4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Nov 2018 01:07:22 +0000 (17:07 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Nov 2018 01:07:22 +0000 (17:07 -0800)
added patches:
drm-msm-fix-of-child-node-lookup.patch
fuse-fix-blocked_waitq-wakeup.patch
fuse-fix-use-after-free-in-fuse_dev_do_read.patch
fuse-fix-use-after-free-in-fuse_dev_do_write.patch
fuse-set-fr_sent-while-locked.patch
scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch
scsi-qla2xxx-fix-duplicate-switch-database-entries.patch
scsi-qla2xxx-fix-nvme-target-discovery.patch
vfs-fix-figetbsz-ioctl-on-an-overlayfs-file.patch

queue-4.19/drm-msm-fix-of-child-node-lookup.patch [new file with mode: 0644]
queue-4.19/fuse-fix-blocked_waitq-wakeup.patch [new file with mode: 0644]
queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_read.patch [new file with mode: 0644]
queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_write.patch [new file with mode: 0644]
queue-4.19/fuse-set-fr_sent-while-locked.patch [new file with mode: 0644]
queue-4.19/scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch [new file with mode: 0644]
queue-4.19/scsi-qla2xxx-fix-duplicate-switch-database-entries.patch [new file with mode: 0644]
queue-4.19/scsi-qla2xxx-fix-nvme-target-discovery.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/vfs-fix-figetbsz-ioctl-on-an-overlayfs-file.patch [new file with mode: 0644]

diff --git a/queue-4.19/drm-msm-fix-of-child-node-lookup.patch b/queue-4.19/drm-msm-fix-of-child-node-lookup.patch
new file mode 100644 (file)
index 0000000..0a26ad6
--- /dev/null
@@ -0,0 +1,52 @@
+From f9a7082327e26f54067a49cac2316d31e0cc8ba7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 27 Aug 2018 10:21:47 +0200
+Subject: drm/msm: fix OF child-node lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit f9a7082327e26f54067a49cac2316d31e0cc8ba7 upstream.
+
+Use the new of_get_compatible_child() helper to lookup the legacy
+pwrlevels child node instead of using of_find_compatible_node(), which
+searches the entire tree from a given start node and thus can return an
+unrelated (i.e.  non-child) node.
+
+This also addresses a potential use-after-free (e.g. after probe
+deferral) as the tree-wide helper drops a reference to its first
+argument (i.e. the probed device's node).
+
+While at it, also fix the related child-node reference leak.
+
+Fixes: e2af8b6b0ca1 ("drm/msm: gpu: Use OPP tables if we can")
+Cc: stable <stable@vger.kernel.org>     # 4.12
+Cc: Jordan Crouse <jcrouse@codeaurora.org>
+Cc: Rob Clark <robdclark@gmail.com>
+Cc: David Airlie <airlied@linux.ie>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+index da1363a0c54d..93d70f4a2154 100644
+--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+@@ -633,8 +633,7 @@ static int adreno_get_legacy_pwrlevels(struct device *dev)
+       struct device_node *child, *node;
+       int ret;
+-      node = of_find_compatible_node(dev->of_node, NULL,
+-              "qcom,gpu-pwrlevels");
++      node = of_get_compatible_child(dev->of_node, "qcom,gpu-pwrlevels");
+       if (!node) {
+               dev_err(dev, "Could not find the GPU powerlevels\n");
+               return -ENXIO;
+@@ -655,6 +654,8 @@ static int adreno_get_legacy_pwrlevels(struct device *dev)
+                       dev_pm_opp_add(dev, val, 0);
+       }
++      of_node_put(node);
++
+       return 0;
+ }
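Review bot: The added `of_node_put(node)` at L79 only sits on the fall-through `return 0` path; the body of adreno_get_legacy_pwrlevels between the two hunks (original lines 636–653) is outside this view, so if any early `return` exists there it would still leak the child reference that `of_get_compatible_child()` now hands back. Worth confirming against the full function; if such a path exists the put belongs there too, or the function should funnel through a single cleanup label. Suggest a one-line comment above L79, `/* drop the child ref taken by of_get_compatible_child() */`, so the pairing is obvious to the next backport.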
diff --git a/queue-4.19/fuse-fix-blocked_waitq-wakeup.patch b/queue-4.19/fuse-fix-blocked_waitq-wakeup.patch
new file mode 100644 (file)
index 0000000..602eaa8
--- /dev/null
@@ -0,0 +1,49 @@
+From 908a572b80f6e9577b45e81b3dfe2e22111286b8 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 28 Sep 2018 16:43:22 +0200
+Subject: fuse: fix blocked_waitq wakeup
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 908a572b80f6e9577b45e81b3dfe2e22111286b8 upstream.
+
+Using waitqueue_active() is racy.  Make sure we issue a wake_up()
+unconditionally after storing into fc->blocked.  After that it's okay to
+optimize with waitqueue_active() since the first wake up provides the
+necessary barrier for all waiters, not the just the woken one.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 3c18ef8117f0 ("fuse: optimize wake_up")
+Cc: <stable@vger.kernel.org> # v3.10
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c |   15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -391,12 +391,19 @@ static void request_end(struct fuse_conn
+       if (test_bit(FR_BACKGROUND, &req->flags)) {
+               spin_lock(&fc->lock);
+               clear_bit(FR_BACKGROUND, &req->flags);
+-              if (fc->num_background == fc->max_background)
++              if (fc->num_background == fc->max_background) {
+                       fc->blocked = 0;
+-
+-              /* Wake up next waiter, if any */
+-              if (!fc->blocked && waitqueue_active(&fc->blocked_waitq))
+                       wake_up(&fc->blocked_waitq);
++              } else if (!fc->blocked) {
++                      /*
++                       * Wake up next waiter, if any.  It's okay to use
++                       * waitqueue_active(), as we've already synced up
++                       * fc->blocked with waiters with the wake_up() call
++                       * above.
++                       */
++                      if (waitqueue_active(&fc->blocked_waitq))
++                              wake_up(&fc->blocked_waitq);
++              }
+               if (fc->num_background == fc->congestion_threshold && fc->sb) {
+                       clear_bdi_congested(fc->sb->s_bdi, BLK_RW_SYNC);
diff --git a/queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_read.patch b/queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_read.patch
new file mode 100644 (file)
index 0000000..9f6ffe2
--- /dev/null
@@ -0,0 +1,50 @@
+From bc78abbd55dd28e2287ec6d6502b842321a17c87 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Tue, 25 Sep 2018 12:28:55 +0300
+Subject: fuse: Fix use-after-free in fuse_dev_do_read()
+
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+
+commit bc78abbd55dd28e2287ec6d6502b842321a17c87 upstream.
+
+We may pick freed req in this way:
+
+[cpu0]                                  [cpu1]
+fuse_dev_do_read()                      fuse_dev_do_write()
+   list_move_tail(&req->list, ...);     ...
+   spin_unlock(&fpq->lock);             ...
+   ...                                  request_end(fc, req);
+   ...                                    fuse_put_request(fc, req);
+   if (test_bit(FR_INTERRUPTED, ...))
+         queue_interrupt(fiq, req);
+
+Fix that by keeping req alive until we finish all manipulations.
+
+Reported-by: syzbot+4e975615ca01f2277bdd@syzkaller.appspotmail.com
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
+Cc: <stable@vger.kernel.org> # v4.2
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1311,12 +1311,14 @@ static ssize_t fuse_dev_do_read(struct f
+               goto out_end;
+       }
+       list_move_tail(&req->list, &fpq->processing);
++      __fuse_get_request(req);
+       spin_unlock(&fpq->lock);
+       set_bit(FR_SENT, &req->flags);
+       /* matches barrier in request_wait_answer() */
+       smp_mb__after_atomic();
+       if (test_bit(FR_INTERRUPTED, &req->flags))
+               queue_interrupt(fiq, req);
++      fuse_put_request(fc, req);
+       return reqsize;
diff --git a/queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_write.patch b/queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_write.patch
new file mode 100644 (file)
index 0000000..ad33fd9
--- /dev/null
@@ -0,0 +1,60 @@
+From d2d2d4fb1f54eff0f3faa9762d84f6446a4bc5d0 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Tue, 25 Sep 2018 12:52:42 +0300
+Subject: fuse: Fix use-after-free in fuse_dev_do_write()
+
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+
+commit d2d2d4fb1f54eff0f3faa9762d84f6446a4bc5d0 upstream.
+
+After we found req in request_find() and released the lock,
+everything may happen with the req in parallel:
+
+cpu0                              cpu1
+fuse_dev_do_write()               fuse_dev_do_write()
+  req = request_find(fpq, ...)    ...
+  spin_unlock(&fpq->lock)         ...
+  ...                             req = request_find(fpq, oh.unique)
+  ...                             spin_unlock(&fpq->lock)
+  queue_interrupt(&fc->iq, req);   ...
+  ...                              ...
+  ...                              ...
+  request_end(fc, req);
+    fuse_put_request(fc, req);
+  ...                              queue_interrupt(&fc->iq, req);
+
+
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
+Cc: <stable@vger.kernel.org> # v4.2
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1877,16 +1877,20 @@ static ssize_t fuse_dev_do_write(struct
+       /* Is it an interrupt reply? */
+       if (req->intr_unique == oh.unique) {
++              __fuse_get_request(req);
+               spin_unlock(&fpq->lock);
+               err = -EINVAL;
+-              if (nbytes != sizeof(struct fuse_out_header))
++              if (nbytes != sizeof(struct fuse_out_header)) {
++                      fuse_put_request(fc, req);
+                       goto err_finish;
++              }
+               if (oh.error == -ENOSYS)
+                       fc->no_interrupt = 1;
+               else if (oh.error == -EAGAIN)
+                       queue_interrupt(&fc->iq, req);
++              fuse_put_request(fc, req);
+               fuse_copy_finish(cs);
+               return nbytes;
diff --git a/queue-4.19/fuse-set-fr_sent-while-locked.patch b/queue-4.19/fuse-set-fr_sent-while-locked.patch
new file mode 100644 (file)
index 0000000..ef4b622
--- /dev/null
@@ -0,0 +1,35 @@
+From 4c316f2f3ff315cb48efb7435621e5bfb81df96d Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 28 Sep 2018 16:43:22 +0200
+Subject: fuse: set FR_SENT while locked
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 4c316f2f3ff315cb48efb7435621e5bfb81df96d upstream.
+
+Otherwise fuse_dev_do_write() could come in and finish off the request, and
+the set_bit(FR_SENT, ...) could trigger the WARN_ON(test_bit(FR_SENT, ...))
+in request_end().
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Reported-by: syzbot+ef054c4d3f64cd7f7cec@syzkaller.appspotmai
+Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
+Cc: <stable@vger.kernel.org> # v4.2
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1319,8 +1319,8 @@ static ssize_t fuse_dev_do_read(struct f
+       }
+       list_move_tail(&req->list, &fpq->processing);
+       __fuse_get_request(req);
+-      spin_unlock(&fpq->lock);
+       set_bit(FR_SENT, &req->flags);
++      spin_unlock(&fpq->lock);
+       /* matches barrier in request_wait_answer() */
+       smp_mb__after_atomic();
+       if (test_bit(FR_INTERRUPTED, &req->flags))
diff --git a/queue-4.19/scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch b/queue-4.19/scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch
new file mode 100644 (file)
index 0000000..263a0ca
--- /dev/null
@@ -0,0 +1,36 @@
+From 39553065f77c297239308470ee313841f4e07db4 Mon Sep 17 00:00:00 2001
+From: Himanshu Madhani <himanshu.madhani@cavium.com>
+Date: Wed, 26 Sep 2018 22:05:15 -0700
+Subject: scsi: qla2xxx: Fix driver hang when FC-NVMe LUNs are configured
+
+From: Himanshu Madhani <himanshu.madhani@cavium.com>
+
+commit 39553065f77c297239308470ee313841f4e07db4 upstream.
+
+This patch fixes multiple call for qla_nvme_unregister_remote_port() as part
+of qlt_schedule_session_for_deletion(), Do not call it again during
+qla_nvme_delete()
+
+Fixes: e473b3074104 ("scsi: qla2xxx: Add FC-NVMe abort processing")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_nvme.c |    3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -660,9 +660,6 @@ void qla_nvme_delete(struct scsi_qla_hos
+                   __func__, fcport);
+               nvme_fc_set_remoteport_devloss(fcport->nvme_remote_port, 0);
+-              init_completion(&fcport->nvme_del_done);
+-              nvme_fc_unregister_remoteport(fcport->nvme_remote_port);
+-              wait_for_completion(&fcport->nvme_del_done);
+       }
+       if (vha->nvme_local_port) {
diff --git a/queue-4.19/scsi-qla2xxx-fix-duplicate-switch-database-entries.patch b/queue-4.19/scsi-qla2xxx-fix-duplicate-switch-database-entries.patch
new file mode 100644 (file)
index 0000000..98fb4b4
--- /dev/null
@@ -0,0 +1,40 @@
+From 732ee9a912cf2d9a50c5f9c4213cdc2f885d6aa6 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Wed, 26 Sep 2018 22:05:13 -0700
+Subject: scsi: qla2xxx: Fix duplicate switch database entries
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit 732ee9a912cf2d9a50c5f9c4213cdc2f885d6aa6 upstream.
+
+The response data buffer used in switch scan is reused 4 times.  (For example,
+for commands GPN_FT, GNN_FT for FCP and FC-NVME) Before driver reuses this
+buffer, clear it to prevent duplicate entries in our database.
+
+Fixes: a4239945b8ad1 ("scsi: qla2xxx: Add switch command to simplify fabric discovery"
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_gs.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -4447,9 +4447,9 @@ int qla24xx_async_gpnft(scsi_qla_host_t
+       sp->u.iocb_cmd.timeout = qla2x00_async_iocb_timeout;
+       qla2x00_init_timer(sp, qla2x00_get_async_timeout(vha) + 2);
+-      rspsz = sizeof(struct ct_sns_gpnft_rsp) +
+-              ((vha->hw->max_fibre_devices - 1) *
+-                  sizeof(struct ct_sns_gpn_ft_data));
++      rspsz = sp->u.iocb_cmd.u.ctarg.rsp_size;
++      memset(sp->u.iocb_cmd.u.ctarg.rsp, 0, sp->u.iocb_cmd.u.ctarg.rsp_size);
++      memset(sp->u.iocb_cmd.u.ctarg.req, 0, sp->u.iocb_cmd.u.ctarg.req_size);
+       ct_sns = (struct ct_sns_pkt *)sp->u.iocb_cmd.u.ctarg.req;
+       /* CT_IU preamble  */
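Review bot: The two new `memset` calls at L368–L369 and the new `rspsz` at L367 take their lengths from `sp->u.iocb_cmd.u.ctarg.rsp_size` and `req_size`, fields that are assigned outside this hunk; the removed expression computed the size from `max_fibre_devices` independently, so correctness now rests entirely on those fields matching the sizes the `rsp`/`req` buffers were actually allocated with. That is presumably the intent (the buffer is reused across the GPN_FT/GNN_FT scans the description mentions), but it deserves stating at the call site, e.g. `/* ctarg rsp/req are reused across the fabric scans; clear the full allocated size (rsp_size/req_size) before reuse */`. qla24xx_async_gpnft continues outside the hunk.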
diff --git a/queue-4.19/scsi-qla2xxx-fix-nvme-target-discovery.patch b/queue-4.19/scsi-qla2xxx-fix-nvme-target-discovery.patch
new file mode 100644 (file)
index 0000000..c0d25fd
--- /dev/null
@@ -0,0 +1,43 @@
+From db186382af21e926e90df19499475f2552192b77 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Wed, 26 Sep 2018 22:05:12 -0700
+Subject: scsi: qla2xxx: Fix NVMe Target discovery
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit db186382af21e926e90df19499475f2552192b77 upstream.
+
+This patch fixes issue when remoteport registers itself as both FCP and
+FC-NVMe with the switch, driver will pick FC-NVMe personality as default when
+scanning for targets.
+
+Driver was using comaprative operator instead of bitwise operator to check for
+fc4_type for both FCP and FC-NVME.
+
+Fixes: 2b5b96473efc ("scsi: qla2xxx: Fix FC-NVMe LUN discovery")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -4808,10 +4808,10 @@ void qla24xx_create_new_sess(struct scsi
+                       fcport->d_id = e->u.new_sess.id;
+                       fcport->flags |= FCF_FABRIC_DEVICE;
+                       fcport->fw_login_state = DSC_LS_PLOGI_PEND;
+-                      if (e->u.new_sess.fc4_type == FS_FC4TYPE_FCP)
++                      if (e->u.new_sess.fc4_type & FS_FC4TYPE_FCP)
+                               fcport->fc4_type = FC4_TYPE_FCP_SCSI;
+-                      if (e->u.new_sess.fc4_type == FS_FC4TYPE_NVME) {
++                      if (e->u.new_sess.fc4_type & FS_FC4TYPE_NVME) {
+                               fcport->fc4_type = FC4_TYPE_OTHER;
+                               fcport->fc4f_nvme = FC4_TYPE_NVME;
+                       }
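Review bot: With the tests now bitwise, a remote port advertising both FS_FC4TYPE_FCP and FS_FC4TYPE_NVME sets `fcport->fc4_type` to FC4_TYPE_FCP_SCSI at L413 and then immediately overwrites it with FC4_TYPE_OTHER at L416; the NVMe-wins precedence comes only from the order of the two `if` statements and the commit message, not from the code itself. Suggest a comment above L412, `/* fc4_type is a bitmask; when both are set the NVMe branch below wins */`, so a later reorder does not silently flip the default personality. qla24xx_create_new_sess continues outside the hunk.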
index f59cb64ffddcc061f9125f1f5a038f1b1f8da3e3..c701c934651fc1e3ae5330656adc9bc3abd7c9c8 100644 (file)
@@ -57,3 +57,12 @@ scsi-qla2xxx-reject-bsg-request-if-chip-is-down.patch
 scsi-qla2xxx-fix-re-using-loopid-when-handle-is-in-use.patch
 scsi-qla2xxx-fix-for-double-free-of-srb-structure.patch
 scsi-qla2xxx-fix-nvme-session-hang-on-unload.patch
+scsi-qla2xxx-fix-nvme-target-discovery.patch
+scsi-qla2xxx-fix-duplicate-switch-database-entries.patch
+scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch
+vfs-fix-figetbsz-ioctl-on-an-overlayfs-file.patch
+fuse-fix-use-after-free-in-fuse_dev_do_read.patch
+fuse-fix-use-after-free-in-fuse_dev_do_write.patch
+fuse-fix-blocked_waitq-wakeup.patch
+fuse-set-fr_sent-while-locked.patch
+drm-msm-fix-of-child-node-lookup.patch
diff --git a/queue-4.19/vfs-fix-figetbsz-ioctl-on-an-overlayfs-file.patch b/queue-4.19/vfs-fix-figetbsz-ioctl-on-an-overlayfs-file.patch
new file mode 100644 (file)
index 0000000..3be3ee7
--- /dev/null
@@ -0,0 +1,38 @@
+From 8f97d1e99149a7f1aa19e47a51b09764382a482e Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Thu, 11 Oct 2018 17:38:14 +0300
+Subject: vfs: fix FIGETBSZ ioctl on an overlayfs file
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 8f97d1e99149a7f1aa19e47a51b09764382a482e upstream.
+
+Some anon_bdev filesystems (e.g. overlayfs, ceph) don't have s_blocksize
+set. Returning zero from FIGETBSZ ioctl results in a Floating point
+exception from the e2fsprogs utility filefrag, which divides the size of
+the file with the value returned by FIGETBSZ.
+
+Fix the interface by returning -EINVAL for these filesystems.
+
+Fixes: d1d04ef8572b ("ovl: stack file ops")
+Cc: <stable@vger.kernel.org> # v4.19
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ioctl.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ioctl.c
++++ b/fs/ioctl.c
+@@ -669,6 +669,9 @@ int do_vfs_ioctl(struct file *filp, unsi
+               return ioctl_fiemap(filp, arg);
+       case FIGETBSZ:
++              /* anon_bdev filesystems may not have a block size */
++              if (!inode->i_sb->s_blocksize)
++                      return -EINVAL;
+               return put_user(inode->i_sb->s_blocksize, argp);
+       case FICLONE: