Re: kcsan -Wmaybe-uninitialized warning in ntfs3

[Marco Elver]

On Tue, 21 Apr 2026 at 16:11, Arnd Bergmann <arnd@xxxxxxxx> wrote:
>
> On Tue, Apr 21, 2026, at 15:18, Marco Elver wrote:
> > On Tue, Apr 21, 2026 at 02:28PM +0200, Arnd Bergmann wrote:
> >
> > There appear to be 2 options to fix, see patch below:
> >
> > 1. __kcsan_nodiag wrapper to disable warnings for the kcsan_check
> >    helpers. Tested and seems to work in this case.
> >
> > 2. __attribute__((access(none, 1))) per
> > https://gcc.gnu.org/onlinedocs/gcc/Common-Attributes.html:
> >    "The access attribute enables the detection of invalid or unsafe
> >    accesses by functions or their callers, as well as write-only
> >    accesses to objects that are never read from. Such accesses may be
> >    diagnosed by warnings such as -Wstringop-overflow, -Wuninitialized,
> >    -Wunused, and others."
> >
> > Option #2 seems a lot simpler. While KCSAN does read the accessed
> > memory, for the purpose of diagnostics hiding this fact from the
> > compiler is perfectly fine as it's not part of "normal" kernel code.
> >
> > Preferences?
>
> To me, 2 makes more sense. The attribute requires gcc-11 or higher,
> so you need to wrap that in a compiler version specific macro,
> but since I only saw the warning with gcc-12 and higher, that
> should be fine.
>
> I assume that gcc would be allowed to reorder code like
>
>      int i = 1;
>      __kcsan_check_write(&i, sizeof(i));
>
> to defer the initialization until after the check with
> the attribute((access(none, 1))) annotation. Is that a
> problem for kcsan?

No - kcsan is just looking for races, and in this case there'd
trivially be no race if the stack var couldn't escape (the compiler
instrumentation eliminates such stack accesses).

> Looking through your change I also see
>
> > diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c
> > index b041639ab406..088412189f16 100644
> > --- a/fs/ntfs3/file.c
> > +++ b/fs/ntfs3/file.c
> > @@ -73,6 +73,7 @@ static int ntfs_ioctl_fitrim(struct ntfs_sb_info
> > *sbi, unsigned long arg)
> >       if (!bdev_max_discard_sectors(dev))
> >               return -EOPNOTSUPP;
> >
> > +     kcsan_check_write(&range, sizeof(range));
> >       user_range = (struct fstrim_range __user *)arg;
>
> This was probably not meant to be there.

Yes, just for testing something else.

> > @@ -273,7 +283,7 @@ static inline void __kcsan_disable_current(void) { }
> >   * @ptr: address of access
> >   * @size: size of access
> >   */
> > -#define __kcsan_check_read(ptr, size) __kcsan_check_access(ptr, size,
> > 0)
> > +#define __kcsan_check_read(ptr, size)
> > __kcsan_nodiag(__kcsan_check_access(ptr, size, 0))
>
> I don't think we need to do anything about the read and read_write
> code paths: if the compiler can see that the data passed here
> is uninitialized, warning about this is better than not warning.
>
> The problem I see was specifically for __kcsan_check_write()
> with an uninitialized pointer
>
> > @@ -282,7 +292,7 @@ static inline void __kcsan_disable_current(void) { }
> >   * @size: size of access
> >   */
> >  #define __kcsan_check_write(ptr, size)
> >         \
> > -     __kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE)
> > +     __kcsan_nodiag(__kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE))
>
> So if we end up using __diag_ignore(), it should be sufficient to
> add it here directly, instead of another indirection.

I merged the 2 experiments, but you get the idea.

I think I'll drop the __kcsan_nodiag stuff and just add the access
attribute - but that would go on the __kcsan_check_access function, so
it'd apply to any kind of access (read or write). The GCC docs promise
that the 'access' attribute is only for diagnostics, and should not
affect codegen.