[systemd-devel] Wierd Segfault in sd_rtnl_message_unref (libnss_myhostname.so.2 by sshd )

Tom Gundersen teg at jklm.no
Tue Jan 13 14:33:54 PST 2015

Hi Svenne,

On Mon, Jan 12, 2015 at 10:08 PM, Svenne Krap <svenne.lists at krap.dk> wrote:
> Hash: SHA256
> Hi.
> On Arch X64 using 218-1 (first packaging of 218) I have run into the
> following wierd problem.
> When trying to connect to a ssh server running dualstack (both ipv4 and
> ipv6) by ipv6, ssh segfaults when I have loaded the full ipv4 bgp
> routing table (~500k+ routes). IPv4 connections works for some reason,
> and Ipv6 recovers if I kill the routing daemon (bird).
> The stack trace of the core-file starts with
> Stack trace of thread 515:
> #0  0x00007f48334a3dd5 _int_free (libc.so.6)
> #1  0x00007f4834a1e62a sd_rtnl_message_unref (libnss_myhostname.so.2)
> #2  0x00007f4834a1e657 sd_rtnl_message_unref (libnss_myhostname.so.2)
> And continues with that line (#1 and #2) until frame 63.
> I have looked in src/libsystemd/sd-rtnl/rtnl-message.c and have two
> observations (my C is very rusty so feel free to correct me).
> Line 589, shouldn't the line
>     if (m && REFCNT_DEC(m->n_ref) <= 0) {
> be
>     if (m && REFCNT_DEC(m->n_ref) >= 0) {
> (I.e. greater-than-equal instead of less-than-equal)

As Zbigniew explained, this is actually correct, but misleading. I
fixed it to use equality now, which should hopefully make it clearer.

Any chance you could run this through valgrind to get a bit more info
about what's going wrong?

> Also, perhaps a test of whether m->next is equal to m on line 597....

Hm, well, if there is a loop in the message list we are in trouble,
but checking just for two messages pointing at each other is not
enough, as the loop could be bigger. That said, such a loop can only
happen if there is a real bug in our code, so I don't think we should
be checking for that all the time.

Thanks for the report!


More information about the systemd-devel mailing list