In __blkdev_direct_IO(), when bio_integrity_map_iter() fails on a bio after earlier bios have already been submitted, the goto fail path frees only the current bio and returns the error directly to the caller. This is incorrect because the fail label does not decrement dio->ref for the current bio, and does not return -EIOCBQUEUED. The in-flight bios each hold a reference via dio->ref, which was incremented before their submission. When they eventually complete, blkdev_bio_end_io() decrements dio->ref but it will never reach zero since the failing bio did not participate in the completion mechanism. This permanently leaks the embedded dio/bio structure from blkdev_dio_pool. The trigger is deterministic: a multi-segment direct IO with integrity metadata where the user-provided metadata buffer is too small for all segments causes bio_integrity_map_iter() to return -EINVAL on a later bio after earlier bios are already in flight. Fix this by handling the integrity mapping failure the same way blkdev_iov_iter_get_pages() failure is handled: set bi_status and call bio_endio() to enter the normal completion path, then break out of the loop so the function returns -EIOCBQUEUED for async IO. Fixes: 3d8b5a22d404 ("block: add support to pass user meta buffer") Cc: stable@vger.kernel.org Signed-off-by: Aaron Esau --- block/fops.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/block/fops.c b/block/fops.c index bb6642b459..39280d761c 100644 --- a/block/fops.c +++ b/block/fops.c @@ -239,8 +239,11 @@ static ssize_t __blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter, } if (iocb->ki_flags & IOCB_HAS_METADATA) { ret = bio_integrity_map_iter(bio, iocb->private); - if (unlikely(ret)) - goto fail; + if (unlikely(ret)) { + bio->bi_status = BLK_STS_IOERR; + bio_endio(bio); + break; + } } if (is_read) { -- 2.54.0