pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS
authorTrond Myklebust <trond.myklebust@hammerspace.com>
Sun, 19 Oct 2025 00:10:35 +0000 (20:10 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Nov 2025 09:35:54 +0000 (10:35 +0100)
[ Upstream commit 8ab523ce78d4ca13add6b4ecbacff0f84c274603 ]

The default setting for the transport security policy must be
RPC_XPRTSEC_NONE when using a TCP or RDMA connection without TLS.
Conversely, when using TLS, the security policy needs to be set.

Fixes: 6c0a8c5fcf71 ("NFS: Have struct nfs_client carry a TLS policy field")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
fs/nfs/nfs3client.c
fs/nfs/nfs4client.c

index b0c8a39c2bbdeab011a468a6b267d20a8d8ce91e..1aa4c43c9b3b417549f0f623838c99a907950315 100644 (file)
@@ -2,6 +2,7 @@
 #include <linux/nfs_fs.h>
 #include <linux/nfs_mount.h>
 #include <linux/sunrpc/addr.h>
+#include <net/handshake.h>
 #include "internal.h"
 #include "nfs3_fs.h"
 #include "netns.h"
@@ -98,7 +99,11 @@ struct nfs_client *nfs3_set_ds_client(struct nfs_server *mds_srv,
                .net = mds_clp->cl_net,
                .timeparms = &ds_timeout,
                .cred = mds_srv->cred,
-               .xprtsec = mds_clp->cl_xprtsec,
+               .xprtsec = {
+                       .policy = RPC_XPRTSEC_NONE,
+                       .cert_serial = TLS_NO_CERT,
+                       .privkey_serial = TLS_NO_PRIVKEY,
+               },
                .connect_timeout = connect_timeout,
                .reconnect_timeout = connect_timeout,
        };
@@ -111,9 +116,14 @@ struct nfs_client *nfs3_set_ds_client(struct nfs_server *mds_srv,
        cl_init.hostname = buf;
 
        switch (ds_proto) {
+       case XPRT_TRANSPORT_TCP_TLS:
+               if (mds_clp->cl_xprtsec.policy != RPC_XPRTSEC_NONE)
+                       cl_init.xprtsec = mds_clp->cl_xprtsec;
+               else
+                       ds_proto = XPRT_TRANSPORT_TCP;
+               fallthrough;
        case XPRT_TRANSPORT_RDMA:
        case XPRT_TRANSPORT_TCP:
-       case XPRT_TRANSPORT_TCP_TLS:
                if (mds_clp->cl_nconnect > 1)
                        cl_init.nconnect = mds_clp->cl_nconnect;
        }
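Review bot: In the new XPRT_TRANSPORT_TCP_TLS case, `ds_proto = XPRT_TRANSPORT_TCP;` only rewrites the local variable after `cl_init` has already been built by the designated initialiser above this hunk; the hunk does not show where `cl_init.proto` is taken from `ds_proto`, and if that happens inside the initialiser the downgrade never reaches the transport that nfs_get_client() creates, leaving a TCP_TLS transport paired with an xprtsec policy of NONE. Worth confirming that `cl_init.proto = ds_proto;` is (or is moved to be) assigned after the switch. Independently, the fallback from TLS to plain TCP when the MDS carries no TLS policy is silent, and an operator trying to understand why data-server traffic is in the clear would want at least `dprintk("%s: MDS has no TLS policy, falling back to TCP for DS %s\n", __func__, buf);` in the else branch, or a comment stating that cleartext fallback is the intended behaviour. nfs3_set_ds_client's body continues past the end of the hunk.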
index aaf723471228b749bc0a4cff7944686ab989ef5d..b14688da814d6c0d3967c6e3d84d5142c698f7ce 100644 (file)
@@ -11,6 +11,7 @@
 #include <linux/sunrpc/xprt.h>
 #include <linux/sunrpc/bc_xprt.h>
 #include <linux/sunrpc/rpc_pipe_fs.h>
+#include <net/handshake.h>
 #include "internal.h"
 #include "callback.h"
 #include "delegation.h"
@@ -992,7 +993,11 @@ struct nfs_client *nfs4_set_ds_client(struct nfs_server *mds_srv,
                .net = mds_clp->cl_net,
                .timeparms = &ds_timeout,
                .cred = mds_srv->cred,
-               .xprtsec = mds_srv->nfs_client->cl_xprtsec,
+               .xprtsec = {
+                       .policy = RPC_XPRTSEC_NONE,
+                       .cert_serial = TLS_NO_CERT,
+                       .privkey_serial = TLS_NO_PRIVKEY,
+               },
        };
        char buf[INET6_ADDRSTRLEN + 1];
 
@@ -1001,9 +1006,14 @@ struct nfs_client *nfs4_set_ds_client(struct nfs_server *mds_srv,
        cl_init.hostname = buf;
 
        switch (ds_proto) {
+       case XPRT_TRANSPORT_TCP_TLS:
+               if (mds_srv->nfs_client->cl_xprtsec.policy != RPC_XPRTSEC_NONE)
+                       cl_init.xprtsec = mds_srv->nfs_client->cl_xprtsec;
+               else
+                       ds_proto = XPRT_TRANSPORT_TCP;
+               fallthrough;
        case XPRT_TRANSPORT_RDMA:
        case XPRT_TRANSPORT_TCP:
-       case XPRT_TRANSPORT_TCP_TLS:
                if (mds_clp->cl_nconnect > 1) {
                        cl_init.nconnect = mds_clp->cl_nconnect;
                        cl_init.max_connect = NFS_MAX_TRANSPORTS;
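Review bot: The else branch of the new XPRT_TRANSPORT_TCP_TLS case silently substitutes plain TCP when the MDS has no TLS policy, so a caller that asked for a TLS transport gets cleartext data-server traffic with no log line or error; if that is intended it should say so, e.g. `/* No MDS TLS policy to inherit: DS traffic falls back to cleartext TCP */`, and otherwise returning ERR_PTR(-EINVAL) would be the fail-closed choice. The reassignment also only changes the local `ds_proto`; the hunk does not show where `cl_init.proto` is set, and if that is in the initialiser above the hunk the downgrade would not apply to the created transport, so confirm `cl_init.proto = ds_proto;` runs after the switch. As a point of style, the new condition reads `mds_srv->nfs_client->cl_xprtsec` while the neighbouring lines use `mds_clp` (presumably the same nfs_client, as in nfs3client.c); `mds_clp->cl_xprtsec` would keep the two files consistent. nfs4_set_ds_client's switch and body continue past the end of the hunk.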