blkdev: Annotate struct request_queue with __counted_by_ptr

The queue_hw_ctx field in struct request_queue is an array of pointers to
struct blk_mq_hw_ctx. The number of elements in this array is tracked by
the nr_hw_queues field.

The array is allocated in __blk_mq_realloc_hw_ctxs() using kcalloc_node()
with set->nr_hw_queues elements. q->nr_hw_queues is subsequently updated
to set->nr_hw_queues.

When growing the array, the new array is assigned to queue_hw_ctx before
nr_hw_queues is updated. This is safe because nr_hw_queues (the old
smaller count) is used for bounds checking, which is within the new
larger allocation.

When shrinking the array, nr_hw_queues is updated to the smaller value,
while queue_hw_ctx retains the larger allocation. This is also safe as
the count is within the allocation bounds.

Annotating queue_hw_ctx with __counted_by_ptr(nr_hw_queues) allows the
compiler (with kSAN) to verify that accesses to queue_hw_ctx are within
the valid range defined by nr_hw_queues.

This patch was generated by Gemini and reviewed by Bill Wendling.
Tested with bootup and running selftests.

Signed-off-by: Bill Wendling <morbo@google.com>

Author: bwendling

include/linux/blkdev.h

@@ -502,7 +502,7 @@ struct request_queue {
 
 	/* hw dispatch queues */
 	unsigned int		nr_hw_queues;
-	struct blk_mq_hw_ctx * __rcu *queue_hw_ctx;
+	struct blk_mq_hw_ctx * __rcu *queue_hw_ctx __counted_by_ptr(nr_hw_queues);
 
 	struct percpu_ref	q_usage_counter;
 	struct lock_class_key	io_lock_cls_key;