[systemd-devel] systemd-networkd DHCPv6 segfault

Steven Noonan steven at uplinklabs.net
Thu Jul 3 19:19:09 PDT 2014


There's a bug in the DHCPv6 implementation somewhere. systemd-networkd
was crashing every time it started, so I took a look in gdb:

# gdb /usr/lib/systemd/systemd-networkd
GNU gdb (GDB) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib/systemd/systemd-networkd...Reading
symbols from /usr/lib/debug//usr/lib/systemd/systemd-networkd.debug...done.
done.
(gdb) run
Starting program: /usr/lib/systemd/systemd-networkd
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
[/etc/systemd/network/bridge-dhcp.network:5] Unknown section 'DHCP'. Ignoring.
br0             : netdev ready
br0             : gained carrier
enp3s0          : gained carrier
lo              : gained carrier
[New Thread 0x7ffff71fe700 (LWP 1407)]
[Thread 0x7ffff71fe700 (LWP 1407) exited]
br0             : link configured
enp3s0          : link configured
br0             : DHCPv4 address 192.168.106.64/24 via 192.168.106.1
[New Thread 0x7ffff71fe700 (LWP 1408)]
br0             : link configured

Program received signal SIGSEGV, Segmentation fault.
0x00005555555d3006 in dhcp6_lease_clear_timers (ia=0x20) at
src/libsystemd-network/sd-dhcp6-lease.c:30
30      src/libsystemd-network/sd-dhcp6-lease.c: No such file or directory.
(gdb) thread apply all bt full

Thread 3 (Thread 0x7ffff71fe700 (LWP 1408)):
#0  0x00007ffff77c06cd in close () from /usr/lib/libpthread.so.0
No symbol table info available.
#1  0x00005555555a7ea2 in close_nointr (fd=9) at src/shared/util.c:169
        r = 0
        __PRETTY_FUNCTION__ = "close_nointr"
#2  0x00005555555a7f02 in safe_close (fd=9) at src/shared/util.c:205
        _saved_errno_ = 0
        __PRETTY_FUNCTION__ = "safe_close"
#3  0x00005555555d6331 in close_thread (p=0x9) at src/shared/async.c:76
No locals.
#4  0x00007ffff77b9124 in start_thread () from /usr/lib/libpthread.so.0
No symbol table info available.
#5  0x00007ffff74ed4bd in clone () from /usr/lib/libc.so.6
No symbol table info available.

Thread 1 (Thread 0x7ffff7fe97c0 (LWP 1403)):
#0  0x00005555555d3006 in dhcp6_lease_clear_timers (ia=0x20) at
src/libsystemd-network/sd-dhcp6-lease.c:30
        __PRETTY_FUNCTION__ = "dhcp6_lease_clear_timers"
#1  0x00005555555d1e9a in client_receive_reply (client=0x555555616fd0,
reply=0x555555611f20, len=126)
    at src/libsystemd-network/sd-dhcp6-client.c:711
        r = 0
        lease = 0x55555560e200
        rapid_commit = true
#2  0x00005555555d2302 in client_receive_message (s=0x555555617460,
fd=11, revents=1, userdata=0x555555616fd0)
    at src/libsystemd-network/sd-dhcp6-client.c:823
        client = 0x555555616fd0
        _dont_destroy_client = 0x555555616fd0
        message = 0x555555611f20
        r = 0
        buflen = 126
        len = 126
        __PRETTY_FUNCTION__ = "client_receive_message"
        __func__ = "client_receive_message"
#3  0x0000555555576a24 in source_dispatch (s=0x555555617460) at
src/libsystemd/sd-event/sd-event.c:2001
        r = 0
        __PRETTY_FUNCTION__ = "source_dispatch"
        __func__ = "source_dispatch"
#4  0x0000555555577920 in sd_event_run (e=0x55555560d500,
timeout=18446744073709551615)
    at src/libsystemd/sd-event/sd-event.c:2288
        ev_queue = 0x7fffffffda40
        ev_queue_max = 15
        p = 0x555555617460
        r = 0
        i = 1
        m = 1
        timedout = false
        __PRETTY_FUNCTION__ = "sd_event_run"
#5  0x0000555555577a36 in sd_event_loop (e=0x55555560d500) at
src/libsystemd/sd-event/sd-event.c:2307
        r = 1
        __PRETTY_FUNCTION__ = "sd_event_loop"
#6  0x000055555555d3d7 in main (argc=1, argv=0x7fffffffdcd8) at
src/network/networkd.c:118
        m = 0x55555560d480
        user = 0x5555555dd280 "systemd-network"
        uid = 193
        gid = 193
        r = 1
        __func__ = "main"
(gdb) up
#1  0x00005555555d1e9a in client_receive_reply (client=0x555555616fd0,
reply=0x555555611f20, len=126)
    at src/libsystemd-network/sd-dhcp6-client.c:711
711     src/libsystemd-network/sd-dhcp6-client.c: No such file or directory.
(gdb) inspect client->lease
$1 = (struct sd_dhcp6_lease *) 0x0
(gdb)

In sd-dhcp6-client.c:711, client->lease is NULL, causing the
dhcp6_lease_clear_timers call to break (it asserts whether 'ia' is
NULL or not, but since 'ia' is offset into the lease structure, the
address it gets is 0x20, so it's non-NULL).

Any idea why client->lease would be null at that point? Presumably
just because it didn't have a previous lease?

I guess dhcp6_lease_clear_timers should be called only if
client->lease is non-NULL, correct?

- Steven
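
The following is an added illustration, not part of the original message and not systemd source code. It shows why a NULL check on a member pointer derived from a NULL parent passes, and what the guard on the parent looks like; the `mock_*` types, their layout (padded so the member sits at offset 0x20, matching the backtrace) and all function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins; the real systemd structures differ. */
struct mock_ia { uint32_t timer_t1, timer_t2; };
struct mock_lease {
    uint8_t header[0x20];   /* placeholder fields so 'ia' lands at offset 0x20 */
    struct mock_ia ia;
};
struct mock_client { struct mock_lease *lease; };

/* Address the callee receives for &lease->ia. Done with integer
 * arithmetic so the NULL case can be shown without dereferencing. */
static uintptr_t ia_address(const struct mock_lease *lease) {
    return (uintptr_t)lease + offsetof(struct mock_lease, ia);
}

/* The callee-side check described in the message: is 'ia' non-NULL? */
static bool callee_check_passes(uintptr_t ia_addr) {
    return ia_addr != 0;
}

/* Stand-in for the timer-clearing routine. */
static int mock_clear_timers(struct mock_ia *ia) {
    if (!ia)
        return -1;
    ia->timer_t1 = 0;
    ia->timer_t2 = 0;
    return 0;
}

/* Guarded caller: test the parent pointer before taking a member's
 * address. Returns 1 if timers were cleared, 0 if there was no lease. */
static int clear_timers_if_leased(struct mock_client *client) {
    if (!client || !client->lease)
        return 0;
    return mock_clear_timers(&client->lease->ia) == 0;
}

int main(void) {
    struct mock_client c = { NULL };
    uintptr_t a = ia_address(c.lease);
    printf("ia address with NULL lease: %#lx, callee check passes: %d\n",
           (unsigned long)a, callee_check_passes(a));
    printf("guarded call cleared timers: %d\n", clear_timers_if_leased(&c));
    return 0;
}
```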

