git: 4bef138e8d91 - stable/13 - nfs: Fallback to GID_NOGROUP on no groups

From: Olivier Certner <olce_at_FreeBSD.org>
Date: Fri, 15 Nov 2024 13:00:56 UTC
The branch stable/13 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=4bef138e8d91cda4d26cb4f20c6f419908b0f7b6

commit 4bef138e8d91cda4d26cb4f20c6f419908b0f7b6
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2024-11-03 10:26:37 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2024-11-15 12:59:10 +0000

    nfs: Fallback to GID_NOGROUP on no groups
    
    We cannot unconditionally access nfsd's VNET variables in
    'sys/kern/vfs_export.c' nor 'sys/fs/nfsserver/nfs_nfsdsubs.c', as they
    may not have been compiled in depending on build options.
    
    So, forget about the extra mile of using the configured default group
    and use the hardcoded GID_NOGROUP (which differs only on systems running
    nfsuserd(8) and with a non-default GID for their "nogroup" group).
    
    Reported by:    rpokala, bapt (MINIMAL compile breakup)
    Reported by:    cy, David Wolfskill (panics caused by mountd(8))
    Approved by:    markj (mentor)
    Fixes:          cfbe7a62dc62 ("nfs, rpc: Ensure kernel credentials have at least one group")
    
    (cherry picked from commit 5169d4307eb9c8b7bb0bd46d600012bcc12cbdae)
---
 sys/fs/nfs/nfs_commonport.c | 3 +--
 sys/fs/nfs/nfs_commonsubs.c | 2 +-
 sys/kern/vfs_export.c       | 9 +++------
 3 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/sys/fs/nfs/nfs_commonport.c b/sys/fs/nfs/nfs_commonport.c
index 67dd8e14a22c..c84548b54fc1 100644
--- a/sys/fs/nfs/nfs_commonport.c
+++ b/sys/fs/nfs/nfs_commonport.c
@@ -75,7 +75,6 @@ NFSD_VNET_DEFINE(struct nfsstatsv1 *, nfsstatsv1_p);
 
 NFSD_VNET_DECLARE(struct nfssockreq, nfsrv_nfsuserdsock);
 NFSD_VNET_DECLARE(nfsuserd_state, nfsrv_nfsuserd);
-NFSD_VNET_DECLARE(gid_t, nfsrv_defaultgid);
 
 int nfs_pnfsio(task_fn_t *, void *);
 
@@ -261,7 +260,7 @@ newnfs_copycred(struct nfscred *nfscr, struct ucred *cr)
 	    ("newnfs_copycred: negative nfsc_ngroups"));
 	cr->cr_uid = nfscr->nfsc_uid;
 	crsetgroups_fallback(cr, nfscr->nfsc_ngroups, nfscr->nfsc_groups,
-	    NFSD_VNET(nfsrv_defaultgid));
+	    GID_NOGROUP);
 }
 
 /*
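Review bot: The fallback argument in newnfs_copycred is now a bare `GID_NOGROUP`, and nothing at the call site says why the nfsuserd-configured default group is deliberately not used. A one-line comment above the call would stop a later cleanup from reintroducing the VNET access, for example `/* Hardcoded fallback: nfsd's VNET variables may not be compiled in. */`. The same comment applies to the call in nfssvc_idname and to both calls in vfs_hang_addrlist. Per the commit message, systems running nfsuserd(8) with a non-default "nogroup" GID will see group-less credentials land in a different group than the configured one, so this deserves a mention in the operator-facing notes for anyone auditing group permissions on exported files. The body of newnfs_copycred starts outside the hunk.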
diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
index cbac4ee85167..256342f146f0 100644
--- a/sys/fs/nfs/nfs_commonsubs.c
+++ b/sys/fs/nfs/nfs_commonsubs.c
@@ -3979,7 +3979,7 @@ nfssvc_idname(struct nfsd_idargs *nidp)
 			cr = crget();
 			cr->cr_uid = cr->cr_ruid = cr->cr_svuid = nidp->nid_uid;
 			crsetgroups_fallback(cr, nidp->nid_ngroup, grps,
-			    NFSD_VNET(nfsrv_defaultgid));
+			    GID_NOGROUP);
 			cr->cr_rgid = cr->cr_svgid = cr->cr_gid;
 			cr->cr_prison = curthread->td_ucred->cr_prison;
 			prison_hold(cr->cr_prison);
diff --git a/sys/kern/vfs_export.c b/sys/kern/vfs_export.c
index 6eb20c8ed3a9..f3c11541ceea 100644
--- a/sys/kern/vfs_export.c
+++ b/sys/kern/vfs_export.c
@@ -42,6 +42,7 @@
 
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/conf.h>
 #include <sys/dirent.h>
 #include <sys/jail.h>
 #include <sys/kernel.h>
@@ -63,10 +64,6 @@
 #include <rpc/types.h>
 #include <rpc/auth.h>
 
-#include <fs/nfs/nfsport.h>
-
-NFSD_VNET_DECLARE(gid_t, nfsrv_defaultgid);
-
 static MALLOC_DEFINE(M_NETADDR, "export_host", "Export host address structure");
 
 #if defined(INET) || defined(INET6)
@@ -140,7 +137,7 @@ vfs_hang_addrlist(struct mount *mp, struct netexport *nep,
 		np->netc_anon = crget();
 		np->netc_anon->cr_uid = argp->ex_uid;
 		crsetgroups_fallback(np->netc_anon, argp->ex_ngroups,
-		    argp->ex_groups, NFSD_VNET(nfsrv_defaultgid));
+		    argp->ex_groups, GID_NOGROUP);
 		np->netc_anon->cr_prison = &prison0;
 		prison_hold(np->netc_anon->cr_prison);
 		np->netc_numsecflavors = argp->ex_numsecflavors;
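Review bot: Neither vfs_hang_addrlist hunk shows a check that `argp->ex_ngroups` is non-negative before it reaches crsetgroups_fallback(), whereas newnfs_copycred asserts this on its own count (the "negative nfsc_ngroups" KASSERT). The export arguments are presumably filled in from a userland request (the commit message cites panics triggered through mountd(8)), so the count should be treated as untrusted here. If the caller does not already validate it, add `KASSERT(argp->ex_ngroups >= 0, ("%s: negative ex_ngroups", __func__));` before this call and before the one in the hunk at -219. A runtime range check that returns an error would also cover kernels built without INVARIANTS. The function starts and ends outside both hunks, so such validation may exist out of view.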
@@ -219,7 +216,7 @@ vfs_hang_addrlist(struct mount *mp, struct netexport *nep,
 	np->netc_anon = crget();
 	np->netc_anon->cr_uid = argp->ex_uid;
 	crsetgroups_fallback(np->netc_anon, argp->ex_ngroups, argp->ex_groups,
-	    NFSD_VNET(nfsrv_defaultgid));
+	    GID_NOGROUP);
 	np->netc_anon->cr_prison = &prison0;
 	prison_hold(np->netc_anon->cr_prison);
 	np->netc_numsecflavors = argp->ex_numsecflavors;