nfsd: decouple the xprtsec policy check from check_nfsd_access()

[ Upstream commit e4f574ca ]

This is a backport of e4f574ca specifically for the 6.6-stable
kernel.  It differs from the upstream version mainly in that it's
working around the absence of some 6.12-era commits:
- 1459ad57 nfsd: Move error code mapping to per-version proc code.
- 0a183f24 NFSD: Handle @rqstp == NULL in check_nfsd_access()
- 5e66d2d9 nfsd: factor out __fh_verify to allow NULL rqstp to be
  passed

A while back I had reported that an NFSv3 client could successfully
mount using '-o xprtsec=none' an export that had been exported with
'xprtsec=tls:mtls'.  By "successfully" I mean that the mount command
would succeed and the mount would show up in /proc/mount.  Attempting
to do anything futher with the mount would be met with NFS3ERR_ACCES.

Transport Layer Security isn't an RPC security flavor or pseudo-flavor,
so we shouldn't be conflating them when determining whether the access
checks can be bypassed.  Split check_nfsd_access() into two helpers, and
have fh_verify() call the helpers directly since fh_verify() has
logic that allows one or both of the checks to be skipped.  All other
sites will continue to call check_nfsd_access().

Link: https://lore.kernel.org/linux-nfs/ZjO3Qwf_G87yNXb2@aion/


Fixes: 9280c577 ("NFSD: Handle new xprtsec= export option")
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Acked-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>