Date: Tue, 7 Sep 2021 22:28:29 GMT
From: Craig Leres <leres@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
Subject: git: 3c50e5f92ad4 - 2021Q3 - security/suricata: Add patch for upstream locking fix
Message-ID: <202109072228.187MSTLe017918@gitrepo.freebsd.org>
The branch 2021Q3 has been updated by leres: URL: https://cgit.FreeBSD.org/ports/commit/?id=3c50e5f92ad40b4a917de1ecb99cd73068d761c7 commit 3c50e5f92ad40b4a917de1ecb99cd73068d761c7 Author: Craig Leres <leres@FreeBSD.org> AuthorDate: 2021-09-07 21:55:24 +0000 Commit: Craig Leres <leres@FreeBSD.org> CommitDate: 2021-09-07 22:27:27 +0000 security/suricata: Add patch for upstream locking fix https://redmine.openinfosecfoundation.org/issues/4478 - Suricata 6 may stop forwarding traffic due to lock/unlock executed between CPUs, which is undetermined behaviour. PR: 258335 Approved by: Franco Fichtner (maintainer) (cherry picked from commit b0c4eaac2a3aa9bc422c21b9d398e4dbfea18736) --- security/suricata/Makefile | 6 +-- security/suricata/distinfo | 6 +-- security/suricata/files/patch-3c53a1601 | 78 +++++++++++++++++++++++++++++++++ security/suricata/pkg-plist | 3 +- 4 files changed, 86 insertions(+), 7 deletions(-) diff --git a/security/suricata/Makefile b/security/suricata/Makefile index f97ef9fc56f2..d2887b48c134 100644 --- a/security/suricata/Makefile +++ b/security/suricata/Makefile @@ -1,6 +1,6 @@ PORTNAME= suricata -DISTVERSION= 6.0.2 -PORTREVISION= 3 +DISTVERSION= 6.0.3 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= https://www.openinfosecfoundation.org/download/ @@ -71,7 +71,7 @@ HYPERSCAN_LIB_DEPENDS= libhs.so:devel/hyperscan IPFW_CONFIGURE_ON= --enable-ipfw -LUAJIT_LIB_DEPENDS= libluajit-5.1.so:lang/luajit +LUAJIT_LIB_DEPENDS= libluajit-5.1.so:lang/luajit-openresty LUAJIT_CONFIGURE_ON= --enable-luajit LUA_USES= lua:51 diff --git a/security/suricata/distinfo b/security/suricata/distinfo index 2e96b779479a..47cdde42ff52 100644 --- a/security/suricata/distinfo +++ b/security/suricata/distinfo 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1616753087 -SHA256 (suricata-6.0.2.tar.gz) = 5e4647a07cb31b5d6d0049972a45375c137de908a964a44e2d6d231fa3ad4b52 -SIZE (suricata-6.0.2.tar.gz) = 30514801 +TIMESTAMP = 1628041281 +SHA256 (suricata-6.0.3.tar.gz) = daf134bb2d7c980035e9ae60f7aaf313323a809340009f26e48110ccde81f602 +SIZE (suricata-6.0.3.tar.gz) = 32421197 diff --git a/security/suricata/files/patch-3c53a1601 b/security/suricata/files/patch-3c53a1601 new file mode 100644 index 000000000000..d70b3c563e5a --- /dev/null +++ b/security/suricata/files/patch-3c53a1601 
@@ -0,0 +1,78 @@ +From 3c53a1601b6f861f8b7f0cd0984b18e78291fe85 Mon Sep 17 00:00:00 2001 +From: Victor Julien <victor@inliniac.net> +Date: Wed, 18 Aug 2021 20:14:48 +0200 +Subject: [PATCH] threading: don't pass locked flow between threads + +Previously the flow manager would share evicted flows with the workers +while keeping the flows mutex locked. This reduced the number of unlock/ +lock cycles while there was guaranteed to be no contention. + +This turns out to be undefined behavior. A lock is supposed to be locked +and unlocked from the same thread. It appears that FreeBSD is stricter on +this than Linux. + +This patch addresses the issue by unlocking before handing a flow off +to another thread, and locking again from the new thread. + +Issue was reported and largely analyzed by Bill Meeks. + +Bug: #4478 +(cherry picked from commit 9551cd05357925e8bec8e0030d5f98fd07f17839) +--- + src/flow-hash.c | 1 + + src/flow-manager.c | 2 +- + src/flow-timeout.c | 1 + + src/flow-worker.c | 1 + + 4 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/flow-hash.c b/src/flow-hash.c +index ebbd836e81a..760bc53e0a8 100644 +--- src/flow-hash.c ++++ src/flow-hash.c +@@ -669,6 +669,7 @@ static inline void MoveToWorkQueue(ThreadVars *tv, FlowLookupStruct *fls, + f->fb = NULL; + f->next = NULL; + FlowQueuePrivateAppendFlow(&fls->work_queue, f); ++ FLOWLOCK_UNLOCK(f); + } else { + /* implied: TCP but our thread does not own it. So set it + * aside for the Flow Manager to pick it up. 
*/ +diff --git a/src/flow-manager.c b/src/flow-manager.c +index d58a49637d6..9228c88490c 100644 +--- src/flow-manager.c ++++ src/flow-manager.c +@@ -333,9 +333,9 @@ static uint32_t ProcessAsideQueue(FlowManagerTimeoutThread *td, FlowTimeoutCount + FlowForceReassemblyNeedReassembly(f) == 1) + { + FlowForceReassemblyForFlow(f); ++ FLOWLOCK_UNLOCK(f); + /* flow ownership is passed to the worker thread */ + +- /* flow remains locked */ + counters->flows_aside_needs_work++; + continue; + } +diff --git a/src/flow-timeout.c b/src/flow-timeout.c +index 972b35076bd..d6cca490087 100644 +--- src/flow-timeout.c ++++ src/flow-timeout.c +@@ -401,6 +401,7 @@ static inline void FlowForceReassemblyForHash(void) + RemoveFromHash(f, prev_f); + f->flow_end_flags |= FLOW_END_FLAG_SHUTDOWN; + FlowForceReassemblyForFlow(f); ++ FLOWLOCK_UNLOCK(f); + f = next_f; + continue; + } +diff --git a/src/flow-worker.c b/src/flow-worker.c +index 69dbb6ac575..dccf3581dd5 100644 +--- src/flow-worker.c ++++ src/flow-worker.c +@@ -168,6 +168,7 @@ static void CheckWorkQueue(ThreadVars *tv, FlowWorkerThreadData *fw, + { + Flow *f; + while ((f = FlowQueuePrivateGetFromTop(fq)) != NULL) { ++ FLOWLOCK_WRLOCK(f); + f->flow_end_flags |= FLOW_END_FLAG_TIMEOUT; //TODO emerg + + const FlowStateType state = f->flow_state; diff --git a/security/suricata/pkg-plist b/security/suricata/pkg-plist index 2b679f9da5c2..5fcb57aa716a 100644 --- a/security/suricata/pkg-plist +++ b/security/suricata/pkg-plist @@ -20,6 +20,7 @@ include/htp/htp_utf8_decoder.h include/htp/htp_version.h include/htp/lzma/7zTypes.h include/htp/lzma/LzmaDec.h +include/suricata-plugin.h lib/libhtp.a lib/libhtp.so lib/libhtp.so.2 
@@ -135,7 +136,7 @@ man/man1/suricata.1.gz %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/util.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.pyc -%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.1-py%%PYTHON_VER%%.egg-info +%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.2-py%%PYTHON_VER%%.egg-info %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.pyc %%DATADIR%%/rules/app-layer-events.rules
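Review bot: the commit subject and body describe only adding the upstream locking patch, but the first security/suricata/Makefile hunk (@@ -1,6 +1,6 @@) also moves DISTVERSION from 6.0.2 to 6.0.3 and sets PORTREVISION to 1, and the distinfo hunk replaces the 6.0.2 checksum and size with those of suricata-6.0.3.tar.gz. On a quarterly branch the version update should be stated in the commit message, or merged as its own commit, so that the log accounts for the new distfile.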
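Review bot: in the second security/suricata/Makefile hunk (@@ -71,7 +71,7 @@), LUAJIT_LIB_DEPENDS switches from lang/luajit to lang/luajit-openresty, which neither the subject nor the body mentions and which is unrelated to the locking fix. Say in the commit message why the dependency changes, or split it into a separate commit, since it alters what the LUAJIT option pulls in.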
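Review bot: in the src/flow-timeout.c hunk of files/patch-3c53a1601, FLOWLOCK_UNLOCK(f) is added after FlowForceReassemblyForFlow(f) without any comment, whereas the src/flow-manager.c hunk keeps "/* flow ownership is passed to the worker thread */" beside the same pair of calls. The same comment belongs here, so that a reader of FlowForceReassemblyForHash sees the unlock as a hand-off to another thread and not as the end of the flow's use.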
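Review bot: the src/flow-worker.c hunk of files/patch-3c53a1601 adds FLOWLOCK_WRLOCK(f) at the top of the while loop in CheckWorkQueue, but the matching unlock lies outside the visible context. Confirm that every path through the loop body releases the lock before the next FlowQueuePrivateGetFromTop(fq) call, and say in the patch description where that release happens, since the src/flow-hash.c, src/flow-manager.c and src/flow-timeout.c hunks now unlock the flow before the worker picks it up.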