[PATCH] md: use READ_ONCE() for rdev_attr_show() mddev check

From: Runyu Xiao

Date: Thu Jun 11 2026 - 04:41:14 EST


md_kick_rdev_from_array() clears rdev->mddev with
WRITE_ONCE(rdev->mddev, NULL), and rdev_attr_store() already snapshots
that same shared pointer with READ_ONCE(rdev->mddev). rdev_attr_show()
still tests the pointer with a plain lockless `if (!rdev->mddev)` before
calling entry->show().

A running system can reach this by reading rdev sysfs attributes while a
device removal path is tearing the same md_rdev down. In that window,
rdev_attr_show() can pass a stale plain guard while sibling
rdev_attr_store() already observes NULL and returns -ENODEV, leaving the
show path to operate after the shared mddev pointer has been revoked.

Use READ_ONCE() in rdev_attr_show() so this sysfs read side matches the
existing visibility contract on rdev->mddev.

Fixes: 9cfcf99e7ed6 ("md: get rdev->mddev with READ_ONCE()")
Signed-off-by: Runyu Xiao <runyu.xiao@xxxxxxxxxx>
---
drivers/md/md.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 92ec4be20db8..a021cf4a798d 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -3704,7 +3704,7 @@ rdev_attr_show(struct kobject *kobj, struct attribute *attr, char *page)

if (!entry->show)
return -EIO;
- if (!rdev->mddev)
+ if (!READ_ONCE(rdev->mddev))
return -ENODEV;
return entry->show(rdev, page);
}
--
2.34.1