[PATCHv2 05/17] nvme: add Clang context annotations for nvme_ns_head::current_path
Nilay Shroff
nilay at linux.ibm.com
Sun Jun 28 22:20:39 PDT 2026
On 6/28/26 9:37 PM, Paul E. McKenney wrote:
> On Sun, Jun 28, 2026 at 08:00:00AM +0200, Marco Elver wrote:
>> On Sat, 27 Jun 2026 at 19:14, Paul E. McKenney <paulmck at kernel.org> wrote:
>>>
>>> On Sat, Jun 27, 2026 at 05:38:44PM +0200, Marco Elver wrote:
>>>> On Fri, 26 Jun 2026 at 20:36, Paul E. McKenney <paulmck at kernel.org> wrote:
>>>>> On Fri, Jun 26, 2026 at 08:40:50AM +0200, Christoph Hellwig wrote:
>>>>>> On Sun, Jun 14, 2026 at 06:45:20PM +0530, Nilay Shroff wrote:
>>>>>>> +++ b/drivers/nvme/host/multipath.c
>>>>>>> @@ -231,8 +231,16 @@ bool nvme_mpath_clear_current_path(struct nvme_ns *ns)
>>>>>>> bool changed = false;
>>>>>>> int node;
>>>>>>>
>>>>>>> + /*
>>>>>>> + * This helper is used by namespace failover/teardown and I/O policy
>>>>>>> + * update paths. We only compare the head->current_path[] pointer value
>>>>>>> + * and do not dereference the referenced namespace, so suppress the
>>>>>>> + * context analysis warning for this lockless inspection of the
>>>>>>> + * __rcu_guarded pointer.
>>>>>>> + */
>>>>>>> for_each_node(node) {
>>>>>>> - if (ns == rcu_access_pointer(head->current_path[node])) {
>>>>>>> + if (context_unsafe(ns ==
>>>>>>> + rcu_access_pointer(head->current_path[node]))) {
>>>>>>
>>>>>> I think we need a helper for this, as for a simple pointer value
>>>>>> comparison without a dereference we don't really need either
>>>>>> rcu_access_pointer nor locking.
>>>>>>
>>>>>> Maybe somthing like a
>>>>>>
>>>>>> rcu_compare_pointer(rcu_pointer, nonrcu_pointer)
>>>>>>
>>>>>> ?
>>>>>
>>>>> We could provide something like this:
>>>>>
>>>>> #define rcu_compare_pointer(rcu_pointer, nonrcu_pointer) \
>>>>> context_unsafe(rcu_access_pointer(rcu_pointer) == (nonrcu_pointer))
>>>>>
>>>>> Or maybe rcu_pointer_equals()?
>>>>>
>>>>> Marco, thoughts?
>>>>
>>>> I see 2 options:
>>>>
>>>> 1. rcu_compare_pointer / rcu_pointer_equals as proposed. It's more
>>>> explicit but does add some friction during Context Analysis
>>>> enablement. But this only makes sense if there are cases where
>>>> rcu_access_pointer() should be used under the RCU reader lock, which
>>>> led me to the next suggestion...
>>>>
>>>> 2. Redefine rcu_access_pointer() to just not require the RCU read-side
>>>> lock to be held as:
>>>>
>>>>> #define rcu_access_pointer(p) context_unsafe(__rcu_access_pointer((p), __UNIQUE_ID(rcu), __rcu))
>>>>
>>>> [ Or alternatively wrap __rcu_access_pointer() in context_unsafe()
>>>> (similar to rcu_assign_pointer and friends). ]
>>>>
>>>> I think rcu_access_pointer() is in the same category as the other RCU
>>>> pointer helpers, although currently only the pointer update helpers
>>>> imply context_unsafe(); I think it might have been an oversight
>>>> initially, and we should change rcu_access_pointer() to match. There
>>>> should be no reason why an rcu_access_pointer() should be protected by
>>>> the RCU read-side critical section, since it's not meant for
>>>> dereferencing the pointer (that'd be a bug; its documentation also
>>>> says "Return the value of the specified RCU-protected pointer, but
>>>> omit the lockdep checks for being in an RCU read-side critical section
>>>> [...]").
>>>>
>>>> If you agree there should be no cases where an rcu_access_pointer()
>>>> should be guarded by an RCU read-side critical section, then I think
>>>> this is the simplest and correct design, and avoids expanding the RCU
>>>> API.
>>>
>>> I don't know of any uses of rcu_access_pointer() within an RCU read-side
>>> critical section, but code in a function that might be called both within
>>> and outside of a critical section might well use rcu_access_pointer().
>>> In other words, it should be OK to use rcu_access_pointer() within an
>>> RCU read-side critical section as well as outside of one.
>>
>> Thanks, yes, that's what I wanted to confirm; i.e. it's ok to use
>> rcu_access_pointer() within and outside an RCU read-side critical
>> section.
>>
>> In which case, my proposal (2) to make rcu_access_pointer() not warn
>> on accessing __rcu_guarded pointers outside an RCU read-side critical
>> section should be the simpler and more generic change (vs. adding a
>> new rcu_pointer_equals() helper).
>
> As shown below?
>
> My guess is that this change makes it unnecessary to have a separate
> RCU-protected-pointer comparison macro, but please let me know if I am
> missing something.
>
> Thanx, Paul
>
> ------------------------------------------------------------------------
>
> commit 32c1e63fee171f7ed8cc986ec64f576ee80bccab
> Author: Paul E. McKenney <paulmck at kernel.org>
> Date: Sun Jun 28 09:00:01 2026 -0700
>
> rcu: Mark __rcu_access_pointer() as context_unsafe()
>
> A simple comparison of a pointer returned by rcu_access_pointer() results
> in a context-analysis warning for lockless inspection of the RCU-protected
> (also known as __rcu-protected) pointer. This can be suppressed by
> placing context_unsafe() calls around calls rcu_access_pointer(),
> but this is messy and distracting. This commit therefore wraps the
> underlying __rcu_access_pointer() macro with a call to context_unsafe(),
> thereby informing the context-analysis code that rcu_access_pointer()
> may safely be invoked outside of an RCU read-side critical section.
>
> Reported-by: Christoph Hellwig <hch at lst.de>
> Suggested-by: Marco Elver <elver at google.com>
> Signed-off-by: Paul E. McKenney <paulmck at kernel.org>
>
> diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
> index 5e95acc33989b6..e40dc2e20c5b1f 100644
> --- a/include/linux/rcupdate.h
> +++ b/include/linux/rcupdate.h
> @@ -490,12 +490,12 @@ context_unsafe( \
> */
> #define unrcu_pointer(p) __unrcu_pointer(p, __UNIQUE_ID(rcu))
>
> -#define __rcu_access_pointer(p, local, space) \
> +#define __rcu_access_pointer(p, local, space) context_unsafe( \
> ({ \
> typeof(*p) *local = (typeof(*p) *__force)READ_ONCE(p); \
> rcu_check_sparse(p, space); \
> ((typeof(*p) __force __kernel *)(local)); \
> -})
> +}) )
> #define __rcu_dereference_check(p, local, c, space) \
> ({ \
> /* Dependency order vs. p above. */ \
I have tested the above patch with an __rcu_guarded pointer accessed
outside an RCU read-side critical section while Clang context analysis
is enabled. I can confirm that this change suppresses the context
analysis warning when the pointer is accessed via rcu_access_pointer().
With that, if you send out this change, please add:
Tested-by: Nilay Shroff <nilay at linux.ibm.com>
Thanks,
--Nilay
More information about the Linux-nvme
mailing list