The mddev->lock spinlock doesn't protect against the removal of conf->log in r5l_exit_log() so conf->log may be freed before it is used. To fix this, take the mddev_lock() insteaad of the mddev->lock spinlock.

Signed-off-by: Logan Gunthorpe <logang@xxxxxxxxxxxx>
---
 drivers/md/raid5-cache.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/md/raid5-cache.c b/drivers/md/raid5-cache.c
index 83c184eddbda..69b95005abca 100644
--- a/drivers/md/raid5-cache.c
+++ b/drivers/md/raid5-cache.c
@@ -2534,10 +2534,13 @@ static ssize_t r5c_journal_mode_show(struct mddev *mddev, char *page)
 struct r5conf *conf;
 int ret;

- spin_lock(&mddev->lock);
+ ret = mddev_lock(mddev);
+ if (ret)
+ return ret;
+
 conf = mddev->private;
 if (!conf || !conf->log) {
- spin_unlock(&mddev->lock);
+ mddev_unlock(mddev);
 return 0;
 }

@@ -2557,7 +2560,7 @@ static ssize_t r5c_journal_mode_show(struct mddev *mddev, char *page)
 default:
 ret = 0;
 }
- spin_unlock(&mddev->lock);
+ mddev_unlock(mddev);
 return ret;
 }

@@ -3167,6 +3170,8 @@ void r5l_exit_log(struct r5conf *conf)
 {
 struct r5l_log *log = conf->log;

+ lockdep_assert_held(&conf->mddev->reconfig_mutex);
+
 conf->log = NULL;
 synchronize_rcu();

-- 
2.30.2
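Review bot: In r5c_journal_mode_show() the new `ret = mddev_lock(mddev);` carries no comment saying why a sysfs read needs the reconfiguration lock rather than the spinlock, so a later cleanup could switch it back and reopen the use-after-free on conf->log. I would add `/* mddev_lock(), not mddev->lock: serialises against r5l_exit_log() freeing conf->log */` directly above the call. Because the show handler now waits on that lock, it is also worth confirming that no path removes this attribute while holding it, since attribute removal commonly waits for in-flight handlers (inferred, not visible in this diff). The matching unlock is in the second hunk (`@@ -2557,7`), and the function's opening and its switch body lie outside both hunks.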
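Review bot: `lockdep_assert_held(&conf->mddev->reconfig_mutex);` in r5l_exit_log() only documents the locking rule unless the kernel's lock checking is enabled, so the fix still depends on every caller holding that mutex. None of those callers are visible in this diff, so each one, including error-unwind paths, should be checked before relying on the assertion. A one-line comment such as `/* callers must hold reconfig_mutex; r5c_journal_mode_show() reads conf->log under it */` would make the pairing with the reader explicit. The assertion also dereferences `conf->mddev` as the first statement after the declaration, which assumes that pointer is valid on every path into this function. The rest of the function body is outside the hunk.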