diff --git a/debian/changelog b/debian/changelog
index c3e953a95..2c3039553 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -34,6 +34,9 @@ linux (4.19.7-1~exp1) UNRELEASED; urgency=medium
   * debian/rules: Mark more targets as phony
   * libcpupower: Hide private function and drop it from .symbols file
 
+  [ Salvatore Bonaccorso ]
+  * blk-mq: fix corruption with direct issue (Closes: #915666)
+
  -- Uwe Kleine-König <ukleinek@debian.org>  Wed, 28 Nov 2018 12:20:46 +0100
 
 linux (4.19.5-1~exp1) experimental; urgency=medium
diff --git a/debian/patches/bugfix/all/blk-mq-fix-corruption-with-direct-issue.patch b/debian/patches/bugfix/all/blk-mq-fix-corruption-with-direct-issue.patch
new file mode 100644
index 000000000..2cb95efa4
--- /dev/null
+++ b/debian/patches/bugfix/all/blk-mq-fix-corruption-with-direct-issue.patch
@@ -0,0 +1,99 @@
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 4 Dec 2018 20:06:48 -0700
+Subject: blk-mq: fix corruption with direct issue
+Origin: https://git.kernel.org/linus/ffe81d45322cc3cb140f0db080a4727ea284661e
+Bug-Debian: https://bugs.debian.org/915666
+
+If we attempt a direct issue to a SCSI device, and it returns BUSY, then
+we queue the request up normally. However, the SCSI layer may have
+already setup SG tables etc for this particular command. If we later
+merge with this request, then the old tables are no longer valid. Once
+we issue the IO, we only read/write the original part of the request,
+not the new state of it.
+
+This causes data corruption, and is most often noticed with the file
+system complaining about the just read data being invalid:
+
+[  235.934465] EXT4-fs error (device sda1): ext4_iget:4831: inode #7142: comm dpkg-query: bad extra_isize 24937 (inode size 256)
+
+because most of it is garbage...
+
+This doesn't happen from the normal issue path, as we will simply defer
+the request to the hardware queue dispatch list if we fail. Once it's on
+the dispatch list, we never merge with it.
+
+Fix this from the direct issue path by flagging the request as
+REQ_NOMERGE so we don't change the size of it before issue.
+
+See also:
+  https://bugzilla.kernel.org/show_bug.cgi?id=201685
+
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Fixes: 6ce3dd6eec1 ("blk-mq: issue directly if hw queue isn't busy in case of 'none'")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+---
+ block/blk-mq.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 3f91c6e5b17a..3262d83b9e07 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -1715,6 +1715,15 @@ static blk_status_t __blk_mq_issue_directly(struct blk_mq_hw_ctx *hctx,
+ 		break;
+ 	case BLK_STS_RESOURCE:
+ 	case BLK_STS_DEV_RESOURCE:
++		/*
++		 * If direct dispatch fails, we cannot allow any merging on
++		 * this IO. Drivers (like SCSI) may have set up permanent state
++		 * for this request, like SG tables and mappings, and if we
++		 * merge to it later on then we'll still only do IO to the
++		 * original part.
++		 */
++		rq->cmd_flags |= REQ_NOMERGE;
++
+ 		blk_mq_update_dispatch_busy(hctx, true);
+ 		__blk_mq_requeue_request(rq);
+ 		break;
+@@ -1727,6 +1736,18 @@ static blk_status_t __blk_mq_issue_directly(struct blk_mq_hw_ctx *hctx,
+ 	return ret;
+ }
+ 
++/*
++ * Don't allow direct dispatch of anything but regular reads/writes,
++ * as some of the other commands can potentially share request space
++ * with data we need for the IO scheduler. If we attempt a direct dispatch
++ * on those and fail, we can't safely add it to the scheduler afterwards
++ * without potentially overwriting data that the driver has already written.
++ */
++static bool blk_rq_can_direct_dispatch(struct request *rq)
++{
++	return req_op(rq) == REQ_OP_READ || req_op(rq) == REQ_OP_WRITE;
++}
++
+ static blk_status_t __blk_mq_try_issue_directly(struct blk_mq_hw_ctx *hctx,
+ 						struct request *rq,
+ 						blk_qc_t *cookie,
+@@ -1748,7 +1769,7 @@ static blk_status_t __blk_mq_try_issue_directly(struct blk_mq_hw_ctx *hctx,
+ 		goto insert;
+ 	}
+ 
+-	if (q->elevator && !bypass_insert)
++	if (!blk_rq_can_direct_dispatch(rq) || (q->elevator && !bypass_insert))
+ 		goto insert;
+ 
+ 	if (!blk_mq_get_dispatch_budget(hctx))
+@@ -1810,6 +1831,9 @@ void blk_mq_try_issue_list_directly(struct blk_mq_hw_ctx *hctx,
+ 		struct request *rq = list_first_entry(list, struct request,
+ 				queuelist);
+ 
++		if (!blk_rq_can_direct_dispatch(rq))
++			break;
++
+ 		list_del_init(&rq->queuelist);
+ 		ret = blk_mq_request_issue_directly(rq);
+ 		if (ret != BLK_STS_OK) {
+-- 
+2.20.0.rc2
+
diff --git a/debian/patches/series b/debian/patches/series
index b5191ac9b..8e0ab0b20 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -91,6 +91,7 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
 bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
 bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
 debian/revert-objtool-fix-config_stack_validation-y-warning.patch
+bugfix/all/blk-mq-fix-corruption-with-direct-issue.patch
 
 # Miscellaneous features