One of the debugfs attributes allows running a queue. Since running a queue after a queue has entered the "dead" state is not allowed and triggers a use-after-free, unregister the debugfs attributes before a queue reaches the "dead" state. Signed-off-by: Bart Van Assche <bart.vanassche@xxxxxxxxxxx> Reviewed-by: Hannes Reinecke <hare@xxxxxxxx> Reviewed-by: Omar Sandoval <osandov@xxxxxx> --- block/blk-core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/block/blk-core.c b/block/blk-core.c index a49b0830aaaf..33c91a4bee97 100644 --- a/block/blk-core.c +++ b/block/blk-core.c @@ -566,6 +566,11 @@ void blk_cleanup_queue(struct request_queue *q) spin_lock_irq(lock); if (!q->mq_ops) __blk_drain_queue(q, true); + spin_unlock_irq(lock); + + blk_mq_debugfs_unregister_mq(q); + + spin_lock_irq(lock); queue_flag_set(QUEUE_FLAG_DEAD, q); spin_unlock_irq(lock); -- 2.12.2
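Review bot: the unlock/relock pair added in the blk_cleanup_queue() hunk opens a window between __blk_drain_queue() and queue_flag_set(QUEUE_FLAG_DEAD, q) in which the queue lock is not held, so the "drained, then marked dead" sequence is no longer atomic with respect to other lock holders; a comment should state why nothing can be requeued in that window (presumably because the queue was already marked dying earlier in this function, which the hunk context does not show). Since the call being inserted is blk_mq_debugfs_unregister_mq(q) while the drain guarded by `if (!q->mq_ops)` only runs for legacy queues, consider placing the unregister call before the existing `spin_lock_irq(lock);` instead, which removes the dead-state race without dropping and re-taking the lock; if the ordering after the drain is intentional, say so in a comment. The call is also made unconditionally for non-mq queues, so it is worth confirming that blk_mq_debugfs_unregister_mq() tolerates a queue that never registered debugfs attributes.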