From: Prabhakar
To: Ulf Hansson, Kees Cook, "Gustavo A. R. Silva", Petr Mladek, Geert Uytterhoeven
Cc: linux-mmc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-renesas-soc@vger.kernel.org, Prabhakar, Biju Das, Fabrizio Castro, Lad Prabhakar
Subject: [PATCH v3] mmc: mmc_test: Fix __counted_by handling after kzalloc_flex() conversion
Date: Tue, 2 Jun 2026 21:13:44 +0100
Message-ID: <20260602201344.1809801-1-prabhakar.mahadev-lad.rj@bp.renesas.com>
From: Lad Prabhakar

Fix logic issues introduced by the kzalloc_flex() conversion in
mmc_test_alloc_mem() due to interaction with the __counted_by annotation
on the flexible array.

Bounds-checking sanitizers rely on the counter field reflecting the
allocated array size before any array access occurs. However, the
converted code uses mem->cnt both as the allocation size and as the
runtime insertion index, causing incorrect indexing and potentially
invalid bounds tracking.

Initialize mem->cnt to the maximum allocated number of segments
immediately after kzalloc_flex(), then use a separate local index
variable to track successfully allocated entries. Update mem->cnt to the
actual number of initialized elements before returning or entering the
cleanup path.

Also rewrite mmc_test_free_mem() to use a forward for-loop, improving
readability and ensuring only initialized entries are freed.

Fixes: c3126dccfd7b ("mmc: mmc_test: use kzalloc_flex")
Signed-off-by: Lad Prabhakar
Reviewed-by: Geert Uytterhoeven
---
v2->v3:
- Switched back to v1 version of the patch.
- Addressed review comments from Geert.
- Added RB tag from Geert which was received on v1.

v1->v2:
- Started with cnt = 0 and incremented before assignment to ensure
  accurate tracking of initialized entries in mmc_test_alloc_mem().
- In mmc_test_free_mem(), replaced the while loop with a forward
  for-loop to safely iterate over initialized entries without risking
  underflow.
- Updated commit message to clarify the issue and the fix.

v2: https://lore.kernel.org/all/20260519133025.618255-1-prabhakar.mahadev-lad.rj@bp.renesas.com/
v1: https://lore.kernel.org/all/20260513201315.3186621-1-prabhakar.mahadev-lad.rj@bp.renesas.com/
---
 drivers/mmc/core/mmc_test.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/drivers/mmc/core/mmc_test.c b/drivers/mmc/core/mmc_test.c
index ab38e4c45a8d..4dc16649e61d 100644
--- a/drivers/mmc/core/mmc_test.c
+++ b/drivers/mmc/core/mmc_test.c
@@ -318,9 +318,9 @@ static void mmc_test_free_mem(struct mmc_test_mem *mem) { if (!mem) return; - while (mem->cnt--) - __free_pages(mem->arr[mem->cnt].page, - mem->arr[mem->cnt].order); + for (unsigned int i =3D 0; i < mem->cnt; i++) + __free_pages(mem->arr[i].page, + mem->arr[i].order); kfree(mem); } =20 @@ -341,6 +341,7 @@ static struct mmc_test_mem *mmc_test_alloc_mem(unsigned= long min_sz, unsigned long page_cnt =3D 0; unsigned long limit =3D nr_free_buffer_pages() >> 4; struct mmc_test_mem *mem; + unsigned int idx =3D 0; =20 if (max_page_cnt > limit) max_page_cnt =3D limit; @@ -375,23 +376,26 @@ static struct mmc_test_mem *mmc_test_alloc_mem(unsign= ed long min_sz, goto out_free; break; } - mem->arr[mem->cnt].page =3D page; - mem->arr[mem->cnt].order =3D order; - mem->cnt +=3D 1; + mem->arr[idx].page =3D page; + mem->arr[idx].order =3D order; + idx +=3D 1; if (max_page_cnt <=3D (1UL << order)) break; max_page_cnt -=3D 1UL << order; page_cnt +=3D 1UL << order; - if (mem->cnt >=3D max_segs) { + if (idx >=3D mem->cnt) { if (page_cnt < min_page_cnt) goto out_free; break; } } =20 + mem->cnt =3D idx; + return mem; =20 out_free: + mem->cnt =3D idx; mmc_test_free_mem(mem); return NULL; } --=20 2.54.0
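Review bot: in the mmc_test_free_mem() hunk, the forward loop `for (unsigned int i = 0; i < mem->cnt; i++)` is only correct if every caller has already narrowed mem->cnt to the number of initialized entries before calling; the out_free path in mmc_test_alloc_mem() does that with `mem->cnt = idx;`, but if mem->cnt still held the capacity set at allocation time the loop would call __free_pages() on zeroed entries. A one-line comment above the loop stating that mem->cnt is the initialized count, not the allocated capacity, would make that contract visible to the next person adding an early-exit path. Minor style point: `__free_pages(mem->arr[i].page, mem->arr[i].order);` now fits on one line, so the continuation line can be joined.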
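Review bot: in the mmc_test_alloc_mem() loop hunk, the commit message says mem->cnt is initialized to the maximum number of segments immediately after kzalloc_flex(), but no such assignment appears in the diff, so the new check `if (idx >= mem->cnt)` depends on kzalloc_flex() itself having stored max_segs in the __counted_by counter. If that is what kzalloc_flex() does, the commit message should say so instead of describing an explicit initialization; if it is not, mem->cnt is zero at that point, the check fires after the first segment, and allocation is silently capped at one entry. Keeping the previous form of the comparison, `if (idx >= max_segs) {`, would make the bound explicit and independent of the counter's value, which is then only ever written on the two exit paths. The duplicated `mem->cnt = idx;` on the success and out_free paths is fine but worth a short comment at out_free noting why the narrowing must happen before mmc_test_free_mem() runs.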
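To make the counter contract from the commit message concrete, here is a userspace C model added by the editor; it is not the kernel's mmc_test code and not part of this patch. It assumes a constructed page allocator (`fake_alloc_page()`, `fake_free_page()`, a page budget in `fake_pages_left`/`fake_pages_live`) and two scenario functions, and it uses the compiler's `counted_by` attribute when available so that a build with `-fsanitize=bounds` checks every `arr[]` access against `cnt`. `test_mem_alloc()` mirrors the patched loop: `cnt` holds the capacity before the first `arr[]` store, a separate `idx` counts initialized entries, and `cnt` is narrowed to `idx` on both the success and the cleanup path so that `test_mem_free()` releases only initialized entries.

```c
/* Added example (not the kernel's mmc_test code): a userspace model of the counter
 * contract the patch restores. The page budget, fake_* helpers and scenarios are assumptions. */
#include <stdlib.h>

/* counted_by attribute where the compiler has it, so -fsanitize=bounds checks arr[] against cnt. */
#ifdef __has_attribute
# if __has_attribute(counted_by)
#  define COUNTED_BY(m) __attribute__((counted_by(m)))
# endif
#endif
#ifndef COUNTED_BY
# define COUNTED_BY(m)
#endif

struct test_mem {
	unsigned int cnt;	/* capacity while filling, fill count afterwards */
	struct { void *page; unsigned int order; } arr[] COUNTED_BY(cnt);
};

static unsigned long fake_pages_left, fake_pages_live;	/* budget and pages held */

static void *fake_alloc_page(unsigned int order)
{
	if ((1UL << order) > fake_pages_left) return NULL;	/* budget exhausted */
	fake_pages_left -= 1UL << order;
	fake_pages_live += 1UL << order;
	return malloc(1);	/* token standing in for 2^order pages */
}

static void fake_free_page(void *p, unsigned int order) { fake_pages_live -= 1UL << order; free(p); }

static void test_mem_free(struct test_mem *mem)
{
	if (!mem)
		return;
	for (unsigned int i = 0; i < mem->cnt; i++)	/* cnt == initialised count here */
		fake_free_page(mem->arr[i].page, mem->arr[i].order);
	free(mem);
}

/* cnt = capacity before the first arr[] store; idx counts fills; cnt = idx on every exit path. */
static struct test_mem *test_mem_alloc(unsigned int max_segs, unsigned long min_page_cnt,
				       unsigned long max_page_cnt, unsigned int max_order)
{
	struct test_mem *mem = calloc(1, sizeof(*mem) + max_segs * sizeof(mem->arr[0]));
	unsigned long page_cnt = 0;
	unsigned int idx = 0;

	if (!mem)
		return NULL;
	mem->cnt = max_segs;	/* what __counted_by needs before arr[] is touched */
	while (max_page_cnt) {
		unsigned int order = max_order;
		void *page;
		while (!(page = fake_alloc_page(order)) && order)
			order--;	/* fall back to smaller chunks */
		if (!page) {
			if (page_cnt < min_page_cnt)
				goto out_free;
			break;
		}
		mem->arr[idx].page = page;
		mem->arr[idx].order = order;
		idx++;
		if (max_page_cnt <= (1UL << order))
			break;
		max_page_cnt -= 1UL << order;
		page_cnt += 1UL << order;
		if (idx >= max_segs) {
			if (page_cnt < min_page_cnt)
				goto out_free;
			break;
		}
	}
	mem->cnt = idx;
	return mem;
out_free:
	mem->cnt = idx;	/* free only what was initialised, never the capacity */
	test_mem_free(mem);
	return NULL;
}

/* 100-page budget, 64 pages in 16-page chunks: returns the fill count (4), 0 on any leak. */
static unsigned int scenario_enough_pages(void)
{
	fake_pages_left = 100, fake_pages_live = 0;
	struct test_mem *mem = test_mem_alloc(4, 8, 64, 4);
	unsigned int cnt = (mem && fake_pages_live == 64) ? mem->cnt : 0;
	test_mem_free(mem);
	return fake_pages_live == 0 ? cnt : 0;
}

/* 10-page budget below min_page_cnt: must fail, return the partial segments, touch nothing past idx. */
static int scenario_short_of_pages(void)
{
	fake_pages_left = 10, fake_pages_live = 0;
	return test_mem_alloc(4, 32, 64, 4) == NULL && fake_pages_live == 0;
}
```

The second scenario is the one that exercises the cleanup path: two segments are obtained before the budget runs dry, and because the calloc'd entries beyond `idx` carry `order == 0`, any over-iteration in `test_mem_free()` would show up as a non-zero live-page count. On a compiler that implements `counted_by` (recent GCC or Clang), building with `-fsanitize=bounds` and deleting the `mem->cnt = max_segs;` line should make the sanitizer flag the first `arr[idx]` store, which is the failure mode the commit message describes.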