On Wed, Jun 01, 2022 at 08:54:30AM +0800, Ming Lei wrote:
> This way can't be safe, who can guarantee that all sync submission
> activities are gone after queue is frozen? We had lots of reports on
> blk_mq_sched_has_work() which triggers UAF.
Yes, we probably need a blk_mq_quiesce_queue call like in the incremental
patch below. Do you have any good reproducer, though?
diff --git a/block/genhd.c b/block/genhd.c
index 9914d0f24fecd..155b64ff991f6 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -652,9 +652,13 @@ void del_gendisk(struct gendisk *disk)
blk_mq_cancel_work_sync(q);
if (q->elevator) {
+ blk_mq_quiesce_queue(q);
+
mutex_lock(&q->sysfs_lock);
elevator_exit(q);
mutex_unlock(&q->sysfs_lock);
+
+ blk_mq_unquiesce_queue(q);
}
rq_qos_exit(q);
