On Fri, 2025-03-21 at 20:13 -0400, Olga Kornievskaia wrote:
> When an export policy with xprtsec policy is set with "tls"
> and/or "mtls", but an NFS client is doing a v3 xprtsec=tls
> mount, then NLM locking calls fail with an error because
> there is currently no support for NLM with TLS.
>
> Until such support is added, allow NLM calls under TLS-secured
> policy.
>
> Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
> Signed-off-by: Olga Kornievskaia <okorniev@xxxxxxxxxx>
> ---
> fs/nfsd/export.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> index 0363720280d4..88ae410b4113 100644
> --- a/fs/nfsd/export.c
> +++ b/fs/nfsd/export.c
> @@ -1124,7 +1124,8 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
> test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))
> goto ok;
> }
> - goto denied;
> + if (!may_bypass_gss)
> + goto denied;
>
> ok:
> /* legacy gss-only clients are always OK: */
Reviewed-by: Jeff Layton <jlayton@xxxxxxxxxx>
