From: Eric Sandeen <sandeen@redhat.com>
Date: Thu, 18 Feb 2010 18:24:53 -0500
Subject: [fs] ext4: avoid divide by 0 when mounting corrupted fs
Message-id: <4B7D85F5.9030008@redhat.com>
Patchwork-id: 23349
O-Subject: [PATCH RHEL5] ext4: avoid divide by zero when trying to mount a
	corrupted file system
Bugzilla: 547253
RH-Acked-by: Josef Bacik <josef@redhat.com>
RH-Acked-by: Jarod Wilson <jarod@redhat.com>
RH-Acked-by: Anton Arapov <Anton@redhat.com>

This is for bug 547253 / CVE-2009-4307 kernel:
ext4: avoid divide by zero when trying to mount a corrupted file system

Upstream patch follows.

Thanks,
-Eric

commit 503358ae01b70ce6909d19dd01287093f6b6271c
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Mon Nov 23 07:24:46 2009 -0500

    ext4: avoid divide by zero when trying to mount a corrupted file system

    If s_log_groups_per_flex is greater than 31, then groups_per_flex will
    will overflow and cause a divide by zero error.  This can cause kernel
    BUG if such a file system is mounted.

    Thanks to Nageswara R Sastry for analyzing the failure and providing
    an initial patch.

    http://bugzilla.kernel.org/show_bug.cgi?id=14287

    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Cc: stable@kernel.org

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 939244e..0c7c35c 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1685,14 +1685,14 @@ static int ext4_fill_flex_info(struct super_block *sb)
 	size_t size;
 	int i;
 
-	if (!sbi->s_es->s_log_groups_per_flex) {
+	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
+	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+
+	if (groups_per_flex < 2) {
 		sbi->s_log_groups_per_flex = 0;
 		return 1;
 	}
 
-	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
-	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
-
 	/* We allocate both existing and potentially added groups */
 	flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) +
 			((le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) + 1) <<