Btrfs: fix unprotected assignment of the left cursor for device replace

We were assigning new values to fields of the device replace object
without holding the respective lock after processing each device extent.
This is important for the left cursor field which can be accessed by a
concurrent task running __btrfs_map_block (which, correctly, takes the
device replace lock).
So change these fields while holding the device replace lock.

Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: Josef Bacik <jbacik@fb.com>

1 files changed, 4 insertions, 0 deletions

diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
index 1611572d47bd..19a1eda70361 100644
--- a/fs/btrfs/scrub.c
+++ b/fs/btrfs/scrub.c
@@ -3642,9 +3642,11 @@ int scrub_enumerate_chunks(struct scrub_ctx *sctx,
                         break;
                 }
 
+                btrfs_dev_replace_lock(&fs_info->dev_replace, 1);
                 dev_replace->cursor_right = found_key.offset + length;
                 dev_replace->cursor_left = found_key.offset;
                 dev_replace->item_needs_writeback = 1;
+                btrfs_dev_replace_unlock(&fs_info->dev_replace, 1);
                 ret = scrub_chunk(sctx, scrub_dev, chunk_offset, length,
                                   found_key.offset, cache, is_dev_replace);
 
@@ -3718,8 +3720,10 @@ int scrub_enumerate_chunks(struct scrub_ctx *sctx,
                         break;
                 }
 
+                btrfs_dev_replace_lock(&fs_info->dev_replace, 1);
                 dev_replace->cursor_left = dev_replace->cursor_right;
                 dev_replace->item_needs_writeback = 1;
+                btrfs_dev_replace_unlock(&fs_info->dev_replace, 1);
 skip:
                 key.offset = found_key.offset + length;
                 btrfs_release_path(path);