diff --git a/patches.suse/keys-Change-keyring_serialise_link_sem-to-a-mutex.patch b/patches.suse/keys-Change-keyring_serialise_link_sem-to-a-mutex.patch
new file mode 100644
index 0000000..faaa7e8
--- /dev/null
+++ b/patches.suse/keys-Change-keyring_serialise_link_sem-to-a-mutex.patch
@@ -0,0 +1,73 @@
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 30 May 2019 11:40:24 +0100
+Subject: keys: Change keyring_serialise_link_sem to a mutex
+Git-commit: 3be59f74512e37f4d4243a5d0831970e2a009206
+Patch-mainline: v5.3-rc1
+References: bsc#1207088
+
+Change keyring_serialise_link_sem to a mutex as it's only ever
+write-locked.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Petr Pavlu <petr.pavlu@suse.com>
+---
+ security/keys/keyring.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index 5b218b270598..ca6694ba1773 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -100,7 +100,7 @@ EXPORT_SYMBOL(key_type_keyring);
+  * Semaphore to serialise link/link calls to prevent two link calls in parallel
+  * introducing a cycle.
+  */
+-static DECLARE_RWSEM(keyring_serialise_link_sem);
++static DEFINE_MUTEX(keyring_serialise_link_lock);
+ 
+ /*
+  * Publish the name of a keyring so that it can be found by name (if it has
+@@ -1206,7 +1206,7 @@ int __key_link_begin(struct key *keyring,
+ 		     const struct keyring_index_key *index_key,
+ 		     struct assoc_array_edit **_edit)
+ 	__acquires(&keyring->sem)
+-	__acquires(&keyring_serialise_link_sem)
++	__acquires(&keyring_serialise_link_lock)
+ {
+ 	struct assoc_array_edit *edit;
+ 	int ret;
+@@ -1228,7 +1228,7 @@ int __key_link_begin(struct key *keyring,
+ 	/* serialise link/link calls to prevent parallel calls causing a cycle
+ 	 * when linking two keyring in opposite orders */
+ 	if (index_key->type == &key_type_keyring)
+-		down_write(&keyring_serialise_link_sem);
++		mutex_lock(&keyring_serialise_link_lock);
+ 
+ 	/* Create an edit script that will insert/replace the key in the
+ 	 * keyring tree.
+@@ -1260,7 +1260,7 @@ int __key_link_begin(struct key *keyring,
+ 	assoc_array_cancel_edit(edit);
+ error_sem:
+ 	if (index_key->type == &key_type_keyring)
+-		up_write(&keyring_serialise_link_sem);
++		mutex_unlock(&keyring_serialise_link_lock);
+ error_krsem:
+ 	up_write(&keyring->sem);
+ 	kleave(" = %d", ret);
+@@ -1307,13 +1307,13 @@ void __key_link_end(struct key *keyring,
+ 		    const struct keyring_index_key *index_key,
+ 		    struct assoc_array_edit *edit)
+ 	__releases(&keyring->sem)
+-	__releases(&keyring_serialise_link_sem)
++	__releases(&keyring_serialise_link_lock)
+ {
+ 	BUG_ON(index_key->type == NULL);
+ 	kenter("%d,%s,", keyring->serial, index_key->type->name);
+ 
+ 	if (index_key->type == &key_type_keyring)
+-		up_write(&keyring_serialise_link_sem);
++		mutex_unlock(&keyring_serialise_link_lock);
+ 
+ 	if (edit) {
+ 		if (!edit->dead_leaf) {
+
diff --git a/series.conf b/series.conf
index 4e89e60..51cc4bb 100644
--- a/series.conf
+++ b/series.conf
@@ -50882,6 +50882,7 @@
 	patches.suse/perf-x86-intel-uncore-Cosmetic-renames-in-response-t.patch
 	patches.suse/perf-x86-intel-rapl-Cosmetic-rename-internal-variabl.patch
 	patches.suse/tpm-Fix-TPM-1.2-Shutdown-sequence-to-prevent-future-.patch
+	patches.suse/keys-Change-keyring_serialise_link_sem-to-a-mutex.patch
 	patches.suse/crypto-ccp-AES-CFB-mode-is-a-stream-cipher.patch
 	patches.suse/crypto-ccp-fix-AES-CFB-error-exposed-by-new-test-vec.patch
 	patches.suse/crypto-ccp-Fix-3DES-complaint-from-ccp-crypto-module.patch