From: Prabhakar
To: Ulf Hansson, Kees Cook, "Gustavo A. R. Silva", Wolfram Sang, Geert Uytterhoeven
Cc: linux-mmc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-renesas-soc@vger.kernel.org, Prabhakar, Biju Das, Fabrizio Castro, Lad Prabhakar
Subject: [PATCH] mmc: mmc_test: Fix __counted_by handling after kzalloc_flex() conversion
Date: Wed, 13 May 2026 21:13:15 +0100
Message-ID: <20260513201315.3186621-1-prabhakar.mahadev-lad.rj@bp.renesas.com>
Content-Transfer-Encoding: quoted-printable

From: Lad Prabhakar

Fix logic issues introduced by the kzalloc_flex() conversion in mmc_test_alloc_mem() due to interaction with the __counted_by annotation on the flexible array.

Bounds-checking sanitizers rely on the counter field reflecting the allocated array size before any array access occurs. However, use mem->cnt both as the allocation size and as the runtime insertion index, causing incorrect indexing and potentially invalid bounds tracking.

Initialize mem->cnt to the maximum allocated number of segments immediately after kzalloc_flex(), then use a separate local index variable to track successfully allocated entries. Update mem->cnt to the actual number of initialized elements before returning or entering the cleanup path.

Also rewrite mmc_test_free_mem() to use a forward for-loop, improving readability and ensuring only initialized entries are freed.

Fixes: c3126dccfd7b ("mmc: mmc_test: use kzalloc_flex")
Signed-off-by: Lad Prabhakar
Reviewed-by: Geert Uytterhoeven
---
 drivers/mmc/core/mmc_test.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/drivers/mmc/core/mmc_test.c b/drivers/mmc/core/mmc_test.c index ab38e4c45a8d..e0e1b5df76dc 100644 --- a/drivers/mmc/core/mmc_test.c +++ b/drivers/mmc/core/mmc_test.c @@ -316,11 +316,13 @@ static int mmc_test_buffer_transfer(struct mmc_test_c= ard *test, =20 static void mmc_test_free_mem(struct mmc_test_mem *mem) { + unsigned int idx; + if (!mem) return; - while (mem->cnt--) - __free_pages(mem->arr[mem->cnt].page, - mem->arr[mem->cnt].order); + for (idx =3D 0; idx < mem->cnt; idx++) + __free_pages(mem->arr[idx].page, + mem->arr[idx].order); kfree(mem); } =20 @@ -341,6 +343,7 @@ static struct mmc_test_mem *mmc_test_alloc_mem(unsigned= long min_sz, unsigned long page_cnt =3D 0; unsigned long limit =3D nr_free_buffer_pages() >> 4; struct mmc_test_mem *mem; + unsigned int idx =3D 0; =20 if (max_page_cnt > limit) max_page_cnt =3D limit; 
@@ -356,6 +359,7 @@ static struct mmc_test_mem *mmc_test_alloc_mem(unsigned= long min_sz, mem =3D kzalloc_flex(*mem, arr, max_segs); if (!mem) return NULL; + mem->cnt =3D max_segs; =20 while (max_page_cnt) { struct page *page; @@ -375,23 +379,26 @@ static struct mmc_test_mem *mmc_test_alloc_mem(unsign= ed long min_sz, goto out_free; break; } - mem->arr[mem->cnt].page =3D page; - mem->arr[mem->cnt].order =3D order; - mem->cnt +=3D 1; + mem->arr[idx].page =3D page; + mem->arr[idx].order =3D order; + idx +=3D 1; if (max_page_cnt <=3D (1UL << order)) break; max_page_cnt -=3D 1UL << order; page_cnt +=3D 1UL << order; - if (mem->cnt >=3D max_segs) { + if (idx >=3D mem->cnt) { if (page_cnt < min_page_cnt) goto out_free; break; } } =20 + mem->cnt =3D idx; + return mem; =20 out_free: + mem->cnt =3D idx; mmc_test_free_mem(mem); return NULL; } --=20 2.54.0
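
Review bot: in the mmc_test_free_mem() hunk (@@ -316,11 +316,13 @@), the new for loop frees arr[0] through arr[cnt - 1], so it is only correct when mem->cnt already holds the number of initialized entries at the time of the call; the loop does not enforce that, the caller does. Since mmc_test_alloc_mem() now keeps cnt at max_segs while it fills the array, a one-line comment above the loop stating that cnt must be the initialized count on entry would keep a future caller from passing a partly filled structure and freeing zeroed entries.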
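
Review bot: in the @@ -341,6 +343,7 @@ hunk, idx is declared unsigned int next to unsigned long counters (page_cnt, limit), and the later hunks compare it with mem->cnt and assign it back to mem->cnt. The types of cnt and max_segs are not visible in this patch, so please confirm idx has the same type as cnt, so that neither the comparison nor the final assignment involves an implicit conversion.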
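
Review bot: in the @@ -356,6 +359,7 @@ hunk, the added mem->cnt = max_segs carries no comment, and from this line until the later mem->cnt = idx the counter means capacity rather than number of initialized entries. A short comment saying that cnt is set to the allocated size so the __counted_by bounds cover arr[] before the first store, and that it is shrunk to idx before return or cleanup, would document the invariant that mmc_test_free_mem() now depends on.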
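
Review bot: in the @@ -375,23 +379,26 @@ hunk, the limit test changes from mem->cnt >= max_segs to idx >= mem->cnt, which makes the loop bound depend on a field that is rewritten a few lines further down. Comparing against the local instead, if (idx >= max_segs), keeps the capacity check independent of the counter's temporary meaning and stays closer to the original condition. The two mem->cnt = idx assignments (before return mem and under out_free) each deserve a brief comment that they shrink the counter to the initialized entries, so that neither is dropped by accident in a later cleanup.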
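
The counter-before-access rule the commit message describes, as an added user-space example (not code from the patch or the kernel): seg_at() is a constructed stand-in for the bounds check a sanitizer derives from __counted_by, and struct seg_list, fill() and violations are hypothetical names.

```c
/* User-space model, constructed for illustration: seg_at() stands in for the
 * bounds check a sanitizer derives from __counted_by(cnt). */
#include <stdlib.h>

struct seg { int order; };

struct seg_list {
	unsigned int cnt;	/* models the __counted_by counter */
	struct seg arr[];	/* flexible array */
};

static unsigned int violations;	/* accesses with index >= cnt */

/* Report-only check: count the violation, still hand back the slot. */
static struct seg *seg_at(struct seg_list *l, unsigned int i)
{
	if (i >= l->cnt)
		violations++;
	return &l->arr[i];
}

/*
 * Fill min(want, cap) slots and return the final cnt.
 * counter_first != 0: patched order (cnt = cap, local idx, cnt = idx).
 * counter_first == 0: pre-patch order (cnt is both counter and index).
 */
static unsigned int fill(unsigned int cap, unsigned int want, int counter_first)
{
	struct seg_list *l = calloc(1, sizeof(*l) + cap * sizeof(l->arr[0]));
	unsigned int idx = 0, stored;

	violations = 0;
	if (!l)
		return 0;
	if (counter_first)
		l->cnt = cap;	/* counter covers the array before any access */
	while (idx < want && idx < cap) {
		seg_at(l, counter_first ? idx : l->cnt)->order = (int)idx;
		idx++;
		if (!counter_first)
			l->cnt = idx;
	}
	l->cnt = idx;		/* shrink to the initialized entries */
	stored = l->cnt;
	free(l);
	return stored;
}
```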