drop fuse patch from older kernels

diff --git a/queue-4.14/fuse-fix-page-stealing.patch b/queue-4.14/fuse-fix-page-stealing.patch
deleted file mode 100644 (file)
index 86be6ca..0000000
--- a/queue-4.14/fuse-fix-page-stealing.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 712a951025c0667ff00b25afc360f74e639dfabe Mon Sep 17 00:00:00 2001
-From: Miklos Szeredi <mszeredi@redhat.com>
-Date: Tue, 2 Nov 2021 11:10:37 +0100
-Subject: fuse: fix page stealing
-
-From: Miklos Szeredi <mszeredi@redhat.com>
-
-commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
-
-It is possible to trigger a crash by splicing anon pipe bufs to the fuse
-device.
-
-The reason for this is that anon_pipe_buf_release() will reuse buf->page if
-the refcount is 1, but that page might have already been stolen and its
-flags modified (e.g. PG_lru added).
-
-This happens in the unlikely case of fuse_dev_splice_write() getting around
-to calling pipe_buf_release() after a page has been stolen, added to the
-page cache and removed from the page cache.
-
-Fix by calling pipe_buf_release() right after the page was inserted into
-the page cache.  In this case the page has an elevated refcount so any
-release function will know that the page isn't reusable.
-
-Reported-by: Frank Dinoff <fdinoff@google.com>
-Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
-Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
-Cc: <stable@vger.kernel.org> # v2.6.35
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/fuse/dev.c |   14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
---- a/fs/fuse/dev.c
-+++ b/fs/fuse/dev.c
-@@ -897,6 +897,12 @@ static int fuse_try_move_page(struct fus
-               goto out_put_old;
-       }
- 
-+      /*
-+       * Release while we have extra ref on stolen page.  Otherwise
-+       * anon_pipe_buf_release() might think the page can be reused.
-+       */
-+      pipe_buf_release(cs->pipe, buf);
-+
-       get_page(newpage);
- 
-       if (!(buf->flags & PIPE_BUF_FLAG_LRU))
-@@ -2046,8 +2052,12 @@ static ssize_t fuse_dev_splice_write(str
- 
-       pipe_lock(pipe);
- out_free:
--      for (idx = 0; idx < nbuf; idx++)
--              pipe_buf_release(pipe, &bufs[idx]);
-+      for (idx = 0; idx < nbuf; idx++) {
-+              struct pipe_buffer *buf = &bufs[idx];
-+
-+              if (buf->ops)
-+                      pipe_buf_release(pipe, buf);
-+      }
-       pipe_unlock(pipe);
- 
-       kfree(bufs);

diff --git a/queue-4.19/fuse-fix-page-stealing.patch b/queue-4.19/fuse-fix-page-stealing.patch
deleted file mode 100644 (file)
index 78d7e98..0000000
--- a/queue-4.19/fuse-fix-page-stealing.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 712a951025c0667ff00b25afc360f74e639dfabe Mon Sep 17 00:00:00 2001
-From: Miklos Szeredi <mszeredi@redhat.com>
-Date: Tue, 2 Nov 2021 11:10:37 +0100
-Subject: fuse: fix page stealing
-
-From: Miklos Szeredi <mszeredi@redhat.com>
-
-commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
-
-It is possible to trigger a crash by splicing anon pipe bufs to the fuse
-device.
-
-The reason for this is that anon_pipe_buf_release() will reuse buf->page if
-the refcount is 1, but that page might have already been stolen and its
-flags modified (e.g. PG_lru added).
-
-This happens in the unlikely case of fuse_dev_splice_write() getting around
-to calling pipe_buf_release() after a page has been stolen, added to the
-page cache and removed from the page cache.
-
-Fix by calling pipe_buf_release() right after the page was inserted into
-the page cache.  In this case the page has an elevated refcount so any
-release function will know that the page isn't reusable.
-
-Reported-by: Frank Dinoff <fdinoff@google.com>
-Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
-Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
-Cc: <stable@vger.kernel.org> # v2.6.35
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/fuse/dev.c |   14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
---- a/fs/fuse/dev.c
-+++ b/fs/fuse/dev.c
-@@ -905,6 +905,12 @@ static int fuse_try_move_page(struct fus
-               goto out_put_old;
-       }
- 
-+      /*
-+       * Release while we have extra ref on stolen page.  Otherwise
-+       * anon_pipe_buf_release() might think the page can be reused.
-+       */
-+      pipe_buf_release(cs->pipe, buf);
-+
-       get_page(newpage);
- 
-       if (!(buf->flags & PIPE_BUF_FLAG_LRU))
-@@ -2054,8 +2060,12 @@ static ssize_t fuse_dev_splice_write(str
- 
-       pipe_lock(pipe);
- out_free:
--      for (idx = 0; idx < nbuf; idx++)
--              pipe_buf_release(pipe, &bufs[idx]);
-+      for (idx = 0; idx < nbuf; idx++) {
-+              struct pipe_buffer *buf = &bufs[idx];
-+
-+              if (buf->ops)
-+                      pipe_buf_release(pipe, buf);
-+      }
-       pipe_unlock(pipe);
- 
-       kvfree(bufs);

diff --git a/queue-4.4/fuse-fix-page-stealing.patch b/queue-4.4/fuse-fix-page-stealing.patch
deleted file mode 100644 (file)
index 33cd2bb..0000000
--- a/queue-4.4/fuse-fix-page-stealing.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 712a951025c0667ff00b25afc360f74e639dfabe Mon Sep 17 00:00:00 2001
-From: Miklos Szeredi <mszeredi@redhat.com>
-Date: Tue, 2 Nov 2021 11:10:37 +0100
-Subject: fuse: fix page stealing
-
-From: Miklos Szeredi <mszeredi@redhat.com>
-
-commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
-
-It is possible to trigger a crash by splicing anon pipe bufs to the fuse
-device.
-
-The reason for this is that anon_pipe_buf_release() will reuse buf->page if
-the refcount is 1, but that page might have already been stolen and its
-flags modified (e.g. PG_lru added).
-
-This happens in the unlikely case of fuse_dev_splice_write() getting around
-to calling pipe_buf_release() after a page has been stolen, added to the
-page cache and removed from the page cache.
-
-Fix by calling pipe_buf_release() right after the page was inserted into
-the page cache.  In this case the page has an elevated refcount so any
-release function will know that the page isn't reusable.
-
-Reported-by: Frank Dinoff <fdinoff@google.com>
-Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
-Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
-Cc: <stable@vger.kernel.org> # v2.6.35
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/fuse/dev.c |   10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
---- a/fs/fuse/dev.c
-+++ b/fs/fuse/dev.c
-@@ -922,6 +922,13 @@ static int fuse_try_move_page(struct fus
-               return err;
-       }
- 
-+      /*
-+       * Release while we have extra ref on stolen page.  Otherwise
-+       * anon_pipe_buf_release() might think the page can be reused.
-+       */
-+      buf->ops->release(cs->pipe, buf);
-+      buf->ops = NULL;
-+
-       page_cache_get(newpage);
- 
-       if (!(buf->flags & PIPE_BUF_FLAG_LRU))
-@@ -2090,7 +2097,8 @@ static ssize_t fuse_dev_splice_write(str
- out_free:
-       for (idx = 0; idx < nbuf; idx++) {
-               struct pipe_buffer *buf = &bufs[idx];
--              buf->ops->release(pipe, buf);
-+              if (buf->ops)
-+                      buf->ops->release(pipe, buf);
-       }
-       pipe_unlock(pipe);
- 

diff --git a/queue-4.9/fuse-fix-page-stealing.patch b/queue-4.9/fuse-fix-page-stealing.patch
deleted file mode 100644 (file)
index d9157c7..0000000
--- a/queue-4.9/fuse-fix-page-stealing.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 712a951025c0667ff00b25afc360f74e639dfabe Mon Sep 17 00:00:00 2001
-From: Miklos Szeredi <mszeredi@redhat.com>
-Date: Tue, 2 Nov 2021 11:10:37 +0100
-Subject: fuse: fix page stealing
-
-From: Miklos Szeredi <mszeredi@redhat.com>
-
-commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
-
-It is possible to trigger a crash by splicing anon pipe bufs to the fuse
-device.
-
-The reason for this is that anon_pipe_buf_release() will reuse buf->page if
-the refcount is 1, but that page might have already been stolen and its
-flags modified (e.g. PG_lru added).
-
-This happens in the unlikely case of fuse_dev_splice_write() getting around
-to calling pipe_buf_release() after a page has been stolen, added to the
-page cache and removed from the page cache.
-
-Fix by calling pipe_buf_release() right after the page was inserted into
-the page cache.  In this case the page has an elevated refcount so any
-release function will know that the page isn't reusable.
-
-Reported-by: Frank Dinoff <fdinoff@google.com>
-Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
-Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
-Cc: <stable@vger.kernel.org> # v2.6.35
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/fuse/dev.c |   14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
---- a/fs/fuse/dev.c
-+++ b/fs/fuse/dev.c
-@@ -898,6 +898,12 @@ static int fuse_try_move_page(struct fus
-               goto out_put_old;
-       }
- 
-+      /*
-+       * Release while we have extra ref on stolen page.  Otherwise
-+       * anon_pipe_buf_release() might think the page can be reused.
-+       */
-+      pipe_buf_release(cs->pipe, buf);
-+
-       get_page(newpage);
- 
-       if (!(buf->flags & PIPE_BUF_FLAG_LRU))
-@@ -2040,8 +2046,12 @@ static ssize_t fuse_dev_splice_write(str
- 
-       pipe_lock(pipe);
- out_free:
--      for (idx = 0; idx < nbuf; idx++)
--              pipe_buf_release(pipe, &bufs[idx]);
-+      for (idx = 0; idx < nbuf; idx++) {
-+              struct pipe_buffer *buf = &bufs[idx];
-+
-+              if (buf->ops)
-+                      pipe_buf_release(pipe, buf);
-+      }
-       pipe_unlock(pipe);
- 
-       kfree(bufs);