btrfs_init_dev_replace_tgtdev reads certain values from the source
device (such as commit_total_bytes) which are updated during transaction
commit. Currently this function is called before committing any pending
transaction, leading to possibly reading outdated values.
Fix this by moving the function below the transaction commit, at this
point the EXCL_OP bit is set hence once transaction is complete the
total size of the device cannot be changed (it's usually changed by
resize/remove ops which are blocked).
Fixes: 9e271ae27e44 ("Btrfs: kernel operation should come after user input has been verified")
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
                return -ETXTBSY;
        }
 
-       ret = btrfs_init_dev_replace_tgtdev(fs_info, tgtdev_name,
-                                           src_device, &tgt_device);
-       if (ret)
-               return ret;
-
        /*
         * Here we commit the transaction to make sure commit_total_bytes
         * of all the devices are updated.
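Review bot: The block comment kept above the commit explains why the transaction is committed, but it does not record that btrfs_init_dev_replace_tgtdev() depends on that commit. Extend the comment to say that the target device init has to run after the commit because it reads commit_total_bytes from the source device, so a later reordering does not quietly reintroduce the stale read.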
                return PTR_ERR(trans);
        }
 
+       ret = btrfs_init_dev_replace_tgtdev(fs_info, tgtdev_name,
+                                           src_device, &tgt_device);
+       if (ret)
+               return ret;
+
        need_unlock = true;
        down_write(&dev_replace->rwsem);
        switch (dev_replace->replace_state) {
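Review bot: The failure path of the relocated call, `if (ret) return ret;`, is now reached only after the transaction has been committed, whereas the old position returned before any commit. The plain return is placed before `need_unlock = true` and `down_write(&dev_replace->rwsem)`, so no unlock is skipped, but the commit message should state that committing a transaction and then failing the target device init is an acceptable side effect. A one-line comment above the call noting that it must follow the commit would also help.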