From nobody Fri Jan 9 00:33:27 2026 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dnN6b3Qwsz6N11k for ; Fri, 09 Jan 2026 00:33:27 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dnN6b1G8Kz3WFG for ; Fri, 09 Jan 2026 00:33:27 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1767918807; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=acrlZNdxPzH7BYesYB1oIob4VOgeMAvr88rItBTkECA=; b=nj1eqYrqaGQLISAoAmn9W//tmy7ReJQxDH8SKe9yRJJ6j8UsINoK//aP4yUPh8/jfEHa6d PyfxRF1tMn1f/JZx4CX2VBrxyhP2pn50QA6BpfzwU/GlEinpuIWXifimAjAIlpTMm59ubT Xk9z6oeTb+qTEX4FqKkU5xIz0/kUF3fYsjEVB8wcwnjsg+oLPrULDXYNpTysDryOfh3Nun BT9Z2k8uJk7sjvrDtWCU//D5oVI7aNx0TPJbvahOt5HAGLQAW6Rqw8g2bZVW/l6K/iq7+f fYVcs1JLpaNqBUn3hb0chC8n1pFtOjnhQmQMa+bF+wMyyUSg9iJEV6Z9uYfksw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1767918807; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=acrlZNdxPzH7BYesYB1oIob4VOgeMAvr88rItBTkECA=; b=OxQcaUsOfEUgpc4H44O9G7+A15T7OGkF018EBJ3JokaWHuP16yTH/cOwYOpjJf9vl1/URd XpA6k7HNADb5zAkPffT9lo9bBjmX2/Atp0FNdNEtXLfbiiZOHT9IsRRnfbN/DXTN2wnd1y RM0jgRlyxSvM3Mct8uWVNWsFkXwaORq5unYv+1NmUw57FNZXK7e7fNDnAmYlaJjOiLZ80k lZlsdbhxGInDrF+LocWTUBMblDsoXmjNfjyWInhDusz6RkGgsrpMN20pPq7U2q4xtWSLb4 tiWL+HWm4UFhgpjBnOgqeXz3t5Fuq8ulW/aIdVS7ys3VB5u8aa7hUpc1qvLKag== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1767918807; a=rsa-sha256; cv=none; b=EZnXh85KMysPsOzbdtlFk3+O336yl9XkBwK3Cz/blIJv8CmYsyau4hKdFbCUq09nmWsNG/ XD3bSPrUQwQ75/gYL4A2Ycrhx0+PENn+lcGkz4F5jDQA+/2YVbOIUbDxWMQpRCJsanj04/ k8bxuuyyKmUnI9N2zvdXvngSqD3awngKwbYJG5xcaPVEJrOTY9w87wv5jTH2fPtr5Y1XSQ VsbcT3jI8seMMNCl9ToNBrg3oi8X5K8IrolBgsBw++AHR1Ud2ALkCfNv8PBjISfXWmGFuf 7M636RB3ZA3HjpBM1q/ZRrw8ZUhFS1m4RG6ETd+MNH5HotDOgwCfqj0reDfv9w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4dnN6b0jVBz12Bt for ; Fri, 09 Jan 2026 00:33:27 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3aebd by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Fri, 09 Jan 2026 00:33:27 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Rick Macklem Subject: git: a6d57f312f18 - main - nfsd: Fix handling of hidden/system during Open/Create List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: rmacklem X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: a6d57f312f18bbeeda8a34e99d0a662b0db9a190 Auto-Submitted: auto-generated Date: Fri, 09 Jan 2026 00:33:27 +0000 Message-Id: <69604cd7.3aebd.7fdcb739@gitrepo.freebsd.org> The branch main has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=a6d57f312f18bbeeda8a34e99d0a662b0db9a190 commit a6d57f312f18bbeeda8a34e99d0a662b0db9a190 Author: Rick Macklem AuthorDate: 2026-01-08 16:27:32 +0000 Commit: Rick Macklem CommitDate: 2026-01-08 16:27:32 +0000 nfsd: Fix handling of hidden/system during Open/Create When an NFSv4.n client specifies settings for the archive, hidden and/or system attributes during a Open/Create, the Open/Create fails for ZFS. This is caused by ZFS doing a secpolicy_xvattr() call, which fails for non-root. If this check is bypassed, ZFS panics. This patch resolves the problem by disabling va_flags for the VOP_CREATE() call in the NFSv4.n server and then setting the flags with a subsequent VOP_SETATTR(). This problem only affects FreeBSD-15 and main, since the archive, system and hidden attributes are not enabled for FreeBSD-14. I think a similar problem exists for the NFSv4.n Open/Create/Exclusive_41, but that will be resolved in a future commit. Note that the Linux, Solaris and FreeBSD clients do not set archive, hidden or system for Open/Create, so the bug does not affect mounts from those clients. PR: 292283 Reported by: Aurelien Couderc Tested by: Aurelien Couderc MFC after: 2 weeks --- sys/fs/nfsserver/nfs_nfsdport.c | 11 +++++++++++ sys/fs/nfsserver/nfs_nfsdsubs.c | 38 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/sys/fs/nfsserver/nfs_nfsdport.c b/sys/fs/nfsserver/nfs_nfsdport.c index 7d64f211b058..1e215b52e835 100644 --- a/sys/fs/nfsserver/nfs_nfsdport.c +++ b/sys/fs/nfsserver/nfs_nfsdport.c @@ -1977,6 +1977,7 @@ nfsvno_open(struct nfsrv_descript *nd, struct nameidata *ndp, struct nfsexstuff nes; struct thread *p = curthread; uint32_t oldrepstat; + u_long savflags; if (ndp->ni_vp == NULL) { /* @@ -1991,6 +1992,15 @@ nfsvno_open(struct nfsrv_descript *nd, struct nameidata *ndp, } if (!nd->nd_repstat) { if (ndp->ni_vp == NULL) { + /* + * Most file systems ignore va_flags for + * VOP_CREATE(), however setting va_flags + * for VOP_CREATE() causes problems for ZFS. + * So disable them and let nfsrv_fixattr() + * do them, as required. + */ + savflags = nvap->na_flags; + nvap->na_flags = VNOVAL; nd->nd_repstat = VOP_CREATE(ndp->ni_dvp, &ndp->ni_vp, &ndp->ni_cnd, &nvap->na_vattr); /* For a pNFS server, create the data file on a DS. */ @@ -2003,6 +2013,7 @@ nfsvno_open(struct nfsrv_descript *nd, struct nameidata *ndp, nfsrv_pnfscreate(ndp->ni_vp, &nvap->na_vattr, cred, p); } + nvap->na_flags = savflags; VOP_VPUT_PAIR(ndp->ni_dvp, nd->nd_repstat == 0 ? &ndp->ni_vp : NULL, false); nfsvno_relpathbuf(ndp); diff --git a/sys/fs/nfsserver/nfs_nfsdsubs.c b/sys/fs/nfsserver/nfs_nfsdsubs.c index ea8382e4282a..c8c78d98be72 100644 --- a/sys/fs/nfsserver/nfs_nfsdsubs.c +++ b/sys/fs/nfsserver/nfs_nfsdsubs.c @@ -1697,6 +1697,44 @@ nfsrv_fixattr(struct nfsrv_descript *nd, vnode_t vp, NFSCLRBIT_ATTRBIT(attrbitp, NFSATTRBIT_OWNERGROUP); } } + + /* + * For archive, ZFS sets it by default for new files, + * so if specified, it must be set or cleared. + * For hidden and system, no file system sets them + * by default upon creation, so they only need to be + * set and not cleared. + */ + if (NFSISSET_ATTRBIT(attrbitp, NFSATTRBIT_ARCHIVE)) { + if (nva.na_flags == VNOVAL) + nva.na_flags = 0; + if ((nvap->na_flags & UF_ARCHIVE) != 0) + nva.na_flags |= UF_ARCHIVE; + change++; + NFSSETBIT_ATTRBIT(&nattrbits, NFSATTRBIT_ARCHIVE); + } + if (NFSISSET_ATTRBIT(attrbitp, NFSATTRBIT_HIDDEN)) { + if ((nvap->na_flags & UF_HIDDEN) != 0) { + if (nva.na_flags == VNOVAL) + nva.na_flags = 0; + nva.na_flags |= UF_HIDDEN; + change++; + NFSSETBIT_ATTRBIT(&nattrbits, NFSATTRBIT_HIDDEN); + } else { + NFSCLRBIT_ATTRBIT(attrbitp, NFSATTRBIT_HIDDEN); + } + } + if (NFSISSET_ATTRBIT(attrbitp, NFSATTRBIT_SYSTEM)) { + if ((nvap->na_flags & UF_SYSTEM) != 0) { + if (nva.na_flags == VNOVAL) + nva.na_flags = 0; + nva.na_flags |= UF_SYSTEM; + change++; + NFSSETBIT_ATTRBIT(&nattrbits, NFSATTRBIT_SYSTEM); + } else { + NFSCLRBIT_ATTRBIT(attrbitp, NFSATTRBIT_SYSTEM); + } + } if (change) { error = nfsvno_setattr(vp, &nva, nd->nd_cred, p, exp); if (error) {