From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux@stwm.de>
X-Google-Smtp-Source: AH8x224idBSYZ/GvVFlBywfyMZed1Tw/ii6jG1WjwfQG56a9R5sHLWKmmCc5TxbZZGvnmaAW2qIH
ARC-Seal: i=1; a=rsa-sha256; t=1517233372; cv=none;
        d=google.com; s=arc-20160816;
        b=mU49nsv2TRA5LQUvv4ThVoDMJkLVL3/lVzYmji53p0O1eumvWQFwYwARgZLv83wPS9
         kjzXOeSiPgGXErK5MrLzkarcKdDBimYSwkgY1OjC4qQKdLZDBo0+RQ9SZVG7e/n264MR
         UeZHGK+dV+Xtpr8GYBk8L4S6YaF3vAv2tW4fj+Qk5OL3c0BYnm0eoVdpNUwTD0a7u7TC
         lNw/YOW/6WRXNQiA3hidiZ9Vnl8C8A3Jy3MaQZy3Z34tgGHVWEeZ7R771xcoN8Rka6pQ
         HKg/fMqZSyKqzFBBQWZuXa9mkwQ2RviSkbgXlNbz7Fc5JE51ONHY6dghjYstzJ7GSa/Q
         9dVw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :user-agent:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=c3XrKvKBlaoxkMyVYPj/jVw5Ns5KFuGAp3jhg7ZyUgI=;
        b=X0htL4CCsQJbuD6an6Dc85RjHz9o9+2E8FFgZMT+9R+g0gDjx4W4ajmNBAa3OSqHBg
         kZGvLABqs+LSTzvZ9m+5XVSu1mrBTTNLnfP5IRggtzGX+HTSP3NeCp7IPgp7DpLGpUz7
         1qx/LkANy1lB6za3UgKico5Lk7BegYfldBUa1sSPJQA/MXG8qUwj4MwZLxaKf1PQyf3+
         ZvggPtKN/pol2YycjaVRvE+7ljIheiR7GJeKeiJ822N5tA7QcbxlP9fC4hISRULhDSUV
         QL3FuEA7kplr3fVYF2ABeQ7vkT0uIwLxJlNu8e5KaHLMybtKFHD3eXq7eMJ3n9JXZVVj
         yXPQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=neutral (google.com: 141.84.225.229 is neither permitted nor denied by best guess record for domain of linux@stwm.de) smtp.mailfrom=linux@stwm.de
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 141.84.225.229 is neither permitted nor denied by best guess record for domain of linux@stwm.de) smtp.mailfrom=linux@stwm.de
From: Wolfgang Walter <linux@stwm.de>
To: stable@vger.kernel.org
Cc: gregkh@linuxfoundation.org, Ben Hutchings <ben.hutchings@codethink.co.uk>, linux-kernel@vger.kernel.org
Subject: Re: NFS: regression in stable kernel 4.9.78 from 4.9.75
Date: Mon, 29 Jan 2018 14:42:49 +0100
Message-ID: <3821612.ct3L5FXvrM@stwm.de>
User-Agent: KMail/4.14.3 (Linux/4.4.0-109-generic; KDE/4.14.13; x86_64; ; )
In-Reply-To: <2316958.ApAh1ic5rg@stwm.de>
References: <2316958.ApAh1ic5rg@stwm.de>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-LABELS: =?utf-8?b?IlxcSW1wb3J0YW50Ig==?=
X-GMAIL-THRID: =?utf-8?q?1590934500066486121?=
X-GMAIL-MSGID: =?utf-8?q?1590934500066486121?=
X-Mailing-List: linux-kernel@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>

Hello!

Am Montag, 29. Januar 2018, 13:22:49 schrieb Wolfgang Walter:
> Hello,
>=20
> after upgrading our nfs-server from  4.9.75 to 4.9.78 group permissio=
ns stop
> working (for clients). If you need group permissions to access a file=
 or
> directory, sometimes access is granted, but rather often denied. Ofte=
n
> access to the same object is denied within seconds after access was g=
ranted
> in an earlier access. user permissions work fine.
>=20
> Downgrading to 4.9.75 fixes the issue.
>=20
> We use kerberos.
>=20
> Regards,

This seems to be fixed in 4.15 with commit=20
1995266727fa8143897e89b55f5d3c79aa828420:


commit 1995266727fa8143897e89b55f5d3c79aa828420
Author: Ben Hutchings <ben.hutchings@codethink.co.uk>
Date:   Mon Jan 22 20:11:06 2018 +0000

    nfsd: auth: Fix gid sorting when rootsquash enabled
   =20
    Commit bdcf0a423ea1 ("kernel: make groups_sort calling a responsibi=
lity
    group_info allocators") appears to break nfsd rootsquash in a prett=
y
    major way.
   =20
    It adds a call to groups_sort() inside the loop that copies/squashe=
s
    gids, which means the valid gids are sorted along with the followin=
g
    garbage.  The net result is that the highest numbered valid gids ar=
e
    replaced with any lower-valued garbage gids, possibly including 0.
   =20
    We should sort only once, after filling in all the gids.
   =20
    Fixes: bdcf0a423ea1 ("kernel: make groups_sort calling a responsibi=
lity=20
...")
    Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Acked-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>


So this should be applied to stables 4.4, 4.9 and 4.14 (and others wher=
e=20
bdcf0a423ea1 has been backported to).

Regards,
--=20
Wolfgang Walter
Studentenwerk M=FCnchen
Anstalt des =F6ffentlichen Rechts

From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mailin.studentenwerk.mhn.de ([141.84.225.229]:59956 "EHLO
        email.studentenwerk.mhn.de" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1751256AbeA2Nmx (ORCPT
        <rfc822;stable@vger.kernel.org>); Mon, 29 Jan 2018 08:42:53 -0500
From: Wolfgang Walter <linux@stwm.de>
To: stable@vger.kernel.org
Cc: gregkh@linuxfoundation.org,
        Ben Hutchings <ben.hutchings@codethink.co.uk>,
        linux-kernel@vger.kernel.org
Subject: Re: NFS: regression in stable kernel 4.9.78 from 4.9.75
Date: Mon, 29 Jan 2018 14:42:49 +0100
Message-ID: <3821612.ct3L5FXvrM@stwm.de>
In-Reply-To: <2316958.ApAh1ic5rg@stwm.de>
References: <2316958.ApAh1ic5rg@stwm.de>
MIME-Version: 1.0
Content-Transfer-Encoding: 8BIT
Content-Type: text/plain; charset="iso-8859-1"
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

Hello!

Am Montag, 29. Januar 2018, 13:22:49 schrieb Wolfgang Walter:
> Hello,
> 
> after upgrading our nfs-server from  4.9.75 to 4.9.78 group permissions stop
> working (for clients). If you need group permissions to access a file or
> directory, sometimes access is granted, but rather often denied. Often
> access to the same object is denied within seconds after access was granted
> in an earlier access. user permissions work fine.
> 
> Downgrading to 4.9.75 fixes the issue.
> 
> We use kerberos.
> 
> Regards,

This seems to be fixed in 4.15 with commit 
1995266727fa8143897e89b55f5d3c79aa828420:


commit 1995266727fa8143897e89b55f5d3c79aa828420
Author: Ben Hutchings <ben.hutchings@codethink.co.uk>
Date:   Mon Jan 22 20:11:06 2018 +0000

    nfsd: auth: Fix gid sorting when rootsquash enabled
    
    Commit bdcf0a423ea1 ("kernel: make groups_sort calling a responsibility
    group_info allocators") appears to break nfsd rootsquash in a pretty
    major way.
    
    It adds a call to groups_sort() inside the loop that copies/squashes
    gids, which means the valid gids are sorted along with the following
    garbage.  The net result is that the highest numbered valid gids are
    replaced with any lower-valued garbage gids, possibly including 0.
    
    We should sort only once, after filling in all the gids.
    
    Fixes: bdcf0a423ea1 ("kernel: make groups_sort calling a responsibility 
...")
    Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Acked-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>


So this should be applied to stables 4.4, 4.9 and 4.14 (and others where 
bdcf0a423ea1 has been backported to).

Regards,
-- 
Wolfgang Walter
Studentenwerk M�nchen
Anstalt des �ffentlichen Rechts