[systemd-devel] Wierd Segfault in sd_rtnl_message_unref (libnss_myhostname.so.2 by sshd )

Thu Jan 15 11:25:06 PST 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Tom,

I will be happy to run different tests, but I need a serious amount of
handholding, as I haven't done this kind of work for ages...

You could start with how I run it through Valgrind... (which I do have
installed, but no clue how to use in this context...)

Svenne

On 13-01-2015 23:33, Tom Gundersen wrote:
> Hi Svenne,
>
> On Mon, Jan 12, 2015 at 10:08 PM, Svenne Krap <svenne.lists at krap.dk>
wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Hi.
>>
>> On Arch X64 using 218-1 (first packaging of 218) I have run into the
>> following wierd problem.
>>
>> When trying to connect to a ssh server running dualstack (both ipv4 and
>> ipv6) by ipv6, ssh segfaults when I have loaded the full ipv4 bgp
>> routing table (~500k+ routes). IPv4 connections works for some reason,
>> and Ipv6 recovers if I kill the routing daemon (bird).
>>
>> The stack trace of the core-file starts with
>>
>> Stack trace of thread 515:
>> #0  0x00007f48334a3dd5 _int_free (libc.so.6)
>> #1  0x00007f4834a1e62a sd_rtnl_message_unref (libnss_myhostname.so.2)
>> #2  0x00007f4834a1e657 sd_rtnl_message_unref (libnss_myhostname.so.2)
>>
>> And continues with that line (#1 and #2) until frame 63.
>>
>> I have looked in src/libsystemd/sd-rtnl/rtnl-message.c and have two
>> observations (my C is very rusty so feel free to correct me).
>>
>> Line 589, shouldn't the line
>>     if (m && REFCNT_DEC(m->n_ref) <= 0) {
>>
>> be
>>
>>     if (m && REFCNT_DEC(m->n_ref) >= 0) {
>>
>> (I.e. greater-than-equal instead of less-than-equal)
>
> As Zbigniew explained, this is actually correct, but misleading. I
> fixed it to use equality now, which should hopefully make it clearer.
>
> Any chance you could run this through valgrind to get a bit more info
> about what's going wrong?
>
>> Also, perhaps a test of whether m->next is equal to m on line 597....
>
> Hm, well, if there is a loop in the message list we are in trouble,
> but checking just for two messages pointing at each other is not
> enough, as the loop could be bigger. That said, such a loop can only
> happen if there is a real bug in our code, so I don't think we should
> be checking for that all the time.
>
> Thanks for the report!
>
> Tom
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQI5BAEBCAAjBQJUuBQPHBpodHRwOi8vc3Zlbm5lLmRrL3BncC9wb2xpY3kACgkQ
/zLSj+olL/J/9w//VsorJ1y93yQzSw5SiOegSEr1tZulWP4v41mNRW32ufx22uaz
5KnBbUaokyueArHw2iNRoYpydSK/7yadp/hU9yFTwVnwEuwd/PwFSzPuIpdye2Xz
STpIAlu4bBYgP5I4Tmue64VZDXxmrj24BbHd0yM5ycwApGxMtTdYnvrzfeRv0Hkf
B0G6W/uRmYkFs2/oFf/4brhikK1EZuZzJPeV0v77SCQBxFyVrllwFcvnoW3cyFMa
Co5Mz+5vgCpA2J8mOMFSTDJ3S+kUe6iwS1N5ijC3cM8mvIsQKEGG6xzKJ+mlLkdz
J5E7OHoqBT7rEvKBq0LcHMsOC0wpIb9SG3YtXNeUuJNGm01FM0tvqyP57q63DW0r
vH7u4y75DMQHeM0e/0uEuCiLVb1FHxQxH49NdwhLhFbA8hR6dq6nFL1zB0XnMTvi
lPZdAnEv0WKkkMEVsWH1xABvoYF+VxV3DE/g1Ju/SUW2xmHNQABsp6RB9roDPrGF
8u9FnCbpu/QjM7C4MQR1OH1Z6r4sE/hLcDeNkBQRQRk//8V4W7AkIWQoi7clEAyi
OsJc4YQVfIAebFDRukIEd3xKhNvgsH5ERPQSJPJ8FE/2BwXb8b7qzbiJyTfjQQLs
RWq2zm1rB2UXjZtazEsZFx9VLmwly9blPolpXxSDYHSMp/uBMSS3KrXj2vk=
=kUqi
-----END PGP SIGNATURE-----