import sssd-2.8.2-2.el8

SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch

@@ -0,0 +1,58 @@
+From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 3 Feb 2023 11:35:42 +0100
+Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common
+ read/write/check helpers.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)`
+error condition is detected, regular `POLLIN/POLLOUT` won't be set.
+Error code set by error condition should have a priority. This enables
+users of this helper to retry attempt (as designed).
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd)
+---
+ src/sss_client/common.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 2c888faa9..27e09f6f3 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
+         case 1:
+             if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
+                 *errnop = EPIPE;
+-            }
+-            if (!(pfd.revents & POLLOUT)) {
++            } else if (!(pfd.revents & POLLOUT)) {
+                 *errnop = EBUSY;
+             }
+             break;
+@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
+             }
+             if (pfd.revents & (POLLERR | POLLNVAL)) {
+                 *errnop = EPIPE;
+-            }
+-            if (!(pfd.revents & POLLIN)) {
++            } else if (!(pfd.revents & POLLIN)) {
+                 *errnop = EBUSY;
+             }
+             break;
+@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop,
+         case 1:
+             if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
+                 *errnop = EPIPE;
+-            }
+-            if (!(pfd.revents & (POLLIN | POLLOUT))) {
++            } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
+                 *errnop = EBUSY;
+             }
+             break;
+-- 
+2.37.3
+

SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch

@@ -0,0 +1,63 @@
+From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 8 Feb 2023 17:48:52 +0100
+Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is
+ alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise
+ there is a risk to close "foreign" socket opened in another thread.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3)
+---
+ src/sss_client/common.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 27e09f6f3..c8ade645b 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
+             *errnop = ETIME;
+             break;
+         case 1:
+-            if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
++            if (pfd.revents & (POLLERR | POLLHUP)) {
++                *errnop = EPIPE;
++            } else if (pfd.revents & POLLNVAL) {
++                /* Invalid request: fd is not opened */
++                sss_cli_sd = -1;
+                 *errnop = EPIPE;
+             } else if (!(pfd.revents & POLLOUT)) {
+                 *errnop = EBUSY;
+@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
+             if (pfd.revents & (POLLHUP)) {
+                 pollhup = true;
+             }
+-            if (pfd.revents & (POLLERR | POLLNVAL)) {
++            if (pfd.revents & POLLERR) {
++                *errnop = EPIPE;
++            } else if (pfd.revents & POLLNVAL) {
++                /* Invalid request: fd is not opened */
++                sss_cli_sd = -1;
+                 *errnop = EPIPE;
+             } else if (!(pfd.revents & POLLIN)) {
+                 *errnop = EBUSY;
+@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop,
+             *errnop = ETIME;
+             break;
+         case 1:
+-            if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
++            if (pfd.revents & (POLLERR | POLLHUP)) {
++                *errnop = EPIPE;
++            } else if (pfd.revents & POLLNVAL) {
++                /* Invalid request: fd is not opened */
++                sss_cli_sd = -1;
+                 *errnop = EPIPE;
+             } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
+                 *errnop = EBUSY;
+-- 
+2.37.3
+

SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch

@@ -0,0 +1,53 @@
+From 1fd7a5ecb46a02a29ebf42039575b5344307bfbb Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 8 Feb 2023 18:58:37 +0100
+Subject: [PATCH 4/4] PAM_SSS: close(sss_cli_sd) should also be protected with
+ mutex. Otherwise a thread calling pam_end() can close socket mid pam
+ transaction in another thread.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug only manifested on platforms where "lockfree client"
+feature wasn't built.
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit bf3f73ea0ee123fe4e7c4bdd2287ac5a5e6d9082)
+---
+ src/sss_client/pam_sss.c     | 3 +++
+ src/sss_client/pam_sss_gss.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
+index afbdef59a..39ad17188 100644
+--- a/src/sss_client/pam_sss.c
++++ b/src/sss_client/pam_sss.c
+@@ -117,7 +117,10 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err)
+ #endif /* PAM_DATA_REPLACE */
+ 
+     D(("Closing the fd"));
++
++    sss_pam_lock();
+     sss_cli_close_socket();
++    sss_pam_unlock();
+ }
+ 
+ struct cert_auth_info {
+diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
+index 1109ec570..dd578ae5d 100644
+--- a/src/sss_client/pam_sss_gss.c
++++ b/src/sss_client/pam_sss_gss.c
+@@ -581,7 +581,9 @@ int pam_sm_authenticate(pam_handle_t *pamh,
+     }
+ 
+ done:
++    sss_pam_lock();
+     sss_cli_close_socket();
++    sss_pam_unlock();
+     free(username);
+     free(domain);
+     free(target);
+-- 
+2.37.3
+

SPECS/sssd.spec

@@ -19,7 +19,7 @@
 
 Name: sssd
 Version: 2.8.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -28,6 +28,9 @@ Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{versio
 
 ### Patches ###
 Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
+Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
+Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
+Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
 
 ### Downstream Patches ###
 
@@ -1210,6 +1213,9 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
+- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"
+
 * Mon Dec 19 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-1
 - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8
 - Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.