1
diff --git a/debian/changelog b/debian/changelog
2
index e1685a4..45e547c 100644
3
--- a/debian/changelog
4
+++ b/debian/changelog
5
@@ -1,3 +1,13 @@
6
1
sssd (2.7.3-2ubuntu2.1) kinetic; urgency=medium
7
2
8
3
  * d/p/fix-client-fd-leak.patch (LP: #1996869):
9
4
    - close client socket at thread exit
10
5
    - only build lock-free client support if libc has required
11
6
      functionality for a proper cleanup
12
7
    - use proper mechanisms to init lock_mode only once
13
8
14
9
 -- Lena Voytek <lena.voytek@canonical.com>  Fri, 20 Jan 2023 11:03:59 -0700
15
10
16
1
sssd (2.7.3-2ubuntu2) kinetic; urgency=medium
11
sssd (2.7.3-2ubuntu2) kinetic; urgency=medium
17
2
12
18
3
  * d/p/initialize-uid-gid-main-functions.patch: Initialize UID/GID
13
  * d/p/initialize-uid-gid-main-functions.patch: Initialize UID/GID
19
diff --git a/debian/patches/fix-client-fd-leak.patch b/debian/patches/fix-client-fd-leak.patch
20
4
new file mode 100644
14
new file mode 100644
21
index 0000000..1521eee
22
--- /dev/null
23
+++ b/debian/patches/fix-client-fd-leak.patch
24
@@ -0,0 +1,268 @@
25
1
Description: Fix client fd leak
26
2
 Avoid leaking old client sockets by closing them properly on exit.
27
3
 Also note that Lock-free client support will only be built if libc provides
28
4
 `pthread_key_create()` and `pthread_once()`. This is relevant in glibc
29
5
 version 2.34+.
30
6
Author: Alexey Tikhonov <atikhono@redhat.com>
31
7
Origin: upstream, https://github.com/SSSD/sssd/commit/1a6f67c92399ff8e358a6c6cdda43fb2547a5fdb
32
8
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1996869
33
9
Last-Update: 2023-01-25
34
10
---
35
11
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
36
12
--- a/configure.ac
37
13
+++ b/configure.ac
38
14
@@ -51,18 +51,39 @@
39
15
 m4_include([src/build_macros.m4])
40
16
 BUILD_WITH_SHARED_BUILD_DIR
41
17
 
42
18
-AC_COMPILE_IFELSE(
43
19
+
44
20
+SAVE_LIBS=$LIBS
45
21
+LIBS=
46
22
+AC_LINK_IFELSE(
47
23
     [AC_LANG_PROGRAM([[#include <pthread.h>]],
48
24
         [[pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
49
25
-          (void) m; /* unused */
50
26
+          pthread_mutex_lock(&m);
51
27
+          pthread_mutex_unlock(&m);
52
28
         ]])],
53
29
     [AC_DEFINE([HAVE_PTHREAD], [1], [Pthread mutexes available.])
54
30
      HAVE_PTHREAD=1
55
31
     ],
56
32
-    [AC_MSG_WARN([Pthread library not found! Clients will not be thread safe...])])
57
33
+    [AC_MSG_WARN([Pthread mutex support not found! Clients will not be thread safe...])])
58
34
+LIBS=$SAVE_LIBS
59
35
+AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
60
36
 
61
37
 
62
38
-AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
63
39
+SAVE_LIBS=$LIBS
64
40
+LIBS=
65
41
+AC_LINK_IFELSE(
66
42
+    [AC_LANG_PROGRAM([[#include <pthread.h>]],
67
43
+        [[static pthread_key_t k;
68
44
+          static pthread_once_t f = PTHREAD_ONCE_INIT;
69
45
+          pthread_once(&f, NULL);
70
46
+          pthread_key_create(&k, NULL);
71
47
+        ]])],
72
48
+    [AC_DEFINE([HAVE_PTHREAD_EXT], [1], [Extended pthread functionality is available.])
73
49
+     HAVE_PTHREAD_EXT=1
74
50
+    ],
75
51
+    [AC_MSG_WARN([Extended pthread functionality is not available. Lock-free client feature will not be built.])])
76
52
+LIBS=$SAVE_LIBS
77
53
+AM_CONDITIONAL([BUILD_LOCKFREE_CLIENT], [test x"$HAVE_PTHREAD_EXT" != "x"])
78
54
+
79
55
 
80
56
 # Check library for the timer_create function
81
57
 SAVE_LIBS=$LIBS
82
58
--- a/src/man/Makefile.am
83
59
+++ b/src/man/Makefile.am
84
60
@@ -46,9 +46,12 @@
85
61
 if BUILD_KCM_RENEWAL
86
62
 KCM_RENEWAL_CONDS = ;enable_kcm_renewal
87
63
 endif
88
64
+if BUILD_LOCKFREE_CLIENT
89
65
+LOCKFREE_CLIENT_CONDS = ;enable_lockfree_support
90
66
+endif
91
67
 
92
68
 
93
69
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)
94
70
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)
95
71
 
96
72
 
97
73
 #Special Rules:
98
74
--- a/src/man/sssd.8.xml
99
75
+++ b/src/man/sssd.8.xml
100
76
@@ -240,7 +240,7 @@
101
77
             If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO",
102
78
             client applications will not use the fast in-memory cache.
103
79
         </para>
104
80
-        <para>
105
81
+        <para condition="enable_lockfree_support">
106
82
             If the environment variable SSS_LOCKFREE is set to "NO", requests
107
83
             from multiple threads of a single application will be serialized.
108
84
         </para>
109
85
--- a/src/sss_client/common.c
110
86
+++ b/src/sss_client/common.c
111
87
@@ -35,7 +35,6 @@
112
88
 #include <stdlib.h>
113
89
 #include <stdbool.h>
114
90
 #include <stdint.h>
115
91
-#include <stdatomic.h>
116
92
 #include <string.h>
117
93
 #include <fcntl.h>
118
94
 #include <poll.h>
119
95
@@ -62,8 +61,15 @@
120
96
 
121
97
 /* common functions */
122
98
 
123
99
+#ifdef HAVE_PTHREAD_EXT
124
100
+static pthread_key_t sss_sd_key;
125
101
+static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT;
126
102
 static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */
127
103
 static __thread struct stat sss_cli_sb; /* the sss client stat buffer */
128
104
+#else
129
105
+static int sss_cli_sd = -1; /* the sss client socket descriptor */
130
106
+static struct stat sss_cli_sb; /* the sss client stat buffer */
131
107
+#endif
132
108
 
133
109
 #if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
134
110
 __attribute__((destructor))
135
111
@@ -76,6 +82,18 @@
136
112
     }
137
113
 }
138
114
 
139
115
+#ifdef HAVE_PTHREAD_EXT
140
116
+static void sss_at_thread_exit(void *v)
141
117
+{
142
118
+    sss_cli_close_socket();
143
119
+}
144
120
+
145
121
+static void init_sd_key(void)
146
122
+{
147
123
+    pthread_key_create(&sss_sd_key, sss_at_thread_exit);
148
124
+}
149
125
+#endif
150
126
+
151
127
 /* Requests:
152
128
  *
153
129
  * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X)
154
130
@@ -553,6 +571,16 @@
155
131
         return -1;
156
132
     }
157
133
 
158
134
+#ifdef HAVE_PTHREAD_EXT
159
135
+    pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */
160
136
+
161
137
+    /* It actually doesn't matter what value to set for a key.
162
138
+     * The only important thing: key must be non-NULL to ensure
163
139
+     * destructor is executed at thread exit.
164
140
+     */
165
141
+    pthread_setspecific(sss_sd_key, &sss_cli_sd);
166
142
+#endif
167
143
+
168
144
     /* set as non-blocking, close on exec, and make sure standard
169
145
      * descriptors are not used */
170
146
     sd = make_safe_fd(sd);
171
147
@@ -1129,41 +1157,38 @@
172
148
 }
173
149
 
174
150
 #if HAVE_PTHREAD
175
151
-bool sss_is_lockfree_mode(void)
176
152
+
177
153
+#ifdef HAVE_PTHREAD_EXT
178
154
+static bool sss_lock_free = true;
179
155
+static pthread_once_t sss_lock_mode_initialized = PTHREAD_ONCE_INIT;
180
156
+
181
157
+static void init_lock_mode(void)
182
158
 {
183
159
-    const char *env = NULL;
184
160
-    enum {
185
161
-        MODE_UNDEF,
186
162
-        MODE_LOCKING,
187
163
-        MODE_LOCKFREE
188
164
-    };
189
165
-    static atomic_int mode = MODE_UNDEF;
190
166
-
191
167
-    if (mode == MODE_UNDEF) {
192
168
-        env = getenv("SSS_LOCKFREE");
193
169
-        if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
194
170
-            mode = MODE_LOCKING;
195
171
-        } else {
196
172
-            mode = MODE_LOCKFREE;
197
173
-        }
198
174
+    const char *env = getenv("SSS_LOCKFREE");
199
175
+
200
176
+    if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
201
177
+        sss_lock_free = false;
202
178
     }
203
179
+}
204
180
 
205
181
-    return (mode == MODE_LOCKFREE);
206
182
+bool sss_is_lockfree_mode(void)
207
183
+{
208
184
+    pthread_once(&sss_lock_mode_initialized, init_lock_mode);
209
185
+    return sss_lock_free;
210
186
 }
211
187
+#endif
212
188
 
213
189
 struct sss_mutex sss_nss_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
214
190
-
215
191
 static struct sss_mutex sss_pam_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
216
192
-
217
193
-static struct sss_mutex sss_nss_mc_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
218
194
-
219
195
 static struct sss_mutex sss_pac_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
220
196
 
221
197
 static void sss_mt_lock(struct sss_mutex *m)
222
198
 {
223
199
+#ifdef HAVE_PTHREAD_EXT
224
200
     if (sss_is_lockfree_mode()) {
225
201
         return;
226
202
     }
227
203
+#endif
228
204
 
229
205
     pthread_mutex_lock(&m->mtx);
230
206
     pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state);
231
207
@@ -1171,9 +1196,11 @@
232
208
 
233
209
 static void sss_mt_unlock(struct sss_mutex *m)
234
210
 {
235
211
+#ifdef HAVE_PTHREAD_EXT
236
212
     if (sss_is_lockfree_mode()) {
237
213
         return;
238
214
     }
239
215
+#endif
240
216
 
241
217
     pthread_setcancelstate(m->old_cancel_state, NULL);
242
218
     pthread_mutex_unlock(&m->mtx);
243
219
@@ -1189,7 +1216,7 @@
244
220
     sss_mt_unlock(&sss_nss_mtx);
245
221
 }
246
222
 
247
223
-/* NSS mutex wrappers */
248
224
+/* PAM mutex wrappers */
249
225
 void sss_pam_lock(void)
250
226
 {
251
227
     sss_mt_lock(&sss_pam_mtx);
252
228
@@ -1199,16 +1226,6 @@
253
229
     sss_mt_unlock(&sss_pam_mtx);
254
230
 }
255
231
 
256
232
-/* NSS mutex wrappers */
257
233
-void sss_nss_mc_lock(void)
258
234
-{
259
235
-    sss_mt_lock(&sss_nss_mc_mtx);
260
236
-}
261
237
-void sss_nss_mc_unlock(void)
262
238
-{
263
239
-    sss_mt_unlock(&sss_nss_mc_mtx);
264
240
-}
265
241
-
266
242
 /* PAC mutex wrappers */
267
243
 void sss_pac_lock(void)
268
244
 {
269
245
--- a/src/sss_client/idmap/common_ex.c
270
246
+++ b/src/sss_client/idmap/common_ex.c
271
247
@@ -28,7 +28,9 @@
272
248
 #include "common_private.h"
273
249
 
274
250
 extern struct sss_mutex sss_nss_mtx;
275
251
+#ifdef HAVE_PTHREAD_EXT
276
252
 bool sss_is_lockfree_mode(void);
277
253
+#endif
278
254
 
279
255
 #define SEC_FROM_MSEC(ms) ((ms) / 1000)
280
256
 #define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000)
281
257
@@ -51,9 +53,11 @@
282
258
 {
283
259
     int ret;
284
260
 
285
261
+#ifdef HAVE_PTHREAD_EXT
286
262
     if (sss_is_lockfree_mode()) {
287
263
         return 0;
288
264
     }
289
265
+#endif
290
266
 
291
267
     ret = pthread_mutex_timedlock(&m->mtx, endtime);
292
268
     if (ret != 0) {
293
diff --git a/debian/patches/series b/debian/patches/series
294
index b5cc56b..f47c99f 100644
295
--- a/debian/patches/series
296
+++ b/debian/patches/series
297
@@ -3,3 +3,4 @@ default-to-socket-activated-services.diff
298
3
fix-shebang-on-sss_analyze.patch
3
fix-shebang-on-sss_analyze.patch
299
4
support-krb5-1.20.diff
4
support-krb5-1.20.diff
300
5
initialize-uid-gid-main-functions.patch
5
initialize-uid-gid-main-functions.patch
301
6
fix-client-fd-leak.patch
Reviewer	Date Requested	Status
git-ubuntu bot		Approve on 2023-02-08
Athos Ribeiro (community)	2023-02-03	Approve on 2023-02-08
Canonical Server Reporter	2023-02-06	Pending
Review via email: mp+436860@code.launchpad.net