import UBI autofs-5.1.7-65.el9

2025-11-11 15:57:00 +00:00 · 2025-11-11 15:57:00 +00:00 · 60e20eede9
commit 60e20eede9
parent d253c34893
8 changed files with 392 additions and 14 deletions
--- a/SOURCES/autofs-5.1.8-always-recreate-credential-cache.patch
+++ b/SOURCES/autofs-5.1.8-always-recreate-credential-cache.patch
@ -0,0 +1,132 @@
+autofs-5.1.8 - always recreate credential cache
+
+From: Ian Collier <imc@cs.ox.ac.uk>
+
+In recent Kerberos revisions when a TGT expires autofs will fail to
+renew the ticket.
+
+Expired creds are being pulled out of the cache and in that case the patched
+version clears the cache to remove the expired creds.
+
+If the cache is already in use, try to pull out a cred and then if that
+was successful and the cred is expired, clear the cache.
+
+So this fixes the behaviour I was seeing, since that was happening because
+expired creds were being pulled out of the cache and in that case the patched
+version clears the cache to remove the expired creds.
+
+What sort of race conditions might happen here?
+
+ - If the function is called very late during the validity of a ticket, it
+   might expire after the decision not to clear the cache.  In that case,
+   the behaviour is the same as the unpatched version, but this is highly
+   unlikely because do_kinit is not supposed to happen while there is a
+   valid ticket.
+
+ - If two or more threads decide to call do_kinit at about the same time:
+   it's protected by a mutex, so one of the calls will happen first; this
+   call will clear the cache and add a new ticket.  When the others kick
+   in, the cache won't be cleared because it's only cleared if we can
+   find an expired ticket in the cache and any such ticket was removed
+   when the first do_kinit happened.
+
+ - If one thread does do_kinit while another thread is trying to do a lookup:
+   if the current ticket is expired then the lookup would have failed anyway;
+   if it's not expired then we won't clear the cache.
+
+ - If there is both an expired and a valid ticket in the cache:
+   this only happens if two or more do_kinits clashed and stored tickets
+   with different expiration times, and if the current time is between those
+   times.  The current bug happens because krb5 cache retrieval is returning
+   the earliest (i.e. expired) ticket.  When that's the case then do_kinit
+   will clear the cache because when it tests the cache it will pull the
+   expired cred - and it needs to do this because otherwise all lookups are
+   failing (that's the bug).  In a case where krb5 cache retrieval returns
+   the valid ticket, it doesn't matter that the cache is not cleared because
+   any subsequent lookups will use that valid ticket.
+
+Signed-off-by: Ian Collier <imc@cs.ox.ac.uk>
+---
+ CHANGELOG            |    1 
+ modules/cyrus-sasl.c |   53 +++++++++++++++++++++++++++++++++++++++------------
+ 2 files changed, 42 insertions(+), 12 deletions(-)
+
+--- autofs-5.1.7.orig/CHANGELOG
+++ autofs-5.1.7/CHANGELOG
+@@ -184,6 +184,7 @@
+ - Fix incompatible function pointer types in cyrus-sasl module.
+ - fix handling of ignored offsets.
+ - fix invalidated map entry handling in hosts module.
+- always recreate credential cache.
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+--- autofs-5.1.7.orig/modules/cyrus-sasl.c
+++ autofs-5.1.7/modules/cyrus-sasl.c
+@@ -509,6 +509,46 @@ sasl_do_kinit(unsigned logopt, struct lo
+ 	debug(logopt, "Using tgs name %s", tgs_name);
+ 
+ 	memset(&my_creds, 0, sizeof(my_creds));
+
+	if (krb5cc_in_use++ == 0) {
+		/* tell the cache what the default principal is */
+		ret = krb5_cc_initialize(ctxt->krb5ctxt,
+				 ctxt->krb5_ccache, krb5_client_princ);
+
+		if (ret) {
+			--krb5cc_in_use;
+			error(logopt,
+			      "krb5_cc_initialize failed with error %d", ret);
+			goto out_cleanup_unparse;
+		}
+	}
+	else {
+		krb5_creds match_creds, out_creds;
+		time_t now = monotonic_time(NULL);
+
+		/* even if the cache is in use, we will clear it if it
+		 * contains an expired credential for our principal,
+		 * because Kerberos doesn't always work well with caches
+		 * that contain both expired and valid credentials
+		 */
+		memset(&match_creds, 0, sizeof match_creds);
+		match_creds.client = krb5_client_princ;
+		match_creds.server = tgs_princ;
+		ret = krb5_cc_retrieve_cred(ctxt->krb5ctxt, ctxt->krb5_ccache,
+					    0, &match_creds, &out_creds);
+		if (ret == 0 && (time_t) out_creds.times.endtime < now) {
+			debug(logopt,
+			 "calling krb5_cc_initialize to clear expired tickets");
+			ret = krb5_cc_initialize(ctxt->krb5ctxt,
+					 ctxt->krb5_ccache, krb5_client_princ);
+			if (ret)
+				warn(logopt,
+				     "krb5_cc_initialize failed with error %d "
+				     "while trying to clear existing cache",
+				     ret);
+		}
+	}
+
+ 	ret = krb5_get_init_creds_keytab(ctxt->krb5ctxt, &my_creds,
+ 					 krb5_client_princ,
+ 					 NULL /*keytab*/,
+@@ -521,18 +561,7 @@ sasl_do_kinit(unsigned logopt, struct lo
+ 		goto out_cleanup_unparse;
+ 	}
+ 
+-	if (krb5cc_in_use++ == 0)
+-		/* tell the cache what the default principal is */
+-		ret = krb5_cc_initialize(ctxt->krb5ctxt,
+-				 ctxt->krb5_ccache, krb5_client_princ);
+-
+-	if (ret) {
+-		error(logopt,
+-		      "krb5_cc_initialize failed with error %d", ret);
+-		goto out_cleanup_creds;
+-	}
+-
+-	/* and store credentials for that principal */
+	/* and store credentials for our principal */
+ 	ret = krb5_cc_store_cred(ctxt->krb5ctxt, ctxt->krb5_ccache, &my_creds);
+ 	if (ret) {
+ 		error(logopt,
--- a/SOURCES/autofs-5.1.9-Fix-incompatible-function-pointer-types-in-cyrus-sasl-module.patch
+++ b/SOURCES/autofs-5.1.9-Fix-incompatible-function-pointer-types-in-cyrus-sasl-module.patch
@ -14,9 +14,9 @@ Signed-off-by: Ian Kent <raven@themaw.net>

 --- autofs-5.1.7.orig/CHANGELOG
 +++ autofs-5.1.7/CHANGELOG
-@@ -180,6 +180,7 @@
- - clear per-mount timeout if not set.
+@@ -181,6 +181,7 @@
 - fix deadlock in master_notify_submount().
+ - handle sss special case getautomntbyname() error.
 - fix lock ordering deadlock in expire_cleanup().
 +- Fix incompatible function pointer types in cyrus-sasl module.
 
--- a/SOURCES/autofs-5.1.9-fix-always-recreate-credential-cache.patch
+++ b/SOURCES/autofs-5.1.9-fix-always-recreate-credential-cache.patch
@ -0,0 +1,36 @@
+autofs-5.1.9 - fix always recreate credential cache
+
+From: Ian Kent <raven@themaw.net>
+
+When I aplied the original patch from Ian Collier for this I changed
+the credential end time comparison to be against the time returned from
+monotomic_time(). But this isn't the same as the calander time returned
+from time() which Ian used in his original patch.
+
+Signed-off-by: Ian Kent < raven@themaw.net>
+---
+ CHANGELOG            |    1 +
+ modules/cyrus-sasl.c |    2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- autofs-5.1.7.orig/CHANGELOG
+++ autofs-5.1.7/CHANGELOG
+@@ -185,6 +185,7 @@
+ - fix handling of ignored offsets.
+ - fix invalidated map entry handling in hosts module.
+ - always recreate credential cache.
+- fix always recreate credential cache.
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+--- autofs-5.1.7.orig/modules/cyrus-sasl.c
+++ autofs-5.1.7/modules/cyrus-sasl.c
+@@ -524,7 +524,7 @@ sasl_do_kinit(unsigned logopt, struct lo
+ 	}
+ 	else {
+ 		krb5_creds match_creds, out_creds;
+-		time_t now = monotonic_time(NULL);
+		time_t now = time(NULL);
+ 
+ 		/* even if the cache is in use, we will clear it if it
+ 		 * contains an expired credential for our principal,
--- a/SOURCES/autofs-5.1.9-fix-handling-of-ignored-offsets.patch
+++ b/SOURCES/autofs-5.1.9-fix-handling-of-ignored-offsets.patch
@ -0,0 +1,89 @@
+autofs-5.1.9 - fix handling of ignored offsets
+
+From: Ian Kent <raven@themaw.net>
+
+If a map entry offset path already has a real mount mounted on it then
+it's ignored as it has very likely been auto-mounted by the NFS client.
+
+But we have seen a case were autofs incorrectly makes a function call
+that attempts to mount the offset tree mounts again after successfully
+mounting the real mount on the offset. This causes automount(8) to see
+this as an NFS auto-mounted mount to be ignored and then incorrectly
+invalidates these offsets.
+
+Guard against this by flagging offset trigger mounts as mounted when
+they are initially successfully mounted and clearing it upon umounting
+them.
+
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+ CHANGELOG           |    1 +
+ daemon/direct.c     |    3 +++
+ include/automount.h |    3 +++
+ lib/mounts.c        |    7 ++++++-
+ 4 files changed, 13 insertions(+), 1 deletion(-)
+
+--- autofs-5.1.7.orig/CHANGELOG
+++ autofs-5.1.7/CHANGELOG
+@@ -182,6 +182,7 @@
+ - handle sss special case getautomntbyname() error.
+ - fix lock ordering deadlock in expire_cleanup().
+ - Fix incompatible function pointer types in cyrus-sasl module.
+- fix handling of ignored offsets.
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+--- autofs-5.1.7.orig/daemon/direct.c
+++ autofs-5.1.7/daemon/direct.c
+@@ -539,6 +539,7 @@ int umount_autofs_offset(struct autofs_p
+ 			debug(ap->logopt,
+ 			      "offset %s not mounted",
+ 			      me->key);
+			me->flags &= ~MOUNT_FLAG_OFFSET_MOUNTED;
+ 			return 0;
+ 		}
+ 		ioctlfd = open_ioctlfd(ap, me->key, me->dev);
+@@ -627,6 +628,7 @@ force_umount:
+ 		rv = umount2(me->key, MNT_DETACH);
+ 	} else
+ 		info(ap->logopt, "umounted offset mount %s", me->key);
+	me->flags &= ~MOUNT_FLAG_OFFSET_MOUNTED;
+ 
+ 	return rv;
+ }
+@@ -781,6 +783,7 @@ int mount_autofs_offset(struct autofs_po
+ 	cache_set_ino_index(me->mc, me);
+ 	notify_mount_result(ap, me->key, timeout, str_offset);
+ 	ops->close(ap->logopt, ioctlfd);
+	me->flags |= MOUNT_FLAG_OFFSET_MOUNTED;
+ 
+ 	debug(ap->logopt, "mounted trigger %s", me->key);
+ 
+--- autofs-5.1.7.orig/include/automount.h
+++ autofs-5.1.7/include/automount.h
+@@ -543,6 +543,9 @@ struct kernel_mod_version {
+ /* Indicator for applications to ignore the mount entry */
+ #define MOUNT_FLAG_IGNORE		0x1000
+ 
+/* Flag to show we have mounted the offset mount trigger */
+#define MOUNT_FLAG_OFFSET_MOUNTED	0x2000
+
+ struct autofs_point {
+ 	pthread_t thid;
+ 	char *path;			/* Mount point name */
+--- autofs-5.1.7.orig/lib/mounts.c
+++ autofs-5.1.7/lib/mounts.c
+@@ -1882,7 +1882,12 @@ static int tree_mapent_mount_offset(stru
+ 		if (ret != MOUNT_OFFSET_IGNORE) {
+ 			warn(ap->logopt, "failed to mount offset");
+ 			return 0;
+-		} else {
+		}
+
+		/* Only invalidate the offset trigger if a real mount
+		 * is not covering it.
+		 */
+		if (!(oe->flags & MOUNT_FLAG_OFFSET_MOUNTED)) {
+ 			debug(ap->logopt,
+ 			      "ignoring \"nohide\" trigger %s", oe->key);
+ 			/*
--- a/SOURCES/autofs-5.1.9-fix-invalidated-map-entry-handling-in-hosts-module.patch
+++ b/SOURCES/autofs-5.1.9-fix-invalidated-map-entry-handling-in-hosts-module.patch
@ -0,0 +1,40 @@
+autofs-5.1.9 - fix invalidated map entry handling in hosts module
+
+From: Ian Kent <raven@themaw.net>
+
+The multi-mount handling must be able to deal with NFS auto-mounting
+mounts itself within a mount tree. If this happens the mapent will have
+its ->mapent set to NULL but will not be marked with a negative timeout
+and mount attempts should silently succeed. All lookup modules handle
+this ok already except the hosts lookup module so fix it.
+
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+ CHANGELOG              |    1 +
+ modules/lookup_hosts.c |    5 +++++
+ 2 files changed, 6 insertions(+)
+
+--- autofs-5.1.7.orig/CHANGELOG
+++ autofs-5.1.7/CHANGELOG
+@@ -183,6 +183,7 @@
+ - fix lock ordering deadlock in expire_cleanup().
+ - Fix incompatible function pointer types in cyrus-sasl module.
+ - fix handling of ignored offsets.
+- fix invalidated map entry handling in hosts module.
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+--- autofs-5.1.7.orig/modules/lookup_hosts.c
+++ autofs-5.1.7/modules/lookup_hosts.c
+@@ -428,6 +428,11 @@ int lookup_mount(struct autofs_point *ap
+ 	 * it must be a mount request for one of the exports.
+ 	 */
+ 	if (*name == '/') {
+		/* Multi-mounts must be able to ignore offsets that have
+		 * been auto-mounted by NFS itself.
+		 */
+		if (!me->mapent)
+			return NSS_STATUS_SUCCESS;
+ 		pthread_cleanup_push(cache_lock_cleanup, mc);
+ 		mapent_len = strlen(me->mapent);
+ 		mapent = malloc(mapent_len + 1);
--- a/SOURCES/autofs-5.1.9-fix-lock-ordering-deadlock-in-expire_cleanup.patch
+++ b/SOURCES/autofs-5.1.9-fix-lock-ordering-deadlock-in-expire_cleanup.patch
@ -31,10 +31,10 @@ Signed-off-by: Ian Kent <raven@themaw.net>

 --- autofs-5.1.7.orig/CHANGELOG
 +++ autofs-5.1.7/CHANGELOG
-@@ -179,6 +179,7 @@
- - update per-mount expire timeout on readmap.
+@@ -180,6 +180,7 @@
 - clear per-mount timeout if not set.
 - fix deadlock in master_notify_submount().
+ - handle sss special case getautomntbyname() error.
 +- fix lock ordering deadlock in expire_cleanup().
 
 25/01/2021 autofs-5.1.7
--- a/SOURCES/autofs-5.1.9-handle-sss-special-case-getautomntbyname-error.patch
+++ b/SOURCES/autofs-5.1.9-handle-sss-special-case-getautomntbyname-error.patch
@ -0,0 +1,49 @@
+autofs-5.1.9 - handle sss special case getautomntbyname() error
+
+From: Ian Kent <raven@themaw.net>
+
+The sss key lookup (via getautomntbyname()) returns EHOSTDOWN when the
+entry is invalid, such as when the location is empty. But setatomntent()
+has already been called successfully so we know the host is up and the
+map exists hence this probably should be EINVAL.
+
+In both these cases the better return is NSS_STATUS_UNAVAIL.
+
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+ CHANGELOG            |    1 +
+ modules/lookup_sss.c |    6 +++---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- autofs-5.1.7.orig/CHANGELOG
+++ autofs-5.1.7/CHANGELOG
+@@ -179,6 +179,7 @@
+ - update per-mount expire timeout on readmap.
+ - clear per-mount timeout if not set.
+ - fix deadlock in master_notify_submount().
+- handle sss special case getautomntbyname() error.
+ 
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+--- autofs-5.1.7.orig/modules/lookup_sss.c
+++ autofs-5.1.7/modules/lookup_sss.c
+@@ -658,8 +658,8 @@ static int getautomntbyname(unsigned int
+ 				err = NSS_STATUS_NOTFOUND;
+ 				goto free;
+ 			}
+-			if (ret != EHOSTDOWN)
+-				goto error;
+			if (ret == EINVAL || ret == EHOSTDOWN)
+				goto free;
+ 		}
+ 
+ 		ret = getautomntbyname_wait(logopt, ctxt,
+@@ -670,7 +670,7 @@ static int getautomntbyname(unsigned int
+ 			if (ret == ETIMEDOUT)
+ 				goto error;
+ 			/* sss proto version 0 and sss timeout not set */
+-			if (ret == EINVAL)
+			if (ret == EINVAL || ret == EHOSTDOWN)
+ 				goto free;
+ 			if (ret == ENOENT) {
+ 				err = NSS_STATUS_NOTFOUND;
--- a/SPECS/autofs.spec
+++ b/SPECS/autofs.spec
@ -12,15 +12,13 @@
 Summary: A tool for automatically mounting and unmounting filesystems
 Name: autofs
 Version: 5.1.7
-Release: 60%{?dist}.1
+Release: 65%{?dist}
 Epoch: 1
 License: GPLv2+
 Source: https://www.kernel.org/pub/linux/daemons/autofs/v5/autofs-%{version}-2.tar.gz

 # patches 1 and 2 have been applied to the source tar to remove
 # lib/mount.x as it has an incompatible license.
-#Patch1: autofs-5.1.7-add-xdr_exports.patch
-#Patch2: autofs-5.1.7-remove-mount_x-and-rpcgen-dependencies.patch
 Patch3: autofs-5.1.7-dont-use-realloc-in-host-exports-list-processing.patch
 Patch4: autofs-5.1.7-use-sprintf-when-constructing-hosts-mapent.patch
 Patch5: autofs-5.1.7-fix-mnts_remove_amdmount-uses-wrong-list.patch
@ -220,9 +218,20 @@ Patch205: autofs-5.1.7-clear-per-mount-timeout-if-not-set.patch
 # JIRA: RHEL-77321
 Patch206: autofs-5.1.9-fix-deadlock-in-master_notify_submount.patch

-# JIRA: RHEL-99167
-Patch207: autofs-5.1.9-fix-lock-ordering-deadlock-in-expire_cleanup.patch
-Patch208: autofs-5.1.9-Fix-incompatible-function-pointer-types-in-cyrus-sasl-module.patch
+#JIRA: RHEL-32684
+Patch207: autofs-5.1.9-handle-sss-special-case-getautomntbyname-error.patch
+
+#JIRA: RHEL-87031
+Patch208: autofs-5.1.9-fix-lock-ordering-deadlock-in-expire_cleanup.patch
+Patch209: autofs-5.1.9-Fix-incompatible-function-pointer-types-in-cyrus-sasl-module.patch
+
+#JIRA: RHEL-81885
+Patch210: autofs-5.1.9-fix-handling-of-ignored-offsets.patch
+Patch211: autofs-5.1.9-fix-invalidated-map-entry-handling-in-hosts-module.patch
+
+#JIRA: RHEL-85615
+Patch212: autofs-5.1.8-always-recreate-credential-cache.patch
+Patch213: autofs-5.1.9-fix-always-recreate-credential-cache.patch

 %if %{with_systemd}
 BuildRequires: systemd-units
@ -479,9 +488,13 @@ echo %{version}-%{release} > .version
 %patch -P 205 -p1

 %patch -P 206 -p1
-
 %patch -P 207 -p1
 %patch -P 208 -p1
+%patch -P 209 -p1
+%patch -P 210 -p1
+%patch -P 211 -p1
+%patch -P 212 -p1
+%patch -P 213 -p1

 %build
 LDFLAGS=-Wl,-z,now
@ -590,13 +603,32 @@ fi
 %dir /etc/auto.master.d

 %changelog
-* Mon Jun 23 2025 Ian Kent <ikent@redhat.com> - 1:5.1.7-60.el9_6.1
- RHEL-99167 - autofs hang - autofs-5.1.4-114.el8_10.2 [rhel-9.6.z]
+* Tue May 13 2025 Ian Kent <ikent@redhat.com> - 1:5.1.7-65
+- RHEL-85615 - autofs fails to mount shares when using kerberised LDAP
+  - always recreate credential cache.
+  - fix always recreate credential cache.
+-Resolves: RHEL-85615
+
+* Wed May 07 2025 Ian Kent <ikent@redhat.com> - 1:5.1.7-64
+- RHEL-81885 - autofs: segfault while dereferencing null mapent
+  - fix handling of ignored offsets.
+  - fix invalidated map entry handling in hosts module.
+  - fix changelog revision number of previous change.
+- Resolves: RHEL-81885
+
+* Wed Apr 16 2025 Ian Kent <ikent@redhat.com> - 1:5.1.7-63
+- RHEL-87031 - autofs hang - autofs-5.1.4-114.el8_10.2
  - fix lock ordering deadlock in expire_cleanup().
  - change spec file %patchN to %patch -P N as required by rpm(8).
  - Fix compile error caused by function pointer types in cyrus-sasl module.
  - removed references to patch1 and patch2 due to rbmbuild(8) complaints.
- Resolves: RHEL-99167
+- Resolves: RHEL-87031
+
+* Fri Mar 14 2025 Ian Kent <ikent@redhat.com> - 1:5.1.7-61
+- RHEL-32684 - sssd autofs fails to get correct EHOSTDOWN if requested
+  incorrect mount after upgrade to sssd-2.9.1-4.el8_9.5.x86_64
+  - handle sss special case getautomntbyname() error
+- Resolves: RHEL-32684

 * Thu Feb 06 2025 Ian Kent <ikent@redhat.com> - 1:5.1.7-60
 - RHEL-77321 - autofs: deadlock between mnts_lookup_mount and mnts_remove_mount