From: Greg Kroah-Hartman
Date: Wed, 24 Nov 2021 18:29:52 +0000 (+0100)
Subject: drop fuse patch from older kernels
X-Git-Tag: v5.15.5~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c7f34b89ddfef045bae14719904ac4c3e06fefbc;p=thirdparty%2Fkernel%2Fstable-queue.git
drop fuse patch from older kernels
---
diff --git a/queue-4.14/fuse-fix-page-stealing.patch b/queue-4.14/fuse-fix-page-stealing.patch
deleted file mode 100644
index 86be6ca5343..00000000000
--- a/queue-4.14/fuse-fix-page-stealing.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 712a951025c0667ff00b25afc360f74e639dfabe Mon Sep 17 00:00:00 2001
-From: Miklos Szeredi
-Date: Tue, 2 Nov 2021 11:10:37 +0100
-Subject: fuse: fix page stealing
-
-From: Miklos Szeredi
-
-commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
-
-It is possible to trigger a crash by splicing anon pipe bufs to the fuse
-device.
-
-The reason for this is that anon_pipe_buf_release() will reuse buf->page if
-the refcount is 1, but that page might have already been stolen and its
-flags modified (e.g. PG_lru added).
-
-This happens in the unlikely case of fuse_dev_splice_write() getting around
-to calling pipe_buf_release() after a page has been stolen, added to the
-page cache and removed from the page cache.
-
-Fix by calling pipe_buf_release() right after the page was inserted into
-the page cache. In this case the page has an elevated refcount so any
-release function will know that the page isn't reusable.
-
-Reported-by: Frank Dinoff
-Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
-Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
-Cc: # v2.6.35
-Signed-off-by: Miklos Szeredi
-Signed-off-by: Greg Kroah-Hartman
----
- fs/fuse/dev.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
---- a/fs/fuse/dev.c
-+++ b/fs/fuse/dev.c
-@@ -897,6 +897,12 @@ static int fuse_try_move_page(struct fus
- goto out_put_old;
- }
-
-+ /*
-+ * Release while we have extra ref on stolen page. Otherwise
-+ * anon_pipe_buf_release() might think the page can be reused.
-+ */
-+ pipe_buf_release(cs->pipe, buf);
-+
- get_page(newpage);
-
- if (!(buf->flags & PIPE_BUF_FLAG_LRU))
-@@ -2046,8 +2052,12 @@ static ssize_t fuse_dev_splice_write(str
-
- pipe_lock(pipe);
- out_free:
-- for (idx = 0; idx < nbuf; idx++)
-- pipe_buf_release(pipe, &bufs[idx]);
-+ for (idx = 0; idx < nbuf; idx++) {
-+ struct pipe_buffer *buf = &bufs[idx];
-+
-+ if (buf->ops)
-+ pipe_buf_release(pipe, buf);
-+ }
- pipe_unlock(pipe);
-
- kfree(bufs);
diff --git a/queue-4.19/fuse-fix-page-stealing.patch b/queue-4.19/fuse-fix-page-stealing.patch
deleted file mode 100644
index 78d7e986dd5..00000000000
--- a/queue-4.19/fuse-fix-page-stealing.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 712a951025c0667ff00b25afc360f74e639dfabe Mon Sep 17 00:00:00 2001
-From: Miklos Szeredi
-Date: Tue, 2 Nov 2021 11:10:37 +0100
-Subject: fuse: fix page stealing
-
-From: Miklos Szeredi
-
-commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
-
-It is possible to trigger a crash by splicing anon pipe bufs to the fuse
-device.
-
-The reason for this is that anon_pipe_buf_release() will reuse buf->page if
-the refcount is 1, but that page might have already been stolen and its
-flags modified (e.g. PG_lru added).
-
-This happens in the unlikely case of fuse_dev_splice_write() getting around
-to calling pipe_buf_release() after a page has been stolen, added to the
-page cache and removed from the page cache.
-
-Fix by calling pipe_buf_release() right after the page was inserted into
-the page cache. In this case the page has an elevated refcount so any
-release function will know that the page isn't reusable.
-
-Reported-by: Frank Dinoff
-Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
-Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
-Cc: # v2.6.35
-Signed-off-by: Miklos Szeredi
-Signed-off-by: Greg Kroah-Hartman
----
- fs/fuse/dev.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
---- a/fs/fuse/dev.c
-+++ b/fs/fuse/dev.c
-@@ -905,6 +905,12 @@ static int fuse_try_move_page(struct fus
- goto out_put_old;
- }
-
-+ /*
-+ * Release while we have extra ref on stolen page. Otherwise
-+ * anon_pipe_buf_release() might think the page can be reused.
-+ */
-+ pipe_buf_release(cs->pipe, buf);
-+
- get_page(newpage);
-
- if (!(buf->flags & PIPE_BUF_FLAG_LRU))
-@@ -2054,8 +2060,12 @@ static ssize_t fuse_dev_splice_write(str
-
- pipe_lock(pipe);
- out_free:
-- for (idx = 0; idx < nbuf; idx++)
-- pipe_buf_release(pipe, &bufs[idx]);
-+ for (idx = 0; idx < nbuf; idx++) {
-+ struct pipe_buffer *buf = &bufs[idx];
-+
-+ if (buf->ops)
-+ pipe_buf_release(pipe, buf);
-+ }
- pipe_unlock(pipe);
-
- kvfree(bufs);
diff --git a/queue-4.4/fuse-fix-page-stealing.patch b/queue-4.4/fuse-fix-page-stealing.patch
deleted file mode 100644
index 33cd2bb38b1..00000000000
--- a/queue-4.4/fuse-fix-page-stealing.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 712a951025c0667ff00b25afc360f74e639dfabe Mon Sep 17 00:00:00 2001
-From: Miklos Szeredi
-Date: Tue, 2 Nov 2021 11:10:37 +0100
-Subject: fuse: fix page stealing
-
-From: Miklos Szeredi
-
-commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
-
-It is possible to trigger a crash by splicing anon pipe bufs to the fuse
-device.
-
-The reason for this is that anon_pipe_buf_release() will reuse buf->page if
-the refcount is 1, but that page might have already been stolen and its
-flags modified (e.g. PG_lru added).
-
-This happens in the unlikely case of fuse_dev_splice_write() getting around
-to calling pipe_buf_release() after a page has been stolen, added to the
-page cache and removed from the page cache.
-
-Fix by calling pipe_buf_release() right after the page was inserted into
-the page cache. In this case the page has an elevated refcount so any
-release function will know that the page isn't reusable.
-
-Reported-by: Frank Dinoff
-Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
-Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
-Cc: # v2.6.35
-Signed-off-by: Miklos Szeredi
-Signed-off-by: Greg Kroah-Hartman
-
----
- fs/fuse/dev.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
---- a/fs/fuse/dev.c
-+++ b/fs/fuse/dev.c
-@@ -922,6 +922,13 @@ static int fuse_try_move_page(struct fus
- return err;
- }
-
-+ /*
-+ * Release while we have extra ref on stolen page. Otherwise
-+ * anon_pipe_buf_release() might think the page can be reused.
-+ */
-+ buf->ops->release(cs->pipe, buf);
-+ buf->ops = NULL;
-+
- page_cache_get(newpage);
-
- if (!(buf->flags & PIPE_BUF_FLAG_LRU))
-@@ -2090,7 +2097,8 @@ static ssize_t fuse_dev_splice_write(str
- out_free:
- for (idx = 0; idx < nbuf; idx++) {
- struct pipe_buffer *buf = &bufs[idx];
-- buf->ops->release(pipe, buf);
-+ if (buf->ops)
-+ buf->ops->release(pipe, buf);
- }
- pipe_unlock(pipe);
-
diff --git a/queue-4.9/fuse-fix-page-stealing.patch b/queue-4.9/fuse-fix-page-stealing.patch
deleted file mode 100644
index d9157c784e6..00000000000
--- a/queue-4.9/fuse-fix-page-stealing.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 712a951025c0667ff00b25afc360f74e639dfabe Mon Sep 17 00:00:00 2001
-From: Miklos Szeredi
-Date: Tue, 2 Nov 2021 11:10:37 +0100
-Subject: fuse: fix page stealing
-
-From: Miklos Szeredi
-
-commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
-
-It is possible to trigger a crash by splicing anon pipe bufs to the fuse
-device.
-
-The reason for this is that anon_pipe_buf_release() will reuse buf->page if
-the refcount is 1, but that page might have already been stolen and its
-flags modified (e.g. PG_lru added).
-
-This happens in the unlikely case of fuse_dev_splice_write() getting around
-to calling pipe_buf_release() after a page has been stolen, added to the
-page cache and removed from the page cache.
-
-Fix by calling pipe_buf_release() right after the page was inserted into
-the page cache. In this case the page has an elevated refcount so any
-release function will know that the page isn't reusable.
-
-Reported-by: Frank Dinoff
-Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
-Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
-Cc: # v2.6.35
-Signed-off-by: Miklos Szeredi
-Signed-off-by: Greg Kroah-Hartman
----
- fs/fuse/dev.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
---- a/fs/fuse/dev.c
-+++ b/fs/fuse/dev.c
-@@ -898,6 +898,12 @@ static int fuse_try_move_page(struct fus
- goto out_put_old;
- }
-
-+ /*
-+ * Release while we have extra ref on stolen page. Otherwise
-+ * anon_pipe_buf_release() might think the page can be reused.
-+ */
-+ pipe_buf_release(cs->pipe, buf);
-+
- get_page(newpage);
-
- if (!(buf->flags & PIPE_BUF_FLAG_LRU))
-@@ -2040,8 +2046,12 @@ static ssize_t fuse_dev_splice_write(str
-
- pipe_lock(pipe);
- out_free:
-- for (idx = 0; idx < nbuf; idx++)
-- pipe_buf_release(pipe, &bufs[idx]);
-+ for (idx = 0; idx < nbuf; idx++) {
-+ struct pipe_buffer *buf = &bufs[idx];
-+
-+ if (buf->ops)
-+ pipe_buf_release(pipe, buf);
-+ }
- pipe_unlock(pipe);
-
- kfree(bufs);