git: 3c50e5f92ad4 - 2021Q3 - security/suricata: Add patch for upstream locking fix

Craig Leres leres at FreeBSD.org
Tue Sep 7 22:28:29 UTC 2021


The branch 2021Q3 has been updated by leres:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3c50e5f92ad40b4a917de1ecb99cd73068d761c7

commit 3c50e5f92ad40b4a917de1ecb99cd73068d761c7
Author:     Craig Leres <leres at FreeBSD.org>
AuthorDate: 2021-09-07 21:55:24 +0000
Commit:     Craig Leres <leres at FreeBSD.org>
CommitDate: 2021-09-07 22:27:27 +0000

    security/suricata: Add patch for upstream locking fix
    
        https://redmine.openinfosecfoundation.org/issues/4478
    
     - Suricata 6 may stop forwarding traffic because a lock can be taken
       on one CPU and released on another, which is undefined behaviour.
    
    PR:             258335
    Approved by:    Franco Fichtner (maintainer)
    
    (cherry picked from commit b0c4eaac2a3aa9bc422c21b9d398e4dbfea18736)
---
 security/suricata/Makefile              |  6 +--
 security/suricata/distinfo              |  6 +--
 security/suricata/files/patch-3c53a1601 | 78 +++++++++++++++++++++++++++++++++
 security/suricata/pkg-plist             |  3 +-
 4 files changed, 86 insertions(+), 7 deletions(-)

diff --git a/security/suricata/Makefile b/security/suricata/Makefile
index f97ef9fc56f2..d2887b48c134 100644
--- a/security/suricata/Makefile
+++ b/security/suricata/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	suricata
-DISTVERSION=	6.0.2
-PORTREVISION=	3
+DISTVERSION=	6.0.3
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	https://www.openinfosecfoundation.org/download/
 
@@ -71,7 +71,7 @@ HYPERSCAN_LIB_DEPENDS=		libhs.so:devel/hyperscan
 
 IPFW_CONFIGURE_ON=		--enable-ipfw
 
-LUAJIT_LIB_DEPENDS=		libluajit-5.1.so:lang/luajit
+LUAJIT_LIB_DEPENDS=		libluajit-5.1.so:lang/luajit-openresty
 LUAJIT_CONFIGURE_ON=		--enable-luajit
 
 LUA_USES=			lua:51
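Review bot: The `LUAJIT_LIB_DEPENDS` origin moves from `lang/luajit` to `lang/luajit-openresty` here, but the commit message describes only the locking patch, so the log on this quarterly branch carries no record of why the linked library changed. The same holds for the `DISTVERSION` bump to 6.0.3 in the first Makefile hunk and the matching distinfo checksum. I would add a line to the message such as `- Update to 6.0.3 and switch the LUAJIT option to lang/luajit-openresty`, so that someone auditing what the package builds from and links against can trace both changes to a stated reason.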
diff --git a/security/suricata/distinfo b/security/suricata/distinfo
index 2e96b779479a..47cdde42ff52 100644
--- a/security/suricata/distinfo
+++ b/security/suricata/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1616753087
-SHA256 (suricata-6.0.2.tar.gz) = 5e4647a07cb31b5d6d0049972a45375c137de908a964a44e2d6d231fa3ad4b52
-SIZE (suricata-6.0.2.tar.gz) = 30514801
+TIMESTAMP = 1628041281
+SHA256 (suricata-6.0.3.tar.gz) = daf134bb2d7c980035e9ae60f7aaf313323a809340009f26e48110ccde81f602
+SIZE (suricata-6.0.3.tar.gz) = 32421197
diff --git a/security/suricata/files/patch-3c53a1601 b/security/suricata/files/patch-3c53a1601
new file mode 100644
index 000000000000..d70b3c563e5a
--- /dev/null
+++ b/security/suricata/files/patch-3c53a1601
@@ -0,0 +1,78 @@
+From 3c53a1601b6f861f8b7f0cd0984b18e78291fe85 Mon Sep 17 00:00:00 2001
+From: Victor Julien <victor at inliniac.net>
+Date: Wed, 18 Aug 2021 20:14:48 +0200
+Subject: [PATCH] threading: don't pass locked flow between threads
+
+Previously the flow manager would share evicted flows with the workers
+while keeping the flows mutex locked. This reduced the number of unlock/
+lock cycles while there was guaranteed to be no contention.
+
+This turns out to be undefined behavior. A lock is supposed to be locked
+and unlocked from the same thread. It appears that FreeBSD is stricter on
+this than Linux.
+
+This patch addresses the issue by unlocking before handing a flow off
+to another thread, and locking again from the new thread.
+
+Issue was reported and largely analyzed by Bill Meeks.
+
+Bug: #4478
+(cherry picked from commit 9551cd05357925e8bec8e0030d5f98fd07f17839)
+---
+ src/flow-hash.c    | 1 +
+ src/flow-manager.c | 2 +-
+ src/flow-timeout.c | 1 +
+ src/flow-worker.c  | 1 +
+ 4 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/flow-hash.c b/src/flow-hash.c
+index ebbd836e81a..760bc53e0a8 100644
+--- src/flow-hash.c
++++ src/flow-hash.c
+@@ -669,6 +669,7 @@ static inline void MoveToWorkQueue(ThreadVars *tv, FlowLookupStruct *fls,
+         f->fb = NULL;
+         f->next = NULL;
+         FlowQueuePrivateAppendFlow(&fls->work_queue, f);
++        FLOWLOCK_UNLOCK(f);
+     } else {
+         /* implied: TCP but our thread does not own it. So set it
+          * aside for the Flow Manager to pick it up. */
+diff --git a/src/flow-manager.c b/src/flow-manager.c
+index d58a49637d6..9228c88490c 100644
+--- src/flow-manager.c
++++ src/flow-manager.c
+@@ -333,9 +333,9 @@ static uint32_t ProcessAsideQueue(FlowManagerTimeoutThread *td, FlowTimeoutCount
+                 FlowForceReassemblyNeedReassembly(f) == 1)
+         {
+             FlowForceReassemblyForFlow(f);
++            FLOWLOCK_UNLOCK(f);
+             /* flow ownership is passed to the worker thread */
+ 
+-            /* flow remains locked */
+             counters->flows_aside_needs_work++;
+             continue;
+         }
+diff --git a/src/flow-timeout.c b/src/flow-timeout.c
+index 972b35076bd..d6cca490087 100644
+--- src/flow-timeout.c
++++ src/flow-timeout.c
+@@ -401,6 +401,7 @@ static inline void FlowForceReassemblyForHash(void)
+                 RemoveFromHash(f, prev_f);
+                 f->flow_end_flags |= FLOW_END_FLAG_SHUTDOWN;
+                 FlowForceReassemblyForFlow(f);
++                FLOWLOCK_UNLOCK(f);
+                 f = next_f;
+                 continue;
+             }
+diff --git a/src/flow-worker.c b/src/flow-worker.c
+index 69dbb6ac575..dccf3581dd5 100644
+--- src/flow-worker.c
++++ src/flow-worker.c
+@@ -168,6 +168,7 @@ static void CheckWorkQueue(ThreadVars *tv, FlowWorkerThreadData *fw,
+ {
+     Flow *f;
+     while ((f = FlowQueuePrivateGetFromTop(fq)) != NULL) {
++        FLOWLOCK_WRLOCK(f);
+         f->flow_end_flags |= FLOW_END_FLAG_TIMEOUT; //TODO emerg
+ 
+         const FlowStateType state = f->flow_state;
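Review bot: In the flow-manager.c and flow-timeout.c sections the new `FLOWLOCK_UNLOCK(f)` runs after `FlowForceReassemblyForFlow(f)`, which, going by the adjacent comment, appears to be where the flow is handed to the worker, so the releasing thread still touches `f` after the hand-off. That looks safe only if the receiving side always takes `FLOWLOCK_WRLOCK(f)` before using or recycling the flow, as the flow-worker.c section now does in `CheckWorkQueue`; presumably that is the intent, but the patch does not state it. I would record the invariant next to each unlock, e.g. `/* unlock after hand-off: the worker blocks in FLOWLOCK_WRLOCK until we release */`. All four functions start and end outside the visible lines, and the unlock that balances the new `FLOWLOCK_WRLOCK(f)` in `CheckWorkQueue` is not shown, so every exit from that loop body should be checked for a release.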
diff --git a/security/suricata/pkg-plist b/security/suricata/pkg-plist
index 2b679f9da5c2..5fcb57aa716a 100644
--- a/security/suricata/pkg-plist
+++ b/security/suricata/pkg-plist
@@ -20,6 +20,7 @@ include/htp/htp_utf8_decoder.h
 include/htp/htp_version.h
 include/htp/lzma/7zTypes.h
 include/htp/lzma/LzmaDec.h
+include/suricata-plugin.h
 lib/libhtp.a
 lib/libhtp.so
 lib/libhtp.so.2
@@ -135,7 +136,7 @@ man/man1/suricata.1.gz
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/util.pyc
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.py
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.pyc
-%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.1-py%%PYTHON_VER%%.egg-info
+%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.2-py%%PYTHON_VER%%.egg-info
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.py
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.pyc
 %%DATADIR%%/rules/app-layer-events.rules

