From 60e20eede94acfa2538201529fd11ef936495e35 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 11 Nov 2025 15:57:00 +0000 Subject: [PATCH] import UBI autofs-5.1.7-65.el9 --- ...1.8-always-recreate-credential-cache.patch | 132 ++++++++++++++++++ ...n-pointer-types-in-cyrus-sasl-module.patch | 4 +- ...fix-always-recreate-credential-cache.patch | 36 +++++ ....1.9-fix-handling-of-ignored-offsets.patch | 89 ++++++++++++ ...d-map-entry-handling-in-hosts-module.patch | 40 ++++++ ...-ordering-deadlock-in-expire_cleanup.patch | 4 +- ...-special-case-getautomntbyname-error.patch | 49 +++++++ SPECS/autofs.spec | 52 +++++-- 8 files changed, 392 insertions(+), 14 deletions(-) create mode 100644 SOURCES/autofs-5.1.8-always-recreate-credential-cache.patch create mode 100644 SOURCES/autofs-5.1.9-fix-always-recreate-credential-cache.patch create mode 100644 SOURCES/autofs-5.1.9-fix-handling-of-ignored-offsets.patch create mode 100644 SOURCES/autofs-5.1.9-fix-invalidated-map-entry-handling-in-hosts-module.patch create mode 100644 SOURCES/autofs-5.1.9-handle-sss-special-case-getautomntbyname-error.patch diff --git a/SOURCES/autofs-5.1.8-always-recreate-credential-cache.patch b/SOURCES/autofs-5.1.8-always-recreate-credential-cache.patch new file mode 100644 index 0000000..eda7b44 --- /dev/null +++ b/SOURCES/autofs-5.1.8-always-recreate-credential-cache.patch 
@@ -0,0 +1,132 @@ +autofs-5.1.8 - always recreate credential cache + +From: Ian Collier + +In recent Kerberos revisions when a TGT expires autofs will fail to +renew the ticket. + +Expired creds are being pulled out of the cache and in that case the patched +version clears the cache to remove the expired creds. + +If the cache is already in use, try to pull out a cred and then if that +was successful and the cred is expired, clear the cache. + +So this fixes the behaviour I was seeing, since that was happening because +expired creds were being pulled out of the cache and in that case the patched +version clears the cache to remove the expired creds. + +What sort of race conditions might happen here? + + - If the function is called very late during the validity of a ticket, it + might expire after the decision not to clear the cache. In that case, + the behaviour is the same as the unpatched version, but this is highly + unlikely because do_kinit is not supposed to happen while there is a + valid ticket. + + - If two or more threads decide to call do_kinit at about the same time: + it's protected by a mutex, so one of the calls will happen first; this + call will clear the cache and add a new ticket. When the others kick + in, the cache won't be cleared because it's only cleared if we can + find an expired ticket in the cache and any such ticket was removed + when the first do_kinit happened. + + - If one thread does do_kinit while another thread is trying to do a lookup: + if the current ticket is expired then the lookup would have failed anyway; + if it's not expired then we won't clear the cache. + + - If there is both an expired and a valid ticket in the cache: + this only happens if two or more do_kinits clashed and stored tickets + with different expiration times, and if the current time is between those + times. The current bug happens because krb5 cache retrieval is returning + the earliest (i.e. expired) ticket. 
When that's the case then do_kinit + will clear the cache because when it tests the cache it will pull the + expired cred - and it needs to do this because otherwise all lookups are + failing (that's the bug). In a case where krb5 cache retrieval returns + the valid ticket, it doesn't matter that the cache is not cleared because + any subsequent lookups will use that valid ticket. + +Signed-off-by: Ian Collier +--- + CHANGELOG | 1 + modules/cyrus-sasl.c | 53 +++++++++++++++++++++++++++++++++++++++------------ + 2 files changed, 42 insertions(+), 12 deletions(-) + +--- autofs-5.1.7.orig/CHANGELOG ++++ autofs-5.1.7/CHANGELOG +@@ -184,6 +184,7 @@ + - Fix incompatible function pointer types in cyrus-sasl module. + - fix handling of ignored offsets. + - fix invalidated map entry handling in hosts module. ++- always recreate credential cache. + + 25/01/2021 autofs-5.1.7 + - make bind mounts propagation slave by default. +--- autofs-5.1.7.orig/modules/cyrus-sasl.c ++++ autofs-5.1.7/modules/cyrus-sasl.c +@@ -509,6 +509,46 @@ sasl_do_kinit(unsigned logopt, struct lo + debug(logopt, "Using tgs name %s", tgs_name); + + memset(&my_creds, 0, sizeof(my_creds)); ++ ++ if (krb5cc_in_use++ == 0) { ++ /* tell the cache what the default principal is */ ++ ret = krb5_cc_initialize(ctxt->krb5ctxt, ++ ctxt->krb5_ccache, krb5_client_princ); ++ ++ if (ret) { ++ --krb5cc_in_use; ++ error(logopt, ++ "krb5_cc_initialize failed with error %d", ret); ++ goto out_cleanup_unparse; ++ } ++ } ++ else { ++ krb5_creds match_creds, out_creds; ++ time_t now = monotonic_time(NULL); ++ ++ /* even if the cache is in use, we will clear it if it ++ * contains an expired credential for our principal, ++ * because Kerberos doesn't always work well with caches ++ * that contain both expired and valid credentials ++ */ ++ memset(&match_creds, 0, sizeof match_creds); ++ match_creds.client = krb5_client_princ; ++ match_creds.server = tgs_princ; ++ ret = krb5_cc_retrieve_cred(ctxt->krb5ctxt, ctxt->krb5_ccache, ++ 
0, &match_creds, &out_creds); ++ if (ret == 0 && (time_t) out_creds.times.endtime < now) { ++ debug(logopt, ++ "calling krb5_cc_initialize to clear expired tickets"); ++ ret = krb5_cc_initialize(ctxt->krb5ctxt, ++ ctxt->krb5_ccache, krb5_client_princ); ++ if (ret) ++ warn(logopt, ++ "krb5_cc_initialize failed with error %d " ++ "while trying to clear existing cache", ++ ret); ++ } ++ } ++ + ret = krb5_get_init_creds_keytab(ctxt->krb5ctxt, &my_creds, + krb5_client_princ, + NULL /*keytab*/, +@@ -521,18 +561,7 @@ sasl_do_kinit(unsigned logopt, struct lo + goto out_cleanup_unparse; + } + +- if (krb5cc_in_use++ == 0) +- /* tell the cache what the default principal is */ +- ret = krb5_cc_initialize(ctxt->krb5ctxt, +- ctxt->krb5_ccache, krb5_client_princ); +- +- if (ret) { +- error(logopt, +- "krb5_cc_initialize failed with error %d", ret); +- goto out_cleanup_creds; +- } +- +- /* and store credentials for that principal */ ++ /* and store credentials for our principal */ + ret = krb5_cc_store_cred(ctxt->krb5ctxt, ctxt->krb5_ccache, &my_creds); + if (ret) { + error(logopt, diff --git a/SOURCES/autofs-5.1.9-Fix-incompatible-function-pointer-types-in-cyrus-sasl-module.patch b/SOURCES/autofs-5.1.9-Fix-incompatible-function-pointer-types-in-cyrus-sasl-module.patch index 1c1559b..20b2dba 100644 --- a/SOURCES/autofs-5.1.9-Fix-incompatible-function-pointer-types-in-cyrus-sasl-module.patch +++ b/SOURCES/autofs-5.1.9-Fix-incompatible-function-pointer-types-in-cyrus-sasl-module.patch @@ -14,9 +14,9 @@ Signed-off-by: Ian Kent --- autofs-5.1.7.orig/CHANGELOG +++ autofs-5.1.7/CHANGELOG -@@ -180,6 +180,7 @@ - - clear per-mount timeout if not set. +@@ -181,6 +181,7 @@ - fix deadlock in master_notify_submount(). + - handle sss special case getautomntbyname() error. - fix lock ordering deadlock in expire_cleanup(). +- Fix incompatible function pointer types in cyrus-sasl module. 
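Review bot: In the `else` branch added to sasl_do_kinit() by autofs-5.1.8-always-recreate-credential-cache.patch, a successful krb5_cc_retrieve_cred() fills `out_creds` with allocated contents (ticket and session key) that no visible line releases. Copy the end time into a local and call `krb5_free_cred_contents(ctxt->krb5ctxt, &out_creds);` whenever the retrieve returned 0, before deciding whether to re-initialise the cache. Separately, `krb5cc_in_use++` now runs before krb5_get_init_creds_keytab(), whose failure path still jumps to `out_cleanup_unparse`. That label is outside the hunk, but the new krb5_cc_initialize() failure branch decrements the counter by hand before jumping there, so a keytab failure probably leaves the count raised and later calls skip the initial krb5_cc_initialize(). sasl_do_kinit() starts and ends outside the hunk, so both points should be checked against the full function.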
diff --git a/SOURCES/autofs-5.1.9-fix-always-recreate-credential-cache.patch b/SOURCES/autofs-5.1.9-fix-always-recreate-credential-cache.patch new file mode 100644 index 0000000..291eb1b --- /dev/null +++ b/SOURCES/autofs-5.1.9-fix-always-recreate-credential-cache.patch @@ -0,0 +1,36 @@ +autofs-5.1.9 - fix always recreate credential cache + +From: Ian Kent + +When I aplied the original patch from Ian Collier for this I changed +the credential end time comparison to be against the time returned from +monotomic_time(). But this isn't the same as the calander time returned +from time() which Ian used in his original patch. + +Signed-off-by: Ian Kent < raven@themaw.net> +--- + CHANGELOG | 1 + + modules/cyrus-sasl.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- autofs-5.1.7.orig/CHANGELOG ++++ autofs-5.1.7/CHANGELOG +@@ -185,6 +185,7 @@ + - fix handling of ignored offsets. + - fix invalidated map entry handling in hosts module. + - always recreate credential cache. ++- fix always recreate credential cache. + + 25/01/2021 autofs-5.1.7 + - make bind mounts propagation slave by default. +--- autofs-5.1.7.orig/modules/cyrus-sasl.c ++++ autofs-5.1.7/modules/cyrus-sasl.c +@@ -524,7 +524,7 @@ sasl_do_kinit(unsigned logopt, struct lo + } + else { + krb5_creds match_creds, out_creds; +- time_t now = monotonic_time(NULL); ++ time_t now = time(NULL); + + /* even if the cache is in use, we will clear it if it + * contains an expired credential for our principal, diff --git a/SOURCES/autofs-5.1.9-fix-handling-of-ignored-offsets.patch b/SOURCES/autofs-5.1.9-fix-handling-of-ignored-offsets.patch new file mode 100644 index 0000000..012eed8 --- /dev/null +++ b/SOURCES/autofs-5.1.9-fix-handling-of-ignored-offsets.patch 
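Review bot: The corrected line `time_t now = time(NULL);` in sasl_do_kinit() has no comment saying why wall-clock time is required, and the commit message shows the monotonic clock was already substituted here once by mistake. A short comment above it would guard against a repeat, for example `/* endtime is calendar time, so compare with time(), not monotonic_time() */`. The enclosing function is only partly visible in the hunk.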
@@ -0,0 +1,89 @@ +autofs-5.1.9 - fix handling of ignored offsets + +From: Ian Kent + +If a map entry offset path already has a real mount mounted on it then +it's ignored as it has very likely been auto-mounted by the NFS client. + +But we have seen a case were autofs incorrectly makes a function call +that attempts to mount the offset tree mounts again after successfully +mounting the real mount on the offset. This causes automount(8) to see +this as an NFS auto-mounted mount to be ignored and then incorrectly +invalidates these offsets. + +Guard against this by flagging offset trigger mounts as mounted when +they are initially successfully mounted and clearing it upon umounting +them. + +Signed-off-by: Ian Kent +--- + CHANGELOG | 1 + + daemon/direct.c | 3 +++ + include/automount.h | 3 +++ + lib/mounts.c | 7 ++++++- + 4 files changed, 13 insertions(+), 1 deletion(-) + +--- autofs-5.1.7.orig/CHANGELOG ++++ autofs-5.1.7/CHANGELOG +@@ -182,6 +182,7 @@ + - handle sss special case getautomntbyname() error. + - fix lock ordering deadlock in expire_cleanup(). + - Fix incompatible function pointer types in cyrus-sasl module. ++- fix handling of ignored offsets. + + 25/01/2021 autofs-5.1.7 + - make bind mounts propagation slave by default. 
+--- autofs-5.1.7.orig/daemon/direct.c ++++ autofs-5.1.7/daemon/direct.c +@@ -539,6 +539,7 @@ int umount_autofs_offset(struct autofs_p + debug(ap->logopt, + "offset %s not mounted", + me->key); ++ me->flags &= ~MOUNT_FLAG_OFFSET_MOUNTED; + return 0; + } + ioctlfd = open_ioctlfd(ap, me->key, me->dev); +@@ -627,6 +628,7 @@ force_umount: + rv = umount2(me->key, MNT_DETACH); + } else + info(ap->logopt, "umounted offset mount %s", me->key); ++ me->flags &= ~MOUNT_FLAG_OFFSET_MOUNTED; + + return rv; + } +@@ -781,6 +783,7 @@ int mount_autofs_offset(struct autofs_po + cache_set_ino_index(me->mc, me); + notify_mount_result(ap, me->key, timeout, str_offset); + ops->close(ap->logopt, ioctlfd); ++ me->flags |= MOUNT_FLAG_OFFSET_MOUNTED; + + debug(ap->logopt, "mounted trigger %s", me->key); + +--- autofs-5.1.7.orig/include/automount.h ++++ autofs-5.1.7/include/automount.h +@@ -543,6 +543,9 @@ struct kernel_mod_version { + /* Indicator for applications to ignore the mount entry */ + #define MOUNT_FLAG_IGNORE 0x1000 + ++/* Flag to show we have mounted the offset mount trigger */ ++#define MOUNT_FLAG_OFFSET_MOUNTED 0x2000 ++ + struct autofs_point { + pthread_t thid; + char *path; /* Mount point name */ +--- autofs-5.1.7.orig/lib/mounts.c ++++ autofs-5.1.7/lib/mounts.c +@@ -1882,7 +1882,12 @@ static int tree_mapent_mount_offset(stru + if (ret != MOUNT_OFFSET_IGNORE) { + warn(ap->logopt, "failed to mount offset"); + return 0; +- } else { ++ } ++ ++ /* Only invalidate the offset trigger if a real mount ++ * is not covering it. ++ */ ++ if (!(oe->flags & MOUNT_FLAG_OFFSET_MOUNTED)) { + debug(ap->logopt, + "ignoring \"nohide\" trigger %s", oe->key); + /* diff --git a/SOURCES/autofs-5.1.9-fix-invalidated-map-entry-handling-in-hosts-module.patch b/SOURCES/autofs-5.1.9-fix-invalidated-map-entry-handling-in-hosts-module.patch new file mode 100644 index 0000000..083a1a1 --- /dev/null +++ b/SOURCES/autofs-5.1.9-fix-invalidated-map-entry-handling-in-hosts-module.patch 
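Review bot: In umount_autofs_offset() the second added `me->flags &= ~MOUNT_FLAG_OFFSET_MOUNTED;` sits after the brace-less `else` and directly before `return rv;`, so as far as the hunk shows it also runs when the umount failed and `rv` is non-zero. A trigger that is still mounted would then lose the flag, and tree_mapent_mount_offset() would again treat MOUNT_OFFSET_IGNORE as the "nohide" case and invalidate the offset, which is what this patch sets out to prevent. Consider `if (!rv) me->flags &= ~MOUNT_FLAG_OFFSET_MOUNTED;`, or add a comment explaining why clearing on failure is safe. The function bodies start and end outside the hunks, so the surrounding control flow should be confirmed.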
@@ -0,0 +1,40 @@ +autofs-5.1.9 - fix invalidated map entry handling in hosts module + +From: Ian Kent + +The multi-mount handling must be able to deal with NFS auto-mounting +mounts itself within a mount tree. If this happens the mapent will have +its ->mapent set to NULL but will not be marked with a negative timeout +and mount attempts should silently succeed. All lookup modules handle +this ok already except the hosts lookup module so fix it. + +Signed-off-by: Ian Kent +--- + CHANGELOG | 1 + + modules/lookup_hosts.c | 5 +++++ + 2 files changed, 6 insertions(+) + +--- autofs-5.1.7.orig/CHANGELOG ++++ autofs-5.1.7/CHANGELOG +@@ -183,6 +183,7 @@ + - fix lock ordering deadlock in expire_cleanup(). + - Fix incompatible function pointer types in cyrus-sasl module. + - fix handling of ignored offsets. ++- fix invalidated map entry handling in hosts module. + + 25/01/2021 autofs-5.1.7 + - make bind mounts propagation slave by default. +--- autofs-5.1.7.orig/modules/lookup_hosts.c ++++ autofs-5.1.7/modules/lookup_hosts.c +@@ -428,6 +428,11 @@ int lookup_mount(struct autofs_point *ap + * it must be a mount request for one of the exports. + */ + if (*name == '/') { ++ /* Multi-mounts must be able to ignore offsets that have ++ * been auto-mounted by NFS itself. ++ */ ++ if (!me->mapent) ++ return NSS_STATUS_SUCCESS; + pthread_cleanup_push(cache_lock_cleanup, mc); + mapent_len = strlen(me->mapent); + mapent = malloc(mapent_len + 1); diff --git a/SOURCES/autofs-5.1.9-fix-lock-ordering-deadlock-in-expire_cleanup.patch b/SOURCES/autofs-5.1.9-fix-lock-ordering-deadlock-in-expire_cleanup.patch index 7b9f3e5..0dac443 100644 --- a/SOURCES/autofs-5.1.9-fix-lock-ordering-deadlock-in-expire_cleanup.patch +++ b/SOURCES/autofs-5.1.9-fix-lock-ordering-deadlock-in-expire_cleanup.patch @@ -31,10 +31,10 @@ 
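Review bot: The new early `return NSS_STATUS_SUCCESS;` in lookup_mount() sits immediately before `pthread_cleanup_push(cache_lock_cleanup, mc);`, which suggests the map entry cache lock is already held at that point. If it is, returning here leaves the cache locked and the next thread that needs it will block. Assuming the lock is taken before the hunk begins, release it first: `if (!me->mapent) { cache_unlock(mc); return NSS_STATUS_SUCCESS; }`. The lock acquisition is outside the hunk and should be confirmed before applying this.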
Signed-off-by: Ian Kent --- autofs-5.1.7.orig/CHANGELOG +++ autofs-5.1.7/CHANGELOG -@@ -179,6 +179,7 @@ - - update per-mount expire timeout on readmap. +@@ -180,6 +180,7 @@ - clear per-mount timeout if not set. - fix deadlock in master_notify_submount(). + - handle sss special case getautomntbyname() error. +- fix lock ordering deadlock in expire_cleanup(). 25/01/2021 autofs-5.1.7 diff --git a/SOURCES/autofs-5.1.9-handle-sss-special-case-getautomntbyname-error.patch b/SOURCES/autofs-5.1.9-handle-sss-special-case-getautomntbyname-error.patch new file mode 100644 index 0000000..e2098c7 --- /dev/null +++ b/SOURCES/autofs-5.1.9-handle-sss-special-case-getautomntbyname-error.patch 
@@ -0,0 +1,49 @@ +autofs-5.1.9 - handle sss special case getautomntbyname() error + +From: Ian Kent + +The sss key lookup (via getautomntbyname()) returns EHOSTDOWN when the +entry is invalid, such as when the location is empty. But setatomntent() +has already been called successfully so we know the host is up and the +map exists hence this probably should be EINVAL. + +In both these cases the better return is NSS_STATUS_UNAVAIL. + +Signed-off-by: Ian Kent +--- + CHANGELOG | 1 + + modules/lookup_sss.c | 6 +++--- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- autofs-5.1.7.orig/CHANGELOG ++++ autofs-5.1.7/CHANGELOG +@@ -179,6 +179,7 @@ + - update per-mount expire timeout on readmap. + - clear per-mount timeout if not set. + - fix deadlock in master_notify_submount(). ++- handle sss special case getautomntbyname() error. + + 25/01/2021 autofs-5.1.7 + - make bind mounts propagation slave by default. +--- autofs-5.1.7.orig/modules/lookup_sss.c ++++ autofs-5.1.7/modules/lookup_sss.c +@@ -658,8 +658,8 @@ static int getautomntbyname(unsigned int + err = NSS_STATUS_NOTFOUND; + goto free; + } +- if (ret != EHOSTDOWN) +- goto error; ++ if (ret == EINVAL || ret == EHOSTDOWN) ++ goto free; + } + + ret = getautomntbyname_wait(logopt, ctxt, +@@ -670,7 +670,7 @@ static int getautomntbyname(unsigned int + if (ret == ETIMEDOUT) + goto error; + /* sss proto version 0 and sss timeout not set */ +- if (ret == EINVAL) ++ if (ret == EINVAL || ret == EHOSTDOWN) + goto free; + if (ret == ENOENT) { + err = NSS_STATUS_NOTFOUND; diff --git a/SPECS/autofs.spec b/SPECS/autofs.spec index bbf0e38..206d4f9 100644 --- a/SPECS/autofs.spec +++ b/SPECS/autofs.spec 
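Review bot: In getautomntbyname() the first changed test replaces `if (ret != EHOSTDOWN) goto error;` with `if (ret == EINVAL || ret == EHOSTDOWN) goto free;`, which also changes the handling of every other error code: they used to take `goto error` and now appear to fall out of the block into getautomntbyname_wait(). If that is not intended, restore an explicit `goto error;` for the remaining codes; if it is, a comment should say so. The existing comment `/* sss proto version 0 and sss timeout not set */` above the second test no longer describes a condition that also matches EHOSTDOWN. The commit message names NSS_STATUS_UNAVAIL as the result, but the value of `err` at `free` is set outside the hunk, so that cannot be confirmed from here.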
@@ -12,15 +12,13 @@ Summary: A tool for automatically mounting and unmounting filesystems Name: autofs Version: 5.1.7 -Release: 60%{?dist}.1 +Release: 65%{?dist} Epoch: 1 License: GPLv2+ Source: https://www.kernel.org/pub/linux/daemons/autofs/v5/autofs-%{version}-2.tar.gz # patches 1 and 2 have been applied to the source tar to remove # lib/mount.x as it has an incompatible license. -#Patch1: autofs-5.1.7-add-xdr_exports.patch -#Patch2: autofs-5.1.7-remove-mount_x-and-rpcgen-dependencies.patch Patch3: autofs-5.1.7-dont-use-realloc-in-host-exports-list-processing.patch Patch4: autofs-5.1.7-use-sprintf-when-constructing-hosts-mapent.patch Patch5: autofs-5.1.7-fix-mnts_remove_amdmount-uses-wrong-list.patch @@ -220,9 +218,20 @@ Patch205: autofs-5.1.7-clear-per-mount-timeout-if-not-set.patch # JIRA: RHEL-77321 Patch206: autofs-5.1.9-fix-deadlock-in-master_notify_submount.patch -# JIRA: RHEL-99167 -Patch207: autofs-5.1.9-fix-lock-ordering-deadlock-in-expire_cleanup.patch -Patch208: autofs-5.1.9-Fix-incompatible-function-pointer-types-in-cyrus-sasl-module.patch +#JIRA: RHEL-32684 +Patch207: autofs-5.1.9-handle-sss-special-case-getautomntbyname-error.patch + +#JIRA: RHEL-87031 +Patch208: autofs-5.1.9-fix-lock-ordering-deadlock-in-expire_cleanup.patch +Patch209: autofs-5.1.9-Fix-incompatible-function-pointer-types-in-cyrus-sasl-module.patch + +#JIRA: RHEL-81885 +Patch210: autofs-5.1.9-fix-handling-of-ignored-offsets.patch +Patch211: autofs-5.1.9-fix-invalidated-map-entry-handling-in-hosts-module.patch + +#JIRA: RHEL-85615 +Patch212: autofs-5.1.8-always-recreate-credential-cache.patch +Patch213: autofs-5.1.9-fix-always-recreate-credential-cache.patch %if %{with_systemd} BuildRequires: systemd-units @@ -479,9 +488,13 @@ echo %{version}-%{release} > .version %patch -P 205 -p1 %patch -P 206 -p1 - %patch -P 207 -p1 %patch -P 208 -p1 +%patch -P 209 -p1 +%patch -P 210 -p1 +%patch -P 211 -p1 +%patch -P 212 -p1 +%patch -P 213 -p1 %build LDFLAGS=-Wl,-z,now 
@@ -590,13 +603,32 @@ fi %dir /etc/auto.master.d %changelog -* Mon Jun 23 2025 Ian Kent - 1:5.1.7-60.el9_6.1 -- RHEL-99167 - autofs hang - autofs-5.1.4-114.el8_10.2 [rhel-9.6.z] +* Tue May 13 2025 Ian Kent - 1:5.1.7-65 +- RHEL-85615 - autofs fails to mount shares when using kerberised LDAP + - always recreate credential cache. + - fix always recreate credential cache. +-Resolves: RHEL-85615 + +* Wed May 07 2025 Ian Kent - 1:5.1.7-64 +- RHEL-81885 - autofs: segfault while dereferencing null mapent + - fix handling of ignored offsets. + - fix invalidated map entry handling in hosts module. + - fix changelog revision number of previous change. +- Resolves: RHEL-81885 + +* Wed Apr 16 2025 Ian Kent - 1:5.1.7-63 +- RHEL-87031 - autofs hang - autofs-5.1.4-114.el8_10.2 - fix lock ordering deadlock in expire_cleanup(). - change spec file %patchN to %patch -P N as required by rpm(8). - Fix compile error caused by function pointer types in cyrus-sasl module. - removed references to patch1 and patch2 due to rbmbuild(8) complaints. -- Resolves: RHEL-99167 +- Resolves: RHEL-87031 + +* Fri Mar 14 2025 Ian Kent - 1:5.1.7-61 +- RHEL-32684 - sssd autofs fails to get correct EHOSTDOWN if requested + incorrect mount after upgrade to sssd-2.9.1-4.el8_9.5.x86_64 + - handle sss special case getautomntbyname() error +- Resolves: RHEL-32684 * Thu Feb 06 2025 Ian Kent - 1:5.1.7-60 - RHEL-77321 - autofs: deadlock between mnts_lookup_mount and mnts_remove_mount