From ce8d77c00da0994bc080537ff7ac781ffa757176 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 22 Aug 2018 12:51:27 +0200
Subject: [PATCH] 4.9-stable patches
added patches:
ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
---
...-gadget-in-ext4_mb_regular_allocator.patch | 54 +++++++++++++++++++
queue-4.9/series | 1 +
2 files changed, 55 insertions(+)
create mode 100644 queue-4.9/ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
diff --git a/queue-4.9/ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch b/queue-4.9/ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
new file mode 100644
index 00000000000..5fdcd9df98a
--- /dev/null
+++ b/queue-4.9/ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
@@ -0,0 +1,54 @@
+From 1a5d5e5d51e75a5bca67dadbcea8c841934b7b85 Mon Sep 17 00:00:00 2001
+From: Jeremy Cline
+Date: Thu, 2 Aug 2018 00:03:40 -0400
+Subject: ext4: fix spectre gadget in ext4_mb_regular_allocator()
+
+From: Jeremy Cline
+
+commit 1a5d5e5d51e75a5bca67dadbcea8c841934b7b85 upstream.
+
+'ac->ac_g_ex.fe_len' is a user-controlled value which is used in the
+derivation of 'ac->ac_2order'. 'ac->ac_2order', in turn, is used to
+index arrays which makes it a potential spectre gadget. Fix this by
+sanitizing the value assigned to 'ac->ac2_order'. This covers the
+following accesses found with the help of smatch:
+
+* fs/ext4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential
+ spectre issue 'grp->bb_counters' [w] (local cap)
+
+* fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue
+ 'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap)
+
+* fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue
+ 'EXT4_SB(e4b->bd_sb)->s_mb_maxs' [r] (local cap)
+
+Suggested-by: Josh Poimboeuf
+Signed-off-by: Jeremy Cline
+Signed-off-by: Theodore Ts'o
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/mballoc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -26,6 +26,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+
+@@ -2144,7 +2145,8 @@ ext4_mb_regular_allocator(struct ext4_al
+ * This should tell if fe_len is exactly power of 2
+ */
+ if ((ac->ac_g_ex.fe_len & (~(1 << (i - 1)))) == 0)
+- ac->ac_2order = i - 1;
++ ac->ac_2order = array_index_nospec(i - 1,
++ sb->s_blocksize_bits + 2);
+ }
+
+ /* if stream allocation is enabled, use global goal */
diff --git a/queue-4.9/series b/queue-4.9/series
index acd96b2e9d8..81ba2f13691 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
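Review bot: The clamp on `ac->ac_2order` in the second nested hunk carries no comment tying its bound, `sb->s_blocksize_bits + 2`, to the arrays it protects, so a later cleanup could mistake it for a redundant range check and remove it. The commit message names those arrays, so I would add above the assignment `/* clamp under speculation: ac_2order indexes bb_counters[], s_mb_offsets[] and s_mb_maxs[] */`. The check that bounds `i` architecturally lies outside the hunk, so whether `i - 1` always stays below that bound cannot be confirmed from here and should be read against the enclosing `if`. For the 4.9 queue, also confirm the target tree already provides `array_index_nospec()` through the header added in the first nested hunk, whose name is not legible on this page.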
@@ -117,3 +117,4 @@ net-qca_spi-make-sure-the-qca7000-reset-is-triggered.patch
 net-qca_spi-fix-log-level-if-probe-fails.patch
 tcp-identify-cryptic-messages-as-tcp-seq-bugs.patch
 kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch
+ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
-- 
2.47.3