From: Marco Elver <elver@google.com>
To: elver@google.com, Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Will Deacon <will@kernel.org>, Boqun Feng <boqun.feng@gmail.com>,
Waiman Long <longman@redhat.com>, Christoph Hellwig <hch@lst.de>,
Steven Rostedt <rostedt@goodmis.org>,
Bart Van Assche <bvanassche@acm.org>,
kasan-dev@googlegroups.com, llvm@lists.linux.dev,
linux-crypto@vger.kernel.org, linux-doc@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH tip/locking/core 0/6] compiler-context-analysis: Scoped init guards
Date: Mon, 19 Jan 2026 10:05:50 +0100 [thread overview]
Message-ID: <20260119094029.1344361-1-elver@google.com> (raw)
Current context analysis treats lock_init() as implicitly "holding" the
lock to allow initializing guarded members. This causes false-positive
"double lock" reports if the lock is acquired immediately after
initialization in the same scope; for example:
mutex_init(&d->mtx);
/* ... counter is guarded by mtx ... */
d->counter = 0; /* ok, but mtx is now "held" */
...
mutex_lock(&d->mtx); /* warning: acquiring mutex already held */
This series proposes a solution to this by introducing scoped init
guards which Peter suggested, using the guard(type_init)(&lock) or
scoped_guard(type_init, ..) interface. This explicitly marks init scope
where we can initialize guarded members. With that we can revert the
"implicitly hold" after init annotations, which allows use after
initialization scope as follows:
scoped_guard(mutex_init, &d->mtx) {
d->counter = 0;
}
...
mutex_lock(&d->mtx); /* ok */
Note: Scoped guarded initialization remains optional, and normal
initialization can still be used if no guarded members are being
initialized. Another alternative is to just disable context analysis to
initialize guarded members with `context_unsafe(var = init)` or adding
the `__context_unsafe(init)` function attribute (the latter not being
recommended for non-trivial functions due to lack of any checking):
mutex_init(&d->mtx);
context_unsafe(d->counter = 0); /* ok */
...
mutex_lock(&d->mtx);
This series is an alternative to the approach in [1]:
* Scoped init guards (this series): Sound interface, requires use of
guard(type_init)(&lock) or scoped_guard(type_init, ..) for guarded
member initialization.
* Reentrant init [1]: Less intrusive, type_init() just works, and
also allows guarded member initialization with later lock use in
the same function. But unsound, and e.g. misses double-lock bugs
immediately after init, trading false positives for false negatives.
[1] https://lore.kernel.org/all/20260115005231.1211866-1-elver@google.com/
Marco Elver (6):
cleanup: Make __DEFINE_LOCK_GUARD handle commas in initializers
compiler-context-analysis: Introduce scoped init guards
kcov: Use scoped init guard
crypto: Use scoped init guard
tomoyo: Use scoped init guard
compiler-context-analysis: Remove __assume_ctx_lock from initializers
Documentation/dev-tools/context-analysis.rst | 30 ++++++++++++++++++--
crypto/crypto_engine.c | 2 +-
crypto/drbg.c | 2 +-
include/linux/cleanup.h | 8 +++---
include/linux/compiler-context-analysis.h | 9 ++----
include/linux/local_lock.h | 8 ++++++
include/linux/local_lock_internal.h | 4 +--
include/linux/mutex.h | 4 ++-
include/linux/rwlock.h | 3 +-
include/linux/rwlock_rt.h | 1 -
include/linux/rwsem.h | 6 ++--
include/linux/seqlock.h | 6 +++-
include/linux/spinlock.h | 17 ++++++++---
include/linux/spinlock_rt.h | 1 -
include/linux/ww_mutex.h | 1 -
kernel/kcov.c | 2 +-
lib/test_context-analysis.c | 22 ++++++--------
security/tomoyo/common.c | 2 +-
18 files changed, 80 insertions(+), 48 deletions(-)
--
2.52.0.457.g6b5491de43-goog
next reply other threads:[~2026-01-19 9:40 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-19 9:05 Marco Elver [this message]
2026-01-19 9:05 ` [PATCH tip/locking/core 1/6] cleanup: Make __DEFINE_LOCK_GUARD handle commas in initializers Marco Elver
2026-01-19 9:05 ` [PATCH tip/locking/core 2/6] compiler-context-analysis: Introduce scoped init guards Marco Elver
2026-01-19 9:05 ` [PATCH tip/locking/core 3/6] kcov: Use scoped init guard Marco Elver
2026-01-19 9:05 ` [PATCH tip/locking/core 4/6] crypto: " Marco Elver
2026-01-19 9:05 ` [PATCH tip/locking/core 5/6] tomoyo: " Marco Elver
2026-01-19 9:05 ` [PATCH tip/locking/core 6/6] compiler-context-analysis: Remove __assume_ctx_lock from initializers Marco Elver
2026-01-20 7:24 ` [PATCH tip/locking/core 0/6] compiler-context-analysis: Scoped init guards Christoph Hellwig
2026-01-20 10:52 ` Peter Zijlstra
2026-01-22 6:30 ` Christoph Hellwig
2026-01-23 8:44 ` Peter Zijlstra
2026-01-20 18:24 ` Bart Van Assche
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260119094029.1344361-1-elver@google.com \
--to=elver@google.com \
--cc=boqun.feng@gmail.com \
--cc=bvanassche@acm.org \
--cc=hch@lst.de \
--cc=kasan-dev@googlegroups.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=longman@redhat.com \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox