<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Weird Segfault in sd_rtnl_message_unref (libnss_myhostname.so.2 by sshd )"
href="https://bugs.freedesktop.org/show_bug.cgi?id=88340">88340</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Weird Segfault in sd_rtnl_message_unref (libnss_myhostname.so.2 by sshd )
</td>
</tr>
<tr>
<th>Product</th>
<td>systemd
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86-64 (AMD64)
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux (All)
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>critical
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>general
</td>
</tr>
<tr>
<th>Assignee</th>
<td>systemd-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>svenne@krap.dk
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>systemd-bugs@lists.freedesktop.org
</td>
</tr></table>
<p>
<div>
<pre>On Arch X64 using 218-1 (first packaging of 218) I have run into the
following weird problem.

When trying to connect to a ssh server running dualstack (both IPv4 and
IPv6) by IPv6, ssh segfaults when I have loaded the full IPv4 BGP
routing table (~500k+ routes). IPv4 connections work for some reason,
and IPv6 recovers if I kill the routing daemon (bird).

The stack trace of the core-file starts with

Stack trace of thread 515:
#0 0x00007f48334a3dd5 _int_free (libc.so.6)
#1 0x00007f4834a1e62a sd_rtnl_message_unref (libnss_myhostname.so.2)
#2 0x00007f4834a1e657 sd_rtnl_message_unref (libnss_myhostname.so.2)

And continues with that line (#1 and #2) until frame 63.

I have looked in src/libsystemd/sd-rtnl/rtnl-message.c and have two
observations (my C is very rusty so feel free to correct me).

Line 589, shouldn't the line
if (m && REFCNT_DEC(m->n_ref) <= 0) {
be
if (m && REFCNT_DEC(m->n_ref) >= 0) {
(i.e. greater-than-or-equal instead of less-than-or-equal)

Also, perhaps a test of whether m->next is equal to m on line 597....</pre>
</div>
</p>
</body>
</html>