[PATCH v2] kcsan: Silence -Wmaybe-uninitialized when calling __kcsan_check_access()

[PATCH v2] kcsan: Silence -Wmaybe-uninitialized when calling __kcsan_check_access()

[Marco Elver]

Some subsystems enable -Wmaybe-uninitialized [1], which can trigger
false positives when KCSAN is enabled. Specifically, passing an
uninitialized variable to functions that instrument accesses (e.g.,
copy_from_user()) results in calls to __kcsan_check_access().

Because __kcsan_check_access() takes a `const volatile void *ptr`, GCC
infers that the function may only read the memory location, and thus
warns if the passed variable is uninitialized.

However, KCSAN is a dynamic analysis tool for data race detection; while
it does read the memory location to detect concurrent modifications, the
"initialized'ness" of the memory location is irrelevant for its analysis.

Use absolute_pointer() in __kcsan_check_write(), kcsan_check_write(),
and kcsan_check_atomic_write() to hide the pointer from the compiler,
preventing it from concluding that the pointer passed points to
uninitialized memory.

This fixes warnings like:

|   CC      fs/ntfs3/file.o
| In file included from include/asm-generic/rwonce.h:27,
|                  from arch/arm64/include/asm/rwonce.h:81,
|                  from include/linux/compiler.h:369,
|                  from include/linux/array_size.h:5,
|                  from include/linux/kernel.h:16,
|                  from include/linux/backing-dev.h:12,
|                  from fs/ntfs3/file.c:10:
| In function 'instrument_copy_from_user_before',
|     inlined from '_inline_copy_from_user' at include/linux/uaccess.h:184:2,
|     inlined from 'copy_from_user' at include/linux/uaccess.h:221:9,
|     inlined from 'ntfs_ioctl_fitrim' at fs/ntfs3/file.c:77:6,
|     inlined from 'ntfs_ioctl' at fs/ntfs3/file.c:164:10:
| include/linux/kcsan-checks.h:220:28: error: 'range' may be used uninitialized [-Werror=maybe-uninitialized]
|   220 | #define kcsan_check_access __kcsan_check_access
|       |                            ^
| include/linux/kcsan-checks.h:311:9: note: in expansion of macro 'kcsan_check_access'
|   311 |         kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE)
|       |         ^~~~~~~~~~~~~~~~~~
| include/linux/instrumented.h:147:9: note: in expansion of macro 'kcsan_check_write'
|   147 |         kcsan_check_write(to, n);
|       |         ^~~~~~~~~~~~~~~~~
| include/linux/kcsan-checks.h: In function 'ntfs_ioctl':
| include/linux/kcsan-checks.h:37:6: note: by argument 1 of type 'const volatile void *' to '__kcsan_check_access' declared here
|    37 | void __kcsan_check_access(const volatile void *ptr, size_t size, int type);
|       |      ^~~~~~~~~~~~~~~~~~~~
| fs/ntfs3/file.c:65:29: note: 'range' declared here
|    65 |         struct fstrim_range range;
|       |                             ^~~~~

Link: https://lore.kernel.org/all/5da10cca-875b-418d-b54e-6be3ea32c266@app.fastmail.com/ [1]
Reported-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Marco Elver <elver@google.com>
---
v2:
* Switch from __attribute__((access)) to absolute_pointer() to silence
  the warnings instead of introducing new ones.
---
 include/linux/kcsan-checks.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/linux/kcsan-checks.h b/include/linux/kcsan-checks.h
index 92f3843d9ebb..e135dacaa90f 100644
--- a/include/linux/kcsan-checks.h
+++ b/include/linux/kcsan-checks.h
@@ -282,7 +282,7 @@ static inline void __kcsan_disable_current(void) { }
  * @size: size of access
  */
 #define __kcsan_check_write(ptr, size)                                         \
-	__kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE)
+	__kcsan_check_access(absolute_pointer(ptr), size, KCSAN_ACCESS_WRITE)
 
 /**
  * __kcsan_check_read_write - check regular read-write access for races
@@ -308,7 +308,7 @@ static inline void __kcsan_disable_current(void) { }
  * @size: size of access
  */
 #define kcsan_check_write(ptr, size)                                           \
-	kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE)
+	kcsan_check_access(absolute_pointer(ptr), size, KCSAN_ACCESS_WRITE)
 
 /**
  * kcsan_check_read_write - check regular read-write access for races
@@ -331,7 +331,7 @@ static inline void __kcsan_disable_current(void) { }
 #define kcsan_check_atomic_read(ptr, size)                                     \
 	kcsan_check_access(ptr, size, KCSAN_ACCESS_ATOMIC)
 #define kcsan_check_atomic_write(ptr, size)                                    \
-	kcsan_check_access(ptr, size, KCSAN_ACCESS_ATOMIC | KCSAN_ACCESS_WRITE)
+	kcsan_check_access(absolute_pointer(ptr), size, KCSAN_ACCESS_ATOMIC | KCSAN_ACCESS_WRITE)
 #define kcsan_check_atomic_read_write(ptr, size)                               \
 	kcsan_check_access(ptr, size, KCSAN_ACCESS_ATOMIC | KCSAN_ACCESS_WRITE | KCSAN_ACCESS_COMPOUND)
 #endif
-- 
2.54.0.rc2.533.g4f5dca5207-goog

Re: [PATCH v2] kcsan: Silence -Wmaybe-uninitialized when calling __kcsan_check_access()

[Marco Elver]

On Wed, 22 Apr 2026 at 14:53, Marco Elver <elver@google.com> wrote:
>
> Some subsystems enable -Wmaybe-uninitialized [1], which can trigger
> false positives when KCSAN is enabled. Specifically, passing an
> uninitialized variable to functions that instrument accesses (e.g.,
> copy_from_user()) results in calls to __kcsan_check_access().
>
> Because __kcsan_check_access() takes a `const volatile void *ptr`, GCC
> infers that the function may only read the memory location, and thus
> warns if the passed variable is uninitialized.
>
> However, KCSAN is a dynamic analysis tool for data race detection; while
> it does read the memory location to detect concurrent modifications, the
> "initialized'ness" of the memory location is irrelevant for its analysis.
>
> Use absolute_pointer() in __kcsan_check_write(), kcsan_check_write(),
> and kcsan_check_atomic_write() to hide the pointer from the compiler,
> preventing it from concluding that the pointer passed points to
> uninitialized memory.
>
> This fixes warnings like:
>
> |   CC      fs/ntfs3/file.o
> | In file included from include/asm-generic/rwonce.h:27,
> |                  from arch/arm64/include/asm/rwonce.h:81,
> |                  from include/linux/compiler.h:369,
> |                  from include/linux/array_size.h:5,
> |                  from include/linux/kernel.h:16,
> |                  from include/linux/backing-dev.h:12,
> |                  from fs/ntfs3/file.c:10:
> | In function 'instrument_copy_from_user_before',
> |     inlined from '_inline_copy_from_user' at include/linux/uaccess.h:184:2,
> |     inlined from 'copy_from_user' at include/linux/uaccess.h:221:9,
> |     inlined from 'ntfs_ioctl_fitrim' at fs/ntfs3/file.c:77:6,
> |     inlined from 'ntfs_ioctl' at fs/ntfs3/file.c:164:10:
> | include/linux/kcsan-checks.h:220:28: error: 'range' may be used uninitialized [-Werror=maybe-uninitialized]
> |   220 | #define kcsan_check_access __kcsan_check_access
> |       |                            ^
> | include/linux/kcsan-checks.h:311:9: note: in expansion of macro 'kcsan_check_access'
> |   311 |         kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE)
> |       |         ^~~~~~~~~~~~~~~~~~
> | include/linux/instrumented.h:147:9: note: in expansion of macro 'kcsan_check_write'
> |   147 |         kcsan_check_write(to, n);
> |       |         ^~~~~~~~~~~~~~~~~
> | include/linux/kcsan-checks.h: In function 'ntfs_ioctl':
> | include/linux/kcsan-checks.h:37:6: note: by argument 1 of type 'const volatile void *' to '__kcsan_check_access' declared here
> |    37 | void __kcsan_check_access(const volatile void *ptr, size_t size, int type);
> |       |      ^~~~~~~~~~~~~~~~~~~~
> | fs/ntfs3/file.c:65:29: note: 'range' declared here
> |    65 |         struct fstrim_range range;
> |       |                             ^~~~~
>
> Link: https://lore.kernel.org/all/5da10cca-875b-418d-b54e-6be3ea32c266@app.fastmail.com/ [1]
> Reported-by: Arnd Bergmann <arnd@arndb.de>
> Signed-off-by: Marco Elver <elver@google.com>

Arnd, are you ok with this version?

I don't think there's a simpler option - the name "absolute_pointer"
might be misleading, but the underlying RELOC_HIDE is what we need
here. Could use RELOC_HIDE directly.

The attribute would have been nice, but comes with a whole set of new
problems. :-/

> ---
> v2:
> * Switch from __attribute__((access)) to absolute_pointer() to silence
>   the warnings instead of introducing new ones.
> ---
>  include/linux/kcsan-checks.h | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/include/linux/kcsan-checks.h b/include/linux/kcsan-checks.h
> index 92f3843d9ebb..e135dacaa90f 100644
> --- a/include/linux/kcsan-checks.h
> +++ b/include/linux/kcsan-checks.h
> @@ -282,7 +282,7 @@ static inline void __kcsan_disable_current(void) { }
>   * @size: size of access
>   */
>  #define __kcsan_check_write(ptr, size)                                         \
> -       __kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE)
> +       __kcsan_check_access(absolute_pointer(ptr), size, KCSAN_ACCESS_WRITE)
>
>  /**
>   * __kcsan_check_read_write - check regular read-write access for races
> @@ -308,7 +308,7 @@ static inline void __kcsan_disable_current(void) { }
>   * @size: size of access
>   */
>  #define kcsan_check_write(ptr, size)                                           \
> -       kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE)
> +       kcsan_check_access(absolute_pointer(ptr), size, KCSAN_ACCESS_WRITE)
>
>  /**
>   * kcsan_check_read_write - check regular read-write access for races
> @@ -331,7 +331,7 @@ static inline void __kcsan_disable_current(void) { }
>  #define kcsan_check_atomic_read(ptr, size)                                     \
>         kcsan_check_access(ptr, size, KCSAN_ACCESS_ATOMIC)
>  #define kcsan_check_atomic_write(ptr, size)                                    \
> -       kcsan_check_access(ptr, size, KCSAN_ACCESS_ATOMIC | KCSAN_ACCESS_WRITE)
> +       kcsan_check_access(absolute_pointer(ptr), size, KCSAN_ACCESS_ATOMIC | KCSAN_ACCESS_WRITE)
>  #define kcsan_check_atomic_read_write(ptr, size)                               \
>         kcsan_check_access(ptr, size, KCSAN_ACCESS_ATOMIC | KCSAN_ACCESS_WRITE | KCSAN_ACCESS_COMPOUND)
>  #endif
> --
> 2.54.0.rc2.533.g4f5dca5207-goog

Re: [PATCH v2] kcsan: Silence -Wmaybe-uninitialized when calling __kcsan_check_access()

[Arnd Bergmann]

On Thu, Apr 30, 2026, at 15:30, Marco Elver wrote:
> On Wed, 22 Apr 2026 at 14:53, Marco Elver <elver@google.com> wrote:

>>
>> Link: https://lore.kernel.org/all/5da10cca-875b-418d-b54e-6be3ea32c266@app.fastmail.com/ [1]
>> Reported-by: Arnd Bergmann <arnd@arndb.de>
>> Signed-off-by: Marco Elver <elver@google.com>
>
> Arnd, are you ok with this version?
>
> I don't think there's a simpler option - the name "absolute_pointer"
> might be misleading, but the underlying RELOC_HIDE is what we need
> here. Could use RELOC_HIDE directly.
>
> The attribute would have been nice, but comes with a whole set of new
> problems. :-/

Agreed, I had tried a few things but haven't been able to come up
with anything better than this or my original patch.

I've tested this version in my randconfig tree using gcc-16
and found no more regressions.

Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Tested-by: Arnd Bergmann <arnd@arndb.de>

Re: [PATCH v2] kcsan: Silence -Wmaybe-uninitialized when calling __kcsan_check_access()

[Marco Elver]

On Thu, 30 Apr 2026 at 15:35, Arnd Bergmann <arnd@arndb.de> wrote:
>
> On Thu, Apr 30, 2026, at 15:30, Marco Elver wrote:
> > On Wed, 22 Apr 2026 at 14:53, Marco Elver <elver@google.com> wrote:
>
> >>
> >> Link: https://lore.kernel.org/all/5da10cca-875b-418d-b54e-6be3ea32c266@app.fastmail.com/ [1]
> >> Reported-by: Arnd Bergmann <arnd@arndb.de>
> >> Signed-off-by: Marco Elver <elver@google.com>
> >
> > Arnd, are you ok with this version?
> >
> > I don't think there's a simpler option - the name "absolute_pointer"
> > might be misleading, but the underlying RELOC_HIDE is what we need
> > here. Could use RELOC_HIDE directly.
> >
> > The attribute would have been nice, but comes with a whole set of new
> > problems. :-/
>
> Agreed, I had tried a few things but haven't been able to come up
> with anything better than this or my original patch.
>
> I've tested this version in my randconfig tree using gcc-16
> and found no more regressions.
>
> Reviewed-by: Arnd Bergmann <arnd@arndb.de>
> Tested-by: Arnd Bergmann <arnd@arndb.de>

Thanks, I've applied it to the kcsan tree.