Ubuntu
sssd package

Merge ~lvoytek/ubuntu/+source/sssd:fix-client-fd-leak-kinetic into ubuntu/+source/sssd:ubuntu/kinetic-devel

  1. Git
  2. lp:~lvoytek/ubuntu/+source/sssd
  3. fix-client-fd-leak-kinetic
  4. Merge into ubuntu/kinetic-devel
Proposed by Lena Voytek
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: Lena Voytek
Merged at revision: 575d671ff8bdfbfe35cc1f18e4b7a95302d89821
Proposed branch: ~lvoytek/ubuntu/+source/sssd:fix-client-fd-leak-kinetic
Merge into: ubuntu/+source/sssd:ubuntu/kinetic-devel
Diff against target: 301 lines (+279/-0)
3 files modified
debian/changelog (+10/-0)
debian/patches/fix-client-fd-leak.patch (+268/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Athos Ribeiro (community) Approve
Canonical Server Reporter Pending
Review via email: mp+436860@code.launchpad.net

Description of the change

PPA: https://launchpad.net/~lvoytek/+archive/ubuntu/sssd-fix-client-fd-leak

autopkgtest results:
  sssd @ amd64:
    25.01.23 22:01:50 Log 🗒️ ✅ Triggers: sssd/2.7.3-2ubuntu3~ppa2
  sssd @ arm64:
    03.02.23 20:48:14 Log 🗒️ ✅ Triggers: sssd/2.7.3-2ubuntu3~ppa2
  sssd @ armhf:
    03.02.23 20:47:14 Log 🗒️ ✅ Triggers: sssd/2.7.3-2ubuntu3~ppa2
  sssd @ ppc64el:
    03.02.23 20:43:14 Log 🗒️ ✅ Triggers: sssd/2.7.3-2ubuntu3~ppa2
  sssd @ s390x:
    03.02.23 20:48:50 Log 🗒️ ✅ Triggers: sssd/2.7.3-2ubuntu3~ppa2

To post a comment you must log in.
Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

Thanks, Lena!

LGTM. I did add a couple nitpick comments inline below.

review: Needs Information
~lvoytek/ubuntu/+source/sssd:fix-client-fd-leak-kinetic updated
575d671... by Lena Voytek

changelog

3180ab1... by Lena Voytek

* d/p/fix-client-fd-leak.patch:
  - close client socket at thread exit
  - only build lock-free client support if libc has required
    functionality for a proper cleanup
  - use proper mechanisms to init lock_mode only once

Revision history for this message
Lena Voytek (lvoytek) wrote :

Thanks for the review Athos! Updated based on your comments

Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

LGTM! Thanks :)

review: Approve
Revision history for this message
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: lvoytek, athos-ribeiro
Uploaders: lvoytek, athos-ribeiro
MP auto-approved

review: Approve
Revision history for this message
Lena Voytek (lvoytek) wrote :

Uploaded, thanks!
dput ubuntu ../sssd_2.7.3-2ubuntu2.1_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: ../sssd_2.7.3-2ubuntu2.1_source.changes: Valid signature from 34B8AD7D9529E793
Checking signature on .dsc
gpg: ../sssd_2.7.3-2ubuntu2.1.dsc: Valid signature from 34B8AD7D9529E793
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading sssd_2.7.3-2ubuntu2.1.dsc: done.
  Uploading sssd_2.7.3-2ubuntu2.1.debian.tar.xz: done.
  Uploading sssd_2.7.3-2ubuntu2.1_source.buildinfo: done.
  Uploading sssd_2.7.3-2ubuntu2.1_source.changes: done.
Successfully uploaded packages.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index e1685a4..45e547c 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,13 @@
6+sssd (2.7.3-2ubuntu2.1) kinetic; urgency=medium
7+
8+ * d/p/fix-client-fd-leak.patch (LP: #1996869):
9+ - close client socket at thread exit
10+ - only build lock-free client support if libc has required
11+ functionality for a proper cleanup
12+ - use proper mechanisms to init lock_mode only once
13+
14+ -- Lena Voytek <lena.voytek@canonical.com> Fri, 20 Jan 2023 11:03:59 -0700
15+
16 sssd (2.7.3-2ubuntu2) kinetic; urgency=medium
17
18 * d/p/initialize-uid-gid-main-functions.patch: Initialize UID/GID
19diff --git a/debian/patches/fix-client-fd-leak.patch b/debian/patches/fix-client-fd-leak.patch
20new file mode 100644
21index 0000000..1521eee
22--- /dev/null
23+++ b/debian/patches/fix-client-fd-leak.patch
24@@ -0,0 +1,268 @@
25+Description: Fix client fd leak
26+ Avoid leaking old client sockets by closing them properly on exit.
27+ Also note that Lock-free client support will only be built if libc provides
28+ `pthread_key_create()` and `pthread_once()`. This is relevant in glibc
29+ version 2.34+.
30+Author: Alexey Tikhonov <atikhono@redhat.com>
31+Origin: upstream, https://github.com/SSSD/sssd/commit/1a6f67c92399ff8e358a6c6cdda43fb2547a5fdb
32+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1996869
33+Last-Update: 2023-01-25
34+---
35+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
36+--- a/configure.ac
37++++ b/configure.ac
38+@@ -51,18 +51,39 @@
39+ m4_include([src/build_macros.m4])
40+ BUILD_WITH_SHARED_BUILD_DIR
41+
42+-AC_COMPILE_IFELSE(
43++
44++SAVE_LIBS=$LIBS
45++LIBS=
46++AC_LINK_IFELSE(
47+ [AC_LANG_PROGRAM([[#include <pthread.h>]],
48+ [[pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
49+- (void) m; /* unused */
50++ pthread_mutex_lock(&m);
51++ pthread_mutex_unlock(&m);
52+ ]])],
53+ [AC_DEFINE([HAVE_PTHREAD], [1], [Pthread mutexes available.])
54+ HAVE_PTHREAD=1
55+ ],
56+- [AC_MSG_WARN([Pthread library not found! Clients will not be thread safe...])])
57++ [AC_MSG_WARN([Pthread mutex support not found! Clients will not be thread safe...])])
58++LIBS=$SAVE_LIBS
59++AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
60+
61+
62+-AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
63++SAVE_LIBS=$LIBS
64++LIBS=
65++AC_LINK_IFELSE(
66++ [AC_LANG_PROGRAM([[#include <pthread.h>]],
67++ [[static pthread_key_t k;
68++ static pthread_once_t f = PTHREAD_ONCE_INIT;
69++ pthread_once(&f, NULL);
70++ pthread_key_create(&k, NULL);
71++ ]])],
72++ [AC_DEFINE([HAVE_PTHREAD_EXT], [1], [Extended pthread functionality is available.])
73++ HAVE_PTHREAD_EXT=1
74++ ],
75++ [AC_MSG_WARN([Extended pthread functionality is not available. Lock-free client feature will not be built.])])
76++LIBS=$SAVE_LIBS
77++AM_CONDITIONAL([BUILD_LOCKFREE_CLIENT], [test x"$HAVE_PTHREAD_EXT" != "x"])
78++
79+
80+ # Check library for the timer_create function
81+ SAVE_LIBS=$LIBS
82+--- a/src/man/Makefile.am
83++++ b/src/man/Makefile.am
84+@@ -46,9 +46,12 @@
85+ if BUILD_KCM_RENEWAL
86+ KCM_RENEWAL_CONDS = ;enable_kcm_renewal
87+ endif
88++if BUILD_LOCKFREE_CLIENT
89++LOCKFREE_CLIENT_CONDS = ;enable_lockfree_support
90++endif
91+
92+
93+-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)
94++CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)
95+
96+
97+ #Special Rules:
98+--- a/src/man/sssd.8.xml
99++++ b/src/man/sssd.8.xml
100+@@ -240,7 +240,7 @@
101+ If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO",
102+ client applications will not use the fast in-memory cache.
103+ </para>
104+- <para>
105++ <para condition="enable_lockfree_support">
106+ If the environment variable SSS_LOCKFREE is set to "NO", requests
107+ from multiple threads of a single application will be serialized.
108+ </para>
109+--- a/src/sss_client/common.c
110++++ b/src/sss_client/common.c
111+@@ -35,7 +35,6 @@
112+ #include <stdlib.h>
113+ #include <stdbool.h>
114+ #include <stdint.h>
115+-#include <stdatomic.h>
116+ #include <string.h>
117+ #include <fcntl.h>
118+ #include <poll.h>
119+@@ -62,8 +61,15 @@
120+
121+ /* common functions */
122+
123++#ifdef HAVE_PTHREAD_EXT
124++static pthread_key_t sss_sd_key;
125++static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT;
126+ static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */
127+ static __thread struct stat sss_cli_sb; /* the sss client stat buffer */
128++#else
129++static int sss_cli_sd = -1; /* the sss client socket descriptor */
130++static struct stat sss_cli_sb; /* the sss client stat buffer */
131++#endif
132+
133+ #if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
134+ __attribute__((destructor))
135+@@ -76,6 +82,18 @@
136+ }
137+ }
138+
139++#ifdef HAVE_PTHREAD_EXT
140++static void sss_at_thread_exit(void *v)
141++{
142++ sss_cli_close_socket();
143++}
144++
145++static void init_sd_key(void)
146++{
147++ pthread_key_create(&sss_sd_key, sss_at_thread_exit);
148++}
149++#endif
150++
151+ /* Requests:
152+ *
153+ * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X)
154+@@ -553,6 +571,16 @@
155+ return -1;
156+ }
157+
158++#ifdef HAVE_PTHREAD_EXT
159++ pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */
160++
161++ /* It actually doesn't matter what value to set for a key.
162++ * The only important thing: key must be non-NULL to ensure
163++ * destructor is executed at thread exit.
164++ */
165++ pthread_setspecific(sss_sd_key, &sss_cli_sd);
166++#endif
167++
168+ /* set as non-blocking, close on exec, and make sure standard
169+ * descriptors are not used */
170+ sd = make_safe_fd(sd);
171+@@ -1129,41 +1157,38 @@
172+ }
173+
174+ #if HAVE_PTHREAD
175+-bool sss_is_lockfree_mode(void)
176++
177++#ifdef HAVE_PTHREAD_EXT
178++static bool sss_lock_free = true;
179++static pthread_once_t sss_lock_mode_initialized = PTHREAD_ONCE_INIT;
180++
181++static void init_lock_mode(void)
182+ {
183+- const char *env = NULL;
184+- enum {
185+- MODE_UNDEF,
186+- MODE_LOCKING,
187+- MODE_LOCKFREE
188+- };
189+- static atomic_int mode = MODE_UNDEF;
190+-
191+- if (mode == MODE_UNDEF) {
192+- env = getenv("SSS_LOCKFREE");
193+- if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
194+- mode = MODE_LOCKING;
195+- } else {
196+- mode = MODE_LOCKFREE;
197+- }
198++ const char *env = getenv("SSS_LOCKFREE");
199++
200++ if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
201++ sss_lock_free = false;
202+ }
203++}
204+
205+- return (mode == MODE_LOCKFREE);
206++bool sss_is_lockfree_mode(void)
207++{
208++ pthread_once(&sss_lock_mode_initialized, init_lock_mode);
209++ return sss_lock_free;
210+ }
211++#endif
212+
213+ struct sss_mutex sss_nss_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
214+-
215+ static struct sss_mutex sss_pam_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
216+-
217+-static struct sss_mutex sss_nss_mc_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
218+-
219+ static struct sss_mutex sss_pac_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
220+
221+ static void sss_mt_lock(struct sss_mutex *m)
222+ {
223++#ifdef HAVE_PTHREAD_EXT
224+ if (sss_is_lockfree_mode()) {
225+ return;
226+ }
227++#endif
228+
229+ pthread_mutex_lock(&m->mtx);
230+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state);
231+@@ -1171,9 +1196,11 @@
232+
233+ static void sss_mt_unlock(struct sss_mutex *m)
234+ {
235++#ifdef HAVE_PTHREAD_EXT
236+ if (sss_is_lockfree_mode()) {
237+ return;
238+ }
239++#endif
240+
241+ pthread_setcancelstate(m->old_cancel_state, NULL);
242+ pthread_mutex_unlock(&m->mtx);
243+@@ -1189,7 +1216,7 @@
244+ sss_mt_unlock(&sss_nss_mtx);
245+ }
246+
247+-/* NSS mutex wrappers */
248++/* PAM mutex wrappers */
249+ void sss_pam_lock(void)
250+ {
251+ sss_mt_lock(&sss_pam_mtx);
252+@@ -1199,16 +1226,6 @@
253+ sss_mt_unlock(&sss_pam_mtx);
254+ }
255+
256+-/* NSS mutex wrappers */
257+-void sss_nss_mc_lock(void)
258+-{
259+- sss_mt_lock(&sss_nss_mc_mtx);
260+-}
261+-void sss_nss_mc_unlock(void)
262+-{
263+- sss_mt_unlock(&sss_nss_mc_mtx);
264+-}
265+-
266+ /* PAC mutex wrappers */
267+ void sss_pac_lock(void)
268+ {
269+--- a/src/sss_client/idmap/common_ex.c
270++++ b/src/sss_client/idmap/common_ex.c
271+@@ -28,7 +28,9 @@
272+ #include "common_private.h"
273+
274+ extern struct sss_mutex sss_nss_mtx;
275++#ifdef HAVE_PTHREAD_EXT
276+ bool sss_is_lockfree_mode(void);
277++#endif
278+
279+ #define SEC_FROM_MSEC(ms) ((ms) / 1000)
280+ #define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000)
281+@@ -51,9 +53,11 @@
282+ {
283+ int ret;
284+
285++#ifdef HAVE_PTHREAD_EXT
286+ if (sss_is_lockfree_mode()) {
287+ return 0;
288+ }
289++#endif
290+
291+ ret = pthread_mutex_timedlock(&m->mtx, endtime);
292+ if (ret != 0) {
293diff --git a/debian/patches/series b/debian/patches/series
294index b5cc56b..f47c99f 100644
295--- a/debian/patches/series
296+++ b/debian/patches/series
297@@ -3,3 +3,4 @@ default-to-socket-activated-services.diff
298 fix-shebang-on-sss_analyze.patch
299 support-krb5-1.20.diff
300 initialize-uid-gid-main-functions.patch
301+fix-client-fd-leak.patch

Subscribers

People subscribed via source and target branches