[systemd-devel] [212] systemd-networkd crashes with simple network config

Tom Gundersen teg at jklm.no
Mon Mar 31 01:09:40 PDT 2014


On Mon, Mar 31, 2014 at 12:28 AM, Tom Gundersen <teg at jklm.no> wrote:
> On Sun, Mar 30, 2014 at 10:18 PM, Kai Krakow <hurikhan77 at gmail.com> wrote:
>> Tom Gundersen <teg at jklm.no> wrote:
>>
>>> On Sun, Mar 30, 2014 at 6:07 PM, Kai Krakow <hurikhan77 at gmail.com> wrote:
>>>> Tom Gundersen <teg at jklm.no> wrote:
>>>>
>>>>>> Starting it from command line shows:
>>>>>>
>>>>>> # /usr/lib/systemd/systemd-networkd
>>>>>> enp4s0: link is up
>>>>>> enp4s0: carrier on
>>>>>> segmentation fault (core dumped)
>>>>>
>>>>> If you could reproduce this with debug symbols included, that would be
>>>>> very helpful (I cannot reproduce it here).
>>>>
>>>> I managed to get at least this backtrace. Somehow gdb did not autoload
>>>> the symbols for systemd from /usr/lib/debug/usr/lib/systemd...
>>>>
>>>> It is probably more helpful now (at least I hope).
>>>>
>>>> #0  0x0000003c49a82a7d in __libc_calloc (n=<optimized out>,
>>>> elem_size=<optimized out>) at malloc.c:3172
>>>>         av = 0x3c49da9640 <main_arena>
>>>>         oldtop = 0x6884d0
>>>>         p = <optimized out>
>>>>         bytes = 88
>>>>         sz = 88
>>>>         csz = <optimized out>
>>>>         oldtopsize = 23344
>>>>         mem = 0x6715f0
>>>>         clearsize = <optimized out>
>>>>         nclears = <optimized out>
>>>>         d = <optimized out>
>>>>         hook = <optimized out>
>>>>         __func__ = "__libc_calloc"
>>>
>>> Hm, so the segfault happens in glibc... It is triggered by us calling
>>> calloc(1, 88), which I think is a supported thing to do ;) At least as
>>> far as I can tell this is not a bug on our side...
>>
>> BTW: It works when running through valgrind:
>>
>> ==6041== Memcheck, a memory error detector
>> ==6041== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
>> ==6041== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
>> ==6041== Command: /usr/lib/systemd/systemd-networkd
>> ==6041==
>> ==6041== Conditional jump or move depends on uninitialised value(s)
>> ==6041==    at 0x3C49617AB6: index (strchr.S:55)
>> ==6041==    by 0x3C49607A12: expand_dynamic_string_token (dl-load.c:431)
>> ==6041==    by 0x3C49608304: _dl_map_object (dl-load.c:2299)
>> ==6041==    by 0x3C4960181D: map_doit (rtld.c:626)
>> ==6041==    by 0x3C4960E985: _dl_catch_error (dl-error.c:177)
>> ==6041==    by 0x3C496010EF: do_preload (rtld.c:815)
>> ==6041==    by 0x3C496039D7: dl_main (rtld.c:1629)
>> ==6041==    by 0x3C496152B7: _dl_sysdep_start (dl-sysdep.c:241)
>> ==6041==    by 0x3C49604E94: _dl_start (rtld.c:331)
>> ==6041==    by 0x3C49601637: ??? (in /lib64/ld-2.17.so)
>> ==6041==
>> ==6041== Conditional jump or move depends on uninitialised value(s)
>> ==6041==    at 0x3C49617ABB: index (strchr.S:58)
>> ==6041==    by 0x3C49607A12: expand_dynamic_string_token (dl-load.c:431)
>> ==6041==    by 0x3C49608304: _dl_map_object (dl-load.c:2299)
>> ==6041==    by 0x3C4960181D: map_doit (rtld.c:626)
>> ==6041==    by 0x3C4960E985: _dl_catch_error (dl-error.c:177)
>> ==6041==    by 0x3C496010EF: do_preload (rtld.c:815)
>> ==6041==    by 0x3C496039D7: dl_main (rtld.c:1629)
>> ==6041==    by 0x3C496152B7: _dl_sysdep_start (dl-sysdep.c:241)
>> ==6041==    by 0x3C49604E94: _dl_start (rtld.c:331)
>> ==6041==    by 0x3C49601637: ??? (in /lib64/ld-2.17.so)
>> ==6041==
>> ==6041== Invalid read of size 8
>> ==6041==    at 0x40C617: rtnl_message_parse (rtnl-message.c:1090)
>> ==6041==    by 0x40CB11: sd_rtnl_message_rewind (rtnl-message.c:1276)
>> ==6041==    by 0x40CDA4: socket_read_message (rtnl-message.c:1213)
>> ==6041==    by 0x417DE1: sd_rtnl_process (sd-rtnl.c:274)
>> ==6041==    by 0x4180C2: io_callback (sd-rtnl.c:764)
>> ==6041==    by 0x415C9D: source_dispatch (sd-event.c:1943)
>> ==6041==    by 0x416500: sd_event_run (sd-event.c:2225)
>> ==6041==    by 0x416A47: sd_event_loop (sd-event.c:2244)
>> ==6041==    by 0x40401B: main (networkd.c:108)
>> ==6041==  Address 0x4cd28e8 is 0 bytes after a block of size 264 alloc'd
>> ==6041==    at 0x4A07462: calloc (vg_replace_malloc.c:593)
>> ==6041==    by 0x40C59E: rtnl_message_parse (rtnl-message.c:1076)
>> ==6041==    by 0x40CB11: sd_rtnl_message_rewind (rtnl-message.c:1276)
>> ==6041==    by 0x40CDA4: socket_read_message (rtnl-message.c:1213)
>> ==6041==    by 0x417DE1: sd_rtnl_process (sd-rtnl.c:274)
>> ==6041==    by 0x4180C2: io_callback (sd-rtnl.c:764)
>> ==6041==    by 0x415C9D: source_dispatch (sd-event.c:1943)
>> ==6041==    by 0x416500: sd_event_run (sd-event.c:2225)
>> ==6041==    by 0x416A47: sd_event_loop (sd-event.c:2244)
>> ==6041==    by 0x40401B: main (networkd.c:108)
>> ==6041==
>> ==6041== Invalid write of size 8
>> ==6041==    at 0x40C62E: rtnl_message_parse (rtnl-message.c:1093)
>> ==6041==    by 0x40CB11: sd_rtnl_message_rewind (rtnl-message.c:1276)
>> ==6041==    by 0x40CDA4: socket_read_message (rtnl-message.c:1213)
>> ==6041==    by 0x417DE1: sd_rtnl_process (sd-rtnl.c:274)
>> ==6041==    by 0x4180C2: io_callback (sd-rtnl.c:764)
>> ==6041==    by 0x415C9D: source_dispatch (sd-event.c:1943)
>> ==6041==    by 0x416500: sd_event_run (sd-event.c:2225)
>> ==6041==    by 0x416A47: sd_event_loop (sd-event.c:2244)
>> ==6041==    by 0x40401B: main (networkd.c:108)
>> ==6041==  Address 0x4cd28e8 is 0 bytes after a block of size 264 alloc'd
>> ==6041==    at 0x4A07462: calloc (vg_replace_malloc.c:593)
>> ==6041==    by 0x40C59E: rtnl_message_parse (rtnl-message.c:1076)
>> ==6041==    by 0x40CB11: sd_rtnl_message_rewind (rtnl-message.c:1276)
>> ==6041==    by 0x40CDA4: socket_read_message (rtnl-message.c:1213)
>> ==6041==    by 0x417DE1: sd_rtnl_process (sd-rtnl.c:274)
>> ==6041==    by 0x4180C2: io_callback (sd-rtnl.c:764)
>> ==6041==    by 0x415C9D: source_dispatch (sd-event.c:1943)
>> ==6041==    by 0x416500: sd_event_run (sd-event.c:2225)
>> ==6041==    by 0x416A47: sd_event_loop (sd-event.c:2244)
>> ==6041==    by 0x40401B: main (networkd.c:108)
>> ==6041==
>> enp4s0: link is up
>> enp4s0: carrier on
>> enp4s0: DHCPv4 address 192.168.4.45/24 via 192.168.4.254
>> enp4s0: link configured
>
> Thanks, that's useful. I'll have a look.

Steven's patch should have fixed this issue (the invalid read/write,
no idea about "Conditional jump or move depends on uninitialised
value(s)").

Care to try again?

Cheers,

Tom
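
Added example, not part of the original message and not systemd's code: the Memcheck report in the quoted text shows an 8-byte access 0 bytes after a 264-byte calloc block, i.e. slot 33 of a 33-slot table, which is what a table indexed by attribute type looks like when it has one slot too few. The sketch below shows a bounds-safe version of such a table; `struct attr`, `put_attr` and `parse_attrs` are hypothetical names, and the type-indexed reading is an inference from those numbers, not something the thread states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed TLV header, loosely modelled on netlink's struct rtattr. */
struct attr { uint16_t len; uint16_t type; };      /* len includes the header */
#define ATTR_ALIGN(n) (((size_t)(n) + 3u) & ~(size_t)3u)

/* Hypothetical helper: append a zero-filled attribute, return the next offset. */
size_t put_attr(uint8_t *buf, size_t off, uint16_t type, uint16_t payload) {
    struct attr a = { (uint16_t)(sizeof a + payload), type };
    memcpy(buf + off, &a, sizeof a);
    memset(buf + off + sizeof a, 0, payload);
    return off + ATTR_ALIGN(a.len);
}

/* Map attribute type -> payload offset in buf (0 = absent).
 * Types 0..max are valid, so the table needs max + 1 slots; with only `max`
 * slots, tb[max] lies exactly 0 bytes after the block.
 * Returns 0 and a table the caller frees, or -1 on malformed input. */
int parse_attrs(const uint8_t *buf, size_t buflen, uint16_t max, size_t **ret) {
    size_t *tb = calloc((size_t)max + 1, sizeof *tb);
    size_t off = 0;
    if (!tb)
        return -1;
    while (buflen - off >= sizeof(struct attr)) {
        struct attr a;
        memcpy(&a, buf + off, sizeof a);           /* no unaligned reads */
        if (a.len < sizeof a || a.len > buflen - off) {
            free(tb);                              /* length field lies: reject */
            return -1;
        }
        if (a.type <= max)                         /* unknown types are skipped */
            tb[a.type] = off + sizeof a;
        if (ATTR_ALIGN(a.len) >= buflen - off)     /* trailing padding may be absent */
            break;
        off += ATTR_ALIGN(a.len);
    }
    *ret = tb;
    return 0;
}
```

An 8-byte write just past a heap block usually lands on allocator bookkeeping, which is why the unpatched binary could fault later inside `calloc` while the same run under Valgrind's replacement allocator completed.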

