segfault when toggling ethernet link #584

@gadall

Hi,
Using dhcpcd 1:10.3.0-7 as packaged by Debian.
I'm using PPPoE. When repeatedly toggling the ethernet link with ip link set enp5s0 down; ip link set enp5s0 up I can get dhcpcd to segfault.

Config:

hostname
duid
persistent
vendorclassid
option domain_name_servers, domain_name, domain_search
option classless_static_routes
option interface_mtu
option host_name
option rapid_commit
require dhcp_server_identifier
slaac private
background
noipv6rs
ipv6only
nohook resolv.conf, yp, hostname, ntp
allowinterfaces ppp0

interface ppp0
	nodelay
	ipv6rs
	iaid 1
	ia_pd 2/xxxx:xxxx:xxxx:xxxx::/64 enp2s0/0

Coredump:

$ coredumpctl debug
           PID: 508 (dhcpcd)
           UID: 100 (dhcpcd)
           GID: 65534 (nogroup)
        Signal: 11 (SEGV)
     Timestamp: Thu 2026-02-19 11:21:08 UTC (2h 2min ago)
  Command Line: $'dhcpcd: [manager] [ip6]'
    Executable: /usr/sbin/dhcpcd
 Control Group: /system.slice/dhcpcd.service
          Unit: dhcpcd.service
         Slice: system.slice
       Boot ID: 661d78c42537418ab968248015d482d1
    Machine ID: ce9f646bb29044a98a222cfef874d248
      Hostname: rt0
       Storage: /var/lib/systemd/coredump/core.dhcpcd.100.661d78c42537418ab968248015d482d1.508.1771500068000000.zst (present)
  Size on Disk: 128.1K
       Message: Process 508 (dhcpcd) of user 100 dumped core.
                
                Module libzstd.so.1 from deb libzstd-1.5.7+dfsg-3+b1.amd64
                Stack trace of thread 508:
                #0  0x000055a44f4a3b27 ipv6nd_expire (/usr/sbin/dhcpcd + 0x36b27)
                #1  0x000055a44f47ef82 eloop_start (/usr/sbin/dhcpcd + 0x11f82)
                #2  0x000055a44f4774b2 main (/usr/sbin/dhcpcd + 0xa4b2)
                #3  0x00007fbced833f75 n/a (libc.so.6 + 0x29f75)
                #4  0x00007fbced834027 __libc_start_main (libc.so.6 + 0x2a027)
                #5  0x000055a44f478381 _start (/usr/sbin/dhcpcd + 0xb381)
                ELF object binary architecture: AMD x86-64

GNU gdb (Debian 17.1-3) 17.1
Copyright (C) 2025 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/dhcpcd...
Reading symbols from /usr/lib/debug/.build-id/47/1d8fe0f719f4317bdcd4a35200a0ffb29185ef.debug...
[New LWP 508]

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.debian.net>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
Downloading 5.21 M separate debug info for /usr/lib/x86_64-linux-gnu/libcrypto.so.3
Downloading 4.13 M separate debug info for /usr/lib/x86_64-linux-gnu/libc.so.6
Downloading 123.90 K separate debug info for /usr/lib/x86_64-linux-gnu/libz.so.1
Downloading 2.11 M separate debug info for /usr/lib/x86_64-linux-gnu/libzstd.so.1
Downloading 557.05 K separate debug info for /lib64/ld-linux-x86-64.so.2
Downloading 47.80 K separate debug info for system-supplied DSO at 0x7fbcee18c000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/dhcpcd -q -b'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055a44f4a3b27 in ipv6nd_expire (arg=0x55a48d5b2440) at ./src/ipv6nd.c:448
448		if (ifp->ctx->ra_routers == NULL)
(gdb) bt
#0  0x000055a44f4a3b27 in ipv6nd_expire (arg=0x55a48d5b2440) at ./src/ipv6nd.c:448
#1  0x000055a44f47ef82 in eloop_start (eloop=0x55a48d58e380) at ./src/eloop.c:1060
#2  0x000055a44f4774b2 in main (argc=<optimized out>, argv=0x7fff94572c38, envp=<optimized out>) at ./src/dhcpcd.c:2741
(gdb) exit

journal:

Feb 19 11:19:52 rt0 pppd[595]: Sent PADT
Feb 19 11:19:56 rt0 pppd[595]: error receiving pppoe packet: Network is down
Feb 19 11:19:59 rt0 pppd[595]: error receiving pppoe packet: Network is down
Feb 19 11:20:02 rt0 pppd[595]: error receiving pppoe packet: Network is down
Feb 19 11:20:06 rt0 pppd[595]: error receiving pppoe packet: Network is down
Feb 19 11:20:07 rt0 pppd[595]: error receiving pppoe packet: Network is down
Feb 19 11:20:08 rt0 pppd[595]: error receiving pppoe packet: Network is down
Feb 19 11:20:12 rt0 kernel: igc 0000:05:00.0 enp5s0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Feb 19 11:20:15 rt0 pppd[595]: error receiving pppoe packet: Network is down
Feb 19 11:20:19 rt0 kernel: igc 0000:05:00.0 enp5s0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Feb 19 11:20:27 rt0 pppd[595]: Timeout waiting for PADO packets
Feb 19 11:20:27 rt0 pppd[595]: Unable to complete PPPoE Discovery phase 1
Feb 19 11:20:32 rt0 kernel: igc 0000:05:00.0 enp5s0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Feb 19 11:20:33 rt0 pppd[595]: error receiving pppoe packet: Network is down
Feb 19 11:20:39 rt0 kernel: igc 0000:05:00.0 enp5s0: NIC Link is Up 10 Mbps Half Duplex, Flow Control: None
Feb 19 11:20:40 rt0 kernel: igc 0000:05:00.0 enp5s0: NIC Link is Down
Feb 19 11:20:44 rt0 kernel: igc 0000:05:00.0 enp5s0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Feb 19 11:20:51 rt0 pppd[595]: PPP session is 2455
Feb 19 11:20:51 rt0 pppd[595]: Connected to xx:xx:xx:xx:xx:xx via interface enp5s0
Feb 19 11:20:51 rt0 pppd[595]: Using interface ppp0
Feb 19 11:20:51 rt0 pppd[595]: Connect: ppp0 <--> enp5s0
Feb 19 11:20:51 rt0 dhcpcd[509]: ppp0: waiting for carrier
Feb 19 11:20:51 rt0 dhcpcd[509]: ppp0: carrier acquired
Feb 19 11:20:51 rt0 dhcpcd[509]: ppp0: IAID 00:00:00:01
Feb 19 11:20:51 rt0 dhcpcd[509]: ppp0: IA type 25 IAID 00:00:00:02
Feb 19 11:20:54 rt0 pppd[595]: Remote message: Authentication success,Welcome!
Feb 19 11:20:54 rt0 pppd[595]: PAP authentication succeeded
Feb 19 11:20:54 rt0 pppd[595]: peer from calling number xx:xx:xx:xx:xx:xx authorized
Feb 19 11:20:54 rt0 pppd[595]: local  LL address fe80::xxxx:xxxx:xxxx:xxxx
Feb 19 11:20:54 rt0 pppd[595]: remote LL address fe80::xxxx:xxxx:xxxx:xxxx
Feb 19 11:20:54 rt0 dhcpcd[509]: ppp0: soliciting an IPv6 router
Feb 19 11:20:54 rt0 dhcpcd[509]: ppp0: rebinding prior DHCPv6 lease
Feb 19 11:20:54 rt0 dhcpcd[509]: ppp0: Router Advertisement from fe80::xxxx:xxxx:xxxx:xxxx
Feb 19 11:20:54 rt0 dhcpcd[509]: ppp0: no global addresses for default route
Feb 19 11:20:54 rt0 dhcpcd[509]: lo: adding reject route to xxxx:xxxx:xxxx:xxxx::/64
Feb 19 11:20:54 rt0 pppd[595]: local  IP address xx.xx.xx.xx
Feb 19 11:20:54 rt0 pppd[595]: remote IP address xx.xx.xx.xx
Feb 19 11:20:54 rt0 pppd[595]: primary   DNS address xx.xx.xx.xx
Feb 19 11:20:54 rt0 pppd[595]: secondary DNS address xx.xx.xx.xx
Feb 19 11:21:02 rt0 pppd[595]: Modem hangup
Feb 19 11:21:02 rt0 pppd[595]: Connect time 0.2 minutes.
Feb 19 11:21:02 rt0 pppd[595]: Sent 48737 bytes, received 78133 bytes.
Feb 19 11:21:02 rt0 dhcpcd[509]: ppp0: carrier lost
Feb 19 11:21:02 rt0 pppd[595]: Connection terminated.
Feb 19 11:21:02 rt0 dhcpcd[509]: lo: deleting reject route to xxxx:xxxx:xxxx:xxxx::/64
Feb 19 11:21:02 rt0 dhcpcd[509]: ppp0: removing interface
Feb 19 11:21:02 rt0 pppd[595]: Sent PADT
Feb 19 11:21:05 rt0 kernel: igc 0000:05:00.0 enp5s0: NIC Link is Up 10 Mbps Half Duplex, Flow Control: None
Feb 19 11:21:05 rt0 kernel: igc 0000:05:00.0 enp5s0: NIC Link is Down
Feb 19 11:21:08 rt0 kernel: dhcpcd[508]: segfault at 55a48d94a ip 000055a44f4a3b27 sp 00007fff94572658 error 4 in dhcpcd[36b27,55a44f476000+41000] likely on CPU 0 (core 0, socket 0)
Feb 19 11:21:08 rt0 kernel: Code: e9 1e fe ff ff 66 0f 1f 44 00 00 41 bc 01 00 00 00 e9 0d fe ff ff e8 28 2b fd ff 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 8b 07 <48> 8b 80 98 03 00 00 48 85 c0 74 3d 66 90 66 66 2e 0f 1f 84 00 00
Feb 19 11:21:08 rt0 systemd-coredump[1284]: Process 508 (dhcpcd) of user 100 terminated abnormally with signal 11/SEGV, processing...
Feb 19 11:21:08 rt0 systemd[1]: Created slice system-systemd\x2dcoredump.slice - Slice /system/systemd-coredump.
Feb 19 11:21:08 rt0 systemd[1]: Started systemd-coredump@0-1-1284_1285-0.service - Process Core Dump (PID 1284/UID 0).
Feb 19 11:21:08 rt0 systemd-coredump[1285]: [🡕] Process 508 (dhcpcd) of user 100 dumped core.
                                            
                                            Module libzstd.so.1 from deb libzstd-1.5.7+dfsg-3+b1.amd64
                                            Stack trace of thread 508:
                                            #0  0x000055a44f4a3b27 ipv6nd_expire (/usr/sbin/dhcpcd + 0x36b27)
                                            #1  0x000055a44f47ef82 eloop_start (/usr/sbin/dhcpcd + 0x11f82)
                                            #2  0x000055a44f4774b2 main (/usr/sbin/dhcpcd + 0xa4b2)
                                            #3  0x00007fbced833f75 n/a (libc.so.6 + 0x29f75)
                                            #4  0x00007fbced834027 __libc_start_main (libc.so.6 + 0x2a027)
                                            #5  0x000055a44f478381 _start (/usr/sbin/dhcpcd + 0xb381)
                                            ELF object binary architecture: AMD x86-64
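
Added triage example, not part of the original report and not dhcpcd code: it decodes the kernel `segfault` line and an excerpt of the `Code:` bytes from the journal above, recovers the pointer that was loaded from `*arg`, and tests whether it equals `arg >> 12`. That match is what the first word of a freed glibc chunk holds under safe-linking when its next pointer is NULL; this is an assumption about the allocator, not something the report states, and the function names are hypothetical.

```python
import re

# Values copied from the kernel journal lines and gdb frame #0 in the report.
SEGFAULT = ("dhcpcd[508]: segfault at 55a48d94a ip 000055a44f4a3b27 "
            "sp 00007fff94572658 error 4 in dhcpcd[36b27,55a44f476000+41000]")
CODE = "f3 0f 1e fa 48 8b 07 <48> 8b 80 98 03 00 00 48 85 c0"  # excerpt around <..>
GDB_ARG = 0x55a48d5b2440  # ipv6nd_expire (arg=...)


def parse_segfault(line):
    """Extract the fault address, instruction pointer and x86 page-fault bits."""
    m = re.search(r"segfault at ([0-9a-f]+) ip ([0-9a-f]+) sp [0-9a-f]+ error (\d+)", line)
    if m is None:
        raise ValueError("not a kernel segfault line")
    err = int(m.group(3))
    return {"addr": int(m.group(1), 16), "ip": int(m.group(2), 16),
            "present": bool(err & 1), "write": bool(err & 2), "user": bool(err & 4)}


def decode_code(code):
    """Decode the two instructions around the <..> marker.

    Only the pattern seen in this report is handled:
      48 8b 07              mov rax, [rdi]          (load first field of *arg)
      48 8b 80 <disp32>     mov rax, [rax+disp32]   (faulting load)
    """
    before, after = code.split("<", 1)
    prev = bytes(int(b, 16) for b in before.split()[-3:])
    insn = bytes(int(b, 16) for b in after.replace(">", "").split())
    if insn[:3] != bytes.fromhex("488b80"):
        raise ValueError("unsupported faulting instruction")
    return prev == bytes.fromhex("488b07"), int.from_bytes(insn[3:7], "little")


def triage(line, code, arg):
    fault = parse_segfault(line)
    loaded_from_arg, disp = decode_code(code)
    base = fault["addr"] - disp  # the value read from *arg (ifp->ctx at line 448)
    # Assumption: glibc >= 2.32 safe-linking writes (chunk_addr >> 12) ^ next into
    # the first word of a freed tcache/fastbin chunk; next == NULL leaves addr >> 12.
    return {**fault, "disp": disp, "base": base, "loaded_from_arg": loaded_from_arg,
            "looks_freed": loaded_from_arg and base == arg >> 12}


if __name__ == "__main__":
    r = triage(SEGFAULT, CODE, GDB_ARG)
    print(f"fault {r['addr']:#x} = base {r['base']:#x} + disp {r['disp']:#x}")
    print("*arg matches a freed-chunk link word:", r["looks_freed"])
```

With the values from this report the check is true, which is consistent with the expiry timer firing on an interface structure that had already been freed (the journal shows `ppp0: removing interface` six seconds before the fault).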
