[PATCH v4 06/35] cleanup: Basic compatibility with context analysis
Peter Zijlstra
peterz at infradead.org
Thu Dec 11 12:16:59 UTC 2025
On Thu, Nov 20, 2025 at 04:09:31PM +0100, Marco Elver wrote:
> Introduce basic compatibility with cleanup.h infrastructure: introduce
> DECLARE_LOCK_GUARD_*_ATTRS() helpers to add attributes to constructors
> and destructors respectively.
>
> Note: Due to the scoped cleanup helpers used for lock guards wrapping
> acquire and release around their own constructors/destructors that store
> pointers to the passed locks in a separate struct, we currently cannot
> accurately annotate *destructors* which lock was released. While it's
> possible to annotate the constructor to say which lock was acquired,
> that alone would result in false positives claiming the lock was not
> released on function return.
>
> Instead, to avoid false positives, we can claim that the constructor
> "assumes" that the taken lock is held via __assumes_ctx_guard().
What is the scope of this __assumes_ctx stuff? The way it is used in the
lock initializes seems to suggest it escapes scope. But then something
like:
scoped_guard (mutex, &foo) {
...
}
// context analysis would still assume foo held
is somewhat sub-optimal, no?
> Better support for Linux's scoped guard design could be added in
> future if deemed critical.
I would think so, per the above I don't think this is 'right'.
More information about the Linux-security-module-archive
mailing list