nfsd: fix access checking for NLM under XPRTSEC policies

Olga Kornievskaia · Olga Kornievskaia · commit b139cd7a50a6 · 2025-06-12T11:36:09.000-04:00
JIRA: https://issues.redhat.com/browse/RHEL-82689 commit 0813c5f Author: Olga Kornievskaia <okorniev@redhat.com> Date: Fri Mar 21 20:13:04 2025 -0400 nfsd: fix access checking for NLM under XPRTSEC policies When an export policy with xprtsec policy is set with "tls" and/or "mtls", but an NFS client is doing a v3 xprtsec=tls mount, then NLM locking calls fail with an error because there is currently no support for NLM with TLS. Until such support is added, allow NLM calls under TLS-secured policy. Fixes: 4cc9b9f ("nfsd: refine and rename NFSD_MAY_LOCK") Cc: stable@vger.kernel.org Signed-off-by: Olga Kornievskaia <okorniev@redhat.com> Reviewed-by: NeilBrown <neil@brown.name> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
@@ -1130,7 +1130,8 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
 		    test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))
 			goto ok;
 	}
-	goto denied;
+	if (!may_bypass_gss)
+		goto denied;
 
 ok:
 	/* legacy gss-only clients are always OK: */

Original file line number	Diff line number	Diff line change
`@@ -1130,7 +1130,8 @@ __be32 check_nfsd_access(struct svc_export exp, struct svc_rqst rqstp,`
`1130`	`1130`	`test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))`
`1131`	`1131`	`goto ok;`
`1132`	`1132`	`}`
`1133`		`- goto denied;`
	`1133`	`+ if (!may_bypass_gss)`
	`1134`	`+ goto denied;`
`1134`	`1135`
`1135`	`1136`	`ok:`
`1136`	`1137`	`/* legacy gss-only clients are always OK: */`