Re: [PATCHv2 05/17] nvme: add Clang context annotations for nvme_ns_head::current_path
From: Nilay Shroff
Date: Mon Jun 29 2026 - 01:21:43 EST
On 6/28/26 9:37 PM, Paul E. McKenney wrote:
On Sun, Jun 28, 2026 at 08:00:00AM +0200, Marco Elver wrote:
On Sat, 27 Jun 2026 at 19:14, Paul E. McKenney <paulmck@xxxxxxxxxx> wrote:
On Sat, Jun 27, 2026 at 05:38:44PM +0200, Marco Elver wrote:
On Fri, 26 Jun 2026 at 20:36, Paul E. McKenney <paulmck@xxxxxxxxxx> wrote:
On Fri, Jun 26, 2026 at 08:40:50AM +0200, Christoph Hellwig wrote:
On Sun, Jun 14, 2026 at 06:45:20PM +0530, Nilay Shroff wrote:
+++ b/drivers/nvme/host/multipath.c
@@ -231,8 +231,16 @@ bool nvme_mpath_clear_current_path(struct nvme_ns *ns)
bool changed = false;
int node;
+ /*
+ * This helper is used by namespace failover/teardown and I/O policy
+ * update paths. We only compare the head->current_path[] pointer value
+ * and do not dereference the referenced namespace, so suppress the
+ * context analysis warning for this lockless inspection of the
+ * __rcu_guarded pointer.
+ */
for_each_node(node) {
- if (ns == rcu_access_pointer(head->current_path[node])) {
+ if (context_unsafe(ns ==
+ rcu_access_pointer(head->current_path[node]))) {
I think we need a helper for this, as for a simple pointer value
comparison without a dereference we don't really need either
rcu_access_pointer nor locking.
Maybe somthing like a
rcu_compare_pointer(rcu_pointer, nonrcu_pointer)
?
We could provide something like this:
#define rcu_compare_pointer(rcu_pointer, nonrcu_pointer) \
context_unsafe(rcu_access_pointer(rcu_pointer) == (nonrcu_pointer))
Or maybe rcu_pointer_equals()?
Marco, thoughts?
I see 2 options:
1. rcu_compare_pointer / rcu_pointer_equals as proposed. It's more
explicit but does add some friction during Context Analysis
enablement. But this only makes sense if there are cases where
rcu_access_pointer() should be used under the RCU reader lock, which
led me to the next suggestion...
2. Redefine rcu_access_pointer() to just not require the RCU read-side
lock to be held as:
#define rcu_access_pointer(p) context_unsafe(__rcu_access_pointer((p), __UNIQUE_ID(rcu), __rcu))
[ Or alternatively wrap __rcu_access_pointer() in context_unsafe()
(similar to rcu_assign_pointer and friends). ]
I think rcu_access_pointer() is in the same category as the other RCU
pointer helpers, although currently only the pointer update helpers
imply context_unsafe(); I think it might have been an oversight
initially, and we should change rcu_access_pointer() to match. There
should be no reason why an rcu_access_pointer() should be protected by
the RCU read-side critical section, since it's not meant for
dereferencing the pointer (that'd be a bug; its documentation also
says "Return the value of the specified RCU-protected pointer, but
omit the lockdep checks for being in an RCU read-side critical section
[...]").
If you agree there should be no cases where an rcu_access_pointer()
should be guarded by an RCU read-side critical section, then I think
this is the simplest and correct design, and avoids expanding the RCU
API.
I don't know of any uses of rcu_access_pointer() within an RCU read-side
critical section, but code in a function that might be called both within
and outside of a critical section might well use rcu_access_pointer().
In other words, it should be OK to use rcu_access_pointer() within an
RCU read-side critical section as well as outside of one.
Thanks, yes, that's what I wanted to confirm; i.e. it's ok to use
rcu_access_pointer() within and outside an RCU read-side critical
section.
In which case, my proposal (2) to make rcu_access_pointer() not warn
on accessing __rcu_guarded pointers outside an RCU read-side critical
section should be the simpler and more generic change (vs. adding a
new rcu_pointer_equals() helper).
As shown below?
My guess is that this change makes it unnecessary to have a separate
RCU-protected-pointer comparison macro, but please let me know if I am
missing something.
Thanx, Paul
------------------------------------------------------------------------
commit 32c1e63fee171f7ed8cc986ec64f576ee80bccab
Author: Paul E. McKenney <paulmck@xxxxxxxxxx>
Date: Sun Jun 28 09:00:01 2026 -0700
rcu: Mark __rcu_access_pointer() as context_unsafe()
A simple comparison of a pointer returned by rcu_access_pointer() results
in a context-analysis warning for lockless inspection of the RCU-protected
(also known as __rcu-protected) pointer. This can be suppressed by
placing context_unsafe() calls around calls rcu_access_pointer(),
but this is messy and distracting. This commit therefore wraps the
underlying __rcu_access_pointer() macro with a call to context_unsafe(),
thereby informing the context-analysis code that rcu_access_pointer()
may safely be invoked outside of an RCU read-side critical section.
Reported-by: Christoph Hellwig <hch@xxxxxx>
Suggested-by: Marco Elver <elver@xxxxxxxxxx>
Signed-off-by: Paul E. McKenney <paulmck@xxxxxxxxxx>
diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
index 5e95acc33989b6..e40dc2e20c5b1f 100644
--- a/include/linux/rcupdate.h
+++ b/include/linux/rcupdate.h
@@ -490,12 +490,12 @@ context_unsafe( \
*/
#define unrcu_pointer(p) __unrcu_pointer(p, __UNIQUE_ID(rcu))
-#define __rcu_access_pointer(p, local, space) \
+#define __rcu_access_pointer(p, local, space) context_unsafe( \
({ \
typeof(*p) *local = (typeof(*p) *__force)READ_ONCE(p); \
rcu_check_sparse(p, space); \
((typeof(*p) __force __kernel *)(local)); \
-})
+}) )
#define __rcu_dereference_check(p, local, c, space) \
({ \
/* Dependency order vs. p above. */ \
I have tested the above patch with an __rcu_guarded pointer accessed
outside an RCU read-side critical section while Clang context analysis
is enabled. I can confirm that this change suppresses the context
analysis warning when the pointer is accessed via rcu_access_pointer().
With that, if you send out this change, please add:
Tested-by: Nilay Shroff <nilay@xxxxxxxxxxxxx>
Thanks,
--Nilay