Re: [PATCH] blkdev: Annotate struct request_queue with __counted_by_ptr
From: Bill Wendling
Date: Thu Feb 19 2026 - 12:02:43 EST
On Thu, Feb 19, 2026 at 4:14 AM Daniel Wagner <dwagner@xxxxxxx> wrote:
>
> On Thu, Feb 19, 2026 at 12:49:35AM +0000, Bill Wendling wrote:
> > The queue_hw_ctx field in struct request_queue is an array of pointers to
> > struct blk_mq_hw_ctx. The number of elements in this array is tracked by
> > the nr_hw_queues field.
> >
> > The array is allocated in __blk_mq_realloc_hw_ctxs() using kcalloc_node()
> > with set->nr_hw_queues elements. q->nr_hw_queues is subsequently updated
> > to set->nr_hw_queues.
> >
> > When growing the array, the new array is assigned to queue_hw_ctx before
> > nr_hw_queues is updated. This is safe because nr_hw_queues (the old
> > smaller count) is used for bounds checking, which is within the new
> > larger allocation.
> >
> > When shrinking the array, nr_hw_queues is updated to the smaller value,
> > while queue_hw_ctx retains the larger allocation. This is also safe as
> > the count is within the allocation bounds.
> >
> > Annotating queue_hw_ctx with __counted_by_ptr(nr_hw_queues) allows the
> > compiler (with kSAN) to verify that accesses to queue_hw_ctx are within
> > the valid range defined by nr_hw_queues.
> >
> > This patch was generated by Gemini and reviewed by Bill Wendling.
> > Tested with bootup and running selftests.
>
> There are some tests in blktests nvme/* which do change the number of
> queues during runtime. Not sure if selftests have anything which is
> related to this code path.
>
It's normally fine to change the queue count just as long as either
(1) the pointer to the queues is also reallocated, or (2) the count
never goes over the original allocated value. (The second one is more
difficult to check, of course.) The bounds safety features that Apple
developed, and which are slowly being sent upstream, enforce (1).
I'll run the other tests, but I'm not familiar with the blktests (I
downloaded them but haven't looked too deeply into them). Do you have
some pointers on how to run them with a newly built kernel?
-bw
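
A userspace model of the update ordering described in the quoted commit message, added here as an example; it is not code from the patch or from the kernel. The names `model_queue`, `model_resize`, `model_get`, `invariant_ok` and the `cap` field are assumptions made for illustration, and the within-allocation regrow branch corresponds to case (2) in the reply.

```c
#include <stdlib.h>
#include <string.h>
/* Userspace model, constructed for illustration: ctx stands in for
 * queue_hw_ctx, nr for nr_hw_queues; cap is model-only bookkeeping. */
struct model_queue {
    void **ctx;        /* array of element pointers */
    unsigned int nr;   /* count that bounds checks use */
    unsigned int cap;  /* elements actually allocated */
};

/* The property argued for: the count never exceeds the allocation. */
static int invariant_ok(const struct model_queue *q) {
    return q->nr <= q->cap && (q->cap == 0 || q->ctx != NULL);
}

/* Bounds-checked read against nr. */
static void *model_get(const struct model_queue *q, unsigned int i) {
    return i < q->nr ? q->ctx[i] : NULL;
}

/* count_first=0: order from the commit message; 1: reversed, for contrast.
 * Returns 0, -1 on allocation failure, -2 if the invariant ever broke. */
static int model_resize(struct model_queue *q, unsigned int new_nr, int count_first) {
    int broke = 0;
    if (new_nr > q->cap) {                 /* array must grow */
        void **n = calloc(new_nr, sizeof(*n));
        if (!n) return -1;
        if (q->nr) memcpy(n, q->ctx, q->nr * sizeof(*n));
        if (count_first) {
            q->nr = new_nr;                /* count ahead of pointer */
            broke |= !invariant_ok(q);     /* nr > cap at this point */
        }
        free(q->ctx);
        q->ctx = n;                        /* pointer first ... */
        q->cap = new_nr;
        broke |= !invariant_ok(q);         /* old nr fits the new array */
    } else if (new_nr > q->nr) {           /* regrow inside the allocation */
        memset(q->ctx + q->nr, 0, (new_nr - q->nr) * sizeof(*q->ctx));
    }
    q->nr = new_nr;                        /* ... count last */
    broke |= !invariant_ok(q);
    return broke ? -2 : 0;
}

int main(void) {
    struct model_queue q = {0};
    int rc = model_resize(&q, 4, 0) || model_resize(&q, 2, 0) || model_get(&q, 2);
    free(q.ctx);
    return rc;
}
```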