Btrfs: fix a out-of-bound access of raid_map

We add the number of stripes on target devices into bbio->num_stripes
if we are under device replacement, and we just sort the raid_map of
those stripes that not on the target devices, so if when we need
real raid_map, we need skip the stripes on the target devices.

Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>
Signed-off-by: Miao Xie <miaox@cn.fujitsu.com>
Signed-off-by: Chris Mason <clm@fb.com>

diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
index 53575a45f7d1b61f95e8f85870b9c219f8295284..673e32be88fad51acff3adf400d611e3488289e8 100644 (file)
--- a/fs/btrfs/scrub.c
+++ b/fs/btrfs/scrub.c
@@ -1299,7 +1299,9 @@ out:
 static inline int scrub_nr_raid_mirrors(struct btrfs_bio *bbio, u64 *raid_map)
 {
        if (raid_map) {
-               if (raid_map[bbio->num_stripes - 1] == RAID6_Q_STRIPE)
+               int real_stripes = bbio->num_stripes - bbio->num_tgtdevs;
+
+               if (raid_map[real_stripes - 1] == RAID6_Q_STRIPE)
                        return 3;
                else
                        return 2;
@@ -1420,7 +1422,8 @@ leave_nomem:
 
                        scrub_stripe_index_and_offset(logical, raid_map,
                                                      mapped_length,
-                                                     bbio->num_stripes,
+                                                     bbio->num_stripes -
+                                                     bbio->num_tgtdevs,
                                                      mirror_index,
                                                      &stripe_index,
                                                      &stripe_offset);