Re: [PATCH 2/2] xfs: fix buffer lookup vs release race

["Lai, Yi" <yi1.lai@linux.intel.com>]

Hi Christoph Hellwig,

Greetings!

I used Syzkaller and found that there is possible deadlock in xfs_buf_get_map in linux-next tag - next-20250121.

After bisection and the first bad commit is:
"
ee10f6fcdb96 xfs: fix buffer lookup vs release race
"

All detailed into can be found at:
https://github.com/laifryiee/syzkaller_logs/tree/main/250124_181030_xfs_buf_get_map
Syzkaller repro code:
https://github.com/laifryiee/syzkaller_logs/tree/main/250124_181030_xfs_buf_get_map/repro.c
Syzkaller repro syscall steps:
https://github.com/laifryiee/syzkaller_logs/tree/main/250124_181030_xfs_buf_get_map/repro.prog
Syzkaller report:
https://github.com/laifryiee/syzkaller_logs/tree/main/250124_181030_xfs_buf_get_map/repro.report
Kconfig(make olddefconfig):
https://github.com/laifryiee/syzkaller_logs/tree/main/250124_181030_xfs_buf_get_map/kconfig_origin
Bisect info:
https://github.com/laifryiee/syzkaller_logs/tree/main/250124_181030_xfs_buf_get_map/bisect_info.log
bzImage:
https://github.com/laifryiee/syzkaller_logs/raw/refs/heads/main/250124_181030_xfs_buf_get_map/bzImage_f066b5a6c7a06adfb666b7652cc99b4ff264f4ed
Issue dmesg:
https://github.com/laifryiee/syzkaller_logs/blob/main/250124_181030_xfs_buf_get_map/f066b5a6c7a06adfb666b7652cc99b4ff264f4ed_dmesg.log

"
[   57.155207] ======================================================
[   57.155506] WARNING: possible circular locking dependency detected
[   57.155814] 6.13.0-next-20250121-f066b5a6c7a0-dirty #1 Not tainted
[   57.156126] ------------------------------------------------------
[   57.156434] repro/749 is trying to acquire lock:
[   57.156672] ffff888023a9daa0 (&bp->b_lock){+.+.}-{3:3}, at: xfs_buf_get_map+0x1ba3/0x2fb0
[   57.157105]
[   57.157105] but task is already holding lock:
[   57.157389] ffff88801f182980 (&bch->bc_lock){+.+.}-{3:3}, at: xfs_buf_get_map+0x156f/0x2fb0
[   57.157816]
[   57.157816] which lock already depends on the new lock.
[   57.157816]
[   57.158210]
[   57.158210] the existing dependency chain (in reverse order) is:
[   57.158575]
[   57.158575] -> #1 (&bch->bc_lock){+.+.}-{3:3}:
[   57.158880]        _raw_spin_lock+0x38/0x50
[   57.159114]        xfs_buf_rele+0x2c1/0x1670
[   57.159331]        xfs_trans_brelse+0x385/0x410
[   57.159569]        xfs_imap_lookup+0x38d/0x5a0
[   57.159803]        xfs_imap+0x668/0xc80
[   57.160006]        xfs_iget+0x875/0x2dd0
[   57.160219]        xfs_mountfs+0x121d/0x2130
[   57.160444]        xfs_fs_fill_super+0x12bb/0x1ed0
[   57.160697]        get_tree_bdev_flags+0x3d8/0x6c0
[   57.160952]        get_tree_bdev+0x29/0x40
[   57.161166]        xfs_fs_get_tree+0x26/0x30
[   57.161389]        vfs_get_tree+0x9e/0x390
[   57.161600]        path_mount+0x707/0x2000
[   57.161820]        __x64_sys_mount+0x2a8/0x330
[   57.162055]        x64_sys_call+0x1e1d/0x2140
[   57.162288]        do_syscall_64+0x6d/0x140
[   57.162512]        entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   57.162796]
[   57.162796] -> #0 (&bp->b_lock){+.+.}-{3:3}:
[   57.163093]        __lock_acquire+0x2ff8/0x5d60
[   57.163329]        lock_acquire+0x1bd/0x550
[   57.163541]        _raw_spin_lock+0x38/0x50
[   57.163756]        xfs_buf_get_map+0x1ba3/0x2fb0
[   57.163968]        xfs_buf_read_map+0xe8/0xaa0
[   57.164191]        xfs_trans_read_buf_map+0x12f/0x990
[   57.164452]        xfs_read_agf+0x259/0x5a0
[   57.164654]        xfs_alloc_read_agf+0x127/0xb50
[   57.164889]        xfs_ioc_trim+0x1369/0x22f0
[   57.165116]        xfs_file_ioctl+0x18a0/0x2270
[   57.165349]        __x64_sys_ioctl+0x1ba/0x220
[   57.165583]        x64_sys_call+0x1227/0x2140
[   57.165810]        do_syscall_64+0x6d/0x140
[   57.166031]        entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   57.166314]
[   57.166314] other info that might help us debug this:
[   57.166314]
[   57.166677]  Possible unsafe locking scenario:
[   57.166677]
[   57.166973]        CPU0                    CPU1
[   57.167198]        ----                    ----
[   57.167425]   lock(&bch->bc_lock);
[   57.167604]                                lock(&bp->b_lock);
[   57.167890]                                lock(&bch->bc_lock);
[   57.168184]   lock(&bp->b_lock);
[   57.168355]
[   57.168355]  *** DEADLOCK ***
[   57.168355]
[   57.168623] 1 lock held by repro/749:
[   57.168791]  #0: ffff88801f182980 (&bch->bc_lock){+.+.}-{3:3}, at: xfs_buf_get_map+0x156f/0x2fb0
[   57.169238]
[   57.169238] stack backtrace:
[   57.169464] CPU: 1 UID: 0 PID: 749 Comm: repro Not tainted 6.13.0-next-20250121-f066b5a6c7a0-dirty #1
[   57.169915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/014
[   57.170448] Call Trace:
[   57.170585]  <TASK>
[   57.170703]  dump_stack_lvl+0xea/0x150
[   57.170915]  dump_stack+0x19/0x20
[   57.171096]  print_circular_bug+0x47f/0x750
[   57.171320]  check_noncircular+0x2f4/0x3e0
[   57.171536]  ? __pfx_check_noncircular+0x10/0x10
[   57.171777]  ? register_lock_class+0xbf/0x10f0
[   57.172009]  ? __pfx_lockdep_lock+0x10/0x10
[   57.172223]  ? xfs_trans_read_buf_map+0x12f/0x990
[   57.172486]  __lock_acquire+0x2ff8/0x5d60
[   57.172699]  ? __pfx___lock_acquire+0x10/0x10
[   57.172922]  ? __pfx___lock_acquire+0x10/0x10
[   57.173144]  ? __pfx_mark_lock.part.0+0x10/0x10
[   57.173375]  lock_acquire+0x1bd/0x550
[   57.173564]  ? xfs_buf_get_map+0x1ba3/0x2fb0
[   57.173782]  ? __pfx_lock_acquire+0x10/0x10
[   57.173997]  ? lock_release+0x441/0x870
[   57.174196]  ? __pfx_lock_release+0x10/0x10
[   57.174414]  _raw_spin_lock+0x38/0x50
[   57.174606]  ? xfs_buf_get_map+0x1ba3/0x2fb0
[   57.174822]  xfs_buf_get_map+0x1ba3/0x2fb0
[   57.175034]  ? __pfx_xfs_buf_get_map+0x10/0x10
[   57.175264]  ? kasan_save_alloc_info+0x3c/0x50
[   57.175505]  ? kmem_cache_alloc_noprof+0x13e/0x440
[   57.175754]  ? xfs_trans_alloc+0x86/0x860
[   57.175970]  ? xfs_trans_alloc_empty+0x92/0xc0
[   57.176199]  ? __x64_sys_ioctl+0x1ba/0x220
[   57.176429]  ? x64_sys_call+0x1227/0x2140
[   57.176641]  ? do_syscall_64+0x6d/0x140
[   57.176841]  ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   57.177115]  xfs_buf_read_map+0xe8/0xaa0
[   57.177316]  ? xfs_read_agf+0x259/0x5a0
[   57.177518]  ? __pfx_xfs_buf_read_map+0x10/0x10
[   57.177749]  ? __sanitizer_cov_trace_cmp4+0x1a/0x20
[   57.178009]  ? xfs_trans_buf_item_match+0x257/0x300
[   57.178263]  xfs_trans_read_buf_map+0x12f/0x990
[   57.178499]  ? xfs_read_agf+0x259/0x5a0
[   57.178701]  ? __pfx_xfs_trans_read_buf_map+0x10/0x10
[   57.178962]  ? xfs_trans_alloc+0x86/0x860
[   57.179175]  xfs_read_agf+0x259/0x5a0
[   57.179368]  ? rcu_is_watching+0x19/0xc0
[   57.179579]  ? __pfx_xfs_read_agf+0x10/0x10
[   57.179806]  ? xfs_trans_alloc_empty+0x92/0xc0
[   57.180039]  xfs_alloc_read_agf+0x127/0xb50
[   57.180252]  ? __pfx_xfs_alloc_read_agf+0x10/0x10
[   57.180495]  ? xfs_log_force+0x351/0xa40
[   57.180702]  xfs_ioc_trim+0x1369/0x22f0
[   57.180910]  ? __pfx_xfs_ioc_trim+0x10/0x10
[   57.181106]  ? __kasan_check_read+0x15/0x20
[   57.181317]  ? mark_lock.part.0+0xf3/0x17b0
[   57.181540]  ? __kasan_check_read+0x15/0x20
[   57.181760]  ? __kasan_check_read+0x15/0x20
[   57.181983]  ? mark_lock.part.0+0xf3/0x17b0
[   57.182201]  ? mark_lock.part.0+0xf3/0x17b0
[   57.182420]  ? __pfx_mark_lock.part.0+0x10/0x10
[   57.182655]  xfs_file_ioctl+0x18a0/0x2270
[   57.182859]  ? xfs_file_ioctl+0x18a0/0x2270
[   57.183077]  ? __pfx_xfs_file_ioctl+0x10/0x10
[   57.183306]  ? __kasan_check_read+0x15/0x20
[   57.183526]  ? __lock_acquire+0xdb8/0x5d60
[   57.183738]  ? __sanitizer_cov_trace_switch+0x58/0xa0
[   57.184004]  ? do_vfs_ioctl+0x4fa/0x1920
[   57.184212]  ? __pfx___lock_acquire+0x10/0x10
[   57.184441]  ? __pfx_do_vfs_ioctl+0x10/0x10
[   57.184662]  ? __this_cpu_preempt_check+0x21/0x30
[   57.184911]  ? lock_release+0x441/0x870
[   57.185114]  ? __pfx_lock_release+0x10/0x10
[   57.185334]  ? __fget_files+0x1fb/0x3a0
[   57.185533]  ? __pfx_xfs_file_ioctl+0x10/0x10
[   57.185755]  __x64_sys_ioctl+0x1ba/0x220
[   57.185964]  x64_sys_call+0x1227/0x2140
[   57.186170]  do_syscall_64+0x6d/0x140
[   57.186369]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   57.186631] RIP: 0033:0x7f9490a3ee5d
[   57.186829] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c88
[   57.187726] RSP: 002b:00007f94909fedf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   57.188108] RAX: ffffffffffffffda RBX: 00007f94909ff640 RCX: 00007f9490a3ee5d
[   57.188460] RDX: 0000000020000000 RSI: 00000000c0185879 RDI: 0000000000000004
[   57.188813] RBP: 00007f94909fee20 R08: 00007ffe62e59aaf R09: 0000000000000000
[   57.189162] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f94909ff640
[   57.189518] R13: 0000000000000006 R14: 00007f9490a9f560 R15: 0000000000000000
[   57.189876]  </TASK>
"

Hope this cound be insightful to you.

Regards,
Yi Lai

---

If you don't need the following environment to reproduce the problem or if you
already have one reproduced environment, please ignore the following information.

How to reproduce:
git clone https://gitlab.com/xupengfe/repro_vm_env.git
cd repro_vm_env
tar -xvf repro_vm_env.tar.gz
cd repro_vm_env; ./start3.sh  // it needs qemu-system-x86_64 and I used v7.1.0
  // start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
  // You could change the bzImage_xxx as you want
  // Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version
You could use below command to log in, there is no password for root.
ssh -p 10023 root@localhost

After login vm(virtual machine) successfully, you could transfer reproduced
binary to the vm by below way, and reproduce the problem in vm:
gcc -pthread -o repro repro.c
scp -P 10023 repro root@localhost:/root/

Get the bzImage for target kernel:
Please use target kconfig and copy it to kernel_src/.config
make olddefconfig
make -jx bzImage           //x should equal or less than cpu num your pc has

Fill the bzImage file into above start3.sh to load the target kernel in vm.


Tips:
If you already have qemu-system-x86_64, please ignore below info.
If you want to install qemu v7.1.0 version:
git clone https://github.com/qemu/qemu.git
cd qemu
git checkout -f v7.1.0
mkdir build
cd build
yum install -y ninja-build.x86_64
yum -y install libslirp-devel.x86_64
../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
make
make install 

On Thu, Jan 16, 2025 at 07:01:42AM +0100, Christoph Hellwig wrote:
> Since commit 298f34224506 ("xfs: lockless buffer lookup") the buffer
> lookup fastpath is done without a hash-wide lock (then pag_buf_lock, now
> bc_lock) and only under RCU protection.  But this means that nothing
> serializes lookups against the temporary 0 reference count for buffers
> that are added to the LRU after dropping the last regular reference,
> and a concurrent lookup would fail to find them.
> 
> Fix this by doing all b_hold modifications under b_lock.  We're already
> doing this for release so this "only" ~ doubles the b_lock round trips.
> We'll later look into the lockref infrastructure to optimize the number
> of lock round trips again.
> 
> Signed-off-by: Christoph Hellwig <hch@lst.de>
> Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
> ---
>  fs/xfs/xfs_buf.c   | 93 ++++++++++++++++++++++++----------------------
>  fs/xfs/xfs_buf.h   |  2 +-
>  fs/xfs/xfs_trace.h | 10 ++---
>  3 files changed, 54 insertions(+), 51 deletions(-)
> 
> diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
> index f80e39fde53b..dc219678003c 100644
> --- a/fs/xfs/xfs_buf.c
> +++ b/fs/xfs/xfs_buf.c
> @@ -133,15 +133,6 @@ __xfs_buf_ioacct_dec(
>  	}
>  }
>  
> -static inline void
> -xfs_buf_ioacct_dec(
> -	struct xfs_buf	*bp)
> -{
> -	spin_lock(&bp->b_lock);
> -	__xfs_buf_ioacct_dec(bp);
> -	spin_unlock(&bp->b_lock);
> -}
> -
>  /*
>   * When we mark a buffer stale, we remove the buffer from the LRU and clear the
>   * b_lru_ref count so that the buffer is freed immediately when the buffer
> @@ -177,9 +168,9 @@ xfs_buf_stale(
>  	atomic_set(&bp->b_lru_ref, 0);
>  	if (!(bp->b_state & XFS_BSTATE_DISPOSE) &&
>  	    (list_lru_del_obj(&bp->b_target->bt_lru, &bp->b_lru)))
> -		atomic_dec(&bp->b_hold);
> +		bp->b_hold--;
>  
> -	ASSERT(atomic_read(&bp->b_hold) >= 1);
> +	ASSERT(bp->b_hold >= 1);
>  	spin_unlock(&bp->b_lock);
>  }
>  
> @@ -238,14 +229,14 @@ _xfs_buf_alloc(
>  	 */
>  	flags &= ~(XBF_UNMAPPED | XBF_TRYLOCK | XBF_ASYNC | XBF_READ_AHEAD);
>  
> -	atomic_set(&bp->b_hold, 1);
> +	spin_lock_init(&bp->b_lock);
> +	bp->b_hold = 1;
>  	atomic_set(&bp->b_lru_ref, 1);
>  	init_completion(&bp->b_iowait);
>  	INIT_LIST_HEAD(&bp->b_lru);
>  	INIT_LIST_HEAD(&bp->b_list);
>  	INIT_LIST_HEAD(&bp->b_li_list);
>  	sema_init(&bp->b_sema, 0); /* held, no waiters */
> -	spin_lock_init(&bp->b_lock);
>  	bp->b_target = target;
>  	bp->b_mount = target->bt_mount;
>  	bp->b_flags = flags;
> @@ -589,6 +580,20 @@ xfs_buf_find_lock(
>  	return 0;
>  }
>  
> +static bool
> +xfs_buf_try_hold(
> +	struct xfs_buf		*bp)
> +{
> +	spin_lock(&bp->b_lock);
> +	if (bp->b_hold == 0) {
> +		spin_unlock(&bp->b_lock);
> +		return false;
> +	}
> +	bp->b_hold++;
> +	spin_unlock(&bp->b_lock);
> +	return true;
> +}
> +
>  static inline int
>  xfs_buf_lookup(
>  	struct xfs_buf_cache	*bch,
> @@ -601,7 +606,7 @@ xfs_buf_lookup(
>  
>  	rcu_read_lock();
>  	bp = rhashtable_lookup(&bch->bc_hash, map, xfs_buf_hash_params);
> -	if (!bp || !atomic_inc_not_zero(&bp->b_hold)) {
> +	if (!bp || !xfs_buf_try_hold(bp)) {
>  		rcu_read_unlock();
>  		return -ENOENT;
>  	}
> @@ -664,7 +669,7 @@ xfs_buf_find_insert(
>  		spin_unlock(&bch->bc_lock);
>  		goto out_free_buf;
>  	}
> -	if (bp && atomic_inc_not_zero(&bp->b_hold)) {
> +	if (bp && xfs_buf_try_hold(bp)) {
>  		/* found an existing buffer */
>  		spin_unlock(&bch->bc_lock);
>  		error = xfs_buf_find_lock(bp, flags);
> @@ -1043,7 +1048,10 @@ xfs_buf_hold(
>  	struct xfs_buf		*bp)
>  {
>  	trace_xfs_buf_hold(bp, _RET_IP_);
> -	atomic_inc(&bp->b_hold);
> +
> +	spin_lock(&bp->b_lock);
> +	bp->b_hold++;
> +	spin_unlock(&bp->b_lock);
>  }
>  
>  static void
> @@ -1051,10 +1059,15 @@ xfs_buf_rele_uncached(
>  	struct xfs_buf		*bp)
>  {
>  	ASSERT(list_empty(&bp->b_lru));
> -	if (atomic_dec_and_test(&bp->b_hold)) {
> -		xfs_buf_ioacct_dec(bp);
> -		xfs_buf_free(bp);
> +
> +	spin_lock(&bp->b_lock);
> +	if (--bp->b_hold) {
> +		spin_unlock(&bp->b_lock);
> +		return;
>  	}
> +	__xfs_buf_ioacct_dec(bp);
> +	spin_unlock(&bp->b_lock);
> +	xfs_buf_free(bp);
>  }
>  
>  static void
> @@ -1064,51 +1077,40 @@ xfs_buf_rele_cached(
>  	struct xfs_buftarg	*btp = bp->b_target;
>  	struct xfs_perag	*pag = bp->b_pag;
>  	struct xfs_buf_cache	*bch = xfs_buftarg_buf_cache(btp, pag);
> -	bool			release;
>  	bool			freebuf = false;
>  
>  	trace_xfs_buf_rele(bp, _RET_IP_);
>  
> -	ASSERT(atomic_read(&bp->b_hold) > 0);
> -
> -	/*
> -	 * We grab the b_lock here first to serialise racing xfs_buf_rele()
> -	 * calls. The pag_buf_lock being taken on the last reference only
> -	 * serialises against racing lookups in xfs_buf_find(). IOWs, the second
> -	 * to last reference we drop here is not serialised against the last
> -	 * reference until we take bp->b_lock. Hence if we don't grab b_lock
> -	 * first, the last "release" reference can win the race to the lock and
> -	 * free the buffer before the second-to-last reference is processed,
> -	 * leading to a use-after-free scenario.
> -	 */
>  	spin_lock(&bp->b_lock);
> -	release = atomic_dec_and_lock(&bp->b_hold, &bch->bc_lock);
> -	if (!release) {
> +	ASSERT(bp->b_hold >= 1);
> +	if (bp->b_hold > 1) {
>  		/*
>  		 * Drop the in-flight state if the buffer is already on the LRU
>  		 * and it holds the only reference. This is racy because we
>  		 * haven't acquired the pag lock, but the use of _XBF_IN_FLIGHT
>  		 * ensures the decrement occurs only once per-buf.
>  		 */
> -		if ((atomic_read(&bp->b_hold) == 1) && !list_empty(&bp->b_lru))
> +		if (--bp->b_hold == 1 && !list_empty(&bp->b_lru))
>  			__xfs_buf_ioacct_dec(bp);
>  		goto out_unlock;
>  	}
>  
> -	/* the last reference has been dropped ... */
> +	/* we are asked to drop the last reference */
> +	spin_lock(&bch->bc_lock);
>  	__xfs_buf_ioacct_dec(bp);
>  	if (!(bp->b_flags & XBF_STALE) && atomic_read(&bp->b_lru_ref)) {
>  		/*
> -		 * If the buffer is added to the LRU take a new reference to the
> +		 * If the buffer is added to the LRU, keep the reference to the
>  		 * buffer for the LRU and clear the (now stale) dispose list
> -		 * state flag
> +		 * state flag, else drop the reference.
>  		 */
> -		if (list_lru_add_obj(&btp->bt_lru, &bp->b_lru)) {
> +		if (list_lru_add_obj(&btp->bt_lru, &bp->b_lru))
>  			bp->b_state &= ~XFS_BSTATE_DISPOSE;
> -			atomic_inc(&bp->b_hold);
> -		}
> +		else
> +			bp->b_hold--;
>  		spin_unlock(&bch->bc_lock);
>  	} else {
> +		bp->b_hold--;
>  		/*
>  		 * most of the time buffers will already be removed from the
>  		 * LRU, so optimise that case by checking for the
> @@ -1863,13 +1865,14 @@ xfs_buftarg_drain_rele(
>  	struct xfs_buf		*bp = container_of(item, struct xfs_buf, b_lru);
>  	struct list_head	*dispose = arg;
>  
> -	if (atomic_read(&bp->b_hold) > 1) {
> +	if (!spin_trylock(&bp->b_lock))
> +		return LRU_SKIP;
> +	if (bp->b_hold > 1) {
>  		/* need to wait, so skip it this pass */
> +		spin_unlock(&bp->b_lock);
>  		trace_xfs_buf_drain_buftarg(bp, _RET_IP_);
>  		return LRU_SKIP;
>  	}
> -	if (!spin_trylock(&bp->b_lock))
> -		return LRU_SKIP;
>  
>  	/*
>  	 * clear the LRU reference count so the buffer doesn't get
> @@ -2208,7 +2211,7 @@ xfs_buf_delwri_queue(
>  	 */
>  	bp->b_flags |= _XBF_DELWRI_Q;
>  	if (list_empty(&bp->b_list)) {
> -		atomic_inc(&bp->b_hold);
> +		xfs_buf_hold(bp);
>  		list_add_tail(&bp->b_list, list);
>  	}
>  
> diff --git a/fs/xfs/xfs_buf.h b/fs/xfs/xfs_buf.h
> index 3d56bc7a35cc..9ccc6f93f636 100644
> --- a/fs/xfs/xfs_buf.h
> +++ b/fs/xfs/xfs_buf.h
> @@ -172,7 +172,7 @@ struct xfs_buf {
>  
>  	xfs_daddr_t		b_rhash_key;	/* buffer cache index */
>  	int			b_length;	/* size of buffer in BBs */
> -	atomic_t		b_hold;		/* reference count */
> +	unsigned int		b_hold;		/* reference count */
>  	atomic_t		b_lru_ref;	/* lru reclaim ref count */
>  	xfs_buf_flags_t		b_flags;	/* status flags */
>  	struct semaphore	b_sema;		/* semaphore for lockables */
> diff --git a/fs/xfs/xfs_trace.h b/fs/xfs/xfs_trace.h
> index 4fe689410eb6..b29462363b81 100644
> --- a/fs/xfs/xfs_trace.h
> +++ b/fs/xfs/xfs_trace.h
> @@ -498,7 +498,7 @@ DECLARE_EVENT_CLASS(xfs_buf_class,
>  		__entry->dev = bp->b_target->bt_dev;
>  		__entry->bno = xfs_buf_daddr(bp);
>  		__entry->nblks = bp->b_length;
> -		__entry->hold = atomic_read(&bp->b_hold);
> +		__entry->hold = bp->b_hold;
>  		__entry->pincount = atomic_read(&bp->b_pin_count);
>  		__entry->lockval = bp->b_sema.count;
>  		__entry->flags = bp->b_flags;
> @@ -569,7 +569,7 @@ DECLARE_EVENT_CLASS(xfs_buf_flags_class,
>  		__entry->bno = xfs_buf_daddr(bp);
>  		__entry->length = bp->b_length;
>  		__entry->flags = flags;
> -		__entry->hold = atomic_read(&bp->b_hold);
> +		__entry->hold = bp->b_hold;
>  		__entry->pincount = atomic_read(&bp->b_pin_count);
>  		__entry->lockval = bp->b_sema.count;
>  		__entry->caller_ip = caller_ip;
> @@ -612,7 +612,7 @@ TRACE_EVENT(xfs_buf_ioerror,
>  		__entry->dev = bp->b_target->bt_dev;
>  		__entry->bno = xfs_buf_daddr(bp);
>  		__entry->length = bp->b_length;
> -		__entry->hold = atomic_read(&bp->b_hold);
> +		__entry->hold = bp->b_hold;
>  		__entry->pincount = atomic_read(&bp->b_pin_count);
>  		__entry->lockval = bp->b_sema.count;
>  		__entry->error = error;
> @@ -656,7 +656,7 @@ DECLARE_EVENT_CLASS(xfs_buf_item_class,
>  		__entry->buf_bno = xfs_buf_daddr(bip->bli_buf);
>  		__entry->buf_len = bip->bli_buf->b_length;
>  		__entry->buf_flags = bip->bli_buf->b_flags;
> -		__entry->buf_hold = atomic_read(&bip->bli_buf->b_hold);
> +		__entry->buf_hold = bip->bli_buf->b_hold;
>  		__entry->buf_pincount = atomic_read(&bip->bli_buf->b_pin_count);
>  		__entry->buf_lockval = bip->bli_buf->b_sema.count;
>  		__entry->li_flags = bip->bli_item.li_flags;
> @@ -4978,7 +4978,7 @@ DECLARE_EVENT_CLASS(xfbtree_buf_class,
>  		__entry->xfino = file_inode(xfbt->target->bt_file)->i_ino;
>  		__entry->bno = xfs_buf_daddr(bp);
>  		__entry->nblks = bp->b_length;
> -		__entry->hold = atomic_read(&bp->b_hold);
> +		__entry->hold = bp->b_hold;
>  		__entry->pincount = atomic_read(&bp->b_pin_count);
>  		__entry->lockval = bp->b_sema.count;
>  		__entry->flags = bp->b_flags;
> -- 
> 2.45.2
>