blk-mq: Do not invoke queue operations on a dead queue

[mirror_ubuntu-bionic-kernel.git] / block / blk-mq-debugfs.c

diff --git a/block/blk-mq-debugfs.c b/block/blk-mq-debugfs.c
index 1579af6fcbedcd6c9375687a48a4791e5d756b56..347fbb8e059cf3e3e45b5b8071fa529f94038835 100644 (file)
--- a/block/blk-mq-debugfs.c
+++ b/block/blk-mq-debugfs.c
@@ -102,6 +102,14 @@ static ssize_t queue_state_write(void *data, const char __user *buf,
        struct request_queue *q = data;
        char opbuf[16] = { }, *op;
 
+       /*
+        * The "state" attribute is removed after blk_cleanup_queue() has called
+        * blk_mq_free_queue(). Return if QUEUE_FLAG_DEAD has been set to avoid
+        * triggering a use-after-free.
+        */
+       if (blk_queue_dead(q))
+               return -ENOENT;
+
        if (count >= sizeof(opbuf)) {
                pr_err("%s: operation too long\n", __func__);
                goto inval;