nfsd: fix access checking for NLM under XPRTSEC policies

When an export policy with xprtsec policy is set with "tls" and/or "mtls", but an NFS client is doing a v3 xprtsec=tls mount, then NLM locking calls fail with an error because there is currently no support for NLM with TLS. Until such support is added, allow NLM calls under TLS-secured policy. Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK") Cc: stable@vger.kernel.org Signed-off-by: Olga Kornievskaia <okorniev@redhat.com> Reviewed-by: NeilBrown <neil@brown.name> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
author: Olga Kornievskaia <okorniev@redhat.com> 2025-03-21 20:13:04 -0400
committer: Chuck Lever <chuck.lever@oracle.com> 2025-05-11 19:48:25 -0400
commit: 0813c5f01249dbc32ccbc68d27a24fde5bf2901c (patch)
tree: 8f237cd47566a1b71376eaa2dece34dfadc4f037
parent: c447d2ac987bb5e155ed817a61db29978e684339 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index 0363720280d4..88ae410b4113 100644
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -1124,7 +1124,8 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
 		    test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))
 			goto ok;
 	}
-	goto denied;
+	if (!may_bypass_gss)
+		goto denied;
 
 ok:
 	/* legacy gss-only clients are always OK: */
author	Olga Kornievskaia <okorniev@redhat.com>	2025-03-21 20:13:04 -0400
committer	Chuck Lever <chuck.lever@oracle.com>	2025-05-11 19:48:25 -0400
commit	0813c5f01249dbc32ccbc68d27a24fde5bf2901c (patch)
tree	8f237cd47566a1b71376eaa2dece34dfadc4f037
parent	c447d2ac987bb5e155ed817a61db29978e684339 (diff)