author | Mauro Carvalho Chehab <mchehab@redhat.com> | 2012-10-05 14:36:26 +0200 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@redhat.com> | 2012-10-05 14:36:26 +0200 |
commit | bd0d10498826ed150da5e4c45baf8b9c7088fb71 (patch) | |
tree | cdee4371121a355d627a655c4eef5c0047b0462a /security | |
parent | [media] v4l2-ioctl.c: fix overlay support (diff) | |
parent | em28xx: regression fix: use DRX-K sync firmware requests on em28xx (diff) | |
Merge branch 'staging/for_v3.7' into v4l_for_linus
* staging/for_v3.7: (2891 commits)
em28xx: regression fix: use DRX-K sync firmware requests on em28xx
drxk: allow loading firmware synchrousnously
em28xx: Make all em28xx extensions to be initialized asynchronously
[media] tda18271: properly report read errors in tda18271_get_id
[media] tda18271: delay IR & RF calibration until init() if delay_cal is set
[media] MAINTAINERS: add Michael Krufky as tda827x maintainer
[media] MAINTAINERS: add Michael Krufky as tda8290 maintainer
[media] MAINTAINERS: add Michael Krufky as cxusb maintainer
[media] MAINTAINERS: add Michael Krufky as lg2160 maintainer
[media] MAINTAINERS: add Michael Krufky as lgdt3305 maintainer
[media] MAINTAINERS: add Michael Krufky as mxl111sf maintainer
[media] MAINTAINERS: add Michael Krufky as mxl5007t maintainer
[media] MAINTAINERS: add Michael Krufky as tda18271 maintainer
[media] s5p-tv: Report only multi-plane capabilities in vidioc_querycap
[media] s5p-mfc: Fix misplaced return statement in s5p_mfc_suspend()
[media] exynos-gsc: Add missing static storage class specifiers
[media] exynos-gsc: Remove <linux/version.h> header file inclusion
[media] s5p-fimc: Fix incorrect condition in fimc_lite_reqbufs()
[media] s5p-tv: Fix potential NULL pointer dereference error
[media] s5k6aa: Fix possible NULL pointer dereference
...
Conflicts:
drivers/media/platform/s5p-fimc/fimc-capture.c
drivers/media/platform/s5p-fimc/fimc-lite.c
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/avc.c | 2 | ||||
-rw-r--r-- | security/selinux/include/xfrm.h | 1 | ||||
-rw-r--r-- | security/yama/yama_lsm.c | 43 |
3 files changed, 41 insertions, 5 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 68d82daed257..4d3fab47e643 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -274,7 +274,7 @@ static struct avc_node *avc_alloc_node(void)
 {
 struct avc_node *node;
 
- node = kmem_cache_zalloc(avc_node_cachep, GFP_ATOMIC);
+ node = kmem_cache_zalloc(avc_node_cachep, GFP_ATOMIC|__GFP_NOMEMALLOC);
 if (!node)
 goto out;
 
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index c220f314709c..65f67cb0aefb 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -51,6 +51,7 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
 static inline void selinux_xfrm_notify_policyload(void)
 {
 atomic_inc(&flow_cache_genid);
+ rt_genid_bump(&init_net);
 }
 #else
 static inline int selinux_xfrm_enabled(void)
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 83554ee8a587..0cc99a3ea42d 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
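Review bot: The new `__GFP_NOMEMALLOC` on the avc node allocation carries no comment saying why this GFP_ATOMIC allocation must stay out of the emergency reserves, so the next reader is likely to "normalise" it back to plain GFP_ATOMIC. From the visible lines a NULL result only takes the `goto out` path, which as far as I can tell means the decision is simply not cached rather than denied, so refusing reserve pages costs performance, not correctness, and that is worth recording above the call: `/* A cache entry is an optimisation only: never take memory reserves for one; NULL just means an uncached lookup. */`. Please confirm against the caller that a NULL from avc_alloc_node() really is non-fatal. The body of avc_alloc_node() continues past the hunk.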
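Review bot: `rt_genid_bump(&init_net)` invalidates cached routes in the initial network namespace only, while the policy reload this helper announces applies to every namespace; if rt_genid is per-netns, as the `struct net *` argument suggests, sockets in other namespaces keep dst entries built under the old policy until something unrelated bumps their generation. Unless there is a reason only init_net matters here, the bump should cover all namespaces, as sketched below. `for_each_net()` needs the rtnl lock (or net_mutex) held and I have not checked that the policy-load path can take it, so that part needs confirming. The flow-cache bump on the previous line is global and unaffected.
```c
static inline void selinux_xfrm_notify_policyload(void)
{
	struct net *net;

	atomic_inc(&flow_cache_genid);
	/* rt_genid is per-netns: a policy reload must invalidate every one. */
	rtnl_lock();
	for_each_net(net)
		rt_genid_bump(net);
	rtnl_unlock();
}
```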
@@ -279,12 +279,46 @@ static int yama_ptrace_access_check(struct task_struct *child,
 }
 
 if (rc) {
- char name[sizeof(current->comm)];
 printk_ratelimited(KERN_NOTICE
 "ptrace of pid %d was attempted by: %s (pid %d)\n",
- child->pid,
- get_task_comm(name, current),
- current->pid);
+ child->pid, current->comm, current->pid);
+ }
+
+ return rc;
+}
+
+/**
+ * yama_ptrace_traceme - validate PTRACE_TRACEME calls
+ * @parent: task that will become the ptracer of the current task
+ *
+ * Returns 0 if following the ptrace is allowed, -ve on error.
+ */
+static int yama_ptrace_traceme(struct task_struct *parent)
+{
+ int rc;
+
+ /* If standard caps disallows it, so does Yama. We should
+ * only tighten restrictions further.
+ */
+ rc = cap_ptrace_traceme(parent);
+ if (rc)
+ return rc;
+
+ /* Only disallow PTRACE_TRACEME on more aggressive settings. */
+ switch (ptrace_scope) {
+ case YAMA_SCOPE_CAPABILITY:
+ if (!ns_capable(task_user_ns(parent), CAP_SYS_PTRACE))
+ rc = -EPERM;
+ break;
+ case YAMA_SCOPE_NO_ATTACH:
+ rc = -EPERM;
+ break;
+ }
+
+ if (rc) {
+ printk_ratelimited(KERN_NOTICE
+ "ptraceme of pid %d was attempted by: %s (pid %d)\n",
+ current->pid, parent->comm, parent->pid);
 }
 
 return rc;
@@ -294,6 +328,7 @@ static struct security_operations yama_ops = {
 .name = "yama",
 
 .ptrace_access_check = yama_ptrace_access_check,
+ .ptrace_traceme = yama_ptrace_traceme,
 .task_prctl = yama_task_prctl,
 .task_free = yama_task_free,
 };
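Review bot: In the YAMA_SCOPE_CAPABILITY arm of yama_ptrace_traceme, `ns_capable(task_user_ns(parent), CAP_SYS_PTRACE)` tests the credentials of *current* (the task asking to be traced) in the parent's user namespace, but the task that will actually do the tracing is `parent`; the `cap_ptrace_traceme()` call just above checks the parent, and this arm should too: `if (!has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE))`. If I read ns_capable() correctly, the current form lets a CAP_SYS_PTRACE-holding child declare itself traceable to an unprivileged parent (commoncap's subset check is then the only thing standing in the way) while refusing an unprivileged child that wants a CAP_SYS_PTRACE parent to trace it, which inverts the scope's intent. Separately, the notice reads `parent->comm` without `get_task_comm()`, so the logged name can race with the parent renaming itself; the same shortcut for `current->comm` in yama_ptrace_access_check is less of a concern because a task's comm is normally only rewritten by that task. yama_ptrace_access_check starts before the hunk.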