Re: [PATCH] blkdev: Annotate struct request_queue with __counted_by_ptr

Next message: Michael Walle: "Re: [RFC PATCH v2 08/12] spi: cadence-quadspi: read 'has-dqs' DT property"
Previous message: Manivannan Sadhasivam: "Re: [PATCH v9 03/11] dmaengine: qcom: bam_dma: implement support for BAM locking"
In reply to: Bill Wendling: "[PATCH] blkdev: Annotate struct request_queue with __counted_by_ptr"
Next in thread: Bill Wendling: "Re: [PATCH] blkdev: Annotate struct request_queue with __counted_by_ptr"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Daniel Wagner

Date: Thu Feb 19 2026 - 07:14:21 EST

On Thu, Feb 19, 2026 at 12:49:35AM +0000, Bill Wendling wrote:
> The queue_hw_ctx field in struct request_queue is an array of pointers to
> struct blk_mq_hw_ctx. The number of elements in this array is tracked by
> the nr_hw_queues field.
>
> The array is allocated in __blk_mq_realloc_hw_ctxs() using kcalloc_node()
> with set->nr_hw_queues elements. q->nr_hw_queues is subsequently updated
> to set->nr_hw_queues.
>
> When growing the array, the new array is assigned to queue_hw_ctx before
> nr_hw_queues is updated. This is safe because nr_hw_queues (the old
> smaller count) is used for bounds checking, which is within the new
> larger allocation.
>
> When shrinking the array, nr_hw_queues is updated to the smaller value,
> while queue_hw_ctx retains the larger allocation. This is also safe as
> the count is within the allocation bounds.
>
> Annotating queue_hw_ctx with __counted_by_ptr(nr_hw_queues) allows the
> compiler (with kSAN) to verify that accesses to queue_hw_ctx are within
> the valid range defined by nr_hw_queues.
>
> This patch was generated by Gemini and reviewed by Bill Wendling.
> Tested with bootup and running selftests.

There are some tests in blktests nvme/* which do change the number of
queues during runtime. Not sure if selftests have anything which is
related to this code path.