sss: handle poll events correctly in clevis-decrypt-sss

When a pin's file descriptor is closed after reading, it must be removed
from the poll set. Unlike epoll (which automatically removes closed fds),
poll() will continue to return events for closed fds.

Additionally, poll() can return POLLHUP/POLLERR/POLLNVAL when a child
process exits or encounters errors. These events must be handled to
avoid infinite loops, but only when there's no data to read (POLLIN not
set) - otherwise we might discard valid data from a process that wrote
output then exited.

This fix:
- Sets closed fds to -1 in the pollfds array (poll ignores negative fds)
- Handles error/hangup events by cleaning up failed pins, but only when
  POLLIN is not set, ensuring we read all available data first

Author: sini

src/pins/sss/clevis-decrypt-sss.c

@@ -227,8 +227,22 @@ main(int argc, char *argv[])
             }
             if (pi >= nfds)
                 continue;
-            if (!(pollfds[pi].revents & (POLLIN | POLLPRI)))
+
+            /* If no data available but pipe closed/errored, mark as failed */
+            if (!(pollfds[pi].revents & (POLLIN | POLLPRI))) {
+                if (pollfds[pi].revents & (POLLERR | POLLHUP | POLLNVAL)) {
+                    fclose(pin->file);
+                    pin->file = NULL;
+                    pollfds[pi].fd = -1;
+                    waitpid(pin->pid, NULL, 0);
+                    pin->pid = 0;
+                    pin->next->prev = pin->prev;
+                    pin->prev->next = pin->next;
+                    free(pin);
+                    break;
+                }
                 continue;
+            }
 
             {
                 const size_t ptl = pl * 2;
@@ -260,6 +274,8 @@ main(int argc, char *argv[])
 
             fclose(pin->file);
             pin->file = NULL;
+            /* Remove closed fd from poll set (poll ignores negative fds) */
+            pollfds[pi].fd = -1;
 
             waitpid(pin->pid, NULL, 0);
             pin->pid = 0;