diff --git a/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch b/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
new file mode 100644
index 0000000..fdc756a
--- /dev/null
+++ b/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
@@ -0,0 +1,58 @@
+From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 3 Feb 2023 11:35:42 +0100
+Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common
+ read/write/check helpers.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)`
+error condition is detected, regular `POLLIN/POLLOUT` won't be set.
+Error code set by error condition should have a priority. This enables
+users of this helper to retry attempt (as designed).
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd)
+---
+ src/sss_client/common.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 2c888faa9..27e09f6f3 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
+ case 1:
+ if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
+ *errnop = EPIPE;
+- }
+- if (!(pfd.revents & POLLOUT)) {
++ } else if (!(pfd.revents & POLLOUT)) {
+ *errnop = EBUSY;
+ }
+ break;
+@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
+ }
+ if (pfd.revents & (POLLERR | POLLNVAL)) {
+ *errnop = EPIPE;
+- }
+- if (!(pfd.revents & POLLIN)) {
++ } else if (!(pfd.revents & POLLIN)) {
+ *errnop = EBUSY;
+ }
+ break;
+@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop,
+ case 1:
+ if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
+ *errnop = EPIPE;
+- }
+- if (!(pfd.revents & (POLLIN | POLLOUT))) {
++ } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
+ *errnop = EBUSY;
+ }
+ break;
+--
+2.37.3
+
diff --git a/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch b/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
new file mode 100644
index 0000000..d7c875f
--- /dev/null
+++ b/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
@@ -0,0 +1,63 @@
+From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 8 Feb 2023 17:48:52 +0100
+Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is
+ alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise
+ there is a risk to close "foreign" socket opened in another thread.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3)
+---
+ src/sss_client/common.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 27e09f6f3..c8ade645b 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
+ *errnop = ETIME;
+ break;
+ case 1:
+- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
++ if (pfd.revents & (POLLERR | POLLHUP)) {
++ *errnop = EPIPE;
++ } else if (pfd.revents & POLLNVAL) {
++ /* Invalid request: fd is not opened */
++ sss_cli_sd = -1;
+ *errnop = EPIPE;
+ } else if (!(pfd.revents & POLLOUT)) {
+ *errnop = EBUSY;
+@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
+ if (pfd.revents & (POLLHUP)) {
+ pollhup = true;
+ }
+- if (pfd.revents & (POLLERR | POLLNVAL)) {
++ if (pfd.revents & POLLERR) {
++ *errnop = EPIPE;
++ } else if (pfd.revents & POLLNVAL) {
++ /* Invalid request: fd is not opened */
++ sss_cli_sd = -1;
+ *errnop = EPIPE;
+ } else if (!(pfd.revents & POLLIN)) {
+ *errnop = EBUSY;
+@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop,
+ *errnop = ETIME;
+ break;
+ case 1:
+- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
++ if (pfd.revents & (POLLERR | POLLHUP)) {
++ *errnop = EPIPE;
++ } else if (pfd.revents & POLLNVAL) {
++ /* Invalid request: fd is not opened */
++ sss_cli_sd = -1;
+ *errnop = EPIPE;
+ } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
+ *errnop = EBUSY;
+--
+2.37.3
+
diff --git a/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch b/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
new file mode 100644
index 0000000..dee9c9d
--- /dev/null
+++ b/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
@@ -0,0 +1,53 @@
+From 1fd7a5ecb46a02a29ebf42039575b5344307bfbb Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 8 Feb 2023 18:58:37 +0100
+Subject: [PATCH 4/4] PAM_SSS: close(sss_cli_sd) should also be protected with
+ mutex. Otherwise a thread calling pam_end() can close socket mid pam
+ transaction in another thread.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug only manifested on platforms where "lockfree client"
+feature wasn't built.
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit bf3f73ea0ee123fe4e7c4bdd2287ac5a5e6d9082)
+---
+ src/sss_client/pam_sss.c | 3 +++
+ src/sss_client/pam_sss_gss.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
+index afbdef59a..39ad17188 100644
+--- a/src/sss_client/pam_sss.c
++++ b/src/sss_client/pam_sss.c
+@@ -117,7 +117,10 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err)
+ #endif /* PAM_DATA_REPLACE */
+
+ D(("Closing the fd"));
++
++ sss_pam_lock();
+ sss_cli_close_socket();
++ sss_pam_unlock();
+ }
+
+ struct cert_auth_info {
+diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
+index 1109ec570..dd578ae5d 100644
+--- a/src/sss_client/pam_sss_gss.c
++++ b/src/sss_client/pam_sss_gss.c
+@@ -581,7 +581,9 @@ int pam_sm_authenticate(pam_handle_t *pamh,
+ }
+
+ done:
++ sss_pam_lock();
+ sss_cli_close_socket();
++ sss_pam_unlock();
+ free(username);
+ free(domain);
+ free(target);
+--
+2.37.3
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index d91753f..c395105 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -19,7 +19,7 @@
Name: sssd
Version: 2.8.2
-Release: 1%{?dist}
+Release: 2%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -28,6 +28,9 @@ Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{versio
### Patches ###
Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
+Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
+Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
+Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
### Downstream Patches ###
@@ -1210,6 +1213,9 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
+* Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
+- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"
+
* Mon Dec 19 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-1
- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8
- Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.