
The issue occurs in blk_mq_has_sqsched(), which accesses the q->elevator
pointer and its members without any protection. During device state
changes, the related memory structures might be freed, causing a
use-after-free vulnerability.

This patch introduces a QUEUE_FLAG_SQ_SCHED flag that is set during
scheduler initialization, eliminating the need for runtime checks of
scheduler features. This removes the need to access q->elevator at
unsafe moments, resolving the UAF issue.

Bart Van Assche (1):
  block: Decode all flag names in the debugfs output

Christoph Hellwig (1):
  block: remove QUEUE_FLAG_DEAD

Ming Lei (2):
  blk-mq: protect q->elevator by ->sysfs_lock in blk_mq_elv_switch_none
  blk-mq: avoid to touch q->elevator without any protection

 block/bfq-iosched.c               |  3 +++
 block/blk-core.c                  |  2 --
 block/blk-mq-debugfs.c            |  9 ++++-----
 block/blk-mq-sched.c              |  1 +
 block/blk-mq.c                    | 22 +++++----------------
 block/kyber-iosched.c             |  3 ++-
 block/mq-deadline.c               |  3 +++
 drivers/block/mtip32xx/mtip32xx.c |  2 +-
 include/linux/blkdev.h            |  4 ++--
 include/linux/elevator.h          |  2 --
 10 files changed, 21 insertions(+), 30 deletions(-)

-- 
2.39.2
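The pattern the series describes, shown as an added stand-alone illustration
that is not code from the kernel or from this series: a check that chases
q->elevator->type at call time depends on the elevator still being alive,
whereas a queue flag recorded once at scheduler init can be read at any
moment without touching the pointer. The struct layouts, the
ELEVATOR_F_MQ_AWARE bit, the flag bit number and the init/exit helpers below
are simplified models of the kernel's, not copies of it.

```c
/* Added illustration, not kernel code: runtime pointer chase vs. a flag
 * set at scheduler initialization. Names mirror the kernel's for
 * readability; the layouts are simplified models. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Modelled on ELEVATOR_F_MQ_AWARE: scheduler copes with per-hctx dispatch. */
#define ELEVATOR_F_MQ_AWARE   (1U << 0)
/* Modelled on QUEUE_FLAG_SQ_SCHED: bit index inside queue_flags (assumed). */
#define QUEUE_FLAG_SQ_SCHED   0

struct elevator_type {
    const char *name;
    unsigned int elevator_features;
};

struct elevator_queue {
    struct elevator_type *type;
};

struct request_queue {
    unsigned long queue_flags;
    struct elevator_queue *elevator;   /* freed by sched_exit() */
};

/* Old-style check: only valid while the caller guarantees q->elevator is live.
 * Called during a scheduler switch or device teardown it reads freed memory. */
static bool has_sqsched_pointer_chase(const struct request_queue *q)
{
    return q->elevator &&
           !(q->elevator->type->elevator_features & ELEVATOR_F_MQ_AWARE);
}

/* Flag-based check: a bit test on the queue itself, no dereference. */
static bool has_sqsched_flag(const struct request_queue *q)
{
    return (q->queue_flags >> QUEUE_FLAG_SQ_SCHED) & 1UL;
}

/* Models scheduler init: attach the elevator and record, once, whether it is
 * a single-queue scheduler. Returns 0 on success, -1 on allocation failure. */
static int sched_init(struct request_queue *q, struct elevator_type *t)
{
    struct elevator_queue *e = calloc(1, sizeof(*e));
    if (!e)
        return -1;
    e->type = t;
    q->elevator = e;
    if (t->elevator_features & ELEVATOR_F_MQ_AWARE)
        q->queue_flags &= ~(1UL << QUEUE_FLAG_SQ_SCHED);
    else
        q->queue_flags |= (1UL << QUEUE_FLAG_SQ_SCHED);
    return 0;
}

/* Models scheduler exit: the elevator is gone, so the flag is cleared with it.
 * After this point only the flag-based check is safe to call. */
static void sched_exit(struct request_queue *q)
{
    free(q->elevator);
    q->elevator = NULL;
    q->queue_flags &= ~(1UL << QUEUE_FLAG_SQ_SCHED);
}

/* Walks a constructed lifecycle: a non-MQ-aware scheduler (like bfq), its
 * removal, then an MQ-aware one (like kyber). Returns 0 when every
 * observation matches expectations, otherwise the number of the failed step. */
static int demo_lifecycle(void)
{
    struct elevator_type single = { "single-queue-sched", 0 };
    struct elevator_type aware  = { "mq-aware-sched", ELEVATOR_F_MQ_AWARE };
    struct request_queue q;
    memset(&q, 0, sizeof(q));

    if (sched_init(&q, &single) != 0)          return 1;
    if (!has_sqsched_flag(&q))                 return 2;
    if (!has_sqsched_pointer_chase(&q))        return 3; /* both agree while live */
    sched_exit(&q);
    if (has_sqsched_flag(&q))                  return 4; /* no pointer touched */
    if (sched_init(&q, &aware) != 0)           return 5;
    if (has_sqsched_flag(&q))                  return 6;
    sched_exit(&q);
    return 0;
}

int main(void)
{
    printf("lifecycle check: %d\n", demo_lifecycle());
    return 0;
}
```

In demo_lifecycle() the pointer-chasing check is only ever called while the
elevator is attached; after sched_exit() only the flag is consulted, which is
exactly the property the series relies on.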