Re: kcsan -Wmaybe-uninitialized warning in ntfs3

[Arnd Bergmann]

On Tue, Apr 21, 2026, at 15:18, Marco Elver wrote:
> On Tue, Apr 21, 2026 at 02:28PM +0200, Arnd Bergmann wrote:
>
> There appear to be 2 options to fix, see patch below:
>
> 1. __kcsan_nodiag wrapper to disable warnings for the kcsan_check
>    helpers. Tested and seems to work in this case.
>
> 2. __attribute__((access(none, 1))) per 
> https://gcc.gnu.org/onlinedocs/gcc/Common-Attributes.html:
>    "The access attribute enables the detection of invalid or unsafe
>    accesses by functions or their callers, as well as write-only
>    accesses to objects that are never read from. Such accesses may be
>    diagnosed by warnings such as -Wstringop-overflow, -Wuninitialized,
>    -Wunused, and others."
>
> Option #2 seems a lot simpler. While KCSAN does read the accessed
> memory, for the purpose of diagnostics hiding this fact from the
> compiler is perfectly fine as it's not part of "normal" kernel code.
>
> Preferences?

To me, 2 makes more sense. The attribute requires gcc-11 or higher,
so you need to wrap that in a compiler version specific macro,
but since I only saw the warning with gcc-12 and higher, that
should be fine.

I assume that gcc would be allowed to reorder code like

     int i = 1;
     __kcsan_check_write(&i, sizeof(i));

to defer the initialization until after the check with
the attribute((access(none, 1))) annotation. Is that a
problem for kcsan?

Looking through your change I also see

> diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c
> index b041639ab406..088412189f16 100644
> --- a/fs/ntfs3/file.c
> +++ b/fs/ntfs3/file.c
> @@ -73,6 +73,7 @@ static int ntfs_ioctl_fitrim(struct ntfs_sb_info 
> *sbi, unsigned long arg)
>  	if (!bdev_max_discard_sectors(dev))
>  		return -EOPNOTSUPP;
> 
> +	kcsan_check_write(&range, sizeof(range));
>  	user_range = (struct fstrim_range __user *)arg;

This was probably not meant to be there.

> @@ -273,7 +283,7 @@ static inline void __kcsan_disable_current(void) { }
>   * @ptr: address of access
>   * @size: size of access
>   */
> -#define __kcsan_check_read(ptr, size) __kcsan_check_access(ptr, size, 
> 0)
> +#define __kcsan_check_read(ptr, size) 
> __kcsan_nodiag(__kcsan_check_access(ptr, size, 0))

I don't think we need to do anything about the read and read_write
code paths: if the compiler can see that the data passed here
is uninitialized, warning about this is better than not warning.
 
The problem I see was specifically for __kcsan_check_write()
with an uninitialized pointer

> @@ -282,7 +292,7 @@ static inline void __kcsan_disable_current(void) { }
>   * @size: size of access
>   */
>  #define __kcsan_check_write(ptr, size)                                 
>         \
> -	__kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE)
> +	__kcsan_nodiag(__kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE))

So if we end up using __diag_ignore(), it should be sufficient to
add it here directly, instead of another indirection.

      Arnd