blk-mq: Do not invoke queue operations on a dead queue

In commit e869b5462f83 ("blk-mq: Unregister debugfs attributes
earlier"), we shuffled the debugfs cleanup around so that the "state"
attribute was removed before we freed the blk-mq data structures.
However, later changes are going to undo that, so we need to explicitly
disallow running a dead queue.

[Omar: rebased and updated commit message]
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Jens Axboe <axboe@fb.com>

block/blk-mq-debugfs.c

@@ -102,6 +102,14 @@ static ssize_t queue_state_write(void *data, const char __user *buf,
 	struct request_queue *q = data;
 	char opbuf[16] = { }, *op;
 
+	/*
+	 * The "state" attribute is removed after blk_cleanup_queue() has called
+	 * blk_mq_free_queue(). Return if QUEUE_FLAG_DEAD has been set to avoid
+	 * triggering a use-after-free.
+	 */
+	if (blk_queue_dead(q))
+		return -ENOENT;
+
 	if (count >= sizeof(opbuf)) {
 		pr_err("%s: operation too long\n", __func__);
 		goto inval;