Re: [PATCHv2 05/17] nvme: add Clang context annotations for nvme_ns_head::current_path

From: Paul E. McKenney

Date: Mon Jun 29 2026 - 11:39:26 EST


On Mon, Jun 29, 2026 at 10:48:43AM +0200, Marco Elver wrote:
> On Mon, 29 Jun 2026 at 07:20, Nilay Shroff <nilay@xxxxxxxxxxxxx> wrote:
> >
> > On 6/28/26 9:37 PM, Paul E. McKenney wrote:
> > > On Sun, Jun 28, 2026 at 08:00:00AM +0200, Marco Elver wrote:
> > >> On Sat, 27 Jun 2026 at 19:14, Paul E. McKenney <paulmck@xxxxxxxxxx> wrote:
> > >>>
> > >>> On Sat, Jun 27, 2026 at 05:38:44PM +0200, Marco Elver wrote:
> > >>>> On Fri, 26 Jun 2026 at 20:36, Paul E. McKenney <paulmck@xxxxxxxxxx> wrote:
> > >>>>> On Fri, Jun 26, 2026 at 08:40:50AM +0200, Christoph Hellwig wrote:
> > >>>>>> On Sun, Jun 14, 2026 at 06:45:20PM +0530, Nilay Shroff wrote:
> > >>>>>>> +++ b/drivers/nvme/host/multipath.c
> > >>>>>>> @@ -231,8 +231,16 @@ bool nvme_mpath_clear_current_path(struct nvme_ns *ns)
> > >>>>>>> bool changed = false;
> > >>>>>>> int node;
> > >>>>>>>
> > >>>>>>> + /*
> > >>>>>>> + * This helper is used by namespace failover/teardown and I/O policy
> > >>>>>>> + * update paths. We only compare the head->current_path[] pointer value
> > >>>>>>> + * and do not dereference the referenced namespace, so suppress the
> > >>>>>>> + * context analysis warning for this lockless inspection of the
> > >>>>>>> + * __rcu_guarded pointer.
> > >>>>>>> + */
> > >>>>>>> for_each_node(node) {
> > >>>>>>> - if (ns == rcu_access_pointer(head->current_path[node])) {
> > >>>>>>> + if (context_unsafe(ns ==
> > >>>>>>> + rcu_access_pointer(head->current_path[node]))) {
> > >>>>>>
> > >>>>>> I think we need a helper for this, as for a simple pointer value
> > >>>>>> comparison without a dereference we don't really need either
> > >>>>>> rcu_access_pointer nor locking.
> > >>>>>>
> > >>>>>> Maybe somthing like a
> > >>>>>>
> > >>>>>> rcu_compare_pointer(rcu_pointer, nonrcu_pointer)
> > >>>>>>
> > >>>>>> ?
> > >>>>>
> > >>>>> We could provide something like this:
> > >>>>>
> > >>>>> #define rcu_compare_pointer(rcu_pointer, nonrcu_pointer) \
> > >>>>> context_unsafe(rcu_access_pointer(rcu_pointer) == (nonrcu_pointer))
> > >>>>>
> > >>>>> Or maybe rcu_pointer_equals()?
> > >>>>>
> > >>>>> Marco, thoughts?
> > >>>>
> > >>>> I see 2 options:
> > >>>>
> > >>>> 1. rcu_compare_pointer / rcu_pointer_equals as proposed. It's more
> > >>>> explicit but does add some friction during Context Analysis
> > >>>> enablement. But this only makes sense if there are cases where
> > >>>> rcu_access_pointer() should be used under the RCU reader lock, which
> > >>>> led me to the next suggestion...
> > >>>>
> > >>>> 2. Redefine rcu_access_pointer() to just not require the RCU read-side
> > >>>> lock to be held as:
> > >>>>
> > >>>>> #define rcu_access_pointer(p) context_unsafe(__rcu_access_pointer((p), __UNIQUE_ID(rcu), __rcu))
> > >>>>
> > >>>> [ Or alternatively wrap __rcu_access_pointer() in context_unsafe()
> > >>>> (similar to rcu_assign_pointer and friends). ]
> > >>>>
> > >>>> I think rcu_access_pointer() is in the same category as the other RCU
> > >>>> pointer helpers, although currently only the pointer update helpers
> > >>>> imply context_unsafe(); I think it might have been an oversight
> > >>>> initially, and we should change rcu_access_pointer() to match. There
> > >>>> should be no reason why an rcu_access_pointer() should be protected by
> > >>>> the RCU read-side critical section, since it's not meant for
> > >>>> dereferencing the pointer (that'd be a bug; its documentation also
> > >>>> says "Return the value of the specified RCU-protected pointer, but
> > >>>> omit the lockdep checks for being in an RCU read-side critical section
> > >>>> [...]").
> > >>>>
> > >>>> If you agree there should be no cases where an rcu_access_pointer()
> > >>>> should be guarded by an RCU read-side critical section, then I think
> > >>>> this is the simplest and correct design, and avoids expanding the RCU
> > >>>> API.
> > >>>
> > >>> I don't know of any uses of rcu_access_pointer() within an RCU read-side
> > >>> critical section, but code in a function that might be called both within
> > >>> and outside of a critical section might well use rcu_access_pointer().
> > >>> In other words, it should be OK to use rcu_access_pointer() within an
> > >>> RCU read-side critical section as well as outside of one.
> > >>
> > >> Thanks, yes, that's what I wanted to confirm; i.e. it's ok to use
> > >> rcu_access_pointer() within and outside an RCU read-side critical
> > >> section.
> > >>
> > >> In which case, my proposal (2) to make rcu_access_pointer() not warn
> > >> on accessing __rcu_guarded pointers outside an RCU read-side critical
> > >> section should be the simpler and more generic change (vs. adding a
> > >> new rcu_pointer_equals() helper).
> > >
> > > As shown below?
> > >
> > > My guess is that this change makes it unnecessary to have a separate
> > > RCU-protected-pointer comparison macro, but please let me know if I am
> > > missing something.
> > >
> > > Thanx, Paul
> > >
> > > ------------------------------------------------------------------------
> > >
> > > commit 32c1e63fee171f7ed8cc986ec64f576ee80bccab
> > > Author: Paul E. McKenney <paulmck@xxxxxxxxxx>
> > > Date: Sun Jun 28 09:00:01 2026 -0700
> > >
> > > rcu: Mark __rcu_access_pointer() as context_unsafe()
> > >
> > > A simple comparison of a pointer returned by rcu_access_pointer() results
> > > in a context-analysis warning for lockless inspection of the RCU-protected
> > > (also known as __rcu-protected) pointer. This can be suppressed by
> > > placing context_unsafe() calls around calls rcu_access_pointer(),
> > > but this is messy and distracting. This commit therefore wraps the
> > > underlying __rcu_access_pointer() macro with a call to context_unsafe(),
> > > thereby informing the context-analysis code that rcu_access_pointer()
> > > may safely be invoked outside of an RCU read-side critical section.
> > >
> > > Reported-by: Christoph Hellwig <hch@xxxxxx>
> > > Suggested-by: Marco Elver <elver@xxxxxxxxxx>
> > > Signed-off-by: Paul E. McKenney <paulmck@xxxxxxxxxx>
> > >
> > > diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
> > > index 5e95acc33989b6..e40dc2e20c5b1f 100644
> > > --- a/include/linux/rcupdate.h
> > > +++ b/include/linux/rcupdate.h
> > > @@ -490,12 +490,12 @@ context_unsafe( \
> > > */
> > > #define unrcu_pointer(p) __unrcu_pointer(p, __UNIQUE_ID(rcu))
> > >
> > > -#define __rcu_access_pointer(p, local, space) \
> > > +#define __rcu_access_pointer(p, local, space) context_unsafe( \
> > > ({ \
> > > typeof(*p) *local = (typeof(*p) *__force)READ_ONCE(p); \
> > > rcu_check_sparse(p, space); \
> > > ((typeof(*p) __force __kernel *)(local)); \
> > > -})
> > > +}) )
> > > #define __rcu_dereference_check(p, local, c, space) \
> > > ({ \
> > > /* Dependency order vs. p above. */ \
> >
> > I have tested the above patch with an __rcu_guarded pointer accessed
> > outside an RCU read-side critical section while Clang context analysis
> > is enabled. I can confirm that this change suppresses the context
> > analysis warning when the pointer is accessed via rcu_access_pointer().
> >
> > With that, if you send out this change, please add:
> >
> > Tested-by: Nilay Shroff <nilay@xxxxxxxxxxxxx>
>
> Thanks for double-checking.
>
> Reviewed-by: Marco Elver <elver@xxxxxxxxxx>

Thank you all!

By default, I will push this into the upcoming v7.3 merge window. If you
need it earlier, we would have to make a case for this being a regression.
Which I could probably do, but first, is v7.3 too late for you?

Thanx, Paul