From 554f46241edf9a2c43af7fd5b7d54a70d91aac20 Mon Sep 17 00:00:00 2001
From: Kent Overstreet <kent.overstreet@gmail.com>
Date: Sat, 17 Dec 2016 08:02:35 -0900
Subject: bcache: fix an integer overflow in journal compaction code

---
 drivers/md/bcache/journal.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
index ab057cc1293d..4239844b6dec 100644
--- a/drivers/md/bcache/journal.c
+++ b/drivers/md/bcache/journal.c
@@ -1899,7 +1899,8 @@ static void journal_write_compact(struct jset *jset)
 		    i->btree_id == prev->btree_id &&
 		    i->level	== prev->level &&
 		    JOURNAL_ENTRY_TYPE(i) == JOURNAL_ENTRY_TYPE(prev) &&
-		    JOURNAL_ENTRY_TYPE(i) == JOURNAL_ENTRY_BTREE_KEYS) {
+		    JOURNAL_ENTRY_TYPE(i) == JOURNAL_ENTRY_BTREE_KEYS &&
+		    le16_to_cpu(prev->u64s) + u64s <= U16_MAX) {
 			memmove_u64s_down(jset_keys_next(prev),
 					  i->_data,
 					  u64s);
-- 
cgit v1.2.3