Re: [PATCH] md: use READ_ONCE() for rdev_attr_show() mddev check

From: yu kuai

Date: Sat Jun 20 2026 - 15:29:31 EST


Hi,

On 2026/6/11 16:35, Runyu Xiao wrote:
> md_kick_rdev_from_array() clears rdev->mddev with
> WRITE_ONCE(rdev->mddev, NULL), and rdev_attr_store() already snapshots
> that same shared pointer with READ_ONCE(rdev->mddev). rdev_attr_show()
> still tests the pointer with a plain lockless `if (!rdev->mddev)` before
> calling entry->show().
>
> A running system can reach this by reading rdev sysfs attributes while a
> device removal path is tearing the same md_rdev down. In that window,
> rdev_attr_show() can pass a stale plain guard while sibling
> rdev_attr_store() already observes NULL and returns -ENODEV, leaving the
> show path to operate after the shared mddev pointer has been revoked.
>
> Use READ_ONCE() in rdev_attr_show() so this sysfs read side matches the
> existing visibility contract on rdev->mddev.
>
> Fixes: 9cfcf99e7ed6 ("md: get rdev->mddev with READ_ONCE()")
> Signed-off-by: Runyu Xiao <runyu.xiao@xxxxxxxxxx>
> ---
> drivers/md/md.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c
> index 92ec4be20db8..a021cf4a798d 100644
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -3704,7 +3704,7 @@ rdev_attr_show(struct kobject *kobj, struct attribute *attr, char *page)
>
> if (!entry->show)
> return -EIO;
> - if (!rdev->mddev)
> + if (!READ_ONCE(rdev->mddev))
> return -ENODEV;

Unlike rdev_attr_store(), the kernel can panic if an abnormal value is read. However, this is just a
read and the value is not used at all; READ_ONCE() is not used here on purpose by 9cfcf99e7ed6.

> return entry->show(rdev, page);
> }
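
Review bot: The READ_ONCE() result in the `if (!READ_ONCE(rdev->mddev))` guard is discarded, so the race described in the commit message is not closed by this change: `entry->show(rdev, page)` receives only rdev, and any use of rdev->mddev inside a show handler is a separate, later load that can still observe the pointer after md_kick_rdev_from_array() has cleared it. If the intent is only to mark the lockless NULL test as an intentional racy read, the changelog should say that and the Fixes: tag should be reconsidered, since nothing about the check's outcome changes. If a show handler really can run against a revoked mddev, the fix needs the guard and the handler to share one snapshot or a lock, which this hunk does not provide.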

--
Thanks,
Kuai