Re: git: 5169d4307eb9 - main - nfs: Fallback to GID_NOGROUP on no groups

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Sun, 03 Nov 2024 17:10:56 UTC
In message <202411031547.4A3Fl0Lh079122@gitrepo.freebsd.org>, Olivier 
Certner w
rites:
> The branch main has been updated by olce:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=5169d4307eb9c8b7bb0bd46d600012bc
> c12cbdae
>
> commit 5169d4307eb9c8b7bb0bd46d600012bcc12cbdae
> Author:     Olivier Certner <olce@FreeBSD.org>
> AuthorDate: 2024-11-03 10:26:37 +0000
> Commit:     Olivier Certner <olce@FreeBSD.org>
> CommitDate: 2024-11-03 15:45:43 +0000
>
>     nfs: Fallback to GID_NOGROUP on no groups
>     
>     We cannot unconditionally access nfsd's VNET variables in
>     'sys/kern/vfs_export.c' nor 'sys/fs/nfsserver/nfs_nfsdsubs.c', as they
>     may not have been compiled in depending on build options.
>     
>     So, forget about the extra mile of using the configured default group
>     and use the hardcoded GID_NOGROUP (which differs only on systems running
>     nfsuserd(8) and with a non-default GID for their "nogroup" group).
>     
>     Reported by:    rpokala, bapt (MINIMAL compile breakup)
>     Reported by:    cy, David Wolfskill (panics caused by mountd(8))
>     Approved by:    markj (mentor)
>     Fixes:          cfbe7a62dc62 ("nfs, rpc: Ensure kernel credentials have at least one group")
> ---
>  sys/fs/nfs/nfs_commonport.c | 3 +--
>  sys/fs/nfs/nfs_commonsubs.c | 2 +-
>  sys/kern/vfs_export.c       | 9 +++------
>  3 files changed, 5 insertions(+), 9 deletions(-)
>
> diff --git a/sys/fs/nfs/nfs_commonport.c b/sys/fs/nfs/nfs_commonport.c
> index 11f31d1a0e9f..0c94f4e7dc52 100644
> --- a/sys/fs/nfs/nfs_commonport.c
> +++ b/sys/fs/nfs/nfs_commonport.c
> @@ -75,7 +75,6 @@ NFSD_VNET_DEFINE(struct nfsstatsv1 *, nfsstatsv1_p);
>  
>  NFSD_VNET_DECLARE(struct nfssockreq, nfsrv_nfsuserdsock);
>  NFSD_VNET_DECLARE(nfsuserd_state, nfsrv_nfsuserd);
> -NFSD_VNET_DECLARE(gid_t, nfsrv_defaultgid);
>  
>  int nfs_pnfsio(task_fn_t *, void *);
>  
> @@ -260,7 +259,7 @@ newnfs_copycred(struct nfscred *nfscr, struct ucred *cr)
>  	    ("newnfs_copycred: negative nfsc_ngroups"));
>  	cr->cr_uid = nfscr->nfsc_uid;
>  	crsetgroups_fallback(cr, nfscr->nfsc_ngroups, nfscr->nfsc_groups,
> -	    NFSD_VNET(nfsrv_defaultgid));
> +	    GID_NOGROUP);
>  }
>  
>  /*
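Review bot: The `GID_NOGROUP` argument passed to `crsetgroups_fallback()` in newnfs_copycred() carries no comment explaining why a hardcoded value replaces the configured default group. Per the commit message the two differ on systems running nfsuserd(8) with a non-default "nogroup" GID, so a credential that arrives with no groups is evaluated against a different GID than the administrator configured there. I would add `/* Hardcoded: nfsd's VNET variables (nfsrv_defaultgid) may not be compiled in. */` above the call; the same comment fits the call in nfssvc_idname() and both calls in vfs_hang_addrlist(). The body of newnfs_copycred() starts outside this hunk.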
> diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
> index ce4b0052714e..81c558d768ea 100644
> --- a/sys/fs/nfs/nfs_commonsubs.c
> +++ b/sys/fs/nfs/nfs_commonsubs.c
> @@ -4052,7 +4052,7 @@ nfssvc_idname(struct nfsd_idargs *nidp)
>  			cr = crget();
>  			cr->cr_uid = cr->cr_ruid = cr->cr_svuid = nidp->nid_uid
> ;
>  			crsetgroups_fallback(cr, nidp->nid_ngroup, grps,
> -			    NFSD_VNET(nfsrv_defaultgid));
> +			    GID_NOGROUP);
>  			cr->cr_rgid = cr->cr_svgid = cr->cr_gid;
>  			cr->cr_prison = curthread->td_ucred->cr_prison;
>  			prison_hold(cr->cr_prison);
> diff --git a/sys/kern/vfs_export.c b/sys/kern/vfs_export.c
> index c0337b1fe858..a314bda164de 100644
> --- a/sys/kern/vfs_export.c
> +++ b/sys/kern/vfs_export.c
> @@ -40,6 +40,7 @@
>  
>  #include <sys/param.h>
>  #include <sys/systm.h>
> +#include <sys/conf.h>
>  #include <sys/dirent.h>
>  #include <sys/jail.h>
>  #include <sys/kernel.h>
> @@ -61,10 +62,6 @@
>  #include <rpc/types.h>
>  #include <rpc/auth.h>
>  
> -#include <fs/nfs/nfsport.h>
> -
> -NFSD_VNET_DECLARE(gid_t, nfsrv_defaultgid);
> -
>  static MALLOC_DEFINE(M_NETADDR, "export_host", "Export host address structur
> e");
>  
>  #if defined(INET) || defined(INET6)
> @@ -138,7 +135,7 @@ vfs_hang_addrlist(struct mount *mp, struct netexport *nep
> ,
>  		np->netc_anon = crget();
>  		np->netc_anon->cr_uid = argp->ex_uid;
>  		crsetgroups_fallback(np->netc_anon, argp->ex_ngroups,
> -		    argp->ex_groups, NFSD_VNET(nfsrv_defaultgid));
> +		    argp->ex_groups, GID_NOGROUP);
>  		np->netc_anon->cr_prison = &prison0;
>  		prison_hold(np->netc_anon->cr_prison);
>  		np->netc_numsecflavors = argp->ex_numsecflavors;
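Review bot: No check on `argp->ex_ngroups` is visible before this `crsetgroups_fallback()` call, whereas newnfs_copycred() asserts that its group count is non-negative just before making the same call. The export arguments presumably come from mountd(8), so if the caller does not already validate the count, an assertion such as `KASSERT(argp->ex_ngroups >= 0, ("vfs_hang_addrlist: negative ex_ngroups"));` would document the contract for the anonymous credential built here. The second `crsetgroups_fallback()` call later in vfs_hang_addrlist() has the same shape. The function starts and ends outside the hunk, so the validation may exist out of view.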
> @@ -217,7 +214,7 @@ vfs_hang_addrlist(struct mount *mp, struct netexport *nep
> ,
>  	np->netc_anon = crget();
>  	np->netc_anon->cr_uid = argp->ex_uid;
>  	crsetgroups_fallback(np->netc_anon, argp->ex_ngroups, argp->ex_groups,
> -	    NFSD_VNET(nfsrv_defaultgid));
> +	    GID_NOGROUP);
>  	np->netc_anon->cr_prison = &prison0;
>  	prison_hold(np->netc_anon->cr_prison);
>  	np->netc_numsecflavors = argp->ex_numsecflavors;
>

I'm getting a different panic this time.

panic: Assertion groups on 'cr' already set! failed at /opt/src/git-src/sys/kern/kern_prot.c:2364
cpuid = 3
time = 1730653662
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe008e9a2fb0
vpanic() at vpanic+0x136/frame 0xfffffe008e9a30e0
panic() at panic+0x43/frame 0xfffffe008e9a3140
crextend() at crextend+0x115/frame 0xfffffe008e9a3160
crsetgroups() at crsetgroups+0x29/frame 0xfffffe008e9a3190
nfsd_excred() at nfsd_excred+0xb3/frame 0xfffffe008e9a31c0
nfsrvd_dorpc() at nfsrvd_dorpc+0x128c/frame 0xfffffe008e9a33d0
nfssvc_program() at nfssvc_program+0x808/frame 0xfffffe008e9a35d0
svc_run_internal() at svc_run_internal+0xaea/frame 0xfffffe008e9a3700
svc_run() at svc_run+0x280/frame 0xfffffe008e9a3760
nfsrvd_nfsd() at nfsrvd_nfsd+0x3d3/frame 0xfffffe008e9a38c0
nfssvc_nfsd() at nfssvc_nfsd+0x535/frame 0xfffffe008e9a3de0
sys_nfssvc() at sys_nfssvc+0xcc/frame 0xfffffe008e9a3e00
amd64_syscall() at amd64_syscall+0x158/frame 0xfffffe008e9a3f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe008e9a3f30
--- syscall (155, FreeBSD ELF64, nfssvc), rip = 0x159c44daf14a, rsp = 0x159c4238b428, rbp = 0x159c4238b6c0 ---
Uptime: 14m7s
Dumping 1050 out of 8122 MB:..2%..11%..22%..31%..42%..51%..61%..71%..81%..92%


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0