diff --git a/debian/changelog b/debian/changelog index e107ce3a3..306e6d9fc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -15,6 +15,8 @@ linux (4.7~rc6-1~exp1) UNRELEASED; urgency=medium * [amd64] power: Fix crash whan the hibernation code passes control to the image kernel * [x86] KASLR, power: Remove x86 hibernation restrictions + * fanotify: Enable FANOTIFY_ACCESS_PERMISSIONS (Closes: #690737) + - Warn and taint kernel if this feature is actually used [ Bastian Blank ] * Mark debug symbols packages to move them into the debug archive. diff --git a/debian/config/armel/config.marvell b/debian/config/armel/config.marvell index 049116a4e..83ed5633e 100644 --- a/debian/config/armel/config.marvell +++ b/debian/config/armel/config.marvell @@ -663,6 +663,11 @@ CONFIG_ORION_WATCHDOG=m ## # CONFIG_FS_DAX is not set +## +## file: fs/notify/fanotify/Kconfig +## +# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set + ## ## file: init/Kconfig ## diff --git a/debian/config/config b/debian/config/config index 4b8c853a9..f56c443d6 100644 --- a/debian/config/config +++ b/debian/config/config @@ -5319,7 +5319,7 @@ CONFIG_DNOTIFY=y ## file: fs/notify/fanotify/Kconfig ## CONFIG_FANOTIFY=y -# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set +CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y ## ## file: fs/notify/inotify/Kconfig diff --git a/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch new file mode 100644 index 000000000..77d44b431 --- /dev/null +++ b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch 
@@ -0,0 +1,29 @@ +From: Ben Hutchings +Subject: fanotify: Taint on use of FANOTIFY_ACCESS_PERMISSIONS +Date: Wed, 13 Jul 2016 01:37:22 +0100 +Forwarded: not-needed + +Various free and proprietary AV products use this feature and users +apparently want it. But punting access checks to userland seems like +an easy way to deadlock the system, and there will be nothing we can +do about that. So warn and taint the kernel if this feature is +actually used. + +--- +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -847,6 +847,14 @@ SYSCALL_DEFINE5(fanotify_mark, int, fano + #endif + return -EINVAL; + ++#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS ++ if (mask & FAN_ALL_PERM_EVENTS) { ++ pr_warn_once("%s (%d): Using fanotify permission checks may lead to deadlock; tainting kernel\n", ++ current->comm, current->pid); ++ add_taint(TAINT_USER, LOCKDEP_STILL_OK); ++ } ++#endif ++ + f = fdget(fanotify_fd); + if (unlikely(!f.file)) + return -EBADF; diff --git a/debian/patches/series b/debian/patches/series index 6ee0974ed..cbdf9a961 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -43,6 +43,9 @@ debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch debian/snd-pcsp-disable-autoload.patch bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch +# Taint if dangerous features are used +debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch + # Arch bug fixes bugfix/x86/x86-power-64-fix-crash-whan-the-hibernation-code-pas.patch
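Review bot: The `pr_warn_once()` and `add_taint()` run before the `f = fdget(fanotify_fd)` and `return -EBADF` that follow them in the hunk, so the kernel is tainted (and the calling process named in the message) even when the syscall then fails without ever attaching a permission mark; the same appears to hold for a descriptor that is not a fanotify group or for a FAN_MARK_REMOVE/FAN_MARK_FLUSH request, which are presumably rejected later in fanotify_mark, whose body continues outside the hunk. Nothing in the hunk checks the caller's privilege before this point, so any unprivileged process can set TAINT_USER with a call such as `fanotify_mark(-1, FAN_MARK_ADD, FAN_OPEN_PERM, AT_FDCWD, "/")`, which makes the taint an unreliable indicator that userland permission checks were actually enabled. Move the block below the descriptor and f_op validation and restrict it to the add path, e.g. `if ((flags & FAN_MARK_ADD) && (mask & FAN_ALL_PERM_EVENTS)) {`, so the taint records real use rather than a rejected request. A short comment above the block noting that it is intentionally placed after validation would keep the next reorder from moving it back.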