9 files changed, 119 insertions, 76 deletions

diff --git a/net/compat.c b/net/compat.c
index 79ae88485001..f0a1ba6c8086 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -734,19 +734,25 @@ static unsigned char nas[21] = {
 
 asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
 {
-        return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+        if (flags & MSG_CMSG_COMPAT)
+                return -EINVAL;
+        return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
 }
 
 asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg,
                                     unsigned int vlen, unsigned int flags)
 {
+        if (flags & MSG_CMSG_COMPAT)
+                return -EINVAL;
         return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
                               flags | MSG_CMSG_COMPAT);
 }
 
 asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
 {
-        return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+        if (flags & MSG_CMSG_COMPAT)
+                return -EINVAL;
+        return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
 }
 
 asmlinkage long compat_sys_recv(int fd, void __user *buf, size_t len, unsigned int flags)
@@ -768,6 +774,9 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
         int datagrams;
         struct timespec ktspec;
 
+        if (flags & MSG_CMSG_COMPAT)
+                return -EINVAL;
+
         if (COMPAT_USE_64BIT_TIME)
                 return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
                                       flags | MSG_CMSG_COMPAT,
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 2b935e7cfe7b..281c1bded1f6 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -291,17 +291,18 @@ struct qdisc_rate_table *qdisc_get_rtab(struct tc_ratespec *r, struct nlattr *ta
 {
         struct qdisc_rate_table *rtab;
 
+        if (tab == NULL || r->rate == 0 || r->cell_log == 0 ||
+            nla_len(tab) != TC_RTAB_SIZE)
+                return NULL;
+
         for (rtab = qdisc_rtab_list; rtab; rtab = rtab->next) {
-                if (memcmp(&rtab->rate, r, sizeof(struct tc_ratespec)) == 0) {
+                if (!memcmp(&rtab->rate, r, sizeof(struct tc_ratespec)) &&
+                    !memcmp(&rtab->data, nla_data(tab), 1024)) {
                         rtab->refcnt++;
                         return rtab;
                 }
         }
 
-        if (tab == NULL || r->rate == 0 || r->cell_log == 0 ||
-            nla_len(tab) != TC_RTAB_SIZE)
-                return NULL;
-
         rtab = kmalloc(sizeof(*rtab), GFP_KERNEL);
         if (rtab) {
                 rtab->rate = *r;
diff --git a/net/socket.c b/net/socket.c
index 9ff6366fee13..4ca1526db756 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1956,7 +1956,7 @@ struct used_address {
         unsigned int name_len;
 };
 
-static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
                          struct msghdr *msg_sys, unsigned int flags,
                          struct used_address *used_address)
 {
@@ -2071,26 +2071,30 @@ out:
  *      BSD sendmsg interface
  */
 
-SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags)
+long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
 {
         int fput_needed, err;
         struct msghdr msg_sys;
         struct socket *sock;
 
-        if (flags & MSG_CMSG_COMPAT)
-                return -EINVAL;
-
         sock = sockfd_lookup_light(fd, &err, &fput_needed);
         if (!sock)
                 goto out;
 
-        err = __sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
+        err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
 
         fput_light(sock->file, fput_needed);
 out:
         return err;
 }
 
+SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags)
+{
+        if (flags & MSG_CMSG_COMPAT)
+                return -EINVAL;
+        return __sys_sendmsg(fd, msg, flags);
+}
+
 /*
  *      Linux sendmmsg interface
  */
@@ -2121,15 +2125,16 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
 
         while (datagrams < vlen) {
                 if (MSG_CMSG_COMPAT & flags) {
-                        err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
-                                            &msg_sys, flags, &used_address);
+                        err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
+                                             &msg_sys, flags, &used_address);
                         if (err < 0)
                                 break;
                         err = __put_user(err, &compat_entry->msg_len);
                         ++compat_entry;
                 } else {
-                        err = __sys_sendmsg(sock, (struct msghdr __user *)entry,
-                                            &msg_sys, flags, &used_address);
+                        err = ___sys_sendmsg(sock,
+                                             (struct msghdr __user *)entry,
+                                             &msg_sys, flags, &used_address);
                         if (err < 0)
                                 break;
                         err = put_user(err, &entry->msg_len);
@@ -2158,7 +2163,7 @@ SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,
         return __sys_sendmmsg(fd, mmsg, vlen, flags);
 }
 
-static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
                          struct msghdr *msg_sys, unsigned int flags, int nosec)
 {
         struct compat_msghdr __user *msg_compat =
@@ -2250,27 +2255,31 @@ out:
  *      BSD recvmsg interface
  */
 
-SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
-                unsigned int, flags)
+long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags)
 {
         int fput_needed, err;
         struct msghdr msg_sys;
         struct socket *sock;
 
-        if (flags & MSG_CMSG_COMPAT)
-                return -EINVAL;
-
         sock = sockfd_lookup_light(fd, &err, &fput_needed);
         if (!sock)
                 goto out;
 
-        err = __sys_recvmsg(sock, msg, &msg_sys, flags, 0);
+        err = ___sys_recvmsg(sock, msg, &msg_sys, flags, 0);
 
         fput_light(sock->file, fput_needed);
 out:
         return err;
 }
 
+SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
+                unsigned int, flags)
+{
+        if (flags & MSG_CMSG_COMPAT)
+                return -EINVAL;
+        return __sys_recvmsg(fd, msg, flags);
+}
+
 /*
  *     Linux recvmmsg interface
  */
@@ -2308,17 +2317,18 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
                  * No need to ask LSM for more than the first datagram.
                  */
                 if (MSG_CMSG_COMPAT & flags) {
-                        err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
-                                            &msg_sys, flags & ~MSG_WAITFORONE,
-                                            datagrams);
+                        err = ___sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
+                                             &msg_sys, flags & ~MSG_WAITFORONE,
+                                             datagrams);
                         if (err < 0)
                                 break;
                         err = __put_user(err, &compat_entry->msg_len);
                         ++compat_entry;
                 } else {
-                        err = __sys_recvmsg(sock, (struct msghdr __user *)entry,
-                                            &msg_sys, flags & ~MSG_WAITFORONE,
-                                            datagrams);
+                        err = ___sys_recvmsg(sock,
+                                             (struct msghdr __user *)entry,
+                                             &msg_sys, flags & ~MSG_WAITFORONE,
+                                             datagrams);
                         if (err < 0)
                                 break;
                         err = put_user(err, &entry->msg_len);
@@ -2505,31 +2515,15 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
                                    (int __user *)a[4]);
                 break;
         case SYS_SENDMSG:
-                if (a[2] & MSG_CMSG_COMPAT) {
-                        err = -EINVAL;
-                        break;
-                }
                 err = sys_sendmsg(a0, (struct msghdr __user *)a1, a[2]);
                 break;
         case SYS_SENDMMSG:
-                if (a[3] & MSG_CMSG_COMPAT) {
-                        err = -EINVAL;
-                        break;
-                }
                 err = sys_sendmmsg(a0, (struct mmsghdr __user *)a1, a[2], a[3]);
                 break;
         case SYS_RECVMSG:
-                if (a[2] & MSG_CMSG_COMPAT) {
-                        err = -EINVAL;
-                        break;
-                }
                 err = sys_recvmsg(a0, (struct msghdr __user *)a1, a[2]);
                 break;
         case SYS_RECVMMSG:
-                if (a[3] & MSG_CMSG_COMPAT) {
-                        err = -EINVAL;
-                        break;
-                }
                 err = sys_recvmmsg(a0, (struct mmsghdr __user *)a1, a[2], a[3],
                                    (struct timespec __user *)a[4]);
                 break;
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 7da6b457f66a..fc2f78d6a9b4 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -52,6 +52,8 @@
 #include <linux/sunrpc/gss_api.h>
 #include <asm/uaccess.h>
 
+#include "../netns.h"
+
 static const struct rpc_authops authgss_ops;
 
 static const struct rpc_credops gss_credops;
@@ -85,8 +87,6 @@ struct gss_auth {
 };
 
 /* pipe_version >= 0 if and only if someone has a pipe open. */
-static int pipe_version = -1;
-static atomic_t pipe_users = ATOMIC_INIT(0);
 static DEFINE_SPINLOCK(pipe_version_lock);
 static struct rpc_wait_queue pipe_version_rpc_waitqueue;
 static DECLARE_WAIT_QUEUE_HEAD(pipe_version_waitqueue);
@@ -266,24 +266,27 @@ struct gss_upcall_msg {
         char databuf[UPCALL_BUF_LEN];
 };
 
-static int get_pipe_version(void)
+static int get_pipe_version(struct net *net)
 {
+        struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
         int ret;
 
         spin_lock(&pipe_version_lock);
-        if (pipe_version >= 0) {
-                atomic_inc(&pipe_users);
-                ret = pipe_version;
+        if (sn->pipe_version >= 0) {
+                atomic_inc(&sn->pipe_users);
+                ret = sn->pipe_version;
         } else
                 ret = -EAGAIN;
         spin_unlock(&pipe_version_lock);
         return ret;
 }
 
-static void put_pipe_version(void)
+static void put_pipe_version(struct net *net)
 {
-        if (atomic_dec_and_lock(&pipe_users, &pipe_version_lock)) {
-                pipe_version = -1;
+        struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
+
+        if (atomic_dec_and_lock(&sn->pipe_users, &pipe_version_lock)) {
+                sn->pipe_version = -1;
                 spin_unlock(&pipe_version_lock);
         }
 }
@@ -291,9 +294,10 @@ static void put_pipe_version(void)
 static void
 gss_release_msg(struct gss_upcall_msg *gss_msg)
 {
+        struct net *net = rpc_net_ns(gss_msg->auth->client);
         if (!atomic_dec_and_test(&gss_msg->count))
                 return;
-        put_pipe_version();
+        put_pipe_version(net);
         BUG_ON(!list_empty(&gss_msg->list));
         if (gss_msg->ctx != NULL)
                 gss_put_ctx(gss_msg->ctx);
@@ -439,7 +443,10 @@ static void gss_encode_msg(struct gss_upcall_msg *gss_msg,
                                 struct rpc_clnt *clnt,
                                 const char *service_name)
 {
-        if (pipe_version == 0)
+        struct net *net = rpc_net_ns(clnt);
+        struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
+
+        if (sn->pipe_version == 0)
                 gss_encode_v0_msg(gss_msg);
         else /* pipe_version == 1 */
                 gss_encode_v1_msg(gss_msg, clnt, service_name);
@@ -455,7 +462,7 @@ gss_alloc_msg(struct gss_auth *gss_auth, struct rpc_clnt *clnt,
         gss_msg = kzalloc(sizeof(*gss_msg), GFP_NOFS);
         if (gss_msg == NULL)
                 return ERR_PTR(-ENOMEM);
-        vers = get_pipe_version();
+        vers = get_pipe_version(rpc_net_ns(clnt));
         if (vers < 0) {
                 kfree(gss_msg);
                 return ERR_PTR(vers);
@@ -559,24 +566,34 @@ out:
 static inline int
 gss_create_upcall(struct gss_auth *gss_auth, struct gss_cred *gss_cred)
 {
+        struct net *net = rpc_net_ns(gss_auth->client);
+        struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
         struct rpc_pipe *pipe;
         struct rpc_cred *cred = &gss_cred->gc_base;
         struct gss_upcall_msg *gss_msg;
+        unsigned long timeout;
         DEFINE_WAIT(wait);
-        int err = 0;
+        int err;
 
         dprintk("RPC:       %s for uid %u\n",
                 __func__, from_kuid(&init_user_ns, cred->cr_uid));
 retry:
+        err = 0;
+        /* Default timeout is 15s unless we know that gssd is not running */
+        timeout = 15 * HZ;
+        if (!sn->gssd_running)
+                timeout = HZ >> 2;
         gss_msg = gss_setup_upcall(gss_auth->client, gss_auth, cred);
         if (PTR_ERR(gss_msg) == -EAGAIN) {
                 err = wait_event_interruptible_timeout(pipe_version_waitqueue,
-                                pipe_version >= 0, 15*HZ);
-                if (pipe_version < 0) {
+                                sn->pipe_version >= 0, timeout);
+                if (sn->pipe_version < 0) {
+                        if (err == 0)
+                                sn->gssd_running = 0;
                         warn_gssd();
                         err = -EACCES;
                 }
-                if (err)
+                if (err < 0)
                         goto out;
                 goto retry;
         }
@@ -707,20 +724,22 @@ out:
 
 static int gss_pipe_open(struct inode *inode, int new_version)
 {
+        struct net *net = inode->i_sb->s_fs_info;
+        struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
         int ret = 0;
 
         spin_lock(&pipe_version_lock);
-        if (pipe_version < 0) {
+        if (sn->pipe_version < 0) {
                 /* First open of any gss pipe determines the version: */
-                pipe_version = new_version;
+                sn->pipe_version = new_version;
                 rpc_wake_up(&pipe_version_rpc_waitqueue);
                 wake_up(&pipe_version_waitqueue);
-        } else if (pipe_version != new_version) {
+        } else if (sn->pipe_version != new_version) {
                 /* Trying to open a pipe of a different version */
                 ret = -EBUSY;
                 goto out;
         }
-        atomic_inc(&pipe_users);
+        atomic_inc(&sn->pipe_users);
 out:
         spin_unlock(&pipe_version_lock);
         return ret;
@@ -740,6 +759,7 @@ static int gss_pipe_open_v1(struct inode *inode)
 static void
 gss_pipe_release(struct inode *inode)
 {
+        struct net *net = inode->i_sb->s_fs_info;
         struct rpc_pipe *pipe = RPC_I(inode)->pipe;
         struct gss_upcall_msg *gss_msg;
 
@@ -758,7 +778,7 @@ restart:
         }
         spin_unlock(&pipe->lock);
 
-        put_pipe_version();
+        put_pipe_version(net);
 }
 
 static void
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 871c73c92165..29b4ba93ab3c 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1287,7 +1287,7 @@ static bool use_gss_proxy(struct net *net)
 
 #ifdef CONFIG_PROC_FS
 
-static bool set_gss_proxy(struct net *net, int type)
+static int set_gss_proxy(struct net *net, int type)
 {
         struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
         int ret = 0;
@@ -1317,10 +1317,12 @@ static inline bool gssp_ready(struct sunrpc_net *sn)
         return false;
 }
 
-static int wait_for_gss_proxy(struct net *net)
+static int wait_for_gss_proxy(struct net *net, struct file *file)
 {
         struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
 
+        if (file->f_flags & O_NONBLOCK && !gssp_ready(sn))
+                return -EAGAIN;
         return wait_event_interruptible(sn->gssp_wq, gssp_ready(sn));
 }
 
@@ -1362,7 +1364,7 @@ static ssize_t read_gssp(struct file *file, char __user *buf,
         size_t len;
         int ret;
 
-        ret = wait_for_gss_proxy(net);
+        ret = wait_for_gss_proxy(net, file);
         if (ret)
                 return ret;
 
diff --git a/net/sunrpc/netns.h b/net/sunrpc/netns.h
index 7111a4c9113b..74d948f5d5a1 100644
--- a/net/sunrpc/netns.h
+++ b/net/sunrpc/netns.h
@@ -28,7 +28,11 @@ struct sunrpc_net {
         wait_queue_head_t gssp_wq;
         struct rpc_clnt *gssp_clnt;
         int use_gss_proxy;
+        int pipe_version;
+        atomic_t pipe_users;
         struct proc_dir_entry *use_gssp_proc;
+
+        unsigned int gssd_running;
 };
 
 extern int sunrpc_net_id;
diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
index a9129f8d7070..e7ce4b3eb0bd 100644
--- a/net/sunrpc/rpc_pipe.c
+++ b/net/sunrpc/rpc_pipe.c
@@ -216,11 +216,14 @@ rpc_destroy_inode(struct inode *inode)
 static int
 rpc_pipe_open(struct inode *inode, struct file *filp)
 {
+        struct net *net = inode->i_sb->s_fs_info;
+        struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
         struct rpc_pipe *pipe;
         int first_open;
         int res = -ENXIO;
 
         mutex_lock(&inode->i_mutex);
+        sn->gssd_running = 1;
         pipe = RPC_I(inode)->pipe;
         if (pipe == NULL)
                 goto out;
@@ -1069,6 +1072,8 @@ void rpc_pipefs_init_net(struct net *net)
         struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
 
         mutex_init(&sn->pipefs_sb_lock);
+        sn->gssd_running = 1;
+        sn->pipe_version = -1;
 }
 
 /*
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index f8529fc8e542..5356b120dbf8 100644
--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -324,11 +324,17 @@ EXPORT_SYMBOL_GPL(__rpc_wait_for_completion_task);
  * Note: If the task is ASYNC, and is being made runnable after sitting on an
  * rpc_wait_queue, this must be called with the queue spinlock held to protect
  * the wait queue operation.
+ * Note the ordering of rpc_test_and_set_running() and rpc_clear_queued(),
+ * which is needed to ensure that __rpc_execute() doesn't loop (due to the
+ * lockless RPC_IS_QUEUED() test) before we've had a chance to test
+ * the RPC_TASK_RUNNING flag.
  */
 static void rpc_make_runnable(struct rpc_task *task)
 {
+        bool need_wakeup = !rpc_test_and_set_running(task);
+
         rpc_clear_queued(task);
-        if (rpc_test_and_set_running(task))
+        if (!need_wakeup)
                 return;
         if (RPC_IS_ASYNC(task)) {
                 INIT_WORK(&task->u.tk_work, rpc_async_schedule);
diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c
index c3f9e1ef7f53..06bdf5a1082c 100644
--- a/net/sunrpc/svcauth_unix.c
+++ b/net/sunrpc/svcauth_unix.c
@@ -810,11 +810,15 @@ svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp)
                 goto badcred;
         argv->iov_base = (void*)((__be32*)argv->iov_base + slen);       /* skip machname */
         argv->iov_len -= slen*4;
-
+        /*
+         * Note: we skip uid_valid()/gid_valid() checks here for
+         * backwards compatibility with clients that use -1 id's.
+         * Instead, -1 uid or gid is later mapped to the
+         * (export-specific) anonymous id by nfsd_setuser.
+         * Supplementary gid's will be left alone.
+         */
         cred->cr_uid = make_kuid(&init_user_ns, svc_getnl(argv)); /* uid */
         cred->cr_gid = make_kgid(&init_user_ns, svc_getnl(argv)); /* gid */
-        if (!uid_valid(cred->cr_uid) || !gid_valid(cred->cr_gid))
-                goto badcred;
         slen = svc_getnl(argv);                 /* gids length */
         if (slen > 16 || (len -= (slen + 2)*4) < 0)
                 goto badcred;
@@ -823,8 +827,6 @@ svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp)
                 return SVC_CLOSE;
         for (i = 0; i < slen; i++) {
                 kgid_t kgid = make_kgid(&init_user_ns, svc_getnl(argv));
-                if (!gid_valid(kgid))
-                        goto badcred;
                 GROUP_AT(cred->cr_group_info, i) = kgid;
         }
         if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) {