On Sat, 2013-05-11 at 16:11 -0700, David Miller wrote:

From: Cong Wang <redacted>
Date: Wed,  8 May 2013 15:41:54 +0800

quoted

@@ -1369,7 +1370,7 @@ static struct sk_buff *mld_newpack(struct net_device *dev, int size)
 
 	skb_reserve(skb, hlen);
 
-	if (ipv6_get_lladdr(dev, &addr_buf, IFA_F_TENTATIVE)) {
+	if (__ipv6_get_lladdr(idev, &addr_buf, IFA_F_TENTATIVE)) {
 		/* <draft-ietf-magma-mld-source-05.txt>:
 		 * use unspecified address as the source address
 		 * when a valid link-local address is not available.

You aren't necessarily going to be holding idev->lock, therefore you can't
just do a lockless traversal of idev->addr_list here.

Yes, you can elide the rcu_read_lock() because you have a known reference
to 'idev' in these paths, but you can't get rid of the address list locking
altogether.

(Apologize for the delay...)

The upper callers of mld_newpack() already take
read_lock_bh(&idev->lock): 


mld_newpack() ...-> add_grec() -|-> mld_send_cr()     LOCKED
                                |-> mld_send_report() LOCKED


therefore it is safe to travel idev->addr_list locklessly here.