btrfs-progs: sanity check global roots key.offset

For !extent tree v2 we should validate the key.offset == 0, and for
extent tree v2 we should validate that key.offset < nr_global_roots.  If
this fails we need to fail to load the global root so that the
appropriate action is taken.

Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: David Sterba <dsterba@suse.com>

kernel-shared/ctree.h

@@ -1233,6 +1233,7 @@ struct btrfs_fs_info {
 
 	u64 super_bytenr;
 	u64 total_pinned;
+	u64 nr_global_roots;
 
 	struct list_head dirty_cowonly_roots;
 	struct list_head recow_ebs;

kernel-shared/disk-io.c

@@ -933,7 +933,9 @@ struct btrfs_fs_info *btrfs_new_fs_info(int writable, u64 sb_bytenr)
 	fs_info->data_alloc_profile = (u64)-1;
 	fs_info->metadata_alloc_profile = (u64)-1;
 	fs_info->system_alloc_profile = fs_info->metadata_alloc_profile;
+	fs_info->nr_global_roots = 1;
 	return fs_info;
+
 free_all:
 	btrfs_free_fs_info(fs_info);
 	return NULL;
@@ -1075,6 +1077,13 @@ static int load_global_roots_objectid(struct btrfs_fs_info *fs_info,
 		if (key.objectid != objectid)
 			break;
 
+		if (key.offset >= fs_info->nr_global_roots) {
+			warning("global root with too large of an offset [%llu %llu]",
+				key.objectid, key.offset);
+			ret = -EINVAL;
+			break;
+		}
+
 		root = calloc(1, sizeof(*root));
 		if (!root) {
 			ret = -ENOMEM;