[systemd-devel] Weird Segfault in sd_rtnl_message_unref (libnss_myhostname.so.2 by sshd)

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Mon Jan 12 13:53:09 PST 2015


On Mon, Jan 12, 2015 at 10:08:30PM +0100, Svenne Krap wrote:
> 
> Hi.
> 
> On Arch X64 using 218-1 (first packaging of 218) I have run into the
> following weird problem.
> 
> When trying to connect to an ssh server running dualstack (both IPv4 and
> IPv6) by IPv6, ssh segfaults when I have loaded the full IPv4 BGP
> routing table (~500k+ routes). IPv4 connections work for some reason,
> and IPv6 recovers if I kill the routing daemon (bird).
> 
> The stack trace of the core-file starts with
> 
> Stack trace of thread 515:
> #0  0x00007f48334a3dd5 _int_free (libc.so.6)
> #1  0x00007f4834a1e62a sd_rtnl_message_unref (libnss_myhostname.so.2)
> #2  0x00007f4834a1e657 sd_rtnl_message_unref (libnss_myhostname.so.2)
The reference counting might be broken. It is in other places
unfortunately.

> And continues with that line (#1 and #2) until frame 63.
> 
> I have looked in src/libsystemd/sd-rtnl/rtnl-message.c and have two
> observations (my C is very rusty so feel free to correct me).
> 
> Line 589, shouldn't the line
>     if (m && REFCNT_DEC(m->n_ref) <= 0) {
No, it's supposed to do the freeing when it reaches 0. It is spelled as <= 0
but that is either simply misleading, or a workaround for a bug.

Zbyszek
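The trace above shows sd_rtnl_message_unref calling itself from frame #1 through frame #63, which is the shape of a release path that drops its reference to the next part of a chained message from inside its own unref. The following is an added example, not code from systemd or from either poster: a constructed, reference-counted message chain (the `msg` type and the `msg_*` functions are assumptions made for this illustration) released two ways. The recursive form nests one call per chained part, so its stack use grows with the length of the chain; the iterative form applies the same ownership rule (each part owns one reference to its successor) in constant stack, which matters when a dump of a full routing table produces a very long chain. Both forms free only when the count reaches zero, and the guard on entry turns an extra unref of an object whose count is already zero into an immediate abort instead of a second free, provided the memory has not been recycled yet.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a chained, reference-counted message. The layout is an
 * assumption for this example, not systemd's sd_rtnl_message. Multi-part
 * replies are linked through `next`; a part owns one reference to its successor. */
typedef struct msg {
    int n_ref;
    struct msg *next;
    int seq;
} msg;

static msg *msg_new(int seq) {
    msg *m = calloc(1, sizeof *m);
    if (!m) abort();
    m->n_ref = 1;          /* the creator holds the first reference */
    m->seq = seq;
    return m;
}

static msg *msg_ref(msg *m) {
    if (m) m->n_ref++;
    return m;
}

/* Debug guard: an unref of an object whose count already hit zero is a double
 * free waiting to happen. Aborting here (while the memory is still ours) is
 * preferable to freeing it a second time. */
static void check_live(const msg *m) {
    if (m->n_ref <= 0) {
        fprintf(stderr, "unref of message %d with n_ref=%d\n", m->seq, m->n_ref);
        abort();
    }
}

/* Recursive release in the shape the stack trace suggests: freeing a part
 * releases its reference to the next part from inside this call, so a chain
 * of N parts nests N frames deep. Returns the depth reached. */
static int msg_unref_recursive(msg *m) {
    if (!m) return 0;
    check_live(m);
    if (--m->n_ref > 0)    /* another holder keeps this part (and the rest) alive */
        return 0;
    msg *next = m->next;
    free(m);
    return 1 + msg_unref_recursive(next);
}

/* Iterative release with the same ownership rule but constant stack use.
 * Returns the number of parts actually freed. */
static int msg_unref(msg *m) {
    int freed = 0;
    while (m) {
        check_live(m);
        if (--m->n_ref > 0)
            break;         /* still referenced: the walk stops here */
        msg *next = m->next;
        free(m);
        freed++;
        m = next;
    }
    return freed;
}

/* Build a chain of n parts numbered 1..n; each part owns its successor. */
static msg *chain_new(int n) {
    msg *head = NULL, *tail = NULL;
    for (int i = 1; i <= n; i++) {
        msg *m = msg_new(i);
        if (tail) tail->next = m; else head = m;
        tail = m;
    }
    return head;
}

/* Depth the recursive release reaches for an n-part chain (== n). */
static int demo_recursive_depth(int n) { return msg_unref_recursive(chain_new(n)); }

/* Parts freed by the iterative release for an n-part chain (== n). */
static int demo_iterative_count(int n) { return msg_unref(chain_new(n)); }

/* A second holder on part 3 of a 4-part chain: releasing the head frees parts
 * 1 and 2 only, part 3 survives with one reference, and releasing that last
 * reference frees parts 3 and 4. Returns true if all of that holds. */
static bool demo_shared_part(void) {
    msg *head = chain_new(4);
    msg *third = msg_ref(head->next->next);
    int by_head = msg_unref(head);        /* 2 */
    int left = third->n_ref;              /* 1 */
    int by_holder = msg_unref(third);     /* 2 */
    return by_head == 2 && left == 1 && by_holder == 2;
}

int main(void) {
    printf("recursive depth for 50 parts: %d\n", demo_recursive_depth(50));
    printf("iterative frees for 200000 parts: %d\n", demo_iterative_count(200000));
    printf("shared part behaves: %s\n", demo_shared_part() ? "yes" : "no");
    return 0;
}
```

Run the iterative variant with a chain in the hundreds of thousands and the recursive one with a few dozen parts; the recursive depth equals the chain length, which is the quantity to watch when a netlink dump returns one part per route.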

