[tor-bugs] #30871 [Core Tor/Tor]: circuit_mark_for_close_(): Bug: Duplicate call to circuit_mark_for_close at ../src/feature/hs/hs_service.c:3166 (first at ../src/feature/hs/hs_service.c:2385)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jun 18 12:26:10 UTC 2019
#30871: circuit_mark_for_close_(): Bug: Duplicate call to circuit_mark_for_close at
../src/feature/hs/hs_service.c:3166 (first at
../src/feature/hs/hs_service.c:2385)
-------------------------------------------------+-------------------------
Reporter: s7r | Owner: dgoulet
Type: defect | Status:
| assigned
Priority: Medium | Milestone: Tor:
| 0.4.1.x-final
Component: Core Tor/Tor | Version: Tor:
| 0.4.1.2-alpha
Severity: Normal | Resolution:
Keywords: tor-hs 041-should 041-regression? | Actual Points:
double-mark |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by dgoulet):
So the HS system (v2 or v3) will not launch introduction circuits until 3
things are true:
{{{
if (!have_completed_a_circuit() || net_is_disabled() ||
networkstatus_get_live_consensus(now) == NULL) {
goto end;
}
}}}
In _theory_ the `have_completed_a_circuit()` is the one telling us that
the Guard is usable because we were able to complete a full circuit
through it.
However, it seems that once those introduction circuits were launched, 3
of them ended up in waiting to "see how the guard performs". I bet it is
because the circuit went _back_ into "wait for guard state" after opening
some circuits which lead to this situation. In theory, it should be "fine"
I believe.
Now onto the main problem, the duplicate close. The warnings before are v2
... but that duplicate close is for the v3 which has no warnings. The
"exceeded limit" log is at info level for v3...
So roughly 5 minutes after bootstrap, the v3 introduction circuit finally
opened but the introduction point authentication key disappeared from our
state. This is all but too familiar (#28970 and #27471) ... Somehow, both
on client or service side, we loose track (or clean it) of the
authentication key of an IP leading to these BUG().
This duplicate mark for close is the hint I think. It appears we have a
code path in tor that can mark an intro circuit for close and then that
circuit is called with the "has opened" callback leading to this double
close.
The freeing of the circuit is deferred as a "post main loop" event. I'm
wondering if it is possible for this sequence to happen within a _single_
main loop run:
1) Intro circuit(s) is *mark* for close and thus cleaned up from the HS
state. Could be on descriptor rotation or build time out for instance.
2) The "circuit has opened" callback is called for the mark for close
circuit.
3) The freeing of that circuit is done post main loop.
If possible, then the (2) should never have been done on a marked for
close.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30871#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list