summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--.dir-locals.el1
-rw-r--r--.mailmap7
-rw-r--r--Makefile.am4
-rw-r--r--doc/guix.texi8
-rw-r--r--gnu/local.mk14
-rw-r--r--gnu/packages/admin.scm100
-rw-r--r--gnu/packages/bioinformatics.scm31
-rw-r--r--gnu/packages/code.scm4
-rw-r--r--gnu/packages/cryptsetup.scm12
-rw-r--r--gnu/packages/games.scm134
-rw-r--r--gnu/packages/gcc.scm4
-rw-r--r--gnu/packages/gnucash.scm4
-rw-r--r--gnu/packages/gnunet.scm35
-rw-r--r--gnu/packages/gnuzilla.scm7
-rw-r--r--gnu/packages/grub.scm15
-rw-r--r--gnu/packages/linux-libre-4.8-i686.conf (renamed from gnu/packages/linux-libre-4.7-i686.conf)172
-rw-r--r--gnu/packages/linux-libre-4.8-x86_64.conf (renamed from gnu/packages/linux-libre-4.7-x86_64.conf)171
-rw-r--r--gnu/packages/linux.scm14
-rw-r--r--gnu/packages/lisp.scm44
-rw-r--r--gnu/packages/machine-learning.scm27
-rw-r--r--gnu/packages/maths.scm54
-rw-r--r--gnu/packages/package-management.scm2
-rw-r--r--gnu/packages/parallel.scm4
-rw-r--r--gnu/packages/patches/cpio-gets-undeclared.patch45
-rw-r--r--gnu/packages/patches/gsl-test-i686.patch17
-rw-r--r--gnu/packages/patches/libx11-CVE-2016-7942.patch76
-rw-r--r--gnu/packages/patches/libx11-CVE-2016-7943.patch113
-rw-r--r--gnu/packages/patches/libxfixes-CVE-2016-7944.patch62
-rw-r--r--gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch420
-rw-r--r--gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch447
-rw-r--r--gnu/packages/patches/libxrender-CVE-2016-7949.patch66
-rw-r--r--gnu/packages/patches/libxrender-CVE-2016-7950.patch73
-rw-r--r--gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch152
-rw-r--r--gnu/packages/patches/libxv-CVE-2016-5407.patch162
-rw-r--r--gnu/packages/patches/libxvmc-CVE-2016-7953.patch42
-rw-r--r--gnu/packages/patches/metabat-remove-compilation-date.patch16
-rw-r--r--gnu/packages/patches/rush-CVE-2013-6889.patch23
-rw-r--r--gnu/packages/python.scm8
-rw-r--r--gnu/packages/ruby.scm2
-rw-r--r--gnu/packages/rush.scm12
-rw-r--r--gnu/packages/shells.scm17
-rw-r--r--gnu/packages/tls.scm32
-rw-r--r--gnu/packages/version-control.scm6
-rw-r--r--gnu/packages/video.scm4
-rw-r--r--gnu/packages/web.scm37
-rw-r--r--gnu/packages/wordnet.scm19
-rw-r--r--gnu/packages/xorg.scm66
-rw-r--r--gnu/system/mapped-devices.scm4
-rw-r--r--guix/build/graft.scm43
-rw-r--r--guix/scripts/lint.scm38
-rw-r--r--tests/grafts.scm19
-rw-r--r--tests/lint.scm23
52 files changed, 2510 insertions, 402 deletions
diff --git a/.dir-locals.el b/.dir-locals.el
index 572a35f828..adcc50c560 100644
--- a/.dir-locals.el
+++ b/.dir-locals.el
@@ -3,6 +3,7 @@
 ((nil
   . ((fill-column . 78)
      (tab-width   .  8)
+     (sentence-end-double-space . t)
 
      ;; For use with 'bug-reference-prog-mode'.
      (bug-reference-url-format . "http://bugs.gnu.org/%s")
diff --git a/.mailmap b/.mailmap
index 2af7760b16..4f756eca31 100644
--- a/.mailmap
+++ b/.mailmap
@@ -30,9 +30,10 @@ Ludovic Courtès <ludo@gnu.org> <ludovic.courtes@inria.fr>
 Mathieu Lirzin <mthl@gnu.org> <mthl@openmailbox.org>
 Mathieu Lirzin <mthl@gnu.org> <mathieu.lirzin@openmailbox.org>
 Nikita Karetnikov <nikita@karetnikov.org> <nikita.karetnikov@gmail.com>
-ng0 <ng0@we.make.ritual.n0.is> <niasterisk@grrlz.net>
-ng0 <ng0@we.make.ritual.n0.is> <ng@niasterisk.space>
-ng0 <ng0@we.make.ritual.n0.is> <ng0@libertad.pw>
+ng0 <ngillmann@runbox.com> <ng0@we.make.ritual.n0.is>
+ng0 <ngillmann@runbox.com> <niasterisk@grrlz.net>
+ng0 <ngillmann@runbox.com> <ng@niasterisk.space>
+ng0 <ngillmann@runbox.com> <ng0@libertad.pw>
 Pjotr Prins <pjotr.public01@thebird.nl>
 Pjotr Prins <pjotr.public01@thebird.nl> <pjotr.public12@thebird.nl>
 Raimon Grau <raimonster@gmail.com> <raimon@3scale.net>
diff --git a/Makefile.am b/Makefile.am
index 43a33c80ad..1690a94de4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -173,8 +173,8 @@ dist_noinst_DATA = guix/tests.scm
 
 # Linux-Libre configurations.
 KCONFIGS =					\
-  gnu/packages/linux-libre-4.7-i686.conf	\
-  gnu/packages/linux-libre-4.7-x86_64.conf	\
+  gnu/packages/linux-libre-4.8-i686.conf	\
+  gnu/packages/linux-libre-4.8-x86_64.conf	\
   gnu/packages/linux-libre-4.4-i686.conf	\
   gnu/packages/linux-libre-4.4-x86_64.conf	\
   gnu/packages/linux-libre-4.1-i686.conf	\
diff --git a/doc/guix.texi b/doc/guix.texi
index 73570277f6..9bd8b43582 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -11782,10 +11782,10 @@ minute for an ``average'' package on a recent machine.  Grafting is
 recursive: when an indirect dependency requires grafting, then grafting
 ``propagates'' up to the package that the user is installing.
 
-Currently, the graft and the package it replaces (@var{bash-fixed} and
-@var{bash} in the example above) must have the exact same @code{name}
-and @code{version} fields.  This restriction mostly comes from the fact
-that grafting works by patching files, including binary files, directly.
+Currently, the length of the name and version of the graft and that of
+the package it replaces (@var{bash-fixed} and @var{bash} in the example
+above) must be equal.  This restriction mostly comes from the fact that
+grafting works by patching files, including binary files, directly.
 Other restrictions may apply: for instance, when adding a graft to a
 package providing a shared library, the original shared library and its
 replacement must have the same @code{SONAME} and be binary-compatible.
diff --git a/gnu/local.mk b/gnu/local.mk
index d74081b673..db3762278c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -478,7 +478,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/clang-3.8-libc-search-path.patch		\
   %D%/packages/patches/clucene-pkgconfig.patch			\
   %D%/packages/patches/cmake-fix-tests.patch			\
-  %D%/packages/patches/cpio-gets-undeclared.patch		\
   %D%/packages/patches/cpio-CVE-2016-2037.patch			\
   %D%/packages/patches/cpufrequtils-fix-aclocal.patch		\
   %D%/packages/patches/cracklib-CVE-2016-6318.patch		\
@@ -556,6 +555,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/grub-CVE-2015-8370.patch			\
   %D%/packages/patches/grub-gets-undeclared.patch		\
   %D%/packages/patches/grub-freetype.patch			\
+  %D%/packages/patches/gsl-test-i686.patch			\
   %D%/packages/patches/guile-1.8-cpp-4.5.patch			\
   %D%/packages/patches/guile-arm-fixes.patch			\
   %D%/packages/patches/guile-default-utf8.patch			\
@@ -668,6 +668,16 @@ dist_patch_DATA =						\
   %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch	\
   %D%/packages/patches/libwmf-CVE-2015-4695.patch		\
   %D%/packages/patches/libwmf-CVE-2015-4696.patch		\
+  %D%/packages/patches/libx11-CVE-2016-7942.patch		\
+  %D%/packages/patches/libx11-CVE-2016-7943.patch		\
+  %D%/packages/patches/libxfixes-CVE-2016-7944.patch		\
+  %D%/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch	\
+  %D%/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch	\
+  %D%/packages/patches/libxrender-CVE-2016-7949.patch		\
+  %D%/packages/patches/libxrender-CVE-2016-7950.patch		\
+  %D%/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch	\
+  %D%/packages/patches/libxv-CVE-2016-5407.patch		\
+  %D%/packages/patches/libxvmc-CVE-2016-7953.patch		\
   %D%/packages/patches/libxslt-generated-ids.patch		\
   %D%/packages/patches/linux-pam-no-setfsuid.patch		\
   %D%/packages/patches/lirc-localstatedir.patch			\
@@ -691,6 +701,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/mcrypt-CVE-2012-4409.patch			\
   %D%/packages/patches/mcrypt-CVE-2012-4426.patch			\
   %D%/packages/patches/mcrypt-CVE-2012-4527.patch			\
+  %D%/packages/patches/metabat-remove-compilation-date.patch	\
   %D%/packages/patches/mhash-keygen-test-segfault.patch		\
   %D%/packages/patches/mpc123-initialize-ao.patch		\
   %D%/packages/patches/mplayer2-theora-fix.patch		\
@@ -800,7 +811,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/ruby-rack-ignore-failing-test.patch      \
   %D%/packages/patches/ruby-symlinkfix.patch                    \
   %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\
-  %D%/packages/patches/rush-CVE-2013-6889.patch			\
   %D%/packages/patches/sed-hurd-path-max.patch			\
   %D%/packages/patches/scheme48-tests.patch			\
   %D%/packages/patches/scotch-test-threading.patch		\
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 6d298843c3..f608259382 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -210,16 +210,27 @@ application (for console or X terminals) and requires ncurses.")
 (define-public pies
   (package
     (name "pies")
-    (version "1.2")
+    (version "1.3")
     (source
      (origin
-      (method url-fetch)
-      (uri (string-append "mirror://gnu/pies/pies-"
-                          version ".tar.bz2"))
-      (sha256
-       (base32
-        "18w0dbg77i56cx1bwa789w0qi3l4xkkbascxcv2b6gbm0zmjg1g6"))))
+       (method url-fetch)
+       (uri (string-append "mirror://gnu/pies/pies-"
+                           version ".tar.bz2"))
+       (sha256
+        (base32
+         "12r7rjjyibjdj08dvwbp0iflfpzl4s0zhn6cr6zj3hwf9gbzgl1g"))))
     (build-system gnu-build-system)
+    (arguments
+     '(#:phases (modify-phases %standard-phases
+                  (add-before 'build 'patch-/bin/sh
+                    (lambda* (#:key inputs #:allow-other-keys)
+                      ;; Use the right shell when executing user-provided
+                      ;; shell commands.
+                      (let ((bash (assoc-ref inputs "bash")))
+                        (substitute* "src/progman.c"
+                          (("\"/bin/sh\"")
+                           (string-append "\"" bash "/bin/sh\"")))
+                        #t))))))
     (home-page "http://www.gnu.org/software/pies/")
     (synopsis "Program invocation and execution supervisor")
     (description
@@ -1180,14 +1191,14 @@ environment variable is set and output is to tty.")
 (define-public direvent
   (package
     (name "direvent")
-    (version "5.0")
+    (version "5.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/direvent/direvent-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1i14131y6m8wvirz6piw4zxz2q1kbpl0lniv5kl55rx4k372dg8z"))
+                "1nwvjmx7kb14ni34c0b8x9a3791pc20gvhj7xaj66d8q4h6n0qf4"))
               (modules '((guix build utils)))
               (snippet '(substitute* "tests/testsuite"
                           (("#![[:blank:]]?/bin/sh")
@@ -1197,11 +1208,19 @@ environment variable is set and output is to tty.")
      '(#:phases (alist-cons-before
                  'build 'patch-/bin/sh
                  (lambda* (#:key inputs #:allow-other-keys)
-                   ;; Use the right shell when executing the watcher.
+                   ;; Use the right shell when executing the watcher and
+                   ;; user-provided shell commands.
                    (let ((bash (assoc-ref inputs "bash")))
-                     (substitute* "src/direvent.c"
+                     (substitute* '("src/direvent.c" "src/progman.c")
                        (("\"/bin/sh\"")
-                        (string-append "\"" bash "/bin/sh\"")))))
+                        (string-append "\"" bash "/bin/sh\"")))
+
+                     ;; Adjust the 'shell.at' test accordingly.
+                     (substitute* "tests/testsuite"
+                       (("SHELL=/bin/sh")
+                        (string-append "SHELL=" bash "/bin/sh")))
+
+                     #t))
                  %standard-phases)))
     (home-page "http://www.gnu.org/software/direvent/")
     (synopsis "Daemon to monitor directories for events such as file removal")
@@ -1846,3 +1865,60 @@ Kerberos and Heimdal and FAST is supported with recent MIT Kerberos.")
     (license license:gpl1+)))
 
 ;;http://archives.eyrie.org/software/kerberos/pam-krb5-4.7.tar.xz
+
+(define-public sunxi-tools
+  (package
+    (name "sunxi-tools")
+    (version "1.3")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://github.com/linux-sunxi/"
+                           "sunxi-tools/archive/v" version ".tar.gz"))
+       (sha256
+        (base32 "1iazm28gws1i8sls3gxwc5p108n56ags287zmh1rpvkn2k1az81a"))
+       (modules '((guix build utils)))
+       (snippet
+        ;; Remove binaries contained in the tarball which are only for the
+        ;; target and can be regenerated anyway.
+        '(delete-file-recursively "bin"))
+       (file-name (string-append name "-" version ".tar.gz"))))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
+    (inputs
+     `(("libusb" ,libusb)))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:tests? #f ; no tests exist
+       #:make-flags (list (string-append "PREFIX="
+                                         (assoc-ref %outputs "out"))
+                          "TARGET_TOOLS=sunxi-pio sunxi-meminfo"
+                          "CROSS_COMPILE=")
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'fix-Makefile
+           (lambda _
+             (substitute* "Makefile"
+               ;; Upstream adds Makefile and config.h as dependencies
+               ;; of all their tools which means $^ would pass them to gcc.
+               ;; gcc won't know what to do with a Makefile.
+               (("-o [$][@] [$]\\^") "-o $@ meminfo.c"))
+             #t))
+         (delete 'configure))))
+    (home-page "https://github.com/linux-sunxi/sunxi-tools")
+    (synopsis "Hardware management tools for Allwinner computers")
+    (description "This package contains tools for Allwinner devices:
+@enumerate
+@item @command{sunxi-fexc}, @command{bin2fex}, @command{fex2bin}: Compile
+a textual description of a board (.fex) to a binary representation (.bin).
+@item @command{sunxi-fel}: Puts an Allwinner device into FEL mode which
+makes it register as a special USB device (rather than USB host).
+You can then connect it to another computer and flash it from there.
+@item @command{sunxi-nand-part}: Partitions NAND flash.
+@item @command{sunxi-bootinfo}: Reads out boot0 and boot1 (Allwinner
+bootloader) parameters.
+@item @command{sunxi-pio}: Sets GPIO parameters and oscillates a GPIO
+in order to be able to find it.
+@item @command{sunxi-meminfo}: Prints memory bus settings.
+@end enumerate")
+    (license license:gpl2+)))
diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index cf20057bcd..ac46fe4bcc 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -3221,18 +3221,23 @@ form of assemblies or reads.")
                    license:cpl1.0))))     ; Open Bloom Filter
 
 (define-public metabat
-  (package
-    (name "metabat")
-    (version "0.26.3")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append
-                    "https://bitbucket.org/berkeleylab/metabat/get/"
-                    version ".tar.bz2"))
-              (file-name (string-append name "-" version ".tar.bz2"))
-              (sha256
-               (base32
-                "1vpfvgsn8wdsv1g7z73zxcncskx7dy7bw5msg1hhibk25ay11pyg"))))
+  ;; We package from a git commit because compilation of the released version
+  ;; fails.
+  (let ((commit "cbdca756993e66ae57e50a27970595dda9cbde1b"))
+    (package
+      (name "metabat")
+      (version (string-append "0.32.4-1." (string-take commit 8)))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://bitbucket.org/berkeleylab/metabat.git")
+               (commit commit)))
+         (file-name (string-append name "-" version))
+         (sha256
+          (base32
+           "0byia8nsip6zvc4ha0qkxkxxyjf4x7jcvy48q2dvb0pzr989syzr"))
+         (patches (search-patches "metabat-remove-compilation-date.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
@@ -3299,7 +3304,7 @@ enables the study of individual organisms and their interactions.  MetaBAT is
 an automated metagenome binning software, which integrates empirical
 probabilistic distances of genome abundance and tetranucleotide frequency.")
    (license (license:non-copyleft "file://license.txt"
-                                  "See license.txt in the distribution."))))
+                                  "See license.txt in the distribution.")))))
 
 (define-public minced
   (package
diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 63a9280708..baa9861622 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -92,14 +92,14 @@ highlighting your own code that seemed comprehensible when you wrote it.")
 (define-public global                             ; a global variable
   (package
     (name "global")
-    (version "6.5.4")
+    (version "6.5.5")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/global/global-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "19hxajpwld6qx0faz4rzyh1hfs25ycjmws6bas8pavx4hskf05mg"))))
+               "0yyg91qw8399lnxfai4bxkh9yq71qdwp9kvadgzp05cdqni44nxw"))))
     (build-system gnu-build-system)
     (inputs `(("ncurses" ,ncurses)
               ("libltdl" ,libltdl)
diff --git a/gnu/packages/cryptsetup.scm b/gnu/packages/cryptsetup.scm
index 725a397837..0c8efceff0 100644
--- a/gnu/packages/cryptsetup.scm
+++ b/gnu/packages/cryptsetup.scm
@@ -21,6 +21,7 @@
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix build-system gnu)
+  #:use-module (guix utils)
   #:use-module (gnu packages)
   #:use-module (gnu packages gnupg)
   #:use-module (gnu packages popt)
@@ -30,14 +31,15 @@
 (define-public cryptsetup
   (package
    (name "cryptsetup")
-   (version "1.6.1")
+   (version "1.7.2")
    (source (origin
             (method url-fetch)
-            (uri (string-append "http://cryptsetup.googlecode.com/files/cryptsetup-"
-                                version ".tar.bz2"))
+            (uri (string-append "mirror://kernel.org/linux/utils/cryptsetup/v"
+                                (version-major+minor version)
+                                "/" name "-" version ".tar.xz"))
             (sha256
              (base32
-              "170lalkhh2fa316d12i6r7jprm0yss3c949d91069sq37ik6xwxs"))))
+              "0hikwkkj692c955k29c4zixj8wp8k3z17jc6ihb4j5qcbyzmvcyv"))))
    (build-system gnu-build-system)
    (inputs
     `(("libgcrypt" ,libgcrypt)
@@ -55,4 +57,4 @@ passwords.  In contrast to existing solutions, LUKS stores all setup necessary
 setup information in the partition header, enabling the users to transport
 or migrate their data seamlessly.")
    (license license:gpl2)
-   (home-page "http://code.google.com/p/cryptsetup/")))
+   (home-page "https://gitlab.com/cryptsetup/cryptsetup")))
diff --git a/gnu/packages/games.scm b/gnu/packages/games.scm
index b0a6575aae..8c8a35b121 100644
--- a/gnu/packages/games.scm
+++ b/gnu/packages/games.scm
@@ -11,7 +11,7 @@
 ;;; Copyright © 2015, 2016 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015 David Hashe <david.hashe@dhashe.com>
 ;;; Copyright © 2015 Christopher Allan Webber <cwebber@dustycloud.org>
-;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015, 2016 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org>
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
@@ -1185,6 +1185,7 @@ on the screen and keyboard to display letters.")
        ("ghc-mtl" ,ghc-mtl)
        ("ghc-random" ,ghc-random)
        ("ghc-glut" ,ghc-glut)
+       ("freeglut" ,freeglut)
        ("ghc-opengl" ,ghc-opengl)
        ("ghc-sdl" ,ghc-sdl)
        ("ghc-sdl-image" ,ghc-sdl-image)
@@ -2408,7 +2409,7 @@ capture it and get out alive?")
 (define-public warzone2100
   (package
     (name "warzone2100")
-    (version "3.1.5")
+    (version "3.2.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/" name
@@ -2416,16 +2417,22 @@ capture it and get out alive?")
                                   ".tar.xz"))
               (sha256
                (base32
-                "0hm49i2knvvg3wlnryv7h4m84s3qa7jfyym5yy6365sx8wzcrai1"))))
+                "1nd609s0g4sya3r4amhkz3f4dpdmm94vsd2ii76ap665a1nbfrhg"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:phases (modify-phases %standard-phases
-                  (add-after 'set-paths 'set-sdl-paths
-                    (lambda* (#:key inputs #:allow-other-keys)
-                      (setenv "CPATH"
-                              (string-append (assoc-ref inputs "sdl-union")
-                                             "/include/SDL"))
-                      #t)))))
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'link-tests-with-qt
+           (lambda _
+             (substitute* "tests/Makefile.in"
+               (("(framework_linktest_LDADD|maptest_LDADD) = " prefix)
+                (string-append prefix "$(QT5_LIBS) ")))
+             #t))
+         (add-after 'unpack 'remove-reference-to-missing-file
+           (lambda _
+             (substitute* "icons/Makefile.in"
+               (("\\$\\(INSTALL_DATA\\) \\$\\(srcdir\\)/warzone2100.appdata.xml.*") ""))
+             #t)))))
     (native-inputs `(("pkg-config" ,pkg-config)
                      ("unzip" ,unzip)
                      ("zip" ,zip)))
@@ -2438,9 +2445,10 @@ capture it and get out alive?")
               ("libxrandr" ,libxrandr)
               ("openal" ,openal)
               ("physfs" ,physfs)
-              ("qt", qt-4)
+              ("qt" ,qt)
+              ("openssl" ,openssl)
               ("quesoglc" ,quesoglc)
-              ("sdl-union" ,(sdl-union))))
+              ("sdl2" ,sdl2)))
     (home-page "http://wz2100.net")
     (synopsis "3D Real-time strategy and real-time tactics game")
     (description
@@ -2700,17 +2708,19 @@ with the \"Stamp\" tool within Tux Paint.")
 (define-public supertux
   (package
    (name "supertux")
-   (version "0.4.0")
+   (version "0.5.0")
    (source (origin
             (method url-fetch)
-            (uri (string-append "https://github.com/SuperTux/supertux/releases/"
-                                "download/v" version
-                                "/supertux-" version ".tar.bz2"))
+            (uri (string-append "https://github.com/SuperTux/supertux/"
+                                "releases/download/v" version "/SuperTux-v"
+                                version "-Source.tar.gz"))
             (sha256
              (base32
-              "10ppmy6w77lxj8bdzjahc9bidgl4qgzr9rimn15rnqay84ydx3fi"))))
-   (arguments '(#:tests? #f
-                #:configure-flags '("-DINSTALL_SUBDIR_BIN=bin")))
+              "0fx7c7m6mfanqy7kln7yf6abb5l3r68picf32js2yls11jj0vbng"))))
+   (arguments
+    '(#:tests? #f
+      #:configure-flags '("-DINSTALL_SUBDIR_BIN=bin"
+                          "-DENABLE_BOOST_STATIC_LIBS=OFF")))
    (build-system cmake-build-system)
    (inputs `(("sdl2" ,sdl2)
              ("sdl2-image" ,sdl2-image)
@@ -2896,3 +2906,89 @@ extinguishing action, intense boss battles, a catchy soundtrack and lots of
 throwing people around in pseudo-randomly generated buildings.")
     (license (list license:zlib             ; for source code
                    license:cc-by-sa3.0))))  ; for graphics and music assets
+
+(define-public hyperrogue
+  (package
+    (name "hyperrogue")
+    (version "8.3j")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "http://www.roguetemple.com/z/hyper/"
+                    name "-83j.zip"))
+              (sha256
+               (base32
+                "1ag95d84m4j0rqyn9hj7655znixw2j57bpf93nk14nfy02xz1g6p"))
+              (modules '((guix build utils)))
+              ;; Remove .exe and .dll files.
+              (snippet
+               '(for-each delete-file (find-files "." "\\.(exe|dll)$")))))
+    (build-system gnu-build-system)
+    (arguments
+     '(#:tests? #f ; no check target
+       #:make-flags '("-Csrc")
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'set-paths 'set-sdl-paths
+           (lambda* (#:key inputs #:allow-other-keys)
+             (setenv "CPATH"
+                     (string-append (assoc-ref inputs "sdl-union")
+                                    "/include/SDL"))))
+         ;; Fix font and music paths.
+         (replace 'configure
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out"))
+                   (dejavu-dir (string-append
+                                (assoc-ref inputs "font-dejavu")
+                                "/share/fonts/truetype"))
+                   (dejavu-font "DejaVuSans-Bold.ttf")
+                   (music-file "hyperrogue-music.txt"))
+               (with-directory-excursion "src"
+                 (substitute* "graph.cpp"
+                   ((dejavu-font)
+                    (string-append dejavu-dir "/" dejavu-font))
+                   (((string-append "\\./" music-file))
+                    (string-append out "/share/hyperrogue/" music-file)))
+                 (substitute* music-file
+                   (("\\*/")
+                    (string-append out "/share/hyperrogue/")))))
+             #t))
+         (replace 'install
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out"))
+                    (bin (string-append out "/bin"))
+                    (share-dir (string-append out "/share/hyperrogue")))
+               (mkdir-p bin)
+               (copy-file "src/hyper" (string-append bin "/hyperrogue"))
+               (mkdir-p share-dir)
+               (copy-file "src/hyperrogue-music.txt"
+                          (string-append share-dir "/hyperrogue-music.txt"))
+               (for-each (lambda (file)
+                           (copy-file file (string-append share-dir "/" file)))
+                         (find-files "." "\\.ogg$")))
+             #t)))))
+    (inputs
+     `(("font-dejavu" ,font-dejavu)
+       ("glew" ,glew)
+       ("libpng" ,libpng)
+       ("sdl-union" ,(sdl-union (list sdl
+                                      sdl-gfx
+                                      sdl-mixer
+                                      sdl-ttf)))))
+    (home-page "http://www.roguetemple.com/z/hyper/")
+    (synopsis "Non-euclidean graphical rogue-like game")
+    (description
+     "HyperRogue is a game in which the player collects treasures and fights
+monsters -- rogue-like but for the fact that it is played on the hyperbolic
+plane and not in euclidean space.
+
+In HyperRogue, the player can move through different parts of the world, which
+are home to particular creatures and may be subject to own rules of \"physics\".
+
+While it can use ASCII characters to display the world the classical rogue
+symbols, the game needs graphics to render the non-euclidean world.")
+    (license (list license:bsd-3         ; src/glew.c, src/mtrand.*
+                   license:cc-by-sa3.0   ; *.ogg
+                   license:public-domain ; src/direntx.*
+                   license:zlib          ; src/savepng.*
+                   license:gpl2+))))     ; remaining files
diff --git a/gnu/packages/gcc.scm b/gnu/packages/gcc.scm
index da66525707..4a1a309b66 100644
--- a/gnu/packages/gcc.scm
+++ b/gnu/packages/gcc.scm
@@ -776,14 +776,14 @@ effective code.")
 (define-public gnu-c-manual
   (package
     (name "gnu-c-manual")
-    (version "0.2.4")
+    (version "0.2.5")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/gnu-c-manual/gnu-c-manual-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "0cf4503shr7hxkbrjfi9dky6q2lqk95bgbgbjmvj2s2x312kakd9"))))
+                "1sfsj9256w18qzylgag2h5h377aq8in8929svblfnj9svfriqcys"))))
     (build-system gnu-build-system)
     (native-inputs `(("texinfo" ,texinfo)))
     (arguments
diff --git a/gnu/packages/gnucash.scm b/gnu/packages/gnucash.scm
index bdef0b163b..97a4818be3 100644
--- a/gnu/packages/gnucash.scm
+++ b/gnu/packages/gnucash.scm
@@ -42,7 +42,7 @@
 (define-public gnucash
   (package
     (name "gnucash")
-    (version "2.6.12")
+    (version "2.6.14")
     (source
      (origin
       (method url-fetch)
@@ -50,7 +50,7 @@
                           version "/gnucash-" version ".tar.bz2"))
       (sha256
        (base32
-        "0x84f07p30pwhriamv8ifljgw755cj87rc12jy1xddf47spyj7rp"))
+        "0xcf2nl3v6zsablmla20v283x3r0jdpixcbp37mzap82lln4y51v"))
       (patches (search-patches "gnucash-price-quotes-perl.patch"))))
     (build-system gnu-build-system)
     (inputs
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 56a5ea3299..6d9c3c8f33 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -34,14 +34,18 @@
   #:use-module (gnu packages glib)
   #:use-module (gnu packages gnome)
   #:use-module (gnu packages gnupg)
+  #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages groff)
   #:use-module (gnu packages gtk)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages gstreamer)
   #:use-module (gnu packages libidn)
+  #:use-module (gnu packages linux)
   #:use-module (gnu packages image)
   #:use-module (gnu packages libunistring)
   #:use-module (gnu packages maths)
+  #:use-module (gnu packages multiprecision)
+  #:use-module (gnu packages ncurses)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages pulseaudio)
@@ -49,6 +53,7 @@
   #:use-module (gnu packages databases)
   #:use-module (gnu packages tls)
   #:use-module (gnu packages video)
+  #:use-module (gnu packages web)
   #:use-module (gnu packages xiph)
   #:use-module (gnu packages backup)
   #:use-module ((guix licenses) #:prefix license:)
@@ -217,8 +222,9 @@ supports HTTP, HTTPS and GnuTLS.")
       (method url-fetch)
       (uri (string-append "mirror://gnu/gnunet/gnunet-" version
                           ".tar.gz"))
-      (sha256 (base32
-               "04wxzm3wkgqbn42b8ksr4cx6m5cckyig5cls1adh0nwdczwvnp7n"))))
+      (sha256
+       (base32
+        "04wxzm3wkgqbn42b8ksr4cx6m5cckyig5cls1adh0nwdczwvnp7n"))))
    (build-system gnu-build-system)
    (inputs
     `(("glpk" ,glpk)
@@ -229,17 +235,24 @@ supports HTTP, HTTPS and GnuTLS.")
       ("libextractor" ,libextractor)
       ("libgcrypt" ,libgcrypt)
       ("libidn" ,libidn)
-      ("libmicrohttpd" ,libmicrohttpd)
+      ("libmicrohttpd" ,libmicrohttpd) ; hostlist, pt, contrib, and more
       ("libltdl" ,libltdl)
-      ("libunistring" ,libunistring)
-      ("openssl" ,openssl)
-      ("opus" ,opus)
-      ("pulseaudio" ,pulseaudio)
-      ("sqlite" ,sqlite)
-      ("zlib" ,zlib)))
+      ("libunistring" ,libunistring) ; fs and more
+      ("openssl" ,openssl) ; transport, certificate creation, contribs
+      ("opus" ,opus) ; gnunet-conversation
+      ("pulseaudio" ,pulseaudio) ; conversation
+      ("sqlite" ,sqlite) ; sqlite bindings, *store
+      ("zlib" ,zlib)
+      ("perl" ,perl) ; doxygen and more
+      ("jansson" ,jansson) ; identity, taler (external), gnunet-json, gns
+      ("nss" ,nss) ; gns
+      ("gmp" ,gmp) ; util
+      ("bluez" ,bluez) ; gnunet-transport
+      ("glib" ,glib)
+      ("libogg" ,libogg) ; gnunet-conversation
+      ("python-2" ,python-2))) ; tests, gnunet-qr
    (native-inputs
-    `(("pkg-config" ,pkg-config)
-      ("python" ,python-2)))
+    `(("pkg-config" ,pkg-config)))
    (arguments
     '(#:configure-flags
       (list (string-append "--with-nssdir=" %output "/lib"))
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index c2aba247b4..d114dc0ad5 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -275,10 +275,9 @@ in the Mozilla clients.")
     (propagated-inputs `(("nspr" ,nspr))) ; required by nss.pc.
     (native-inputs `(("perl" ,perl)))
 
-    ;; The NSS test suite takes over 28 hours on Loongson 3A (MIPS), and
-    ;; possibly longer when another build is happening concurrently on the
-    ;; same machine.
-    (properties '((timeout . 144000)))  ; 40 hours
+    ;; The NSS test suite takes around 48 hours on Loongson 3A (MIPS) when
+    ;; another build is happening concurrently on the same machine.
+    (properties '((timeout . 216000)))  ; 60 hours
 
     (home-page
      "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
diff --git a/gnu/packages/grub.scm b/gnu/packages/grub.scm
index bfc9d6ffab..b920be9ea2 100644
--- a/gnu/packages/grub.scm
+++ b/gnu/packages/grub.scm
@@ -98,13 +98,23 @@
     (arguments
      '(;; Two warnings: suggest braces, signed/unsigned comparison.
        #:configure-flags '("--disable-werror")
+
        #:phases (modify-phases %standard-phases
-                  (add-after
-                   'unpack 'patch-stuff
+                  (add-after 'unpack 'patch-stuff
                    (lambda* (#:key inputs #:allow-other-keys)
                      (substitute* "grub-core/Makefile.in"
                        (("/bin/sh") (which "sh")))
 
+                     ;; Give the absolute file name of 'mdadm', used to
+                     ;; determine the root file system when it's a RAID
+                     ;; device.  Failing to do that, 'grub-probe' silently
+                     ;; fails if 'mdadm' is not in $PATH.
+                     (substitute* "grub-core/osdep/linux/getroot.c"
+                       (("argv\\[0\\] = \"mdadm\"")
+                        (string-append "argv[0] = \""
+                                       (assoc-ref inputs "mdadm")
+                                       "/sbin/mdadm\"")))
+
                      ;; Make the font visible.
                      (copy-file (assoc-ref inputs "unifont") "unifont.bdf.gz")
                      (system* "gunzip" "unifont.bdf.gz")
@@ -119,6 +129,7 @@
     (inputs
      `(;; ("lvm2" ,lvm2)
        ("gettext" ,gettext-minimal)
+       ("mdadm" ,mdadm)
        ("freetype" ,freetype)
        ;; ("libusb" ,libusb)
        ;; ("fuse" ,fuse)
diff --git a/gnu/packages/linux-libre-4.7-i686.conf b/gnu/packages/linux-libre-4.8-i686.conf
index 0e7c67432b..75c9824cb1 100644
--- a/gnu/packages/linux-libre-4.7-i686.conf
+++ b/gnu/packages/linux-libre-4.8-i686.conf
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.7.0-gnu Kernel Configuration
+# Linux/x86 4.8.0-gnu Kernel Configuration
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -36,7 +36,6 @@ CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
 CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
 CONFIG_HAVE_INTEL_TXT=y
 CONFIG_X86_32_SMP=y
-CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-ecx -fcall-saved-edx"
 CONFIG_ARCH_SUPPORTS_UPROBES=y
 CONFIG_FIX_EARLYCON_MEM=y
 CONFIG_DEBUG_RODATA=y
@@ -231,6 +230,7 @@ CONFIG_SLUB_DEBUG=y
 # CONFIG_SLAB is not set
 CONFIG_SLUB=y
 # CONFIG_SLOB is not set
+CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLUB_CPU_PARTIAL=y
 # CONFIG_SYSTEM_DATA_VERIFICATION is not set
 CONFIG_PROFILING=y
@@ -278,11 +278,15 @@ CONFIG_HAVE_CMPXCHG_DOUBLE=y
 CONFIG_ARCH_WANT_IPC_PARSE_VERSION=y
 CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
 CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
 CONFIG_HAVE_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_NONE is not set
 # CONFIG_CC_STACKPROTECTOR_REGULAR is not set
 CONFIG_CC_STACKPROTECTOR_STRONG=y
+CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
 CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
 CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
 CONFIG_HAVE_ARCH_HUGE_VMAP=y
@@ -548,6 +552,7 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 CONFIG_TRANSPARENT_HUGEPAGE=y
 CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y
 # CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set
+CONFIG_TRANSPARENT_HUGE_PAGECACHE=y
 CONFIG_CLEANCACHE=y
 CONFIG_FRONTSWAP=y
 CONFIG_CMA=y
@@ -649,6 +654,7 @@ CONFIG_ACPI_VIDEO=m
 CONFIG_ACPI_FAN=y
 CONFIG_ACPI_DOCK=y
 CONFIG_ACPI_CPU_FREQ_PSS=y
+CONFIG_ACPI_PROCESSOR_CSTATE=y
 CONFIG_ACPI_PROCESSOR_IDLE=y
 CONFIG_ACPI_PROCESSOR=y
 CONFIG_ACPI_IPMI=m
@@ -657,6 +663,7 @@ CONFIG_ACPI_PROCESSOR_AGGREGATOR=m
 CONFIG_ACPI_THERMAL=y
 CONFIG_ACPI_CUSTOM_DSDT_FILE=""
 # CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y
 CONFIG_ACPI_TABLE_UPGRADE=y
 # CONFIG_ACPI_DEBUG is not set
 CONFIG_ACPI_PCI_SLOT=y
@@ -678,8 +685,10 @@ CONFIG_ACPI_APEI_GHES=y
 CONFIG_ACPI_APEI_PCIEAER=y
 CONFIG_ACPI_APEI_EINJ=m
 # CONFIG_ACPI_APEI_ERST_DEBUG is not set
+CONFIG_DPTF_POWER=m
 CONFIG_ACPI_EXTLOG=m
 # CONFIG_PMIC_OPREGION is not set
+CONFIG_ACPI_CONFIGFS=m
 CONFIG_SFI=y
 CONFIG_X86_APM_BOOT=y
 CONFIG_APM=m
@@ -774,7 +783,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_PERFORMANCE is not set
 CONFIG_PCIE_PME=y
-CONFIG_PCIE_DPC=m
+CONFIG_PCIE_DPC=y
 CONFIG_PCI_BUS_ADDR_T_64BIT=y
 CONFIG_PCI_MSI=y
 CONFIG_PCI_MSI_IRQ_DOMAIN=y
@@ -844,6 +853,7 @@ CONFIG_RAPIDIO_DISC_TIMEOUT=30
 CONFIG_RAPIDIO_DMA_ENGINE=y
 # CONFIG_RAPIDIO_DEBUG is not set
 CONFIG_RAPIDIO_ENUM_BASIC=m
+CONFIG_RAPIDIO_CHMAN=m
 CONFIG_RAPIDIO_MPORT_CDEV=m
 
 #
@@ -853,6 +863,7 @@ CONFIG_RAPIDIO_TSI57X=m
 CONFIG_RAPIDIO_CPS_XX=m
 CONFIG_RAPIDIO_TSI568=m
 CONFIG_RAPIDIO_CPS_GEN2=m
+CONFIG_RAPIDIO_RXS_GEN3=m
 # CONFIG_X86_SYSFB is not set
 
 #
@@ -935,6 +946,7 @@ CONFIG_TCP_CONG_HTCP=m
 CONFIG_TCP_CONG_HSTCP=m
 CONFIG_TCP_CONG_HYBLA=m
 CONFIG_TCP_CONG_VEGAS=m
+CONFIG_TCP_CONG_NV=m
 CONFIG_TCP_CONG_SCALABLE=m
 CONFIG_TCP_CONG_LP=m
 CONFIG_TCP_CONG_VENO=m
@@ -1451,6 +1463,7 @@ CONFIG_NET_CLS_FLOW=m
 CONFIG_NET_CLS_CGROUP=m
 CONFIG_NET_CLS_BPF=m
 CONFIG_NET_CLS_FLOWER=m
+CONFIG_NET_CLS_MATCHALL=m
 CONFIG_NET_EMATCH=y
 CONFIG_NET_EMATCH_STACK=32
 CONFIG_NET_EMATCH_CMP=m
@@ -1494,6 +1507,8 @@ CONFIG_OPENVSWITCH_VXLAN=m
 CONFIG_OPENVSWITCH_GENEVE=m
 CONFIG_VSOCKETS=m
 CONFIG_VMWARE_VMCI_VSOCKETS=m
+CONFIG_VIRTIO_VSOCKETS=m
+CONFIG_VIRTIO_VSOCKETS_COMMON=m
 CONFIG_NETLINK_DIAG=m
 CONFIG_MPLS=y
 CONFIG_NET_MPLS_GSO=m
@@ -1502,6 +1517,7 @@ CONFIG_MPLS_IPTUNNEL=m
 CONFIG_HSR=m
 # CONFIG_NET_SWITCHDEV is not set
 CONFIG_NET_L3_MASTER_DEV=y
+CONFIG_NET_NCSI=y
 CONFIG_RPS=y
 CONFIG_RFS_ACCEL=y
 CONFIG_XPS=y
@@ -1966,6 +1982,7 @@ CONFIG_MTD_NAND_CS553X=m
 CONFIG_MTD_NAND_NANDSIM=m
 CONFIG_MTD_NAND_PLATFORM=m
 CONFIG_MTD_NAND_HISI504=m
+CONFIG_MTD_NAND_MTK=m
 CONFIG_MTD_ONENAND=m
 CONFIG_MTD_ONENAND_VERIFY_WRITE=y
 CONFIG_MTD_ONENAND_GENERIC=m
@@ -2043,7 +2060,6 @@ CONFIG_PARIDE_ON20=m
 CONFIG_PARIDE_ON26=m
 CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m
 CONFIG_ZRAM=m
-CONFIG_ZRAM_LZ4_COMPRESS=y
 CONFIG_BLK_CPQ_CISS_DA=m
 CONFIG_CISS_SCSI_TAPE=y
 CONFIG_BLK_DEV_DAC960=m
@@ -2074,6 +2090,11 @@ CONFIG_BLK_DEV_RSXX=m
 CONFIG_NVME_CORE=m
 CONFIG_BLK_DEV_NVME=m
 # CONFIG_BLK_DEV_NVME_SCSI is not set
+CONFIG_NVME_FABRICS=m
+CONFIG_NVME_RDMA=m
+CONFIG_NVME_TARGET=m
+CONFIG_NVME_TARGET_LOOP=m
+CONFIG_NVME_TARGET_RDMA=m
 
 #
 # Misc devices
@@ -2097,7 +2118,6 @@ CONFIG_APDS9802ALS=m
 CONFIG_ISL29003=m
 CONFIG_ISL29020=m
 CONFIG_SENSORS_TSL2550=m
-CONFIG_SENSORS_BH1780=m
 CONFIG_SENSORS_BH1770=m
 CONFIG_SENSORS_APDS990X=m
 CONFIG_HMC6352=m
@@ -2177,10 +2197,10 @@ CONFIG_VMWARE_VMCI=m
 #
 # VOP Driver
 #
+CONFIG_VHOST_RING=m
 CONFIG_ECHO=m
 # CONFIG_CXL_BASE is not set
-# CONFIG_CXL_KERNEL_API is not set
-# CONFIG_CXL_EEH is not set
+# CONFIG_CXL_AFU_DRIVER_OPS is not set
 CONFIG_HAVE_IDE=y
 # CONFIG_IDE is not set
 
@@ -2273,7 +2293,9 @@ CONFIG_SCSI_MPT3SAS_MAX_SGE=128
 CONFIG_SCSI_MPT2SAS=m
 CONFIG_SCSI_UFSHCD=m
 CONFIG_SCSI_UFSHCD_PCI=m
+# CONFIG_SCSI_UFS_DWC_TC_PCI is not set
 CONFIG_SCSI_UFSHCD_PLATFORM=m
+# CONFIG_SCSI_UFS_DWC_TC_PLATFORM is not set
 CONFIG_SCSI_HPTIOP=m
 CONFIG_SCSI_BUSLOGIC=m
 CONFIG_SCSI_FLASHPOINT=y
@@ -2620,11 +2642,6 @@ CONFIG_CAIF_SPI_SLAVE=m
 # CONFIG_CAIF_SPI_SYNC is not set
 CONFIG_CAIF_HSI=m
 CONFIG_CAIF_VIRTIO=m
-CONFIG_VHOST_NET=m
-CONFIG_VHOST_SCSI=m
-CONFIG_VHOST_RING=m
-CONFIG_VHOST=m
-# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
 
 #
 # Distributed Switch Architecture drivers
@@ -2674,8 +2691,6 @@ CONFIG_CNIC=m
 CONFIG_TIGON3=m
 CONFIG_BNX2X=m
 CONFIG_BNX2X_SRIOV=y
-CONFIG_BNX2X_VXLAN=y
-# CONFIG_BNX2X_GENEVE is not set
 CONFIG_BNXT=m
 CONFIG_BNXT_SRIOV=y
 CONFIG_NET_VENDOR_BROCADE=y
@@ -2687,9 +2702,9 @@ CONFIG_CHELSIO_T1_1G=y
 CONFIG_CHELSIO_T3=m
 CONFIG_CHELSIO_T4=m
 CONFIG_CHELSIO_T4_DCB=y
-CONFIG_CHELSIO_T4_UWIRE=y
 CONFIG_CHELSIO_T4_FCOE=y
 CONFIG_CHELSIO_T4VF=m
+CONFIG_CHELSIO_LIB=m
 CONFIG_NET_VENDOR_CIRRUS=y
 CONFIG_CS89x0=m
 CONFIG_CS89x0_PLATFORM=y
@@ -2717,7 +2732,6 @@ CONFIG_SUNDANCE=m
 CONFIG_NET_VENDOR_EMULEX=y
 CONFIG_BE2NET=m
 CONFIG_BE2NET_HWMON=y
-CONFIG_BE2NET_VXLAN=y
 CONFIG_NET_VENDOR_EZCHIP=y
 CONFIG_NET_VENDOR_EXAR=y
 CONFIG_S2IO=m
@@ -2737,18 +2751,14 @@ CONFIG_IGB_HWMON=y
 CONFIG_IGBVF=m
 CONFIG_IXGB=m
 CONFIG_IXGBE=m
-CONFIG_IXGBE_VXLAN=y
 CONFIG_IXGBE_HWMON=y
 CONFIG_IXGBE_DCB=y
 CONFIG_IXGBEVF=m
 CONFIG_I40E=m
-CONFIG_I40E_VXLAN=y
-CONFIG_I40E_GENEVE=y
 CONFIG_I40E_DCB=y
 CONFIG_I40E_FCOE=y
 CONFIG_I40EVF=m
 CONFIG_FM10K=m
-CONFIG_FM10K_VXLAN=y
 CONFIG_NET_VENDOR_I825XX=y
 CONFIG_JME=m
 CONFIG_NET_VENDOR_MARVELL=y
@@ -2762,7 +2772,6 @@ CONFIG_SKY2=m
 CONFIG_NET_VENDOR_MELLANOX=y
 CONFIG_MLX4_EN=m
 CONFIG_MLX4_EN_DCB=y
-CONFIG_MLX4_EN_VXLAN=y
 CONFIG_MLX4_CORE=m
 CONFIG_MLX4_DEBUG=y
 CONFIG_MLX5_CORE=m
@@ -2809,15 +2818,12 @@ CONFIG_QLA3XXX=m
 CONFIG_QLCNIC=m
 CONFIG_QLCNIC_SRIOV=y
 CONFIG_QLCNIC_DCB=y
-CONFIG_QLCNIC_VXLAN=y
 CONFIG_QLCNIC_HWMON=y
 CONFIG_QLGE=m
 CONFIG_NETXEN_NIC=m
 CONFIG_QED=m
 CONFIG_QED_SRIOV=y
 CONFIG_QEDE=m
-# CONFIG_QEDE_VXLAN is not set
-# CONFIG_QEDE_GENEVE is not set
 CONFIG_NET_VENDOR_QUALCOMM=y
 CONFIG_NET_VENDOR_REALTEK=y
 CONFIG_ATP=m
@@ -2888,6 +2894,7 @@ CONFIG_SKFP=m
 # CONFIG_HIPPI is not set
 CONFIG_NET_SB1000=m
 CONFIG_PHYLIB=y
+CONFIG_SWPHY=y
 
 #
 # MII PHY device drivers
@@ -2920,6 +2927,7 @@ CONFIG_FIXED_PHY=y
 CONFIG_MDIO_BITBANG=m
 CONFIG_MDIO_GPIO=m
 CONFIG_MDIO_BCM_UNIMAC=m
+CONFIG_INTEL_XWAY_PHY=m
 CONFIG_MICREL_KS8995MA=m
 CONFIG_PLIP=m
 CONFIG_PPP=y
@@ -3540,6 +3548,7 @@ CONFIG_TABLET_USB_AIPTEK=m
 CONFIG_TABLET_USB_GTCO=m
 CONFIG_TABLET_USB_HANWANG=m
 CONFIG_TABLET_USB_KBTAB=m
+CONFIG_TABLET_USB_PEGASUS=m
 CONFIG_TABLET_SERIAL_WACOM4=m
 CONFIG_INPUT_TOUCHSCREEN=y
 CONFIG_TOUCHSCREEN_PROPERTIES=y
@@ -3623,8 +3632,12 @@ CONFIG_TOUCHSCREEN_TSC2004=m
 CONFIG_TOUCHSCREEN_TSC2005=m
 CONFIG_TOUCHSCREEN_TSC2007=m
 CONFIG_TOUCHSCREEN_PCAP=m
+CONFIG_TOUCHSCREEN_RM_TS=m
+CONFIG_TOUCHSCREEN_SILEAD=m
+CONFIG_TOUCHSCREEN_SIS_I2C=m
 CONFIG_TOUCHSCREEN_ST1232=m
 CONFIG_TOUCHSCREEN_SUR40=m
+CONFIG_TOUCHSCREEN_SURFACE3_SPI=m
 CONFIG_TOUCHSCREEN_SX8654=m
 CONFIG_TOUCHSCREEN_TPS6507X=m
 CONFIG_TOUCHSCREEN_ZFORCE=m
@@ -3823,7 +3836,6 @@ CONFIG_IPMI_HANDLER=m
 # CONFIG_IPMI_PANIC_EVENT is not set
 CONFIG_IPMI_DEVICE_INTERFACE=m
 CONFIG_IPMI_SI=m
-CONFIG_IPMI_SI_PROBE_DEFAULTS=y
 CONFIG_IPMI_SSIF=m
 CONFIG_IPMI_WATCHDOG=m
 CONFIG_IPMI_POWEROFF=m
@@ -3859,7 +3871,9 @@ CONFIG_HPET_MMAP=y
 CONFIG_HPET_MMAP_DEFAULT=y
 CONFIG_HANGCHECK_TIMER=m
 CONFIG_TCG_TPM=y
+CONFIG_TCG_TIS_CORE=y
 CONFIG_TCG_TIS=y
+CONFIG_TCG_TIS_SPI=m
 CONFIG_TCG_TIS_I2C_ATMEL=m
 CONFIG_TCG_TIS_I2C_INFINEON=m
 CONFIG_TCG_TIS_I2C_NUVOTON=m
@@ -3868,6 +3882,7 @@ CONFIG_TCG_ATMEL=m
 CONFIG_TCG_INFINEON=m
 CONFIG_TCG_XEN=m
 CONFIG_TCG_CRB=m
+CONFIG_TCG_VTPM_PROXY=m
 CONFIG_TCG_TIS_ST33ZP24=m
 CONFIG_TCG_TIS_ST33ZP24_I2C=m
 CONFIG_TCG_TIS_ST33ZP24_SPI=m
@@ -4058,10 +4073,10 @@ CONFIG_GENERIC_PINCONF=y
 CONFIG_PINCTRL_AMD=y
 CONFIG_PINCTRL_BAYTRAIL=y
 CONFIG_PINCTRL_CHERRYVIEW=m
+CONFIG_PINCTRL_MERRIFIELD=m
 CONFIG_PINCTRL_INTEL=m
 CONFIG_PINCTRL_BROXTON=m
 CONFIG_PINCTRL_SUNRISEPOINT=m
-CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
 CONFIG_GPIOLIB=y
 CONFIG_GPIO_DEVRES=y
 CONFIG_GPIO_ACPI=y
@@ -4140,6 +4155,7 @@ CONFIG_GPIO_WM8994=m
 #
 CONFIG_GPIO_AMD8111=m
 CONFIG_GPIO_INTEL_MID=y
+CONFIG_GPIO_MERRIFIELD=m
 CONFIG_GPIO_ML_IOH=m
 CONFIG_GPIO_PCH=m
 CONFIG_GPIO_RDC321X=m
@@ -4154,7 +4170,6 @@ CONFIG_GPIO_PISOSR=m
 #
 # SPI or I2C GPIO expanders
 #
-CONFIG_GPIO_MCP23S08=m
 
 #
 # USB GPIO expanders
@@ -4289,6 +4304,7 @@ CONFIG_SENSORS_F71882FG=m
 CONFIG_SENSORS_F75375S=m
 CONFIG_SENSORS_MC13783_ADC=m
 CONFIG_SENSORS_FSCHMD=m
+CONFIG_SENSORS_FTSTEUTATES=m
 CONFIG_SENSORS_GL518SM=m
 CONFIG_SENSORS_GL520SM=m
 CONFIG_SENSORS_G760A=m
@@ -4367,6 +4383,7 @@ CONFIG_SENSORS_UCD9200=m
 CONFIG_SENSORS_ZL6100=m
 CONFIG_SENSORS_SHT15=m
 CONFIG_SENSORS_SHT21=m
+CONFIG_SENSORS_SHT3x=m
 CONFIG_SENSORS_SHTC1=m
 CONFIG_SENSORS_SIS5595=m
 CONFIG_SENSORS_DME1737=m
@@ -4387,6 +4404,7 @@ CONFIG_SENSORS_ADS7871=m
 CONFIG_SENSORS_AMC6821=m
 CONFIG_SENSORS_INA209=m
 CONFIG_SENSORS_INA2XX=m
+CONFIG_SENSORS_INA3221=m
 CONFIG_SENSORS_TC74=m
 CONFIG_SENSORS_THMC50=m
 CONFIG_SENSORS_TMP102=m
@@ -4462,7 +4480,6 @@ CONFIG_XILINX_WATCHDOG=m
 CONFIG_ZIIRAVE_WATCHDOG=m
 CONFIG_CADENCE_WATCHDOG=m
 CONFIG_DW_WATCHDOG=m
-CONFIG_RN5T618_WATCHDOG=m
 CONFIG_TWL4030_WATCHDOG=m
 CONFIG_MAX63XX_WATCHDOG=m
 CONFIG_RETU_WATCHDOG=m
@@ -4558,6 +4575,7 @@ CONFIG_BCMA_HOST_PCI_POSSIBLE=y
 CONFIG_BCMA_HOST_PCI=y
 CONFIG_BCMA_HOST_SOC=y
 CONFIG_BCMA_DRIVER_PCI=y
+CONFIG_BCMA_SFLASH=y
 CONFIG_BCMA_DRIVER_GMAC_CMN=y
 CONFIG_BCMA_DRIVER_GPIO=y
 # CONFIG_BCMA_DEBUG is not set
@@ -4624,7 +4642,6 @@ CONFIG_MFD_RTSX_PCI=m
 CONFIG_MFD_RT5033=m
 CONFIG_MFD_RTSX_USB=m
 CONFIG_MFD_RC5T583=y
-CONFIG_MFD_RN5T618=m
 CONFIG_MFD_SEC_CORE=y
 CONFIG_MFD_SI476X_CORE=m
 CONFIG_MFD_SM501=m
@@ -4722,6 +4739,7 @@ CONFIG_REGULATOR_MC13XXX_CORE=m
 CONFIG_REGULATOR_MC13783=m
 CONFIG_REGULATOR_MC13892=m
 CONFIG_REGULATOR_MT6311=m
+CONFIG_REGULATOR_MT6323=m
 CONFIG_REGULATOR_MT6397=m
 CONFIG_REGULATOR_PALMAS=m
 CONFIG_REGULATOR_PCAP=m
@@ -4733,7 +4751,6 @@ CONFIG_REGULATOR_PV88090=m
 CONFIG_REGULATOR_PWM=m
 CONFIG_REGULATOR_QCOM_SPMI=m
 CONFIG_REGULATOR_RC5T583=m
-CONFIG_REGULATOR_RN5T618=m
 CONFIG_REGULATOR_RT5033=m
 CONFIG_REGULATOR_S2MPA01=m
 CONFIG_REGULATOR_S2MPS11=m
@@ -4768,6 +4785,7 @@ CONFIG_MEDIA_DIGITAL_TV_SUPPORT=y
 CONFIG_MEDIA_RADIO_SUPPORT=y
 CONFIG_MEDIA_SDR_SUPPORT=y
 CONFIG_MEDIA_RC_SUPPORT=y
+CONFIG_MEDIA_CEC_EDID=y
 CONFIG_MEDIA_CONTROLLER=y
 # CONFIG_MEDIA_CONTROLLER_DVB is not set
 CONFIG_VIDEO_DEV=m
@@ -4781,7 +4799,6 @@ CONFIG_V4L2_FLASH_LED_CLASS=m
 CONFIG_VIDEOBUF_GEN=m
 CONFIG_VIDEOBUF_DMA_SG=m
 CONFIG_VIDEOBUF_VMALLOC=m
-CONFIG_VIDEOBUF_DMA_CONTIG=m
 CONFIG_VIDEOBUF_DVB=m
 CONFIG_VIDEOBUF2_CORE=m
 CONFIG_VIDEOBUF2_MEMOPS=m
@@ -5185,7 +5202,6 @@ CONFIG_VIDEO_SAA6588=m
 #
 # Video decoders
 #
-CONFIG_VIDEO_ADV7180=m
 CONFIG_VIDEO_ADV7604=m
 CONFIG_VIDEO_ADV7842=m
 CONFIG_VIDEO_BT819=m
@@ -5315,6 +5331,8 @@ CONFIG_DVB_M88DS3103=m
 CONFIG_DVB_DRXK=m
 CONFIG_DVB_TDA18271C2DD=m
 CONFIG_DVB_SI2165=m
+CONFIG_DVB_MN88472=m
+CONFIG_DVB_MN88473=m
 
 #
 # DVB-S (satellite) frontends
@@ -5440,6 +5458,7 @@ CONFIG_DVB_M88RS2000=m
 CONFIG_DVB_AF9033=m
 CONFIG_DVB_HORUS3A=m
 CONFIG_DVB_ASCOT2E=m
+CONFIG_DVB_HELENE=m
 
 #
 # Tools to develop new frontends
@@ -5476,7 +5495,6 @@ CONFIG_DRM_TTM=m
 #
 # I2C encoder or helper chips
 #
-CONFIG_DRM_I2C_ADV7511=m
 CONFIG_DRM_I2C_CH7006=m
 CONFIG_DRM_I2C_SIL164=m
 CONFIG_DRM_I2C_NXP_TDA998X=m
@@ -5502,6 +5520,7 @@ CONFIG_DRM_I810=m
 CONFIG_DRM_I915=m
 # CONFIG_DRM_I915_PRELIMINARY_HW_SUPPORT is not set
 CONFIG_DRM_I915_USERPTR=y
+# CONFIG_DRM_I915_GVT is not set
 
 #
 # drm/i915 Debugging
@@ -5954,6 +5973,7 @@ CONFIG_SND_SOC_TOPOLOGY=y
 CONFIG_SND_SOC_AMD_ACP=m
 CONFIG_SND_ATMEL_SOC=m
 CONFIG_SND_DESIGNWARE_I2S=m
+CONFIG_SND_DESIGNWARE_PCM=m
 
 #
 # SoC Audio for Freescale CPUs
@@ -5975,9 +5995,14 @@ CONFIG_SND_SST_IPC=m
 CONFIG_SND_SST_IPC_PCI=m
 CONFIG_SND_SST_IPC_ACPI=m
 CONFIG_SND_SOC_INTEL_SST=m
+CONFIG_SND_SOC_INTEL_SST_FIRMWARE=m
 CONFIG_SND_SOC_INTEL_SST_ACPI=m
 CONFIG_SND_SOC_INTEL_SST_MATCH=m
+CONFIG_SND_SOC_INTEL_HASWELL=m
+CONFIG_SND_SOC_INTEL_HASWELL_MACH=m
+CONFIG_SND_SOC_INTEL_BXT_DA7219_MAX98357A_MACH=m
 CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m
+CONFIG_SND_SOC_INTEL_BROADWELL_MACH=m
 CONFIG_SND_SOC_INTEL_BYTCR_RT5640_MACH=m
 CONFIG_SND_SOC_INTEL_BYTCR_RT5651_MACH=m
 CONFIG_SND_SOC_INTEL_CHT_BSW_RT5672_MACH=m
@@ -5992,6 +6017,7 @@ CONFIG_SND_SOC_INTEL_SKL_NAU88L25_MAX98357A_MACH=m
 # Allwinner SoC Audio support
 #
 CONFIG_SND_SUN4I_CODEC=m
+CONFIG_SND_SUN4I_I2S=m
 CONFIG_SND_SOC_XTFPGA_I2S=m
 CONFIG_SND_SOC_I2C_AND_SPI=m
 
@@ -6000,13 +6026,16 @@ CONFIG_SND_SOC_I2C_AND_SPI=m
 #
 CONFIG_SND_SOC_AC97_CODEC=m
 CONFIG_SND_SOC_ADAU1701=m
+CONFIG_SND_SOC_ADAU7002=m
 CONFIG_SND_SOC_AK4104=m
 CONFIG_SND_SOC_AK4554=m
 CONFIG_SND_SOC_AK4613=m
 CONFIG_SND_SOC_AK4642=m
 CONFIG_SND_SOC_AK5386=m
 CONFIG_SND_SOC_ALC5623=m
+CONFIG_SND_SOC_BT_SCO=m
 CONFIG_SND_SOC_CS35L32=m
+CONFIG_SND_SOC_CS35L33=m
 CONFIG_SND_SOC_CS42L51=m
 CONFIG_SND_SOC_CS42L51_I2C=m
 CONFIG_SND_SOC_CS42L52=m
@@ -6020,6 +6049,8 @@ CONFIG_SND_SOC_CS4271_SPI=m
 CONFIG_SND_SOC_CS42XX8=m
 CONFIG_SND_SOC_CS42XX8_I2C=m
 CONFIG_SND_SOC_CS4349=m
+CONFIG_SND_SOC_CS53L30=m
+CONFIG_SND_SOC_DA7219=m
 CONFIG_SND_SOC_DMIC=m
 CONFIG_SND_SOC_ES8328=m
 CONFIG_SND_SOC_GTM601=m
@@ -6027,6 +6058,8 @@ CONFIG_SND_SOC_HDAC_HDMI=m
 CONFIG_SND_SOC_INNO_RK3036=m
 CONFIG_SND_SOC_MAX98090=m
 CONFIG_SND_SOC_MAX98357A=m
+CONFIG_SND_SOC_MAX98504=m
+CONFIG_SND_SOC_MAX9860=m
 CONFIG_SND_SOC_PCM1681=m
 CONFIG_SND_SOC_PCM179X=m
 CONFIG_SND_SOC_PCM179X_I2C=m
@@ -6093,8 +6126,10 @@ CONFIG_SND_SOC_WM8960=m
 CONFIG_SND_SOC_WM8962=m
 CONFIG_SND_SOC_WM8974=m
 CONFIG_SND_SOC_WM8978=m
+CONFIG_SND_SOC_WM8985=m
 CONFIG_SND_SOC_NAU8825=m
 CONFIG_SND_SOC_TPA6130A2=m
+CONFIG_SND_SIMPLE_CARD_UTILS=m
 CONFIG_SND_SIMPLE_CARD=m
 # CONFIG_SOUND_PRIME is not set
 CONFIG_AC97_BUS=m
@@ -6147,6 +6182,7 @@ CONFIG_HID_ICADE=m
 CONFIG_HID_TWINHAN=m
 CONFIG_HID_KENSINGTON=m
 CONFIG_HID_LCPOWER=m
+CONFIG_HID_LED=m
 CONFIG_HID_LENOVO=m
 CONFIG_HID_LOGITECH=m
 CONFIG_HID_LOGITECH_DJ=m
@@ -6200,6 +6236,7 @@ CONFIG_ZEROPLUS_FF=y
 CONFIG_HID_ZYDACRON=m
 CONFIG_HID_SENSOR_HUB=m
 CONFIG_HID_SENSOR_CUSTOM_SENSOR=m
+CONFIG_HID_ALPS=m
 
 #
 # USB HID support
@@ -6343,7 +6380,7 @@ CONFIG_USB_DWC2_HOST=y
 #
 # Gadget/Dual-role mode requires USB Gadget support to be enabled
 #
-CONFIG_USB_DWC2_PCI=y
+CONFIG_USB_DWC2_PCI=m
 # CONFIG_USB_DWC2_DEBUG is not set
 # CONFIG_USB_DWC2_TRACK_MISSED_SOFS is not set
 CONFIG_USB_CHIPIDEA=m
@@ -6438,7 +6475,6 @@ CONFIG_USB_SEVSEG=m
 CONFIG_USB_RIO500=m
 CONFIG_USB_LEGOTOWER=m
 CONFIG_USB_LCD=m
-CONFIG_USB_LED=m
 CONFIG_USB_CYPRESS_CY7C63=m
 CONFIG_USB_CYTHERM=m
 CONFIG_USB_IDMOUSE=m
@@ -6468,7 +6504,7 @@ CONFIG_USB_XUSBATM=m
 # USB Physical Layer drivers
 #
 CONFIG_USB_PHY=y
-CONFIG_NOP_USB_XCEIV=y
+CONFIG_NOP_USB_XCEIV=m
 CONFIG_USB_GPIO_VBUS=m
 CONFIG_TAHVO_USB=m
 CONFIG_TAHVO_USB_HOST_BY_DEFAULT=y
@@ -6644,6 +6680,7 @@ CONFIG_LEDS_PCA9532=m
 CONFIG_LEDS_PCA9532_GPIO=y
 CONFIG_LEDS_GPIO=m
 CONFIG_LEDS_LP3944=m
+CONFIG_LEDS_LP3952=m
 CONFIG_LEDS_LP55XX_COMMON=m
 CONFIG_LEDS_LP5521=m
 CONFIG_LEDS_LP5523=m
@@ -6685,6 +6722,7 @@ CONFIG_LEDS_BLINKM=m
 CONFIG_LEDS_TRIGGERS=y
 CONFIG_LEDS_TRIGGER_TIMER=m
 CONFIG_LEDS_TRIGGER_ONESHOT=m
+CONFIG_LEDS_TRIGGER_DISK=y
 # CONFIG_LEDS_TRIGGER_MTD is not set
 CONFIG_LEDS_TRIGGER_HEARTBEAT=m
 CONFIG_LEDS_TRIGGER_BACKLIGHT=m
@@ -6725,6 +6763,7 @@ CONFIG_INFINIBAND_SRP=m
 CONFIG_INFINIBAND_SRPT=m
 CONFIG_INFINIBAND_ISER=m
 CONFIG_INFINIBAND_ISERT=m
+CONFIG_RDMA_RXE=m
 CONFIG_EDAC_ATOMIC_SCRUB=y
 CONFIG_EDAC_SUPPORT=y
 CONFIG_EDAC=y
@@ -6751,6 +6790,7 @@ CONFIG_EDAC_I5000=m
 CONFIG_EDAC_I5100=m
 CONFIG_EDAC_I7300=m
 CONFIG_RTC_LIB=y
+CONFIG_RTC_MC146818_LIB=y
 CONFIG_RTC_CLASS=y
 CONFIG_RTC_HCTOSYS=y
 CONFIG_RTC_HCTOSYS_DEVICE="rtc0"
@@ -6822,6 +6862,7 @@ CONFIG_RTC_DRV_DS1305=m
 CONFIG_RTC_DRV_DS1343=m
 CONFIG_RTC_DRV_DS1347=m
 CONFIG_RTC_DRV_DS1390=m
+CONFIG_RTC_DRV_MAX6916=m
 CONFIG_RTC_DRV_R9701=m
 CONFIG_RTC_DRV_RX4581=m
 CONFIG_RTC_DRV_RX6110=m
@@ -7156,7 +7197,6 @@ CONFIG_ADIS16201=m
 CONFIG_ADIS16203=m
 CONFIG_ADIS16209=m
 CONFIG_ADIS16240=m
-CONFIG_LIS3L02DQ=m
 CONFIG_SCA3000=m
 
 #
@@ -7253,9 +7293,8 @@ CONFIG_SPEAKUP_SYNTH_TXPRT=m
 CONFIG_SPEAKUP_SYNTH_DUMMY=m
 CONFIG_STAGING_MEDIA=y
 CONFIG_I2C_BCM2048=m
+# CONFIG_MEDIA_CEC is not set
 CONFIG_DVB_CXD2099=m
-CONFIG_DVB_MN88472=m
-CONFIG_VIDEO_TIMBERDALE=m
 CONFIG_LIRC_STAGING=y
 CONFIG_LIRC_BT829=m
 CONFIG_LIRC_IMON=m
@@ -7336,6 +7375,7 @@ CONFIG_HDM_USB=m
 CONFIG_ISDN_DRV_ICN=m
 CONFIG_ISDN_DRV_PCBIT=m
 CONFIG_ISDN_DRV_ACT2000=m
+CONFIG_KS7010=m
 CONFIG_X86_PLATFORM_DEVICES=y
 CONFIG_ACER_WMI=m
 CONFIG_ACERHDF=m
@@ -7384,6 +7424,7 @@ CONFIG_TOSHIBA_HAPS=m
 CONFIG_TOSHIBA_WMI=m
 CONFIG_ACPI_CMPC=m
 CONFIG_INTEL_HID_EVENT=m
+CONFIG_INTEL_VBTN=m
 CONFIG_INTEL_SCU_IPC=y
 CONFIG_INTEL_SCU_IPC_UTIL=m
 CONFIG_GPIO_INTEL_PMIC=y
@@ -7428,7 +7469,7 @@ CONFIG_COMMON_CLK_PALMAS=m
 CONFIG_COMMON_CLK_PWM=m
 # CONFIG_COMMON_CLK_PXA is not set
 # CONFIG_COMMON_CLK_PIC32 is not set
-# CONFIG_COMMON_CLK_OXNAS is not set
+# CONFIG_SUNXI_CCU is not set
 
 #
 # Hardware Spinlock drivers
@@ -7476,6 +7517,10 @@ CONFIG_STE_MODEM_RPROC=m
 #
 # SOC (System On Chip) specific Drivers
 #
+
+#
+# Broadcom SoC drivers
+#
 # CONFIG_SUNXI_SRAM is not set
 CONFIG_SOC_TI=y
 CONFIG_PM_DEVFREQ=y
@@ -7520,6 +7565,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_CONFIGFS=m
 CONFIG_IIO_TRIGGER=y
 CONFIG_IIO_CONSUMERS_PER_TRIGGER=2
+CONFIG_IIO_SW_DEVICE=m
 CONFIG_IIO_SW_TRIGGER=m
 CONFIG_IIO_TRIGGERED_EVENT=m
 
@@ -7527,6 +7573,7 @@ CONFIG_IIO_TRIGGERED_EVENT=m
 # Accelerometers
 #
 CONFIG_BMA180=m
+CONFIG_BMA220=m
 CONFIG_BMC150_ACCEL=m
 CONFIG_BMC150_ACCEL_I2C=m
 CONFIG_BMC150_ACCEL_SPI=m
@@ -7539,6 +7586,7 @@ CONFIG_KXCJK1013=m
 CONFIG_MMA7455=m
 CONFIG_MMA7455_I2C=m
 CONFIG_MMA7455_SPI=m
+CONFIG_MMA7660=m
 CONFIG_MMA8452=m
 CONFIG_MMA9551_CORE=m
 CONFIG_MMA9551=m
@@ -7776,12 +7824,14 @@ CONFIG_HID_SENSOR_DEVICE_ROTATION=m
 #
 CONFIG_IIO_HRTIMER_TRIGGER=m
 CONFIG_IIO_INTERRUPT_TRIGGER=m
+CONFIG_IIO_TIGHTLOOP_TRIGGER=m
 CONFIG_IIO_SYSFS_TRIGGER=m
 
 #
 # Digital potentiometers
 #
 CONFIG_DS1803=m
+CONFIG_MAX5487=m
 CONFIG_MCP4131=m
 CONFIG_MCP4531=m
 CONFIG_TPL0102=m
@@ -7849,6 +7899,7 @@ CONFIG_VME_PIO2=m
 CONFIG_PWM=y
 CONFIG_PWM_SYSFS=y
 CONFIG_PWM_CRC=y
+CONFIG_PWM_CROS_EC=m
 CONFIG_PWM_LP3943=m
 CONFIG_PWM_LPSS=m
 CONFIG_PWM_LPSS_PCI=m
@@ -7861,6 +7912,7 @@ CONFIG_IPACK_BUS=m
 CONFIG_BOARD_TPCI200=m
 CONFIG_SERIAL_IPOCTAL=m
 CONFIG_RESET_CONTROLLER=y
+CONFIG_TI_SYSCON_RESET=m
 CONFIG_FMC=m
 CONFIG_FMC_FAKEDEV=m
 CONFIG_FMC_TRIVIAL=m
@@ -7924,6 +7976,7 @@ CONFIG_FPGA_MGR_ZYNQ_FPGA=m
 #
 # Firmware Drivers
 #
+# CONFIG_ARM_SCPI_PROTOCOL is not set
 CONFIG_EDD=y
 CONFIG_EDD_OFF=y
 CONFIG_FIRMWARE_MEMMAP=y
@@ -7956,14 +8009,14 @@ CONFIG_UEFI_CPER=y
 # File systems
 #
 CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_FS_IOMAP=y
 # CONFIG_EXT2_FS is not set
 # CONFIG_EXT3_FS is not set
 CONFIG_EXT4_FS=y
 CONFIG_EXT4_USE_FOR_EXT2=y
 CONFIG_EXT4_FS_POSIX_ACL=y
 CONFIG_EXT4_FS_SECURITY=y
-CONFIG_EXT4_ENCRYPTION=m
-CONFIG_EXT4_FS_ENCRYPTION=y
+# CONFIG_EXT4_ENCRYPTION is not set
 # CONFIG_EXT4_DEBUG is not set
 CONFIG_JBD2=y
 # CONFIG_JBD2_DEBUG is not set
@@ -8006,12 +8059,13 @@ CONFIG_F2FS_FS_XATTR=y
 CONFIG_F2FS_FS_POSIX_ACL=y
 CONFIG_F2FS_FS_SECURITY=y
 # CONFIG_F2FS_CHECK_FS is not set
-CONFIG_F2FS_FS_ENCRYPTION=y
+# CONFIG_F2FS_FS_ENCRYPTION is not set
 # CONFIG_F2FS_IO_TRACE is not set
 # CONFIG_F2FS_FAULT_INJECTION is not set
 CONFIG_FS_DAX=y
 CONFIG_FS_POSIX_ACL=y
 CONFIG_EXPORTFS=y
+# CONFIG_EXPORTFS_BLOCK_OPS is not set
 CONFIG_FILE_LOCKING=y
 CONFIG_MANDATORY_FILE_LOCKING=y
 CONFIG_FS_ENCRYPTION=m
@@ -8150,6 +8204,9 @@ CONFIG_ROMFS_BACKED_BY_BLOCK=y
 # CONFIG_ROMFS_BACKED_BY_BOTH is not set
 CONFIG_ROMFS_ON_BLOCK=y
 CONFIG_PSTORE=y
+CONFIG_PSTORE_ZLIB_COMPRESS=y
+# CONFIG_PSTORE_LZO_COMPRESS is not set
+# CONFIG_PSTORE_LZ4_COMPRESS is not set
 # CONFIG_PSTORE_CONSOLE is not set
 # CONFIG_PSTORE_PMSG is not set
 # CONFIG_PSTORE_FTRACE is not set
@@ -8188,6 +8245,7 @@ CONFIG_NFSD_V3_ACL=y
 CONFIG_NFSD_V4=y
 # CONFIG_NFSD_BLOCKLAYOUT is not set
 # CONFIG_NFSD_SCSILAYOUT is not set
+# CONFIG_NFSD_FLEXFILELAYOUT is not set
 CONFIG_NFSD_V4_SECURITY_LABEL=y
 # CONFIG_NFSD_FAULT_INJECTION is not set
 CONFIG_GRACE_PERIOD=m
@@ -8415,8 +8473,6 @@ CONFIG_PM_NOTIFIER_ERROR_INJECT=m
 CONFIG_NETDEV_NOTIFIER_ERROR_INJECT=m
 # CONFIG_FAULT_INJECTION is not set
 # CONFIG_LATENCYTOP is not set
-CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
-# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
 CONFIG_USER_STACKTRACE_SUPPORT=y
 CONFIG_NOP_TRACER=y
 CONFIG_HAVE_FUNCTION_TRACER=y
@@ -8561,6 +8617,10 @@ CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
 CONFIG_INTEL_TXT=y
 CONFIG_LSM_MMAP_MIN_ADDR=0
+CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
+CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
+CONFIG_HARDENED_USERCOPY=y
+# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
@@ -8581,6 +8641,7 @@ CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
 CONFIG_SECURITY_APPARMOR=y
 CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
 # CONFIG_SECURITY_LOADPIN is not set
 CONFIG_SECURITY_YAMA=y
 CONFIG_INTEGRITY=y
@@ -8640,7 +8701,11 @@ CONFIG_CRYPTO_RNG2=y
 CONFIG_CRYPTO_RNG_DEFAULT=m
 CONFIG_CRYPTO_AKCIPHER2=y
 CONFIG_CRYPTO_AKCIPHER=y
+CONFIG_CRYPTO_KPP2=y
+CONFIG_CRYPTO_KPP=m
 CONFIG_CRYPTO_RSA=y
+CONFIG_CRYPTO_DH=m
+CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_MANAGER=y
 CONFIG_CRYPTO_MANAGER2=y
 CONFIG_CRYPTO_USER=m
@@ -8705,7 +8770,8 @@ CONFIG_CRYPTO_RMD256=m
 CONFIG_CRYPTO_RMD320=m
 CONFIG_CRYPTO_SHA1=y
 CONFIG_CRYPTO_SHA256=y
-CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_SHA512=m
+CONFIG_CRYPTO_SHA3=m
 CONFIG_CRYPTO_TGR192=m
 CONFIG_CRYPTO_WP512=m
 
@@ -8750,12 +8816,12 @@ CONFIG_CRYPTO_LZ4HC=m
 # Random Number Generation
 #
 CONFIG_CRYPTO_ANSI_CPRNG=m
-CONFIG_CRYPTO_DRBG_MENU=m
+CONFIG_CRYPTO_DRBG_MENU=y
 CONFIG_CRYPTO_DRBG_HMAC=y
 CONFIG_CRYPTO_DRBG_HASH=y
 CONFIG_CRYPTO_DRBG_CTR=y
-CONFIG_CRYPTO_DRBG=m
-CONFIG_CRYPTO_JITTERENTROPY=m
+CONFIG_CRYPTO_DRBG=y
+CONFIG_CRYPTO_JITTERENTROPY=y
 CONFIG_CRYPTO_USER_API=m
 CONFIG_CRYPTO_USER_API_HASH=m
 CONFIG_CRYPTO_USER_API_SKCIPHER=m
@@ -8794,7 +8860,6 @@ CONFIG_HAVE_KVM_IRQCHIP=y
 CONFIG_HAVE_KVM_IRQFD=y
 CONFIG_HAVE_KVM_IRQ_ROUTING=y
 CONFIG_HAVE_KVM_EVENTFD=y
-CONFIG_KVM_APIC_ARCHITECTURE=y
 CONFIG_KVM_MMIO=y
 CONFIG_KVM_ASYNC_PF=y
 CONFIG_HAVE_KVM_MSI=y
@@ -8808,6 +8873,11 @@ CONFIG_KVM_INTEL=m
 CONFIG_KVM_AMD=m
 # CONFIG_KVM_MMU_AUDIT is not set
 CONFIG_KVM_DEVICE_ASSIGNMENT=y
+CONFIG_VHOST_NET=m
+CONFIG_VHOST_SCSI=m
+CONFIG_VHOST_VSOCK=m
+CONFIG_VHOST=m
+# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
 # CONFIG_LGUEST is not set
 CONFIG_BINARY_PRINTF=y
 
@@ -8826,7 +8896,7 @@ CONFIG_GENERIC_PCI_IOMAP=y
 CONFIG_GENERIC_IOMAP=y
 CONFIG_GENERIC_IO=y
 CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
-CONFIG_CRC_CCITT=m
+CONFIG_CRC_CCITT=y
 CONFIG_CRC16=y
 CONFIG_CRC_T10DIF=y
 CONFIG_CRC_ITU_T=m
diff --git a/gnu/packages/linux-libre-4.7-x86_64.conf b/gnu/packages/linux-libre-4.8-x86_64.conf
index 3571f75f9d..bbddf58861 100644
--- a/gnu/packages/linux-libre-4.7-x86_64.conf
+++ b/gnu/packages/linux-libre-4.8-x86_64.conf
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.7.0-gnu Kernel Configuration
+# Linux/x86 4.8.0-gnu Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -39,7 +39,6 @@ CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
 CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
 CONFIG_HAVE_INTEL_TXT=y
 CONFIG_X86_64_SMP=y
-CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
 CONFIG_ARCH_SUPPORTS_UPROBES=y
 CONFIG_FIX_EARLYCON_MEM=y
 CONFIG_DEBUG_RODATA=y
@@ -240,6 +239,7 @@ CONFIG_SLUB_DEBUG=y
 # CONFIG_SLAB is not set
 CONFIG_SLUB=y
 # CONFIG_SLOB is not set
+CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLUB_CPU_PARTIAL=y
 # CONFIG_SYSTEM_DATA_VERIFICATION is not set
 CONFIG_PROFILING=y
@@ -288,11 +288,15 @@ CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y
 CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y
 CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
 CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
 CONFIG_HAVE_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_NONE is not set
 # CONFIG_CC_STACKPROTECTOR_REGULAR is not set
 CONFIG_CC_STACKPROTECTOR_STRONG=y
+CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
 CONFIG_HAVE_CONTEXT_TRACKING=y
 CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
 CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
@@ -545,6 +549,7 @@ CONFIG_HWPOISON_INJECT=m
 CONFIG_TRANSPARENT_HUGEPAGE=y
 CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y
 # CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set
+CONFIG_TRANSPARENT_HUGE_PAGECACHE=y
 CONFIG_CLEANCACHE=y
 CONFIG_FRONTSWAP=y
 CONFIG_CMA=y
@@ -602,6 +607,8 @@ CONFIG_RELOCATABLE=y
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_X86_NEED_RELOCS=y
 CONFIG_PHYSICAL_ALIGN=0x1000000
+CONFIG_RANDOMIZE_MEMORY=y
+CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
 CONFIG_HOTPLUG_CPU=y
 # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
 # CONFIG_DEBUG_HOTPLUG_CPU0 is not set
@@ -659,6 +666,7 @@ CONFIG_ACPI_VIDEO=m
 CONFIG_ACPI_FAN=y
 CONFIG_ACPI_DOCK=y
 CONFIG_ACPI_CPU_FREQ_PSS=y
+CONFIG_ACPI_PROCESSOR_CSTATE=y
 CONFIG_ACPI_PROCESSOR_IDLE=y
 CONFIG_ACPI_PROCESSOR=y
 CONFIG_ACPI_IPMI=m
@@ -668,6 +676,7 @@ CONFIG_ACPI_THERMAL=y
 CONFIG_ACPI_NUMA=y
 CONFIG_ACPI_CUSTOM_DSDT_FILE=""
 # CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y
 CONFIG_ACPI_TABLE_UPGRADE=y
 # CONFIG_ACPI_DEBUG is not set
 CONFIG_ACPI_PCI_SLOT=y
@@ -690,8 +699,10 @@ CONFIG_ACPI_APEI_PCIEAER=y
 CONFIG_ACPI_APEI_MEMORY_FAILURE=y
 CONFIG_ACPI_APEI_EINJ=m
 # CONFIG_ACPI_APEI_ERST_DEBUG is not set
+CONFIG_DPTF_POWER=m
 CONFIG_ACPI_EXTLOG=m
 # CONFIG_PMIC_OPREGION is not set
+CONFIG_ACPI_CONFIGFS=m
 CONFIG_SFI=y
 
 #
@@ -767,7 +778,7 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_POWERSAVE is not set
 # CONFIG_PCIEASPM_PERFORMANCE is not set
 CONFIG_PCIE_PME=y
-CONFIG_PCIE_DPC=m
+CONFIG_PCIE_DPC=y
 CONFIG_PCI_BUS_ADDR_T_64BIT=y
 CONFIG_PCI_MSI=y
 CONFIG_PCI_MSI_IRQ_DOMAIN=y
@@ -821,6 +832,7 @@ CONFIG_RAPIDIO_DISC_TIMEOUT=30
 CONFIG_RAPIDIO_DMA_ENGINE=y
 # CONFIG_RAPIDIO_DEBUG is not set
 CONFIG_RAPIDIO_ENUM_BASIC=m
+CONFIG_RAPIDIO_CHMAN=m
 CONFIG_RAPIDIO_MPORT_CDEV=m
 
 #
@@ -830,6 +842,7 @@ CONFIG_RAPIDIO_TSI57X=m
 CONFIG_RAPIDIO_CPS_XX=m
 CONFIG_RAPIDIO_TSI568=m
 CONFIG_RAPIDIO_CPS_GEN2=m
+CONFIG_RAPIDIO_RXS_GEN3=m
 # CONFIG_X86_SYSFB is not set
 
 #
@@ -920,6 +933,7 @@ CONFIG_TCP_CONG_HTCP=m
 CONFIG_TCP_CONG_HSTCP=m
 CONFIG_TCP_CONG_HYBLA=m
 CONFIG_TCP_CONG_VEGAS=m
+CONFIG_TCP_CONG_NV=m
 CONFIG_TCP_CONG_SCALABLE=m
 CONFIG_TCP_CONG_LP=m
 CONFIG_TCP_CONG_VENO=m
@@ -1432,6 +1446,7 @@ CONFIG_NET_CLS_FLOW=m
 CONFIG_NET_CLS_CGROUP=m
 CONFIG_NET_CLS_BPF=m
 CONFIG_NET_CLS_FLOWER=m
+CONFIG_NET_CLS_MATCHALL=m
 CONFIG_NET_EMATCH=y
 CONFIG_NET_EMATCH_STACK=32
 CONFIG_NET_EMATCH_CMP=m
@@ -1475,6 +1490,8 @@ CONFIG_OPENVSWITCH_VXLAN=m
 CONFIG_OPENVSWITCH_GENEVE=m
 CONFIG_VSOCKETS=m
 CONFIG_VMWARE_VMCI_VSOCKETS=m
+CONFIG_VIRTIO_VSOCKETS=m
+CONFIG_VIRTIO_VSOCKETS_COMMON=m
 CONFIG_NETLINK_DIAG=m
 CONFIG_MPLS=y
 CONFIG_NET_MPLS_GSO=m
@@ -1483,6 +1500,7 @@ CONFIG_MPLS_IPTUNNEL=m
 CONFIG_HSR=m
 # CONFIG_NET_SWITCHDEV is not set
 CONFIG_NET_L3_MASTER_DEV=y
+CONFIG_NET_NCSI=y
 CONFIG_RPS=y
 CONFIG_RFS_ACCEL=y
 CONFIG_XPS=y
@@ -1940,6 +1958,7 @@ CONFIG_MTD_NAND_CAFE=m
 CONFIG_MTD_NAND_NANDSIM=m
 CONFIG_MTD_NAND_PLATFORM=m
 CONFIG_MTD_NAND_HISI504=m
+CONFIG_MTD_NAND_MTK=m
 CONFIG_MTD_ONENAND=m
 CONFIG_MTD_ONENAND_VERIFY_WRITE=y
 CONFIG_MTD_ONENAND_GENERIC=m
@@ -2013,7 +2032,6 @@ CONFIG_PARIDE_ON20=m
 CONFIG_PARIDE_ON26=m
 CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m
 CONFIG_ZRAM=m
-CONFIG_ZRAM_LZ4_COMPRESS=y
 CONFIG_BLK_CPQ_CISS_DA=m
 CONFIG_CISS_SCSI_TAPE=y
 CONFIG_BLK_DEV_DAC960=m
@@ -2045,6 +2063,11 @@ CONFIG_BLK_DEV_RSXX=m
 CONFIG_NVME_CORE=m
 CONFIG_BLK_DEV_NVME=m
 # CONFIG_BLK_DEV_NVME_SCSI is not set
+CONFIG_NVME_FABRICS=m
+CONFIG_NVME_RDMA=m
+CONFIG_NVME_TARGET=m
+CONFIG_NVME_TARGET_LOOP=m
+CONFIG_NVME_TARGET_RDMA=m
 
 #
 # Misc devices
@@ -2066,7 +2089,6 @@ CONFIG_APDS9802ALS=m
 CONFIG_ISL29003=m
 CONFIG_ISL29020=m
 CONFIG_SENSORS_TSL2550=m
-CONFIG_SENSORS_BH1780=m
 CONFIG_SENSORS_BH1770=m
 CONFIG_SENSORS_APDS990X=m
 CONFIG_HMC6352=m
@@ -2153,12 +2175,12 @@ CONFIG_MIC_COSM=m
 # VOP Driver
 #
 CONFIG_VOP=m
+CONFIG_VHOST_RING=m
 CONFIG_GENWQE=m
 CONFIG_GENWQE_PLATFORM_ERROR_RECOVERY=0
 CONFIG_ECHO=m
 # CONFIG_CXL_BASE is not set
-# CONFIG_CXL_KERNEL_API is not set
-# CONFIG_CXL_EEH is not set
+# CONFIG_CXL_AFU_DRIVER_OPS is not set
 CONFIG_HAVE_IDE=y
 # CONFIG_IDE is not set
 
@@ -2246,7 +2268,9 @@ CONFIG_SCSI_MPT3SAS_MAX_SGE=128
 CONFIG_SCSI_MPT2SAS=m
 CONFIG_SCSI_UFSHCD=m
 CONFIG_SCSI_UFSHCD_PCI=m
+# CONFIG_SCSI_UFS_DWC_TC_PCI is not set
 CONFIG_SCSI_UFSHCD_PLATFORM=m
+# CONFIG_SCSI_UFS_DWC_TC_PLATFORM is not set
 CONFIG_SCSI_HPTIOP=m
 CONFIG_SCSI_BUSLOGIC=m
 CONFIG_SCSI_FLASHPOINT=y
@@ -2568,11 +2592,6 @@ CONFIG_CAIF_SPI_SLAVE=m
 # CONFIG_CAIF_SPI_SYNC is not set
 CONFIG_CAIF_HSI=m
 CONFIG_CAIF_VIRTIO=m
-CONFIG_VHOST_NET=m
-CONFIG_VHOST_SCSI=m
-CONFIG_VHOST_RING=m
-CONFIG_VHOST=m
-# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
 
 #
 # Distributed Switch Architecture drivers
@@ -2618,8 +2637,6 @@ CONFIG_CNIC=m
 CONFIG_TIGON3=m
 CONFIG_BNX2X=m
 CONFIG_BNX2X_SRIOV=y
-CONFIG_BNX2X_VXLAN=y
-# CONFIG_BNX2X_GENEVE is not set
 CONFIG_BNXT=m
 CONFIG_BNXT_SRIOV=y
 CONFIG_NET_VENDOR_BROCADE=y
@@ -2635,9 +2652,9 @@ CONFIG_CHELSIO_T1_1G=y
 CONFIG_CHELSIO_T3=m
 CONFIG_CHELSIO_T4=m
 CONFIG_CHELSIO_T4_DCB=y
-CONFIG_CHELSIO_T4_UWIRE=y
 CONFIG_CHELSIO_T4_FCOE=y
 CONFIG_CHELSIO_T4VF=m
+CONFIG_CHELSIO_LIB=m
 CONFIG_NET_VENDOR_CISCO=y
 CONFIG_ENIC=m
 CONFIG_CX_ECAT=m
@@ -2662,7 +2679,6 @@ CONFIG_SUNDANCE=m
 CONFIG_NET_VENDOR_EMULEX=y
 CONFIG_BE2NET=m
 CONFIG_BE2NET_HWMON=y
-CONFIG_BE2NET_VXLAN=y
 CONFIG_NET_VENDOR_EZCHIP=y
 CONFIG_NET_VENDOR_EXAR=y
 CONFIG_S2IO=m
@@ -2683,19 +2699,15 @@ CONFIG_IGB_DCA=y
 CONFIG_IGBVF=m
 CONFIG_IXGB=m
 CONFIG_IXGBE=m
-CONFIG_IXGBE_VXLAN=y
 CONFIG_IXGBE_HWMON=y
 CONFIG_IXGBE_DCA=y
 CONFIG_IXGBE_DCB=y
 CONFIG_IXGBEVF=m
 CONFIG_I40E=m
-CONFIG_I40E_VXLAN=y
-CONFIG_I40E_GENEVE=y
 CONFIG_I40E_DCB=y
 CONFIG_I40E_FCOE=y
 CONFIG_I40EVF=m
 CONFIG_FM10K=m
-CONFIG_FM10K_VXLAN=y
 CONFIG_NET_VENDOR_I825XX=y
 CONFIG_JME=m
 CONFIG_NET_VENDOR_MARVELL=y
@@ -2709,7 +2721,6 @@ CONFIG_SKY2=m
 CONFIG_NET_VENDOR_MELLANOX=y
 CONFIG_MLX4_EN=m
 CONFIG_MLX4_EN_DCB=y
-CONFIG_MLX4_EN_VXLAN=y
 CONFIG_MLX4_CORE=m
 CONFIG_MLX4_DEBUG=y
 CONFIG_MLX5_CORE=m
@@ -2753,15 +2764,12 @@ CONFIG_QLA3XXX=m
 CONFIG_QLCNIC=m
 CONFIG_QLCNIC_SRIOV=y
 CONFIG_QLCNIC_DCB=y
-CONFIG_QLCNIC_VXLAN=y
 CONFIG_QLCNIC_HWMON=y
 CONFIG_QLGE=m
 CONFIG_NETXEN_NIC=m
 CONFIG_QED=m
 CONFIG_QED_SRIOV=y
 CONFIG_QEDE=m
-# CONFIG_QEDE_VXLAN is not set
-# CONFIG_QEDE_GENEVE is not set
 CONFIG_NET_VENDOR_QUALCOMM=y
 CONFIG_NET_VENDOR_REALTEK=y
 CONFIG_ATP=m
@@ -2831,6 +2839,7 @@ CONFIG_SKFP=m
 # CONFIG_HIPPI is not set
 CONFIG_NET_SB1000=m
 CONFIG_PHYLIB=y
+CONFIG_SWPHY=y
 
 #
 # MII PHY device drivers
@@ -2866,6 +2875,7 @@ CONFIG_MDIO_CAVIUM=m
 CONFIG_MDIO_OCTEON=m
 CONFIG_MDIO_THUNDER=m
 CONFIG_MDIO_BCM_UNIMAC=m
+CONFIG_INTEL_XWAY_PHY=m
 CONFIG_MICREL_KS8995MA=m
 CONFIG_PLIP=m
 CONFIG_PPP=y
@@ -3465,6 +3475,7 @@ CONFIG_TABLET_USB_AIPTEK=m
 CONFIG_TABLET_USB_GTCO=m
 CONFIG_TABLET_USB_HANWANG=m
 CONFIG_TABLET_USB_KBTAB=m
+CONFIG_TABLET_USB_PEGASUS=m
 CONFIG_TABLET_SERIAL_WACOM4=m
 CONFIG_INPUT_TOUCHSCREEN=y
 CONFIG_TOUCHSCREEN_PROPERTIES=y
@@ -3546,8 +3557,12 @@ CONFIG_TOUCHSCREEN_TSC2004=m
 CONFIG_TOUCHSCREEN_TSC2005=m
 CONFIG_TOUCHSCREEN_TSC2007=m
 CONFIG_TOUCHSCREEN_PCAP=m
+CONFIG_TOUCHSCREEN_RM_TS=m
+CONFIG_TOUCHSCREEN_SILEAD=m
+CONFIG_TOUCHSCREEN_SIS_I2C=m
 CONFIG_TOUCHSCREEN_ST1232=m
 CONFIG_TOUCHSCREEN_SUR40=m
+CONFIG_TOUCHSCREEN_SURFACE3_SPI=m
 CONFIG_TOUCHSCREEN_SX8654=m
 CONFIG_TOUCHSCREEN_TPS6507X=m
 CONFIG_TOUCHSCREEN_ZFORCE=m
@@ -3738,7 +3753,6 @@ CONFIG_IPMI_HANDLER=m
 # CONFIG_IPMI_PANIC_EVENT is not set
 CONFIG_IPMI_DEVICE_INTERFACE=m
 CONFIG_IPMI_SI=m
-CONFIG_IPMI_SI_PROBE_DEFAULTS=y
 CONFIG_IPMI_SSIF=m
 CONFIG_IPMI_WATCHDOG=m
 CONFIG_IPMI_POWEROFF=m
@@ -3768,7 +3782,9 @@ CONFIG_HPET_MMAP=y
 CONFIG_HPET_MMAP_DEFAULT=y
 CONFIG_HANGCHECK_TIMER=m
 CONFIG_TCG_TPM=y
+CONFIG_TCG_TIS_CORE=y
 CONFIG_TCG_TIS=y
+CONFIG_TCG_TIS_SPI=m
 CONFIG_TCG_TIS_I2C_ATMEL=m
 CONFIG_TCG_TIS_I2C_INFINEON=m
 CONFIG_TCG_TIS_I2C_NUVOTON=m
@@ -3777,6 +3793,7 @@ CONFIG_TCG_ATMEL=m
 CONFIG_TCG_INFINEON=m
 CONFIG_TCG_XEN=m
 CONFIG_TCG_CRB=m
+CONFIG_TCG_VTPM_PROXY=m
 CONFIG_TCG_TIS_ST33ZP24=m
 CONFIG_TCG_TIS_ST33ZP24_I2C=m
 CONFIG_TCG_TIS_ST33ZP24_SPI=m
@@ -3965,7 +3982,6 @@ CONFIG_PINCTRL_CHERRYVIEW=m
 CONFIG_PINCTRL_INTEL=m
 CONFIG_PINCTRL_BROXTON=m
 CONFIG_PINCTRL_SUNRISEPOINT=m
-CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
 CONFIG_GPIOLIB=y
 CONFIG_GPIO_DEVRES=y
 CONFIG_GPIO_ACPI=y
@@ -4036,7 +4052,6 @@ CONFIG_GPIO_WM8994=m
 # PCI GPIO expanders
 #
 CONFIG_GPIO_AMD8111=m
-CONFIG_GPIO_INTEL_MID=y
 CONFIG_GPIO_ML_IOH=m
 CONFIG_GPIO_RDC321X=m
 
@@ -4050,7 +4065,6 @@ CONFIG_GPIO_PISOSR=m
 #
 # SPI or I2C GPIO expanders
 #
-CONFIG_GPIO_MCP23S08=m
 
 #
 # USB GPIO expanders
@@ -4184,6 +4198,7 @@ CONFIG_SENSORS_F71882FG=m
 CONFIG_SENSORS_F75375S=m
 CONFIG_SENSORS_MC13783_ADC=m
 CONFIG_SENSORS_FSCHMD=m
+CONFIG_SENSORS_FTSTEUTATES=m
 CONFIG_SENSORS_GL518SM=m
 CONFIG_SENSORS_GL520SM=m
 CONFIG_SENSORS_G760A=m
@@ -4262,6 +4277,7 @@ CONFIG_SENSORS_UCD9200=m
 CONFIG_SENSORS_ZL6100=m
 CONFIG_SENSORS_SHT15=m
 CONFIG_SENSORS_SHT21=m
+CONFIG_SENSORS_SHT3x=m
 CONFIG_SENSORS_SHTC1=m
 CONFIG_SENSORS_SIS5595=m
 CONFIG_SENSORS_DME1737=m
@@ -4282,6 +4298,7 @@ CONFIG_SENSORS_ADS7871=m
 CONFIG_SENSORS_AMC6821=m
 CONFIG_SENSORS_INA209=m
 CONFIG_SENSORS_INA2XX=m
+CONFIG_SENSORS_INA3221=m
 CONFIG_SENSORS_TC74=m
 CONFIG_SENSORS_THMC50=m
 CONFIG_SENSORS_TMP102=m
@@ -4357,7 +4374,6 @@ CONFIG_XILINX_WATCHDOG=m
 CONFIG_ZIIRAVE_WATCHDOG=m
 CONFIG_CADENCE_WATCHDOG=m
 CONFIG_DW_WATCHDOG=m
-CONFIG_RN5T618_WATCHDOG=m
 CONFIG_TWL4030_WATCHDOG=m
 CONFIG_MAX63XX_WATCHDOG=m
 CONFIG_RETU_WATCHDOG=m
@@ -4440,6 +4456,7 @@ CONFIG_BCMA_HOST_PCI_POSSIBLE=y
 CONFIG_BCMA_HOST_PCI=y
 CONFIG_BCMA_HOST_SOC=y
 CONFIG_BCMA_DRIVER_PCI=y
+CONFIG_BCMA_SFLASH=y
 CONFIG_BCMA_DRIVER_GMAC_CMN=y
 CONFIG_BCMA_DRIVER_GPIO=y
 # CONFIG_BCMA_DEBUG is not set
@@ -4504,7 +4521,6 @@ CONFIG_MFD_RTSX_PCI=m
 CONFIG_MFD_RT5033=m
 CONFIG_MFD_RTSX_USB=m
 CONFIG_MFD_RC5T583=y
-CONFIG_MFD_RN5T618=m
 CONFIG_MFD_SEC_CORE=y
 CONFIG_MFD_SI476X_CORE=m
 CONFIG_MFD_SM501=m
@@ -4601,6 +4617,7 @@ CONFIG_REGULATOR_MC13XXX_CORE=m
 CONFIG_REGULATOR_MC13783=m
 CONFIG_REGULATOR_MC13892=m
 CONFIG_REGULATOR_MT6311=m
+CONFIG_REGULATOR_MT6323=m
 CONFIG_REGULATOR_MT6397=m
 CONFIG_REGULATOR_PALMAS=m
 CONFIG_REGULATOR_PCAP=m
@@ -4612,7 +4629,6 @@ CONFIG_REGULATOR_PV88090=m
 CONFIG_REGULATOR_PWM=m
 CONFIG_REGULATOR_QCOM_SPMI=m
 CONFIG_REGULATOR_RC5T583=m
-CONFIG_REGULATOR_RN5T618=m
 CONFIG_REGULATOR_RT5033=m
 CONFIG_REGULATOR_S2MPA01=m
 CONFIG_REGULATOR_S2MPS11=m
@@ -4647,6 +4663,7 @@ CONFIG_MEDIA_DIGITAL_TV_SUPPORT=y
 CONFIG_MEDIA_RADIO_SUPPORT=y
 CONFIG_MEDIA_SDR_SUPPORT=y
 CONFIG_MEDIA_RC_SUPPORT=y
+CONFIG_MEDIA_CEC_EDID=y
 CONFIG_MEDIA_CONTROLLER=y
 # CONFIG_MEDIA_CONTROLLER_DVB is not set
 CONFIG_VIDEO_DEV=m
@@ -5177,6 +5194,8 @@ CONFIG_DVB_M88DS3103=m
 CONFIG_DVB_DRXK=m
 CONFIG_DVB_TDA18271C2DD=m
 CONFIG_DVB_SI2165=m
+CONFIG_DVB_MN88472=m
+CONFIG_DVB_MN88473=m
 
 #
 # DVB-S (satellite) frontends
@@ -5302,6 +5321,7 @@ CONFIG_DVB_M88RS2000=m
 CONFIG_DVB_AF9033=m
 CONFIG_DVB_HORUS3A=m
 CONFIG_DVB_ASCOT2E=m
+CONFIG_DVB_HELENE=m
 
 #
 # Tools to develop new frontends
@@ -5332,7 +5352,6 @@ CONFIG_DRM_TTM=m
 #
 # I2C encoder or helper chips
 #
-CONFIG_DRM_I2C_ADV7511=m
 CONFIG_DRM_I2C_CH7006=m
 CONFIG_DRM_I2C_SIL164=m
 CONFIG_DRM_I2C_NXP_TDA998X=m
@@ -5358,6 +5377,7 @@ CONFIG_DRM_I810=m
 CONFIG_DRM_I915=m
 # CONFIG_DRM_I915_PRELIMINARY_HW_SUPPORT is not set
 CONFIG_DRM_I915_USERPTR=y
+# CONFIG_DRM_I915_GVT is not set
 
 #
 # drm/i915 Debugging
@@ -5748,6 +5768,7 @@ CONFIG_SND_SOC_TOPOLOGY=y
 CONFIG_SND_SOC_AMD_ACP=m
 CONFIG_SND_ATMEL_SOC=m
 CONFIG_SND_DESIGNWARE_I2S=m
+CONFIG_SND_DESIGNWARE_PCM=m
 
 #
 # SoC Audio for Freescale CPUs
@@ -5767,9 +5788,14 @@ CONFIG_SND_SST_MFLD_PLATFORM=m
 CONFIG_SND_SST_IPC=m
 CONFIG_SND_SST_IPC_ACPI=m
 CONFIG_SND_SOC_INTEL_SST=m
+CONFIG_SND_SOC_INTEL_SST_FIRMWARE=m
 CONFIG_SND_SOC_INTEL_SST_ACPI=m
 CONFIG_SND_SOC_INTEL_SST_MATCH=m
+CONFIG_SND_SOC_INTEL_HASWELL=m
+CONFIG_SND_SOC_INTEL_HASWELL_MACH=m
+CONFIG_SND_SOC_INTEL_BXT_DA7219_MAX98357A_MACH=m
 CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m
+CONFIG_SND_SOC_INTEL_BROADWELL_MACH=m
 CONFIG_SND_SOC_INTEL_BYTCR_RT5640_MACH=m
 CONFIG_SND_SOC_INTEL_BYTCR_RT5651_MACH=m
 CONFIG_SND_SOC_INTEL_CHT_BSW_RT5672_MACH=m
@@ -5784,6 +5810,7 @@ CONFIG_SND_SOC_INTEL_SKL_NAU88L25_MAX98357A_MACH=m
 # Allwinner SoC Audio support
 #
 CONFIG_SND_SUN4I_CODEC=m
+CONFIG_SND_SUN4I_I2S=m
 CONFIG_SND_SOC_XTFPGA_I2S=m
 CONFIG_SND_SOC_I2C_AND_SPI=m
 
@@ -5792,13 +5819,16 @@ CONFIG_SND_SOC_I2C_AND_SPI=m
 #
 CONFIG_SND_SOC_AC97_CODEC=m
 CONFIG_SND_SOC_ADAU1701=m
+CONFIG_SND_SOC_ADAU7002=m
 CONFIG_SND_SOC_AK4104=m
 CONFIG_SND_SOC_AK4554=m
 CONFIG_SND_SOC_AK4613=m
 CONFIG_SND_SOC_AK4642=m
 CONFIG_SND_SOC_AK5386=m
 CONFIG_SND_SOC_ALC5623=m
+CONFIG_SND_SOC_BT_SCO=m
 CONFIG_SND_SOC_CS35L32=m
+CONFIG_SND_SOC_CS35L33=m
 CONFIG_SND_SOC_CS42L51=m
 CONFIG_SND_SOC_CS42L51_I2C=m
 CONFIG_SND_SOC_CS42L52=m
@@ -5812,6 +5842,8 @@ CONFIG_SND_SOC_CS4271_SPI=m
 CONFIG_SND_SOC_CS42XX8=m
 CONFIG_SND_SOC_CS42XX8_I2C=m
 CONFIG_SND_SOC_CS4349=m
+CONFIG_SND_SOC_CS53L30=m
+CONFIG_SND_SOC_DA7219=m
 CONFIG_SND_SOC_DMIC=m
 CONFIG_SND_SOC_ES8328=m
 CONFIG_SND_SOC_GTM601=m
@@ -5819,6 +5851,8 @@ CONFIG_SND_SOC_HDAC_HDMI=m
 CONFIG_SND_SOC_INNO_RK3036=m
 CONFIG_SND_SOC_MAX98090=m
 CONFIG_SND_SOC_MAX98357A=m
+CONFIG_SND_SOC_MAX98504=m
+CONFIG_SND_SOC_MAX9860=m
 CONFIG_SND_SOC_PCM1681=m
 CONFIG_SND_SOC_PCM179X=m
 CONFIG_SND_SOC_PCM179X_I2C=m
@@ -5884,8 +5918,10 @@ CONFIG_SND_SOC_WM8960=m
 CONFIG_SND_SOC_WM8962=m
 CONFIG_SND_SOC_WM8974=m
 CONFIG_SND_SOC_WM8978=m
+CONFIG_SND_SOC_WM8985=m
 CONFIG_SND_SOC_NAU8825=m
 CONFIG_SND_SOC_TPA6130A2=m
+CONFIG_SND_SIMPLE_CARD_UTILS=m
 CONFIG_SND_SIMPLE_CARD=m
 # CONFIG_SOUND_PRIME is not set
 CONFIG_AC97_BUS=m
@@ -5938,6 +5974,7 @@ CONFIG_HID_ICADE=m
 CONFIG_HID_TWINHAN=m
 CONFIG_HID_KENSINGTON=m
 CONFIG_HID_LCPOWER=m
+CONFIG_HID_LED=m
 CONFIG_HID_LENOVO=m
 CONFIG_HID_LOGITECH=m
 CONFIG_HID_LOGITECH_DJ=m
@@ -5991,6 +6028,7 @@ CONFIG_ZEROPLUS_FF=y
 CONFIG_HID_ZYDACRON=m
 CONFIG_HID_SENSOR_HUB=m
 CONFIG_HID_SENSOR_CUSTOM_SENSOR=m
+CONFIG_HID_ALPS=m
 
 #
 # USB HID support
@@ -6134,7 +6172,7 @@ CONFIG_USB_DWC2_HOST=y
 #
 # Gadget/Dual-role mode requires USB Gadget support to be enabled
 #
-CONFIG_USB_DWC2_PCI=y
+CONFIG_USB_DWC2_PCI=m
 # CONFIG_USB_DWC2_DEBUG is not set
 # CONFIG_USB_DWC2_TRACK_MISSED_SOFS is not set
 CONFIG_USB_CHIPIDEA=m
@@ -6229,7 +6267,6 @@ CONFIG_USB_SEVSEG=m
 CONFIG_USB_RIO500=m
 CONFIG_USB_LEGOTOWER=m
 CONFIG_USB_LCD=m
-CONFIG_USB_LED=m
 CONFIG_USB_CYPRESS_CY7C63=m
 CONFIG_USB_CYTHERM=m
 CONFIG_USB_IDMOUSE=m
@@ -6259,7 +6296,7 @@ CONFIG_USB_XUSBATM=m
 # USB Physical Layer drivers
 #
 CONFIG_USB_PHY=y
-CONFIG_NOP_USB_XCEIV=y
+CONFIG_NOP_USB_XCEIV=m
 CONFIG_USB_GPIO_VBUS=m
 CONFIG_TAHVO_USB=m
 CONFIG_TAHVO_USB_HOST_BY_DEFAULT=y
@@ -6434,6 +6471,7 @@ CONFIG_LEDS_PCA9532=m
 CONFIG_LEDS_PCA9532_GPIO=y
 CONFIG_LEDS_GPIO=m
 CONFIG_LEDS_LP3944=m
+CONFIG_LEDS_LP3952=m
 CONFIG_LEDS_LP55XX_COMMON=m
 CONFIG_LEDS_LP5521=m
 CONFIG_LEDS_LP5523=m
@@ -6474,6 +6512,7 @@ CONFIG_LEDS_BLINKM=m
 CONFIG_LEDS_TRIGGERS=y
 CONFIG_LEDS_TRIGGER_TIMER=m
 CONFIG_LEDS_TRIGGER_ONESHOT=m
+CONFIG_LEDS_TRIGGER_DISK=y
 # CONFIG_LEDS_TRIGGER_MTD is not set
 CONFIG_LEDS_TRIGGER_HEARTBEAT=m
 CONFIG_LEDS_TRIGGER_BACKLIGHT=m
@@ -6517,6 +6556,7 @@ CONFIG_INFINIBAND_SRPT=m
 CONFIG_INFINIBAND_ISER=m
 CONFIG_INFINIBAND_ISERT=m
 CONFIG_INFINIBAND_RDMAVT=m
+CONFIG_RDMA_RXE=m
 CONFIG_INFINIBAND_HFI1=m
 # CONFIG_HFI1_DEBUG_SDMA_ORDER is not set
 CONFIG_HFI1_VERBS_31BIT_PSN=y
@@ -6542,7 +6582,9 @@ CONFIG_EDAC_I5000=m
 CONFIG_EDAC_I5100=m
 CONFIG_EDAC_I7300=m
 CONFIG_EDAC_SBRIDGE=m
+CONFIG_EDAC_SKX=m
 CONFIG_RTC_LIB=y
+CONFIG_RTC_MC146818_LIB=y
 CONFIG_RTC_CLASS=y
 CONFIG_RTC_HCTOSYS=y
 CONFIG_RTC_HCTOSYS_DEVICE="rtc0"
@@ -6614,6 +6656,7 @@ CONFIG_RTC_DRV_DS1305=m
 CONFIG_RTC_DRV_DS1343=m
 CONFIG_RTC_DRV_DS1347=m
 CONFIG_RTC_DRV_DS1390=m
+CONFIG_RTC_DRV_MAX6916=m
 CONFIG_RTC_DRV_R9701=m
 CONFIG_RTC_DRV_RX4581=m
 CONFIG_RTC_DRV_RX6110=m
@@ -6949,7 +6992,6 @@ CONFIG_ADIS16201=m
 CONFIG_ADIS16203=m
 CONFIG_ADIS16209=m
 CONFIG_ADIS16240=m
-CONFIG_LIS3L02DQ=m
 CONFIG_SCA3000=m
 
 #
@@ -7042,8 +7084,8 @@ CONFIG_SPEAKUP_SYNTH_TXPRT=m
 CONFIG_SPEAKUP_SYNTH_DUMMY=m
 CONFIG_STAGING_MEDIA=y
 CONFIG_I2C_BCM2048=m
+# CONFIG_MEDIA_CEC is not set
 CONFIG_DVB_CXD2099=m
-CONFIG_DVB_MN88472=m
 CONFIG_LIRC_STAGING=y
 CONFIG_LIRC_BT829=m
 CONFIG_LIRC_IMON=m
@@ -7127,6 +7169,7 @@ CONFIG_HDM_USB=m
 #
 # Old ISDN4Linux (deprecated)
 #
+CONFIG_KS7010=m
 CONFIG_X86_PLATFORM_DEVICES=y
 CONFIG_ACER_WMI=m
 CONFIG_ACERHDF=m
@@ -7174,6 +7217,7 @@ CONFIG_TOSHIBA_HAPS=m
 CONFIG_TOSHIBA_WMI=m
 CONFIG_ACPI_CMPC=m
 CONFIG_INTEL_HID_EVENT=m
+CONFIG_INTEL_VBTN=m
 CONFIG_INTEL_IPS=m
 CONFIG_INTEL_PMC_CORE=y
 CONFIG_IBM_RTL=m
@@ -7214,7 +7258,7 @@ CONFIG_COMMON_CLK_PALMAS=m
 CONFIG_COMMON_CLK_PWM=m
 # CONFIG_COMMON_CLK_PXA is not set
 # CONFIG_COMMON_CLK_PIC32 is not set
-# CONFIG_COMMON_CLK_OXNAS is not set
+# CONFIG_SUNXI_CCU is not set
 
 #
 # Hardware Spinlock drivers
@@ -7263,6 +7307,10 @@ CONFIG_STE_MODEM_RPROC=m
 #
 # SOC (System On Chip) specific Drivers
 #
+
+#
+# Broadcom SoC drivers
+#
 # CONFIG_SUNXI_SRAM is not set
 CONFIG_SOC_TI=y
 CONFIG_PM_DEVFREQ=y
@@ -7307,6 +7355,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_CONFIGFS=m
 CONFIG_IIO_TRIGGER=y
 CONFIG_IIO_CONSUMERS_PER_TRIGGER=2
+CONFIG_IIO_SW_DEVICE=m
 CONFIG_IIO_SW_TRIGGER=m
 CONFIG_IIO_TRIGGERED_EVENT=m
 
@@ -7314,6 +7363,7 @@ CONFIG_IIO_TRIGGERED_EVENT=m
 # Accelerometers
 #
 CONFIG_BMA180=m
+CONFIG_BMA220=m
 CONFIG_BMC150_ACCEL=m
 CONFIG_BMC150_ACCEL_I2C=m
 CONFIG_BMC150_ACCEL_SPI=m
@@ -7326,6 +7376,7 @@ CONFIG_KXCJK1013=m
 CONFIG_MMA7455=m
 CONFIG_MMA7455_I2C=m
 CONFIG_MMA7455_SPI=m
+CONFIG_MMA7660=m
 CONFIG_MMA8452=m
 CONFIG_MMA9551_CORE=m
 CONFIG_MMA9551=m
@@ -7562,12 +7613,14 @@ CONFIG_HID_SENSOR_DEVICE_ROTATION=m
 #
 CONFIG_IIO_HRTIMER_TRIGGER=m
 CONFIG_IIO_INTERRUPT_TRIGGER=m
+CONFIG_IIO_TIGHTLOOP_TRIGGER=m
 CONFIG_IIO_SYSFS_TRIGGER=m
 
 #
 # Digital potentiometers
 #
 CONFIG_DS1803=m
+CONFIG_MAX5487=m
 CONFIG_MCP4131=m
 CONFIG_MCP4531=m
 CONFIG_TPL0102=m
@@ -7637,6 +7690,7 @@ CONFIG_VME_PIO2=m
 CONFIG_PWM=y
 CONFIG_PWM_SYSFS=y
 CONFIG_PWM_CRC=y
+CONFIG_PWM_CROS_EC=m
 CONFIG_PWM_LP3943=m
 CONFIG_PWM_LPSS=m
 CONFIG_PWM_LPSS_PCI=m
@@ -7649,6 +7703,7 @@ CONFIG_IPACK_BUS=m
 CONFIG_BOARD_TPCI200=m
 CONFIG_SERIAL_IPOCTAL=m
 CONFIG_RESET_CONTROLLER=y
+CONFIG_TI_SYSCON_RESET=m
 CONFIG_FMC=m
 CONFIG_FMC_FAKEDEV=m
 CONFIG_FMC_TRIVIAL=m
@@ -7716,6 +7771,7 @@ CONFIG_FPGA_MGR_ZYNQ_FPGA=m
 #
 # Firmware Drivers
 #
+# CONFIG_ARM_SCPI_PROTOCOL is not set
 CONFIG_EDD=y
 CONFIG_EDD_OFF=y
 CONFIG_FIRMWARE_MEMMAP=y
@@ -7748,14 +7804,14 @@ CONFIG_UEFI_CPER=y
 # File systems
 #
 CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_FS_IOMAP=y
 # CONFIG_EXT2_FS is not set
 # CONFIG_EXT3_FS is not set
 CONFIG_EXT4_FS=y
 CONFIG_EXT4_USE_FOR_EXT2=y
 CONFIG_EXT4_FS_POSIX_ACL=y
 CONFIG_EXT4_FS_SECURITY=y
-CONFIG_EXT4_ENCRYPTION=m
-CONFIG_EXT4_FS_ENCRYPTION=y
+# CONFIG_EXT4_ENCRYPTION is not set
 # CONFIG_EXT4_DEBUG is not set
 CONFIG_JBD2=y
 # CONFIG_JBD2_DEBUG is not set
@@ -7798,12 +7854,13 @@ CONFIG_F2FS_FS_XATTR=y
 CONFIG_F2FS_FS_POSIX_ACL=y
 CONFIG_F2FS_FS_SECURITY=y
 # CONFIG_F2FS_CHECK_FS is not set
-CONFIG_F2FS_FS_ENCRYPTION=y
+# CONFIG_F2FS_FS_ENCRYPTION is not set
 # CONFIG_F2FS_IO_TRACE is not set
 # CONFIG_F2FS_FAULT_INJECTION is not set
 CONFIG_FS_DAX=y
 CONFIG_FS_POSIX_ACL=y
 CONFIG_EXPORTFS=y
+# CONFIG_EXPORTFS_BLOCK_OPS is not set
 CONFIG_FILE_LOCKING=y
 CONFIG_MANDATORY_FILE_LOCKING=y
 CONFIG_FS_ENCRYPTION=m
@@ -7943,6 +8000,9 @@ CONFIG_ROMFS_BACKED_BY_BLOCK=y
 # CONFIG_ROMFS_BACKED_BY_BOTH is not set
 CONFIG_ROMFS_ON_BLOCK=y
 CONFIG_PSTORE=y
+CONFIG_PSTORE_ZLIB_COMPRESS=y
+# CONFIG_PSTORE_LZO_COMPRESS is not set
+# CONFIG_PSTORE_LZ4_COMPRESS is not set
 # CONFIG_PSTORE_CONSOLE is not set
 # CONFIG_PSTORE_PMSG is not set
 # CONFIG_PSTORE_FTRACE is not set
@@ -7981,6 +8041,7 @@ CONFIG_NFSD_V3_ACL=y
 CONFIG_NFSD_V4=y
 # CONFIG_NFSD_BLOCKLAYOUT is not set
 # CONFIG_NFSD_SCSILAYOUT is not set
+# CONFIG_NFSD_FLEXFILELAYOUT is not set
 CONFIG_NFSD_V4_SECURITY_LABEL=y
 # CONFIG_NFSD_FAULT_INJECTION is not set
 CONFIG_GRACE_PERIOD=m
@@ -8212,8 +8273,6 @@ CONFIG_PM_NOTIFIER_ERROR_INJECT=m
 CONFIG_NETDEV_NOTIFIER_ERROR_INJECT=m
 # CONFIG_FAULT_INJECTION is not set
 # CONFIG_LATENCYTOP is not set
-CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
-# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
 CONFIG_USER_STACKTRACE_SUPPORT=y
 CONFIG_NOP_TRACER=y
 CONFIG_HAVE_FUNCTION_TRACER=y
@@ -8360,6 +8419,10 @@ CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
 CONFIG_INTEL_TXT=y
 CONFIG_LSM_MMAP_MIN_ADDR=0
+CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
+CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
+CONFIG_HARDENED_USERCOPY=y
+# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
@@ -8380,6 +8443,7 @@ CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
 CONFIG_SECURITY_APPARMOR=y
 CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
 # CONFIG_SECURITY_LOADPIN is not set
 CONFIG_SECURITY_YAMA=y
 CONFIG_INTEGRITY=y
@@ -8439,7 +8503,11 @@ CONFIG_CRYPTO_RNG2=y
 CONFIG_CRYPTO_RNG_DEFAULT=m
 CONFIG_CRYPTO_AKCIPHER2=y
 CONFIG_CRYPTO_AKCIPHER=y
+CONFIG_CRYPTO_KPP2=y
+CONFIG_CRYPTO_KPP=m
 CONFIG_CRYPTO_RSA=y
+CONFIG_CRYPTO_DH=m
+CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_MANAGER=y
 CONFIG_CRYPTO_MANAGER2=y
 CONFIG_CRYPTO_USER=m
@@ -8509,8 +8577,11 @@ CONFIG_CRYPTO_SHA1_SSSE3=m
 CONFIG_CRYPTO_SHA256_SSSE3=m
 CONFIG_CRYPTO_SHA512_SSSE3=m
 CONFIG_CRYPTO_SHA1_MB=m
+CONFIG_CRYPTO_SHA256_MB=m
+CONFIG_CRYPTO_SHA512_MB=m
 CONFIG_CRYPTO_SHA256=y
 CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_SHA3=m
 CONFIG_CRYPTO_TGR192=m
 CONFIG_CRYPTO_WP512=m
 CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
@@ -8568,12 +8639,12 @@ CONFIG_CRYPTO_LZ4HC=m
 # Random Number Generation
 #
 CONFIG_CRYPTO_ANSI_CPRNG=m
-CONFIG_CRYPTO_DRBG_MENU=m
+CONFIG_CRYPTO_DRBG_MENU=y
 CONFIG_CRYPTO_DRBG_HMAC=y
 CONFIG_CRYPTO_DRBG_HASH=y
 CONFIG_CRYPTO_DRBG_CTR=y
-CONFIG_CRYPTO_DRBG=m
-CONFIG_CRYPTO_JITTERENTROPY=m
+CONFIG_CRYPTO_DRBG=y
+CONFIG_CRYPTO_JITTERENTROPY=y
 CONFIG_CRYPTO_USER_API=m
 CONFIG_CRYPTO_USER_API_HASH=m
 CONFIG_CRYPTO_USER_API_SKCIPHER=m
@@ -8611,7 +8682,6 @@ CONFIG_HAVE_KVM_IRQCHIP=y
 CONFIG_HAVE_KVM_IRQFD=y
 CONFIG_HAVE_KVM_IRQ_ROUTING=y
 CONFIG_HAVE_KVM_EVENTFD=y
-CONFIG_KVM_APIC_ARCHITECTURE=y
 CONFIG_KVM_MMIO=y
 CONFIG_KVM_ASYNC_PF=y
 CONFIG_HAVE_KVM_MSI=y
@@ -8626,6 +8696,11 @@ CONFIG_KVM_INTEL=m
 CONFIG_KVM_AMD=m
 # CONFIG_KVM_MMU_AUDIT is not set
 CONFIG_KVM_DEVICE_ASSIGNMENT=y
+CONFIG_VHOST_NET=m
+CONFIG_VHOST_SCSI=m
+CONFIG_VHOST_VSOCK=m
+CONFIG_VHOST=m
+# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
 CONFIG_BINARY_PRINTF=y
 
 #
@@ -8644,7 +8719,7 @@ CONFIG_GENERIC_IOMAP=y
 CONFIG_GENERIC_IO=y
 CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
 CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
-CONFIG_CRC_CCITT=m
+CONFIG_CRC_CCITT=y
 CONFIG_CRC16=y
 CONFIG_CRC_T10DIF=y
 CONFIG_CRC_ITU_T=m
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index c6de8fa651..b77ca774b4 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -321,8 +321,8 @@ It has been modified to remove all non-free binary blobs.")
 (define %intel-compatible-systems '("x86_64-linux" "i686-linux"))
 
 (define-public linux-libre
-  (make-linux-libre "4.7.6"
-                    "0716lpzq3w2pdc0nrrx06gqzdfzhkrjq7g37v4ws9wjlzak8hkvy"
+  (make-linux-libre "4.8"
+                    "0fnax2qb597zg2gchab9n9fn7551vccmqfcvq5k3ckz24y50yknm"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
@@ -617,7 +617,11 @@ slabtop, and skill.")
     (native-inputs `(("pkg-config" ,pkg-config)
                      ("texinfo" ,texinfo)))     ;for the libext2fs Info manual
     (arguments
-     '(;; util-linux is the preferred source for some of the libraries and
+     '(;; Parallel building reliably yields a failure like this:
+       ;; "make[2]: *** No rule to make target '../lib/libss.so', needed by
+       ;; 'debugfs'.  Stop."
+       #:parallel-build? #f
+       ;; util-linux is the preferred source for some of the libraries and
        ;; commands, so disable them (see, e.g.,
        ;; <http://git.buildroot.net/buildroot/commit/?id=e1ffc2f791b33633>.)
        #:configure-flags '("--disable-libblkid"
@@ -2595,7 +2599,7 @@ and copy/paste text in the console and in xterm.")
 (define-public btrfs-progs
   (package
     (name "btrfs-progs")
-    (version "4.7.3")
+    (version "4.8")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://kernel.org/linux/kernel/"
@@ -2603,7 +2607,7 @@ and copy/paste text in the console and in xterm.")
                                   "btrfs-progs-v" version ".tar.xz"))
               (sha256
                (base32
-                "073pvx8vz6rkw2d8mm1m60b3i8743pc712pasvydbgm8wl66zkch"))))
+                "06v6fqr0rl1bqg87ndi5fjh3l59v7yvimlg3abr4jc3wxw8hmdg6"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "static"))      ; static versions of binaries in "out" (~16MiB!)
diff --git a/gnu/packages/lisp.scm b/gnu/packages/lisp.scm
index 439433a22b..2e50897594 100644
--- a/gnu/packages/lisp.scm
+++ b/gnu/packages/lisp.scm
@@ -443,50 +443,6 @@ interface.")
     (license (list license:lgpl2.1
                    license:clarified-artistic)))) ;TRIVIAL-LDAP package
 
-(define-public lispf4
-  (let ((commit "174d8764d2f9764e8f4794c2e3feada9f9c1f1ba"))
-    (package
-      (name "lispf4")
-      (version (string-append "0.0.0-1" "-"
-                              (string-take commit 7)))
-      (source (origin
-                (method git-fetch)
-                (uri (git-reference
-                      (url "https://github.com/blakemcbride/LISPF4.git")
-                      (commit commit)))
-                (file-name (string-append name "-" version "-checkout"))
-                (sha256
-                 (base32
-                  "18k8kfn30za637y4bfbm9x3vv4psa3q8f7bi9h4h0qlb8rz8m92c"))))
-      (build-system gnu-build-system)
-      ;; 80 MB appended Documentation -> output:doc
-      (outputs '("out" "doc"))
-      (arguments
-       `(#:make-flags
-         '("-f" "Makefile.unx" "CC=gcc")
-         #:tests? #f ; No 'check phase
-         #:phases
-         (modify-phases %standard-phases
-           (delete 'configure)
-           (replace 'install
-            (lambda* (#:key outputs #:allow-other-keys)
-              (let* ((out (assoc-ref outputs "out"))
-                     (bin (string-append out "/bin"))
-                     (doc (string-append (assoc-ref outputs "doc")
-                                         "/share/doc/lispf4")))
-                (install-file "lispf4" bin)
-                (install-file "SYSATOMS" bin)
-                (install-file "BASIC.IMG" bin)
-                (copy-recursively "Documentation" doc))
-                #t)))))
-      (synopsis "InterLisp interpreter")
-      (description
-       "LISPF4 is an InterLisp interpreter written in FORTRAN by Mats Nordstrom
-in the early 80's.  It was converted to C by Blake McBride and supports much of
-the InterLisp Standard.")
-      (home-page "https://github.com/blakemcbride/LISPF4.git")
-      (license license:expat))))
-
 (define-public femtolisp
   (let ((commit "68c5b1225572ecf2c52baf62f928063e5a30511b")
         (revision "1"))
diff --git a/gnu/packages/machine-learning.scm b/gnu/packages/machine-learning.scm
index 7fd0a26d0d..c239c4f00f 100644
--- a/gnu/packages/machine-learning.scm
+++ b/gnu/packages/machine-learning.scm
@@ -134,20 +134,25 @@ classification.")
                   "0qbq1rqp94l530f043qzp8aw5lj7dng9wq0miffd7spd1ff638wq"))))
       (build-system gnu-build-system)
       (arguments
-       `(#:phases
+       `(#:imported-modules (,@%gnu-build-system-modules
+                             (guix build python-build-system))
+         #:phases
          (modify-phases %standard-phases
            (add-after 'unpack 'enter-dir
              (lambda _ (chdir "ghmm") #t))
-           (add-after 'enter-dir 'fix-PYTHONPATH
-             (lambda* (#:key outputs #:allow-other-keys)
-               ;; The Python tests fail as the library is assumed to be stored
-               ;; in ./build/lib.linux-i686-*.  To fix this we detect the CPU
-               ;; and use it in the path.
-               (substitute* "configure.in"
-                 (("AM_INIT_AUTOMAKE" line)
-                  (string-append line "\nAC_CANONICAL_HOST\n")))
-               (substitute* "ghmmwrapper/Makefile.am"
-                 (("i686") "@host_cpu@"))
+           (delete 'check)
+           (add-after 'install 'check
+             (assoc-ref %standard-phases 'check))
+           (add-before 'check 'fix-PYTHONPATH
+             (lambda* (#:key inputs outputs #:allow-other-keys)
+               (let ((python-version ((@@ (guix build python-build-system)
+                                           get-python-version)
+                                      (assoc-ref inputs "python"))))
+                 (setenv "PYTHONPATH"
+                         (string-append (getenv "PYTHONPATH")
+                                        ":" (assoc-ref outputs "out")
+                                        "/lib/python" python-version
+                                        "/site-packages")))
                #t))
            (add-after 'enter-dir 'fix-runpath
              (lambda* (#:key outputs #:allow-other-keys)
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index eafb501508..3bb2a386b0 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -185,15 +185,15 @@ semiconductors.")
 (define-public gsl
   (package
     (name "gsl")
-    (version "2.1")
-    (source
-     (origin
-      (method url-fetch)
-      (uri (string-append "mirror://gnu/gsl/gsl-"
-                          version ".tar.gz"))
-      (sha256
-       (base32
-        "0rhcia9jhr3p1f1wybwyllwqfs9bggz99i3mi5lpyqcpff1hdbar"))))
+    (version "2.2.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnu/gsl/gsl-"
+                                  version ".tar.gz"))
+              (sha256
+               (base32
+                "095hp01d8lkqdvv0p1k25kvbisgfdmvx1rzpyc2i8kl2n33kvlhk"))
+              (patches (search-patches "gsl-test-i686.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:parallel-tests? #f))
@@ -442,7 +442,7 @@ from one map projection to another.  The GCTP is the standard computer
 software used by the National Mapping Division for map projection
 computations.")
     (home-page "https://github.com/OkoSanto/GCTP")
-    (license 'license:public-domain))) ; https://www2.usgs.gov/laws/info_policies.html
+    (license license:public-domain))) ;https://www2.usgs.gov/laws/info_policies.html
 
 (define-public hdf5
   (package
@@ -2629,3 +2629,37 @@ the same amount of space as the original point representation.  This is useful
 when using the Gilbert curve as a space filling curve through a
 high-dimensional space where not all demensions have the same cardinality.")
     (license license:lgpl2.1+)))
+
+(define-public vc
+  (package
+    (name "vc")
+    (version "1.2.0")
+    (source
+      (origin (method url-fetch)
+              (uri (string-append "https://github.com/VcDevel/Vc/releases/"
+                                  "download/" version "/Vc-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1rh6dhqar3y07n4xqyml0sa0v48qv3ch9dc3yc2in855hlh4vnqi"))))
+    (build-system cmake-build-system)
+    (arguments
+     '(#:configure-flags
+       '("-DBUILD_TESTING=ON")))
+    (synopsis "SIMD vector classes for C++")
+    (description "Vc provides portable, zero-overhead C++ types for explicitly
+data-parallel programming.  It is a library designed to ease explicit
+vectorization of C++ code.  Its types enable explicitly stating data-parallel
+operations on multiple values.  The parallelism is therefore added via the type
+system.  Vc has an intuitive API and provides portability between different
+compilers and compiler versions as well as portability between different vector
+instruction sets.  Thus, an application written with Vc can be compiled for:
+@enumerate
+@item AVX and AVX2
+@item SSE2 upto SSE4.2 or SSE4a
+@item Scalar
+@item MIC
+@item NEON (in development)
+@item NVIDIA GPUs / CUDA (in development)
+@end enumerate\n")
+    (home-page "https://github.com/VcDevel/Vc")
+    (license license:bsd-3)))
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 058221ac02..34515f1d22 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -154,7 +154,7 @@
                        ;; incompatible .go files as reported at
                        ;; <https://lists.gnu.org/archive/html/guix-devel/2016-03/msg01261.html>.
                        (wrap-program (string-append out "/bin/guix")
-                         `("GUILE_LOAD_PATH" ":" = (,path))
+                         `("GUILE_LOAD_PATH" ":" prefix (,path))
                          `("GUILE_LOAD_COMPILED_PATH" ":" = (,path)))
 
                        #t))))))
diff --git a/gnu/packages/parallel.scm b/gnu/packages/parallel.scm
index b49ec1f8c1..3a0d4aa564 100644
--- a/gnu/packages/parallel.scm
+++ b/gnu/packages/parallel.scm
@@ -45,7 +45,7 @@
 (define-public parallel
   (package
     (name "parallel")
-    (version "20160822")
+    (version "20160922")
     (source
      (origin
       (method url-fetch)
@@ -53,7 +53,7 @@
                           version ".tar.bz2"))
       (sha256
        (base32
-        "1qdb7889w7v5amd0z4qg3v4hia0wj5vjly9qvm5lm5nlxg8bfrwq"))))
+        "157q17v2vkjwccx9s2pxqip46gvwhfq4v9ar0l1ghgmpxggksvyq"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/patches/cpio-gets-undeclared.patch b/gnu/packages/patches/cpio-gets-undeclared.patch
deleted file mode 100644
index bc34de6455..0000000000
--- a/gnu/packages/patches/cpio-gets-undeclared.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-This patch is needed to allow builds with newer versions of
-the GNU libc (2.16+).
-
-The upstream fix was:
-
-  commit 66712c23388e93e5c518ebc8515140fa0c807348
-  Author: Eric Blake <eblake@redhat.com>
-  Date:   Thu Mar 29 13:30:41 2012 -0600
-
-      stdio: don't assume gets any more
-
-      Gnulib intentionally does not have a gets module, and now that C11
-      and glibc have dropped it, we should be more proactive about warning
-      any user on a platform that still has a declaration of this dangerous
-      interface.
-
-      * m4/stdio_h.m4 (gl_STDIO_H, gl_STDIO_H_DEFAULTS): Drop gets
-      support.
-      * modules/stdio (Makefile.am): Likewise.
-      * lib/stdio-read.c (gets): Likewise.
-      * tests/test-stdio-c++.cc: Likewise.
-      * m4/warn-on-use.m4 (gl_WARN_ON_USE_PREPARE): Fix comment.
-      * lib/stdio.in.h (gets): Make warning occur in more places.
-      * doc/posix-functions/gets.texi (gets): Update documentation.
-      Reported by Christer Solskogen.
-
-      Signed-off-by: Eric Blake <eblake@redhat.com>
-
-This patch just gets rid of the offending part.
-
---- cpio-2.11/gnu/stdio.in.h-orig	2012-11-25 22:17:06.000000000 +0400
-+++ cpio-2.11/gnu/stdio.in.h		2012-11-25 22:18:36.000000000 +0400
-@@ -135,12 +135,6 @@
-                  "use gnulib module fflush for portable POSIX compliance");
- #endif
- 
--/* It is very rare that the developer ever has full control of stdin,
--   so any use of gets warrants an unconditional warning.  Assume it is
--   always declared, since it is required by C89.  */
--#undef gets
--_GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
--
- #if @GNULIB_FOPEN@
- # if @REPLACE_FOPEN@
- #  if !(defined __cplusplus && defined GNULIB_NAMESPACE)
diff --git a/gnu/packages/patches/gsl-test-i686.patch b/gnu/packages/patches/gsl-test-i686.patch
new file mode 100644
index 0000000000..8828c08614
--- /dev/null
+++ b/gnu/packages/patches/gsl-test-i686.patch
@@ -0,0 +1,17 @@
+Work around a test failure due to a rounding issue on 32-bit
+platforms, as reported at:
+
+  https://lists.gnu.org/archive/html/bug-gsl/2016-10/msg00000.html
+
+--- gsl-2.2.1/linalg/test.c	2016-10-05 13:27:42.464059730 +0200
++++ gsl-2.2.1/linalg/test.c	2016-10-05 13:27:46.988095882 +0200
+@@ -4843,9 +4843,6 @@ main(void)
+   gsl_test(test_cholesky_decomp_unit(),  "Cholesky Decomposition [unit triangular]");
+   gsl_test(test_cholesky_solve(),        "Cholesky Solve");
+ 
+-  gsl_test(test_cholesky_decomp(r),      "Cholesky Decomposition");
+-  gsl_test(test_cholesky_invert(r),      "Cholesky Inverse");
+-  gsl_test(test_pcholesky_decomp(r),     "Pivoted Cholesky Decomposition");
+   gsl_test(test_pcholesky_solve(r),      "Pivoted Cholesky Solve");
+   gsl_test(test_pcholesky_invert(r),     "Pivoted Cholesky Inverse");
+   gsl_test(test_mcholesky_decomp(r),     "Modified Cholesky Decomposition");
diff --git a/gnu/packages/patches/libx11-CVE-2016-7942.patch b/gnu/packages/patches/libx11-CVE-2016-7942.patch
new file mode 100644
index 0000000000..75770235ef
--- /dev/null
+++ b/gnu/packages/patches/libx11-CVE-2016-7942.patch
@@ -0,0 +1,76 @@
+Fix CVE-2016-7942:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17
+
+From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:25:25 +0200
+Subject: [PATCH] Validation of server responses in XGetImage()
+
+Check if enough bytes were received for specified image type and
+geometry. Otherwise GetPixel and other functions could trigger an
+out of boundary read later on.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/GetImage.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/src/GetImage.c b/src/GetImage.c
+index c461abc..ff32d58 100644
+--- a/src/GetImage.c
++++ b/src/GetImage.c
+@@ -59,6 +59,7 @@ XImage *XGetImage (
+ 	char *data;
+ 	unsigned long nbytes;
+ 	XImage *image;
++	int planes;
+ 	LockDisplay(dpy);
+ 	GetReq (GetImage, req);
+ 	/*
+@@ -91,18 +92,28 @@ XImage *XGetImage (
+ 	    return (XImage *) NULL;
+ 	}
+         _XReadPad (dpy, data, nbytes);
+-        if (format == XYPixmap)
+-	   image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+-		  Ones (plane_mask &
+-			(((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
+-		  format, 0, data, width, height, dpy->bitmap_pad, 0);
+-	else /* format == ZPixmap */
+-           image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+-		 rep.depth, ZPixmap, 0, data, width, height,
+-		  _XGetScanlinePad(dpy, (int) rep.depth), 0);
++        if (format == XYPixmap) {
++	    image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
++		Ones (plane_mask &
++		    (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
++		format, 0, data, width, height, dpy->bitmap_pad, 0);
++	    planes = image->depth;
++	} else { /* format == ZPixmap */
++            image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
++		rep.depth, ZPixmap, 0, data, width, height,
++		    _XGetScanlinePad(dpy, (int) rep.depth), 0);
++	    planes = 1;
++	}
+ 
+ 	if (!image)
+ 	    Xfree(data);
++	if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
++	    INT_MAX / image->height <= image->bytes_per_line ||
++	    INT_MAX / planes <= image->height * image->bytes_per_line ||
++	    nbytes < planes * image->height * image->bytes_per_line) {
++	    XDestroyImage(image);
++	    image = NULL;
++	}
+ 	UnlockDisplay(dpy);
+ 	SyncHandle();
+ 	return (image);
+-- 
+2.10.1
+
diff --git a/gnu/packages/patches/libx11-CVE-2016-7943.patch b/gnu/packages/patches/libx11-CVE-2016-7943.patch
new file mode 100644
index 0000000000..7bcbc58dd4
--- /dev/null
+++ b/gnu/packages/patches/libx11-CVE-2016-7943.patch
@@ -0,0 +1,113 @@
+Fix CVE-2016-7943:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7943.
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9
+
+From 8c29f1607a31dac0911e45a0dd3d74173822b3c9 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:22:57 +0200
+Subject: [PATCH] The validation of server responses avoids out of boundary
+ accesses.
+
+v2: FontNames.c  return a NULL list whenever a single
+length field from the server is incohent.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/FontNames.c | 23 +++++++++++++++++------
+ src/ListExt.c   | 12 ++++++++----
+ src/ModMap.c    |  3 ++-
+ 3 files changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/src/FontNames.c b/src/FontNames.c
+index 21dcafe..e55f338 100644
+--- a/src/FontNames.c
++++ b/src/FontNames.c
+@@ -66,7 +66,7 @@ int *actualCount)	/* RETURN */
+ 
+     if (rep.nFonts) {
+ 	flist = Xmalloc (rep.nFonts * sizeof(char *));
+-	if (rep.length < (INT_MAX >> 2)) {
++	if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
+ 	    rlen = rep.length << 2;
+ 	    ch = Xmalloc(rlen + 1);
+ 	    /* +1 to leave room for last null-terminator */
+@@ -93,11 +93,22 @@ int *actualCount)	/* RETURN */
+ 	    if (ch + length < chend) {
+ 		flist[i] = ch + 1;  /* skip over length */
+ 		ch += length + 1;  /* find next length ... */
+-		length = *(unsigned char *)ch;
+-		*ch = '\0';  /* and replace with null-termination */
+-		count++;
+-	    } else
+-		flist[i] = NULL;
++		if (ch <= chend) {
++		    length = *(unsigned char *)ch;
++		    *ch = '\0';  /* and replace with null-termination */
++		    count++;
++		} else {
++                    Xfree(flist);
++                    flist = NULL;
++                    count = 0;
++                    break;
++		}
++	    } else {
++                Xfree(flist);
++                flist = NULL;
++                count = 0;
++                break;
++            }
+ 	}
+     }
+     *actualCount = count;
+diff --git a/src/ListExt.c b/src/ListExt.c
+index be6b989..0516e45 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -55,7 +55,7 @@ char **XListExtensions(
+ 
+ 	if (rep.nExtensions) {
+ 	    list = Xmalloc (rep.nExtensions * sizeof (char *));
+-	    if (rep.length < (INT_MAX >> 2)) {
++	    if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
+ 		rlen = rep.length << 2;
+ 		ch = Xmalloc (rlen + 1);
+                 /* +1 to leave room for last null-terminator */
+@@ -80,9 +80,13 @@ char **XListExtensions(
+ 		if (ch + length < chend) {
+ 		    list[i] = ch+1;  /* skip over length */
+ 		    ch += length + 1; /* find next length ... */
+-		    length = *ch;
+-		    *ch = '\0'; /* and replace with null-termination */
+-		    count++;
++		    if (ch <= chend) {
++			length = *ch;
++			*ch = '\0'; /* and replace with null-termination */
++			count++;
++		    } else {
++			list[i] = NULL;
++		    }
+ 		} else
+ 		    list[i] = NULL;
+ 	    }
+diff --git a/src/ModMap.c b/src/ModMap.c
+index a809aa2..49a5d08 100644
+--- a/src/ModMap.c
++++ b/src/ModMap.c
+@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy)
+     GetEmptyReq(GetModifierMapping, req);
+     (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
+ 
+-    if (rep.length < (INT_MAX >> 2)) {
++    if (rep.length < (INT_MAX >> 2) &&
++	(rep.length >> 1) == rep.numKeyPerModifier) {
+ 	nbytes = (unsigned long)rep.length << 2;
+ 	res = Xmalloc(sizeof (XModifierKeymap));
+ 	if (res)
+-- 
+2.10.1
+
diff --git a/gnu/packages/patches/libxfixes-CVE-2016-7944.patch b/gnu/packages/patches/libxfixes-CVE-2016-7944.patch
new file mode 100644
index 0000000000..2ce463fc46
--- /dev/null
+++ b/gnu/packages/patches/libxfixes-CVE-2016-7944.patch
@@ -0,0 +1,62 @@
+Fix CVE-2016-7944:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e
+
+From 61c1039ee23a2d1de712843bed3480654d7ef42e Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 22:38:44 +0200
+Subject: [PATCH] Integer overflow on illegal server response
+
+The 32 bit field "rep.length" is not checked for validity, which allows
+an integer overflow on 32 bit systems.
+
+A malicious server could send INT_MAX as length, which gets multiplied
+by the size of XRectangle. In that case the client won't read the whole
+data from server, getting out of sync.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/Region.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/Region.c b/src/Region.c
+index cb0cf6e..59bcc1a 100644
+--- a/src/Region.c
++++ b/src/Region.c
+@@ -23,6 +23,7 @@
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include "Xfixesint.h"
+ 
+ XserverRegion
+@@ -333,9 +334,17 @@ XFixesFetchRegionAndBounds (Display	    *dpy,
+     bounds->y = rep.y;
+     bounds->width = rep.width;
+     bounds->height = rep.height;
+-    nbytes = (long) rep.length << 2;
+-    nrects = rep.length >> 1;
+-    rects = Xmalloc (nrects * sizeof (XRectangle));
++
++    if (rep.length < (INT_MAX >> 2)) {
++	nbytes = (long) rep.length << 2;
++	nrects = rep.length >> 1;
++	rects = Xmalloc (nrects * sizeof (XRectangle));
++    } else {
++	nbytes = 0;
++	nrects = 0;
++	rects = NULL;
++    }
++
+     if (!rects)
+     {
+ 	_XEatDataWords(dpy, rep.length);
+-- 
+2.10.1
+
diff --git a/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch b/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch
new file mode 100644
index 0000000000..ca899e34c0
--- /dev/null
+++ b/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch
@@ -0,0 +1,420 @@
+Fix CVE-2016-7945:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7945
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xorg/lib/libXi/commit/?id=19a9cd607de73947fcfb104682f203ffe4e1f4e5
+
+From 19a9cd607de73947fcfb104682f203ffe4e1f4e5 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 22:31:34 +0200
+Subject: [PATCH] Properly validate server responses.
+
+By validating length fields from server responses, out of boundary
+accesses and endless loops can be mitigated.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/XGMotion.c      |  3 ++-
+ src/XGetBMap.c      |  3 ++-
+ src/XGetDCtl.c      |  6 ++++--
+ src/XGetFCtl.c      |  7 ++++++-
+ src/XGetKMap.c      | 14 +++++++++++---
+ src/XGetMMap.c      | 11 +++++++++--
+ src/XIQueryDevice.c | 36 ++++++++++++++++++++++++++++++++++--
+ src/XListDev.c      | 21 +++++++++++++++------
+ src/XOpenDev.c      | 13 ++++++++++---
+ src/XQueryDv.c      |  8 ++++++--
+ 10 files changed, 99 insertions(+), 23 deletions(-)
+
+diff --git a/src/XGMotion.c b/src/XGMotion.c
+index 7785843..9433e29 100644
+--- a/src/XGMotion.c
++++ b/src/XGMotion.c
+@@ -114,7 +114,8 @@ XGetDeviceMotionEvents(
+     }
+     /* rep.axes is a CARD8, so assume max number of axes for bounds check */
+     if (rep.nEvents <
+-	(INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) {
++	(INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int)))) &&
++	rep.nEvents * (rep.axes + 1) <= rep.length) {
+ 	size_t bsize = rep.nEvents *
+ 	    (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
+ 	bufp = Xmalloc(bsize);
+diff --git a/src/XGetBMap.c b/src/XGetBMap.c
+index 002daba..13bb8c6 100644
+--- a/src/XGetBMap.c
++++ b/src/XGetBMap.c
+@@ -92,7 +92,8 @@ XGetDeviceButtonMapping(
+ 
+     status = _XReply(dpy, (xReply *) & rep, 0, xFalse);
+     if (status == 1) {
+-	if (rep.length <= (sizeof(mapping) >> 2)) {
++	if (rep.length <= (sizeof(mapping) >> 2) &&
++	    rep.nElts <= (rep.length << 2)) {
+ 	    unsigned long nbytes = rep.length << 2;
+ 	    _XRead(dpy, (char *)mapping, nbytes);
+ 
+diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c
+index c5d3b53..7f6b396 100644
+--- a/src/XGetDCtl.c
++++ b/src/XGetDCtl.c
+@@ -93,7 +93,8 @@ XGetDeviceControl(
+     if (rep.length > 0) {
+ 	unsigned long nbytes;
+ 	size_t size = 0;
+-	if (rep.length < (INT_MAX >> 2)) {
++	if (rep.length < (INT_MAX >> 2) &&
++	    (rep.length << 2) >= sizeof(xDeviceState)) {
+ 	    nbytes = (unsigned long) rep.length << 2;
+ 	    d = Xmalloc(nbytes);
+ 	}
+@@ -117,7 +118,8 @@ XGetDeviceControl(
+ 	    size_t val_size;
+ 
+ 	    r = (xDeviceResolutionState *) d;
+-	    if (r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
++	    if (sizeof(xDeviceResolutionState) > nbytes ||
++		r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
+ 		goto out;
+ 	    val_size = 3 * sizeof(int) * r->num_valuators;
+ 	    if ((sizeof(xDeviceResolutionState) + val_size) > nbytes)
+diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c
+index 7fd6d0e..82dcc64 100644
+--- a/src/XGetFCtl.c
++++ b/src/XGetFCtl.c
+@@ -73,6 +73,7 @@ XGetFeedbackControl(
+     XFeedbackState *Sav = NULL;
+     xFeedbackState *f = NULL;
+     xFeedbackState *sav = NULL;
++    char *end = NULL;
+     xGetFeedbackControlReq *req;
+     xGetFeedbackControlReply rep;
+     XExtDisplayInfo *info = XInput_find_display(dpy);
+@@ -105,10 +106,12 @@ XGetFeedbackControl(
+ 	    goto out;
+ 	}
+ 	sav = f;
++	end = (char *)f + nbytes;
+ 	_XRead(dpy, (char *)f, nbytes);
+ 
+ 	for (i = 0; i < *num_feedbacks; i++) {
+-	    if (f->length > nbytes)
++	    if ((char *)f + sizeof(*f) > end ||
++	        f->length == 0 || f->length > nbytes)
+ 		goto out;
+ 	    nbytes -= f->length;
+ 
+@@ -125,6 +128,8 @@ XGetFeedbackControl(
+ 	    case StringFeedbackClass:
+ 	    {
+ 		xStringFeedbackState *strf = (xStringFeedbackState *) f;
++		if ((char *)f + sizeof(*strf) > end)
++		    goto out;
+ 		size += sizeof(XStringFeedbackState) +
+ 		    (strf->num_syms_supported * sizeof(KeySym));
+ 	    }
+diff --git a/src/XGetKMap.c b/src/XGetKMap.c
+index 0540ce4..008a72b 100644
+--- a/src/XGetKMap.c
++++ b/src/XGetKMap.c
+@@ -54,6 +54,7 @@ SOFTWARE.
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <X11/extensions/XI.h>
+ #include <X11/extensions/XIproto.h>
+ #include <X11/Xlibint.h>
+@@ -93,9 +94,16 @@ XGetDeviceKeyMapping(register Display * dpy, XDevice * dev,
+ 	return (KeySym *) NULL;
+     }
+     if (rep.length > 0) {
+-	*syms_per_code = rep.keySymsPerKeyCode;
+-	nbytes = (long)rep.length << 2;
+-	mapping = (KeySym *) Xmalloc((unsigned)nbytes);
++	if (rep.length < INT_MAX >> 2 &&
++	    rep.length == rep.keySymsPerKeyCode * keycount) {
++	    *syms_per_code = rep.keySymsPerKeyCode;
++	    nbytes = (long)rep.length << 2;
++	    mapping = (KeySym *) Xmalloc((unsigned)nbytes);
++	} else {
++	    *syms_per_code = 0;
++	    nbytes = 0;
++	    mapping = NULL;
++	}
+ 	if (mapping)
+ 	    _XRead(dpy, (char *)mapping, nbytes);
+ 	else
+diff --git a/src/XGetMMap.c b/src/XGetMMap.c
+index 246698c..33c114f 100644
+--- a/src/XGetMMap.c
++++ b/src/XGetMMap.c
+@@ -53,6 +53,7 @@ SOFTWARE.
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <X11/extensions/XI.h>
+ #include <X11/extensions/XIproto.h>
+ #include <X11/Xlibint.h>
+@@ -85,8 +86,14 @@ XGetDeviceModifierMapping(
+ 	SyncHandle();
+ 	return (XModifierKeymap *) NULL;
+     }
+-    nbytes = (unsigned long)rep.length << 2;
+-    res = (XModifierKeymap *) Xmalloc(sizeof(XModifierKeymap));
++    if (rep.length < (INT_MAX >> 2) &&
++	rep.numKeyPerModifier == rep.length >> 1) {
++	nbytes = (unsigned long)rep.length << 2;
++	res = (XModifierKeymap *) Xmalloc(sizeof(XModifierKeymap));
++    } else {
++	nbytes = 0;
++	res = NULL;
++    }
+     if (res) {
+ 	res->modifiermap = (KeyCode *) Xmalloc(nbytes);
+ 	if (res->modifiermap)
+diff --git a/src/XIQueryDevice.c b/src/XIQueryDevice.c
+index fb8504f..a457cd6 100644
+--- a/src/XIQueryDevice.c
++++ b/src/XIQueryDevice.c
+@@ -26,6 +26,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <stdint.h>
+ #include <X11/Xlibint.h>
+ #include <X11/extensions/XI2proto.h>
+@@ -43,6 +44,7 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
+     xXIQueryDeviceReq   *req;
+     xXIQueryDeviceReply reply;
+     char                *ptr;
++    char                *end;
+     int                 i;
+     char                *buf;
+ 
+@@ -60,14 +62,24 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
+     if (!_XReply(dpy, (xReply*) &reply, 0, xFalse))
+         goto error;
+ 
+-    *ndevices_return = reply.num_devices;
+-    info = Xmalloc((reply.num_devices + 1) * sizeof(XIDeviceInfo));
++    if (reply.length < INT_MAX / 4)
++    {
++	*ndevices_return = reply.num_devices;
++	info = Xmalloc((reply.num_devices + 1) * sizeof(XIDeviceInfo));
++    }
++    else
++    {
++	*ndevices_return = 0;
++	info = NULL;
++    }
++
+     if (!info)
+         goto error;
+ 
+     buf = Xmalloc(reply.length * 4);
+     _XRead(dpy, buf, reply.length * 4);
+     ptr = buf;
++    end = buf + reply.length * 4;
+ 
+     /* info is a null-terminated array */
+     info[reply.num_devices].name = NULL;
+@@ -79,6 +91,9 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
+         XIDeviceInfo    *lib = &info[i];
+         xXIDeviceInfo   *wire = (xXIDeviceInfo*)ptr;
+ 
++        if (ptr + sizeof(xXIDeviceInfo) > end)
++            goto error_loop;
++
+         lib->deviceid    = wire->deviceid;
+         lib->use         = wire->use;
+         lib->attachment  = wire->attachment;
+@@ -87,12 +102,23 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
+ 
+         ptr += sizeof(xXIDeviceInfo);
+ 
++        if (ptr + wire->name_len > end)
++            goto error_loop;
++
+         lib->name = Xcalloc(wire->name_len + 1, 1);
++        if (lib->name == NULL)
++            goto error_loop;
+         strncpy(lib->name, ptr, wire->name_len);
++        lib->name[wire->name_len] = '\0';
+         ptr += ((wire->name_len + 3)/4) * 4;
+ 
+         sz = size_classes((xXIAnyInfo*)ptr, nclasses);
+         lib->classes = Xmalloc(sz);
++        if (lib->classes == NULL)
++        {
++            Xfree(lib->name);
++            goto error_loop;
++        }
+         ptr += copy_classes(lib, (xXIAnyInfo*)ptr, &nclasses);
+         /* We skip over unused classes */
+         lib->num_classes = nclasses;
+@@ -103,6 +129,12 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
+     SyncHandle();
+     return info;
+ 
++error_loop:
++    while (--i >= 0)
++    {
++        Xfree(info[i].name);
++        Xfree(info[i].classes);
++    }
+ error:
+     UnlockDisplay(dpy);
+ error_unlocked:
+diff --git a/src/XListDev.c b/src/XListDev.c
+index b85ff3c..f850cd0 100644
+--- a/src/XListDev.c
++++ b/src/XListDev.c
+@@ -74,7 +74,7 @@ static int pad_to_xid(int base_size)
+ }
+ 
+ static size_t
+-SizeClassInfo(xAnyClassPtr *any, int num_classes)
++SizeClassInfo(xAnyClassPtr *any, size_t len, int num_classes)
+ {
+     int size = 0;
+     int j;
+@@ -90,6 +90,8 @@ SizeClassInfo(xAnyClassPtr *any, int num_classes)
+                 {
+                     xValuatorInfoPtr v;
+ 
++                    if (len < sizeof(v))
++                        return 0;
+                     v = (xValuatorInfoPtr) *any;
+                     size += pad_to_xid(sizeof(XValuatorInfo) +
+                         (v->num_axes * sizeof(XAxisInfo)));
+@@ -98,6 +100,8 @@ SizeClassInfo(xAnyClassPtr *any, int num_classes)
+             default:
+                 break;
+         }
++        if ((*any)->length > len)
++            return 0;
+         *any = (xAnyClassPtr) ((char *)(*any) + (*any)->length);
+     }
+ 
+@@ -170,7 +174,7 @@ XListInputDevices(
+     register Display	*dpy,
+     int			*ndevices)
+ {
+-    size_t size;
++    size_t s, size;
+     xListInputDevicesReq *req;
+     xListInputDevicesReply rep;
+     xDeviceInfo *list, *slist = NULL;
+@@ -178,6 +182,7 @@ XListInputDevices(
+     XDeviceInfo *clist = NULL;
+     xAnyClassPtr any, sav_any;
+     XAnyClassPtr Any;
++    char *end = NULL;
+     unsigned char *nptr, *Nptr;
+     int i;
+     unsigned long rlen;
+@@ -213,16 +218,20 @@ XListInputDevices(
+ 
+ 	any = (xAnyClassPtr) ((char *)list + (*ndevices * sizeof(xDeviceInfo)));
+ 	sav_any = any;
++	end = (char *)list + rlen;
+ 	for (i = 0; i < *ndevices; i++, list++) {
+-            size += SizeClassInfo(&any, (int)list->num_classes);
++            s = SizeClassInfo(&any, end - (char *)any, (int)list->num_classes);
++            if (!s)
++                goto out;
++            size += s;
+ 	}
+ 
+-	Nptr = ((unsigned char *)list) + rlen + 1;
++	Nptr = ((unsigned char *)list) + rlen;
+ 	for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) {
++	    if (nptr >= Nptr)
++		goto out;
+ 	    size += *nptr + 1;
+ 	    nptr += (*nptr + 1);
+-	    if (nptr > Nptr)
+-		goto out;
+ 	}
+ 
+ 	clist = (XDeviceInfoPtr) Xmalloc(size);
+diff --git a/src/XOpenDev.c b/src/XOpenDev.c
+index 029dec2..4b3c460 100644
+--- a/src/XOpenDev.c
++++ b/src/XOpenDev.c
+@@ -53,6 +53,7 @@ SOFTWARE.
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <X11/extensions/XI.h>
+ #include <X11/extensions/XIproto.h>
+ #include <X11/Xlibint.h>
+@@ -86,9 +87,15 @@ XOpenDevice(
+ 	return (XDevice *) NULL;
+     }
+ 
+-    rlen = rep.length << 2;
+-    dev = (XDevice *) Xmalloc(sizeof(XDevice) + rep.num_classes *
+-			      sizeof(XInputClassInfo));
++    if (rep.length < INT_MAX >> 2 &&
++	(rep.length << 2) >= rep.num_classes * sizeof(xInputClassInfo)) {
++	rlen = rep.length << 2;
++	dev = (XDevice *) Xmalloc(sizeof(XDevice) + rep.num_classes *
++				  sizeof(XInputClassInfo));
++    } else {
++	rlen = 0;
++	dev = NULL;
++    }
+     if (dev) {
+ 	int dlen;	/* data length */
+ 
+diff --git a/src/XQueryDv.c b/src/XQueryDv.c
+index de1c0e5..7ee2272 100644
+--- a/src/XQueryDv.c
++++ b/src/XQueryDv.c
+@@ -73,7 +73,7 @@ XQueryDeviceState(
+     xQueryDeviceStateReply rep;
+     XDeviceState *state = NULL;
+     XInputClass *any, *Any;
+-    char *data = NULL;
++    char *data = NULL, *end = NULL;
+     XExtDisplayInfo *info = XInput_find_display(dpy);
+ 
+     LockDisplay(dpy);
+@@ -92,6 +92,7 @@ XQueryDeviceState(
+ 	if (rep.length < (INT_MAX >> 2)) {
+ 	    rlen = (unsigned long) rep.length << 2;
+ 	    data = Xmalloc(rlen);
++	    end = data + rlen;
+ 	}
+ 	if (!data) {
+ 	    _XEatDataWords(dpy, rep.length);
+@@ -100,7 +101,8 @@ XQueryDeviceState(
+ 	_XRead(dpy, data, rlen);
+ 
+ 	for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) {
+-	    if (any->length > rlen)
++	    if ((char *)any + sizeof(XInputClass) > end ||
++		any->length == 0 || any->length > rlen)
+ 		goto out;
+ 	    rlen -= any->length;
+ 
+@@ -114,6 +116,8 @@ XQueryDeviceState(
+ 	    case ValuatorClass:
+ 	    {
+ 		xValuatorState *v = (xValuatorState *) any;
++		if ((char *)any + sizeof(xValuatorState) > end)
++		    goto out;
+ 		size += (sizeof(XValuatorState) +
+ 			 (v->num_valuators * sizeof(int)));
+ 	    }
+-- 
+2.10.1
+
diff --git a/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch b/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch
new file mode 100644
index 0000000000..ece8b18309
--- /dev/null
+++ b/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch
@@ -0,0 +1,447 @@
+Fix CVE-2016-7947 and CVE-2016-7948.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6
+
+From a0df3e1c7728205e5c7650b2e6dce684139254a6 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 22:21:40 +0200
+Subject: [PATCH] Avoid out of boundary accesses on illegal responses
+
+The responses of the connected X server have to be properly checked
+to avoid out of boundary accesses that could otherwise be triggered
+by a malicious server.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/XrrConfig.c   | 32 +++++++++++++--------
+ src/XrrCrtc.c     | 83 ++++++++++++++++++++++++++++++++++++++++++-------------
+ src/XrrMonitor.c  | 18 ++++++++++++
+ src/XrrOutput.c   | 11 ++++++++
+ src/XrrProvider.c | 28 ++++++++++++++++---
+ src/XrrScreen.c   | 52 ++++++++++++++++++++++------------
+ 6 files changed, 172 insertions(+), 52 deletions(-)
+
+diff --git a/src/XrrConfig.c b/src/XrrConfig.c
+index 2f0282b..e68c45a 100644
+--- a/src/XrrConfig.c
++++ b/src/XrrConfig.c
+@@ -29,6 +29,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -272,23 +273,30 @@ static XRRScreenConfiguration *_XRRGetScreenInfo (Display *dpy,
+ 	rep.rate = 0;
+ 	rep.nrateEnts = 0;
+     }
++    if (rep.length < INT_MAX >> 2) {
++	nbytes = (long) rep.length << 2;
+ 
+-    nbytes = (long) rep.length << 2;
++	nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
++			    ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */);
+ 
+-    nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
+-			 ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */);
++	/*
++	 * first we must compute how much space to allocate for
++	 * randr library's use; we'll allocate the structures in a single
++	 * allocation, on cleanlyness grounds.
++	 */
+ 
+-    /*
+-     * first we must compute how much space to allocate for
+-     * randr library's use; we'll allocate the structures in a single
+-     * allocation, on cleanlyness grounds.
+-     */
++	rbytes = sizeof (XRRScreenConfiguration) +
++	  (rep.nSizes * sizeof (XRRScreenSize) +
++	   rep.nrateEnts * sizeof (int));
+ 
+-    rbytes = sizeof (XRRScreenConfiguration) +
+-      (rep.nSizes * sizeof (XRRScreenSize) +
+-       rep.nrateEnts * sizeof (int));
++	scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
++    } else {
++	nbytes = 0;
++	nbytesRead = 0;
++	rbytes = 0;
++	scp = NULL;
++    }
+ 
+-    scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
+     if (scp == NULL) {
+ 	_XEatData (dpy, (unsigned long) nbytes);
+ 	return NULL;
+diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c
+index 5ae35c5..6665092 100644
+--- a/src/XrrCrtc.c
++++ b/src/XrrCrtc.c
+@@ -24,6 +24,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -57,22 +58,33 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc)
+ 	return NULL;
+     }
+ 
+-    nbytes = (long) rep.length << 2;
++    if (rep.length < INT_MAX >> 2)
++    {
++	nbytes = (long) rep.length << 2;
+ 
+-    nbytesRead = (long) (rep.nOutput * 4 +
+-			 rep.nPossibleOutput * 4);
++	nbytesRead = (long) (rep.nOutput * 4 +
++			     rep.nPossibleOutput * 4);
+ 
+-    /*
+-     * first we must compute how much space to allocate for
+-     * randr library's use; we'll allocate the structures in a single
+-     * allocation, on cleanlyness grounds.
+-     */
++	/*
++	 * first we must compute how much space to allocate for
++	 * randr library's use; we'll allocate the structures in a single
++	 * allocation, on cleanlyness grounds.
++	 */
+ 
+-    rbytes = (sizeof (XRRCrtcInfo) +
+-	      rep.nOutput * sizeof (RROutput) +
+-	      rep.nPossibleOutput * sizeof (RROutput));
++	rbytes = (sizeof (XRRCrtcInfo) +
++		  rep.nOutput * sizeof (RROutput) +
++		  rep.nPossibleOutput * sizeof (RROutput));
++
++	xci = (XRRCrtcInfo *) Xmalloc(rbytes);
++    }
++    else
++    {
++	nbytes = 0;
++	nbytesRead = 0;
++	rbytes = 0;
++	xci = NULL;
++    }
+ 
+-    xci = (XRRCrtcInfo *) Xmalloc(rbytes);
+     if (xci == NULL) {
+ 	_XEatDataWords (dpy, rep.length);
+ 	UnlockDisplay (dpy);
+@@ -194,12 +206,21 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc)
+     if (!_XReply (dpy, (xReply *) &rep, 0, xFalse))
+ 	goto out;
+ 
+-    nbytes = (long) rep.length << 2;
++    if (rep.length < INT_MAX >> 2)
++    {
++	nbytes = (long) rep.length << 2;
+ 
+-    /* three channels of CARD16 data */
+-    nbytesRead = (rep.size * 2 * 3);
++	/* three channels of CARD16 data */
++	nbytesRead = (rep.size * 2 * 3);
+ 
+-    crtc_gamma = XRRAllocGamma (rep.size);
++	crtc_gamma = XRRAllocGamma (rep.size);
++    }
++    else
++    {
++	nbytes = 0;
++	nbytesRead = 0;
++	crtc_gamma = NULL;
++    }
+ 
+     if (!crtc_gamma)
+     {
+@@ -357,7 +378,7 @@ XRRGetCrtcTransform (Display	*dpy,
+     xRRGetCrtcTransformReq	*req;
+     int				major_version, minor_version;
+     XRRCrtcTransformAttributes	*attr;
+-    char			*extra = NULL, *e;
++    char			*extra = NULL, *end = NULL, *e;
+     int				p;
+ 
+     *attributes = NULL;
+@@ -395,9 +416,17 @@ XRRGetCrtcTransform (Display	*dpy,
+ 	else
+ 	{
+ 	    int extraBytes = rep.length * 4 - CrtcTransformExtra;
+-	    extra = Xmalloc (extraBytes);
++	    if (rep.length < INT_MAX / 4 &&
++		rep.length * 4 >= CrtcTransformExtra) {
++		extra = Xmalloc (extraBytes);
++		end = extra + extraBytes;
++	    } else
++		extra = NULL;
+ 	    if (!extra) {
+-		_XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
++		if (rep.length > (CrtcTransformExtra >> 2))
++		    _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
++		else
++		    _XEatDataWords (dpy, rep.length);
+ 		UnlockDisplay (dpy);
+ 		SyncHandle ();
+ 		return False;
+@@ -429,22 +458,38 @@ XRRGetCrtcTransform (Display	*dpy,
+ 
+     e = extra;
+ 
++    if (e + rep.pendingNbytesFilter > end) {
++	XFree (extra);
++	return False;
++    }
+     memcpy (attr->pendingFilter, e, rep.pendingNbytesFilter);
+     attr->pendingFilter[rep.pendingNbytesFilter] = '\0';
+     e += (rep.pendingNbytesFilter + 3) & ~3;
+     for (p = 0; p < rep.pendingNparamsFilter; p++) {
+ 	INT32	f;
++	if (e + 4 > end) {
++	    XFree (extra);
++	    return False;
++	}
+ 	memcpy (&f, e, 4);
+ 	e += 4;
+ 	attr->pendingParams[p] = (XFixed) f;
+     }
+     attr->pendingNparams = rep.pendingNparamsFilter;
+ 
++    if (e + rep.currentNbytesFilter > end) {
++	XFree (extra);
++	return False;
++    }
+     memcpy (attr->currentFilter, e, rep.currentNbytesFilter);
+     attr->currentFilter[rep.currentNbytesFilter] = '\0';
+     e += (rep.currentNbytesFilter + 3) & ~3;
+     for (p = 0; p < rep.currentNparamsFilter; p++) {
+ 	INT32	f;
++	if (e + 4 > end) {
++	    XFree (extra);
++	    return False;
++	}
+ 	memcpy (&f, e, 4);
+ 	e += 4;
+ 	attr->currentParams[p] = (XFixed) f;
+diff --git a/src/XrrMonitor.c b/src/XrrMonitor.c
+index a9eaa7b..adc5330 100644
+--- a/src/XrrMonitor.c
++++ b/src/XrrMonitor.c
+@@ -24,6 +24,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -65,6 +66,15 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
+ 	return NULL;
+     }
+ 
++    if (rep.length > INT_MAX >> 2 ||
++	rep.nmonitors > INT_MAX / SIZEOF(xRRMonitorInfo) ||
++	rep.noutputs > INT_MAX / 4 ||
++	rep.nmonitors * SIZEOF(xRRMonitorInfo) > INT_MAX - rep.noutputs * 4) {
++	_XEatData (dpy, rep.length);
++	UnlockDisplay (dpy);
++	SyncHandle ();
++	return NULL;
++    }
+     nbytes = (long) rep.length << 2;
+     nmon = rep.nmonitors;
+     noutput = rep.noutputs;
+@@ -111,6 +121,14 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
+ 	    mon[m].outputs = output;
+ 	    buf += SIZEOF (xRRMonitorInfo);
+ 	    xoutput = (CARD32 *) buf;
++	    if (xmon->noutput > rep.noutputs) {
++	        Xfree(buf);
++	        Xfree(mon);
++	        UnlockDisplay (dpy);
++	        SyncHandle ();
++	        return NULL;
++	    }
++	    rep.noutputs -= xmon->noutput;
+ 	    for (o = 0; o < xmon->noutput; o++)
+ 		output[o] = xoutput[o];
+ 	    output += xmon->noutput;
+diff --git a/src/XrrOutput.c b/src/XrrOutput.c
+index 85f0b6e..30f3d40 100644
+--- a/src/XrrOutput.c
++++ b/src/XrrOutput.c
+@@ -25,6 +25,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -60,6 +61,16 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output)
+ 	return NULL;
+     }
+ 
++    if (rep.length > INT_MAX >> 2 || rep.length < (OutputInfoExtra >> 2))
++    {
++        if (rep.length > (OutputInfoExtra >> 2))
++	    _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
++	else
++	    _XEatDataWords (dpy, rep.length);
++	UnlockDisplay (dpy);
++	SyncHandle ();
++	return NULL;
++    }
+     nbytes = ((long) (rep.length) << 2) - OutputInfoExtra;
+ 
+     nbytesRead = (long) (rep.nCrtcs * 4 +
+diff --git a/src/XrrProvider.c b/src/XrrProvider.c
+index 9e620c7..d796cd0 100644
+--- a/src/XrrProvider.c
++++ b/src/XrrProvider.c
+@@ -25,6 +25,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -59,12 +60,20 @@ XRRGetProviderResources(Display *dpy, Window window)
+       return NULL;
+     }
+ 
+-    nbytes = (long) rep.length << 2;
++    if (rep.length < INT_MAX >> 2) {
++	nbytes = (long) rep.length << 2;
+ 
+-    nbytesRead = (long) (rep.nProviders * 4);
++	nbytesRead = (long) (rep.nProviders * 4);
+ 
+-    rbytes = (sizeof(XRRProviderResources) + rep.nProviders * sizeof(RRProvider));
+-    xrpr = (XRRProviderResources *) Xmalloc(rbytes);
++	rbytes = (sizeof(XRRProviderResources) + rep.nProviders *
++		  sizeof(RRProvider));
++	xrpr = (XRRProviderResources *) Xmalloc(rbytes);
++    } else {
++	nbytes = 0;
++	nbytesRead = 0;
++	rbytes = 0;
++	xrpr = NULL;
++    }
+ 
+     if (xrpr == NULL) {
+        _XEatDataWords (dpy, rep.length);
+@@ -121,6 +130,17 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
+ 	return NULL;
+     }
+ 
++    if (rep.length > INT_MAX >> 2 || rep.length < ProviderInfoExtra >> 2)
++    {
++	if (rep.length < ProviderInfoExtra >> 2)
++	    _XEatDataWords (dpy, rep.length);
++	else
++	    _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2));
++	UnlockDisplay (dpy);
++	SyncHandle ();
++	return NULL;
++    }
++
+     nbytes = ((long) rep.length << 2) - ProviderInfoExtra;
+ 
+     nbytesRead = (long)(rep.nCrtcs * 4 +
+diff --git a/src/XrrScreen.c b/src/XrrScreen.c
+index b8ce7e5..1f7ffe6 100644
+--- a/src/XrrScreen.c
++++ b/src/XrrScreen.c
+@@ -24,6 +24,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -105,27 +106,36 @@ doGetScreenResources (Display *dpy, Window window, int poll)
+ 	xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version);
+     }
+ 
+-    nbytes = (long) rep.length << 2;
++    if (rep.length < INT_MAX >> 2) {
++	nbytes = (long) rep.length << 2;
+ 
+-    nbytesRead = (long) (rep.nCrtcs * 4 +
+-			 rep.nOutputs * 4 +
+-			 rep.nModes * SIZEOF (xRRModeInfo) +
+-			 ((rep.nbytesNames + 3) & ~3));
++	nbytesRead = (long) (rep.nCrtcs * 4 +
++			     rep.nOutputs * 4 +
++			     rep.nModes * SIZEOF (xRRModeInfo) +
++			     ((rep.nbytesNames + 3) & ~3));
+ 
+-    /*
+-     * first we must compute how much space to allocate for
+-     * randr library's use; we'll allocate the structures in a single
+-     * allocation, on cleanlyness grounds.
+-     */
++	/*
++	 * first we must compute how much space to allocate for
++	 * randr library's use; we'll allocate the structures in a single
++	 * allocation, on cleanlyness grounds.
++	 */
++
++	rbytes = (sizeof (XRRScreenResources) +
++		  rep.nCrtcs * sizeof (RRCrtc) +
++		  rep.nOutputs * sizeof (RROutput) +
++		  rep.nModes * sizeof (XRRModeInfo) +
++		  rep.nbytesNames + rep.nModes);    /* '\0' terminate names */
+ 
+-    rbytes = (sizeof (XRRScreenResources) +
+-	      rep.nCrtcs * sizeof (RRCrtc) +
+-	      rep.nOutputs * sizeof (RROutput) +
+-	      rep.nModes * sizeof (XRRModeInfo) +
+-	      rep.nbytesNames + rep.nModes);	/* '\0' terminate names */
++	xrsr = (XRRScreenResources *) Xmalloc(rbytes);
++	wire_names = (char *) Xmalloc (rep.nbytesNames);
++    } else {
++	nbytes = 0;
++	nbytesRead = 0;
++	rbytes = 0;
++	xrsr = NULL;
++	wire_names = NULL;
++    }
+ 
+-    xrsr = (XRRScreenResources *) Xmalloc(rbytes);
+-    wire_names = (char *) Xmalloc (rep.nbytesNames);
+     if (xrsr == NULL || wire_names == NULL) {
+ 	Xfree (xrsr);
+ 	Xfree (wire_names);
+@@ -174,6 +184,14 @@ doGetScreenResources (Display *dpy, Window window, int poll)
+     wire_name = wire_names;
+     for (i = 0; i < rep.nModes; i++)  {
+ 	xrsr->modes[i].name = names;
++	if (xrsr->modes[i].nameLength > rep.nbytesNames) {
++	    Xfree (xrsr);
++	    Xfree (wire_names);
++	    UnlockDisplay (dpy);
++	    SyncHandle ();
++	    return NULL;
++	}
++	rep.nbytesNames -= xrsr->modes[i].nameLength;
+ 	memcpy (names, wire_name, xrsr->modes[i].nameLength);
+ 	names[xrsr->modes[i].nameLength] = '\0';
+ 	names += xrsr->modes[i].nameLength + 1;
+-- 
+2.10.1
+
diff --git a/gnu/packages/patches/libxrender-CVE-2016-7949.patch b/gnu/packages/patches/libxrender-CVE-2016-7949.patch
new file mode 100644
index 0000000000..3a2be4ea8e
--- /dev/null
+++ b/gnu/packages/patches/libxrender-CVE-2016-7949.patch
@@ -0,0 +1,66 @@
+Fix CVE-2016-7949:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7949
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4
+
+From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:43:09 +0200
+Subject: [PATCH] Validate lengths while parsing server data.
+
+Individual lengths inside received server data can overflow
+the previously reserved memory.
+
+It is therefore important to validate every single length
+field to not overflow the previously agreed sum of all invidual
+length fields.
+
+v2: consume remaining bytes in the reply buffer on error.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb@laas.fr
+---
+ src/Xrender.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/Xrender.c b/src/Xrender.c
+index 3102eb2..71cf3e6 100644
+--- a/src/Xrender.c
++++ b/src/Xrender.c
+@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
+ 	screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
+ 	screen->subpixel = SubPixelUnknown;
+ 	xDepth = (xPictDepth *) (xScreen + 1);
++	if (screen->ndepths > rep.numDepths) {
++	    Xfree (xri);
++	    Xfree (xData);
++	    _XEatDataWords (dpy, rep.length);
++	    UnlockDisplay (dpy);
++	    SyncHandle ();
++	    return 0;
++	}
++	rep.numDepths -= screen->ndepths;
+ 	for (nd = 0; nd < screen->ndepths; nd++)
+ 	{
+ 	    depth->depth = xDepth->depth;
+ 	    depth->nvisuals = xDepth->nPictVisuals;
+ 	    depth->visuals = visual;
+ 	    xVisual = (xPictVisual *) (xDepth + 1);
++	    if (depth->nvisuals > rep.numVisuals) {
++		Xfree (xri);
++		Xfree (xData);
++		_XEatDataWords (dpy, rep.length);
++		UnlockDisplay (dpy);
++		SyncHandle ();
++		return 0;
++	    }
++	    rep.numVisuals -= depth->nvisuals;
+ 	    for (nv = 0; nv < depth->nvisuals; nv++)
+ 	    {
+ 		visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
+-- 
+2.10.1
+
diff --git a/gnu/packages/patches/libxrender-CVE-2016-7950.patch b/gnu/packages/patches/libxrender-CVE-2016-7950.patch
new file mode 100644
index 0000000000..1a64b6e724
--- /dev/null
+++ b/gnu/packages/patches/libxrender-CVE-2016-7950.patch
@@ -0,0 +1,73 @@
+Fix CVE-2016-7950:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7950
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714
+
+From 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:42:09 +0200
+Subject: [PATCH] Avoid OOB write in XRenderQueryFilters
+
+The memory for filter names is reserved right after receiving the reply.
+After that, filters are iterated and each individual filter name is
+stored in that reserved memory.
+
+The individual name lengths are not checked for validity, which means
+that a malicious server can reserve less memory than it will write to
+during each iteration.
+
+v2: consume remaining bytes in reply buffer on error.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/Filter.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/Filter.c b/src/Filter.c
+index edfa572..8d701eb 100644
+--- a/src/Filter.c
++++ b/src/Filter.c
+@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
+     char			*name;
+     char			len;
+     int				i;
+-    unsigned long		nbytes, nbytesAlias, nbytesName;
++    unsigned long		nbytes, nbytesAlias, nbytesName, reply_left;
+ 
+     if (!RenderHasExtension (info))
+ 	return NULL;
+@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
+      * Read the filter aliases
+      */
+     _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
++    reply_left = 8 + rep.length - 2 * rep.numAliases;;
+ 
+     /*
+      * Read the filter names
+@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
+     {
+ 	int	l;
+ 	_XRead (dpy, &len, 1);
++	reply_left--;
+ 	l = len & 0xff;
++	if ((unsigned long)l + 1 > nbytesName) {
++            _XEatDataWords(dpy, reply_left);
++	    Xfree(filters);
++	    UnlockDisplay (dpy);
++	    SyncHandle ();
++	    return NULL;
++	}
++	nbytesName -= l + 1;
+ 	filters->filter[i] = name;
+ 	_XRead (dpy, name, l);
++        reply_left -= l;
+ 	name[l] = '\0';
+ 	name += l + 1;
+     }
+-- 
+2.10.1
+
diff --git a/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch b/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch
new file mode 100644
index 0000000000..9df6cf3f4d
--- /dev/null
+++ b/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch
@@ -0,0 +1,152 @@
+Fix CVE-2016-7951 and CVE-2016-7952
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7951
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7952
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xorg/lib/libXtst/commit/?id=9556ad67af3129ec4a7a4f4b54a0d59701beeae3
+
+From 9556ad67af3129ec4a7a4f4b54a0d59701beeae3 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:37:01 +0200
+Subject: [PATCH] Out of boundary access and endless loop in libXtst
+
+A lack of range checks in libXtst allows out of boundary accesses.
+The checks have to be done in-place here, because it cannot be done
+without in-depth knowledge of the read data.
+
+If XRecordStartOfData, XRecordEndOfData, or XRecordClientDied
+without a client sequence have attached data, an endless loop would
+occur. The do-while-loop continues until the current index reaches
+the end. But in these cases, the current index would not be
+incremented, leading to an endless processing.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/XRecord.c | 43 +++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 39 insertions(+), 4 deletions(-)
+
+diff --git a/src/XRecord.c b/src/XRecord.c
+index 50420c0..fefd842 100644
+--- a/src/XRecord.c
++++ b/src/XRecord.c
+@@ -749,15 +749,23 @@ parse_reply_call_callback(
+ 	switch (rep->category) {
+ 	case XRecordFromServer:
+ 	    if (rep->elementHeader&XRecordFromServerTime) {
++		if (current_index + 4 > rep->length << 2)
++		    return Error;
+ 		EXTRACT_CARD32(rep->clientSwapped,
+ 			       reply->buf+current_index,
+ 			       data->server_time);
+ 		current_index += 4;
+ 	    }
++	    if (current_index + 1 > rep->length << 2)
++		return Error;
+ 	    switch (reply->buf[current_index]) {
+ 	    case X_Reply: /* reply */
++		if (current_index + 8 > rep->length << 2)
++		    return Error;
+ 		EXTRACT_CARD32(rep->clientSwapped,
+ 			       reply->buf+current_index+4, datum_bytes);
++		if (datum_bytes < 0 || datum_bytes > ((INT_MAX >> 2) - 8))
++		    return Error;
+ 		datum_bytes = (datum_bytes+8) << 2;
+ 		break;
+ 	    default: /* error or event */
+@@ -766,52 +774,73 @@ parse_reply_call_callback(
+ 	    break;
+ 	case XRecordFromClient:
+ 	    if (rep->elementHeader&XRecordFromClientTime) {
++		if (current_index + 4 > rep->length << 2)
++		    return Error;
+ 		EXTRACT_CARD32(rep->clientSwapped,
+ 			       reply->buf+current_index,
+ 			       data->server_time);
+ 		current_index += 4;
+ 	    }
+ 	    if (rep->elementHeader&XRecordFromClientSequence) {
++		if (current_index + 4 > rep->length << 2)
++		    return Error;
+ 		EXTRACT_CARD32(rep->clientSwapped,
+ 			       reply->buf+current_index,
+ 			       data->client_seq);
+ 		current_index += 4;
+ 	    }
++	    if (current_index + 4 > rep->length<<2)
++		return Error;
+ 	    if (reply->buf[current_index+2] == 0
+ 		&& reply->buf[current_index+3] == 0) /* needn't swap 0 */
+ 	    {	/* BIG-REQUESTS */
++		if (current_index + 8 > rep->length << 2)
++		    return Error;
+ 		EXTRACT_CARD32(rep->clientSwapped,
+ 			       reply->buf+current_index+4, datum_bytes);
+ 	    } else {
+ 		EXTRACT_CARD16(rep->clientSwapped,
+ 			       reply->buf+current_index+2, datum_bytes);
+ 	    }
++	    if (datum_bytes < 0 || datum_bytes > INT_MAX >> 2)
++		return Error;
+ 	    datum_bytes <<= 2;
+ 	    break;
+ 	case XRecordClientStarted:
++	    if (current_index + 8 > rep->length << 2)
++		return Error;
+ 	    EXTRACT_CARD16(rep->clientSwapped,
+ 			   reply->buf+current_index+6, datum_bytes);
+ 	    datum_bytes = (datum_bytes+2) << 2;
+ 	    break;
+ 	case XRecordClientDied:
+ 	    if (rep->elementHeader&XRecordFromClientSequence) {
++		if (current_index + 4 > rep->length << 2)
++		    return Error;
+ 		EXTRACT_CARD32(rep->clientSwapped,
+ 			       reply->buf+current_index,
+ 			       data->client_seq);
+ 		current_index += 4;
+-	    }
+-	    /* fall through */
++	    } else if (current_index < rep->length << 2)
++		return Error;
++	    datum_bytes = 0;
++	    break;
+ 	case XRecordStartOfData:
+ 	case XRecordEndOfData:
++	    if (current_index < rep->length << 2)
++		return Error;
+ 	    datum_bytes = 0;
++	    break;
+ 	}
+ 
+ 	if (datum_bytes > 0) {
+-	    if (current_index + datum_bytes > rep->length << 2)
++	    if (INT_MAX - datum_bytes < (rep->length << 2) - current_index) {
+ 		fprintf(stderr,
+ 			"XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n",
+-			(long)rep->length << 2, current_index + datum_bytes,
++			(unsigned long)rep->length << 2, current_index + datum_bytes,
+ 			dpy->last_request_read);
++		return Error;
++	    }
+ 	    /*
+ 	     * This assignment (and indeed the whole buffer sharing
+ 	     * scheme) assumes arbitrary 4-byte boundaries are
+@@ -863,6 +892,12 @@ XRecordEnableContext(Display *dpy, XRecordContext context,
+ 	    return 0;
+ 	}
+ 
++	if (rep.length > INT_MAX >> 2) {
++	    UnlockDisplay(dpy);
++	    SyncHandle();
++	    return 0;
++	}
++
+ 	if (rep.length > 0) {
+ 	    reply = alloc_reply_buffer(info, rep.length<<2);
+ 	    if (!reply) {
+-- 
+2.10.1
+
diff --git a/gnu/packages/patches/libxv-CVE-2016-5407.patch b/gnu/packages/patches/libxv-CVE-2016-5407.patch
new file mode 100644
index 0000000000..e6a76c9f70
--- /dev/null
+++ b/gnu/packages/patches/libxv-CVE-2016-5407.patch
@@ -0,0 +1,162 @@
+Fix CVE-2016-5407:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5407
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17
+
+From d9da580b46a28ab497de2e94fdc7b9ff953dab17 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:30:03 +0200
+Subject: [PATCH] Protocol handling issues in libXv - CVE-2016-5407
+
+The Xv query functions for adaptors and encodings suffer from out of
+boundary accesses if a hostile X server sends a maliciously crafted
+response.
+
+A previous fix already checks the received length against fixed values
+but ignores additional length specifications which are stored inside
+the received data.
+
+These lengths are accessed in a for-loop. The easiest way to guarantee
+a correct processing is by validating all lengths against the
+remaining size left before accessing referenced memory.
+
+This makes the previously applied check obsolete, therefore I removed
+it.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/Xv.c | 46 +++++++++++++++++++++++++++++-----------------
+ 1 file changed, 29 insertions(+), 17 deletions(-)
+
+diff --git a/src/Xv.c b/src/Xv.c
+index e47093a..be450c4 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -158,6 +158,7 @@ XvQueryAdaptors(
+     size_t size;
+     unsigned int ii, jj;
+     char *name;
++    char *end;
+     XvAdaptorInfo *pas = NULL, *pa;
+     XvFormat *pfs, *pf;
+     char *buffer = NULL;
+@@ -197,17 +198,13 @@ XvQueryAdaptors(
+     /* GET INPUT ADAPTORS */
+ 
+     if (rep.num_adaptors == 0) {
+-        /* If there's no adaptors, there's nothing more to do. */
++        /* If there are no adaptors, there's nothing more to do. */
+         status = Success;
+         goto out;
+     }
+ 
+-    if (size < (rep.num_adaptors * sz_xvAdaptorInfo)) {
+-        /* If there's not enough data for the number of adaptors,
+-           then we have a problem. */
+-        status = XvBadReply;
+-        goto out;
+-    }
++    u.buffer = buffer;
++    end = buffer + size;
+ 
+     size = rep.num_adaptors * sizeof(XvAdaptorInfo);
+     if ((pas = Xmalloc(size)) == NULL) {
+@@ -225,9 +222,12 @@ XvQueryAdaptors(
+         pa++;
+     }
+ 
+-    u.buffer = buffer;
+     pa = pas;
+     for (ii = 0; ii < rep.num_adaptors; ii++) {
++        if (u.buffer + sz_xvAdaptorInfo > end) {
++            status = XvBadReply;
++            goto out;
++        }
+         pa->type = u.pa->type;
+         pa->base_id = u.pa->base_id;
+         pa->num_ports = u.pa->num_ports;
+@@ -239,6 +239,10 @@ XvQueryAdaptors(
+         size = u.pa->name_size;
+         u.buffer += pad_to_int32(sz_xvAdaptorInfo);
+ 
++        if (u.buffer + size > end) {
++            status = XvBadReply;
++            goto out;
++        }
+         if ((name = Xmalloc(size + 1)) == NULL) {
+             status = XvBadAlloc;
+             goto out;
+@@ -259,6 +263,11 @@ XvQueryAdaptors(
+ 
+         pf = pfs;
+         for (jj = 0; jj < pa->num_formats; jj++) {
++            if (u.buffer + sz_xvFormat > end) {
++                Xfree(pfs);
++                status = XvBadReply;
++                goto out;
++            }
+             pf->depth = u.pf->depth;
+             pf->visual_id = u.pf->visual;
+             pf++;
+@@ -327,6 +336,7 @@ XvQueryEncodings(
+     size_t size;
+     unsigned int jj;
+     char *name;
++    char *end;
+     XvEncodingInfo *pes = NULL, *pe;
+     char *buffer = NULL;
+     union {
+@@ -364,17 +374,13 @@ XvQueryEncodings(
+     /* GET ENCODINGS */
+ 
+     if (rep.num_encodings == 0) {
+-        /* If there's no encodings, there's nothing more to do. */
++        /* If there are no encodings, there's nothing more to do. */
+         status = Success;
+         goto out;
+     }
+ 
+-    if (size < (rep.num_encodings * sz_xvEncodingInfo)) {
+-        /* If there's not enough data for the number of adaptors,
+-           then we have a problem. */
+-        status = XvBadReply;
+-        goto out;
+-    }
++    u.buffer = buffer;
++    end = buffer + size;
+ 
+     size = rep.num_encodings * sizeof(XvEncodingInfo);
+     if ((pes = Xmalloc(size)) == NULL) {
+@@ -391,10 +397,12 @@ XvQueryEncodings(
+         pe++;
+     }
+ 
+-    u.buffer = buffer;
+-
+     pe = pes;
+     for (jj = 0; jj < rep.num_encodings; jj++) {
++        if (u.buffer + sz_xvEncodingInfo > end) {
++            status = XvBadReply;
++            goto out;
++        }
+         pe->encoding_id = u.pe->encoding;
+         pe->width = u.pe->width;
+         pe->height = u.pe->height;
+@@ -405,6 +413,10 @@ XvQueryEncodings(
+         size = u.pe->name_size;
+         u.buffer += pad_to_int32(sz_xvEncodingInfo);
+ 
++        if (u.buffer + size > end) {
++            status = XvBadReply;
++            goto out;
++        }
+         if ((name = Xmalloc(size + 1)) == NULL) {
+             status = XvBadAlloc;
+             goto out;
+-- 
+2.10.1
+
diff --git a/gnu/packages/patches/libxvmc-CVE-2016-7953.patch b/gnu/packages/patches/libxvmc-CVE-2016-7953.patch
new file mode 100644
index 0000000000..737abdeb9f
--- /dev/null
+++ b/gnu/packages/patches/libxvmc-CVE-2016-7953.patch
@@ -0,0 +1,42 @@
+Fix CVE-2016-7953:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7953
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb
+
+From 2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 22:34:27 +0200
+Subject: [PATCH] Avoid buffer underflow on empty strings.
+
+If an empty string is received from an x-server, do not underrun the
+buffer by accessing "rep.nameLen - 1" unconditionally, which could end
+up being -1.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/XvMC.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index 7336760..3ee4212 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -576,9 +576,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
+ 	if (*name && *busID && tmpBuf) {
+ 	    _XRead(dpy, tmpBuf, realSize);
+ 	    strncpy(*name,tmpBuf,rep.nameLen);
+-	    (*name)[rep.nameLen - 1] = '\0';
++	    (*name)[rep.nameLen == 0 ? 0 : rep.nameLen - 1] = '\0';
+ 	    strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
+-	    (*busID)[rep.busIDLen - 1] = '\0';
++	    (*busID)[rep.busIDLen == 0 ? 0 : rep.busIDLen - 1] = '\0';
+ 	    XFree(tmpBuf);
+ 	} else {
+ 	    XFree(*name);
+-- 
+2.10.1
+
diff --git a/gnu/packages/patches/metabat-remove-compilation-date.patch b/gnu/packages/patches/metabat-remove-compilation-date.patch
new file mode 100644
index 0000000000..7672205b22
--- /dev/null
+++ b/gnu/packages/patches/metabat-remove-compilation-date.patch
@@ -0,0 +1,16 @@
+Remove the reference to the compilation date so that the build is
+reproducible.
+
+diff --git a/src/metabat.cpp b/src/metabat.cpp
+index 88e06de..c95cb1a 100644
+--- a/src/metabat.cpp
++++ b/src/metabat.cpp
+@@ -49,7 +49,7 @@ int main(int ac, char* av[]) {
+ 	po::notify(vm);
+ 
+ 	if (vm.count("help") || inFile.length() == 0 || outFile.length() == 0) {
+-		cerr << "\nMetaBAT: Metagenome Binning based on Abundance and Tetranucleotide frequency (version " << version << "; " << __DATE__ << " " << __TIME__ << ")" << endl;
++		cerr << "\nMetaBAT: Metagenome Binning based on Abundance and Tetranucleotide frequency (version " << version << "; unknown compilation date)" << endl;
+ 		cerr << "by Don Kang (ddkang@lbl.gov), Jeff Froula, Rob Egan, and Zhong Wang (zhongwang@lbl.gov) \n" << endl;
+ 		cerr << desc << endl << endl;
+ 
diff --git a/gnu/packages/patches/rush-CVE-2013-6889.patch b/gnu/packages/patches/rush-CVE-2013-6889.patch
deleted file mode 100644
index 862528a12c..0000000000
--- a/gnu/packages/patches/rush-CVE-2013-6889.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-commit 00bdccd429517f12dbf37ab4397ddec3e51a2738
-Author: Mats Erik Andersson <gnu@gisladisker.se>
-Date:   Mon Jan 20 13:33:52 2014 +0200
-
-    Protect against CVE-2013-6889 (tiny change).
-    
-    Reset the effective user identification in testing mode.
-
-diff --git a/src/rush.c b/src/rush.c
-index 45d737a..dc6518e 100644
---- a/src/rush.c
-+++ b/src/rush.c
-@@ -980,6 +980,10 @@ main(int argc, char **argv)
- 	} else if (argc > optind)
- 		die(usage_error, NULL, _("invalid command line"));
- 	
-+	/* Relinquish root privileges in test mode */
-+	if (lint_option)
-+		setuid(getuid());
-+	
- 	if (test_user_name) {
- 		struct passwd *pw = getpwnam(test_user_name);
- 		if (!pw)
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 190f59400d..30b0bdd22f 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -8807,11 +8807,9 @@ library.")
                (base32
                 "17zajiw4mjbkkv6ahp3xf025qglkj0805m9s41c45zryzj6p2h39"))))
     (build-system python-build-system)
-    (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         (replace 'check
-           (lambda _ (zero? (system* "python" "./test_pathlib.py")))))))
+    ;; The tests depend on the internal "test" module, which does not provide
+    ;; a stable interface.
+    (arguments `(#:tests? #f))
     (home-page "https://pathlib.readthedocs.org/")
     (synopsis "Object-oriented file system paths")
     (description "Pathlib offers a set of classes to handle file system paths.
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 2b5938b477..a80b8f7739 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -2608,7 +2608,7 @@ multibyte strings, internationalization, time zones, and testing.")
                     (ice-9 rdelim))
          #:phases
          (modify-phases %standard-phases
-           (add-before 'build 'build-gemspec
+           (add-after 'unpack 'build-gemspec
             (lambda _
               (substitute* "Rakefile"
                 ;; Build Makefile even without a copy of gumbo-parser sources
diff --git a/gnu/packages/rush.scm b/gnu/packages/rush.scm
index cf9e49a7e3..36a8f2069b 100644
--- a/gnu/packages/rush.scm
+++ b/gnu/packages/rush.scm
@@ -26,18 +26,14 @@
 (define-public rush
   (package
     (name "rush")
-    (version "1.7")
+    (version "1.8")
     (source (origin
              (method url-fetch)
-             (uri (string-append
-                   "mirror://gnu/rush/rush-"
-                   version
-                   ".tar.gz"))
+             (uri (string-append "mirror://gnu/rush/rush-"
+                                 version ".tar.gz"))
              (sha256
               (base32
-               "0fh0gbbp0iiq3wbkf503xb40r8ljk42vyj9bnlflbz82d6ipy1rm"))
-             (patches (search-patches "cpio-gets-undeclared.patch"
-                                      "rush-CVE-2013-6889.patch"))))
+               "1vxdb81ify4xcyygh86250pi50krb16dkj42i5ii4ns3araiwckz"))))
     (build-system gnu-build-system)
     (home-page "http://www.gnu.org/software/rush/")
     (synopsis "Restricted user (login) shell")
diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm
index 272fff7430..6d510c2e4c 100644
--- a/gnu/packages/shells.scm
+++ b/gnu/packages/shells.scm
@@ -22,6 +22,7 @@
 
 (define-module (gnu packages shells)
   #:use-module (gnu packages)
+  #:use-module (gnu packages algebra)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages base)
   #:use-module (gnu packages documentation)
@@ -95,11 +96,23 @@ direct descendant of NetBSD's Almquist Shell (@command{ash}).")
     (native-inputs
      `(("doxygen" ,doxygen)))
     (inputs
-     `(("ncurses" ,ncurses)
+     `(("bc" ,bc)
+       ("ncurses" ,ncurses)
+       ("pcre2" ,pcre2)               ;don't use the bundled PCRE2
        ("python" ,python-wrapper)))   ;for fish_config and manpage completions
     (arguments
      '(#:tests? #f ; no check target
-       #:configure-flags '("--sysconfdir=/etc")))
+       #:configure-flags '("--sysconfdir=/etc")
+       #:phases
+       (modify-phases %standard-phases
+         ;; Replace 'bc' by its absolute file name in the store.
+         (add-after 'unpack 'patch-bc
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (substitute* '("share/functions/math.fish"
+                            "share/functions/seq.fish")
+               (("\\| bc")
+                (string-append "| " (assoc-ref %build-inputs "bc")
+                               "/bin/bc"))))))))
     (synopsis "The friendly interactive shell")
     (description
      "Fish (friendly interactive shell) is a shell focused on interactive use,
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 5af3e57ca4..8e9c9287fa 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -355,22 +355,22 @@ required structures.")
    (home-page "http://www.openssl.org/")))
 
 (define openssl-1.0.2j
-  (package (inherit openssl)
-    (source
-      (let ((name "openssl")
-            (version "1.0.2j"))
-        (origin
-          (method url-fetch)
-          (uri (list (string-append "ftp://ftp.openssl.org/source/"
-                                    name "-" version ".tar.gz")
-                     (string-append "ftp://ftp.openssl.org/source/old/"
-                                    (string-trim-right version char-set:letter)
-                                    "/" name "-" version ".tar.gz")))
-          (sha256
-           (base32
-            "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7"))
-          (patches (search-patches "openssl-runpath.patch"
-                                   "openssl-c-rehash-in.patch")))))))
+  (package
+    (inherit openssl)
+    (name "openssl")
+    (version "1.0.2j")
+    (source (origin
+              (method url-fetch)
+              (uri (list (string-append "ftp://ftp.openssl.org/source/"
+                                        name "-" version ".tar.gz")
+                         (string-append "ftp://ftp.openssl.org/source/old/"
+                                        (string-trim-right version char-set:letter)
+                                        "/" name "-" version ".tar.gz")))
+              (sha256
+               (base32
+                "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7"))
+              (patches (search-patches "openssl-runpath.patch"
+                                       "openssl-c-rehash-in.patch"))))))
 
 (define-public openssl-next
   (package
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index c0a122379c..a4db4e774a 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -112,14 +112,14 @@ as well as the classic centralized workflow.")
 (define-public git
   (package
    (name "git")
-   (version "2.10.0")
+   (version "2.10.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://kernel.org/software/scm/git/git-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1rr9zyafb6q3wixyjar6cc7z7vdh1dqa4b5irz3gz1df02n68cy7"))))
+              "1ijd1b6szvfw0dmqa3dz1m5g5hbkl9xkb86a9qcjrz0w0vwjvhx9"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("native-perl" ,perl)
@@ -132,7 +132,7 @@ as well as the classic centralized workflow.")
                 version ".tar.xz"))
           (sha256
            (base32
-            "1y92v1bxk67ilsizqnjba6hqvrsy2zvmipyd9nnz865s21yrj5ry"))))))
+            "049n4ashc1i0rzg19zw1h4hf1qhv1vhpjr5c3jqdcljj4yp7mzw9"))))))
    (inputs
     `(("curl" ,curl)
       ("expat" ,expat)
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 064a39b829..243a8fb44e 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -253,7 +253,7 @@ H.264 (MPEG-4 AVC) video streams.")
 (define-public libass
   (package
     (name "libass")
-    (version "0.13.2")
+    (version "0.13.4")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -261,7 +261,7 @@ H.264 (MPEG-4 AVC) video streams.")
                     version "/libass-" version ".tar.xz"))
               (sha256
                (base32
-                "1kpsw4zw95v4cjvild9wpk73dzavn1khsm3bm32kcz6amnkd166n"))))
+                "1dlzkjybnpl2fkvyjq0qblb7qw12cs893bs7zj3rvf8ij342yjnq"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 923b39ee8f..4901f116e3 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -65,6 +65,7 @@
   #:use-module (gnu packages icu4c)
   #:use-module (gnu packages image)
   #:use-module (gnu packages lua)
+  #:use-module (gnu packages ncurses)
   #:use-module (gnu packages base)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages python)
@@ -254,7 +255,7 @@ data.")
 (define-public json-c
   (package
     (name "json-c")
-    (version "0.12")
+    (version "0.12.1")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -262,7 +263,7 @@ data.")
                    version ".tar.gz"))
              (sha256
               (base32
-               "0gwzic3ifg2d0w32ya3agpxh8i083cgvf7kmc51cnbgqnfr02300"))
+               "08qibrq29a5v7g23wi5icy6l4fbfw90h9ccps6vq0bcklx8n84ra"))
              (modules '((guix build utils)))
              (snippet
               '(begin
@@ -3737,3 +3738,35 @@ standalone and does not need inetd or ucspi-tcp.  It does not need any
 config files---you only have to specify the www root.")
     (home-page "https://unix4lyfe.org/darkhttpd/")
     (license l:isc)))
+
+(define-public goaccess
+  (package
+    (name "goaccess")
+    (version "1.0.2")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "http://tar.goaccess.io/goaccess-"
+                                  version ".tar.gz"))
+              (sha256
+               (base32
+                "1w84y61f3ldg2f28q6qlyr1scn3mcx0bsbq3i5xi5w193wh3xa2q"))
+              (modules '((guix build utils)))
+              (snippet
+               '(substitute* "src/error.h"
+                  (("__DATE__") "\"1970-01-01\"")
+                  (("__TIME__") "\"00:00:00\"")))))
+    (build-system gnu-build-system)
+    (inputs
+     ;; TODO: Add dependency on geoip-tools.
+     `(("glib" ,glib)
+       ("ncurses" ,ncurses)))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
+    (home-page "https://goaccess.io")
+    (synopsis "Analyze Web server logs in real time")
+    (description
+     "GoAccess is a real-time web log analyzer and interactive viewer that
+runs in a terminal or through your browser.  It provides fast and valuable
+HTTP statistics for system administrators that require a visual server report
+on the fly.")
+    (license l:x11)))
diff --git a/gnu/packages/wordnet.scm b/gnu/packages/wordnet.scm
index 289ecdeffb..357c19351b 100644
--- a/gnu/packages/wordnet.scm
+++ b/gnu/packages/wordnet.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -51,7 +51,22 @@
 
                                ;; Provide the `result' field in `Tcl_Interp'.
                                ;; See <https://bugs.gentoo.org/show_bug.cgi?id=452034>.
-                               "CFLAGS=-DUSE_INTERP_RESULT")
+                               ;;
+                               ;; The 'DEFAULTPATH' string literal, which
+                               ;; contains the output path, only appears as
+                               ;; the operand of one 'strcpy' call.  As a
+                               ;; consequence, GCC does not store the string
+                               ;; literal as is but instead introduces "gaps"
+                               ;; for alignment reasons presumably---like
+                               ;; "/gnu/sto?????re/8jp8b??????ky105…".  This
+                               ;; makes this string invisible to the GC, which
+                               ;; in turns causes problems when running a
+                               ;; grafted WordNet because that grafted WordNet
+                               ;; keeps referring to the ungrafted variant,
+                               ;; which is not protected from GC.  Thus,
+                               ;; disable use of '__builtin_strcpy' to avoid
+                               ;; that.
+                               "CFLAGS=-DUSE_INTERP_RESULT -O2 -fno-builtin-strcpy")
        #:phases
        (modify-phases %standard-phases
          (add-after 'install 'post-install
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 00f975bf65..3dac36a4d3 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -4602,6 +4602,7 @@ cannot be adequately worked around on the client side of the wire.")
 (define-public libxrender
   (package
     (name "libxrender")
+    (replacement libxrender/fixed)
     (version "0.9.9")
     (source
       (origin
@@ -4626,10 +4627,19 @@ cannot be adequately worked around on the client side of the wire.")
     (description "Library for the Render Extension to the X11 protocol.")
     (license license:x11)))
 
+(define libxrender/fixed
+  (package
+    (inherit libxrender)
+    (source (origin
+              (inherit (package-source libxrender))
+              (patches (search-patches
+                         "libxrender-CVE-2016-7949.patch"
+                         "libxrender-CVE-2016-7950.patch"))))))
 
 (define-public libxtst
   (package
     (name "libxtst")
+    (replacement libxtst/fixed)
     (version "1.2.2")
     (source
       (origin
@@ -4665,10 +4675,18 @@ The RECORD extension supports the recording and reporting of all core X
 protocol and arbitrary X extension protocol.")
     (license license:x11)))
 
+(define libxtst/fixed
+  (package
+    (inherit libxtst)
+    (source (origin
+              (inherit (package-source libxtst))
+              (patches (search-patches
+                         "libxtst-CVE-2016-7951-CVE-2016-7952.patch"))))))
 
 (define-public libxv
   (package
     (name "libxv")
+    (replacement libxv/fixed)
     (version "1.0.10")
     (source
       (origin
@@ -4694,6 +4712,13 @@ protocol and arbitrary X extension protocol.")
     (description "Library for the X Video Extension to the X11 protocol.")
     (license license:x11)))
 
+(define libxv/fixed
+  (package
+    (inherit libxv)
+    (source (origin
+              (inherit (package-source libxv))
+              (patches (search-patches
+                         "libxv-CVE-2016-5407.patch"))))))
 
 (define-public mkfontdir
   (package
@@ -4823,6 +4848,7 @@ an X Window System display.")
 (define-public libxfixes
   (package
     (name "libxfixes")
+    (replacement libxfixes/fixed)
     (version "5.0.2")
     (source
       (origin
@@ -4847,6 +4873,13 @@ an X Window System display.")
     (description "Library for the XFixes Extension to the X11 protocol.")
     (license license:x11)))
 
+(define libxfixes/fixed
+  (package
+    (inherit libxfixes)
+    (source (origin
+              (inherit (package-source libxfixes))
+              (patches (search-patches
+                         "libxfixes-CVE-2016-7944.patch"))))))
 
 (define-public libxfont
   (package
@@ -4888,6 +4921,7 @@ new API's in libXft, or the legacy API's in libX11.")
 (define-public libxi
   (package
     (name "libxi")
+    (replacement libxi/fixed)
     (version "1.7.6")
     (source
       (origin
@@ -4914,10 +4948,18 @@ new API's in libXft, or the legacy API's in libX11.")
     (description "Library for the XInput Extension to the X11 protocol.")
     (license license:x11)))
 
+(define libxi/fixed
+  (package
+    (inherit libxi)
+    (source (origin
+              (inherit (package-source libxi))
+              (patches (search-patches
+                         "libxi-CVE-2016-7945-CVE-2016-7946.patch"))))))
 
 (define-public libxrandr
   (package
     (name "libxrandr")
+    (replacement libxrandr/fixed)
     (version "1.5.0")
     (source
       (origin
@@ -4945,10 +4987,18 @@ new API's in libXft, or the legacy API's in libX11.")
      "Library for the Resize and Rotate Extension to the X11 protocol.")
     (license license:x11)))
 
+(define libxrandr/fixed
+  (package
+    (inherit libxrandr)
+    (source (origin
+              (inherit (package-source libxrandr))
+              (patches (search-patches
+                         "libxrandr-CVE-2016-7947-CVE-2016-7948.patch"))))))
 
 (define-public libxvmc
   (package
     (name "libxvmc")
+    (replacement libxvmc/fixed)
     (version "1.0.9")
     (source
       (origin
@@ -4974,6 +5024,13 @@ new API's in libXft, or the legacy API's in libX11.")
     (description "Xorg XvMC library.")
     (license license:x11)))
 
+(define libxvmc/fixed
+  (package
+    (inherit libxvmc)
+    (source (origin
+              (inherit (package-source libxvmc))
+              (patches (search-patches
+                         "libxvmc-CVE-2016-7953.patch"))))))
 
 (define-public libxxf86vm
   (package
@@ -5195,6 +5252,7 @@ draggable titlebars and borders.")
 (define-public libx11
   (package
     (name "libx11")
+    (replacement libx11/fixed)
     (version "1.6.3")
     (source
       (origin
@@ -5227,6 +5285,14 @@ draggable titlebars and borders.")
     (description "Xorg Core X11 protocol client library.")
     (license license:x11)))
 
+(define libx11/fixed
+  (package
+    (inherit libx11)
+    (source (origin
+              (inherit (package-source libx11))
+              (patches (search-patches
+                         "libx11-CVE-2016-7942.patch"
+                         "libx11-CVE-2016-7943.patch"))))))
 
 ;; packages of height 5 in the propagated-inputs tree
 
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index 2ce35eaa07..2487638c52 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -150,8 +150,8 @@ TARGET (e.g., \"/dev/md0\"), using 'mdadm'."
           (sleep 1)
           (loop (+ 1 attempts))))
 
-      (zero? (system* (string-append #$mdadm "/sbin/mdadm")
-                      "--assemble" #$target sources))))
+      (zero? (apply system* (string-append #$mdadm "/sbin/mdadm")
+                    "--assemble" #$target sources))))
 
 (define (close-raid-device sources target)
   "Return a gexp that stops the RAID device TARGET."
diff --git a/guix/build/graft.scm b/guix/build/graft.scm
index f85d485554..b08b65b7cf 100644
--- a/guix/build/graft.scm
+++ b/guix/build/graft.scm
@@ -20,7 +20,6 @@
 (define-module (guix build graft)
   #:use-module (guix build utils)
   #:use-module (rnrs bytevectors)
-  #:use-module (rnrs io ports)
   #:use-module (ice-9 vlist)
   #:use-module (ice-9 match)
   #:use-module (ice-9 threads)
@@ -58,7 +57,9 @@
                                    #:optional (store (%store-directory)))
   "Read data from INPUT, replacing store references according to
 REPLACEMENT-TABLE, and writing the result to OUTPUT.  REPLACEMENT-TABLE is a
-vhash that maps strings (original hashes) to bytevectors (replacement hashes).
+vhash that maps strings (original hashes) to bytevectors (replacement strings
+comprising the replacement hash, a dash, and a string).
+
 Note: We use string keys to work around the fact that guile-2.0 hashes all
 bytevectors to the same value."
 
@@ -130,16 +131,18 @@ bytevectors to the same value."
                              ;; that have not yet been written.
                              (put-bytevector output buffer written
                                              (- i hash-length written))
-                             ;; Now write the replacement hash.
+                             ;; Now write the replacement string.
                              (put-bytevector output replacement)
                              ;; Since the byte at position 'i' is a dash,
                              ;; which is not a nix-base32 char, the earliest
                              ;; position where the next hash might start is
                              ;; i+1, and the earliest position where the
                              ;; following dash might start is (+ i 1
-                             ;; hash-length).  Also, we have now written up to
-                             ;; position 'i' in the buffer.
-                             (scan-from (+ i 1 hash-length) i)))
+                             ;; hash-length).  Also, increase the write
+                             ;; position to account for REPLACEMENT.
+                             (let ((len (bytevector-length replacement)))
+                               (scan-from (+ i 1 len)
+                                          (+ i (- len hash-length))))))
                        ;; If the byte at position 'i' is a nix-base32 char,
                        ;; then the dash we're looking for might be as early as
                        ;; the following byte, so we can only advance by 1.
@@ -213,26 +216,32 @@ an exception is caught."
 file name pairs."
 
   (define hash-mapping
+    ;; List of hash/replacement pairs, where the hash is a nix-base32 string
+    ;; and the replacement is a string that includes the replacement's name,
+    ;; like "r837zajjc1q8z9hph4b6860a9c05blyy-openssl-1.0.2j".
     (let* ((prefix (string-append store "/"))
            (start  (string-length prefix))
            (end    (+ start hash-length)))
       (define (valid-hash? h)
         (every nix-base32-char? (string->list h)))
-      (define (valid-suffix? s)
-        (string-prefix? "-" s))
-      (define (hash+suffix s)
+      (define (hash+rest s)
         (and (< end (string-length s))
-             (let ((hash   (substring s start end))
-                   (suffix (substring s end)))
+             (let ((hash (substring s start end))
+                   (all  (substring s start)))
                (and (string-prefix? prefix s)
-                    (valid-hash?    hash)
-                    (valid-suffix?  suffix)
-                    (list hash suffix)))))
+                    (valid-hash? hash)
+                    (eqv? #\- (string-ref s end))
+                    (list hash all)))))
+
       (map (match-lambda
-             (((= hash+suffix (origin-hash      suffix))
+             (((= hash+rest (origin-hash origin-string))
                .
-               (= hash+suffix (replacement-hash suffix)))
-              (cons origin-hash (string->utf8 replacement-hash)))
+               (= hash+rest (replacement-hash replacement-string)))
+              (unless (= (string-length origin-string)
+                         (string-length replacement-string))
+                (error "replacement length differs from the original length"
+                       origin-string replacement-string))
+              (cons origin-hash (string->utf8 replacement-string)))
              ((origin . replacement)
               (error "invalid replacement" origin replacement)))
            mapping)))
diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
index eac3214bbf..b3ec6d628e 100644
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@@ -683,25 +683,25 @@ from ~s: ~a (~s)~%")
 
 (define (check-vulnerabilities package)
   "Check for known vulnerabilities for PACKAGE."
-  (match (package-vulnerabilities package)
-    (()
-     #t)
-    ((vulnerabilities ...)
-     (let* ((package   (or (package-replacement package) package))
-            (patches   (filter-map patch-file-name
-                                   (or (and=> (package-source package)
-                                              origin-patches)
-                                       '())))
-            (unpatched (remove (lambda (vuln)
-                                 (find (cute string-contains
-                                         <> (vulnerability-id vuln))
-                                       patches))
-                               vulnerabilities)))
-       (unless (null? unpatched)
-         (emit-warning package
-                       (format #f (_ "probably vulnerable to ~a")
-                               (string-join (map vulnerability-id unpatched)
-                                            ", "))))))))
+  (let ((package (or (package-replacement package) package)))
+    (match (package-vulnerabilities package)
+      (()
+       #t)
+      ((vulnerabilities ...)
+       (let* ((patches   (filter-map patch-file-name
+                                     (or (and=> (package-source package)
+                                                origin-patches)
+                                         '())))
+              (unpatched (remove (lambda (vuln)
+                                   (find (cute string-contains
+                                           <> (vulnerability-id vuln))
+                                         patches))
+                                 vulnerabilities)))
+         (unless (null? unpatched)
+           (emit-warning package
+                         (format #f (_ "probably vulnerable to ~a")
+                                 (string-join (map vulnerability-id unpatched)
+                                              ", ")))))))))
 
 
 ;;;
diff --git a/tests/grafts.scm b/tests/grafts.scm
index 13c56750ed..f2ff839fd8 100644
--- a/tests/grafts.scm
+++ b/tests/grafts.scm
@@ -80,6 +80,25 @@
                 (string=? (readlink (string-append grafted "/self"))
                           grafted))))))
 
+(test-assert "graft-derivation, grafted item uses a different name"
+  (let* ((build   `(begin
+                     (mkdir %output)
+                     (chdir %output)
+                     (symlink %output "self")
+                     (symlink ,%bash "sh")))
+         (orig    (build-expression->derivation %store "grafted" build
+                                                #:inputs `(("a" ,%bash))))
+         (repl    (add-text-to-store %store "BaSH" "fake bash"))
+         (grafted (graft-derivation %store orig
+                                    (list (graft
+                                            (origin %bash)
+                                            (replacement repl))))))
+    (and (build-derivations %store (list grafted))
+         (let ((grafted (derivation->output-path grafted)))
+           (and (string=? (readlink (string-append grafted "/sh")) repl)
+                (string=? (readlink (string-append grafted "/self"))
+                          grafted))))))
+
 ;; Make sure 'derivation-file-name' always gets to see an absolute file name.
 (fluid-set! %file-port-name-canonicalization 'absolute)
 
diff --git a/tests/lint.scm b/tests/lint.scm
index df69d2b4b1..d692b42f93 100644
--- a/tests/lint.scm
+++ b/tests/lint.scm
@@ -36,6 +36,7 @@
   #:use-module (web server)
   #:use-module (web server http)
   #:use-module (web response)
+  #:use-module (ice-9 match)
   #:use-module (ice-9 threads)
   #:use-module (srfi srfi-9 gnu)
   #:use-module (srfi srfi-64))
@@ -613,6 +614,28 @@ string) on HTTP requests."
                              (patches
                               (list "/a/b/pi-CVE-2015-1234.patch"))))))))))
 
+(test-assert "cve: vulnerability fixed in replacement version"
+  (mock ((guix scripts lint) package-vulnerabilities
+         (lambda (package)
+           (match (package-version package)
+             ("0"
+              (list (make-struct (@@ (guix cve) <vulnerability>) 0
+                                 "CVE-2015-1234"
+                                 (list (cons (package-name package)
+                                             (package-version package))))))
+             ("1"
+              '()))))
+        (and (not (string-null?
+                   (with-warnings
+                     (check-vulnerabilities
+                      (dummy-package "foo" (version "0"))))))
+             (string-null?
+              (with-warnings
+                (check-vulnerabilities
+                 (dummy-package
+                  "foo" (version "0")
+                  (replacement (dummy-package "foo" (version "1"))))))))))
+
 (test-assert "cve: patched vulnerability in replacement"
   (mock ((guix scripts lint) package-vulnerabilities
          (lambda (package)