
        warn->w_sb = dquot->dq_sb;
        warn->w_dq_id = dquot->dq_id;
-        warn->w_dq_type = dquot->dq_type;
 }
 /*
@@ -1236,14 +1236,14 @@ static void flush_warnings(struct dquot_warn *warn)
 #ifdef CONFIG_PRINT_QUOTA_WARNING
                print_warning(&warn[i]);
 #endif
-                quota_send_warning(warn[i].w_dq_type, warn[i].w_dq_id,
+                quota_send_warning(warn[i].w_dq_id,
                                   warn[i].w_sb->s_dev, warn[i].w_type);
        }
 }
 static int ignore_hardlimit(struct dquot *dquot)
 {
-        struct mem_dqinfo *info = &sb_dqopt(dquot->dq_sb)->info[dquot->dq_type];
+        struct mem_dqinfo *info = &sb_dqopt(dquot->dq_sb)->info[dquot->dq_id.type];
        return capable(CAP_SYS_RESOURCE) &&
               (info->dqi_format->qf_fmt_id != QFMT_VFS_OLD ||
@@ -1256,7 +1256,7 @@ static int check_idq(struct dquot *dquot, qsize_t inodes,
 {
        qsize_t newinodes = dquot->dq_dqb.dqb_curinodes + inodes;
-        if (!sb_has_quota_limits_enabled(dquot->dq_sb, dquot->dq_type) ||
+        if (!sb_has_quota_limits_enabled(dquot->dq_sb, dquot->dq_id.type) ||
            test_bit(DQ_FAKE_B, &dquot->dq_flags))
                return 0;
@@ -1281,7 +1281,7 @@ static int check_idq(struct dquot *dquot, qsize_t inodes,
            dquot->dq_dqb.dqb_itime == 0) {
                prepare_warning(warn, dquot, QUOTA_NL_ISOFTWARN);
                dquot->dq_dqb.dqb_itime = get_seconds() +
-                    sb_dqopt(dquot->dq_sb)->info[dquot->dq_type].dqi_igrace;
+                    sb_dqopt(dquot->dq_sb)->info[dquot->dq_id.type].dqi_igrace;
        }
        return 0;
@@ -1294,7 +1294,7 @@ static int check_bdq(struct dquot *dquot, qsize_t space, int prealloc,
        qsize_t tspace;
        struct super_block *sb = dquot->dq_sb;
-        if (!sb_has_quota_limits_enabled(sb, dquot->dq_type) ||
+        if (!sb_has_quota_limits_enabled(sb, dquot->dq_id.type) ||
            test_bit(DQ_FAKE_B, &dquot->dq_flags))
                return 0;
@@ -1325,7 +1325,7 @@ static int check_bdq(struct dquot *dquot, qsize_t space, int prealloc,
                if (!prealloc) {
                        prepare_warning(warn, dquot, QUOTA_NL_BSOFTWARN);
                        dquot->dq_dqb.dqb_btime = get_seconds() +
-                            sb_dqopt(sb)->info[dquot->dq_type].dqi_bgrace;
+                            sb_dqopt(sb)->info[dquot->dq_id.type].dqi_bgrace;
                }
                else
                        /*
@@ -1344,7 +1344,7 @@ static int info_idq_free(struct dquot *dquot, qsize_t inodes)
        if (test_bit(DQ_FAKE_B, &dquot->dq_flags) ||
            dquot->dq_dqb.dqb_curinodes <= dquot->dq_dqb.dqb_isoftlimit ||
-            !sb_has_quota_limits_enabled(dquot->dq_sb, dquot->dq_type))
+            !sb_has_quota_limits_enabled(dquot->dq_sb, dquot->dq_id.type))
                return QUOTA_NL_NOWARN;
        newinodes = dquot->dq_dqb.dqb_curinodes - inodes;
@@ -1390,7 +1390,6 @@ static int dquot_active(const struct inode *inode)
 */
 static void __dquot_initialize(struct inode *inode, int type)
 {
-        unsigned int id = 0;
        int cnt;
        struct dquot *got[MAXQUOTAS];
        struct super_block *sb = inode->i_sb;
@@ -1403,18 +1402,19 @@ static void __dquot_initialize(struct inode *inode, int type)
        /* First get references to structures we might need. */
        for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
+                struct kqid qid;
                got[cnt] = NULL;
                if (type != -1 && cnt != type)
                        continue;
                switch (cnt) {
                case USRQUOTA:
-                        id = inode->i_uid;
+                        qid = make_kqid_uid(inode->i_uid);
                        break;
                case GRPQUOTA:
-                        id = inode->i_gid;
+                        qid = make_kqid_gid(inode->i_gid);
                        break;
                }
-                got[cnt] = dqget(sb, id, cnt);
+                got[cnt] = dqget(sb, qid);
        }
        down_write(&sb_dqopt(sb)->dqptr_sem);
@@ -1897,10 +1897,10 @@ int dquot_transfer(struct inode *inode, struct iattr *iattr)
        if (!dquot_active(inode))
                return 0;
-        if (iattr->ia_valid & ATTR_UID && iattr->ia_uid != inode->i_uid)
+        if (iattr->ia_valid & ATTR_UID && !uid_eq(iattr->ia_uid, inode->i_uid))
-                transfer_to[USRQUOTA] = dqget(sb, iattr->ia_uid, USRQUOTA);
+                transfer_to[USRQUOTA] = dqget(sb, make_kqid_uid(iattr->ia_uid));
-        if (iattr->ia_valid & ATTR_GID && iattr->ia_gid != inode->i_gid)
+        if (iattr->ia_valid & ATTR_GID && !gid_eq(iattr->ia_gid, inode->i_gid))
-                transfer_to[GRPQUOTA] = dqget(sb, iattr->ia_gid, GRPQUOTA);
+                transfer_to[GRPQUOTA] = dqget(sb, make_kqid_gid(iattr->ia_gid));
        ret = __dquot_transfer(inode, transfer_to);
        dqput_all(transfer_to);
@@ -2360,9 +2360,9 @@ static void do_get_dqblk(struct dquot *dquot, struct fs_disk_quota *di)
        memset(di, 0, sizeof(*di));
        di->d_version = FS_DQUOT_VERSION;
-        di->d_flags = dquot->dq_type == USRQUOTA ?
+        di->d_flags = dquot->dq_id.type == USRQUOTA ?
                        FS_USER_QUOTA : FS_GROUP_QUOTA;
-        di->d_id = dquot->dq_id;
+        di->d_id = from_kqid_munged(current_user_ns(), dquot->dq_id);
        spin_lock(&dq_data_lock);
        di->d_blk_hardlimit = stoqb(dm->dqb_bhardlimit);
@@ -2376,12 +2376,12 @@ static void do_get_dqblk(struct dquot *dquot, struct fs_disk_quota *di)
        spin_unlock(&dq_data_lock);
 }
-int dquot_get_dqblk(struct super_block *sb, int type, qid_t id,
+int dquot_get_dqblk(struct super_block *sb, struct kqid qid,
                    struct fs_disk_quota *di)
 {
        struct dquot *dquot;
-        dquot = dqget(sb, id, type);
+        dquot = dqget(sb, qid);
        if (!dquot)
                return -ESRCH;
        do_get_dqblk(dquot, di);
@@ -2401,7 +2401,7 @@ static int do_set_dqblk(struct dquot *dquot, struct fs_disk_quota *di)
 {
        struct mem_dqblk *dm = &dquot->dq_dqb;
        int check_blim = 0, check_ilim = 0;
-        struct mem_dqinfo *dqi = &sb_dqopt(dquot->dq_sb)->info[dquot->dq_type];
+        struct mem_dqinfo *dqi = &sb_dqopt(dquot->dq_sb)->info[dquot->dq_id.type];
        if (di->d_fieldmask & ~VFS_FS_DQ_MASK)
                return -EINVAL;
@@ -2488,13 +2488,13 @@ static int do_set_dqblk(struct dquot *dquot, struct fs_disk_quota *di)
        return 0;
 }
-int dquot_set_dqblk(struct super_block *sb, int type, qid_t id,
+int dquot_set_dqblk(struct super_block *sb, struct kqid qid,
                  struct fs_disk_quota *di)
 {
        struct dquot *dquot;
        int rc;
-        dquot = dqget(sb, id, type);
+        dquot = dqget(sb, qid);
        if (!dquot) {
                rc = -ESRCH;
                goto out;
diff --git a/fs/quota/kqid.c b/fs/quota/kqid.c
new file mode 100644
index 000000000000..2f97b0e2c501
--- /dev/null
+++ b/fs/quota/kqid.c
@@ -0,0 +1,132 @@
+#include <linux/fs.h>
+#include <linux/quota.h>
+#include <linux/export.h>
+/**
+ *      qid_eq - Test to see if to kquid values are the same
+ *      @left: A qid value
+ *      @right: Another quid value
+ *
+ *      Return true if the two qid values are equal and false otherwise.
+ */
+bool qid_eq(struct kqid left, struct kqid right)
+{
+        if (left.type != right.type)
+                return false;
+        switch(left.type) {
+        case USRQUOTA:
+                return uid_eq(left.uid, right.uid);
+        case GRPQUOTA:
+                return gid_eq(left.gid, right.gid);
+        case PRJQUOTA:
+                return projid_eq(left.projid, right.projid);
+        default:
+                BUG();
+        }
+}
+EXPORT_SYMBOL(qid_eq);
+/**
+ *      qid_lt - Test to see if one qid value is less than another
+ *      @left: The possibly lesser qid value
+ *      @right: The possibly greater qid value
+ *
+ *      Return true if left is less than right and false otherwise.
+ */
+bool qid_lt(struct kqid left, struct kqid right)
+{
+        if (left.type < right.type)
+                return true;
+        if (left.type > right.type)
+                return false;
+        switch (left.type) {
+        case USRQUOTA:
+                return uid_lt(left.uid, right.uid);
+        case GRPQUOTA:
+                return gid_lt(left.gid, right.gid);
+        case PRJQUOTA:
+                return projid_lt(left.projid, right.projid);
+        default:
+                BUG();
+        }
+}
+EXPORT_SYMBOL(qid_lt);
+/**
+ *      from_kqid - Create a qid from a kqid user-namespace pair.
+ *      @targ: The user namespace we want a qid in.
+ *      @kuid: The kernel internal quota identifier to start with.
+ *
+ *      Map @kqid into the user-namespace specified by @targ and
+ *      return the resulting qid.
+ *
+ *      There is always a mapping into the initial user_namespace.
+ *
+ *      If @kqid has no mapping in @targ (qid_t)-1 is returned.
+ */
+qid_t from_kqid(struct user_namespace *targ, struct kqid kqid)
+{
+        switch (kqid.type) {
+        case USRQUOTA:
+                return from_kuid(targ, kqid.uid);
+        case GRPQUOTA:
+                return from_kgid(targ, kqid.gid);
+        case PRJQUOTA:
+                return from_kprojid(targ, kqid.projid);
+        default:
+                BUG();
+        }
+}
+EXPORT_SYMBOL(from_kqid);
+/**
+ *      from_kqid_munged - Create a qid from a kqid user-namespace pair.
+ *      @targ: The user namespace we want a qid in.
+ *      @kqid: The kernel internal quota identifier to start with.
+ *
+ *      Map @kqid into the user-namespace specified by @targ and
+ *      return the resulting qid.
+ *
+ *      There is always a mapping into the initial user_namespace.
+ *
+ *      Unlike from_kqid from_kqid_munged never fails and always
+ *      returns a valid projid.  This makes from_kqid_munged
+ *      appropriate for use in places where failing to provide
+ *      a qid_t is not a good option.
+ *
+ *      If @kqid has no mapping in @targ the kqid.type specific
+ *      overflow identifier is returned.
+ */
+qid_t from_kqid_munged(struct user_namespace *targ, struct kqid kqid)
+{
+        switch (kqid.type) {
+        case USRQUOTA:
+                return from_kuid_munged(targ, kqid.uid);
+        case GRPQUOTA:
+                return from_kgid_munged(targ, kqid.gid);
+        case PRJQUOTA:
+                return from_kprojid_munged(targ, kqid.projid);
+        default:
+                BUG();
+        }
+}
+EXPORT_SYMBOL(from_kqid_munged);
+/**
+ *      qid_valid - Report if a valid value is stored in a kqid.
+ *      @qid: The kernel internal quota identifier to test.
+ */
+bool qid_valid(struct kqid qid)
+{
+        switch (qid.type) {
+        case USRQUOTA:
+                return uid_valid(qid.uid);
+        case GRPQUOTA:
+                return gid_valid(qid.gid);
+        case PRJQUOTA:
+                return projid_valid(qid.projid);
+        default:
+                BUG();
+        }
+}
+EXPORT_SYMBOL(qid_valid);
diff --git a/fs/quota/netlink.c b/fs/quota/netlink.c
index d67908b407d9..16e8abb7709b 100644
--- a/fs/quota/netlink.c
+++ b/fs/quota/netlink.c
@@ -30,7 +30,7 @@ static struct genl_family quota_genl_family = {
 *
 */
-void quota_send_warning(short type, unsigned int id, dev_t dev,
+void quota_send_warning(struct kqid qid, dev_t dev,
                        const char warntype)
 {
        static atomic_t seq;
@@ -56,10 +56,11 @@ void quota_send_warning(short type, unsigned int id, dev_t dev,
                  "VFS: Cannot store netlink header in quota warning.\n");
                goto err_out;
        }
-        ret = nla_put_u32(skb, QUOTA_NL_A_QTYPE, type);
+        ret = nla_put_u32(skb, QUOTA_NL_A_QTYPE, qid.type);
        if (ret)
                goto attr_err_out;
-        ret = nla_put_u64(skb, QUOTA_NL_A_EXCESS_ID, id);
+        ret = nla_put_u64(skb, QUOTA_NL_A_EXCESS_ID,
+                          from_kqid_munged(&init_user_ns, qid));
        if (ret)
                goto attr_err_out;
        ret = nla_put_u32(skb, QUOTA_NL_A_WARNING, warntype);
@@ -71,7 +72,8 @@ void quota_send_warning(short type, unsigned int id, dev_t dev,
        ret = nla_put_u32(skb, QUOTA_NL_A_DEV_MINOR, MINOR(dev));
        if (ret)
                goto attr_err_out;
-        ret = nla_put_u64(skb, QUOTA_NL_A_CAUSED_ID, current_uid());
+        ret = nla_put_u64(skb, QUOTA_NL_A_CAUSED_ID,
+                          from_kuid_munged(&init_user_ns, current_uid()));
        if (ret)
                goto attr_err_out;
        genlmsg_end(skb, msg_head);
diff --git a/fs/quota/quota.c b/fs/quota/quota.c
index 6f155788cbc6..ff0135d6bc51 100644
--- a/fs/quota/quota.c
+++ b/fs/quota/quota.c
@@ -32,8 +32,8 @@ static int check_quotactl_permission(struct super_block *sb, int type, int cmd,
        /* allow to query information for dquots we "own" */
        case Q_GETQUOTA:
        case Q_XGETQUOTA:
-                if ((type == USRQUOTA && current_euid() == id) ||
+                if ((type == USRQUOTA && uid_eq(current_euid(), make_kuid(current_user_ns(), id))) ||
-                    (type == GRPQUOTA && in_egroup_p(id)))
+                    (type == GRPQUOTA && in_egroup_p(make_kgid(current_user_ns(), id))))
                        break;
                /*FALLTHROUGH*/
        default:
@@ -130,13 +130,17 @@ static void copy_to_if_dqblk(struct if_dqblk *dst, struct fs_disk_quota *src)
 static int quota_getquota(struct super_block *sb, int type, qid_t id,
                          void __user *addr)
 {
+        struct kqid qid;
        struct fs_disk_quota fdq;
        struct if_dqblk idq;
        int ret;
        if (!sb->s_qcop->get_dqblk)
                return -ENOSYS;
-        ret = sb->s_qcop->get_dqblk(sb, type, id, &fdq);
+        qid = make_kqid(current_user_ns(), type, id);
+        if (!qid_valid(qid))
+                return -EINVAL;
+        ret = sb->s_qcop->get_dqblk(sb, qid, &fdq);
        if (ret)
                return ret;
        copy_to_if_dqblk(&idq, &fdq);
@@ -176,13 +180,17 @@ static int quota_setquota(struct super_block *sb, int type, qid_t id,
 {
        struct fs_disk_quota fdq;
        struct if_dqblk idq;
+        struct kqid qid;
        if (copy_from_user(&idq, addr, sizeof(idq)))
                return -EFAULT;
        if (!sb->s_qcop->set_dqblk)
                return -ENOSYS;
+        qid = make_kqid(current_user_ns(), type, id);
+        if (!qid_valid(qid))
+                return -EINVAL;
        copy_from_if_dqblk(&fdq, &idq);
-        return sb->s_qcop->set_dqblk(sb, type, id, &fdq);
+        return sb->s_qcop->set_dqblk(sb, qid, &fdq);
 }
 static int quota_setxstate(struct super_block *sb, int cmd, void __user *addr)
@@ -213,23 +221,31 @@ static int quota_setxquota(struct super_block *sb, int type, qid_t id,
                           void __user *addr)
 {
        struct fs_disk_quota fdq;
+        struct kqid qid;
        if (copy_from_user(&fdq, addr, sizeof(fdq)))
                return -EFAULT;
        if (!sb->s_qcop->set_dqblk)
                return -ENOSYS;
-        return sb->s_qcop->set_dqblk(sb, type, id, &fdq);
+        qid = make_kqid(current_user_ns(), type, id);
+        if (!qid_valid(qid))
+                return -EINVAL;
+        return sb->s_qcop->set_dqblk(sb, qid, &fdq);
 }
 static int quota_getxquota(struct super_block *sb, int type, qid_t id,
                           void __user *addr)
 {
        struct fs_disk_quota fdq;
+        struct kqid qid;
        int ret;
        if (!sb->s_qcop->get_dqblk)
                return -ENOSYS;
-        ret = sb->s_qcop->get_dqblk(sb, type, id, &fdq);
+        qid = make_kqid(current_user_ns(), type, id);
+        if (!qid_valid(qid))
+                return -EINVAL;
+        ret = sb->s_qcop->get_dqblk(sb, qid, &fdq);
        if (!ret && copy_to_user(addr, &fdq, sizeof(fdq)))
                return -EFAULT;
        return ret;
diff --git a/fs/quota/quota_tree.c b/fs/quota/quota_tree.c
index e41c1becf096..d65877fbe8f4 100644
--- a/fs/quota/quota_tree.c
+++ b/fs/quota/quota_tree.c
@@ -22,9 +22,10 @@ MODULE_LICENSE("GPL");
 #define __QUOTA_QT_PARANOIA
-static int get_index(struct qtree_mem_dqinfo *info, qid_t id, int depth)
+static int get_index(struct qtree_mem_dqinfo *info, struct kqid qid, int depth)
 {
        unsigned int epb = info->dqi_usable_bs >> 2;
+        qid_t id = from_kqid(&init_user_ns, qid);
        depth = info->dqi_qtree_depth - depth - 1;
        while (depth--)
@@ -244,7 +245,7 @@ static uint find_free_dqentry(struct qtree_mem_dqinfo *info,
                /* This is enough as the block is already zeroed and the entry
                 * list is empty... */
                info->dqi_free_entry = blk;
-                mark_info_dirty(dquot->dq_sb, dquot->dq_type);
+                mark_info_dirty(dquot->dq_sb, dquot->dq_id.type);
        }
        /* Block will be full? */
        if (le16_to_cpu(dh->dqdh_entries) + 1 >= qtree_dqstr_in_blk(info)) {
@@ -357,7 +358,7 @@ static inline int dq_insert_tree(struct qtree_mem_dqinfo *info,
 */
 int qtree_write_dquot(struct qtree_mem_dqinfo *info, struct dquot *dquot)
 {
-        int type = dquot->dq_type;
+        int type = dquot->dq_id.type;
        struct super_block *sb = dquot->dq_sb;
        ssize_t ret;
        char *ddquot = getdqbuf(info->dqi_entry_size);
@@ -538,8 +539,9 @@ static loff_t find_block_dqentry(struct qtree_mem_dqinfo *info,
                ddquot += info->dqi_entry_size;
        }
        if (i == qtree_dqstr_in_blk(info)) {
-                quota_error(dquot->dq_sb, "Quota for id %u referenced "
+                quota_error(dquot->dq_sb,
-                            "but not present", dquot->dq_id);
+                            "Quota for id %u referenced but not present",
+                            from_kqid(&init_user_ns, dquot->dq_id));
                ret = -EIO;
                goto out_buf;
        } else {
@@ -589,7 +591,7 @@ static inline loff_t find_dqentry(struct qtree_mem_dqinfo *info,
 int qtree_read_dquot(struct qtree_mem_dqinfo *info, struct dquot *dquot)
 {
-        int type = dquot->dq_type;
+        int type = dquot->dq_id.type;
        struct super_block *sb = dquot->dq_sb;
        loff_t offset;
        char *ddquot;
@@ -607,8 +609,10 @@ int qtree_read_dquot(struct qtree_mem_dqinfo *info, struct dquot *dquot)
                offset = find_dqentry(info, dquot);
                if (offset <= 0) {      /* Entry not present? */
                        if (offset < 0)
-                                quota_error(sb, "Can't read quota structure "
+                                quota_error(sb,"Can't read quota structure "
-                                            "for id %u", dquot->dq_id);
+                                            "for id %u",
+                                            from_kqid(&init_user_ns,
+                                                      dquot->dq_id));
                        dquot->dq_off = 0;
                        set_bit(DQ_FAKE_B, &dquot->dq_flags);
                        memset(&dquot->dq_dqb, 0, sizeof(struct mem_dqblk));
@@ -626,7 +630,7 @@ int qtree_read_dquot(struct qtree_mem_dqinfo *info, struct dquot *dquot)
                if (ret >= 0)
                        ret = -EIO;
                quota_error(sb, "Error while reading quota structure for id %u",
-                            dquot->dq_id);
+                            from_kqid(&init_user_ns, dquot->dq_id));
                set_bit(DQ_FAKE_B, &dquot->dq_flags);
                memset(&dquot->dq_dqb, 0, sizeof(struct mem_dqblk));
                kfree(ddquot);
diff --git a/fs/quota/quota_v1.c b/fs/quota/quota_v1.c
index 34b37a67bb16..469c6848b322 100644
--- a/fs/quota/quota_v1.c
+++ b/fs/quota/quota_v1.c
@@ -54,7 +54,7 @@ static void v1_mem2disk_dqblk(struct v1_disk_dqblk *d, struct mem_dqblk *m)
 static int v1_read_dqblk(struct dquot *dquot)
 {
-        int type = dquot->dq_type;
+        int type = dquot->dq_id.type;
        struct v1_disk_dqblk dqblk;
        if (!sb_dqopt(dquot->dq_sb)->files[type])
@@ -63,7 +63,8 @@ static int v1_read_dqblk(struct dquot *dquot)
        /* Set structure to 0s in case read fails/is after end of file */
        memset(&dqblk, 0, sizeof(struct v1_disk_dqblk));
        dquot->dq_sb->s_op->quota_read(dquot->dq_sb, type, (char *)&dqblk,
-                        sizeof(struct v1_disk_dqblk), v1_dqoff(dquot->dq_id));
+                        sizeof(struct v1_disk_dqblk),
+                        v1_dqoff(from_kqid(&init_user_ns, dquot->dq_id)));
        v1_disk2mem_dqblk(&dquot->dq_dqb, &dqblk);
        if (dquot->dq_dqb.dqb_bhardlimit == 0 &&
@@ -78,12 +79,13 @@ static int v1_read_dqblk(struct dquot *dquot)
 static int v1_commit_dqblk(struct dquot *dquot)
 {
-        short type = dquot->dq_type;
+        short type = dquot->dq_id.type;
        ssize_t ret;
        struct v1_disk_dqblk dqblk;
        v1_mem2disk_dqblk(&dqblk, &dquot->dq_dqb);
-        if (dquot->dq_id == 0) {
+        if (((type == USRQUOTA) && uid_eq(dquot->dq_id.uid, GLOBAL_ROOT_UID)) ||
+            ((type == GRPQUOTA) && gid_eq(dquot->dq_id.gid, GLOBAL_ROOT_GID))) {
                dqblk.dqb_btime =
                        sb_dqopt(dquot->dq_sb)->info[type].dqi_bgrace;
                dqblk.dqb_itime =
@@ -93,7 +95,7 @@ static int v1_commit_dqblk(struct dquot *dquot)
        if (sb_dqopt(dquot->dq_sb)->files[type])
                ret = dquot->dq_sb->s_op->quota_write(dquot->dq_sb, type,
                        (char *)&dqblk, sizeof(struct v1_disk_dqblk),
-                        v1_dqoff(dquot->dq_id));
+                        v1_dqoff(from_kqid(&init_user_ns, dquot->dq_id)));
        if (ret != sizeof(struct v1_disk_dqblk)) {
                quota_error(dquot->dq_sb, "dquota write failed");
                if (ret >= 0)
diff --git a/fs/quota/quota_v2.c b/fs/quota/quota_v2.c
index f1ab3604db5a..02751ec695c5 100644
--- a/fs/quota/quota_v2.c
+++ b/fs/quota/quota_v2.c
@@ -196,7 +196,7 @@ static void v2r0_mem2diskdqb(void *dp, struct dquot *dquot)
        struct v2r0_disk_dqblk *d = dp;
        struct mem_dqblk *m = &dquot->dq_dqb;
        struct qtree_mem_dqinfo *info =
-                        sb_dqinfo(dquot->dq_sb, dquot->dq_type)->dqi_priv;
+                        sb_dqinfo(dquot->dq_sb, dquot->dq_id.type)->dqi_priv;
        d->dqb_ihardlimit = cpu_to_le32(m->dqb_ihardlimit);
        d->dqb_isoftlimit = cpu_to_le32(m->dqb_isoftlimit);
@@ -206,7 +206,7 @@ static void v2r0_mem2diskdqb(void *dp, struct dquot *dquot)
        d->dqb_bsoftlimit = cpu_to_le32(v2_stoqb(m->dqb_bsoftlimit));
        d->dqb_curspace = cpu_to_le64(m->dqb_curspace);
        d->dqb_btime = cpu_to_le64(m->dqb_btime);
-        d->dqb_id = cpu_to_le32(dquot->dq_id);
+        d->dqb_id = cpu_to_le32(from_kqid(&init_user_ns, dquot->dq_id));
        if (qtree_entry_unused(info, dp))
                d->dqb_itime = cpu_to_le64(1);
 }
@@ -215,11 +215,13 @@ static int v2r0_is_id(void *dp, struct dquot *dquot)
 {
        struct v2r0_disk_dqblk *d = dp;
        struct qtree_mem_dqinfo *info =
-                        sb_dqinfo(dquot->dq_sb, dquot->dq_type)->dqi_priv;
+                        sb_dqinfo(dquot->dq_sb, dquot->dq_id.type)->dqi_priv;
        if (qtree_entry_unused(info, dp))
                return 0;
-        return le32_to_cpu(d->dqb_id) == dquot->dq_id;
+        return qid_eq(make_kqid(&init_user_ns, dquot->dq_id.type,
+                                le32_to_cpu(d->dqb_id)),
+                      dquot->dq_id);
 }
 static void v2r1_disk2memdqb(struct dquot *dquot, void *dp)
@@ -247,7 +249,7 @@ static void v2r1_mem2diskdqb(void *dp, struct dquot *dquot)
        struct v2r1_disk_dqblk *d = dp;
        struct mem_dqblk *m = &dquot->dq_dqb;
        struct qtree_mem_dqinfo *info =
-                        sb_dqinfo(dquot->dq_sb, dquot->dq_type)->dqi_priv;
+                        sb_dqinfo(dquot->dq_sb, dquot->dq_id.type)->dqi_priv;
        d->dqb_ihardlimit = cpu_to_le64(m->dqb_ihardlimit);
        d->dqb_isoftlimit = cpu_to_le64(m->dqb_isoftlimit);
@@ -257,7 +259,7 @@ static void v2r1_mem2diskdqb(void *dp, struct dquot *dquot)
        d->dqb_bsoftlimit = cpu_to_le64(v2_stoqb(m->dqb_bsoftlimit));
        d->dqb_curspace = cpu_to_le64(m->dqb_curspace);
        d->dqb_btime = cpu_to_le64(m->dqb_btime);
-        d->dqb_id = cpu_to_le32(dquot->dq_id);
+        d->dqb_id = cpu_to_le32(from_kqid(&init_user_ns, dquot->dq_id));
        if (qtree_entry_unused(info, dp))
                d->dqb_itime = cpu_to_le64(1);
 }
@@ -266,26 +268,28 @@ static int v2r1_is_id(void *dp, struct dquot *dquot)
 {
        struct v2r1_disk_dqblk *d = dp;
        struct qtree_mem_dqinfo *info =
-                        sb_dqinfo(dquot->dq_sb, dquot->dq_type)->dqi_priv;
+                        sb_dqinfo(dquot->dq_sb, dquot->dq_id.type)->dqi_priv;
        if (qtree_entry_unused(info, dp))
                return 0;
-        return le32_to_cpu(d->dqb_id) == dquot->dq_id;
+        return qid_eq(make_kqid(&init_user_ns, dquot->dq_id.type,
+                                le32_to_cpu(d->dqb_id)),
+                      dquot->dq_id);
 }
 static int v2_read_dquot(struct dquot *dquot)
 {
-        return qtree_read_dquot(sb_dqinfo(dquot->dq_sb, dquot->dq_type)->dqi_priv, dquot);
+        return qtree_read_dquot(sb_dqinfo(dquot->dq_sb, dquot->dq_id.type)->dqi_priv, dquot);
 }
 static int v2_write_dquot(struct dquot *dquot)
 {
-        return qtree_write_dquot(sb_dqinfo(dquot->dq_sb, dquot->dq_type)->dqi_priv, dquot);
+        return qtree_write_dquot(sb_dqinfo(dquot->dq_sb, dquot->dq_id.type)->dqi_priv, dquot);
 }
 static int v2_release_dquot(struct dquot *dquot)
 {
-        return qtree_release_dquot(sb_dqinfo(dquot->dq_sb, dquot->dq_type)->dqi_priv, dquot);
+        return qtree_release_dquot(sb_dqinfo(dquot->dq_sb, dquot->dq_id.type)->dqi_priv, dquot);
 }
 static int v2_free_file_info(struct super_block *sb, int type)
diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c
index 855da58db145..46485557cdc6 100644
--- a/fs/reiserfs/inode.c
+++ b/fs/reiserfs/inode.c
@@ -1155,8 +1155,8 @@ static void init_inode(struct inode *inode, struct treepath *path)
                set_inode_sd_version(inode, STAT_DATA_V1);
                inode->i_mode = sd_v1_mode(sd);
                set_nlink(inode, sd_v1_nlink(sd));
-                inode->i_uid = sd_v1_uid(sd);
+                i_uid_write(inode, sd_v1_uid(sd));
-                inode->i_gid = sd_v1_gid(sd);
+                i_gid_write(inode, sd_v1_gid(sd));
                inode->i_size = sd_v1_size(sd);
                inode->i_atime.tv_sec = sd_v1_atime(sd);
                inode->i_mtime.tv_sec = sd_v1_mtime(sd);
@@ -1200,9 +1200,9 @@ static void init_inode(struct inode *inode, struct treepath *path)
                inode->i_mode = sd_v2_mode(sd);
                set_nlink(inode, sd_v2_nlink(sd));
-                inode->i_uid = sd_v2_uid(sd);
+                i_uid_write(inode, sd_v2_uid(sd));
                inode->i_size = sd_v2_size(sd);
-                inode->i_gid = sd_v2_gid(sd);
+                i_gid_write(inode, sd_v2_gid(sd));
                inode->i_mtime.tv_sec = sd_v2_mtime(sd);
                inode->i_atime.tv_sec = sd_v2_atime(sd);
                inode->i_ctime.tv_sec = sd_v2_ctime(sd);
@@ -1258,9 +1258,9 @@ static void inode2sd(void *sd, struct inode *inode, loff_t size)
        set_sd_v2_mode(sd_v2, inode->i_mode);
        set_sd_v2_nlink(sd_v2, inode->i_nlink);
-        set_sd_v2_uid(sd_v2, inode->i_uid);
+        set_sd_v2_uid(sd_v2, i_uid_read(inode));
        set_sd_v2_size(sd_v2, size);
-        set_sd_v2_gid(sd_v2, inode->i_gid);
+        set_sd_v2_gid(sd_v2, i_gid_read(inode));
        set_sd_v2_mtime(sd_v2, inode->i_mtime.tv_sec);
        set_sd_v2_atime(sd_v2, inode->i_atime.tv_sec);
        set_sd_v2_ctime(sd_v2, inode->i_ctime.tv_sec);
@@ -1280,8 +1280,8 @@ static void inode2sd_v1(void *sd, struct inode *inode, loff_t size)
        struct stat_data_v1 *sd_v1 = (struct stat_data_v1 *)sd;
        set_sd_v1_mode(sd_v1, inode->i_mode);
-        set_sd_v1_uid(sd_v1, inode->i_uid);
+        set_sd_v1_uid(sd_v1, i_uid_read(inode));
-        set_sd_v1_gid(sd_v1, inode->i_gid);
+        set_sd_v1_gid(sd_v1, i_gid_read(inode));
        set_sd_v1_nlink(sd_v1, inode->i_nlink);
        set_sd_v1_size(sd_v1, size);
        set_sd_v1_atime(sd_v1, inode->i_atime.tv_sec);
@@ -1869,7 +1869,7 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th,
                goto out_bad_inode;
        }
        if (old_format_only(sb)) {
-                if (inode->i_uid & ~0xffff || inode->i_gid & ~0xffff) {
+                if (i_uid_read(inode) & ~0xffff || i_gid_read(inode) & ~0xffff) {
                        pathrelse(&path_to_key);
                        /* i_uid or i_gid is too big to be stored in stat data v3.5 */
                        err = -EINVAL;
@@ -3140,16 +3140,16 @@ int reiserfs_setattr(struct dentry *dentry, struct iattr *attr)
                }
        }
-        if ((((attr->ia_valid & ATTR_UID) && (attr->ia_uid & ~0xffff)) ||
+        if ((((attr->ia_valid & ATTR_UID) && (from_kuid(&init_user_ns, attr->ia_uid) & ~0xffff)) ||
-             ((attr->ia_valid & ATTR_GID) && (attr->ia_gid & ~0xffff))) &&
+             ((attr->ia_valid & ATTR_GID) && (from_kgid(&init_user_ns, attr->ia_gid) & ~0xffff))) &&
            (get_inode_sd_version(inode) == STAT_DATA_V1)) {
                /* stat data of format v3.5 has 16 bit uid and gid */
                error = -EINVAL;
                goto out;
        }
-        if ((ia_valid & ATTR_UID && attr->ia_uid != inode->i_uid) ||
+        if ((ia_valid & ATTR_UID && !uid_eq(attr->ia_uid, inode->i_uid)) ||
-            (ia_valid & ATTR_GID && attr->ia_gid != inode->i_gid)) {
+            (ia_valid & ATTR_GID && !gid_eq(attr->ia_gid, inode->i_gid))) {
                struct reiserfs_transaction_handle th;
                int jbegin_count =
                    2 *
diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c
index 44474f9b990d..d7c01ef64eda 100644
--- a/fs/reiserfs/xattr_acl.c
+++ b/fs/reiserfs/xattr_acl.c
@@ -30,7 +30,7 @@ posix_acl_set(struct dentry *dentry, const char *name, const void *value,
                return -EPERM;
        if (value) {
-                acl = posix_acl_from_xattr(value, size);
+                acl = posix_acl_from_xattr(&init_user_ns, value, size);
                if (IS_ERR(acl)) {
                        return PTR_ERR(acl);
                } else if (acl) {
@@ -77,7 +77,7 @@ posix_acl_get(struct dentry *dentry, const char *name, void *buffer,
                return PTR_ERR(acl);
        if (acl == NULL)
                return -ENODATA;
-        error = posix_acl_to_xattr(acl, buffer, size);
+        error = posix_acl_to_xattr(&init_user_ns, acl, buffer, size);
        posix_acl_release(acl);
        return error;
@@ -121,15 +121,23 @@ static struct posix_acl *posix_acl_from_disk(const void *value, size_t size)
                case ACL_OTHER:
                        value = (char *)value +
                            sizeof(reiserfs_acl_entry_short);
-                        acl->a_entries[n].e_id = ACL_UNDEFINED_ID;
                        break;
                case ACL_USER:
+                        value = (char *)value + sizeof(reiserfs_acl_entry);
+                        if ((char *)value > end)
+                                goto fail;
+                        acl->a_entries[n].e_uid = 
+                                make_kuid(&init_user_ns,
+                                          le32_to_cpu(entry->e_id));
+                        break;
                case ACL_GROUP:
                        value = (char *)value + sizeof(reiserfs_acl_entry);
                        if ((char *)value > end)
                                goto fail;
-                        acl->a_entries[n].e_id = le32_to_cpu(entry->e_id);
+                        acl->a_entries[n].e_gid =
+                                make_kgid(&init_user_ns,
+                                          le32_to_cpu(entry->e_id));
                        break;
                default:
@@ -164,13 +172,19 @@ static void *posix_acl_to_disk(const struct posix_acl *acl, size_t * size)
        ext_acl->a_version = cpu_to_le32(REISERFS_ACL_VERSION);
        e = (char *)ext_acl + sizeof(reiserfs_acl_header);
        for (n = 0; n < acl->a_count; n++) {
+                const struct posix_acl_entry *acl_e = &acl->a_entries[n];
                reiserfs_acl_entry *entry = (reiserfs_acl_entry *) e;
                entry->e_tag = cpu_to_le16(acl->a_entries[n].e_tag);
                entry->e_perm = cpu_to_le16(acl->a_entries[n].e_perm);
                switch (acl->a_entries[n].e_tag) {
                case ACL_USER:
+                        entry->e_id = cpu_to_le32(
+                                from_kuid(&init_user_ns, acl_e->e_uid));
+                        e += sizeof(reiserfs_acl_entry);
+                        break;
                case ACL_GROUP:
-                        entry->e_id = cpu_to_le32(acl->a_entries[n].e_id);
+                        entry->e_id = cpu_to_le32(
+                                from_kgid(&init_user_ns, acl_e->e_gid));
                        e += sizeof(reiserfs_acl_entry);
                        break;
diff --git a/fs/seq_file.c b/fs/seq_file.c
index 14cf9de1dbe1..99dffab4c4e4 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -9,6 +9,7 @@
 #include <linux/export.h>
 #include <linux/seq_file.h>
 #include <linux/slab.h>
+#include <linux/cred.h>
 #include <asm/uaccess.h>
 #include <asm/page.h>
@@ -56,6 +57,9 @@ int seq_open(struct file *file, const struct seq_operations *op)
        memset(p, 0, sizeof(*p));
        mutex_init(&p->lock);
        p->op = op;
+#ifdef CONFIG_USER_NS
+        p->user_ns = file->f_cred->user_ns;
+#endif
        /*
         * Wrappers around seq_open(e.g. swaps_open) need to be
diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
index 81afbccfa843..a1ce5ce60632 100644
--- a/fs/squashfs/inode.c
+++ b/fs/squashfs/inode.c
@@ -56,16 +56,20 @@
 static int squashfs_new_inode(struct super_block *sb, struct inode *inode,
                                struct squashfs_base_inode *sqsh_ino)
 {
+        uid_t i_uid;
+        gid_t i_gid;
        int err;
-        err = squashfs_get_id(sb, le16_to_cpu(sqsh_ino->uid), &inode->i_uid);
+        err = squashfs_get_id(sb, le16_to_cpu(sqsh_ino->uid), &i_uid);
        if (err)
                return err;
-        err = squashfs_get_id(sb, le16_to_cpu(sqsh_ino->guid), &inode->i_gid);
+        err = squashfs_get_id(sb, le16_to_cpu(sqsh_ino->guid), &i_gid);
        if (err)
                return err;
+        i_uid_write(inode, i_uid);
+        i_gid_write(inode, i_gid);
        inode->i_ino = le32_to_cpu(sqsh_ino->inode_number);
        inode->i_mtime.tv_sec = le32_to_cpu(sqsh_ino->mtime);
        inode->i_atime.tv_sec = inode->i_mtime.tv_sec;
diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c
index 80e1e2b18df1..b23ab736685d 100644
--- a/fs/sysv/inode.c
+++ b/fs/sysv/inode.c
@@ -202,8 +202,8 @@ struct inode *sysv_iget(struct super_block *sb, unsigned int ino)
        }
        /* SystemV FS: kludge permissions if ino==SYSV_ROOT_INO ?? */
        inode->i_mode = fs16_to_cpu(sbi, raw_inode->i_mode);
-        inode->i_uid = (uid_t)fs16_to_cpu(sbi, raw_inode->i_uid);
+        i_uid_write(inode, (uid_t)fs16_to_cpu(sbi, raw_inode->i_uid));
-        inode->i_gid = (gid_t)fs16_to_cpu(sbi, raw_inode->i_gid);
+        i_gid_write(inode, (gid_t)fs16_to_cpu(sbi, raw_inode->i_gid));
        set_nlink(inode, fs16_to_cpu(sbi, raw_inode->i_nlink));
        inode->i_size = fs32_to_cpu(sbi, raw_inode->i_size);
        inode->i_atime.tv_sec = fs32_to_cpu(sbi, raw_inode->i_atime);
@@ -256,8 +256,8 @@ static int __sysv_write_inode(struct inode *inode, int wait)
        }
        raw_inode->i_mode = cpu_to_fs16(sbi, inode->i_mode);
-        raw_inode->i_uid = cpu_to_fs16(sbi, fs_high2lowuid(inode->i_uid));
+        raw_inode->i_uid = cpu_to_fs16(sbi, fs_high2lowuid(i_uid_read(inode)));
-        raw_inode->i_gid = cpu_to_fs16(sbi, fs_high2lowgid(inode->i_gid));
+        raw_inode->i_gid = cpu_to_fs16(sbi, fs_high2lowgid(i_gid_read(inode)));
        raw_inode->i_nlink = cpu_to_fs16(sbi, inode->i_nlink);
        raw_inode->i_size = cpu_to_fs32(sbi, inode->i_size);
        raw_inode->i_atime = cpu_to_fs32(sbi, inode->i_atime.tv_sec);
diff --git a/fs/ubifs/budget.c b/fs/ubifs/budget.c
index bc4f94b28706..969489e478bc 100644
--- a/fs/ubifs/budget.c
+++ b/fs/ubifs/budget.c
@@ -272,8 +272,8 @@ long long ubifs_calc_available(const struct ubifs_info *c, int min_idx_lebs)
 */
 static int can_use_rp(struct ubifs_info *c)
 {
-        if (current_fsuid() == c->rp_uid || capable(CAP_SYS_RESOURCE) ||
+        if (uid_eq(current_fsuid(), c->rp_uid) || capable(CAP_SYS_RESOURCE) ||
-            (c->rp_gid != 0 && in_group_p(c->rp_gid)))
+            (!gid_eq(c->rp_gid, GLOBAL_ROOT_GID) && in_group_p(c->rp_gid)))
                return 1;
        return 0;
 }
diff --git a/fs/ubifs/debug.c b/fs/ubifs/debug.c
index bb3167257aab..340d1afc1302 100644
--- a/fs/ubifs/debug.c
+++ b/fs/ubifs/debug.c
@@ -243,8 +243,8 @@ void ubifs_dump_inode(struct ubifs_info *c, const struct inode *inode)
        printk(KERN_ERR "\tsize           %llu\n",
               (unsigned long long)i_size_read(inode));
        printk(KERN_ERR "\tnlink          %u\n", inode->i_nlink);
-        printk(KERN_ERR "\tuid            %u\n", (unsigned int)inode->i_uid);
+        printk(KERN_ERR "\tuid            %u\n", (unsigned int)i_uid_read(inode));
-        printk(KERN_ERR "\tgid            %u\n", (unsigned int)inode->i_gid);
+        printk(KERN_ERR "\tgid            %u\n", (unsigned int)i_gid_read(inode));
        printk(KERN_ERR "\tatime          %u.%u\n",
               (unsigned int)inode->i_atime.tv_sec,
               (unsigned int)inode->i_atime.tv_nsec);
diff --git a/fs/ubifs/journal.c b/fs/ubifs/journal.c
index 12c0f154ca83..afaad07f3b29 100644
--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -469,8 +469,8 @@ static void pack_inode(struct ubifs_info *c, struct ubifs_ino_node *ino,
        ino->ctime_nsec = cpu_to_le32(inode->i_ctime.tv_nsec);
        ino->mtime_sec  = cpu_to_le64(inode->i_mtime.tv_sec);
        ino->mtime_nsec = cpu_to_le32(inode->i_mtime.tv_nsec);
-        ino->uid   = cpu_to_le32(inode->i_uid);
+        ino->uid   = cpu_to_le32(i_uid_read(inode));
-        ino->gid   = cpu_to_le32(inode->i_gid);
+        ino->gid   = cpu_to_le32(i_gid_read(inode));
        ino->mode  = cpu_to_le32(inode->i_mode);
        ino->flags = cpu_to_le32(ui->flags);
        ino->size  = cpu_to_le64(ui->ui_size);
diff --git a/fs/ubifs/sb.c b/fs/ubifs/sb.c
index 15e2fc5aa60b..52c21f4190f6 100644
--- a/fs/ubifs/sb.c
+++ b/fs/ubifs/sb.c
@@ -611,8 +611,8 @@ int ubifs_read_superblock(struct ubifs_info *c)
        c->fanout        = le32_to_cpu(sup->fanout);
        c->lsave_cnt     = le32_to_cpu(sup->lsave_cnt);
        c->rp_size       = le64_to_cpu(sup->rp_size);
-        c->rp_uid        = le32_to_cpu(sup->rp_uid);
+        c->rp_uid        = make_kuid(&init_user_ns, le32_to_cpu(sup->rp_uid));
-        c->rp_gid        = le32_to_cpu(sup->rp_gid);
+        c->rp_gid        = make_kgid(&init_user_ns, le32_to_cpu(sup->rp_gid));
        sup_flags        = le32_to_cpu(sup->flags);
        if (!c->mount_opts.override_compr)
                c->default_compr = le16_to_cpu(sup->default_compr);
diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
index 71a197f0f93d..681f3a942444 100644
--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
@@ -130,8 +130,8 @@ struct inode *ubifs_iget(struct super_block *sb, unsigned long inum)
        inode->i_flags |= (S_NOCMTIME | S_NOATIME);
        set_nlink(inode, le32_to_cpu(ino->nlink));
-        inode->i_uid   = le32_to_cpu(ino->uid);
+        i_uid_write(inode, le32_to_cpu(ino->uid));
-        inode->i_gid   = le32_to_cpu(ino->gid);
+        i_gid_write(inode, le32_to_cpu(ino->gid));
        inode->i_atime.tv_sec  = (int64_t)le64_to_cpu(ino->atime_sec);
        inode->i_atime.tv_nsec = le32_to_cpu(ino->atime_nsec);
        inode->i_mtime.tv_sec  = (int64_t)le64_to_cpu(ino->mtime_sec);
diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
index 1e5a08623d11..64f2367c2f4c 100644
--- a/fs/ubifs/ubifs.h
+++ b/fs/ubifs/ubifs.h
@@ -1426,8 +1426,8 @@ struct ubifs_info {
        long long rp_size;
        long long report_rp_size;
-        uid_t rp_uid;
+        kuid_t rp_uid;
-        gid_t rp_gid;
+        kgid_t rp_gid;
        /* The below fields are used only during mounting and re-mounting */
        unsigned int empty:1;
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index aa233469b3c1..287ef9f587b7 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1312,14 +1312,14 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
        }
        read_lock(&sbi->s_cred_lock);
-        inode->i_uid = le32_to_cpu(fe->uid);
+        i_uid_write(inode, le32_to_cpu(fe->uid));
-        if (inode->i_uid == -1 ||
+        if (!uid_valid(inode->i_uid) ||
            UDF_QUERY_FLAG(inode->i_sb, UDF_FLAG_UID_IGNORE) ||
            UDF_QUERY_FLAG(inode->i_sb, UDF_FLAG_UID_SET))
                inode->i_uid = UDF_SB(inode->i_sb)->s_uid;
-        inode->i_gid = le32_to_cpu(fe->gid);
+        i_gid_write(inode, le32_to_cpu(fe->gid));
-        if (inode->i_gid == -1 ||
+        if (!gid_valid(inode->i_gid) ||
            UDF_QUERY_FLAG(inode->i_sb, UDF_FLAG_GID_IGNORE) ||
            UDF_QUERY_FLAG(inode->i_sb, UDF_FLAG_GID_SET))
                inode->i_gid = UDF_SB(inode->i_sb)->s_gid;
@@ -1542,12 +1542,12 @@ static int udf_update_inode(struct inode *inode, int do_sync)
        if (UDF_QUERY_FLAG(inode->i_sb, UDF_FLAG_UID_FORGET))
                fe->uid = cpu_to_le32(-1);
        else
-                fe->uid = cpu_to_le32(inode->i_uid);
+                fe->uid = cpu_to_le32(i_uid_read(inode));
        if (UDF_QUERY_FLAG(inode->i_sb, UDF_FLAG_GID_FORGET))
                fe->gid = cpu_to_le32(-1);
        else
-                fe->gid = cpu_to_le32(inode->i_gid);
+                fe->gid = cpu_to_le32(i_gid_read(inode));
        udfperms = ((inode->i_mode & S_IRWXO)) |
                   ((inode->i_mode & S_IRWXG) << 2) |
diff --git a/fs/udf/super.c b/fs/udf/super.c
index 18fc038a438d..862741dddf27 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -199,8 +199,8 @@ struct udf_options {
        unsigned int rootdir;
        unsigned int flags;
        umode_t umask;
-        gid_t gid;
+        kgid_t gid;
-        uid_t uid;
+        kuid_t uid;
        umode_t fmode;
        umode_t dmode;
        struct nls_table *nls_map;
@@ -335,9 +335,9 @@ static int udf_show_options(struct seq_file *seq, struct dentry *root)
        if (UDF_QUERY_FLAG(sb, UDF_FLAG_GID_IGNORE))
                seq_puts(seq, ",gid=ignore");
        if (UDF_QUERY_FLAG(sb, UDF_FLAG_UID_SET))
-                seq_printf(seq, ",uid=%u", sbi->s_uid);
+                seq_printf(seq, ",uid=%u", from_kuid(&init_user_ns, sbi->s_uid));
        if (UDF_QUERY_FLAG(sb, UDF_FLAG_GID_SET))
-                seq_printf(seq, ",gid=%u", sbi->s_gid);
+                seq_printf(seq, ",gid=%u", from_kgid(&init_user_ns, sbi->s_gid));
        if (sbi->s_umask != 0)
                seq_printf(seq, ",umask=%ho", sbi->s_umask);
        if (sbi->s_fmode != UDF_INVALID_MODE)
@@ -516,13 +516,17 @@ static int udf_parse_options(char *options, struct udf_options *uopt,
                case Opt_gid:
                        if (match_int(args, &option))
                                return 0;
-                        uopt->gid = option;
+                        uopt->gid = make_kgid(current_user_ns(), option);
+                        if (!gid_valid(uopt->gid))
+                                return 0;
                        uopt->flags |= (1 << UDF_FLAG_GID_SET);
                        break;
                case Opt_uid:
                        if (match_int(args, &option))
                                return 0;
-                        uopt->uid = option;
+                        uopt->uid = make_kuid(current_user_ns(), option);
+                        if (!uid_valid(uopt->uid))
+                                return 0;
                        uopt->flags |= (1 << UDF_FLAG_UID_SET);
                        break;
                case Opt_umask:
@@ -1934,8 +1938,8 @@ static int udf_fill_super(struct super_block *sb, void *options, int silent)
        struct udf_sb_info *sbi;
        uopt.flags = (1 << UDF_FLAG_USE_AD_IN_ICB) | (1 << UDF_FLAG_STRICT);
-        uopt.uid = -1;
+        uopt.uid = INVALID_UID;
-        uopt.gid = -1;
+        uopt.gid = INVALID_GID;
        uopt.umask = 0;
        uopt.fmode = UDF_INVALID_MODE;
        uopt.dmode = UDF_INVALID_MODE;
diff --git a/fs/udf/udf_sb.h b/fs/udf/udf_sb.h
index 42ad69ac9576..5f027227f085 100644
--- a/fs/udf/udf_sb.h
+++ b/fs/udf/udf_sb.h
@@ -128,8 +128,8 @@ struct udf_sb_info {
        /* Default permissions */
        umode_t                 s_umask;
-        gid_t                   s_gid;
+        kgid_t                  s_gid;
-        uid_t                   s_uid;
+        kuid_t                  s_uid;
        umode_t                 s_fmode;
        umode_t                 s_dmode;
        /* Lock protecting consistency of above permission settings */
diff --git a/fs/ufs/inode.c b/fs/ufs/inode.c
index dd7c89d8a1c1..eb6d0b7dc879 100644
--- a/fs/ufs/inode.c
+++ b/fs/ufs/inode.c
@@ -597,8 +597,8 @@ static int ufs1_read_inode(struct inode *inode, struct ufs_inode *ufs_inode)
        /*
         * Linux now has 32-bit uid and gid, so we can support EFT.
         */
-        inode->i_uid = ufs_get_inode_uid(sb, ufs_inode);
+        i_uid_write(inode, ufs_get_inode_uid(sb, ufs_inode));
-        inode->i_gid = ufs_get_inode_gid(sb, ufs_inode);
+        i_gid_write(inode, ufs_get_inode_gid(sb, ufs_inode));
        inode->i_size = fs64_to_cpu(sb, ufs_inode->ui_size);
        inode->i_atime.tv_sec = fs32_to_cpu(sb, ufs_inode->ui_atime.tv_sec);
@@ -645,8 +645,8 @@ static int ufs2_read_inode(struct inode *inode, struct ufs2_inode *ufs2_inode)
        /*
         * Linux now has 32-bit uid and gid, so we can support EFT.
         */
-        inode->i_uid = fs32_to_cpu(sb, ufs2_inode->ui_uid);
+        i_uid_write(inode, fs32_to_cpu(sb, ufs2_inode->ui_uid));
-        inode->i_gid = fs32_to_cpu(sb, ufs2_inode->ui_gid);
+        i_gid_write(inode, fs32_to_cpu(sb, ufs2_inode->ui_gid));
        inode->i_size = fs64_to_cpu(sb, ufs2_inode->ui_size);
        inode->i_atime.tv_sec = fs64_to_cpu(sb, ufs2_inode->ui_atime);
@@ -745,8 +745,8 @@ static void ufs1_update_inode(struct inode *inode, struct ufs_inode *ufs_inode)
        ufs_inode->ui_mode = cpu_to_fs16(sb, inode->i_mode);
        ufs_inode->ui_nlink = cpu_to_fs16(sb, inode->i_nlink);
-        ufs_set_inode_uid(sb, ufs_inode, inode->i_uid);
+        ufs_set_inode_uid(sb, ufs_inode, i_uid_read(inode));
-        ufs_set_inode_gid(sb, ufs_inode, inode->i_gid);
+        ufs_set_inode_gid(sb, ufs_inode, i_gid_read(inode));
                
        ufs_inode->ui_size = cpu_to_fs64(sb, inode->i_size);
        ufs_inode->ui_atime.tv_sec = cpu_to_fs32(sb, inode->i_atime.tv_sec);
@@ -789,8 +789,8 @@ static void ufs2_update_inode(struct inode *inode, struct ufs2_inode *ufs_inode)
        ufs_inode->ui_mode = cpu_to_fs16(sb, inode->i_mode);
        ufs_inode->ui_nlink = cpu_to_fs16(sb, inode->i_nlink);
-        ufs_inode->ui_uid = cpu_to_fs32(sb, inode->i_uid);
+        ufs_inode->ui_uid = cpu_to_fs32(sb, i_uid_read(inode));
-        ufs_inode->ui_gid = cpu_to_fs32(sb, inode->i_gid);
+        ufs_inode->ui_gid = cpu_to_fs32(sb, i_gid_read(inode));
        ufs_inode->ui_size = cpu_to_fs64(sb, inode->i_size);
        ufs_inode->ui_atime = cpu_to_fs64(sb, inode->i_atime.tv_sec);
diff --git a/fs/xattr.c b/fs/xattr.c
index 014f11321fd9..f7f7f09b0b41 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -20,6 +20,7 @@
 #include <linux/fsnotify.h>
 #include <linux/audit.h>
 #include <linux/vmalloc.h>
+#include <linux/posix_acl_xattr.h>
 #include <asm/uaccess.h>
@@ -347,6 +348,9 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
                        error = -EFAULT;
                        goto out;
                }
+                if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
+                    (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
+                        posix_acl_fix_xattr_from_user(kvalue, size);
        }
        error = vfs_setxattr(d, kname, kvalue, size, flags);
@@ -450,6 +454,9 @@ getxattr(struct dentry *d, const char __user *name, void __user *value,
        error = vfs_getxattr(d, kname, kvalue, size);
        if (error > 0) {
+                if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
+                    (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
+                        posix_acl_fix_xattr_to_user(kvalue, size);
                if (size && copy_to_user(value, kvalue, error))
                        error = -EFAULT;
        } else if (error == -ERANGE && size >= XATTR_SIZE_MAX) {
diff --git a/fs/xattr_acl.c b/fs/xattr_acl.c
index 69d06b07b169..11efd830b5f5 100644
--- a/fs/xattr_acl.c
+++ b/fs/xattr_acl.c
@@ -9,13 +9,72 @@
 #include <linux/fs.h>
 #include <linux/posix_acl_xattr.h>
 #include <linux/gfp.h>
+#include <linux/user_namespace.h>
+/*
+ * Fix up the uids and gids in posix acl extended attributes in place.
+ */
+static void posix_acl_fix_xattr_userns(
+        struct user_namespace *to, struct user_namespace *from,
+        void *value, size_t size)
+{
+        posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
+        posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
+        int count;
+        kuid_t uid;
+        kgid_t gid;
+        if (!value)
+                return;
+        if (size < sizeof(posix_acl_xattr_header))
+                return;
+        if (header->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION))
+                return;
+        count = posix_acl_xattr_count(size);
+        if (count < 0)
+                return;
+        if (count == 0)
+                return;
+        for (end = entry + count; entry != end; entry++) {
+                switch(le16_to_cpu(entry->e_tag)) {
+                case ACL_USER:
+                        uid = make_kuid(from, le32_to_cpu(entry->e_id));
+                        entry->e_id = cpu_to_le32(from_kuid(to, uid));
+                        break;
+                case ACL_GROUP:
+                        gid = make_kgid(from, le32_to_cpu(entry->e_id));
+                        entry->e_id = cpu_to_le32(from_kuid(to, uid));
+                        break;
+                default:
+                        break;
+                }
+        }
+}
+void posix_acl_fix_xattr_from_user(void *value, size_t size)
+{
+        struct user_namespace *user_ns = current_user_ns();
+        if (user_ns == &init_user_ns)
+                return;
+        posix_acl_fix_xattr_userns(&init_user_ns, user_ns, value, size);
+}
+void posix_acl_fix_xattr_to_user(void *value, size_t size)
+{
+        struct user_namespace *user_ns = current_user_ns();
+        if (user_ns == &init_user_ns)
+                return;
+        posix_acl_fix_xattr_userns(user_ns, &init_user_ns, value, size);
+}
 /*
 * Convert from extended attribute to in-memory representation.
 */
 struct posix_acl *
-posix_acl_from_xattr(const void *value, size_t size)
+posix_acl_from_xattr(struct user_namespace *user_ns,
+                     const void *value, size_t size)
 {
        posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
        posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
@@ -50,12 +109,21 @@ posix_acl_from_xattr(const void *value, size_t size)
                        case ACL_GROUP_OBJ:
                        case ACL_MASK:
                        case ACL_OTHER:
-                                acl_e->e_id = ACL_UNDEFINED_ID;
                                break;
                        case ACL_USER:
+                                acl_e->e_uid =
+                                        make_kuid(user_ns,
+                                                  le32_to_cpu(entry->e_id));
+                                if (!uid_valid(acl_e->e_uid))
+                                        goto fail;
+                                break;
                        case ACL_GROUP:
-                                acl_e->e_id = le32_to_cpu(entry->e_id);
+                                acl_e->e_gid =
+                                        make_kgid(user_ns,
+                                                  le32_to_cpu(entry->e_id));
+                                if (!gid_valid(acl_e->e_gid))
+                                        goto fail;
                                break;
                        default:
@@ -74,7 +142,8 @@ EXPORT_SYMBOL (posix_acl_from_xattr);
 * Convert from in-memory to extended attribute representation.
 */
 int
-posix_acl_to_xattr(const struct posix_acl *acl, void *buffer, size_t size)
+posix_acl_to_xattr(struct user_namespace *user_ns, const struct posix_acl *acl,
+                   void *buffer, size_t size)
 {
        posix_acl_xattr_header *ext_acl = (posix_acl_xattr_header *)buffer;
        posix_acl_xattr_entry *ext_entry = ext_acl->a_entries;
@@ -89,9 +158,22 @@ posix_acl_to_xattr(const struct posix_acl *acl, void *buffer, size_t size)
        ext_acl->a_version = cpu_to_le32(POSIX_ACL_XATTR_VERSION);
        for (n=0; n < acl->a_count; n++, ext_entry++) {
-                ext_entry->e_tag  = cpu_to_le16(acl->a_entries[n].e_tag);
+                const struct posix_acl_entry *acl_e = &acl->a_entries[n];
-                ext_entry->e_perm = cpu_to_le16(acl->a_entries[n].e_perm);
+                ext_entry->e_tag  = cpu_to_le16(acl_e->e_tag);
-                ext_entry->e_id   = cpu_to_le32(acl->a_entries[n].e_id);
+                ext_entry->e_perm = cpu_to_le16(acl_e->e_perm);
+                switch(acl_e->e_tag) {
+                case ACL_USER:
+                        ext_entry->e_id =
+                                cpu_to_le32(from_kuid(user_ns, acl_e->e_uid));
+                        break;
+                case ACL_GROUP:
+                        ext_entry->e_id =
+                                cpu_to_le32(from_kgid(user_ns, acl_e->e_gid));
+                        break;
+                default:
+                        ext_entry->e_id = cpu_to_le32(ACL_UNDEFINED_ID);
+                        break;
+                }
        }
        return real_size;
 }
diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c
index ac702a6eab9b..1d32f1d52763 100644
--- a/fs/xfs/xfs_acl.c
+++ b/fs/xfs/xfs_acl.c
@@ -337,7 +337,7 @@ xfs_xattr_acl_get(struct dentry *dentry, const char *name,
        if (acl == NULL)
                return -ENODATA;
-        error = posix_acl_to_xattr(acl, value, size);
+        error = posix_acl_to_xattr(&init_user_ns, acl, value, size);
        posix_acl_release(acl);
        return error;
@@ -361,7 +361,7 @@ xfs_xattr_acl_set(struct dentry *dentry, const char *name,
        if (!value)
                goto set_acl;
-        acl = posix_acl_from_xattr(value, size);
+        acl = posix_acl_from_xattr(&init_user_ns, value, size);
        if (!acl) {
                /*
                 * acl_set_file(3) may request that we set default ACLs with
diff --git a/fs/xfs/xfs_quotaops.c b/fs/xfs/xfs_quotaops.c
index fed504fc2999..71926d630527 100644
--- a/fs/xfs/xfs_quotaops.c
+++ b/fs/xfs/xfs_quotaops.c
@@ -97,8 +97,7 @@ xfs_fs_set_xstate(
 STATIC int
 xfs_fs_get_dqblk(
        struct super_block      *sb,
-        int                     type,
+        struct kqid             qid,
-        qid_t                   id,
        struct fs_disk_quota    *fdq)
 {
        struct xfs_mount        *mp = XFS_M(sb);
@@ -108,14 +107,14 @@ xfs_fs_get_dqblk(
        if (!XFS_IS_QUOTA_ON(mp))
                return -ESRCH;
-        return -xfs_qm_scall_getquota(mp, id, xfs_quota_type(type), fdq);
+        return -xfs_qm_scall_getquota(mp, from_kqid(&init_user_ns, qid),
+                                      xfs_quota_type(qid.type), fdq);
 }
 STATIC int
 xfs_fs_set_dqblk(
        struct super_block      *sb,
-        int                     type,
+        struct kqid             qid,
-        qid_t                   id,
        struct fs_disk_quota    *fdq)
 {
        struct xfs_mount        *mp = XFS_M(sb);
@@ -127,7 +126,8 @@ xfs_fs_set_dqblk(
        if (!XFS_IS_QUOTA_ON(mp))
                return -ESRCH;
-        return -xfs_qm_scall_setqlim(mp, id, xfs_quota_type(type), fdq);
+        return -xfs_qm_scall_setqlim(mp, from_kqid(&init_user_ns, qid),
+                                     xfs_quota_type(qid.type), fdq);
 }
 const struct quotactl_ops xfs_quotactl_operations = {
diff --git a/fs/xfs/xfs_trans_dquot.c b/fs/xfs/xfs_trans_dquot.c
index bcb60542fcf1..0c7fa54f309e 100644
--- a/fs/xfs/xfs_trans_dquot.c
+++ b/fs/xfs/xfs_trans_dquot.c
@@ -578,9 +578,11 @@ xfs_quota_warn(
        /* no warnings for project quotas - we just return ENOSPC later */
        if (dqp->dq_flags & XFS_DQ_PROJ)
                return;
-        quota_send_warning((dqp->dq_flags & XFS_DQ_USER) ? USRQUOTA : GRPQUOTA,
+        quota_send_warning(make_kqid(&init_user_ns,
-                           be32_to_cpu(dqp->q_core.d_id), mp->m_super->s_dev,
+                                     (dqp->dq_flags & XFS_DQ_USER) ?
-                           type);
+                                     USRQUOTA : GRPQUOTA,
+                                     be32_to_cpu(dqp->q_core.d_id)),
+                           mp->m_super->s_dev, type);
 }
 /*
diff --git a/include/drm/drmP.h b/include/drm/drmP.h
index d6b67bb9075f..9bc5c6a1d52c 100644
--- a/include/drm/drmP.h
+++ b/include/drm/drmP.h
@@ -426,8 +426,8 @@ struct drm_prime_file_private {
 /** File private data */
 struct drm_file {
        int authenticated;
-        pid_t pid;
+        struct pid *pid;
-        uid_t uid;
+        kuid_t uid;
        drm_magic_t magic;
        unsigned long ioctl_count;
        struct list_head lhead;
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 36abf2aa7e68..12367cbadfe1 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -442,6 +442,8 @@ struct audit_krule {
 struct audit_field {
        u32                             type;
        u32                             val;
+        kuid_t                          uid;
+        kgid_t                          gid;
        u32                             op;
        char                            *lsm_str;
        void                            *lsm_rule;
@@ -525,7 +527,7 @@ static inline void audit_ptrace(struct task_struct *t)
 extern unsigned int audit_serial(void);
 extern int auditsc_get_stamp(struct audit_context *ctx,
                              struct timespec *t, unsigned int *serial);
-extern int  audit_set_loginuid(uid_t loginuid);
+extern int  audit_set_loginuid(kuid_t loginuid);
 #define audit_get_loginuid(t) ((t)->loginuid)
 #define audit_get_sessionid(t) ((t)->sessionid)
 extern void audit_log_task_context(struct audit_buffer *ab);
@@ -637,7 +639,7 @@ extern int audit_signals;
 #define audit_core_dumps(i) do { ; } while (0)
 #define audit_seccomp(i,s,c) do { ; } while (0)
 #define auditsc_get_stamp(c,t,s) (0)
-#define audit_get_loginuid(t) (-1)
+#define audit_get_loginuid(t) (INVALID_UID)
 #define audit_get_sessionid(t) (-1)
 #define audit_log_task_context(b) do { ; } while (0)
 #define audit_ipc_obj(i) ((void)0)
@@ -700,10 +702,10 @@ extern void 		    audit_log_secctx(struct audit_buffer *ab, u32 secid);
 extern int                  audit_update_lsm_rules(void);
                                /* Private API (for audit.c only) */
-extern int audit_filter_user(struct netlink_skb_parms *cb);
+extern int audit_filter_user(void);
 extern int audit_filter_type(int type);
-extern int  audit_receive_filter(int type, int pid, int uid, int seq,
+extern int  audit_receive_filter(int type, int pid, int seq,
-                                void *data, size_t datasz, uid_t loginuid,
+                                void *data, size_t datasz, kuid_t loginuid,
                                u32 sessionid, u32 sid);
 extern int audit_enabled;
 #else
diff --git a/include/linux/inet_diag.h b/include/linux/inet_diag.h
index f1362b5447fc..e788c186ed3a 100644
--- a/include/linux/inet_diag.h
+++ b/include/linux/inet_diag.h
@@ -159,6 +159,7 @@ struct inet_diag_handler {
 struct inet_connection_sock;
 int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
                              struct sk_buff *skb, struct inet_diag_req_v2 *req,
+                              struct user_namespace *user_ns,
                              u32 pid, u32 seq, u16 nlmsg_flags,
                              const struct nlmsghdr *unlh);
 void inet_diag_dump_icsk(struct inet_hashinfo *h, struct sk_buff *skb,
diff --git a/include/linux/init_task.h b/include/linux/init_task.h
index 89f1cb1056f0..6d087c5f57f7 100644
--- a/include/linux/init_task.h
+++ b/include/linux/init_task.h
@@ -92,7 +92,7 @@ extern struct group_info init_groups;
 #ifdef CONFIG_AUDITSYSCALL
 #define INIT_IDS \
-        .loginuid = -1, \
+        .loginuid = INVALID_UID, \
        .sessionid = -1,
 #else
 #define INIT_IDS
diff --git a/include/linux/ipc.h b/include/linux/ipc.h
index 30e816148df4..ca833fdc3138 100644
--- a/include/linux/ipc.h
+++ b/include/linux/ipc.h
@@ -79,6 +79,7 @@ struct ipc_kludge {
 #ifdef __KERNEL__
 #include <linux/spinlock.h>
+#include <linux/uidgid.h>
 #define IPCMNI 32768  /* <= MAX_INT limit for ipc arrays (including sysctl changes) */
@@ -89,10 +90,10 @@ struct kern_ipc_perm
        int             deleted;
        int             id;
        key_t           key;
-        uid_t           uid;
+        kuid_t          uid;
-        gid_t           gid;
+        kgid_t          gid;
-        uid_t           cuid;
+        kuid_t          cuid;
-        gid_t           cgid;
+        kgid_t          cgid;
        umode_t         mode; 
        unsigned long   seq;
        void            *security;
diff --git a/include/linux/key.h b/include/linux/key.h
index cef3b315ba7c..2393b1c040b6 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -24,6 +24,7 @@
 #include <linux/atomic.h>
 #ifdef __KERNEL__
+#include <linux/uidgid.h>
 /* key handle serial number */
 typedef int32_t key_serial_t;
@@ -137,8 +138,8 @@ struct key {
                time_t          revoked_at;     /* time at which key was revoked */
        };
        time_t                  last_used_at;   /* last time used for LRU keyring discard */
-        uid_t                   uid;
+        kuid_t                  uid;
-        gid_t                   gid;
+        kgid_t                  gid;
        key_perm_t              perm;           /* access permissions */
        unsigned short          quotalen;       /* length added to quota */
        unsigned short          datalen;        /* payload data length
@@ -193,7 +194,7 @@ struct key {
 extern struct key *key_alloc(struct key_type *type,
                             const char *desc,
-                             uid_t uid, gid_t gid,
+                             kuid_t uid, kgid_t gid,
                             const struct cred *cred,
                             key_perm_t perm,
                             unsigned long flags);
@@ -262,7 +263,7 @@ extern int key_link(struct key *keyring,
 extern int key_unlink(struct key *keyring,
                      struct key *key);
-extern struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
+extern struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
                                 const struct cred *cred,
                                 unsigned long flags,
                                 struct key *dest);
diff --git a/include/linux/loop.h b/include/linux/loop.h
index 11a41a8f08eb..9635116dd830 100644
--- a/include/linux/loop.h
+++ b/include/linux/loop.h
@@ -44,7 +44,7 @@ struct loop_device {
        int             lo_encrypt_key_size;
        struct loop_func_table *lo_encryption;
        __u32           lo_init[2];
-        uid_t           lo_key_owner;   /* Who set the key */
+        kuid_t          lo_key_owner;   /* Who set the key */
        int             (*ioctl)(struct loop_device *, int cmd, 
                                 unsigned long arg); 
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index f74dd133788f..c9fdde2bc73f 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -165,6 +165,7 @@ struct netlink_skb_parms {
        struct ucred            creds;          /* Skb credentials      */
        __u32                   pid;
        __u32                   dst_group;
+        struct sock             *ssk;
 };
 #define NETLINK_CB(skb)         (*(struct netlink_skb_parms*)&((skb)->cb))
diff --git a/include/linux/posix_acl.h b/include/linux/posix_acl.h
index 11bad91c4433..7931efe71175 100644
--- a/include/linux/posix_acl.h
+++ b/include/linux/posix_acl.h
@@ -36,7 +36,13 @@
 struct posix_acl_entry {
        short                   e_tag;
        unsigned short          e_perm;
-        unsigned int            e_id;
+        union {
+                kuid_t          e_uid;
+                kgid_t          e_gid;
+#ifndef CONFIG_UIDGID_STRICT_TYPE_CHECKS
+                unsigned int    e_id;
+#endif
+        };
 };
 struct posix_acl {
diff --git a/include/linux/posix_acl_xattr.h b/include/linux/posix_acl_xattr.h
index 6e53c34035cd..ad93ad0f1db0 100644
--- a/include/linux/posix_acl_xattr.h
+++ b/include/linux/posix_acl_xattr.h
@@ -52,7 +52,21 @@ posix_acl_xattr_count(size_t size)
        return size / sizeof(posix_acl_xattr_entry);
 }
-struct posix_acl *posix_acl_from_xattr(const void *value, size_t size);
+#ifdef CONFIG_FS_POSIX_ACL
-int posix_acl_to_xattr(const struct posix_acl *acl, void *buffer, size_t size);
+void posix_acl_fix_xattr_from_user(void *value, size_t size);
+void posix_acl_fix_xattr_to_user(void *value, size_t size);
+#else
+static inline void posix_acl_fix_xattr_from_user(void *value, size_t size)
+{
+}
+static inline void posix_acl_fix_xattr_to_user(void *value, size_t size)
+{
+}
+#endif
+struct posix_acl *posix_acl_from_xattr(struct user_namespace *user_ns, 
+                                       const void *value, size_t size);
+int posix_acl_to_xattr(struct user_namespace *user_ns,
+                       const struct posix_acl *acl, void *buffer, size_t size);
 #endif  /* _POSIX_ACL_XATTR_H */
diff --git a/include/linux/projid.h b/include/linux/projid.h
new file mode 100644
index 000000000000..36517b95be5c
--- /dev/null
+++ b/include/linux/projid.h
@@ -0,0 +1,104 @@
+#ifndef _LINUX_PROJID_H
+#define _LINUX_PROJID_H
+/*
+ * A set of types for the internal kernel types representing project ids.
+ *
+ * The types defined in this header allow distinguishing which project ids in
+ * the kernel are values used by userspace and which project id values are
+ * the internal kernel values.  With the addition of user namespaces the values
+ * can be different.  Using the type system makes it possible for the compiler
+ * to detect when we overlook these differences.
+ *
+ */
+#include <linux/types.h>
+struct user_namespace;
+extern struct user_namespace init_user_ns;
+typedef __kernel_uid32_t projid_t;
+#ifdef CONFIG_UIDGID_STRICT_TYPE_CHECKS
+typedef struct {
+        projid_t val;
+} kprojid_t;
+static inline projid_t __kprojid_val(kprojid_t projid)
+{
+        return projid.val;
+}
+#define KPROJIDT_INIT(value) (kprojid_t){ value }
+#else
+typedef projid_t kprojid_t;
+static inline projid_t __kprojid_val(kprojid_t projid)
+{
+        return projid;
+}
+#define KPROJIDT_INIT(value) ((kprojid_t) value )
+#endif
+#define INVALID_PROJID KPROJIDT_INIT(-1)
+#define OVERFLOW_PROJID 65534
+static inline bool projid_eq(kprojid_t left, kprojid_t right)
+{
+        return __kprojid_val(left) == __kprojid_val(right);
+}
+static inline bool projid_lt(kprojid_t left, kprojid_t right)
+{
+        return __kprojid_val(left) < __kprojid_val(right);
+}
+static inline bool projid_valid(kprojid_t projid)
+{
+        return !projid_eq(projid, INVALID_PROJID);
+}
+#ifdef CONFIG_USER_NS
+extern kprojid_t make_kprojid(struct user_namespace *from, projid_t projid);
+extern projid_t from_kprojid(struct user_namespace *to, kprojid_t projid);
+extern projid_t from_kprojid_munged(struct user_namespace *to, kprojid_t projid);
+static inline bool kprojid_has_mapping(struct user_namespace *ns, kprojid_t projid)
+{
+        return from_kprojid(ns, projid) != (projid_t)-1;
+}
+#else
+static inline kprojid_t make_kprojid(struct user_namespace *from, projid_t projid)
+{
+        return KPROJIDT_INIT(projid);
+}
+static inline projid_t from_kprojid(struct user_namespace *to, kprojid_t kprojid)
+{
+        return __kprojid_val(kprojid);
+}
+static inline projid_t from_kprojid_munged(struct user_namespace *to, kprojid_t kprojid)
+{
+        projid_t projid = from_kprojid(to, kprojid);
+        if (projid == (projid_t)-1)
+                projid = OVERFLOW_PROJID;
+        return projid;
+}
+static inline bool kprojid_has_mapping(struct user_namespace *ns, kprojid_t projid)
+{
+        return true;
+}
+#endif /* CONFIG_USER_NS */
+#endif /* _LINUX_PROJID_H */
diff --git a/include/linux/quota.h b/include/linux/quota.h
index 524ede8a160a..dcd5721e626d 100644
--- a/include/linux/quota.h
+++ b/include/linux/quota.h
@@ -181,10 +181,135 @@ enum {
 #include <linux/dqblk_v2.h>
 #include <linux/atomic.h>
+#include <linux/uidgid.h>
+#include <linux/projid.h>
+#undef USRQUOTA
+#undef GRPQUOTA
+enum quota_type {
+        USRQUOTA = 0,           /* element used for user quotas */
+        GRPQUOTA = 1,           /* element used for group quotas */
+        PRJQUOTA = 2,           /* element used for project quotas */
+};
 typedef __kernel_uid32_t qid_t; /* Type in which we store ids in memory */
 typedef long long qsize_t;      /* Type in which we store sizes */
+struct kqid {                   /* Type in which we store the quota identifier */
+        union {
+                kuid_t uid;
+                kgid_t gid;
+                kprojid_t projid;
+        };
+        enum quota_type type;  /* USRQUOTA (uid) or GRPQUOTA (gid) or PRJQUOTA (projid) */
+};
+extern bool qid_eq(struct kqid left, struct kqid right);
+extern bool qid_lt(struct kqid left, struct kqid right);
+extern qid_t from_kqid(struct user_namespace *to, struct kqid qid);
+extern qid_t from_kqid_munged(struct user_namespace *to, struct kqid qid);
+extern bool qid_valid(struct kqid qid);
+/**
+ *      make_kqid - Map a user-namespace, type, qid tuple into a kqid.
+ *      @from: User namespace that the qid is in
+ *      @type: The type of quota
+ *      @qid: Quota identifier
+ *
+ *      Maps a user-namespace, type qid tuple into a kernel internal
+ *      kqid, and returns that kqid.
+ *
+ *      When there is no mapping defined for the user-namespace, type,
+ *      qid tuple an invalid kqid is returned.  Callers are expected to
+ *      test for and handle handle invalid kqids being returned.
+ *      Invalid kqids may be tested for using qid_valid().
+ */
+static inline struct kqid make_kqid(struct user_namespace *from,
+                                    enum quota_type type, qid_t qid)
+{
+        struct kqid kqid;
+        kqid.type = type;
+        switch (type) {
+        case USRQUOTA:
+                kqid.uid = make_kuid(from, qid);
+                break;
+        case GRPQUOTA:
+                kqid.gid = make_kgid(from, qid);
+                break;
+        case PRJQUOTA:
+                kqid.projid = make_kprojid(from, qid);
+                break;
+        default:
+                BUG();
+        }
+        return kqid;
+}
+/**
+ *      make_kqid_invalid - Explicitly make an invalid kqid
+ *      @type: The type of quota identifier
+ *
+ *      Returns an invalid kqid with the specified type.
+ */
+static inline struct kqid make_kqid_invalid(enum quota_type type)
+{
+        struct kqid kqid;
+        kqid.type = type;
+        switch (type) {
+        case USRQUOTA:
+                kqid.uid = INVALID_UID;
+                break;
+        case GRPQUOTA:
+                kqid.gid = INVALID_GID;
+                break;
+        case PRJQUOTA:
+                kqid.projid = INVALID_PROJID;
+                break;
+        default:
+                BUG();
+        }
+        return kqid;
+}
+/**
+ *      make_kqid_uid - Make a kqid from a kuid
+ *      @uid: The kuid to make the quota identifier from
+ */
+static inline struct kqid make_kqid_uid(kuid_t uid)
+{
+        struct kqid kqid;
+        kqid.type = USRQUOTA;
+        kqid.uid = uid;
+        return kqid;
+}
+/**
+ *      make_kqid_gid - Make a kqid from a kgid
+ *      @gid: The kgid to make the quota identifier from
+ */
+static inline struct kqid make_kqid_gid(kgid_t gid)
+{
+        struct kqid kqid;
+        kqid.type = GRPQUOTA;
+        kqid.gid = gid;
+        return kqid;
+}
+/**
+ *      make_kqid_projid - Make a kqid from a projid
+ *      @projid: The kprojid to make the quota identifier from
+ */
+static inline struct kqid make_kqid_projid(kprojid_t projid)
+{
+        struct kqid kqid;
+        kqid.type = PRJQUOTA;
+        kqid.projid = projid;
+        return kqid;
+}
 extern spinlock_t dq_data_lock;
 /* Maximal numbers of writes for quota operation (insert/delete/update)
@@ -294,10 +419,9 @@ struct dquot {
        atomic_t dq_count;              /* Use count */
        wait_queue_head_t dq_wait_unused;       /* Wait queue for dquot to become unused */
        struct super_block *dq_sb;      /* superblock this applies to */
-        unsigned int dq_id;             /* ID this applies to (uid, gid) */
+        struct kqid dq_id;              /* ID this applies to (uid, gid, projid) */
        loff_t dq_off;                  /* Offset of dquot on disk */
        unsigned long dq_flags;         /* See DQ_* */
-        short dq_type;                  /* Type of quota */
        struct mem_dqblk dq_dqb;        /* Diskquota usage */
 };
@@ -336,8 +460,8 @@ struct quotactl_ops {
        int (*quota_sync)(struct super_block *, int);
        int (*get_info)(struct super_block *, int, struct if_dqinfo *);
        int (*set_info)(struct super_block *, int, struct if_dqinfo *);
-        int (*get_dqblk)(struct super_block *, int, qid_t, struct fs_disk_quota *);
+        int (*get_dqblk)(struct super_block *, struct kqid, struct fs_disk_quota *);
-        int (*set_dqblk)(struct super_block *, int, qid_t, struct fs_disk_quota *);
+        int (*set_dqblk)(struct super_block *, struct kqid, struct fs_disk_quota *);
        int (*get_xstate)(struct super_block *, struct fs_quota_stat *);
        int (*set_xstate)(struct super_block *, unsigned int, int);
 };
@@ -386,10 +510,10 @@ static inline unsigned int dquot_generic_flag(unsigned int flags, int type)
 }
 #ifdef CONFIG_QUOTA_NETLINK_INTERFACE
-extern void quota_send_warning(short type, unsigned int id, dev_t dev,
+extern void quota_send_warning(struct kqid qid, dev_t dev,
                               const char warntype);
 #else
-static inline void quota_send_warning(short type, unsigned int id, dev_t dev,
+static inline void quota_send_warning(struct kqid qid, dev_t dev,
                                      const char warntype)
 {
        return;
diff --git a/include/linux/quotaops.h b/include/linux/quotaops.h
index ec6b65feaaba..1c50093ae656 100644
--- a/include/linux/quotaops.h
+++ b/include/linux/quotaops.h
@@ -44,7 +44,7 @@ void inode_sub_rsv_space(struct inode *inode, qsize_t number);
 void dquot_initialize(struct inode *inode);
 void dquot_drop(struct inode *inode);
-struct dquot *dqget(struct super_block *sb, unsigned int id, int type);
+struct dquot *dqget(struct super_block *sb, struct kqid qid);
 void dqput(struct dquot *dquot);
 int dquot_scan_active(struct super_block *sb,
                      int (*fn)(struct dquot *dquot, unsigned long priv),
@@ -87,9 +87,9 @@ int dquot_writeback_dquots(struct super_block *sb, int type);
 int dquot_quota_sync(struct super_block *sb, int type);
 int dquot_get_dqinfo(struct super_block *sb, int type, struct if_dqinfo *ii);
 int dquot_set_dqinfo(struct super_block *sb, int type, struct if_dqinfo *ii);
-int dquot_get_dqblk(struct super_block *sb, int type, qid_t id,
+int dquot_get_dqblk(struct super_block *sb, struct kqid id,
                struct fs_disk_quota *di);
-int dquot_set_dqblk(struct super_block *sb, int type, qid_t id,
+int dquot_set_dqblk(struct super_block *sb, struct kqid id,
                struct fs_disk_quota *di);
 int __dquot_transfer(struct inode *inode, struct dquot **transfer_to);
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 765dffbb085e..d23ca6245d54 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1414,7 +1414,7 @@ struct task_struct {
        struct audit_context *audit_context;
 #ifdef CONFIG_AUDITSYSCALL
-        uid_t loginuid;
+        kuid_t loginuid;
        unsigned int sessionid;
 #endif
        struct seccomp seccomp;
diff --git a/include/linux/security.h b/include/linux/security.h
index d143b8e01954..145accee9236 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1436,7 +1436,7 @@ struct security_operations {
        int (*path_rename) (struct path *old_dir, struct dentry *old_dentry,
                            struct path *new_dir, struct dentry *new_dentry);
        int (*path_chmod) (struct path *path, umode_t mode);
-        int (*path_chown) (struct path *path, uid_t uid, gid_t gid);
+        int (*path_chown) (struct path *path, kuid_t uid, kgid_t gid);
        int (*path_chroot) (struct path *path);
 #endif
@@ -2831,7 +2831,7 @@ int security_path_link(struct dentry *old_dentry, struct path *new_dir,
 int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
                         struct path *new_dir, struct dentry *new_dentry);
 int security_path_chmod(struct path *path, umode_t mode);
-int security_path_chown(struct path *path, uid_t uid, gid_t gid);
+int security_path_chown(struct path *path, kuid_t uid, kgid_t gid);
 int security_path_chroot(struct path *path);
 #else   /* CONFIG_SECURITY_PATH */
 static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
@@ -2887,7 +2887,7 @@ static inline int security_path_chmod(struct path *path, umode_t mode)
        return 0;
 }
-static inline int security_path_chown(struct path *path, uid_t uid, gid_t gid)
+static inline int security_path_chown(struct path *path, kuid_t uid, kgid_t gid)
 {
        return 0;
 }
diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h
index 83c44eefe698..68a04a343cad 100644
--- a/include/linux/seq_file.h
+++ b/include/linux/seq_file.h
@@ -13,6 +13,7 @@ struct file;
 struct path;
 struct inode;
 struct dentry;
+struct user_namespace;
 struct seq_file {
        char *buf;
@@ -25,6 +26,9 @@ struct seq_file {
        struct mutex lock;
        const struct seq_operations *op;
        int poll_event;
+#ifdef CONFIG_USER_NS
+        struct user_namespace *user_ns;
+#endif
        void *private;
 };
@@ -128,6 +132,16 @@ int seq_put_decimal_ull(struct seq_file *m, char delimiter,
 int seq_put_decimal_ll(struct seq_file *m, char delimiter,
                        long long num);
+static inline struct user_namespace *seq_user_ns(struct seq_file *seq)
+{
+#ifdef CONFIG_USER_NS
+        return seq->user_ns;
+#else
+        extern struct user_namespace init_user_ns;
+        return &init_user_ns;
+#endif
+}
 #define SEQ_START_TOKEN ((void *)1)
 /*
 * Helpers for iteration over list_head-s in seq_files
diff --git a/include/linux/tsacct_kern.h b/include/linux/tsacct_kern.h
index 7e50ac795b0b..44893e5ec8f7 100644
--- a/include/linux/tsacct_kern.h
+++ b/include/linux/tsacct_kern.h
@@ -10,9 +10,13 @@
 #include <linux/taskstats.h>
 #ifdef CONFIG_TASKSTATS
-extern void bacct_add_tsk(struct taskstats *stats, struct task_struct *tsk);
+extern void bacct_add_tsk(struct user_namespace *user_ns,
+                          struct pid_namespace *pid_ns,
+                          struct taskstats *stats, struct task_struct *tsk);
 #else
-static inline void bacct_add_tsk(struct taskstats *stats, struct task_struct *tsk)
+static inline void bacct_add_tsk(struct user_namespace *user_ns,
+                                 struct pid_namespace *pid_ns,
+                                 struct taskstats *stats, struct task_struct *tsk)
 {}
 #endif /* CONFIG_TASKSTATS */
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 1509b86825d8..4f6c59a5fb79 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -575,7 +575,7 @@ extern void tty_audit_fork(struct signal_struct *sig);
 extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
 extern void tty_audit_push(struct tty_struct *tty);
 extern int tty_audit_push_task(struct task_struct *tsk,
-                               uid_t loginuid, u32 sessionid);
+                               kuid_t loginuid, u32 sessionid);
 #else
 static inline void tty_audit_add_data(struct tty_struct *tty,
                                      unsigned char *data, size_t size)
@@ -594,7 +594,7 @@ static inline void tty_audit_push(struct tty_struct *tty)
 {
 }
 static inline int tty_audit_push_task(struct task_struct *tsk,
-                                      uid_t loginuid, u32 sessionid)
+                                      kuid_t loginuid, u32 sessionid)
 {
        return 0;
 }
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 4e72922e5a75..95142cae446a 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -20,6 +20,7 @@ struct uid_gid_map {	/* 64 bytes -- 1 cache line */
 struct user_namespace {
        struct uid_gid_map      uid_map;
        struct uid_gid_map      gid_map;
+        struct uid_gid_map      projid_map;
        struct kref             kref;
        struct user_namespace   *parent;
        kuid_t                  owner;
@@ -49,8 +50,10 @@ static inline void put_user_ns(struct user_namespace *ns)
 struct seq_operations;
 extern struct seq_operations proc_uid_seq_operations;
 extern struct seq_operations proc_gid_seq_operations;
+extern struct seq_operations proc_projid_seq_operations;
 extern ssize_t proc_uid_map_write(struct file *, const char __user *, size_t, loff_t *);
 extern ssize_t proc_gid_map_write(struct file *, const char __user *, size_t, loff_t *);
+extern ssize_t proc_projid_map_write(struct file *, const char __user *, size_t, loff_t *);
 #else
 static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
diff --git a/include/net/ax25.h b/include/net/ax25.h
index 5d2352154cf6..53539acbd81a 100644
--- a/include/net/ax25.h
+++ b/include/net/ax25.h
@@ -157,7 +157,7 @@ enum {
 typedef struct ax25_uid_assoc {
        struct hlist_node       uid_node;
        atomic_t                refcount;
-        uid_t                   uid;
+        kuid_t                  uid;
        ax25_address            call;
 } ax25_uid_assoc;
@@ -434,7 +434,7 @@ extern unsigned long ax25_display_timer(struct timer_list *);
 /* ax25_uid.c */
 extern int  ax25_uid_policy;
-extern ax25_uid_assoc *ax25_findbyuid(uid_t);
+extern ax25_uid_assoc *ax25_findbyuid(kuid_t);
 extern int __must_check ax25_uid_ioctl(int, struct sockaddr_ax25 *);
 extern const struct file_operations ax25_uid_fops;
 extern void ax25_uid_free(void);
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 01c34b363a34..c8a202436e01 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -222,7 +222,10 @@ struct ip6_flowlabel {
        struct ipv6_txoptions   *opt;
        unsigned long           linger;
        u8                      share;
-        u32                     owner;
+        union {
+                struct pid *pid;
+                kuid_t uid;
+        } owner;
        unsigned long           lastuse;
        unsigned long           expires;
        struct net              *fl_net;
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index f67440970d7e..2c95d55f7914 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -110,7 +110,7 @@ struct cipso_v4_doi;
 /* NetLabel audit information */
 struct netlbl_audit {
        u32 secid;
-        uid_t loginuid;
+        kuid_t loginuid;
        u32 sessionid;
 };
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index eb24dbccd81e..69e50c789d96 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -5,6 +5,7 @@
 #ifndef __NETNS_IPV4_H__
 #define __NETNS_IPV4_H__
+#include <linux/uidgid.h>
 #include <net/inet_frag.h>
 struct tcpm_hash_bucket;
@@ -62,7 +63,7 @@ struct netns_ipv4 {
        int sysctl_icmp_ratemask;
        int sysctl_icmp_errors_use_inbound_ifaddr;
-        unsigned int sysctl_ping_group_range[2];
+        kgid_t sysctl_ping_group_range[2];
        long sysctl_tcp_mem[3];
        atomic_t dev_addr_genid;
diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
index d9611e032418..4616f468d599 100644
--- a/include/net/sch_generic.h
+++ b/include/net/sch_generic.h
@@ -188,7 +188,8 @@ struct tcf_proto_ops {
        unsigned long           (*get)(struct tcf_proto*, u32 handle);
        void                    (*put)(struct tcf_proto*, unsigned long);
-        int                     (*change)(struct tcf_proto*, unsigned long,
+        int                     (*change)(struct sk_buff *,
+                                        struct tcf_proto*, unsigned long,
                                        u32 handle, struct nlattr **,
                                        unsigned long *);
        int                     (*delete)(struct tcf_proto*, unsigned long);
diff --git a/include/net/sock.h b/include/net/sock.h
index 6e6ec18fb6d0..0d7e9834d9be 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -606,6 +606,15 @@ static inline void sk_add_bind_node(struct sock *sk,
 #define sk_for_each_bound(__sk, node, list) \
        hlist_for_each_entry(__sk, node, list, sk_bind_node)
+static inline struct user_namespace *sk_user_ns(struct sock *sk)
+{
+        /* Careful only use this in a context where these parameters
+         * can not change and must all be valid, such as recvmsg from
+         * userspace.
+         */
+        return sk->sk_socket->file->f_cred->user_ns;
+}
 /* Sock flags */
 enum sock_flags {
        SOCK_DEAD,
@@ -1662,7 +1671,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent)
        write_unlock_bh(&sk->sk_callback_lock);
 }
-extern int sock_i_uid(struct sock *sk);
+extern kuid_t sock_i_uid(struct sock *sk);
 extern unsigned long sock_i_ino(struct sock *sk);
 static inline struct dst_entry *
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 1f000ffe7075..9a0021d16d91 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1510,7 +1510,8 @@ struct tcp_iter_state {
        sa_family_t             family;
        enum tcp_seq_states     state;
        struct sock             *syn_wait_sk;
-        int                     bucket, offset, sbucket, num, uid;
+        int                     bucket, offset, sbucket, num;
+        kuid_t                  uid;
        loff_t                  last_pos;
 };
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 639dd1316d37..411d83c9821d 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -671,7 +671,7 @@ struct xfrm_spi_skb_cb {
 /* Audit Information */
 struct xfrm_audit {
        u32     secid;
-        uid_t   loginuid;
+        kuid_t  loginuid;
        u32     sessionid;
 };
@@ -690,13 +690,14 @@ static inline struct audit_buffer *xfrm_audit_start(const char *op)
        return audit_buf;
 }
-static inline void xfrm_audit_helper_usrinfo(uid_t auid, u32 ses, u32 secid,
+static inline void xfrm_audit_helper_usrinfo(kuid_t auid, u32 ses, u32 secid,
                                             struct audit_buffer *audit_buf)
 {
        char *secctx;
        u32 secctx_len;
-        audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
+        audit_log_format(audit_buf, " auid=%u ses=%u",
+                         from_kuid(&init_user_ns, auid), ses);
        if (secid != 0 &&
            security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
                audit_log_format(audit_buf, " subj=%s", secctx);
@@ -706,13 +707,13 @@ static inline void xfrm_audit_helper_usrinfo(uid_t auid, u32 ses, u32 secid,
 }
 extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
-                                  u32 auid, u32 ses, u32 secid);
+                                  kuid_t auid, u32 ses, u32 secid);
 extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
-                                  u32 auid, u32 ses, u32 secid);
+                                  kuid_t auid, u32 ses, u32 secid);
 extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
-                                 u32 auid, u32 ses, u32 secid);
+                                 kuid_t auid, u32 ses, u32 secid);
 extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
-                                    u32 auid, u32 ses, u32 secid);
+                                    kuid_t auid, u32 ses, u32 secid);
 extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
                                             struct sk_buff *skb);
 extern void xfrm_audit_state_replay(struct xfrm_state *x,
@@ -725,22 +726,22 @@ extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
 #else
 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
-                                  u32 auid, u32 ses, u32 secid)
+                                  kuid_t auid, u32 ses, u32 secid)
 {
 }
 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
-                                  u32 auid, u32 ses, u32 secid)
+                                  kuid_t auid, u32 ses, u32 secid)
 {
 }
 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
-                                 u32 auid, u32 ses, u32 secid)
+                                 kuid_t auid, u32 ses, u32 secid)
 {
 }
 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
-                                    u32 auid, u32 ses, u32 secid)
+                                    kuid_t auid, u32 ses, u32 secid)
 {
 }
diff --git a/init/Kconfig b/init/Kconfig
index 73e4adfa91dc..cb003a3c9122 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -986,113 +986,24 @@ config UIDGID_CONVERTED
        bool
        default y
-        # List of kernel pieces that need user namespace work
-        # Features
-        depends on SYSVIPC = n
-        depends on IMA = n
-        depends on EVM = n
-        depends on KEYS = n
-        depends on AUDIT = n
-        depends on AUDITSYSCALL = n
-        depends on TASKSTATS = n
-        depends on TRACING = n
-        depends on FS_POSIX_ACL = n
-        depends on QUOTA = n
-        depends on QUOTACTL = n
-        depends on DEBUG_CREDENTIALS = n
-        depends on BSD_PROCESS_ACCT = n
-        depends on DRM = n
-        depends on PROC_EVENTS = n
        # Networking
-        depends on NET = n
        depends on NET_9P = n
-        depends on IPX = n
-        depends on PHONET = n
-        depends on NET_CLS_FLOW = n
-        depends on NETFILTER_XT_MATCH_OWNER = n
-        depends on NETFILTER_XT_MATCH_RECENT = n
-        depends on NETFILTER_XT_TARGET_LOG = n
-        depends on NETFILTER_NETLINK_LOG = n
-        depends on INET = n
-        depends on IPV6 = n
-        depends on IP_SCTP = n
-        depends on AF_RXRPC = n
-        depends on LLC2 = n
-        depends on NET_KEY = n
-        depends on INET_DIAG = n
-        depends on DNS_RESOLVER = n
-        depends on AX25 = n
-        depends on ATALK = n
        # Filesystems
-        depends on USB_DEVICEFS = n
-        depends on USB_GADGETFS = n
-        depends on USB_FUNCTIONFS = n
-        depends on DEVTMPFS = n
-        depends on XENFS = n
        depends on 9P_FS = n
-        depends on ADFS_FS = n
-        depends on AFFS_FS = n
        depends on AFS_FS = n
        depends on AUTOFS4_FS = n
-        depends on BEFS_FS = n
-        depends on BFS_FS = n
-        depends on BTRFS_FS = n
        depends on CEPH_FS = n
        depends on CIFS = n
        depends on CODA_FS = n
-        depends on CONFIGFS_FS = n
-        depends on CRAMFS = n
-        depends on DEBUG_FS = n
-        depends on ECRYPT_FS = n
-        depends on EFS_FS = n
-        depends on EXOFS_FS = n
-        depends on FAT_FS = n
        depends on FUSE_FS = n
        depends on GFS2_FS = n
-        depends on HFS_FS = n
-        depends on HFSPLUS_FS = n
-        depends on HPFS_FS = n
-        depends on HUGETLBFS = n
-        depends on ISO9660_FS = n
-        depends on JFFS2_FS = n
-        depends on JFS_FS = n
-        depends on LOGFS = n
-        depends on MINIX_FS = n
        depends on NCP_FS = n
        depends on NFSD = n
        depends on NFS_FS = n
-        depends on NILFS2_FS = n
-        depends on NTFS_FS = n
        depends on OCFS2_FS = n
-        depends on OMFS_FS = n
-        depends on QNX4FS_FS = n
-        depends on QNX6FS_FS = n
-        depends on REISERFS_FS = n
-        depends on SQUASHFS = n
-        depends on SYSV_FS = n
-        depends on UBIFS_FS = n
-        depends on UDF_FS = n
-        depends on UFS_FS = n
-        depends on VXFS_FS = n
        depends on XFS_FS = n
-        depends on !UML || HOSTFS = n
-        # The rare drivers that won't build
-        depends on AIRO = n
-        depends on AIRO_CS = n
-        depends on TUN = n
-        depends on INFINIBAND_QIB = n
-        depends on BLK_DEV_LOOP = n
-        depends on ANDROID_BINDER_IPC = n
-        # Security modules
-        depends on SECURITY_TOMOYO = n
-        depends on SECURITY_APPARMOR = n
 config UIDGID_STRICT_TYPE_CHECKS
        bool "Require conversions between uid/gids and their internal representation"
        depends on UIDGID_CONVERTED
diff --git a/ipc/msg.c b/ipc/msg.c
index 7385de25788a..a71af5a65abf 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -443,9 +443,12 @@ static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
                        goto out_unlock;
                }
+                err = ipc_update_perm(&msqid64.msg_perm, ipcp);
+                if (err)
+                        goto out_unlock;
                msq->q_qbytes = msqid64.msg_qbytes;
-                ipc_update_perm(&msqid64.msg_perm, ipcp);
                msq->q_ctime = get_seconds();
                /* sleeping receivers might be excluded by
                 * stricter permissions.
@@ -922,6 +925,7 @@ out:
 #ifdef CONFIG_PROC_FS
 static int sysvipc_msg_proc_show(struct seq_file *s, void *it)
 {
+        struct user_namespace *user_ns = seq_user_ns(s);
        struct msg_queue *msq = it;
        return seq_printf(s,
@@ -933,10 +937,10 @@ static int sysvipc_msg_proc_show(struct seq_file *s, void *it)
                        msq->q_qnum,
                        msq->q_lspid,
                        msq->q_lrpid,
-                        msq->q_perm.uid,
+                        from_kuid_munged(user_ns, msq->q_perm.uid),
-                        msq->q_perm.gid,
+                        from_kgid_munged(user_ns, msq->q_perm.gid),
-                        msq->q_perm.cuid,
+                        from_kuid_munged(user_ns, msq->q_perm.cuid),
-                        msq->q_perm.cgid,
+                        from_kgid_munged(user_ns, msq->q_perm.cgid),
                        msq->q_stime,
                        msq->q_rtime,
                        msq->q_ctime);
diff --git a/ipc/sem.c b/ipc/sem.c
index 5215a81420df..58d31f1c1eb5 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -1104,7 +1104,9 @@ static int semctl_down(struct ipc_namespace *ns, int semid,
                freeary(ns, ipcp);
                goto out_up;
        case IPC_SET:
-                ipc_update_perm(&semid64.sem_perm, ipcp);
+                err = ipc_update_perm(&semid64.sem_perm, ipcp);
+                if (err)
+                        goto out_unlock;
                sma->sem_ctime = get_seconds();
                break;
        default:
@@ -1677,6 +1679,7 @@ void exit_sem(struct task_struct *tsk)
 #ifdef CONFIG_PROC_FS
 static int sysvipc_sem_proc_show(struct seq_file *s, void *it)
 {
+        struct user_namespace *user_ns = seq_user_ns(s);
        struct sem_array *sma = it;
        return seq_printf(s,
@@ -1685,10 +1688,10 @@ static int sysvipc_sem_proc_show(struct seq_file *s, void *it)
                          sma->sem_perm.id,
                          sma->sem_perm.mode,
                          sma->sem_nsems,
-                          sma->sem_perm.uid,
+                          from_kuid_munged(user_ns, sma->sem_perm.uid),
-                          sma->sem_perm.gid,
+                          from_kgid_munged(user_ns, sma->sem_perm.gid),
-                          sma->sem_perm.cuid,
+                          from_kuid_munged(user_ns, sma->sem_perm.cuid),
-                          sma->sem_perm.cgid,
+                          from_kgid_munged(user_ns, sma->sem_perm.cgid),
                          sma->sem_otime,
                          sma->sem_ctime);
 }
diff --git a/ipc/shm.c b/ipc/shm.c
index 00faa05cf72a..dff40c9f73c9 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -758,7 +758,9 @@ static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd,
                do_shm_rmid(ns, ipcp);
                goto out_up;
        case IPC_SET:
-                ipc_update_perm(&shmid64.shm_perm, ipcp);
+                err = ipc_update_perm(&shmid64.shm_perm, ipcp);
+                if (err)
+                        goto out_unlock;
                shp->shm_ctim = get_seconds();
                break;
        default:
@@ -893,10 +895,10 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
                audit_ipc_obj(&(shp->shm_perm));
                if (!ns_capable(ns->user_ns, CAP_IPC_LOCK)) {
-                        uid_t euid = current_euid();
+                        kuid_t euid = current_euid();
                        err = -EPERM;
-                        if (euid != shp->shm_perm.uid &&
+                        if (!uid_eq(euid, shp->shm_perm.uid) &&
-                            euid != shp->shm_perm.cuid)
+                            !uid_eq(euid, shp->shm_perm.cuid))
                                goto out_unlock;
                        if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK))
                                goto out_unlock;
@@ -1220,6 +1222,7 @@ SYSCALL_DEFINE1(shmdt, char __user *, shmaddr)
 #ifdef CONFIG_PROC_FS
 static int sysvipc_shm_proc_show(struct seq_file *s, void *it)
 {
+        struct user_namespace *user_ns = seq_user_ns(s);
        struct shmid_kernel *shp = it;
        unsigned long rss = 0, swp = 0;
@@ -1242,10 +1245,10 @@ static int sysvipc_shm_proc_show(struct seq_file *s, void *it)
                          shp->shm_cprid,
                          shp->shm_lprid,
                          shp->shm_nattch,
-                          shp->shm_perm.uid,
+                          from_kuid_munged(user_ns, shp->shm_perm.uid),
-                          shp->shm_perm.gid,
+                          from_kgid_munged(user_ns, shp->shm_perm.gid),
-                          shp->shm_perm.cuid,
+                          from_kuid_munged(user_ns, shp->shm_perm.cuid),
-                          shp->shm_perm.cgid,
+                          from_kgid_munged(user_ns, shp->shm_perm.cgid),
                          shp->shm_atim,
                          shp->shm_dtim,
                          shp->shm_ctim,
diff --git a/ipc/util.c b/ipc/util.c
index eb07fd356f27..72fd0785ac94 100644
--- a/ipc/util.c
+++ b/ipc/util.c
@@ -249,8 +249,8 @@ int ipc_get_maxid(struct ipc_ids *ids)
 
 int ipc_addid(struct ipc_ids* ids, struct kern_ipc_perm* new, int size)
 {
-        uid_t euid;
+        kuid_t euid;
-        gid_t egid;
+        kgid_t egid;
        int id, err;
        if (size > IPCMNI)
@@ -606,14 +606,14 @@ void ipc_rcu_putref(void *ptr)
 
 int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag)
 {
-        uid_t euid = current_euid();
+        kuid_t euid = current_euid();
        int requested_mode, granted_mode;
        audit_ipc_obj(ipcp);
        requested_mode = (flag >> 6) | (flag >> 3) | flag;
        granted_mode = ipcp->mode;
-        if (euid == ipcp->cuid ||
+        if (uid_eq(euid, ipcp->cuid) ||
-            euid == ipcp->uid)
+            uid_eq(euid, ipcp->uid))
                granted_mode >>= 6;
        else if (in_group_p(ipcp->cgid) || in_group_p(ipcp->gid))
                granted_mode >>= 3;
@@ -643,10 +643,10 @@ int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag)
 void kernel_to_ipc64_perm (struct kern_ipc_perm *in, struct ipc64_perm *out)
 {
        out->key        = in->key;
-        out->uid        = in->uid;
+        out->uid        = from_kuid_munged(current_user_ns(), in->uid);
-        out->gid        = in->gid;
+        out->gid        = from_kgid_munged(current_user_ns(), in->gid);
-        out->cuid       = in->cuid;
+        out->cuid       = from_kuid_munged(current_user_ns(), in->cuid);
-        out->cgid       = in->cgid;
+        out->cgid       = from_kgid_munged(current_user_ns(), in->cgid);
        out->mode       = in->mode;
        out->seq        = in->seq;
 }
@@ -747,12 +747,19 @@ int ipcget(struct ipc_namespace *ns, struct ipc_ids *ids,
 * @in:  the permission given as input.
 * @out: the permission of the ipc to set.
 */
-void ipc_update_perm(struct ipc64_perm *in, struct kern_ipc_perm *out)
+int ipc_update_perm(struct ipc64_perm *in, struct kern_ipc_perm *out)
 {
-        out->uid = in->uid;
+        kuid_t uid = make_kuid(current_user_ns(), in->uid);
-        out->gid = in->gid;
+        kgid_t gid = make_kgid(current_user_ns(), in->gid);
+        if (!uid_valid(uid) || !gid_valid(gid))
+                return -EINVAL;
+        out->uid = uid;
+        out->gid = gid;
        out->mode = (out->mode & ~S_IRWXUGO)
                | (in->mode & S_IRWXUGO);
+        return 0;
 }
 /**
@@ -777,7 +784,7 @@ struct kern_ipc_perm *ipcctl_pre_down(struct ipc_namespace *ns,
                                      struct ipc64_perm *perm, int extra_perm)
 {
        struct kern_ipc_perm *ipcp;
-        uid_t euid;
+        kuid_t euid;
        int err;
        down_write(&ids->rw_mutex);
@@ -793,7 +800,7 @@ struct kern_ipc_perm *ipcctl_pre_down(struct ipc_namespace *ns,
                                         perm->gid, perm->mode);
        euid = current_euid();
-        if (euid == ipcp->cuid || euid == ipcp->uid  ||
+        if (uid_eq(euid, ipcp->cuid) || uid_eq(euid, ipcp->uid)  ||
            ns_capable(ns->user_ns, CAP_SYS_ADMIN))
                return ipcp;
diff --git a/ipc/util.h b/ipc/util.h
index 850ef3e962cb..c8fe2f7631e9 100644
--- a/ipc/util.h
+++ b/ipc/util.h
@@ -125,7 +125,7 @@ struct kern_ipc_perm *ipc_lock(struct ipc_ids *, int);
 void kernel_to_ipc64_perm(struct kern_ipc_perm *in, struct ipc64_perm *out);
 void ipc64_perm_to_ipc_perm(struct ipc64_perm *in, struct ipc_perm *out);
-void ipc_update_perm(struct ipc64_perm *in, struct kern_ipc_perm *out);
+int ipc_update_perm(struct ipc64_perm *in, struct kern_ipc_perm *out);
 struct kern_ipc_perm *ipcctl_pre_down(struct ipc_namespace *ns,
                                      struct ipc_ids *ids, int id, int cmd,
                                      struct ipc64_perm *perm, int extra_perm);
diff --git a/kernel/acct.c b/kernel/acct.c
index 02e6167a53b0..6cd7529c9e6a 100644
--- a/kernel/acct.c
+++ b/kernel/acct.c
@@ -507,8 +507,8 @@ static void do_acct_process(struct bsd_acct_struct *acct,
        do_div(elapsed, AHZ);
        ac.ac_btime = get_seconds() - elapsed;
        /* we really need to bite the bullet and change layout */
-        ac.ac_uid = orig_cred->uid;
+        ac.ac_uid = from_kuid_munged(file->f_cred->user_ns, orig_cred->uid);
-        ac.ac_gid = orig_cred->gid;
+        ac.ac_gid = from_kgid_munged(file->f_cred->user_ns, orig_cred->gid);
 #if ACCT_VERSION==2
        ac.ac_ahz = AHZ;
 #endif
diff --git a/kernel/audit.c b/kernel/audit.c
index ea3b7b6191c7..511488a7bc71 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -61,6 +61,7 @@
 #include <linux/netlink.h>
 #include <linux/freezer.h>
 #include <linux/tty.h>
+#include <linux/pid_namespace.h>
 #include "audit.h"
@@ -104,7 +105,7 @@ static int	audit_backlog_wait_time = 60 * HZ;
 static int      audit_backlog_wait_overflow = 0;
 /* The identity of the user shutting down the audit system. */
-uid_t           audit_sig_uid = -1;
+kuid_t          audit_sig_uid = INVALID_UID;
 pid_t           audit_sig_pid = -1;
 u32             audit_sig_sid = 0;
@@ -264,7 +265,7 @@ void audit_log_lost(const char *message)
 }
 static int audit_log_config_change(char *function_name, int new, int old,
-                                   uid_t loginuid, u32 sessionid, u32 sid,
+                                   kuid_t loginuid, u32 sessionid, u32 sid,
                                   int allow_changes)
 {
        struct audit_buffer *ab;
@@ -272,7 +273,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
        audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new,
-                         old, loginuid, sessionid);
+                         old, from_kuid(&init_user_ns, loginuid), sessionid);
        if (sid) {
                char *ctx = NULL;
                u32 len;
@@ -292,7 +293,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
 }
 static int audit_do_config_change(char *function_name, int *to_change,
-                                  int new, uid_t loginuid, u32 sessionid,
+                                  int new, kuid_t loginuid, u32 sessionid,
                                  u32 sid)
 {
        int allow_changes, rc = 0, old = *to_change;
@@ -319,21 +320,21 @@ static int audit_do_config_change(char *function_name, int *to_change,
        return rc;
 }
-static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sessionid,
+static int audit_set_rate_limit(int limit, kuid_t loginuid, u32 sessionid,
                                u32 sid)
 {
        return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
                                      limit, loginuid, sessionid, sid);
 }
-static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sessionid,
+static int audit_set_backlog_limit(int limit, kuid_t loginuid, u32 sessionid,
                                   u32 sid)
 {
        return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
                                      limit, loginuid, sessionid, sid);
 }
-static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid)
+static int audit_set_enabled(int state, kuid_t loginuid, u32 sessionid, u32 sid)
 {
        int rc;
        if (state < AUDIT_OFF || state > AUDIT_LOCKED)
@@ -348,7 +349,7 @@ static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid)
        return rc;
 }
-static int audit_set_failure(int state, uid_t loginuid, u32 sessionid, u32 sid)
+static int audit_set_failure(int state, kuid_t loginuid, u32 sessionid, u32 sid)
 {
        if (state != AUDIT_FAIL_SILENT
            && state != AUDIT_FAIL_PRINTK
@@ -467,24 +468,6 @@ static int kauditd_thread(void *dummy)
        return 0;
 }
-static int audit_prepare_user_tty(pid_t pid, uid_t loginuid, u32 sessionid)
-{
-        struct task_struct *tsk;
-        int err;
-        rcu_read_lock();
-        tsk = find_task_by_vpid(pid);
-        if (!tsk) {
-                rcu_read_unlock();
-                return -ESRCH;
-        }
-        get_task_struct(tsk);
-        rcu_read_unlock();
-        err = tty_audit_push_task(tsk, loginuid, sessionid);
-        put_task_struct(tsk);
-        return err;
-}
 int audit_send_list(void *_dest)
 {
        struct audit_netlink_list *dest = _dest;
@@ -588,6 +571,11 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 {
        int err = 0;
+        /* Only support the initial namespaces for now. */
+        if ((current_user_ns() != &init_user_ns) ||
+            (task_active_pid_ns(current) != &init_pid_ns))
+                return -EPERM;
        switch (msg_type) {
        case AUDIT_GET:
        case AUDIT_LIST:
@@ -619,8 +607,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 }
 static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
-                                     u32 pid, u32 uid, uid_t auid, u32 ses,
+                                     kuid_t auid, u32 ses, u32 sid)
-                                     u32 sid)
 {
        int rc = 0;
        char *ctx = NULL;
@@ -633,7 +620,9 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
        *ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
        audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u",
-                         pid, uid, auid, ses);
+                         task_tgid_vnr(current),
+                         from_kuid(&init_user_ns, current_uid()),
+                         from_kuid(&init_user_ns, auid), ses);
        if (sid) {
                rc = security_secid_to_secctx(sid, &ctx, &len);
                if (rc)
@@ -649,13 +638,13 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
 static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 {
-        u32                     uid, pid, seq, sid;
+        u32                     seq, sid;
        void                    *data;
        struct audit_status     *status_get, status_set;
        int                     err;
        struct audit_buffer     *ab;
        u16                     msg_type = nlh->nlmsg_type;
-        uid_t                   loginuid; /* loginuid of sender */
+        kuid_t                  loginuid; /* loginuid of sender */
        u32                     sessionid;
        struct audit_sig_info   *sig_data;
        char                    *ctx = NULL;
@@ -675,8 +664,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                return err;
        }
-        pid  = NETLINK_CREDS(skb)->pid;
-        uid  = NETLINK_CREDS(skb)->uid;
        loginuid = audit_get_loginuid(current);
        sessionid = audit_get_sessionid(current);
        security_task_getsecid(current, &sid);
@@ -738,16 +725,16 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                if (!audit_enabled && msg_type != AUDIT_USER_AVC)
                        return 0;
-                err = audit_filter_user(&NETLINK_CB(skb));
+                err = audit_filter_user();
                if (err == 1) {
                        err = 0;
                        if (msg_type == AUDIT_USER_TTY) {
-                                err = audit_prepare_user_tty(pid, loginuid,
+                                err = tty_audit_push_task(current, loginuid,
                                                             sessionid);
                                if (err)
                                        break;
                        }
-                        audit_log_common_recv_msg(&ab, msg_type, pid, uid,
+                        audit_log_common_recv_msg(&ab, msg_type,
                                                  loginuid, sessionid, sid);
                        if (msg_type != AUDIT_USER_TTY)
@@ -763,7 +750,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                                        size--;
                                audit_log_n_untrustedstring(ab, data, size);
                        }
-                        audit_set_pid(ab, pid);
+                        audit_set_pid(ab, NETLINK_CB(skb).pid);
                        audit_log_end(ab);
                }
                break;
@@ -772,8 +759,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                if (nlmsg_len(nlh) < sizeof(struct audit_rule))
                        return -EINVAL;
                if (audit_enabled == AUDIT_LOCKED) {
-                        audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
+                        audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
-                                                  uid, loginuid, sessionid, sid);
+                                                  loginuid, sessionid, sid);
                        audit_log_format(ab, " audit_enabled=%d res=0",
                                         audit_enabled);
@@ -783,7 +770,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                /* fallthrough */
        case AUDIT_LIST:
                err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
-                                           uid, seq, data, nlmsg_len(nlh),
+                                           seq, data, nlmsg_len(nlh),
                                           loginuid, sessionid, sid);
                break;
        case AUDIT_ADD_RULE:
@@ -791,8 +778,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
                        return -EINVAL;
                if (audit_enabled == AUDIT_LOCKED) {
-                        audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
+                        audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
-                                                  uid, loginuid, sessionid, sid);
+                                                  loginuid, sessionid, sid);
                        audit_log_format(ab, " audit_enabled=%d res=0",
                                         audit_enabled);
@@ -802,14 +789,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                /* fallthrough */
        case AUDIT_LIST_RULES:
                err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
-                                           uid, seq, data, nlmsg_len(nlh),
+                                           seq, data, nlmsg_len(nlh),
                                           loginuid, sessionid, sid);
                break;
        case AUDIT_TRIM:
                audit_trim_trees();
-                audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
+                audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
-                                          uid, loginuid, sessionid, sid);
+                                          loginuid, sessionid, sid);
                audit_log_format(ab, " op=trim res=1");
                audit_log_end(ab);
@@ -840,8 +827,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                /* OK, here comes... */
                err = audit_tag_tree(old, new);
-                audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
+                audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
-                                          uid, loginuid, sessionid, sid);
+                                          loginuid, sessionid, sid);
                audit_log_format(ab, " op=make_equiv old=");
                audit_log_untrustedstring(ab, old);
@@ -866,7 +853,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                                security_release_secctx(ctx, len);
                        return -ENOMEM;
                }
-                sig_data->uid = audit_sig_uid;
+                sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
                sig_data->pid = audit_sig_pid;
                if (audit_sig_sid) {
                        memcpy(sig_data->ctx, ctx, len);
@@ -878,41 +865,29 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                break;
        case AUDIT_TTY_GET: {
                struct audit_tty_status s;
-                struct task_struct *tsk;
+                struct task_struct *tsk = current;
-                unsigned long flags;
+                spin_lock_irq(&tsk->sighand->siglock);
-                rcu_read_lock();
+                s.enabled = tsk->signal->audit_tty != 0;
-                tsk = find_task_by_vpid(pid);
+                spin_unlock_irq(&tsk->sighand->siglock);
-                if (tsk && lock_task_sighand(tsk, &flags)) {
-                        s.enabled = tsk->signal->audit_tty != 0;
+                audit_send_reply(NETLINK_CB(skb).pid, seq,
-                        unlock_task_sighand(tsk, &flags);
+                                 AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
-                } else
-                        err = -ESRCH;
-                rcu_read_unlock();
-                if (!err)
-                        audit_send_reply(NETLINK_CB(skb).pid, seq,
-                                         AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
                break;
        }
        case AUDIT_TTY_SET: {
                struct audit_tty_status *s;
-                struct task_struct *tsk;
+                struct task_struct *tsk = current;
-                unsigned long flags;
                if (nlh->nlmsg_len < sizeof(struct audit_tty_status))
                        return -EINVAL;
                s = data;
                if (s->enabled != 0 && s->enabled != 1)
                        return -EINVAL;
-                rcu_read_lock();
-                tsk = find_task_by_vpid(pid);
+                spin_lock_irq(&tsk->sighand->siglock);
-                if (tsk && lock_task_sighand(tsk, &flags)) {
+                tsk->signal->audit_tty = s->enabled != 0;
-                        tsk->signal->audit_tty = s->enabled != 0;
+                spin_unlock_irq(&tsk->sighand->siglock);
-                        unlock_task_sighand(tsk, &flags);
-                } else
-                        err = -ESRCH;
-                rcu_read_unlock();
                break;
        }
        default:
diff --git a/kernel/audit.h b/kernel/audit.h
index 816766803371..9eb3d79482b6 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -76,6 +76,8 @@ static inline int audit_hash_ino(u32 ino)
 extern int audit_match_class(int class, unsigned syscall);
 extern int audit_comparator(const u32 left, const u32 op, const u32 right);
+extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
+extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right);
 extern int audit_compare_dname_path(const char *dname, const char *path,
                                    int *dirlen);
 extern struct sk_buff *     audit_make_reply(int pid, int seq, int type,
@@ -144,7 +146,7 @@ extern void audit_kill_trees(struct list_head *);
 extern char *audit_unpack_string(void **, size_t *, size_t);
 extern pid_t audit_sig_pid;
-extern uid_t audit_sig_uid;
+extern kuid_t audit_sig_uid;
 extern u32 audit_sig_sid;
 #ifdef CONFIG_AUDITSYSCALL
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 3823281401b5..1c22ec3d87bc 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -241,7 +241,7 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc
                struct audit_buffer *ab;
                ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
                audit_log_format(ab, "auid=%u ses=%u op=",
-                                 audit_get_loginuid(current),
+                                 from_kuid(&init_user_ns, audit_get_loginuid(current)),
                                 audit_get_sessionid(current));
                audit_log_string(ab, op);
                audit_log_format(ab, " path=");
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index a6c3f1abd206..c4bcdbaf4d4d 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -342,6 +342,8 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS);
                f->val = rule->values[i];
+                f->uid = INVALID_UID;
+                f->gid = INVALID_GID;
                err = -EINVAL;
                if (f->op == Audit_bad)
@@ -350,16 +352,32 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                switch(f->type) {
                default:
                        goto exit_free;
-                case AUDIT_PID:
                case AUDIT_UID:
                case AUDIT_EUID:
                case AUDIT_SUID:
                case AUDIT_FSUID:
+                case AUDIT_LOGINUID:
+                        /* bit ops not implemented for uid comparisons */
+                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
+                                goto exit_free;
+                        f->uid = make_kuid(current_user_ns(), f->val);
+                        if (!uid_valid(f->uid))
+                                goto exit_free;
+                        break;
                case AUDIT_GID:
                case AUDIT_EGID:
                case AUDIT_SGID:
                case AUDIT_FSGID:
-                case AUDIT_LOGINUID:
+                        /* bit ops not implemented for gid comparisons */
+                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
+                                goto exit_free;
+                        f->gid = make_kgid(current_user_ns(), f->val);
+                        if (!gid_valid(f->gid))
+                                goto exit_free;
+                        break;
+                case AUDIT_PID:
                case AUDIT_PERS:
                case AUDIT_MSGTYPE:
                case AUDIT_PPID:
@@ -437,19 +455,39 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                f->type = data->fields[i];
                f->val = data->values[i];
+                f->uid = INVALID_UID;
+                f->gid = INVALID_GID;
                f->lsm_str = NULL;
                f->lsm_rule = NULL;
                switch(f->type) {
-                case AUDIT_PID:
                case AUDIT_UID:
                case AUDIT_EUID:
                case AUDIT_SUID:
                case AUDIT_FSUID:
+                case AUDIT_LOGINUID:
+                case AUDIT_OBJ_UID:
+                        /* bit ops not implemented for uid comparisons */
+                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
+                                goto exit_free;
+                        f->uid = make_kuid(current_user_ns(), f->val);
+                        if (!uid_valid(f->uid))
+                                goto exit_free;
+                        break;
                case AUDIT_GID:
                case AUDIT_EGID:
                case AUDIT_SGID:
                case AUDIT_FSGID:
-                case AUDIT_LOGINUID:
+                case AUDIT_OBJ_GID:
+                        /* bit ops not implemented for gid comparisons */
+                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
+                                goto exit_free;
+                        f->gid = make_kgid(current_user_ns(), f->val);
+                        if (!gid_valid(f->gid))
+                                goto exit_free;
+                        break;
+                case AUDIT_PID:
                case AUDIT_PERS:
                case AUDIT_MSGTYPE:
                case AUDIT_PPID:
@@ -461,8 +499,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                case AUDIT_ARG1:
                case AUDIT_ARG2:
                case AUDIT_ARG3:
-                case AUDIT_OBJ_UID:
-                case AUDIT_OBJ_GID:
                        break;
                case AUDIT_ARCH:
                        entry->rule.arch_f = f;
@@ -707,6 +743,23 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
                        if (strcmp(a->filterkey, b->filterkey))
                                return 1;
                        break;
+                case AUDIT_UID:
+                case AUDIT_EUID:
+                case AUDIT_SUID:
+                case AUDIT_FSUID:
+                case AUDIT_LOGINUID:
+                case AUDIT_OBJ_UID:
+                        if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
+                                return 1;
+                        break;
+                case AUDIT_GID:
+                case AUDIT_EGID:
+                case AUDIT_SGID:
+                case AUDIT_FSGID:
+                case AUDIT_OBJ_GID:
+                        if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
+                                return 1;
+                        break;
                default:
                        if (a->fields[i].val != b->fields[i].val)
                                return 1;
@@ -1056,7 +1109,7 @@ static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
 }
 /* Log rule additions and removals */
-static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
+static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid,
                                  char *action, struct audit_krule *rule,
                                  int res)
 {
@@ -1068,7 +1121,8 @@ static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
        if (!ab)
                return;
-        audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid);
+        audit_log_format(ab, "auid=%u ses=%u",
+                         from_kuid(&init_user_ns, loginuid), sessionid);
        if (sid) {
                char *ctx = NULL;
                u32 len;
@@ -1098,8 +1152,8 @@ static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
 * @sessionid: sessionid for netlink audit message
 * @sid: SE Linux Security ID of sender
 */
-int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
+int audit_receive_filter(int type, int pid, int seq, void *data,
-                         size_t datasz, uid_t loginuid, u32 sessionid, u32 sid)
+                         size_t datasz, kuid_t loginuid, u32 sessionid, u32 sid)
 {
        struct task_struct *tsk;
        struct audit_netlink_list *dest;
@@ -1198,6 +1252,52 @@ int audit_comparator(u32 left, u32 op, u32 right)
        }
 }
+int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
+{
+        switch (op) {
+        case Audit_equal:
+                return uid_eq(left, right);
+        case Audit_not_equal:
+                return !uid_eq(left, right);
+        case Audit_lt:
+                return uid_lt(left, right);
+        case Audit_le:
+                return uid_lte(left, right);
+        case Audit_gt:
+                return uid_gt(left, right);
+        case Audit_ge:
+                return uid_gte(left, right);
+        case Audit_bitmask:
+        case Audit_bittest:
+        default:
+                BUG();
+                return 0;
+        }
+}
+int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
+{
+        switch (op) {
+        case Audit_equal:
+                return gid_eq(left, right);
+        case Audit_not_equal:
+                return !gid_eq(left, right);
+        case Audit_lt:
+                return gid_lt(left, right);
+        case Audit_le:
+                return gid_lte(left, right);
+        case Audit_gt:
+                return gid_gt(left, right);
+        case Audit_ge:
+                return gid_gte(left, right);
+        case Audit_bitmask:
+        case Audit_bittest:
+        default:
+                BUG();
+                return 0;
+        }
+}
 /* Compare given dentry name with last component in given path,
 * return of 0 indicates a match. */
 int audit_compare_dname_path(const char *dname, const char *path,
@@ -1236,8 +1336,7 @@ int audit_compare_dname_path(const char *dname, const char *path,
        return strncmp(p, dname, dlen);
 }
-static int audit_filter_user_rules(struct netlink_skb_parms *cb,
+static int audit_filter_user_rules(struct audit_krule *rule,
-                                   struct audit_krule *rule,
                                   enum audit_state *state)
 {
        int i;
@@ -1249,17 +1348,17 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
                switch (f->type) {
                case AUDIT_PID:
-                        result = audit_comparator(cb->creds.pid, f->op, f->val);
+                        result = audit_comparator(task_pid_vnr(current), f->op, f->val);
                        break;
                case AUDIT_UID:
-                        result = audit_comparator(cb->creds.uid, f->op, f->val);
+                        result = audit_uid_comparator(current_uid(), f->op, f->uid);
                        break;
                case AUDIT_GID:
-                        result = audit_comparator(cb->creds.gid, f->op, f->val);
+                        result = audit_gid_comparator(current_gid(), f->op, f->gid);
                        break;
                case AUDIT_LOGINUID:
-                        result = audit_comparator(audit_get_loginuid(current),
+                        result = audit_uid_comparator(audit_get_loginuid(current),
-                                                  f->op, f->val);
+                                                  f->op, f->uid);
                        break;
                case AUDIT_SUBJ_USER:
                case AUDIT_SUBJ_ROLE:
@@ -1287,7 +1386,7 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
        return 1;
 }
-int audit_filter_user(struct netlink_skb_parms *cb)
+int audit_filter_user(void)
 {
        enum audit_state state = AUDIT_DISABLED;
        struct audit_entry *e;
@@ -1295,7 +1394,7 @@ int audit_filter_user(struct netlink_skb_parms *cb)
        rcu_read_lock();
        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
-                if (audit_filter_user_rules(cb, &e->rule, &state)) {
+                if (audit_filter_user_rules(&e->rule, &state)) {
                        if (state == AUDIT_DISABLED)
                                ret = 0;
                        break;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4b96415527b8..ff4798fcb488 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -113,8 +113,8 @@ struct audit_names {
        unsigned long   ino;
        dev_t           dev;
        umode_t         mode;
-        uid_t           uid;
+        kuid_t          uid;
-        gid_t           gid;
+        kgid_t          gid;
        dev_t           rdev;
        u32             osid;
        struct audit_cap_data fcap;
@@ -149,8 +149,8 @@ struct audit_aux_data_execve {
 struct audit_aux_data_pids {
        struct audit_aux_data   d;
        pid_t                   target_pid[AUDIT_AUX_PIDS];
-        uid_t                   target_auid[AUDIT_AUX_PIDS];
+        kuid_t                  target_auid[AUDIT_AUX_PIDS];
-        uid_t                   target_uid[AUDIT_AUX_PIDS];
+        kuid_t                  target_uid[AUDIT_AUX_PIDS];
        unsigned int            target_sessionid[AUDIT_AUX_PIDS];
        u32                     target_sid[AUDIT_AUX_PIDS];
        char                    target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
@@ -208,14 +208,14 @@ struct audit_context {
        size_t sockaddr_len;
                                /* Save things to print about task_struct */
        pid_t               pid, ppid;
-        uid_t               uid, euid, suid, fsuid;
+        kuid_t              uid, euid, suid, fsuid;
-        gid_t               gid, egid, sgid, fsgid;
+        kgid_t              gid, egid, sgid, fsgid;
        unsigned long       personality;
        int                 arch;
        pid_t               target_pid;
-        uid_t               target_auid;
+        kuid_t              target_auid;
-        uid_t               target_uid;
+        kuid_t              target_uid;
        unsigned int        target_sessionid;
        u32                 target_sid;
        char                target_comm[TASK_COMM_LEN];
@@ -231,8 +231,8 @@ struct audit_context {
                        long args[6];
                } socketcall;
                struct {
-                        uid_t                   uid;
+                        kuid_t                  uid;
-                        gid_t                   gid;
+                        kgid_t                  gid;
                        umode_t                 mode;
                        u32                     osid;
                        int                     has_perm;
@@ -464,37 +464,47 @@ static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
        return 0;
 }
-static int audit_compare_id(uid_t uid1,
+static int audit_compare_uid(kuid_t uid,
-                            struct audit_names *name,
+                             struct audit_names *name,
-                            unsigned long name_offset,
+                             struct audit_field *f,
-                            struct audit_field *f,
+                             struct audit_context *ctx)
-                            struct audit_context *ctx)
 {
        struct audit_names *n;
-        unsigned long addr;
-        uid_t uid2;
        int rc;
+ 
-        BUILD_BUG_ON(sizeof(uid_t) != sizeof(gid_t));
        if (name) {
-                addr = (unsigned long)name;
+                rc = audit_uid_comparator(uid, f->op, name->uid);
-                addr += name_offset;
-                uid2 = *(uid_t *)addr;
-                rc = audit_comparator(uid1, f->op, uid2);
                if (rc)
                        return rc;
        }
+ 
        if (ctx) {
                list_for_each_entry(n, &ctx->names_list, list) {
-                        addr = (unsigned long)n;
+                        rc = audit_uid_comparator(uid, f->op, n->uid);
-                        addr += name_offset;
+                        if (rc)
+                                return rc;
-                        uid2 = *(uid_t *)addr;
+                }
+        }
+        return 0;
+}
-                        rc = audit_comparator(uid1, f->op, uid2);
+static int audit_compare_gid(kgid_t gid,
+                             struct audit_names *name,
+                             struct audit_field *f,
+                             struct audit_context *ctx)
+{
+        struct audit_names *n;
+        int rc;
+ 
+        if (name) {
+                rc = audit_gid_comparator(gid, f->op, name->gid);
+                if (rc)
+                        return rc;
+        }
+ 
+        if (ctx) {
+                list_for_each_entry(n, &ctx->names_list, list) {
+                        rc = audit_gid_comparator(gid, f->op, n->gid);
                        if (rc)
                                return rc;
                }
@@ -511,80 +521,62 @@ static int audit_field_compare(struct task_struct *tsk,
        switch (f->val) {
        /* process to file object comparisons */
        case AUDIT_COMPARE_UID_TO_OBJ_UID:
-                return audit_compare_id(cred->uid,
+                return audit_compare_uid(cred->uid, name, f, ctx);
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
        case AUDIT_COMPARE_GID_TO_OBJ_GID:
-                return audit_compare_id(cred->gid,
+                return audit_compare_gid(cred->gid, name, f, ctx);
-                                        name, offsetof(struct audit_names, gid),
-                                        f, ctx);
        case AUDIT_COMPARE_EUID_TO_OBJ_UID:
-                return audit_compare_id(cred->euid,
+                return audit_compare_uid(cred->euid, name, f, ctx);
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
        case AUDIT_COMPARE_EGID_TO_OBJ_GID:
-                return audit_compare_id(cred->egid,
+                return audit_compare_gid(cred->egid, name, f, ctx);
-                                        name, offsetof(struct audit_names, gid),
-                                        f, ctx);
        case AUDIT_COMPARE_AUID_TO_OBJ_UID:
-                return audit_compare_id(tsk->loginuid,
+                return audit_compare_uid(tsk->loginuid, name, f, ctx);
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
        case AUDIT_COMPARE_SUID_TO_OBJ_UID:
-                return audit_compare_id(cred->suid,
+                return audit_compare_uid(cred->suid, name, f, ctx);
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
        case AUDIT_COMPARE_SGID_TO_OBJ_GID:
-                return audit_compare_id(cred->sgid,
+                return audit_compare_gid(cred->sgid, name, f, ctx);
-                                        name, offsetof(struct audit_names, gid),
-                                        f, ctx);
        case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
-                return audit_compare_id(cred->fsuid,
+                return audit_compare_uid(cred->fsuid, name, f, ctx);
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
        case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
-                return audit_compare_id(cred->fsgid,
+                return audit_compare_gid(cred->fsgid, name, f, ctx);
-                                        name, offsetof(struct audit_names, gid),
-                                        f, ctx);
        /* uid comparisons */
        case AUDIT_COMPARE_UID_TO_AUID:
-                return audit_comparator(cred->uid, f->op, tsk->loginuid);
+                return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
        case AUDIT_COMPARE_UID_TO_EUID:
-                return audit_comparator(cred->uid, f->op, cred->euid);
+                return audit_uid_comparator(cred->uid, f->op, cred->euid);
        case AUDIT_COMPARE_UID_TO_SUID:
-                return audit_comparator(cred->uid, f->op, cred->suid);
+                return audit_uid_comparator(cred->uid, f->op, cred->suid);
        case AUDIT_COMPARE_UID_TO_FSUID:
-                return audit_comparator(cred->uid, f->op, cred->fsuid);
+                return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
        /* auid comparisons */
        case AUDIT_COMPARE_AUID_TO_EUID:
-                return audit_comparator(tsk->loginuid, f->op, cred->euid);
+                return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
        case AUDIT_COMPARE_AUID_TO_SUID:
-                return audit_comparator(tsk->loginuid, f->op, cred->suid);
+                return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
        case AUDIT_COMPARE_AUID_TO_FSUID:
-                return audit_comparator(tsk->loginuid, f->op, cred->fsuid);
+                return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
        /* euid comparisons */
        case AUDIT_COMPARE_EUID_TO_SUID:
-                return audit_comparator(cred->euid, f->op, cred->suid);
+                return audit_uid_comparator(cred->euid, f->op, cred->suid);
        case AUDIT_COMPARE_EUID_TO_FSUID:
-                return audit_comparator(cred->euid, f->op, cred->fsuid);
+                return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
        /* suid comparisons */
        case AUDIT_COMPARE_SUID_TO_FSUID:
-                return audit_comparator(cred->suid, f->op, cred->fsuid);
+                return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
        /* gid comparisons */
        case AUDIT_COMPARE_GID_TO_EGID:
-                return audit_comparator(cred->gid, f->op, cred->egid);
+                return audit_gid_comparator(cred->gid, f->op, cred->egid);
        case AUDIT_COMPARE_GID_TO_SGID:
-                return audit_comparator(cred->gid, f->op, cred->sgid);
+                return audit_gid_comparator(cred->gid, f->op, cred->sgid);
        case AUDIT_COMPARE_GID_TO_FSGID:
-                return audit_comparator(cred->gid, f->op, cred->fsgid);
+                return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
        /* egid comparisons */
        case AUDIT_COMPARE_EGID_TO_SGID:
-                return audit_comparator(cred->egid, f->op, cred->sgid);
+                return audit_gid_comparator(cred->egid, f->op, cred->sgid);
        case AUDIT_COMPARE_EGID_TO_FSGID:
-                return audit_comparator(cred->egid, f->op, cred->fsgid);
+                return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
        /* sgid comparison */
        case AUDIT_COMPARE_SGID_TO_FSGID:
-                return audit_comparator(cred->sgid, f->op, cred->fsgid);
+                return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
        default:
                WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
                return 0;
@@ -630,28 +622,28 @@ static int audit_filter_rules(struct task_struct *tsk,
                        }
                        break;
                case AUDIT_UID:
-                        result = audit_comparator(cred->uid, f->op, f->val);
+                        result = audit_uid_comparator(cred->uid, f->op, f->uid);
                        break;
                case AUDIT_EUID:
-                        result = audit_comparator(cred->euid, f->op, f->val);
+                        result = audit_uid_comparator(cred->euid, f->op, f->uid);
                        break;
                case AUDIT_SUID:
-                        result = audit_comparator(cred->suid, f->op, f->val);
+                        result = audit_uid_comparator(cred->suid, f->op, f->uid);
                        break;
                case AUDIT_FSUID:
-                        result = audit_comparator(cred->fsuid, f->op, f->val);
+                        result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
                        break;
                case AUDIT_GID:
-                        result = audit_comparator(cred->gid, f->op, f->val);
+                        result = audit_gid_comparator(cred->gid, f->op, f->gid);
                        break;
                case AUDIT_EGID:
-                        result = audit_comparator(cred->egid, f->op, f->val);
+                        result = audit_gid_comparator(cred->egid, f->op, f->gid);
                        break;
                case AUDIT_SGID:
-                        result = audit_comparator(cred->sgid, f->op, f->val);
+                        result = audit_gid_comparator(cred->sgid, f->op, f->gid);
                        break;
                case AUDIT_FSGID:
-                        result = audit_comparator(cred->fsgid, f->op, f->val);
+                        result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
                        break;
                case AUDIT_PERS:
                        result = audit_comparator(tsk->personality, f->op, f->val);
@@ -717,10 +709,10 @@ static int audit_filter_rules(struct task_struct *tsk,
                        break;
                case AUDIT_OBJ_UID:
                        if (name) {
-                                result = audit_comparator(name->uid, f->op, f->val);
+                                result = audit_uid_comparator(name->uid, f->op, f->uid);
                        } else if (ctx) {
                                list_for_each_entry(n, &ctx->names_list, list) {
-                                        if (audit_comparator(n->uid, f->op, f->val)) {
+                                        if (audit_uid_comparator(n->uid, f->op, f->uid)) {
                                                ++result;
                                                break;
                                        }
@@ -729,10 +721,10 @@ static int audit_filter_rules(struct task_struct *tsk,
                        break;
                case AUDIT_OBJ_GID:
                        if (name) {
-                                result = audit_comparator(name->gid, f->op, f->val);
+                                result = audit_gid_comparator(name->gid, f->op, f->gid);
                        } else if (ctx) {
                                list_for_each_entry(n, &ctx->names_list, list) {
-                                        if (audit_comparator(n->gid, f->op, f->val)) {
+                                        if (audit_gid_comparator(n->gid, f->op, f->gid)) {
                                                ++result;
                                                break;
                                        }
@@ -750,7 +742,7 @@ static int audit_filter_rules(struct task_struct *tsk,
                case AUDIT_LOGINUID:
                        result = 0;
                        if (ctx)
-                                result = audit_comparator(tsk->loginuid, f->op, f->val);
+                                result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
                        break;
                case AUDIT_SUBJ_USER:
                case AUDIT_SUBJ_ROLE:
@@ -1184,7 +1176,7 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
 }
 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
-                                 uid_t auid, uid_t uid, unsigned int sessionid,
+                                 kuid_t auid, kuid_t uid, unsigned int sessionid,
                                 u32 sid, char *comm)
 {
        struct audit_buffer *ab;
@@ -1196,8 +1188,9 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
        if (!ab)
                return rc;
-        audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
+        audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
-                         uid, sessionid);
+                         from_kuid(&init_user_ns, auid),
+                         from_kuid(&init_user_ns, uid), sessionid);
        if (security_secid_to_secctx(sid, &ctx, &len)) {
                audit_log_format(ab, " obj=(none)");
                rc = 1;
@@ -1447,7 +1440,9 @@ static void show_special(struct audit_context *context, int *call_panic)
                u32 osid = context->ipc.osid;
                audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
-                         context->ipc.uid, context->ipc.gid, context->ipc.mode);
+                                 from_kuid(&init_user_ns, context->ipc.uid),
+                                 from_kgid(&init_user_ns, context->ipc.gid),
+                                 context->ipc.mode);
                if (osid) {
                        char *ctx = NULL;
                        u32 len;
@@ -1560,8 +1555,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
                                 MAJOR(n->dev),
                                 MINOR(n->dev),
                                 n->mode,
-                                 n->uid,
+                                 from_kuid(&init_user_ns, n->uid),
-                                 n->gid,
+                                 from_kgid(&init_user_ns, n->gid),
                                 MAJOR(n->rdev),
                                 MINOR(n->rdev));
        }
@@ -1638,11 +1633,16 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
                  context->name_count,
                  context->ppid,
                  context->pid,
-                  tsk->loginuid,
+                  from_kuid(&init_user_ns, tsk->loginuid),
-                  context->uid,
+                  from_kuid(&init_user_ns, context->uid),
-                  context->gid,
+                  from_kgid(&init_user_ns, context->gid),
-                  context->euid, context->suid, context->fsuid,
+                  from_kuid(&init_user_ns, context->euid),
-                  context->egid, context->sgid, context->fsgid, tty,
+                  from_kuid(&init_user_ns, context->suid),
+                  from_kuid(&init_user_ns, context->fsuid),
+                  from_kgid(&init_user_ns, context->egid),
+                  from_kgid(&init_user_ns, context->sgid),
+                  from_kgid(&init_user_ns, context->fsgid),
+                  tty,
                  tsk->sessionid);
@@ -2299,14 +2299,14 @@ static atomic_t session_id = ATOMIC_INIT(0);
 *
 * Called (set) from fs/proc/base.c::proc_loginuid_write().
 */
-int audit_set_loginuid(uid_t loginuid)
+int audit_set_loginuid(kuid_t loginuid)
 {
        struct task_struct *task = current;
        struct audit_context *context = task->audit_context;
        unsigned int sessionid;
 #ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
-        if (task->loginuid != -1)
+        if (uid_valid(task->loginuid))
                return -EPERM;
 #else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
        if (!capable(CAP_AUDIT_CONTROL))
@@ -2322,8 +2322,10 @@ int audit_set_loginuid(uid_t loginuid)
                        audit_log_format(ab, "login pid=%d uid=%u "
                                "old auid=%u new auid=%u"
                                " old ses=%u new ses=%u",
-                                task->pid, task_uid(task),
+                                task->pid,
-                                task->loginuid, loginuid,
+                                from_kuid(&init_user_ns, task_uid(task)),
+                                from_kuid(&init_user_ns, task->loginuid),
+                                from_kuid(&init_user_ns, loginuid),
                                task->sessionid, sessionid);
                        audit_log_end(ab);
                }
@@ -2546,12 +2548,12 @@ int __audit_signal_info(int sig, struct task_struct *t)
        struct audit_aux_data_pids *axp;
        struct task_struct *tsk = current;
        struct audit_context *ctx = tsk->audit_context;
-        uid_t uid = current_uid(), t_uid = task_uid(t);
+        kuid_t uid = current_uid(), t_uid = task_uid(t);
        if (audit_pid && t->tgid == audit_pid) {
                if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
                        audit_sig_pid = tsk->pid;
-                        if (tsk->loginuid != -1)
+                        if (uid_valid(tsk->loginuid))
                                audit_sig_uid = tsk->loginuid;
                        else
                                audit_sig_uid = uid;
@@ -2672,8 +2674,8 @@ void __audit_mmap_fd(int fd, int flags)
 static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
 {
-        uid_t auid, uid;
+        kuid_t auid, uid;
-        gid_t gid;
+        kgid_t gid;
        unsigned int sessionid;
        auid = audit_get_loginuid(current);
@@ -2681,7 +2683,10 @@ static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
        current_uid_gid(&uid, &gid);
        audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
-                         auid, uid, gid, sessionid);
+                         from_kuid(&init_user_ns, auid),
+                         from_kuid(&init_user_ns, uid),
+                         from_kgid(&init_user_ns, gid),
+                         sessionid);
        audit_log_task_context(ab);
        audit_log_format(ab, " pid=%d comm=", current->pid);
        audit_log_untrustedstring(ab, current->comm);
diff --git a/kernel/cred.c b/kernel/cred.c
index de728ac50d82..48cea3da6d05 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -799,9 +799,15 @@ static void dump_invalid_creds(const struct cred *cred, const char *label,
               atomic_read(&cred->usage),
               read_cred_subscribers(cred));
        printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
-               cred->uid, cred->euid, cred->suid, cred->fsuid);
+                from_kuid_munged(&init_user_ns, cred->uid),
+                from_kuid_munged(&init_user_ns, cred->euid),
+                from_kuid_munged(&init_user_ns, cred->suid),
+                from_kuid_munged(&init_user_ns, cred->fsuid));
        printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
-               cred->gid, cred->egid, cred->sgid, cred->fsgid);
+                from_kgid_munged(&init_user_ns, cred->gid),
+                from_kgid_munged(&init_user_ns, cred->egid),
+                from_kgid_munged(&init_user_ns, cred->sgid),
+                from_kgid_munged(&init_user_ns, cred->fsgid));
 #ifdef CONFIG_SECURITY
        printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
        if ((unsigned long) cred->security >= PAGE_SIZE &&
diff --git a/kernel/pid.c b/kernel/pid.c
index e86b291ad834..aebd4f5aaf41 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -479,6 +479,7 @@ pid_t pid_nr_ns(struct pid *pid, struct pid_namespace *ns)
        }
        return nr;
 }
+EXPORT_SYMBOL_GPL(pid_nr_ns);
 pid_t pid_vnr(struct pid *pid)
 {
diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
index 6144bab8fd8e..478bad2745e3 100644
--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
@@ -16,6 +16,7 @@
 #include <linux/slab.h>
 #include <linux/proc_fs.h>
 #include <linux/reboot.h>
+#include <linux/export.h>
 #define BITS_PER_PAGE           (PAGE_SIZE*8)
@@ -144,6 +145,7 @@ void free_pid_ns(struct kref *kref)
        if (parent != NULL)
                put_pid_ns(parent);
 }
+EXPORT_SYMBOL_GPL(free_pid_ns);
 void zap_pid_ns_processes(struct pid_namespace *pid_ns)
 {
diff --git a/kernel/taskstats.c b/kernel/taskstats.c
index d0a32796550f..3880df2acf05 100644
--- a/kernel/taskstats.c
+++ b/kernel/taskstats.c
@@ -27,6 +27,7 @@
 #include <linux/cgroup.h>
 #include <linux/fs.h>
 #include <linux/file.h>
+#include <linux/pid_namespace.h>
 #include <net/genetlink.h>
 #include <linux/atomic.h>
@@ -174,7 +175,9 @@ static void send_cpu_listeners(struct sk_buff *skb,
        up_write(&listeners->sem);
 }
-static void fill_stats(struct task_struct *tsk, struct taskstats *stats)
+static void fill_stats(struct user_namespace *user_ns,
+                       struct pid_namespace *pid_ns,
+                       struct task_struct *tsk, struct taskstats *stats)
 {
        memset(stats, 0, sizeof(*stats));
        /*
@@ -190,7 +193,7 @@ static void fill_stats(struct task_struct *tsk, struct taskstats *stats)
        stats->version = TASKSTATS_VERSION;
        stats->nvcsw = tsk->nvcsw;
        stats->nivcsw = tsk->nivcsw;
-        bacct_add_tsk(stats, tsk);
+        bacct_add_tsk(user_ns, pid_ns, stats, tsk);
        /* fill in extended acct fields */
        xacct_add_tsk(stats, tsk);
@@ -207,7 +210,7 @@ static int fill_stats_for_pid(pid_t pid, struct taskstats *stats)
        rcu_read_unlock();
        if (!tsk)
                return -ESRCH;
-        fill_stats(tsk, stats);
+        fill_stats(current_user_ns(), task_active_pid_ns(current), tsk, stats);
        put_task_struct(tsk);
        return 0;
 }
@@ -291,6 +294,12 @@ static int add_del_listener(pid_t pid, const struct cpumask *mask, int isadd)
        if (!cpumask_subset(mask, cpu_possible_mask))
                return -EINVAL;
+        if (current_user_ns() != &init_user_ns)
+                return -EINVAL;
+        if (task_active_pid_ns(current) != &init_pid_ns)
+                return -EINVAL;
        if (isadd == REGISTER) {
                for_each_cpu(cpu, mask) {
                        s = kmalloc_node(sizeof(struct listener),
@@ -631,11 +640,12 @@ void taskstats_exit(struct task_struct *tsk, int group_dead)
        if (rc < 0)
                return;
-        stats = mk_reply(rep_skb, TASKSTATS_TYPE_PID, tsk->pid);
+        stats = mk_reply(rep_skb, TASKSTATS_TYPE_PID,
+                         task_pid_nr_ns(tsk, &init_pid_ns));
        if (!stats)
                goto err;
-        fill_stats(tsk, stats);
+        fill_stats(&init_user_ns, &init_pid_ns, tsk, stats);
        /*
         * Doesn't matter if tsk is the leader or the last group member leaving
@@ -643,7 +653,8 @@ void taskstats_exit(struct task_struct *tsk, int group_dead)
        if (!is_thread_group || !group_dead)
                goto send;
-        stats = mk_reply(rep_skb, TASKSTATS_TYPE_TGID, tsk->tgid);
+        stats = mk_reply(rep_skb, TASKSTATS_TYPE_TGID,
+                         task_tgid_nr_ns(tsk, &init_pid_ns));
        if (!stats)
                goto err;
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 1ec5c1dab629..cdcb59450b49 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -2061,7 +2061,8 @@ print_trace_header(struct seq_file *m, struct trace_iterator *iter)
        seq_puts(m, "#    -----------------\n");
        seq_printf(m, "#    | task: %.16s-%d "
                   "(uid:%d nice:%ld policy:%ld rt_prio:%ld)\n",
-                   data->comm, data->pid, data->uid, data->nice,
+                   data->comm, data->pid,
+                   from_kuid_munged(seq_user_ns(m), data->uid), data->nice,
                   data->policy, data->rt_priority);
        seq_puts(m, "#    -----------------\n");
diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
index 63a2da0b9a6e..c15f528c1af4 100644
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -147,7 +147,7 @@ struct trace_array_cpu {
        unsigned long           skipped_entries;
        cycle_t                 preempt_timestamp;
        pid_t                   pid;
-        uid_t                   uid;
+        kuid_t                  uid;
        char                    comm[TASK_COMM_LEN];
 };
diff --git a/kernel/tsacct.c b/kernel/tsacct.c
index 23b4d784ebdd..625df0b44690 100644
--- a/kernel/tsacct.c
+++ b/kernel/tsacct.c
@@ -26,7 +26,9 @@
 /*
 * fill in basic accounting fields
 */
-void bacct_add_tsk(struct taskstats *stats, struct task_struct *tsk)
+void bacct_add_tsk(struct user_namespace *user_ns,
+                   struct pid_namespace *pid_ns,
+                   struct taskstats *stats, struct task_struct *tsk)
 {
        const struct cred *tcred;
        struct timespec uptime, ts;
@@ -55,13 +57,13 @@ void bacct_add_tsk(struct taskstats *stats, struct task_struct *tsk)
                stats->ac_flag |= AXSIG;
        stats->ac_nice   = task_nice(tsk);
        stats->ac_sched  = tsk->policy;
-        stats->ac_pid    = tsk->pid;
+        stats->ac_pid    = task_pid_nr_ns(tsk, pid_ns);
        rcu_read_lock();
        tcred = __task_cred(tsk);
-        stats->ac_uid    = tcred->uid;
+        stats->ac_uid    = from_kuid_munged(user_ns, tcred->uid);
-        stats->ac_gid    = tcred->gid;
+        stats->ac_gid    = from_kgid_munged(user_ns, tcred->gid);
        stats->ac_ppid   = pid_alive(tsk) ?
-                                rcu_dereference(tsk->real_parent)->tgid : 0;
+                task_tgid_nr_ns(rcu_dereference(tsk->real_parent), pid_ns) : 0;
        rcu_read_unlock();
        stats->ac_utime = cputime_to_usecs(tsk->utime);
        stats->ac_stime = cputime_to_usecs(tsk->stime);
diff --git a/kernel/user.c b/kernel/user.c
index b815fefbe76f..750acffbe9ec 100644
--- a/kernel/user.c
+++ b/kernel/user.c
@@ -38,6 +38,14 @@ struct user_namespace init_user_ns = {
                        .count = 4294967295U,
                },
        },
+        .projid_map = {
+                .nr_extents = 1,
+                .extent[0] = {
+                        .first = 0,
+                        .lower_first = 0,
+                        .count = 4294967295U,
+                },
+        },
        .kref = {
                .refcount       = ATOMIC_INIT(3),
        },
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 86602316422d..456a6b9fba34 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -19,6 +19,7 @@
 #include <linux/fs.h>
 #include <linux/uaccess.h>
 #include <linux/ctype.h>
+#include <linux/projid.h>
 static struct kmem_cache *user_ns_cachep __read_mostly;
@@ -295,6 +296,75 @@ gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
 }
 EXPORT_SYMBOL(from_kgid_munged);
+/**
+ *      make_kprojid - Map a user-namespace projid pair into a kprojid.
+ *      @ns:  User namespace that the projid is in
+ *      @projid: Project identifier
+ *
+ *      Maps a user-namespace uid pair into a kernel internal kuid,
+ *      and returns that kuid.
+ *
+ *      When there is no mapping defined for the user-namespace projid
+ *      pair INVALID_PROJID is returned.  Callers are expected to test
+ *      for and handle handle INVALID_PROJID being returned.  INVALID_PROJID
+ *      may be tested for using projid_valid().
+ */
+kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
+{
+        /* Map the uid to a global kernel uid */
+        return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
+}
+EXPORT_SYMBOL(make_kprojid);
+/**
+ *      from_kprojid - Create a projid from a kprojid user-namespace pair.
+ *      @targ: The user namespace we want a projid in.
+ *      @kprojid: The kernel internal project identifier to start with.
+ *
+ *      Map @kprojid into the user-namespace specified by @targ and
+ *      return the resulting projid.
+ *
+ *      There is always a mapping into the initial user_namespace.
+ *
+ *      If @kprojid has no mapping in @targ (projid_t)-1 is returned.
+ */
+projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
+{
+        /* Map the uid from a global kernel uid */
+        return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
+}
+EXPORT_SYMBOL(from_kprojid);
+/**
+ *      from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
+ *      @targ: The user namespace we want a projid in.
+ *      @kprojid: The kernel internal projid to start with.
+ *
+ *      Map @kprojid into the user-namespace specified by @targ and
+ *      return the resulting projid.
+ *
+ *      There is always a mapping into the initial user_namespace.
+ *
+ *      Unlike from_kprojid from_kprojid_munged never fails and always
+ *      returns a valid projid.  This makes from_kprojid_munged
+ *      appropriate for use in syscalls like stat and where
+ *      failing the system call and failing to provide a valid projid are
+ *      not an options.
+ *
+ *      If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
+ */
+projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
+{
+        projid_t projid;
+        projid = from_kprojid(targ, kprojid);
+        if (projid == (projid_t) -1)
+                projid = OVERFLOW_PROJID;
+        return projid;
+}
+EXPORT_SYMBOL(from_kprojid_munged);
 static int uid_m_show(struct seq_file *seq, void *v)
 {
        struct user_namespace *ns = seq->private;
@@ -337,6 +407,27 @@ static int gid_m_show(struct seq_file *seq, void *v)
        return 0;
 }
+static int projid_m_show(struct seq_file *seq, void *v)
+{
+        struct user_namespace *ns = seq->private;
+        struct uid_gid_extent *extent = v;
+        struct user_namespace *lower_ns;
+        projid_t lower;
+        lower_ns = seq_user_ns(seq);
+        if ((lower_ns == ns) && lower_ns->parent)
+                lower_ns = lower_ns->parent;
+        lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
+        seq_printf(seq, "%10u %10u %10u\n",
+                extent->first,
+                lower,
+                extent->count);
+        return 0;
+}
 static void *m_start(struct seq_file *seq, loff_t *ppos, struct uid_gid_map *map)
 {
        struct uid_gid_extent *extent = NULL;
@@ -362,6 +453,13 @@ static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
        return m_start(seq, ppos, &ns->gid_map);
 }
+static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
+{
+        struct user_namespace *ns = seq->private;
+        return m_start(seq, ppos, &ns->projid_map);
+}
 static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
 {
        (*pos)++;
@@ -387,6 +485,13 @@ struct seq_operations proc_gid_seq_operations = {
        .show = gid_m_show,
 };
+struct seq_operations proc_projid_seq_operations = {
+        .start = projid_m_start,
+        .stop = m_stop,
+        .next = m_next,
+        .show = projid_m_show,
+};
 static DEFINE_MUTEX(id_map_mutex);
 static ssize_t map_write(struct file *file, const char __user *buf,
@@ -434,7 +539,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
        /* Require the appropriate privilege CAP_SETUID or CAP_SETGID
         * over the user namespace in order to set the id mapping.
         */
-        if (!ns_capable(ns, cap_setid))
+        if (cap_valid(cap_setid) && !ns_capable(ns, cap_setid))
                goto out;
        /* Get a buffer */
@@ -584,9 +689,30 @@ ssize_t proc_gid_map_write(struct file *file, const char __user *buf, size_t siz
                         &ns->gid_map, &ns->parent->gid_map);
 }
+ssize_t proc_projid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
+{
+        struct seq_file *seq = file->private_data;
+        struct user_namespace *ns = seq->private;
+        struct user_namespace *seq_ns = seq_user_ns(seq);
+        if (!ns->parent)
+                return -EPERM;
+        if ((seq_ns != ns) && (seq_ns != ns->parent))
+                return -EPERM;
+        /* Anyone can set any valid project id no capability needed */
+        return map_write(file, buf, size, ppos, -1,
+                         &ns->projid_map, &ns->parent->projid_map);
+}
 static bool new_idmap_permitted(struct user_namespace *ns, int cap_setid,
                                struct uid_gid_map *new_map)
 {
+        /* Allow anyone to set a mapping that doesn't require privilege */
+        if (!cap_valid(cap_setid))
+                return true;
        /* Allow the specified ids if we have the appropriate capability
         * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
         */
diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c
index b5b1a221c242..c30f3a0717fb 100644
--- a/net/appletalk/atalk_proc.c
+++ b/net/appletalk/atalk_proc.c
@@ -183,7 +183,8 @@ static int atalk_seq_socket_show(struct seq_file *seq, void *v)
                   ntohs(at->dest_net), at->dest_node, at->dest_port,
                   sk_wmem_alloc_get(s),
                   sk_rmem_alloc_get(s),
-                   s->sk_state, SOCK_INODE(s->sk_socket)->i_uid);
+                   s->sk_state,
+                   from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)));
 out:
        return 0;
 }
diff --git a/net/ax25/ax25_uid.c b/net/ax25/ax25_uid.c
index e3c579ba6325..957999e43ff7 100644
--- a/net/ax25/ax25_uid.c
+++ b/net/ax25/ax25_uid.c
@@ -51,14 +51,14 @@ int ax25_uid_policy;
 EXPORT_SYMBOL(ax25_uid_policy);
-ax25_uid_assoc *ax25_findbyuid(uid_t uid)
+ax25_uid_assoc *ax25_findbyuid(kuid_t uid)
 {
        ax25_uid_assoc *ax25_uid, *res = NULL;
        struct hlist_node *node;
        read_lock(&ax25_uid_lock);
        ax25_uid_for_each(ax25_uid, node, &ax25_uid_list) {
-                if (ax25_uid->uid == uid) {
+                if (uid_eq(ax25_uid->uid, uid)) {
                        ax25_uid_hold(ax25_uid);
                        res = ax25_uid;
                        break;
@@ -84,7 +84,7 @@ int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax)
                read_lock(&ax25_uid_lock);
                ax25_uid_for_each(ax25_uid, node, &ax25_uid_list) {
                        if (ax25cmp(&sax->sax25_call, &ax25_uid->call) == 0) {
-                                res = ax25_uid->uid;
+                                res = from_kuid_munged(current_user_ns(), ax25_uid->uid);
                                break;
                        }
                }
@@ -93,9 +93,14 @@ int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax)
                return res;
        case SIOCAX25ADDUID:
+        {
+                kuid_t sax25_kuid;
                if (!capable(CAP_NET_ADMIN))
                        return -EPERM;
-                user = ax25_findbyuid(sax->sax25_uid);
+                sax25_kuid = make_kuid(current_user_ns(), sax->sax25_uid);
+                if (!uid_valid(sax25_kuid))
+                        return -EINVAL;
+                user = ax25_findbyuid(sax25_kuid);
                if (user) {
                        ax25_uid_put(user);
                        return -EEXIST;
@@ -106,7 +111,7 @@ int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax)
                        return -ENOMEM;
                atomic_set(&ax25_uid->refcount, 1);
-                ax25_uid->uid  = sax->sax25_uid;
+                ax25_uid->uid  = sax25_kuid;
                ax25_uid->call = sax->sax25_call;
                write_lock(&ax25_uid_lock);
@@ -114,7 +119,7 @@ int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax)
                write_unlock(&ax25_uid_lock);
                return 0;
+        }
        case SIOCAX25DELUID:
                if (!capable(CAP_NET_ADMIN))
                        return -EPERM;
@@ -172,7 +177,9 @@ static int ax25_uid_seq_show(struct seq_file *seq, void *v)
                struct ax25_uid_assoc *pt;
                pt = hlist_entry(v, struct ax25_uid_assoc, uid_node);
-                seq_printf(seq, "%6d %s\n", pt->uid, ax2asc(buf, &pt->call));
+                seq_printf(seq, "%6d %s\n",
+                        from_kuid_munged(seq_user_ns(seq), pt->uid),
+                        ax2asc(buf, &pt->call));
        }
        return 0;
 }
diff --git a/net/core/dev.c b/net/core/dev.c
index 36c4a0cdb6c1..17e912f9b711 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4512,8 +4512,8 @@ static void dev_change_rx_flags(struct net_device *dev, int flags)
 static int __dev_set_promiscuity(struct net_device *dev, int inc)
 {
        unsigned int old_flags = dev->flags;
-        uid_t uid;
+        kuid_t uid;
-        gid_t gid;
+        kgid_t gid;
        ASSERT_RTNL();
@@ -4544,8 +4544,9 @@ static int __dev_set_promiscuity(struct net_device *dev, int inc)
                                "dev=%s prom=%d old_prom=%d auid=%u uid=%u gid=%u ses=%u",
                                dev->name, (dev->flags & IFF_PROMISC),
                                (old_flags & IFF_PROMISC),
-                                audit_get_loginuid(current),
+                                from_kuid(&init_user_ns, audit_get_loginuid(current)),
-                                uid, gid,
+                                from_kuid(&init_user_ns, uid),
+                                from_kgid(&init_user_ns, gid),
                                audit_get_sessionid(current));
                }
diff --git a/net/core/scm.c b/net/core/scm.c
index 040cebeed45b..6ab491d6c26f 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -45,12 +45,17 @@
 static __inline__ int scm_check_creds(struct ucred *creds)
 {
        const struct cred *cred = current_cred();
+        kuid_t uid = make_kuid(cred->user_ns, creds->uid);
+        kgid_t gid = make_kgid(cred->user_ns, creds->gid);
+        if (!uid_valid(uid) || !gid_valid(gid))
+                return -EINVAL;
        if ((creds->pid == task_tgid_vnr(current) || capable(CAP_SYS_ADMIN)) &&
-            ((creds->uid == cred->uid   || creds->uid == cred->euid ||
+            ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
-              creds->uid == cred->suid) || capable(CAP_SETUID)) &&
+              uid_eq(uid, cred->suid)) || capable(CAP_SETUID)) &&
-            ((creds->gid == cred->gid   || creds->gid == cred->egid ||
+            ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
-              creds->gid == cred->sgid) || capable(CAP_SETGID))) {
+              gid_eq(gid, cred->sgid)) || capable(CAP_SETGID))) {
               return 0;
        }
        return -EPERM;
@@ -149,6 +154,9 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
                                goto error;
                        break;
                case SCM_CREDENTIALS:
+                {
+                        kuid_t uid;
+                        kgid_t gid;
                        if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
                                goto error;
                        memcpy(&p->creds, CMSG_DATA(cmsg), sizeof(struct ucred));
@@ -166,22 +174,29 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
                                p->pid = pid;
                        }
+                        err = -EINVAL;
+                        uid = make_kuid(current_user_ns(), p->creds.uid);
+                        gid = make_kgid(current_user_ns(), p->creds.gid);
+                        if (!uid_valid(uid) || !gid_valid(gid))
+                                goto error;
                        if (!p->cred ||
-                            (p->cred->euid != p->creds.uid) ||
+                            !uid_eq(p->cred->euid, uid) ||
-                            (p->cred->egid != p->creds.gid)) {
+                            !gid_eq(p->cred->egid, gid)) {
                                struct cred *cred;
                                err = -ENOMEM;
                                cred = prepare_creds();
                                if (!cred)
                                        goto error;
-                                cred->uid = cred->euid = p->creds.uid;
+                                cred->uid = cred->euid = uid;
-                                cred->gid = cred->egid = p->creds.gid;
+                                cred->gid = cred->egid = gid;
                                if (p->cred)
                                        put_cred(p->cred);
                                p->cred = cred;
                        }
                        break;
+                }
                default:
                        goto error;
                }
diff --git a/net/core/sock.c b/net/core/sock.c
index 341fa1c3bd69..12cddd037bce 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -858,8 +858,8 @@ void cred_to_ucred(struct pid *pid, const struct cred *cred,
        if (cred) {
                struct user_namespace *current_ns = current_user_ns();
-                ucred->uid = from_kuid(current_ns, cred->euid);
+                ucred->uid = from_kuid_munged(current_ns, cred->euid);
-                ucred->gid = from_kgid(current_ns, cred->egid);
+                ucred->gid = from_kgid_munged(current_ns, cred->egid);
        }
 }
 EXPORT_SYMBOL_GPL(cred_to_ucred);
@@ -1528,12 +1528,12 @@ void sock_edemux(struct sk_buff *skb)
 }
 EXPORT_SYMBOL(sock_edemux);
-int sock_i_uid(struct sock *sk)
+kuid_t sock_i_uid(struct sock *sk)
 {
-        int uid;
+        kuid_t uid;
        read_lock_bh(&sk->sk_callback_lock);
-        uid = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_uid : 0;
+        uid = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_uid : GLOBAL_ROOT_UID;
        read_unlock_bh(&sk->sk_callback_lock);
        return uid;
 }
diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
index d9507dd05818..9807945a56d9 100644
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -259,7 +259,8 @@ static int __init init_dns_resolver(void)
        if (!cred)
                return -ENOMEM;
-        keyring = key_alloc(&key_type_keyring, ".dns_resolver", 0, 0, cred,
+        keyring = key_alloc(&key_type_keyring, ".dns_resolver",
+                            GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
                            (KEY_POS_ALL & ~KEY_POS_SETATTR) |
                            KEY_USR_VIEW | KEY_USR_READ,
                            KEY_ALLOC_NOT_IN_QUOTA);
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 570e61f9611f..8bc005b1435f 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -69,6 +69,7 @@ static inline void inet_diag_unlock_handler(
 int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
                              struct sk_buff *skb, struct inet_diag_req_v2 *req,
+                              struct user_namespace *user_ns,                   
                              u32 pid, u32 seq, u16 nlmsg_flags,
                              const struct nlmsghdr *unlh)
 {
@@ -124,7 +125,7 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
        }
 #endif
-        r->idiag_uid = sock_i_uid(sk);
+        r->idiag_uid = from_kuid_munged(user_ns, sock_i_uid(sk));
        r->idiag_inode = sock_i_ino(sk);
        if (ext & (1 << (INET_DIAG_MEMINFO - 1))) {
@@ -199,11 +200,12 @@ EXPORT_SYMBOL_GPL(inet_sk_diag_fill);
 static int inet_csk_diag_fill(struct sock *sk,
                              struct sk_buff *skb, struct inet_diag_req_v2 *req,
+                              struct user_namespace *user_ns,
                              u32 pid, u32 seq, u16 nlmsg_flags,
                              const struct nlmsghdr *unlh)
 {
        return inet_sk_diag_fill(sk, inet_csk(sk),
-                        skb, req, pid, seq, nlmsg_flags, unlh);
+                        skb, req, user_ns, pid, seq, nlmsg_flags, unlh);
 }
 static int inet_twsk_diag_fill(struct inet_timewait_sock *tw,
@@ -256,14 +258,16 @@ static int inet_twsk_diag_fill(struct inet_timewait_sock *tw,
 }
 static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
-                        struct inet_diag_req_v2 *r, u32 pid, u32 seq, u16 nlmsg_flags,
+                        struct inet_diag_req_v2 *r,
+                        struct user_namespace *user_ns,
+                        u32 pid, u32 seq, u16 nlmsg_flags,
                        const struct nlmsghdr *unlh)
 {
        if (sk->sk_state == TCP_TIME_WAIT)
                return inet_twsk_diag_fill((struct inet_timewait_sock *)sk,
                                           skb, r, pid, seq, nlmsg_flags,
                                           unlh);
-        return inet_csk_diag_fill(sk, skb, r, pid, seq, nlmsg_flags, unlh);
+        return inet_csk_diag_fill(sk, skb, r, user_ns, pid, seq, nlmsg_flags, unlh);
 }
 int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo, struct sk_buff *in_skb,
@@ -311,6 +315,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo, struct sk_buff *in_s
        }
        err = sk_diag_fill(sk, rep, req,
+                           sk_user_ns(NETLINK_CB(in_skb).ssk),
                           NETLINK_CB(in_skb).pid,
                           nlh->nlmsg_seq, 0, nlh);
        if (err < 0) {
@@ -551,6 +556,7 @@ static int inet_csk_diag_dump(struct sock *sk,
                return 0;
        return inet_csk_diag_fill(sk, skb, r,
+                                  sk_user_ns(NETLINK_CB(cb->skb).ssk),
                                  NETLINK_CB(cb->skb).pid,
                                  cb->nlh->nlmsg_seq, NLM_F_MULTI, cb->nlh);
 }
@@ -591,7 +597,9 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw,
 }
 static int inet_diag_fill_req(struct sk_buff *skb, struct sock *sk,
-                              struct request_sock *req, u32 pid, u32 seq,
+                              struct request_sock *req,
+                              struct user_namespace *user_ns,
+                              u32 pid, u32 seq,
                              const struct nlmsghdr *unlh)
 {
        const struct inet_request_sock *ireq = inet_rsk(req);
@@ -625,7 +633,7 @@ static int inet_diag_fill_req(struct sk_buff *skb, struct sock *sk,
        r->idiag_expires = jiffies_to_msecs(tmo);
        r->idiag_rqueue = 0;
        r->idiag_wqueue = 0;
-        r->idiag_uid = sock_i_uid(sk);
+        r->idiag_uid = from_kuid_munged(user_ns, sock_i_uid(sk));
        r->idiag_inode = 0;
 #if IS_ENABLED(CONFIG_IPV6)
        if (r->idiag_family == AF_INET6) {
@@ -702,6 +710,7 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
                        }
                        err = inet_diag_fill_req(skb, sk, req,
+                                               sk_user_ns(NETLINK_CB(cb->skb).ssk),
                                               NETLINK_CB(cb->skb).pid,
                                               cb->nlh->nlmsg_seq, cb->nlh);
                        if (err < 0) {
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 6232d476f37e..8f3d05424a3e 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -185,10 +185,10 @@ exit:
        return sk;
 }
-static void inet_get_ping_group_range_net(struct net *net, gid_t *low,
+static void inet_get_ping_group_range_net(struct net *net, kgid_t *low,
-                                          gid_t *high)
+                                          kgid_t *high)
 {
-        gid_t *data = net->ipv4.sysctl_ping_group_range;
+        kgid_t *data = net->ipv4.sysctl_ping_group_range;
        unsigned int seq;
        do {
@@ -203,19 +203,13 @@ static void inet_get_ping_group_range_net(struct net *net, gid_t *low,
 static int ping_init_sock(struct sock *sk)
 {
        struct net *net = sock_net(sk);
-        gid_t group = current_egid();
+        kgid_t group = current_egid();
-        gid_t range[2];
        struct group_info *group_info = get_current_groups();
        int i, j, count = group_info->ngroups;
        kgid_t low, high;
-        inet_get_ping_group_range_net(net, range, range+1);
+        inet_get_ping_group_range_net(net, &low, &high);
-        low = make_kgid(&init_user_ns, range[0]);
+        if (gid_lte(low, group) && gid_lte(group, high))
-        high = make_kgid(&init_user_ns, range[1]);
-        if (!gid_valid(low) || !gid_valid(high) || gid_lt(high, low))
-                return -EACCES;
-        if (range[0] <= group && group <= range[1])
                return 0;
        for (i = 0; i < group_info->nblocks; i++) {
@@ -845,7 +839,9 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f,
                bucket, src, srcp, dest, destp, sp->sk_state,
                sk_wmem_alloc_get(sp),
                sk_rmem_alloc_get(sp),
-                0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
+                0, 0L, 0,
+                from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
+                0, sock_i_ino(sp),
                atomic_read(&sp->sk_refcnt), sp,
                atomic_read(&sp->sk_drops), len);
 }
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index d23c6571ba1c..73d1e4df4bf6 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -994,7 +994,9 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
                i, src, srcp, dest, destp, sp->sk_state,
                sk_wmem_alloc_get(sp),
                sk_rmem_alloc_get(sp),
-                0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
+                0, 0L, 0,
+                from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
+                0, sock_i_ino(sp),
                atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
 }
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 1b5ce96707a3..3e78c79b5586 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -76,9 +76,9 @@ static int ipv4_local_port_range(ctl_table *table, int write,
 }
-static void inet_get_ping_group_range_table(struct ctl_table *table, gid_t *low, gid_t *high)
+static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low, kgid_t *high)
 {
-        gid_t *data = table->data;
+        kgid_t *data = table->data;
        unsigned int seq;
        do {
                seq = read_seqbegin(&sysctl_local_ports.lock);
@@ -89,12 +89,12 @@ static void inet_get_ping_group_range_table(struct ctl_table *table, gid_t *low,
 }
 /* Update system visible IP port range */
-static void set_ping_group_range(struct ctl_table *table, gid_t range[2])
+static void set_ping_group_range(struct ctl_table *table, kgid_t low, kgid_t high)
 {
-        gid_t *data = table->data;
+        kgid_t *data = table->data;
        write_seqlock(&sysctl_local_ports.lock);
-        data[0] = range[0];
+        data[0] = low;
-        data[1] = range[1];
+        data[1] = high;
        write_sequnlock(&sysctl_local_ports.lock);
 }
@@ -103,21 +103,33 @@ static int ipv4_ping_group_range(ctl_table *table, int write,
                                 void __user *buffer,
                                 size_t *lenp, loff_t *ppos)
 {
+        struct user_namespace *user_ns = current_user_ns();
        int ret;
-        gid_t range[2];
+        gid_t urange[2];
+        kgid_t low, high;
        ctl_table tmp = {
-                .data = &range,
+                .data = &urange,
-                .maxlen = sizeof(range),
+                .maxlen = sizeof(urange),
                .mode = table->mode,
                .extra1 = &ip_ping_group_range_min,
                .extra2 = &ip_ping_group_range_max,
        };
-        inet_get_ping_group_range_table(table, range, range + 1);
+        inet_get_ping_group_range_table(table, &low, &high);
+        urange[0] = from_kgid_munged(user_ns, low);
+        urange[1] = from_kgid_munged(user_ns, high);
        ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
-        if (write && ret == 0)
+        if (write && ret == 0) {
-                set_ping_group_range(table, range);
+                low = make_kgid(user_ns, urange[0]);
+                high = make_kgid(user_ns, urange[1]);
+                if (!gid_valid(low) || !gid_valid(high) ||
+                    (urange[1] < urange[0]) || gid_lt(high, low)) {
+                        low = make_kgid(&init_user_ns, 1);
+                        high = make_kgid(&init_user_ns, 0);
+                }
+                set_ping_group_range(table, low, high);
+        }
        return ret;
 }
@@ -786,7 +798,7 @@ static struct ctl_table ipv4_net_table[] = {
        {
                .procname       = "ping_group_range",
                .data           = &init_net.ipv4.sysctl_ping_group_range,
-                .maxlen         = sizeof(init_net.ipv4.sysctl_ping_group_range),
+                .maxlen         = sizeof(gid_t)*2,
                .mode           = 0644,
                .proc_handler   = ipv4_ping_group_range,
        },
@@ -830,8 +842,8 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
         * Sane defaults - nobody may create ping sockets.
         * Boot scripts should set this to distro-specific group.
         */
-        net->ipv4.sysctl_ping_group_range[0] = 1;
+        net->ipv4.sysctl_ping_group_range[0] = make_kgid(&init_user_ns, 1);
-        net->ipv4.sysctl_ping_group_range[1] = 0;
+        net->ipv4.sysctl_ping_group_range[1] = make_kgid(&init_user_ns, 0);
        tcp_init_mem(net);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 00a748d14062..be23a0b7b89e 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2393,7 +2393,7 @@ void tcp_proc_unregister(struct net *net, struct tcp_seq_afinfo *afinfo)
 EXPORT_SYMBOL(tcp_proc_unregister);
 static void get_openreq4(const struct sock *sk, const struct request_sock *req,
-                         struct seq_file *f, int i, int uid, int *len)
+                         struct seq_file *f, int i, kuid_t uid, int *len)
 {
        const struct inet_request_sock *ireq = inet_rsk(req);
        int ttd = req->expires - jiffies;
@@ -2410,7 +2410,7 @@ static void get_openreq4(const struct sock *sk, const struct request_sock *req,
                1,    /* timers active (only the expire timer) */
                jiffies_to_clock_t(ttd),
                req->retrans,
-                uid,
+                from_kuid_munged(seq_user_ns(f), uid),
                0,  /* non standard timer */
                0, /* open_requests have no inode */
                atomic_read(&sk->sk_refcnt),
@@ -2461,7 +2461,7 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i, int *len)
                timer_active,
                jiffies_to_clock_t(timer_expires - jiffies),
                icsk->icsk_retransmits,
-                sock_i_uid(sk),
+                from_kuid_munged(seq_user_ns(f), sock_i_uid(sk)),
                icsk->icsk_probes_out,
                sock_i_ino(sk),
                atomic_read(&sk->sk_refcnt), sk,
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 2814f66dac64..79c8dbe59b54 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2115,7 +2115,9 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
                bucket, src, srcp, dest, destp, sp->sk_state,
                sk_wmem_alloc_get(sp),
                sk_rmem_alloc_get(sp),
-                0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
+                0, 0L, 0,
+                from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
+                0, sock_i_ino(sp),
                atomic_read(&sp->sk_refcnt), sp,
                atomic_read(&sp->sk_drops), len);
 }
diff --git a/net/ipv4/udp_diag.c b/net/ipv4/udp_diag.c
index 16d0960062be..d2f336ea82ca 100644
--- a/net/ipv4/udp_diag.c
+++ b/net/ipv4/udp_diag.c
@@ -24,7 +24,9 @@ static int sk_diag_dump(struct sock *sk, struct sk_buff *skb,
        if (!inet_diag_bc_sk(bc, sk))
                return 0;
-        return inet_sk_diag_fill(sk, NULL, skb, req, NETLINK_CB(cb->skb).pid,
+        return inet_sk_diag_fill(sk, NULL, skb, req,
+                        sk_user_ns(NETLINK_CB(cb->skb).ssk),
+                        NETLINK_CB(cb->skb).pid,
                        cb->nlh->nlmsg_seq, NLM_F_MULTI, cb->nlh);
 }
@@ -69,6 +71,7 @@ static int udp_dump_one(struct udp_table *tbl, struct sk_buff *in_skb,
                goto out;
        err = inet_sk_diag_fill(sk, NULL, rep, req,
+                           sk_user_ns(NETLINK_CB(in_skb).ssk),
                           NETLINK_CB(in_skb).pid,
                           nlh->nlmsg_seq, 0, nlh);
        if (err < 0) {
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index 9772fbd8a3f5..90bbefb57943 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -22,6 +22,7 @@
 #include <linux/seq_file.h>
 #include <linux/slab.h>
 #include <linux/export.h>
+#include <linux/pid_namespace.h>
 #include <net/net_namespace.h>
 #include <net/sock.h>
@@ -91,6 +92,8 @@ static struct ip6_flowlabel *fl_lookup(struct net *net, __be32 label)
 static void fl_free(struct ip6_flowlabel *fl)
 {
        if (fl) {
+                if (fl->share == IPV6_FL_S_PROCESS)
+                        put_pid(fl->owner.pid);
                release_net(fl->fl_net);
                kfree(fl->opt);
        }
@@ -394,10 +397,10 @@ fl_create(struct net *net, struct sock *sk, struct in6_flowlabel_req *freq,
        case IPV6_FL_S_ANY:
                break;
        case IPV6_FL_S_PROCESS:
-                fl->owner = current->pid;
+                fl->owner.pid = get_task_pid(current, PIDTYPE_PID);
                break;
        case IPV6_FL_S_USER:
-                fl->owner = current_euid();
+                fl->owner.uid = current_euid();
                break;
        default:
                err = -EINVAL;
@@ -561,7 +564,10 @@ recheck:
                                err = -EPERM;
                                if (fl1->share == IPV6_FL_S_EXCL ||
                                    fl1->share != fl->share ||
-                                    fl1->owner != fl->owner)
+                                    ((fl1->share == IPV6_FL_S_PROCESS) &&
+                                     (fl1->owner.pid == fl->owner.pid)) ||
+                                    ((fl1->share == IPV6_FL_S_USER) &&
+                                     uid_eq(fl1->owner.uid, fl->owner.uid)))
                                        goto release;
                                err = -EINVAL;
@@ -621,6 +627,7 @@ done:
 struct ip6fl_iter_state {
        struct seq_net_private p;
+        struct pid_namespace *pid_ns;
        int bucket;
 };
@@ -699,6 +706,7 @@ static void ip6fl_seq_stop(struct seq_file *seq, void *v)
 static int ip6fl_seq_show(struct seq_file *seq, void *v)
 {
+        struct ip6fl_iter_state *state = ip6fl_seq_private(seq);
        if (v == SEQ_START_TOKEN)
                seq_printf(seq, "%-5s %-1s %-6s %-6s %-6s %-8s %-32s %s\n",
                           "Label", "S", "Owner", "Users", "Linger", "Expires", "Dst", "Opt");
@@ -708,7 +716,11 @@ static int ip6fl_seq_show(struct seq_file *seq, void *v)
                           "%05X %-1d %-6d %-6d %-6ld %-8ld %pi6 %-4d\n",
                           (unsigned int)ntohl(fl->label),
                           fl->share,
-                           (int)fl->owner,
+                           ((fl->share == IPV6_FL_S_PROCESS) ?
+                            pid_nr_ns(fl->owner.pid, state->pid_ns) :
+                            ((fl->share == IPV6_FL_S_USER) ?
+                             from_kuid_munged(seq_user_ns(seq), fl->owner.uid) :
+                             0)),
                           atomic_read(&fl->users),
                           fl->linger/HZ,
                           (long)(fl->expires - jiffies)/HZ,
@@ -727,8 +739,29 @@ static const struct seq_operations ip6fl_seq_ops = {
 static int ip6fl_seq_open(struct inode *inode, struct file *file)
 {
-        return seq_open_net(inode, file, &ip6fl_seq_ops,
+        struct seq_file *seq;
-                            sizeof(struct ip6fl_iter_state));
+        struct ip6fl_iter_state *state;
+        int err;
+        err = seq_open_net(inode, file, &ip6fl_seq_ops,
+                           sizeof(struct ip6fl_iter_state));
+        if (!err) {
+                seq = file->private_data;
+                state = ip6fl_seq_private(seq);
+                rcu_read_lock();
+                state->pid_ns = get_pid_ns(task_active_pid_ns(current));
+                rcu_read_unlock();
+        }
+        return err;
+}
+static int ip6fl_seq_release(struct inode *inode, struct file *file)
+{
+        struct seq_file *seq = file->private_data;
+        struct ip6fl_iter_state *state = ip6fl_seq_private(seq);
+        put_pid_ns(state->pid_ns);
+        return seq_release_net(inode, file);
 }
 static const struct file_operations ip6fl_seq_fops = {
@@ -736,7 +769,7 @@ static const struct file_operations ip6fl_seq_fops = {
        .open           =       ip6fl_seq_open,
        .read           =       seq_read,
        .llseek         =       seq_lseek,
-        .release        =       seq_release_net,
+        .release        =       ip6fl_seq_release,
 };
 static int __net_init ip6_flowlabel_proc_init(struct net *net)
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 4a5f78b50495..d8e95c77db99 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -1250,7 +1250,8 @@ static void raw6_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
                   sk_wmem_alloc_get(sp),
                   sk_rmem_alloc_get(sp),
                   0, 0L, 0,
-                   sock_i_uid(sp), 0,
+                   from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
+                   0,
                   sock_i_ino(sp),
                   atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
 }
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index acd32e3f1b68..342ec62cdbde 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1829,7 +1829,7 @@ static void tcp_v6_destroy_sock(struct sock *sk)
 #ifdef CONFIG_PROC_FS
 /* Proc filesystem TCPv6 sock list dumping. */
 static void get_openreq6(struct seq_file *seq,
-                         const struct sock *sk, struct request_sock *req, int i, int uid)
+                         const struct sock *sk, struct request_sock *req, int i, kuid_t uid)
 {
        int ttd = req->expires - jiffies;
        const struct in6_addr *src = &inet6_rsk(req)->loc_addr;
@@ -1853,7 +1853,7 @@ static void get_openreq6(struct seq_file *seq,
                   1,   /* timers active (only the expire timer) */
                   jiffies_to_clock_t(ttd),
                   req->retrans,
-                   uid,
+                   from_kuid_munged(seq_user_ns(seq), uid),
                   0,  /* non standard timer */
                   0, /* open_requests have no inode */
                   0, req);
@@ -1903,7 +1903,7 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
                   timer_active,
                   jiffies_to_clock_t(timer_expires - jiffies),
                   icsk->icsk_retransmits,
-                   sock_i_uid(sp),
+                   from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
                   icsk->icsk_probes_out,
                   sock_i_ino(sp),
                   atomic_read(&sp->sk_refcnt), sp,
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 07e2bfef6845..fc9997260a6b 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1469,7 +1469,8 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket
                   sk_wmem_alloc_get(sp),
                   sk_rmem_alloc_get(sp),
                   0, 0L, 0,
-                   sock_i_uid(sp), 0,
+                   from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
+                   0,
                   sock_i_ino(sp),
                   atomic_read(&sp->sk_refcnt), sp,
                   atomic_read(&sp->sk_drops));
diff --git a/net/ipx/ipx_proc.c b/net/ipx/ipx_proc.c
index f8ba30dfecae..02ff7f2f60d4 100644
--- a/net/ipx/ipx_proc.c
+++ b/net/ipx/ipx_proc.c
@@ -217,7 +217,8 @@ static int ipx_seq_socket_show(struct seq_file *seq, void *v)
        seq_printf(seq, "%08X  %08X  %02X     %03d\n",
                   sk_wmem_alloc_get(s),
                   sk_rmem_alloc_get(s),
-                   s->sk_state, SOCK_INODE(s->sk_socket)->i_uid);
+                   s->sk_state,
+                   from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)));
 out:
        return 0;
 }
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 34e418508a67..0481d4b51476 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3661,7 +3661,7 @@ static int pfkey_seq_show(struct seq_file *f, void *v)
                               atomic_read(&s->sk_refcnt),
                               sk_rmem_alloc_get(s),
                               sk_wmem_alloc_get(s),
-                               sock_i_uid(s),
+                               from_kuid_munged(seq_user_ns(f), sock_i_uid(s)),
                               sock_i_ino(s)
                               );
        return 0;
diff --git a/net/llc/llc_proc.c b/net/llc/llc_proc.c
index a1839c004357..7b4799cfbf8d 100644
--- a/net/llc/llc_proc.c
+++ b/net/llc/llc_proc.c
@@ -151,7 +151,7 @@ static int llc_seq_socket_show(struct seq_file *seq, void *v)
                   sk_wmem_alloc_get(sk),
                   sk_rmem_alloc_get(sk) - llc->copied_seq,
                   sk->sk_state,
-                   sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_uid : -1,
+                   from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)),
                   llc->link);
 out:
        return 0;
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 5cfb5bedb2b8..8cfc401e197e 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -55,6 +55,7 @@ struct nfulnl_instance {
        unsigned int qlen;              /* number of nlmsgs in skb */
        struct sk_buff *skb;            /* pre-allocatd skb */
        struct timer_list timer;
+        struct user_namespace *peer_user_ns;    /* User namespace of the peer process */
        int peer_pid;                   /* PID of the peer process */
        /* configurable parameters */
@@ -132,7 +133,7 @@ instance_put(struct nfulnl_instance *inst)
 static void nfulnl_timer(unsigned long data);
 static struct nfulnl_instance *
-instance_create(u_int16_t group_num, int pid)
+instance_create(u_int16_t group_num, int pid, struct user_namespace *user_ns)
 {
        struct nfulnl_instance *inst;
        int err;
@@ -162,6 +163,7 @@ instance_create(u_int16_t group_num, int pid)
        setup_timer(&inst->timer, nfulnl_timer, (unsigned long)inst);
+        inst->peer_user_ns = user_ns;
        inst->peer_pid = pid;
        inst->group_num = group_num;
@@ -505,8 +507,10 @@ __build_packet_message(struct nfulnl_instance *inst,
                read_lock_bh(&sk->sk_callback_lock);
                if (sk->sk_socket && sk->sk_socket->file) {
                        struct file *file = sk->sk_socket->file;
-                        __be32 uid = htonl(file->f_cred->fsuid);
+                        const struct cred *cred = file->f_cred;
-                        __be32 gid = htonl(file->f_cred->fsgid);
+                        struct user_namespace *user_ns = inst->peer_user_ns;
+                        __be32 uid = htonl(from_kuid_munged(user_ns, cred->fsuid));
+                        __be32 gid = htonl(from_kgid_munged(user_ns, cred->fsgid));
                        read_unlock_bh(&sk->sk_callback_lock);
                        if (nla_put_be32(inst->skb, NFULA_UID, uid) ||
                            nla_put_be32(inst->skb, NFULA_GID, gid))
@@ -785,7 +789,8 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
                        }
                        inst = instance_create(group_num,
-                                               NETLINK_CB(skb).pid);
+                                               NETLINK_CB(skb).pid,
+                                               sk_user_ns(NETLINK_CB(skb).ssk));
                        if (IS_ERR(inst)) {
                                ret = PTR_ERR(inst);
                                goto out;
diff --git a/net/netfilter/xt_LOG.c b/net/netfilter/xt_LOG.c
index 91e9af4d1f42..fa40096940a1 100644
--- a/net/netfilter/xt_LOG.c
+++ b/net/netfilter/xt_LOG.c
@@ -151,10 +151,12 @@ static void dump_sk_uid_gid(struct sbuff *m, struct sock *sk)
                return;
        read_lock_bh(&sk->sk_callback_lock);
-        if (sk->sk_socket && sk->sk_socket->file)
+        if (sk->sk_socket && sk->sk_socket->file) {
+                const struct cred *cred = sk->sk_socket->file->f_cred;
                sb_add(m, "UID=%u GID=%u ",
-                        sk->sk_socket->file->f_cred->fsuid,
+                        from_kuid_munged(&init_user_ns, cred->fsuid),
-                        sk->sk_socket->file->f_cred->fsgid);
+                        from_kgid_munged(&init_user_ns, cred->fsgid));
+        }
        read_unlock_bh(&sk->sk_callback_lock);
 }
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 772d7389b337..ca2e577ed8ac 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -17,6 +17,17 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_owner.h>
+static int owner_check(const struct xt_mtchk_param *par)
+{
+        struct xt_owner_match_info *info = par->matchinfo;
+        /* For now only allow adding matches from the initial user namespace */
+        if ((info->match & (XT_OWNER_UID|XT_OWNER_GID)) &&
+            (current_user_ns() != &init_user_ns))
+                return -EINVAL;
+        return 0;
+}
 static bool
 owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
@@ -37,17 +48,23 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
                return ((info->match ^ info->invert) &
                       (XT_OWNER_UID | XT_OWNER_GID)) == 0;
-        if (info->match & XT_OWNER_UID)
+        if (info->match & XT_OWNER_UID) {
-                if ((filp->f_cred->fsuid >= info->uid_min &&
+                kuid_t uid_min = make_kuid(&init_user_ns, info->uid_min);
-                    filp->f_cred->fsuid <= info->uid_max) ^
+                kuid_t uid_max = make_kuid(&init_user_ns, info->uid_max);
+                if ((uid_gte(filp->f_cred->fsuid, uid_min) &&
+                     uid_lte(filp->f_cred->fsuid, uid_max)) ^
                    !(info->invert & XT_OWNER_UID))
                        return false;
+        }
-        if (info->match & XT_OWNER_GID)
+        if (info->match & XT_OWNER_GID) {
-                if ((filp->f_cred->fsgid >= info->gid_min &&
+                kgid_t gid_min = make_kgid(&init_user_ns, info->gid_min);
-                    filp->f_cred->fsgid <= info->gid_max) ^
+                kgid_t gid_max = make_kgid(&init_user_ns, info->gid_max);
+                if ((gid_gte(filp->f_cred->fsgid, gid_min) &&
+                     gid_lte(filp->f_cred->fsgid, gid_max)) ^
                    !(info->invert & XT_OWNER_GID))
                        return false;
+        }
        return true;
 }
@@ -56,6 +73,7 @@ static struct xt_match owner_mt_reg __read_mostly = {
        .name       = "owner",
        .revision   = 1,
        .family     = NFPROTO_UNSPEC,
+        .checkentry = owner_check,
        .match      = owner_mt,
        .matchsize  = sizeof(struct xt_owner_match_info),
        .hooks      = (1 << NF_INET_LOCAL_OUT) |
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index ae2ad1eec8d0..4635c9b00459 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -317,6 +317,8 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
        struct recent_table *t;
 #ifdef CONFIG_PROC_FS
        struct proc_dir_entry *pde;
+        kuid_t uid;
+        kgid_t gid;
 #endif
        unsigned int i;
        int ret = -EINVAL;
@@ -372,6 +374,13 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
        for (i = 0; i < ip_list_hash_size; i++)
                INIT_LIST_HEAD(&t->iphash[i]);
 #ifdef CONFIG_PROC_FS
+        uid = make_kuid(&init_user_ns, ip_list_uid);
+        gid = make_kgid(&init_user_ns, ip_list_gid);
+        if (!uid_valid(uid) || !gid_valid(gid)) {
+                kfree(t);
+                ret = -EINVAL;
+                goto out;
+        }
        pde = proc_create_data(t->name, ip_list_perms, recent_net->xt_recent,
                  &recent_mt_fops, t);
        if (pde == NULL) {
@@ -379,8 +388,8 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
                ret = -ENOMEM;
                goto out;
        }
-        pde->uid = ip_list_uid;
+        pde->uid = uid;
-        pde->gid = ip_list_gid;
+        pde->gid = gid;
 #endif
        spin_lock_bh(&recent_lock);
        list_add_tail(&t->list, &recent_net->tables);
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index e7ff694f1049..729a345c75a4 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -1541,7 +1541,7 @@ int __init netlbl_unlabel_defconf(void)
         * it is called is at bootup before the audit subsystem is reporting
         * messages so don't worry to much about these values. */
        security_task_getsecid(current, &audit_info.secid);
-        audit_info.loginuid = 0;
+        audit_info.loginuid = GLOBAL_ROOT_UID;
        audit_info.sessionid = 0;
        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 9fae63f10298..9650c4ad5f88 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -109,7 +109,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
                return NULL;
        audit_log_format(audit_buf, "netlabel: auid=%u ses=%u",
-                         audit_info->loginuid,
+                         from_kuid(&init_user_ns, audit_info->loginuid),
                         audit_info->sessionid);
        if (audit_info->secid != 0 &&
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 527023823b5c..382119917166 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -912,7 +912,8 @@ static void netlink_rcv_wake(struct sock *sk)
                wake_up_interruptible(&nlk->wait);
 }
-static int netlink_unicast_kernel(struct sock *sk, struct sk_buff *skb)
+static int netlink_unicast_kernel(struct sock *sk, struct sk_buff *skb,
+                                  struct sock *ssk)
 {
        int ret;
        struct netlink_sock *nlk = nlk_sk(sk);
@@ -921,6 +922,7 @@ static int netlink_unicast_kernel(struct sock *sk, struct sk_buff *skb)
        if (nlk->netlink_rcv != NULL) {
                ret = skb->len;
                skb_set_owner_r(skb, sk);
+                NETLINK_CB(skb).ssk = ssk;
                nlk->netlink_rcv(skb);
                consume_skb(skb);
        } else {
@@ -947,7 +949,7 @@ retry:
                return PTR_ERR(sk);
        }
        if (netlink_is_kernel(sk))
-                return netlink_unicast_kernel(sk, skb);
+                return netlink_unicast_kernel(sk, skb, ssk);
        if (sk_filter(sk, skb)) {
                err = skb->len;
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index c5c9e2a54218..048fba476aa5 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3854,7 +3854,7 @@ static int packet_seq_show(struct seq_file *seq, void *v)
                           po->ifindex,
                           po->running,
                           atomic_read(&s->sk_rmem_alloc),
-                           sock_i_uid(s),
+                           from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)),
                           sock_i_ino(s));
        }
diff --git a/net/phonet/socket.c b/net/phonet/socket.c
index 0acc943f713a..b7e982782255 100644
--- a/net/phonet/socket.c
+++ b/net/phonet/socket.c
@@ -612,7 +612,8 @@ static int pn_sock_seq_show(struct seq_file *seq, void *v)
                        sk->sk_protocol, pn->sobject, pn->dobject,
                        pn->resource, sk->sk_state,
                        sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
-                        sock_i_uid(sk), sock_i_ino(sk),
+                        from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)),
+                        sock_i_ino(sk),
                        atomic_read(&sk->sk_refcnt), sk,
                        atomic_read(&sk->sk_drops), &len);
        }
@@ -796,7 +797,8 @@ static int pn_res_seq_show(struct seq_file *seq, void *v)
                struct sock *sk = *psk;
                seq_printf(seq, "%02X %5d %lu%n",
-                           (int) (psk - pnres.sk), sock_i_uid(sk),
+                           (int) (psk - pnres.sk),
+                           from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)),
                           sock_i_ino(sk), &len);
        }
        seq_printf(seq, "%*s\n", 63 - len, "");
diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c
index 8b1f9f49960f..011d2384b115 100644
--- a/net/rxrpc/ar-key.c
+++ b/net/rxrpc/ar-key.c
@@ -948,7 +948,8 @@ int rxrpc_get_server_data_key(struct rxrpc_connection *conn,
        _enter("");
-        key = key_alloc(&key_type_rxrpc, "x", 0, 0, cred, 0,
+        key = key_alloc(&key_type_rxrpc, "x",
+                        GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, 0,
                        KEY_ALLOC_NOT_IN_QUOTA);
        if (IS_ERR(key)) {
                _leave(" = -ENOMEM [alloc %ld]", PTR_ERR(key));
@@ -994,7 +995,8 @@ struct key *rxrpc_get_null_key(const char *keyname)
        struct key *key;
        int ret;
-        key = key_alloc(&key_type_rxrpc, keyname, 0, 0, cred,
+        key = key_alloc(&key_type_rxrpc, keyname,
+                        GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
                        KEY_POS_SEARCH, KEY_ALLOC_NOT_IN_QUOTA);
        if (IS_ERR(key))
                return key;
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 6dd1131f2ec1..dc3ef5aef355 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -319,7 +319,7 @@ replay:
                }
        }
-        err = tp->ops->change(tp, cl, t->tcm_handle, tca, &fh);
+        err = tp->ops->change(skb, tp, cl, t->tcm_handle, tca, &fh);
        if (err == 0) {
                if (tp_created) {
                        spin_lock_bh(root_lock);
diff --git a/net/sched/cls_basic.c b/net/sched/cls_basic.c
index 590960a22a77..344a11b342e5 100644
--- a/net/sched/cls_basic.c
+++ b/net/sched/cls_basic.c
@@ -162,7 +162,8 @@ errout:
        return err;
 }
-static int basic_change(struct tcf_proto *tp, unsigned long base, u32 handle,
+static int basic_change(struct sk_buff *in_skb,
+                        struct tcf_proto *tp, unsigned long base, u32 handle,
                        struct nlattr **tca, unsigned long *arg)
 {
        int err;
diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c
index 4a23ccca6b70..2ecde225ae60 100644
--- a/net/sched/cls_cgroup.c
+++ b/net/sched/cls_cgroup.c
@@ -158,7 +158,8 @@ static const struct nla_policy cgroup_policy[TCA_CGROUP_MAX + 1] = {
        [TCA_CGROUP_EMATCHES]   = { .type = NLA_NESTED },
 };
-static int cls_cgroup_change(struct tcf_proto *tp, unsigned long base,
+static int cls_cgroup_change(struct sk_buff *in_skb,
+                             struct tcf_proto *tp, unsigned long base,
                             u32 handle, struct nlattr **tca,
                             unsigned long *arg)
 {
diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c
index ccd08c8dc6a7..ce82d0cb1b47 100644
--- a/net/sched/cls_flow.c
+++ b/net/sched/cls_flow.c
@@ -193,15 +193,19 @@ static u32 flow_get_rtclassid(const struct sk_buff *skb)
 static u32 flow_get_skuid(const struct sk_buff *skb)
 {
-        if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file)
+        if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file) {
-                return skb->sk->sk_socket->file->f_cred->fsuid;
+                kuid_t skuid = skb->sk->sk_socket->file->f_cred->fsuid;
+                return from_kuid(&init_user_ns, skuid);
+        }
        return 0;
 }
 static u32 flow_get_skgid(const struct sk_buff *skb)
 {
-        if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file)
+        if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file) {
-                return skb->sk->sk_socket->file->f_cred->fsgid;
+                kgid_t skgid = skb->sk->sk_socket->file->f_cred->fsgid;
+                return from_kgid(&init_user_ns, skgid);
+        }
        return 0;
 }
@@ -347,7 +351,8 @@ static const struct nla_policy flow_policy[TCA_FLOW_MAX + 1] = {
        [TCA_FLOW_PERTURB]      = { .type = NLA_U32 },
 };
-static int flow_change(struct tcf_proto *tp, unsigned long base,
+static int flow_change(struct sk_buff *in_skb, 
+                       struct tcf_proto *tp, unsigned long base,
                       u32 handle, struct nlattr **tca,
                       unsigned long *arg)
 {
@@ -386,6 +391,10 @@ static int flow_change(struct tcf_proto *tp, unsigned long base,
                if (fls(keymask) - 1 > FLOW_KEY_MAX)
                        return -EOPNOTSUPP;
+                if ((keymask & (FLOW_KEY_SKUID|FLOW_KEY_SKGID)) &&
+                    sk_user_ns(NETLINK_CB(in_skb).ssk) != &init_user_ns)
+                        return -EOPNOTSUPP;
        }
        err = tcf_exts_validate(tp, tb, tca[TCA_RATE], &e, &flow_ext_map);
diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index 8384a4797240..4075a0aef2aa 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -233,7 +233,8 @@ errout:
        return err;
 }
-static int fw_change(struct tcf_proto *tp, unsigned long base,
+static int fw_change(struct sk_buff *in_skb,
+                     struct tcf_proto *tp, unsigned long base,
                     u32 handle,
                     struct nlattr **tca,
                     unsigned long *arg)
diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index 44f405cb9aaf..c10d57bf98f2 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -427,7 +427,8 @@ errout:
        return err;
 }
-static int route4_change(struct tcf_proto *tp, unsigned long base,
+static int route4_change(struct sk_buff *in_skb,
+                       struct tcf_proto *tp, unsigned long base,
                       u32 handle,
                       struct nlattr **tca,
                       unsigned long *arg)
diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h
index 18ab93ec8d7e..494bbb90924a 100644
--- a/net/sched/cls_rsvp.h
+++ b/net/sched/cls_rsvp.h
@@ -416,7 +416,8 @@ static const struct nla_policy rsvp_policy[TCA_RSVP_MAX + 1] = {
        [TCA_RSVP_PINFO]        = { .len = sizeof(struct tc_rsvp_pinfo) },
 };
-static int rsvp_change(struct tcf_proto *tp, unsigned long base,
+static int rsvp_change(struct sk_buff *in_skb,
+                       struct tcf_proto *tp, unsigned long base,
                       u32 handle,
                       struct nlattr **tca,
                       unsigned long *arg)
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
index fe29420d0b0e..a1293b4ab7a1 100644
--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
@@ -332,7 +332,8 @@ errout:
 }
 static int
-tcindex_change(struct tcf_proto *tp, unsigned long base, u32 handle,
+tcindex_change(struct sk_buff *in_skb,
+               struct tcf_proto *tp, unsigned long base, u32 handle,
               struct nlattr **tca, unsigned long *arg)
 {
        struct nlattr *opt = tca[TCA_OPTIONS];
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index d45373fb00b9..c7c27bc91b5a 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -544,7 +544,8 @@ errout:
        return err;
 }
-static int u32_change(struct tcf_proto *tp, unsigned long base, u32 handle,
+static int u32_change(struct sk_buff *in_skb,
+                      struct tcf_proto *tp, unsigned long base, u32 handle,
                      struct nlattr **tca,
                      unsigned long *arg)
 {
diff --git a/net/sctp/proc.c b/net/sctp/proc.c
index 1e2eee88c3ea..dc12febc977a 100644
--- a/net/sctp/proc.c
+++ b/net/sctp/proc.c
@@ -216,7 +216,8 @@ static int sctp_eps_seq_show(struct seq_file *seq, void *v)
                seq_printf(seq, "%8pK %8pK %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
                           sctp_sk(sk)->type, sk->sk_state, hash,
                           epb->bind_addr.port,
-                           sock_i_uid(sk), sock_i_ino(sk));
+                           from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)),
+                           sock_i_ino(sk));
                sctp_seq_dump_local_addrs(seq, epb);
                seq_printf(seq, "\n");
@@ -324,7 +325,8 @@ static int sctp_assocs_seq_show(struct seq_file *seq, void *v)
                           assoc->assoc_id,
                           assoc->sndbuf_used,
                           atomic_read(&assoc->rmem_alloc),
-                           sock_i_uid(sk), sock_i_ino(sk),
+                           from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)),
+                           sock_i_ino(sk),
                           epb->bind_addr.port,
                           assoc->peer.port);
                seq_printf(seq, " ");
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 387848e90078..46550997548c 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2633,12 +2633,12 @@ static void xfrm_policy_fini(struct net *net)
        flush_work(&net->xfrm.policy_hash_work);
 #ifdef CONFIG_XFRM_SUB_POLICY
-        audit_info.loginuid = -1;
+        audit_info.loginuid = INVALID_UID;
        audit_info.sessionid = -1;
        audit_info.secid = 0;
        xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info);
 #endif
-        audit_info.loginuid = -1;
+        audit_info.loginuid = INVALID_UID;
        audit_info.sessionid = -1;
        audit_info.secid = 0;
        xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
@@ -2745,7 +2745,7 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
 }
 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
-                           uid_t auid, u32 sessionid, u32 secid)
+                           kuid_t auid, u32 sessionid, u32 secid)
 {
        struct audit_buffer *audit_buf;
@@ -2760,7 +2760,7 @@ void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
-                              uid_t auid, u32 sessionid, u32 secid)
+                              kuid_t auid, u32 sessionid, u32 secid)
 {
        struct audit_buffer *audit_buf;
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 210be48d8ae3..bd2d9841ad59 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2060,7 +2060,7 @@ void xfrm_state_fini(struct net *net)
        unsigned int sz;
        flush_work(&net->xfrm.state_hash_work);
-        audit_info.loginuid = -1;
+        audit_info.loginuid = INVALID_UID;
        audit_info.sessionid = -1;
        audit_info.secid = 0;
        xfrm_state_flush(net, IPSEC_PROTO_ANY, &audit_info);
@@ -2127,7 +2127,7 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
 }
 void xfrm_audit_state_add(struct xfrm_state *x, int result,
-                          uid_t auid, u32 sessionid, u32 secid)
+                          kuid_t auid, u32 sessionid, u32 secid)
 {
        struct audit_buffer *audit_buf;
@@ -2142,7 +2142,7 @@ void xfrm_audit_state_add(struct xfrm_state *x, int result,
 EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
 void xfrm_audit_state_delete(struct xfrm_state *x, int result,
-                             uid_t auid, u32 sessionid, u32 secid)
+                             kuid_t auid, u32 sessionid, u32 secid)
 {
        struct audit_buffer *audit_buf;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 289f4bf18ff0..bc542448307a 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -595,7 +595,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct xfrm_state *x;
        int err;
        struct km_event c;
-        uid_t loginuid = audit_get_loginuid(current);
+        kuid_t loginuid = audit_get_loginuid(current);
        u32 sessionid = audit_get_sessionid(current);
        u32 sid;
@@ -674,7 +674,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        int err = -ESRCH;
        struct km_event c;
        struct xfrm_usersa_id *p = nlmsg_data(nlh);
-        uid_t loginuid = audit_get_loginuid(current);
+        kuid_t loginuid = audit_get_loginuid(current);
        u32 sessionid = audit_get_sessionid(current);
        u32 sid;
@@ -1393,7 +1393,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct km_event c;
        int err;
        int excl;
-        uid_t loginuid = audit_get_loginuid(current);
+        kuid_t loginuid = audit_get_loginuid(current);
        u32 sessionid = audit_get_sessionid(current);
        u32 sid;
@@ -1651,7 +1651,7 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
                                            NETLINK_CB(skb).pid);
                }
        } else {
-                uid_t loginuid = audit_get_loginuid(current);
+                kuid_t loginuid = audit_get_loginuid(current);
                u32 sessionid = audit_get_sessionid(current);
                u32 sid;
@@ -1945,7 +1945,7 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
        err = 0;
        if (up->hard) {
-                uid_t loginuid = audit_get_loginuid(current);
+                kuid_t loginuid = audit_get_loginuid(current);
                u32 sessionid = audit_get_sessionid(current);
                u32 sid;
@@ -1988,7 +1988,7 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
        km_state_expired(x, ue->hard, current->pid);
        if (ue->hard) {
-                uid_t loginuid = audit_get_loginuid(current);
+                kuid_t loginuid = audit_get_loginuid(current);
                u32 sessionid = audit_get_sessionid(current);
                u32 sid;
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index b81ea10a17a3..60f0c76a27d3 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -721,7 +721,7 @@ audit:
        if (!permtest)
                error = aa_audit_file(profile, &perms, GFP_KERNEL,
                                      OP_CHANGE_HAT, AA_MAY_CHANGEHAT, NULL,
-                                      target, 0, info, error);
+                                      target, GLOBAL_ROOT_UID, info, error);
 out:
        aa_put_profile(hat);
@@ -848,7 +848,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
 audit:
        if (!permtest)
                error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request,
-                                      name, hname, 0, info, error);
+                                      name, hname, GLOBAL_ROOT_UID, info, error);
        aa_put_namespace(ns);
        aa_put_profile(target);
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index cf19d4093ca4..cd21ec5b90af 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -65,7 +65,7 @@ static void audit_file_mask(struct audit_buffer *ab, u32 mask)
 static void file_audit_cb(struct audit_buffer *ab, void *va)
 {
        struct common_audit_data *sa = va;
-        uid_t fsuid = current_fsuid();
+        kuid_t fsuid = current_fsuid();
        if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) {
                audit_log_format(ab, " requested_mask=");
@@ -76,8 +76,10 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
                audit_file_mask(ab, sa->aad->fs.denied);
        }
        if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) {
-                audit_log_format(ab, " fsuid=%d", fsuid);
+                audit_log_format(ab, " fsuid=%d",
-                audit_log_format(ab, " ouid=%d", sa->aad->fs.ouid);
+                                 from_kuid(&init_user_ns, fsuid));
+                audit_log_format(ab, " ouid=%d",
+                                 from_kuid(&init_user_ns, sa->aad->fs.ouid));
        }
        if (sa->aad->fs.target) {
@@ -103,7 +105,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
 */
 int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
                  gfp_t gfp, int op, u32 request, const char *name,
-                  const char *target, uid_t ouid, const char *info, int error)
+                  const char *target, kuid_t ouid, const char *info, int error)
 {
        int type = AUDIT_APPARMOR_AUTO;
        struct common_audit_data sa;
@@ -201,7 +203,7 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
         */
        perms.kill = 0;
-        if (current_fsuid() == cond->uid) {
+        if (uid_eq(current_fsuid(), cond->uid)) {
                perms.allow = map_old_perms(dfa_user_allow(dfa, state));
                perms.audit = map_old_perms(dfa_user_audit(dfa, state));
                perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 4b7e18951aea..69d8cae634e7 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -125,7 +125,7 @@ struct apparmor_audit_data {
                        const char *target;
                        u32 request;
                        u32 denied;
-                        uid_t ouid;
+                        kuid_t ouid;
                } fs;
        };
 };
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index f98fd4701d80..967b2deda376 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -71,7 +71,7 @@ struct path;
 /* need to make conditional which ones are being set */
 struct path_cond {
-        uid_t uid;
+        kuid_t uid;
        umode_t mode;
 };
@@ -146,7 +146,7 @@ static inline u16 dfa_map_xindex(u16 mask)
 int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
                  gfp_t gfp, int op, u32 request, const char *name,
-                  const char *target, uid_t ouid, const char *info, int error);
+                  const char *target, kuid_t ouid, const char *info, int error);
 /**
 * struct aa_file_rules - components used for file rule permissions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 8ea39aabe948..8c2a7f6b35e2 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -352,7 +352,7 @@ static int apparmor_path_chmod(struct path *path, umode_t mode)
        return common_perm_mnt_dentry(OP_CHMOD, path->mnt, path->dentry, AA_MAY_CHMOD);
 }
-static int apparmor_path_chown(struct path *path, uid_t uid, gid_t gid)
+static int apparmor_path_chown(struct path *path, kuid_t uid, kgid_t gid)
 {
        struct path_cond cond =  { path->dentry->d_inode->i_uid,
                                   path->dentry->d_inode->i_mode
diff --git a/security/capability.c b/security/capability.c
index 61095df8b89a..a40aac677c72 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -284,7 +284,7 @@ static int cap_path_chmod(struct path *path, umode_t mode)
        return 0;
 }
-static int cap_path_chown(struct path *path, uid_t uid, gid_t gid)
+static int cap_path_chown(struct path *path, kuid_t uid, kgid_t gid)
 {
        return 0;
 }
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 49a464f5595b..dfb26918699c 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -106,8 +106,8 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
        memset(&hmac_misc, 0, sizeof hmac_misc);
        hmac_misc.ino = inode->i_ino;
        hmac_misc.generation = inode->i_generation;
-        hmac_misc.uid = inode->i_uid;
+        hmac_misc.uid = from_kuid(&init_user_ns, inode->i_uid);
-        hmac_misc.gid = inode->i_gid;
+        hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
        hmac_misc.mode = inode->i_mode;
        crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof hmac_misc);
        crypto_shash_final(desc, digest);
diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/ima/ima_audit.c
index 7a57f6769e9c..c586faae8fd6 100644
--- a/security/integrity/ima/ima_audit.c
+++ b/security/integrity/ima/ima_audit.c
@@ -39,8 +39,9 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
        ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno);
        audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u",
-                         current->pid, current_cred()->uid,
+                         current->pid,
-                         audit_get_loginuid(current),
+                         from_kuid(&init_user_ns, current_cred()->uid),
+                         from_kuid(&init_user_ns, audit_get_loginuid(current)),
                         audit_get_sessionid(current));
        audit_log_task_context(ab);
        audit_log_format(ab, " op=");
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 1a9583008aae..c84df05180cb 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -39,7 +39,7 @@ struct ima_measure_rule_entry {
        enum ima_hooks func;
        int mask;
        unsigned long fsmagic;
-        uid_t uid;
+        kuid_t uid;
        struct {
                void *rule;     /* LSM file metadata specific */
                int type;       /* audit type */
@@ -71,7 +71,7 @@ static struct ima_measure_rule_entry default_rules[] = {
         .flags = IMA_FUNC | IMA_MASK},
        {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
         .flags = IMA_FUNC | IMA_MASK},
-        {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = 0,
+        {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = GLOBAL_ROOT_UID,
         .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 };
@@ -112,7 +112,7 @@ static bool ima_match_rules(struct ima_measure_rule_entry *rule,
        if ((rule->flags & IMA_FSMAGIC)
            && rule->fsmagic != inode->i_sb->s_magic)
                return false;
-        if ((rule->flags & IMA_UID) && rule->uid != cred->uid)
+        if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
                return false;
        for (i = 0; i < MAX_LSM_RULES; i++) {
                int rc = 0;
@@ -277,7 +277,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
-        entry->uid = -1;
+        entry->uid = INVALID_UID;
        entry->action = UNKNOWN;
        while ((p = strsep(&rule, " \t")) != NULL) {
                substring_t args[MAX_OPT_ARGS];
@@ -361,15 +361,15 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
                case Opt_uid:
                        ima_log_string(ab, "uid", args[0].from);
-                        if (entry->uid != -1) {
+                        if (uid_valid(entry->uid)) {
                                result = -EINVAL;
                                break;
                        }
                        result = strict_strtoul(args[0].from, 10, &lnum);
                        if (!result) {
-                                entry->uid = (uid_t) lnum;
+                                entry->uid = make_kuid(current_user_ns(), (uid_t)lnum);
-                                if (entry->uid != lnum)
+                                if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum))
                                        result = -EINVAL;
                                else
                                        entry->flags |= IMA_UID;
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 22ff05269e3d..8bbefc3b55d4 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -52,8 +52,7 @@ struct key_user {
        atomic_t                usage;          /* for accessing qnkeys & qnbytes */
        atomic_t                nkeys;          /* number of keys */
        atomic_t                nikeys;         /* number of instantiated keys */
-        uid_t                   uid;
+        kuid_t                  uid;
-        struct user_namespace   *user_ns;
        int                     qnkeys;         /* number of keys allocated to this user */
        int                     qnbytes;        /* number of bytes allocated to this user */
 };
@@ -62,8 +61,7 @@ extern struct rb_root	key_user_tree;
 extern spinlock_t       key_user_lock;
 extern struct key_user  root_key_user;
-extern struct key_user *key_user_lookup(uid_t uid,
+extern struct key_user *key_user_lookup(kuid_t uid);
-                                        struct user_namespace *user_ns);
 extern void key_user_put(struct key_user *user);
 /*
diff --git a/security/keys/key.c b/security/keys/key.c
index 3cbe3529c418..a30e92734905 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -18,7 +18,6 @@
 #include <linux/workqueue.h>
 #include <linux/random.h>
 #include <linux/err.h>
-#include <linux/user_namespace.h>
 #include "internal.h"
 struct kmem_cache *key_jar;
@@ -52,7 +51,7 @@ void __key_check(const struct key *key)
 * Get the key quota record for a user, allocating a new record if one doesn't
 * already exist.
 */
-struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns)
+struct key_user *key_user_lookup(kuid_t uid)
 {
        struct key_user *candidate = NULL, *user;
        struct rb_node *parent = NULL;
@@ -67,13 +66,9 @@ try_again:
                parent = *p;
                user = rb_entry(parent, struct key_user, node);
-                if (uid < user->uid)
+                if (uid_lt(uid, user->uid))
                        p = &(*p)->rb_left;
-                else if (uid > user->uid)
+                else if (uid_gt(uid, user->uid))
-                        p = &(*p)->rb_right;
-                else if (user_ns < user->user_ns)
-                        p = &(*p)->rb_left;
-                else if (user_ns > user->user_ns)
                        p = &(*p)->rb_right;
                else
                        goto found;
@@ -102,7 +97,6 @@ try_again:
        atomic_set(&candidate->nkeys, 0);
        atomic_set(&candidate->nikeys, 0);
        candidate->uid = uid;
-        candidate->user_ns = get_user_ns(user_ns);
        candidate->qnkeys = 0;
        candidate->qnbytes = 0;
        spin_lock_init(&candidate->lock);
@@ -131,7 +125,6 @@ void key_user_put(struct key_user *user)
        if (atomic_dec_and_lock(&user->usage, &key_user_lock)) {
                rb_erase(&user->node, &key_user_tree);
                spin_unlock(&key_user_lock);
-                put_user_ns(user->user_ns);
                kfree(user);
        }
@@ -229,7 +222,7 @@ serial_exists:
 * key_alloc() calls don't race with module unloading.
 */
 struct key *key_alloc(struct key_type *type, const char *desc,
-                      uid_t uid, gid_t gid, const struct cred *cred,
+                      kuid_t uid, kgid_t gid, const struct cred *cred,
                      key_perm_t perm, unsigned long flags)
 {
        struct key_user *user = NULL;
@@ -253,16 +246,16 @@ struct key *key_alloc(struct key_type *type, const char *desc,
        quotalen = desclen + type->def_datalen;
        /* get hold of the key tracking for this user */
-        user = key_user_lookup(uid, cred->user_ns);
+        user = key_user_lookup(uid);
        if (!user)
                goto no_memory_1;
        /* check that the user's quota permits allocation of another key and
         * its description */
        if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) {
-                unsigned maxkeys = (uid == 0) ?
+                unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ?
                        key_quota_root_maxkeys : key_quota_maxkeys;
-                unsigned maxbytes = (uid == 0) ?
+                unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ?
                        key_quota_root_maxbytes : key_quota_maxbytes;
                spin_lock(&user->lock);
@@ -380,7 +373,7 @@ int key_payload_reserve(struct key *key, size_t datalen)
        /* contemplate the quota adjustment */
        if (delta != 0 && test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
-                unsigned maxbytes = (key->user->uid == 0) ?
+                unsigned maxbytes = uid_eq(key->user->uid, GLOBAL_ROOT_UID) ?
                        key_quota_root_maxbytes : key_quota_maxbytes;
                spin_lock(&key->user->lock);
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 6cfc6478863e..305ecb76519c 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -569,8 +569,8 @@ okay:
        ret = snprintf(tmpbuf, PAGE_SIZE - 1,
                       "%s;%d;%d;%08x;%s",
                       key->type->name,
-                       key->uid,
+                       from_kuid_munged(current_user_ns(), key->uid),
-                       key->gid,
+                       from_kgid_munged(current_user_ns(), key->gid),
                       key->perm,
                       key->description ?: "");
@@ -766,15 +766,25 @@ error:
 *
 * If successful, 0 will be returned.
 */
-long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
+long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group)
 {
        struct key_user *newowner, *zapowner = NULL;
        struct key *key;
        key_ref_t key_ref;
        long ret;
+        kuid_t uid;
+        kgid_t gid;
+        uid = make_kuid(current_user_ns(), user);
+        gid = make_kgid(current_user_ns(), group);
+        ret = -EINVAL;
+        if ((user != (uid_t) -1) && !uid_valid(uid))
+                goto error;
+        if ((group != (gid_t) -1) && !gid_valid(gid))
+                goto error;
        ret = 0;
-        if (uid == (uid_t) -1 && gid == (gid_t) -1)
+        if (user == (uid_t) -1 && group == (gid_t) -1)
                goto error;
        key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
@@ -792,27 +802,27 @@ long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
        if (!capable(CAP_SYS_ADMIN)) {
                /* only the sysadmin can chown a key to some other UID */
-                if (uid != (uid_t) -1 && key->uid != uid)
+                if (user != (uid_t) -1 && !uid_eq(key->uid, uid))
                        goto error_put;
                /* only the sysadmin can set the key's GID to a group other
                 * than one of those that the current process subscribes to */
-                if (gid != (gid_t) -1 && gid != key->gid && !in_group_p(gid))
+                if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid))
                        goto error_put;
        }
        /* change the UID */
-        if (uid != (uid_t) -1 && uid != key->uid) {
+        if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) {
                ret = -ENOMEM;
-                newowner = key_user_lookup(uid, current_user_ns());
+                newowner = key_user_lookup(uid);
                if (!newowner)
                        goto error_put;
                /* transfer the quota burden to the new user */
                if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
-                        unsigned maxkeys = (uid == 0) ?
+                        unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ?
                                key_quota_root_maxkeys : key_quota_maxkeys;
-                        unsigned maxbytes = (uid == 0) ?
+                        unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ?
                                key_quota_root_maxbytes : key_quota_maxbytes;
                        spin_lock(&newowner->lock);
@@ -846,7 +856,7 @@ long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
        }
        /* change the GID */
-        if (gid != (gid_t) -1)
+        if (group != (gid_t) -1)
                key->gid = gid;
        ret = 0;
@@ -897,7 +907,7 @@ long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
        down_write(&key->sem);
        /* if we're not the sysadmin, we can only change a key that we own */
-        if (capable(CAP_SYS_ADMIN) || key->uid == current_fsuid()) {
+        if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) {
                key->perm = perm;
                ret = 0;
        }
@@ -1506,18 +1516,18 @@ long keyctl_session_to_parent(void)
        /* the parent must have the same effective ownership and mustn't be
         * SUID/SGID */
-        if (pcred->uid  != mycred->euid ||
+        if (!uid_eq(pcred->uid,  mycred->euid) ||
-            pcred->euid != mycred->euid ||
+            !uid_eq(pcred->euid, mycred->euid) ||
-            pcred->suid != mycred->euid ||
+            !uid_eq(pcred->suid, mycred->euid) ||
-            pcred->gid  != mycred->egid ||
+            !gid_eq(pcred->gid,  mycred->egid) ||
-            pcred->egid != mycred->egid ||
+            !gid_eq(pcred->egid, mycred->egid) ||
-            pcred->sgid != mycred->egid)
+            !gid_eq(pcred->sgid, mycred->egid))
                goto unlock;
        /* the keyrings must have the same UID */
        if ((pcred->tgcred->session_keyring &&
-             pcred->tgcred->session_keyring->uid != mycred->euid) ||
+             !uid_eq(pcred->tgcred->session_keyring->uid, mycred->euid)) ||
-            mycred->tgcred->session_keyring->uid != mycred->euid)
+            !uid_eq(mycred->tgcred->session_keyring->uid, mycred->euid))
                goto unlock;
        /* cancel an already pending keyring replacement */
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 81e7852d281d..a5f5c4b6edc5 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -256,7 +256,7 @@ error:
 /*
 * Allocate a keyring and link into the destination keyring.
 */
-struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
+struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
                          const struct cred *cred, unsigned long flags,
                          struct key *dest)
 {
@@ -612,7 +612,7 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
                                    &keyring_name_hash[bucket],
                                    type_data.link
                                    ) {
-                        if (keyring->user->user_ns != current_user_ns())
+                        if (!kuid_has_mapping(current_user_ns(), keyring->user->uid))
                                continue;
                        if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
diff --git a/security/keys/permission.c b/security/keys/permission.c
index 0b4d019e027d..efcc0c855a0d 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -36,33 +36,27 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
        key = key_ref_to_ptr(key_ref);
-        if (key->user->user_ns != cred->user_ns)
-                goto use_other_perms;
        /* use the second 8-bits of permissions for keys the caller owns */
-        if (key->uid == cred->fsuid) {
+        if (uid_eq(key->uid, cred->fsuid)) {
                kperm = key->perm >> 16;
                goto use_these_perms;
        }
        /* use the third 8-bits of permissions for keys the caller has a group
         * membership in common with */
-        if (key->gid != -1 && key->perm & KEY_GRP_ALL) {
+        if (gid_valid(key->gid) && key->perm & KEY_GRP_ALL) {
-                if (key->gid == cred->fsgid) {
+                if (gid_eq(key->gid, cred->fsgid)) {
                        kperm = key->perm >> 8;
                        goto use_these_perms;
                }
-                ret = groups_search(cred->group_info,
+                ret = groups_search(cred->group_info, key->gid);
-                                    make_kgid(current_user_ns(), key->gid));
                if (ret) {
                        kperm = key->perm >> 8;
                        goto use_these_perms;
                }
        }
-use_other_perms:
        /* otherwise use the least-significant 8-bits */
        kperm = key->perm;
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 30d1ddfd9cef..217b6855e815 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -88,14 +88,14 @@ __initcall(key_proc_init);
 */
 #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
-static struct rb_node *key_serial_next(struct rb_node *n)
+static struct rb_node *key_serial_next(struct seq_file *p, struct rb_node *n)
 {
-        struct user_namespace *user_ns = current_user_ns();
+        struct user_namespace *user_ns = seq_user_ns(p);
        n = rb_next(n);
        while (n) {
                struct key *key = rb_entry(n, struct key, serial_node);
-                if (key->user->user_ns == user_ns)
+                if (kuid_has_mapping(user_ns, key->user->uid))
                        break;
                n = rb_next(n);
        }
@@ -107,9 +107,9 @@ static int proc_keys_open(struct inode *inode, struct file *file)
        return seq_open(file, &proc_keys_ops);
 }
-static struct key *find_ge_key(key_serial_t id)
+static struct key *find_ge_key(struct seq_file *p, key_serial_t id)
 {
-        struct user_namespace *user_ns = current_user_ns();
+        struct user_namespace *user_ns = seq_user_ns(p);
        struct rb_node *n = key_serial_tree.rb_node;
        struct key *minkey = NULL;
@@ -132,7 +132,7 @@ static struct key *find_ge_key(key_serial_t id)
                return NULL;
        for (;;) {
-                if (minkey->user->user_ns == user_ns)
+                if (kuid_has_mapping(user_ns, minkey->user->uid))
                        return minkey;
                n = rb_next(&minkey->serial_node);
                if (!n)
@@ -151,7 +151,7 @@ static void *proc_keys_start(struct seq_file *p, loff_t *_pos)
        if (*_pos > INT_MAX)
                return NULL;
-        key = find_ge_key(pos);
+        key = find_ge_key(p, pos);
        if (!key)
                return NULL;
        *_pos = key->serial;
@@ -168,7 +168,7 @@ static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos)
 {
        struct rb_node *n;
-        n = key_serial_next(v);
+        n = key_serial_next(p, v);
        if (n)
                *_pos = key_node_serial(n);
        return n;
@@ -254,8 +254,8 @@ static int proc_keys_show(struct seq_file *m, void *v)
                   atomic_read(&key->usage),
                   xbuf,
                   key->perm,
-                   key->uid,
+                   from_kuid_munged(seq_user_ns(m), key->uid),
-                   key->gid,
+                   from_kgid_munged(seq_user_ns(m), key->gid),
                   key->type->name);
 #undef showflag
@@ -270,26 +270,26 @@ static int proc_keys_show(struct seq_file *m, void *v)
 #endif /* CONFIG_KEYS_DEBUG_PROC_KEYS */
-static struct rb_node *__key_user_next(struct rb_node *n)
+static struct rb_node *__key_user_next(struct user_namespace *user_ns, struct rb_node *n)
 {
        while (n) {
                struct key_user *user = rb_entry(n, struct key_user, node);
-                if (user->user_ns == current_user_ns())
+                if (kuid_has_mapping(user_ns, user->uid))
                        break;
                n = rb_next(n);
        }
        return n;
 }
-static struct rb_node *key_user_next(struct rb_node *n)
+static struct rb_node *key_user_next(struct user_namespace *user_ns, struct rb_node *n)
 {
-        return __key_user_next(rb_next(n));
+        return __key_user_next(user_ns, rb_next(n));
 }
-static struct rb_node *key_user_first(struct rb_root *r)
+static struct rb_node *key_user_first(struct user_namespace *user_ns, struct rb_root *r)
 {
        struct rb_node *n = rb_first(r);
-        return __key_user_next(n);
+        return __key_user_next(user_ns, n);
 }
 /*
@@ -309,10 +309,10 @@ static void *proc_key_users_start(struct seq_file *p, loff_t *_pos)
        spin_lock(&key_user_lock);
-        _p = key_user_first(&key_user_tree);
+        _p = key_user_first(seq_user_ns(p), &key_user_tree);
        while (pos > 0 && _p) {
                pos--;
-                _p = key_user_next(_p);
+                _p = key_user_next(seq_user_ns(p), _p);
        }
        return _p;
@@ -321,7 +321,7 @@ static void *proc_key_users_start(struct seq_file *p, loff_t *_pos)
 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos)
 {
        (*_pos)++;
-        return key_user_next((struct rb_node *)v);
+        return key_user_next(seq_user_ns(p), (struct rb_node *)v);
 }
 static void proc_key_users_stop(struct seq_file *p, void *v)
@@ -334,13 +334,13 @@ static int proc_key_users_show(struct seq_file *m, void *v)
 {
        struct rb_node *_p = v;
        struct key_user *user = rb_entry(_p, struct key_user, node);
-        unsigned maxkeys = (user->uid == 0) ?
+        unsigned maxkeys = uid_eq(user->uid, GLOBAL_ROOT_UID) ?
                key_quota_root_maxkeys : key_quota_maxkeys;
-        unsigned maxbytes = (user->uid == 0) ?
+        unsigned maxbytes = uid_eq(user->uid, GLOBAL_ROOT_UID) ?
                key_quota_root_maxbytes : key_quota_maxbytes;
        seq_printf(m, "%5u: %5d %d/%d %d/%d %d/%d\n",
-                   user->uid,
+                   from_kuid_munged(seq_user_ns(m), user->uid),
                   atomic_read(&user->usage),
                   atomic_read(&user->nkeys),
                   atomic_read(&user->nikeys),
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 54339cfd6734..a58f712605d8 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -34,8 +34,7 @@ struct key_user root_key_user = {
        .lock           = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
        .nkeys          = ATOMIC_INIT(2),
        .nikeys         = ATOMIC_INIT(2),
-        .uid            = 0,
+        .uid            = GLOBAL_ROOT_UID,
-        .user_ns        = &init_user_ns,
 };
 /*
@@ -48,11 +47,13 @@ int install_user_keyrings(void)
        struct key *uid_keyring, *session_keyring;
        char buf[20];
        int ret;
+        uid_t uid;
        cred = current_cred();
        user = cred->user;
+        uid = from_kuid(cred->user_ns, user->uid);
-        kenter("%p{%u}", user, user->uid);
+        kenter("%p{%u}", user, uid);
        if (user->uid_keyring) {
                kleave(" = 0 [exist]");
@@ -67,11 +68,11 @@ int install_user_keyrings(void)
                 * - there may be one in existence already as it may have been
                 *   pinned by a session, but the user_struct pointing to it
                 *   may have been destroyed by setuid */
-                sprintf(buf, "_uid.%u", user->uid);
+                sprintf(buf, "_uid.%u", uid);
                uid_keyring = find_keyring_by_name(buf, true);
                if (IS_ERR(uid_keyring)) {
-                        uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
+                        uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
                                                    cred, KEY_ALLOC_IN_QUOTA,
                                                    NULL);
                        if (IS_ERR(uid_keyring)) {
@@ -82,12 +83,12 @@ int install_user_keyrings(void)
                /* get a default session keyring (which might also exist
                 * already) */
-                sprintf(buf, "_uid_ses.%u", user->uid);
+                sprintf(buf, "_uid_ses.%u", uid);
                session_keyring = find_keyring_by_name(buf, true);
                if (IS_ERR(session_keyring)) {
                        session_keyring =
-                                keyring_alloc(buf, user->uid, (gid_t) -1,
+                                keyring_alloc(buf, user->uid, INVALID_GID,
                                              cred, KEY_ALLOC_IN_QUOTA, NULL);
                        if (IS_ERR(session_keyring)) {
                                ret = PTR_ERR(session_keyring);
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 000e75017520..66e21184b559 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -139,8 +139,8 @@ static int call_sbin_request_key(struct key_construction *cons,
                goto error_link;
        /* record the UID and GID */
-        sprintf(uid_str, "%d", cred->fsuid);
+        sprintf(uid_str, "%d", from_kuid(&init_user_ns, cred->fsuid));
-        sprintf(gid_str, "%d", cred->fsgid);
+        sprintf(gid_str, "%d", from_kgid(&init_user_ns, cred->fsgid));
        /* we say which key is under construction */
        sprintf(key_str, "%d", key->serial);
@@ -442,7 +442,7 @@ static struct key *construct_key_and_link(struct key_type *type,
        kenter("");
-        user = key_user_lookup(current_fsuid(), current_user_ns());
+        user = key_user_lookup(current_fsuid());
        if (!user)
                return ERR_PTR(-ENOMEM);
diff --git a/security/security.c b/security/security.c
index 860aeb349cb3..f9a2f2ef2454 100644
--- a/security/security.c
+++ b/security/security.c
@@ -434,7 +434,7 @@ int security_path_chmod(struct path *path, umode_t mode)
        return security_ops->path_chmod(path, mode);
 }
-int security_path_chown(struct path *path, uid_t uid, gid_t gid)
+int security_path_chown(struct path *path, kuid_t uid, kgid_t gid)
 {
        if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
                return 0;
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 298e695d6822..55af8c5b57e6 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -174,7 +174,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
                audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
                        "enforcing=%d old_enforcing=%d auid=%u ses=%u",
                        new_value, selinux_enforcing,
-                        audit_get_loginuid(current),
+                        from_kuid(&init_user_ns, audit_get_loginuid(current)),
                        audit_get_sessionid(current));
                selinux_enforcing = new_value;
                if (selinux_enforcing)
@@ -305,7 +305,7 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
                        goto out;
                audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
                        "selinux=0 auid=%u ses=%u",
-                        audit_get_loginuid(current),
+                        from_kuid(&init_user_ns, audit_get_loginuid(current)),
                        audit_get_sessionid(current));
        }
@@ -551,7 +551,7 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
 out1:
        audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
                "policy loaded auid=%u ses=%u",
-                audit_get_loginuid(current),
+                from_kuid(&init_user_ns, audit_get_loginuid(current)),
                audit_get_sessionid(current));
 out:
        mutex_unlock(&sel_mutex);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 4321b8fc8863..b4feecc3fe01 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2440,7 +2440,7 @@ int security_set_bools(int len, int *values)
                                sym_name(&policydb, SYM_BOOLS, i),
                                !!values[i],
                                policydb.bool_val_to_struct[i]->state,
-                                audit_get_loginuid(current),
+                                from_kuid(&init_user_ns, audit_get_loginuid(current)),
                                audit_get_sessionid(current));
                }
                if (values[i])
diff --git a/security/tomoyo/audit.c b/security/tomoyo/audit.c
index 7ef9fa3e37e0..c1b00375c9ad 100644
--- a/security/tomoyo/audit.c
+++ b/security/tomoyo/audit.c
@@ -168,9 +168,14 @@ static char *tomoyo_print_header(struct tomoyo_request_info *r)
                       stamp.day, stamp.hour, stamp.min, stamp.sec, r->profile,
                       tomoyo_mode[r->mode], tomoyo_yesno(r->granted), gpid,
                       tomoyo_sys_getpid(), tomoyo_sys_getppid(),
-                       current_uid(), current_gid(), current_euid(),
+                       from_kuid(&init_user_ns, current_uid()),
-                       current_egid(), current_suid(), current_sgid(),
+                       from_kgid(&init_user_ns, current_gid()),
-                       current_fsuid(), current_fsgid());
+                       from_kuid(&init_user_ns, current_euid()),
+                       from_kgid(&init_user_ns, current_egid()),
+                       from_kuid(&init_user_ns, current_suid()),
+                       from_kgid(&init_user_ns, current_sgid()),
+                       from_kuid(&init_user_ns, current_fsuid()),
+                       from_kgid(&init_user_ns, current_fsgid()));
        if (!obj)
                goto no_obj_info;
        if (!obj->validate_done) {
@@ -191,15 +196,19 @@ static char *tomoyo_print_header(struct tomoyo_request_info *r)
                                        tomoyo_buffer_len - 1 - pos,
                                        " path%u.parent={ uid=%u gid=%u "
                                        "ino=%lu perm=0%o }", (i >> 1) + 1,
-                                        stat->uid, stat->gid, (unsigned long)
+                                        from_kuid(&init_user_ns, stat->uid),
-                                        stat->ino, stat->mode & S_IALLUGO);
+                                        from_kgid(&init_user_ns, stat->gid),
+                                        (unsigned long)stat->ino,
+                                        stat->mode & S_IALLUGO);
                        continue;
                }
                pos += snprintf(buffer + pos, tomoyo_buffer_len - 1 - pos,
                                " path%u={ uid=%u gid=%u ino=%lu major=%u"
                                " minor=%u perm=0%o type=%s", (i >> 1) + 1,
-                                stat->uid, stat->gid, (unsigned long)
+                                from_kuid(&init_user_ns, stat->uid),
-                                stat->ino, MAJOR(dev), MINOR(dev),
+                                from_kgid(&init_user_ns, stat->gid),
+                                (unsigned long)stat->ino,
+                                MAJOR(dev), MINOR(dev),
                                mode & S_IALLUGO, tomoyo_filetype(mode));
                if (S_ISCHR(mode) || S_ISBLK(mode)) {
                        dev = stat->rdev;
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 2e0f12c62938..f89a0333b813 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -925,7 +925,9 @@ static bool tomoyo_manager(void)
        if (!tomoyo_policy_loaded)
                return true;
-        if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
+        if (!tomoyo_manage_by_non_root &&
+            (!uid_eq(task->cred->uid,  GLOBAL_ROOT_UID) ||
+             !uid_eq(task->cred->euid, GLOBAL_ROOT_UID)))
                return false;
        exe = tomoyo_get_exe();
        if (!exe)
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 75e4dc1c02a0..af010b62d544 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -561,8 +561,8 @@ struct tomoyo_address_group {
 /* Subset of "struct stat". Used by conditional ACL and audit logs. */
 struct tomoyo_mini_stat {
-        uid_t uid;
+        kuid_t uid;
-        gid_t gid;
+        kgid_t gid;
        ino_t ino;
        umode_t mode;
        dev_t dev;
diff --git a/security/tomoyo/condition.c b/security/tomoyo/condition.c
index 986330b8c73e..63681e8be628 100644
--- a/security/tomoyo/condition.c
+++ b/security/tomoyo/condition.c
@@ -813,28 +813,28 @@ bool tomoyo_condition(struct tomoyo_request_info *r,
                        unsigned long value = 0;
                        switch (index) {
                        case TOMOYO_TASK_UID:
-                                value = current_uid();
+                                value = from_kuid(&init_user_ns, current_uid());
                                break;
                        case TOMOYO_TASK_EUID:
-                                value = current_euid();
+                                value = from_kuid(&init_user_ns, current_euid());
                                break;
                        case TOMOYO_TASK_SUID:
-                                value = current_suid();
+                                value = from_kuid(&init_user_ns, current_suid());
                                break;
                        case TOMOYO_TASK_FSUID:
-                                value = current_fsuid();
+                                value = from_kuid(&init_user_ns, current_fsuid());
                                break;
                        case TOMOYO_TASK_GID:
-                                value = current_gid();
+                                value = from_kgid(&init_user_ns, current_gid());
                                break;
                        case TOMOYO_TASK_EGID:
-                                value = current_egid();
+                                value = from_kgid(&init_user_ns, current_egid());
                                break;
                        case TOMOYO_TASK_SGID:
-                                value = current_sgid();
+                                value = from_kgid(&init_user_ns, current_sgid());
                                break;
                        case TOMOYO_TASK_FSGID:
-                                value = current_fsgid();
+                                value = from_kgid(&init_user_ns, current_fsgid());
                                break;
                        case TOMOYO_TASK_PID:
                                value = tomoyo_sys_getpid();
@@ -970,13 +970,13 @@ bool tomoyo_condition(struct tomoyo_request_info *r,
                                        case TOMOYO_PATH2_UID:
                                        case TOMOYO_PATH1_PARENT_UID:
                                        case TOMOYO_PATH2_PARENT_UID:
-                                                value = stat->uid;
+                                                value = from_kuid(&init_user_ns, stat->uid);
                                                break;
                                        case TOMOYO_PATH1_GID:
                                        case TOMOYO_PATH2_GID:
                                        case TOMOYO_PATH1_PARENT_GID:
                                        case TOMOYO_PATH2_PARENT_GID:
-                                                value = stat->gid;
+                                                value = from_kgid(&init_user_ns, stat->gid);
                                                break;
                                        case TOMOYO_PATH1_INO:
                                        case TOMOYO_PATH2_INO:
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index c2d04a50f76a..d88eb3a046ed 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -373,13 +373,15 @@ static int tomoyo_path_chmod(struct path *path, umode_t mode)
 *
 * Returns 0 on success, negative value otherwise.
 */
-static int tomoyo_path_chown(struct path *path, uid_t uid, gid_t gid)
+static int tomoyo_path_chown(struct path *path, kuid_t uid, kgid_t gid)
 {
        int error = 0;
-        if (uid != (uid_t) -1)
+        if (uid_valid(uid))
-                error = tomoyo_path_number_perm(TOMOYO_TYPE_CHOWN, path, uid);
+                error = tomoyo_path_number_perm(TOMOYO_TYPE_CHOWN, path,
-        if (!error && gid != (gid_t) -1)
+                                                from_kuid(&init_user_ns, uid));
-                error = tomoyo_path_number_perm(TOMOYO_TYPE_CHGRP, path, gid);
+        if (!error && gid_valid(gid))
+                error = tomoyo_path_number_perm(TOMOYO_TYPE_CHGRP, path,
+                                                from_kgid(&init_user_ns, gid));
        return error;
 }