[tor-bugs] #29508 [Core Tor/Tor]: KIST does not check the right channel's sched_heap_idx when readding channels

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 14 20:28:52 UTC 2019 

#29508: KIST does not check the right channel's sched_heap_idx when readding
channels
------------------------------+--------------------------------
     Reporter:  pastly        |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.4.1.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+--------------------------------
 Link to the section of code as of right now:
 https://gitweb.torproject.org/tor.git/tree/src/core/or/scheduler_kist.c#n724

 The buggy code

 {{{
   /* Re-add any channels we need to */
   if (to_readd) {
     SMARTLIST_FOREACH_BEGIN(to_readd, channel_t *, readd_chan) {
       scheduler_set_channel_state(readd_chan, SCHED_CHAN_PENDING);
       if (!smartlist_contains(cp, readd_chan)) {
         if (!SCHED_BUG(chan->sched_heap_idx != -1, chan)) {
           /* XXXX Note that the check above is in theory redundant with
            * the smartlist_contains check.  But let's make sure we're
            * not messing anything up, and leave them both for now. */
           smartlist_pqueue_add(cp, scheduler_compare_channels,
                              offsetof(channel_t, sched_heap_idx),
 readd_chan);
         }
       }
     } SMARTLIST_FOREACH_END(readd_chan);
     smartlist_free(to_readd);
   }
 }}}

 The code wrapped in`SCHED_BUG` should be checking `readd_chan` not `chan`.

 This has never been an issue in mainline-Tor because the scheduler never
 leaves its while loop with channels in `channels_pending`. But if you make
 changes to Tor's code that allow for the scheduler to leave its loop
 without emptying `channels_pending`, then this condition will often fail,
 which cumulates in  tor ultimately seemingly forgetting about the channel
 and letting it sit idle.

 Branch incoming.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29508>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list