ip multicast bug

ip multicast bug

[Karlis Peisenieks]

[-- Attachment #1: Type: text/plain, Size: 579 bytes --]

Hello,

Patch below fixes kernel crash when multicast group is joined on 
disabled interface with IP address added.

The problem is 
ip_mc_join_group->ip_mc_inc_group->igmp_group_added
->igmp_ifc_event->igmp_ifc_start_timer which does mod_timer on 
uninitialized timer_struct (mr_ifc_timer). As soon as timer fires, 
kernel crashes.

Multicast related fields of in_device are only initialized in ip_mc_up
which gets called when device is enabled.

Perhaps somebody with more clue on multicast implementation can comment 
on this fix - is this fix enough or maybe wrong.


Karlis

[-- Attachment #2: igmp.c.patch --]
[-- Type: text/plain, Size: 496 bytes --]

--- igmp.c	2 Dec 2003 08:53:00 -0000	1.1.1.7
+++ igmp.c	17 Feb 2004 15:51:58 -0000
@@ -1151,12 +1151,14 @@
 	im->next=in_dev->mc_list;
 	in_dev->mc_list=im;
 	write_unlock_bh(&in_dev->lock);
+
+	if (in_dev->dev->flags & IFF_UP) {
 #ifdef CONFIG_IP_MULTICAST
-	igmpv3_del_delrec(in_dev, im->multiaddr);
+		igmpv3_del_delrec(in_dev, im->multiaddr);
 #endif
-	igmp_group_added(im);
-	if (in_dev->dev->flags & IFF_UP)
+		igmp_group_added(im);
 		ip_rt_multicast_event(in_dev);
+	}
 out:
 	return;
 }

Re: ip multicast bug

[David Stevens]

[-- Attachment #1: Type: text/plain, Size: 236 bytes --]






> Patch below fixes kernel crash when multicast group is joined on
> disabled interface with IP address added.

Karlis,
      How exactly did you do this, and what version of the kernel
are you using?

                        +-DLS

[-- Attachment #2: Type: text/html, Size: 315 bytes --]

Re: ip multicast bug

[David Stevens]

[-- Attachment #1.1: Type: text/plain, Size: 1249 bytes --]





Karlis,
      I was able to reproduce your problem, finally. Your patch does have
a couple problems, though. First, the igmpv3_del_delrec() call should be
there
whether or not the interface is IFF_UP (to prevent a memory leak) and
second,
portions of igmp_group_added should still be run when the interface is
down,
so that the group will properly be joined when the interface is brought up.
      I think the patch below fixes the problem. Thanks for reporting it!

                              +-DLS

--- linux-2.6.3-rc4/net/ipv4/igmp.c 2004-02-17 12:19:51.000000000 -0800
+++ linux-2.6.3-rc4F1/net/ipv4/igmp.c     2004-02-17 13:25:39.334792760 -0800
@@ -1067,7 +1067,7 @@
      reporter = im->reporter;
      igmp_stop_timer(im);

-     if (!in_dev->dead) {
+     if (!in_dev->dead && (in_dev->dev->flags & IFF_UP)) {
            if (IGMP_V1_SEEN(in_dev))
                  goto done;
            if (IGMP_V2_SEEN(in_dev)) {
@@ -1098,7 +1098,7 @@
      if (im->multiaddr == IGMP_ALL_HOSTS)
            return;

-     if (in_dev->dead)
+     if (in_dev->dead || !(in_dev->dev->flags & IFF_UP))
            return;
      if (IGMP_V1_SEEN(in_dev) || IGMP_V2_SEEN(in_dev)) {
            spin_lock_bh(&im->lock);
(See attached file: igmpf1.patch)

[-- Attachment #1.2: Type: text/html, Size: 1337 bytes --]

[-- Attachment #2: igmpf1.patch --]
[-- Type: application/octet-stream, Size: 615 bytes --]

--- linux-2.6.3-rc4/net/ipv4/igmp.c	2004-02-17 12:19:51.000000000 -0800
+++ linux-2.6.3-rc4F1/net/ipv4/igmp.c	2004-02-17 13:25:39.334792760 -0800
@@ -1067,7 +1067,7 @@
 	reporter = im->reporter;
 	igmp_stop_timer(im);
 
-	if (!in_dev->dead) {
+	if (!in_dev->dead && (in_dev->dev->flags & IFF_UP)) {
 		if (IGMP_V1_SEEN(in_dev))
 			goto done;
 		if (IGMP_V2_SEEN(in_dev)) {
@@ -1098,7 +1098,7 @@
 	if (im->multiaddr == IGMP_ALL_HOSTS)
 		return;
 
-	if (in_dev->dead)
+	if (in_dev->dead || !(in_dev->dev->flags & IFF_UP))
 		return;
 	if (IGMP_V1_SEEN(in_dev) || IGMP_V2_SEEN(in_dev)) {
 		spin_lock_bh(&im->lock);