This is backport of the upstream commit that fixes memory corruption in dm-io. It is suitable for stable kernels 4.8 to 4.11. (the bug was already fixed in 4.12)

Mikulas

commit feb7695fe9fb83084aa29de0094774f4c9d4c9fc Author: Mike Snitzer snitzer@redhat.com Date: Tue Jun 20 19:14:30 2017 -0400

dm io: fix duplicate bio completion due to missing ref count

If only a subset of the devices associated with multiple regions support a given special operation (eg. DISCARD) then the dec_count() that is used to set error for the region must increment the io->count.

Otherwise, when the dec_count() is called it can cause the dm-io caller's bio to be completed multiple times. As was reported against the dm-mirror target that had mirror legs with a mix of discard capabilities.

Bug: https://bugzilla.kernel.org/show_bug.cgi?id=196077 Reported-by: Zhang Yi yizhan@redhat.com Signed-off-by: Mike Snitzer snitzer@redhat.com

--- drivers/md/dm-io.c | 1 + 1 file changed, 1 insertion(+)

Index: linux-stable/drivers/md/dm-io.c =================================================================== --- linux-stable.orig/drivers/md/dm-io.c 2018-03-06 14:13:59.000000000 +0100 +++ linux-stable/drivers/md/dm-io.c 2018-03-06 14:14:23.000000000 +0100 @@ -316,6 +316,7 @@ static void do_region(int op, int op_fla special_cmd_max_sectors = q->limits.max_write_same_sectors; if ((op == REQ_OP_DISCARD || op == REQ_OP_WRITE_SAME) && special_cmd_max_sectors == 0) { + atomic_inc(&io->count); dec_count(io, region, -EOPNOTSUPP); return; }