On Mon, Nov 30, 2015 at 11:01:48AM -0500, David Miller wrote:

From: Andrew Lunn <andrew@lunn.ch>
Date: Wed, 25 Nov 2015 21:15:36 +0100

quoted

@@ -2126,7 +2126,7 @@ int ip_mc_leave_group(struct sock *sk, struct ip_mreqn *imr)
 	ASSERT_RTNL();
 
 	in_dev = ip_mc_find_dev(net, imr);
-	if (!in_dev) {
+	if (!imr->imr_ifindex && !imr->imr_address.s_addr && !in_dev) {
 		ret = -ENODEV;
 		goto out;
 	}

Now, ip_mc_dec_group() below can take a NULL pointer dereference.  One example
is if imr_ifindex is specified and the lookup returns NULL in ip_mc_find_dev().

Agreed. Earlier code had an if (in_dev) before the call to
ip_mc_dec_group(). It got removed along the way and now needs adding
back. A v2 patch will follow soon.
 

This is so rediculously complicated, just looking at this code breaks something.

Yep. I think part of the problem comes from the code being designed
before interfaces were hot plugable.