Re: [PATCHv2 05/17] nvme: add Clang context annotations for nvme_ns_head::current_path

[Marco Elver]

On Mon, 29 Jun 2026 at 07:20, Nilay Shroff <nilay@xxxxxxxxxxxxx> wrote:
>
> On 6/28/26 9:37 PM, Paul E. McKenney wrote:
> > On Sun, Jun 28, 2026 at 08:00:00AM +0200, Marco Elver wrote:
> >> On Sat, 27 Jun 2026 at 19:14, Paul E. McKenney <paulmck@xxxxxxxxxx> wrote:
> >>>
> >>> On Sat, Jun 27, 2026 at 05:38:44PM +0200, Marco Elver wrote:
> >>>> On Fri, 26 Jun 2026 at 20:36, Paul E. McKenney <paulmck@xxxxxxxxxx> wrote:
> >>>>> On Fri, Jun 26, 2026 at 08:40:50AM +0200, Christoph Hellwig wrote:
> >>>>>> On Sun, Jun 14, 2026 at 06:45:20PM +0530, Nilay Shroff wrote:
> >>>>>>> +++ b/drivers/nvme/host/multipath.c
> >>>>>>> @@ -231,8 +231,16 @@ bool nvme_mpath_clear_current_path(struct nvme_ns *ns)
> >>>>>>>      bool changed = false;
> >>>>>>>      int node;
> >>>>>>>
> >>>>>>> +   /*
> >>>>>>> +    * This helper is used by namespace failover/teardown and I/O policy
> >>>>>>> +    * update paths. We only compare the head->current_path[] pointer value
> >>>>>>> +    * and do not dereference the referenced namespace, so suppress the
> >>>>>>> +    * context analysis warning for this lockless inspection of the
> >>>>>>> +    * __rcu_guarded pointer.
> >>>>>>> +    */
> >>>>>>>      for_each_node(node) {
> >>>>>>> -           if (ns == rcu_access_pointer(head->current_path[node])) {
> >>>>>>> +           if (context_unsafe(ns ==
> >>>>>>> +                           rcu_access_pointer(head->current_path[node]))) {
> >>>>>>
> >>>>>> I think we need a helper for this, as for a simple pointer value
> >>>>>> comparison without a dereference we don't really need either
> >>>>>> rcu_access_pointer nor locking.
> >>>>>>
> >>>>>> Maybe somthing like a
> >>>>>>
> >>>>>>        rcu_compare_pointer(rcu_pointer, nonrcu_pointer)
> >>>>>>
> >>>>>> ?
> >>>>>
> >>>>> We could provide something like this:
> >>>>>
> >>>>> #define rcu_compare_pointer(rcu_pointer, nonrcu_pointer) \
> >>>>>          context_unsafe(rcu_access_pointer(rcu_pointer) == (nonrcu_pointer))
> >>>>>
> >>>>> Or maybe rcu_pointer_equals()?
> >>>>>
> >>>>> Marco, thoughts?
> >>>>
> >>>> I see 2 options:
> >>>>
> >>>> 1. rcu_compare_pointer / rcu_pointer_equals as proposed. It's more
> >>>> explicit but does add some friction during Context Analysis
> >>>> enablement. But this only makes sense if there are cases where
> >>>> rcu_access_pointer() should be used under the RCU reader lock, which
> >>>> led me to the next suggestion...
> >>>>
> >>>> 2. Redefine rcu_access_pointer() to just not require the RCU read-side
> >>>> lock to be held as:
> >>>>
> >>>>> #define rcu_access_pointer(p) context_unsafe(__rcu_access_pointer((p), __UNIQUE_ID(rcu), __rcu))
> >>>>
> >>>> [ Or alternatively wrap __rcu_access_pointer() in context_unsafe()
> >>>>    (similar to rcu_assign_pointer and friends). ]
> >>>>
> >>>> I think rcu_access_pointer() is in the same category as the other RCU
> >>>> pointer helpers, although currently only the pointer update helpers
> >>>> imply context_unsafe(); I think it might have been an oversight
> >>>> initially, and we should change rcu_access_pointer() to match. There
> >>>> should be no reason why an rcu_access_pointer() should be protected by
> >>>> the RCU read-side critical section, since it's not meant for
> >>>> dereferencing the pointer (that'd be a bug; its documentation also
> >>>> says "Return the value of the specified RCU-protected pointer, but
> >>>> omit the lockdep checks for being in an RCU read-side critical section
> >>>> [...]").
> >>>>
> >>>> If you agree there should be no cases where an rcu_access_pointer()
> >>>> should be guarded by an RCU read-side critical section, then I think
> >>>> this is the simplest and correct design, and avoids expanding the RCU
> >>>> API.
> >>>
> >>> I don't know of any uses of rcu_access_pointer() within an RCU read-side
> >>> critical section, but code in a function that might be called both within
> >>> and outside of a critical section might well use rcu_access_pointer().
> >>> In other words, it should be OK to use rcu_access_pointer() within an
> >>> RCU read-side critical section as well as outside of one.
> >>
> >> Thanks, yes, that's what I wanted to confirm; i.e. it's ok to use
> >> rcu_access_pointer() within and outside an RCU read-side critical
> >> section.
> >>
> >> In which case, my proposal (2) to make rcu_access_pointer() not warn
> >> on accessing __rcu_guarded pointers outside an RCU read-side critical
> >> section should be the simpler and more generic change (vs. adding a
> >> new rcu_pointer_equals() helper).
> >
> > As shown below?
> >
> > My guess is that this change makes it unnecessary to have a separate
> > RCU-protected-pointer comparison macro, but please let me know if I am
> > missing something.
> >
> >                                                       Thanx, Paul
> >
> > ------------------------------------------------------------------------
> >
> > commit 32c1e63fee171f7ed8cc986ec64f576ee80bccab
> > Author: Paul E. McKenney <paulmck@xxxxxxxxxx>
> > Date:   Sun Jun 28 09:00:01 2026 -0700
> >
> >      rcu: Mark __rcu_access_pointer() as context_unsafe()
> >
> >      A simple comparison of a pointer returned by rcu_access_pointer() results
> >      in a context-analysis warning for lockless inspection of the RCU-protected
> >      (also known as __rcu-protected) pointer.  This can be suppressed by
> >      placing context_unsafe() calls around calls rcu_access_pointer(),
> >      but this is messy and distracting.  This commit therefore wraps the
> >      underlying __rcu_access_pointer() macro with a call to context_unsafe(),
> >      thereby informing the context-analysis code that rcu_access_pointer()
> >      may safely be invoked outside of an RCU read-side critical section.
> >
> >      Reported-by: Christoph Hellwig <hch@xxxxxx>
> >      Suggested-by: Marco Elver <elver@xxxxxxxxxx>
> >      Signed-off-by: Paul E. McKenney <paulmck@xxxxxxxxxx>
> >
> > diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
> > index 5e95acc33989b6..e40dc2e20c5b1f 100644
> > --- a/include/linux/rcupdate.h
> > +++ b/include/linux/rcupdate.h
> > @@ -490,12 +490,12 @@ context_unsafe(                                                         \
> >    */
> >   #define unrcu_pointer(p) __unrcu_pointer(p, __UNIQUE_ID(rcu))
> >
> > -#define __rcu_access_pointer(p, local, space) \
> > +#define __rcu_access_pointer(p, local, space) context_unsafe( \
> >   ({ \
> >       typeof(*p) *local = (typeof(*p) *__force)READ_ONCE(p); \
> >       rcu_check_sparse(p, space); \
> >       ((typeof(*p) __force __kernel *)(local)); \
> > -})
> > +}) )
> >   #define __rcu_dereference_check(p, local, c, space) \
> >   ({ \
> >       /* Dependency order vs. p above. */ \
>
> I have tested the above patch with an __rcu_guarded pointer accessed
> outside an RCU read-side critical section while Clang context analysis
> is enabled. I can confirm that this change suppresses the context
> analysis warning when the pointer is accessed via rcu_access_pointer().
>
> With that, if you send out this change, please add:
>
> Tested-by: Nilay Shroff <nilay@xxxxxxxxxxxxx>

Thanks for double-checking.

Reviewed-by: Marco Elver <elver@xxxxxxxxxx>