Re: [PATCHv2 14/17] nvme: fix Clang context analysis warning in rdma.c

From: Marco Elver

Date: Tue Jun 30 2026 - 06:40:27 EST


On Tue, Jun 30, 2026 at 03:05PM +0530, Nilay Shroff wrote:
> On 6/30/26 4:17 AM, Marco Elver wrote:
> > On Mon, 29 Jun 2026 at 14:50, Christoph Hellwig <hch@xxxxxx> wrote:
> > >
> > > On Fri, Jun 26, 2026 at 09:01:20PM +0530, Nilay Shroff wrote:
> > > > > Does switching to list_empty_careful fix this? If not, does
> > > > > list_empty_careful need annotations to make this work?
> > > > >
> > > >
> > > > I tried using list_empty_careful() but clang still throws the
> > > > same warning. And yes, it needs the same annotation to suppress
> > > > the warning.
> > >
> > > Sounds like we should have annotations (or just use of data_race)
> > > in list_empty_careful, as it is designed to be used without holding
> > > the relevant lock used for modifications?
> >
> > Given list_empty_careful() is a real inline function (not a macro),
> > you can just add __no_context_analysis to list_empty_careful(), which
> > should also suppress warnings about pointer-to-guarded-variable being
> > passed as an argument into it. data_race() wouldn't work, as the
> > warning is generated in the caller, but when the attribute is added to
> > the callee, it also suppresses warnings about arguments in the caller.
>
> That sounds reasonable. So you're suggesting adding __no_context_analysis
> to list_empty_careful(). If we agree that's the right approach, I think
> it would make sense as a separate infrastructure patch rather than embedding
> it in an NVMe-specific change. So are you planning to send such a patch?

See patch below; to avoid more dependency issues for you, I suggest you
pick it up and carry it as part of this series unless someone else wants
it before for other reasons.

Only lightly tested, please test.

------ >8 ------

From: Marco Elver <elver@xxxxxxxxxx>
Date: Tue, 30 Jun 2026 12:01:26 +0200
Subject: [PATCH] list: Permit context-unguarded access with
list_empty_careful()

With Context Analysis (viz. Clang's Thread Safety Analysis), list_heads
that are __guarded_by(..) require holding the appropriate context lock
when accessing and manipulating them via the list API. Because Clang's
warning diagnostics do not perform inter-procedural analysis, this is
enforced by Clang with -Wthread-safety-pointer in the caller at the call
boundary; a warning is produced when passing a pointer to a guarded
variable without holding the appropriate context locks:

warning: passing pointer to variable 'list' requires holding [...] [-Wthread-safety-pointer]
if (list_empty(&ctrl->list))

An exception is list_empty_careful(), which is like list_empty(), except
that it is permitted to use without holding any context lock (carefully).

Mark list_empty_careful() __context_unsafe, which disables context
analysis within list_empty_careful(), but also suppresses warnings
generated in callers related to its pointer arguments.

Signed-off-by: Marco Elver <elver@xxxxxxxxxx>
---
include/linux/list.h | 1 +
1 file changed, 1 insertion(+)

diff --git a/include/linux/list.h b/include/linux/list.h
index 09d979976b3b..ba3c255f6112 100644
--- a/include/linux/list.h
+++ b/include/linux/list.h
@@ -436,6 +436,7 @@ static inline void list_del_init_careful(struct list_head *entry)
* if another CPU could re-list_add() it.
*/
static inline int list_empty_careful(const struct list_head *head)
+ __context_unsafe(/* intentional lockless access to @head */)
{
struct list_head *next = smp_load_acquire(&head->next);
return list_is_head(next, head) && (next == READ_ONCE(head->prev));
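
Review bot: The kernel-doc above list_empty_careful() is not updated to mention the new __context_unsafe() annotation on the line after the signature, so the exemption from context analysis is only visible in the attribute's inline comment. Since the attribute also suppresses -Wthread-safety-pointer in every caller, a caller passing a __guarded_by list_head gets no diagnostic even when it does not meet the conditions the existing comment sets out (the visible tail warns about another CPU doing a re-list_add()). Consider adding a sentence to the kernel-doc saying that the function is deliberately excluded from context analysis and that callers remain responsible for those conditions. It may also help to note in the commit message why the attribute differs from the __no_context_analysis suggested earlier in the thread.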
--
2.55.0.rc2.803.g1fd1e6609c-goog