[PATCH 0/2] Add __counted_by_ptr macro

[PATCH 0/2] Add __counted_by_ptr macro

[Bill Wendling]

These patches add the __counted_by_ptr macro and then uses it in
mm/memblock.h. The name of the __counted_by_ptr attribute is the same as
__counted_by, but two different macros are needed, because of feature
skew in GCC and clang. Once the minmum versions of the compilers support
'counted_by' on both flexible array members and pointers in structs,
this macro will become obsolete.

Bill Wendling (2):
  Compiler Attributes: Add __counted_by_ptr macro
  memblock: annotate struct memblock_type with __counted_by_ptr

 include/linux/compiler_types.h | 11 +++++++++++
 include/linux/memblock.h       |  2 +-
 init/Kconfig                   |  5 +++++
 3 files changed, 17 insertions(+), 1 deletion(-)

-- 
2.52.0.rc2.455.g230fcf2819-goog

[PATCH 1/2] Compiler Attributes: Add __counted_by_ptr macro

[Bill Wendling]

Clang and GCC are expanding the '__counted_by' attribute to support
pointers in structs. Clang has support for it since version 21. This
requires defining a separate macro, '__counted_by_ptr', because, while
the attribute has the same name for both a pointer and a flexible array
member, minimal compiler versions need to catch up.

The effect of this feature is the same as for __counted_by on flexible
array members. It provides hardening the ability to perform run-time
bounds checking on otherwise unknown-size pointers.

Cc: Kees Cook <kees@kernel.org>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Marc Herbert <Marc.Herbert@linux.intel.com>
Cc: Uros Bizjak <ubizjak@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Jeff Xu <jeffxu@chromium.org>
Cc: "Michal Koutný" <mkoutny@suse.com>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>
Cc: John Stultz <jstultz@google.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: linux-kernel@vger.kernel.org
Cc: linux-hardening@vger.kernel.org
Cc: llvm@lists.linux.dev
Signed-off-by: Bill Wendling <morbo@google.com>
---
 include/linux/compiler_types.h | 11 +++++++++++
 init/Kconfig                   |  5 +++++
 2 files changed, 16 insertions(+)

diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index 0a1b9598940d..2b0251bb951c 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -351,6 +351,17 @@ struct ftrace_likely_data {
 # define __assume(expr)
 #endif
 
+/*
+ * Optional: only supported since clang >= 21
+ *
+ * clang: https://github.com/llvm/llvm-project/pull/137250
+ */
+#ifdef CONFIG_CC_HAS_COUNTED_BY_FOR_POINTER
+#define __counted_by_ptr(member)	__attribute__((__counted_by__(member)))
+#else
+#define __counted_by_ptr(member)
+#endif
+
 /*
  * Optional: only supported since gcc >= 15
  * Optional: only supported since clang >= 18
diff --git a/init/Kconfig b/init/Kconfig
index cab3ad28ca49..298c94c4c1b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -139,6 +139,11 @@ config CC_HAS_COUNTED_BY
 	# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
 	default y if CC_IS_GCC && GCC_VERSION >= 150100
 
+config CC_HAS_COUNTED_BY_ON_POINTERS
+	bool
+	# Needs clang 21.1.0 or higher.
+	default y if CC_IS_CLANG && CLANG_VERSION >= 210100
+
 config CC_HAS_MULTIDIMENSIONAL_NONSTRING
 	def_bool $(success,echo 'char tag[][4] __attribute__((__nonstring__)) = { };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror)
 
-- 
2.52.0.rc2.455.g230fcf2819-goog

[PATCH 2/2] memblock: annotate struct memblock_type with __counted_by_ptr

[Bill Wendling]

Add the '__counted_by_ptr' attribute to the 'regions' field of 'struct
memblock_type'. The 'regions' field is an array of 'struct
memblock_region' and its size is tracked by the 'max' field, which
represents the total number of allocated regions.

This annotation allows the Kernel Address Sanitizer (KASAN) to detect
out-of-bounds accesses to the 'regions' array.

Cc: Kees Cook <kees@kernel.org>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Marc Herbert <Marc.Herbert@linux.intel.com>
Cc: Uros Bizjak <ubizjak@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Jeff Xu <jeffxu@chromium.org>
Cc: "Michal Koutný" <mkoutny@suse.com>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>
Cc: John Stultz <jstultz@google.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: linux-mm@kvack.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-hardening@vger.kernel.org
Cc: llvm@lists.linux.dev
Signed-off-by: Bill Wendling <morbo@google.com>
---
 include/linux/memblock.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/memblock.h b/include/linux/memblock.h
index 221118b5a16e..ba7f7c999a45 100644
--- a/include/linux/memblock.h
+++ b/include/linux/memblock.h
@@ -91,7 +91,7 @@ struct memblock_type {
 	unsigned long cnt;
 	unsigned long max;
 	phys_addr_t total_size;
-	struct memblock_region *regions;
+	struct memblock_region *regions __counted_by_ptr(max);
 	char *name;
 };
 
-- 
2.52.0.rc2.455.g230fcf2819-goog

Re: [PATCH 1/2] Compiler Attributes: Add __counted_by_ptr macro

[Bill Wendling]

On Fri, Nov 21, 2025 at 11:40 AM Bill Wendling <morbo@google.com> wrote:
>
> Clang and GCC are expanding the '__counted_by' attribute to support
> pointers in structs. Clang has support for it since version 21. This
> requires defining a separate macro, '__counted_by_ptr', because, while
> the attribute has the same name for both a pointer and a flexible array
> member, minimal compiler versions need to catch up.
>
> The effect of this feature is the same as for __counted_by on flexible
> array members. It provides hardening the ability to perform run-time
> bounds checking on otherwise unknown-size pointers.
>
> Cc: Kees Cook <kees@kernel.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
> Cc: Justin Stitt <justinstitt@google.com>
> Cc: Miguel Ojeda <ojeda@kernel.org>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Heiko Carstens <hca@linux.ibm.com>
> Cc: Marc Herbert <Marc.Herbert@linux.intel.com>
> Cc: Uros Bizjak <ubizjak@gmail.com>
> Cc: Tejun Heo <tj@kernel.org>
> Cc: Jeff Xu <jeffxu@chromium.org>
> Cc: "Michal Koutný" <mkoutny@suse.com>
> Cc: Shakeel Butt <shakeel.butt@linux.dev>
> Cc: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>
> Cc: John Stultz <jstultz@google.com>
> Cc: Christian Brauner <brauner@kernel.org>
> Cc: Randy Dunlap <rdunlap@infradead.org>
> Cc: Brian Gerst <brgerst@gmail.com>
> Cc: Masahiro Yamada <masahiroy@kernel.org>
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-hardening@vger.kernel.org
> Cc: llvm@lists.linux.dev
> Signed-off-by: Bill Wendling <morbo@google.com>
> ---
>  include/linux/compiler_types.h | 11 +++++++++++
>  init/Kconfig                   |  5 +++++
>  2 files changed, 16 insertions(+)
>
> diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
> index 0a1b9598940d..2b0251bb951c 100644
> --- a/include/linux/compiler_types.h
> +++ b/include/linux/compiler_types.h
> @@ -351,6 +351,17 @@ struct ftrace_likely_data {
>  # define __assume(expr)
>  #endif
>
> +/*
> + * Optional: only supported since clang >= 21
> + *
> + * clang: https://github.com/llvm/llvm-project/pull/137250
> + */
> +#ifdef CONFIG_CC_HAS_COUNTED_BY_FOR_POINTER
> +#define __counted_by_ptr(member)       __attribute__((__counted_by__(member)))
> +#else
> +#define __counted_by_ptr(member)
> +#endif
> +
>  /*
>   * Optional: only supported since gcc >= 15
>   * Optional: only supported since clang >= 18
> diff --git a/init/Kconfig b/init/Kconfig
> index cab3ad28ca49..298c94c4c1b1 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -139,6 +139,11 @@ config CC_HAS_COUNTED_BY
>         # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
>         default y if CC_IS_GCC && GCC_VERSION >= 150100
>
> +config CC_HAS_COUNTED_BY_ON_POINTERS
> +       bool
> +       # Needs clang 21.1.0 or higher.
> +       default y if CC_IS_CLANG && CLANG_VERSION >= 210100
> +
I mistakenly left out GCC from here. I'll roll that in with v2.

-bw

>  config CC_HAS_MULTIDIMENSIONAL_NONSTRING
>         def_bool $(success,echo 'char tag[][4] __attribute__((__nonstring__)) = { };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror)
>
> --
> 2.52.0.rc2.455.g230fcf2819-goog
>

[PATCH v2 1/2] Compiler Attributes: Add __counted_by_ptr macro

[Bill Wendling]

Clang and GCC are expanding the '__counted_by' attribute to support
pointers in structs. Clang has support for it since version 21. This
requires defining a separate macro, '__counted_by_ptr', because, while
the attribute has the same name for both a pointer and a flexible array
member, minimal compiler versions need to catch up.

The effect of this feature is the same as for __counted_by on flexible
array members. It provides hardening the ability to perform run-time
bounds checking on otherwise unknown-size pointers.

Cc: Kees Cook <kees@kernel.org>
Cc: Qing Zhao <qing.zhao@oracle.com>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Marc Herbert <Marc.Herbert@linux.intel.com>
Cc: Uros Bizjak <ubizjak@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Jeff Xu <jeffxu@chromium.org>
Cc: "Michal Koutný" <mkoutny@suse.com>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>
Cc: John Stultz <jstultz@google.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: linux-kernel@vger.kernel.org
Cc: linux-hardening@vger.kernel.org
Cc: llvm@lists.linux.dev
Signed-off-by: Bill Wendling <morbo@google.com>
---
v2 - Add support for GCC.
---
 include/linux/compiler_types.h | 11 +++++++++++
 init/Kconfig                   |  7 +++++++
 2 files changed, 18 insertions(+)

diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index 0a1b9598940d..2b0251bb951c 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -351,6 +351,17 @@ struct ftrace_likely_data {
 # define __assume(expr)
 #endif
 
+/*
+ * Optional: only supported since clang >= 21
+ *
+ * clang: https://github.com/llvm/llvm-project/pull/137250
+ */
+#ifdef CONFIG_CC_HAS_COUNTED_BY_FOR_POINTER
+#define __counted_by_ptr(member)	__attribute__((__counted_by__(member)))
+#else
+#define __counted_by_ptr(member)
+#endif
+
 /*
  * Optional: only supported since gcc >= 15
  * Optional: only supported since clang >= 18
diff --git a/init/Kconfig b/init/Kconfig
index cab3ad28ca49..f947f242bca8 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -139,6 +139,13 @@ config CC_HAS_COUNTED_BY
 	# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
 	default y if CC_IS_GCC && GCC_VERSION >= 150100
 
+config CC_HAS_COUNTED_BY_ON_POINTERS
+	bool
+	# supported since clang 21.1.0
+	default y if CC_IS_CLANG && CLANG_VERSION >= 210100
+	# supported since gcc 16.0.0
+	default y if CC_IS_GCC && GCC_VERSION >= 160000
+
 config CC_HAS_MULTIDIMENSIONAL_NONSTRING
 	def_bool $(success,echo 'char tag[][4] __attribute__((__nonstring__)) = { };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror)
 
-- 
2.52.0.rc2.455.g230fcf2819-goog

Re: [PATCH v2 1/2] Compiler Attributes: Add __counted_by_ptr macro

[Miguel Ojeda]

On Fri, Nov 21, 2025 at 8:55 PM Bill Wendling <morbo@google.com> wrote:
>
> +/*
> + * Optional: only supported since clang >= 21
> + *
> + * clang: https://github.com/llvm/llvm-project/pull/137250
> + */
> +#ifdef CONFIG_CC_HAS_COUNTED_BY_FOR_POINTER
> +#define __counted_by_ptr(member)       __attribute__((__counted_by__(member)))
> +#else
> +#define __counted_by_ptr(member)
> +#endif

I guess there is a reason for this name, but it sounds to me a bit
like the thing between parenthesis is a pointer, i.e. that perhaps it
is the pointee that one that counts.

Hmm... what about `__ptr_counted_by`?

In addition, could we please provide a bit of context in the
documentation? i.e. links to the attribute docs in both Clang and GCC.

And perhaps explaining why this cannot use `__has_attribute`, i.e.
what the commit log mentions.

Thanks!

Cheers,
Miguel

Re: [PATCH 0/2] Add __counted_by_ptr macro

[Kees Cook]

On Fri, Nov 21, 2025 at 07:39:42PM +0000, Bill Wendling wrote:
> These patches add the __counted_by_ptr macro and then uses it in
> mm/memblock.h. The name of the __counted_by_ptr attribute is the same as
> __counted_by, but two different macros are needed, because of feature
> skew in GCC and clang. Once the minmum versions of the compilers support
> 'counted_by' on both flexible array members and pointers in structs,
> this macro will become obsolete.
> 
> Bill Wendling (2):
>   Compiler Attributes: Add __counted_by_ptr macro
>   memblock: annotate struct memblock_type with __counted_by_ptr

Based on this[1] thread, I think we'll need to wait for GCC and Clang to
release with the "void *" support first, and then push the counted_by up
to that version to cover flexible arrays, pointers, and void *.

-Kees

[1] https://lore.kernel.org/lkml/20251021095447.GL3245006@noisy.programming.kicks-ass.net/

-Kees

-- 
Kees Cook

Re: [PATCH 2/2] memblock: annotate struct memblock_type with __counted_by_ptr

[Kees Cook]

On Fri, Nov 21, 2025 at 07:39:44PM +0000, Bill Wendling wrote:
> Add the '__counted_by_ptr' attribute to the 'regions' field of 'struct
> memblock_type'. The 'regions' field is an array of 'struct
> memblock_region' and its size is tracked by the 'max' field, which
> represents the total number of allocated regions.

As part of any counted_by annotation patch, there needs to be discussion
in the commit log about how it's been shown to be a safe annotation
to make. e.g. in this case, if all allocations of "regions" have a
corresponding "max" assignment, etc. If just "git grep" can't find them
all, using something like Coccinelle or CodeQL to search for struct
memblock_type::regions assignments can work.

Here's what I used in the past for flexible arrays, but it was slow
due to Coccinelle needing --recursive-includes to see the structs,
but should be adaptable for counted_by on pointers:

@flex_match@
identifier STRUCT, COUNTED, ARRAY;
type COUNTED_TYPE, ARRAY_TYPE;
attribute name __counted_by;
@@

        struct STRUCT {
                ...
                COUNTED_TYPE COUNTED;
                ...
                ARRAY_TYPE ARRAY[] __counted_by(COUNTED);
        };

@missed_counted_assignment@
identifier flex_match.STRUCT;
struct STRUCT *P;
identifier flex_match.COUNTED;
identifier flex_match.ARRAY;
identifier ALLOC =~ ".*alloc.*";
@@

        P = ALLOC(...);
        ... when != P->COUNTED
*       P->ARRAY


> This annotation allows the Kernel Address Sanitizer (KASAN) to detect
> out-of-bounds accesses to the 'regions' array.

I think you mean UBSan here (and CONFIG_FORTIFY_SOURCE)?

> ---
>  include/linux/memblock.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/linux/memblock.h b/include/linux/memblock.h
> index 221118b5a16e..ba7f7c999a45 100644
> --- a/include/linux/memblock.h
> +++ b/include/linux/memblock.h
> @@ -91,7 +91,7 @@ struct memblock_type {
>  	unsigned long cnt;
>  	unsigned long max;
>  	phys_addr_t total_size;
> -	struct memblock_region *regions;
> +	struct memblock_region *regions __counted_by_ptr(max);
>  	char *name;
>  };

For the handful of places I spot checked, yeah, it looks like a nice
annotation.

-Kees

-- 
Kees Cook

Re: [PATCH 2/2] memblock: annotate struct memblock_type with __counted_by_ptr

[Andrew Morton]

On Fri, 21 Nov 2025 16:30:43 -0800 Kees Cook <kees@kernel.org> wrote:

> On Fri, Nov 21, 2025 at 07:39:44PM +0000, Bill Wendling wrote:
> > Add the '__counted_by_ptr' attribute to the 'regions' field of 'struct
> > memblock_type'. The 'regions' field is an array of 'struct
> > memblock_region' and its size is tracked by the 'max' field, which
> > represents the total number of allocated regions.
> 
> As part of any counted_by annotation patch, there needs to be discussion
> in the commit log about how it's been shown to be a safe annotation
> to make. e.g. in this case, if all allocations of "regions" have a
> corresponding "max" assignment, etc. If just "git grep" can't find them
> all, using something like Coccinelle or CodeQL to search for struct
> memblock_type::regions assignments can work.

How is anyone to know these things?  I can't find anything about this
in include/ or Documentation/ or in the relevant commits.

There should be a comment at the __counted_by() definition site, please.

And possibly write a Documentation/ file then change checkpatch to
direct people to that file if they add a counted_by?

Re: [PATCH 2/2] memblock: annotate struct memblock_type with __counted_by_ptr

[Kees Cook]

On Sat, Nov 22, 2025 at 02:16:14PM -0800, Andrew Morton wrote:
> On Fri, 21 Nov 2025 16:30:43 -0800 Kees Cook <kees@kernel.org> wrote:
> 
> > On Fri, Nov 21, 2025 at 07:39:44PM +0000, Bill Wendling wrote:
> > > Add the '__counted_by_ptr' attribute to the 'regions' field of 'struct
> > > memblock_type'. The 'regions' field is an array of 'struct
> > > memblock_region' and its size is tracked by the 'max' field, which
> > > represents the total number of allocated regions.
> > 
> > As part of any counted_by annotation patch, there needs to be discussion
> > in the commit log about how it's been shown to be a safe annotation
> > to make. e.g. in this case, if all allocations of "regions" have a
> > corresponding "max" assignment, etc. If just "git grep" can't find them
> > all, using something like Coccinelle or CodeQL to search for struct
> > memblock_type::regions assignments can work.
> 
> How is anyone to know these things?  I can't find anything about this
> in include/ or Documentation/ or in the relevant commits.
> 
> There should be a comment at the __counted_by() definition site, please.
> 
> And possibly write a Documentation/ file then change checkpatch to
> direct people to that file if they add a counted_by?

This is a fair point, yes. The documentation and discussions around
counted_by are very big in my mind (and for Bill), so it was mostly a
consolidation/reminder and some extra detail on prior solutions, but
for anyone new to that annotation, we should have collected common
guidance. I will write something up.

-- 
Kees Cook

Re: [PATCH v2 1/2] Compiler Attributes: Add __counted_by_ptr macro

[Bill Wendling]

On Fri, Nov 21, 2025 at 1:48 PM Miguel Ojeda
<miguel.ojeda.sandonis@gmail.com> wrote:
> On Fri, Nov 21, 2025 at 8:55 PM Bill Wendling <morbo@google.com> wrote:
> >
> > +/*
> > + * Optional: only supported since clang >= 21
> > + *
> > + * clang: https://github.com/llvm/llvm-project/pull/137250
> > + */
> > +#ifdef CONFIG_CC_HAS_COUNTED_BY_FOR_POINTER
> > +#define __counted_by_ptr(member)       __attribute__((__counted_by__(member)))
> > +#else
> > +#define __counted_by_ptr(member)
> > +#endif
>
> I guess there is a reason for this name, but it sounds to me a bit
> like the thing between parenthesis is a pointer, i.e. that perhaps it
> is the pointee that one that counts.
>
> Hmm... what about `__ptr_counted_by`?
>
> In addition, could we please provide a bit of context in the
> documentation? i.e. links to the attribute docs in both Clang and GCC.
>
> And perhaps explaining why this cannot use `__has_attribute`, i.e.
> what the commit log mentions.
>
The attribute used to be hidden behind "__has_attribute" (git show
c8248faf3ca2), but was converted to a 'CONFIG_' variable due to (I
assume) bug fixes that occurred at different compiler versions (git
show f06e108a3dc53). Also "__has_attribute" won't work in this
situation, because the attribute name, "__counted_by__", is used for
both a pointer field (unsupported) and the flexible array member
(supported).

The naming of the macro is flexible of course. I have a preference for
adding a suffix, because there are other expansions of this and other
bounds safety attributes where, during discussions about the
attributes' syntaxes, we've been using suffixes. I.e., Clang supports
a limited form of context-free expressions as the argument to the
attribute. We want to add support for that in the future, but there
are issues with adding that support to GCC that haven't been ironed
out yet. We've been calling that macro "__counted_by_expr", because
again the attribute name is the same. This is not to say that it's the
*best* name for the macro, but it does seem natural.

I'll add these explanations to the commit message in a new version
after I collect all feedback. :-)

Thanks!
-bw

Re: [PATCH 0/2] Add __counted_by_ptr macro

[Bill Wendling]

On Fri, Nov 21, 2025 at 3:25 PM Kees Cook <kees@kernel.org> wrote:
> On Fri, Nov 21, 2025 at 07:39:42PM +0000, Bill Wendling wrote:
> > These patches add the __counted_by_ptr macro and then uses it in
> > mm/memblock.h. The name of the __counted_by_ptr attribute is the same as
> > __counted_by, but two different macros are needed, because of feature
> > skew in GCC and clang. Once the minmum versions of the compilers support
> > 'counted_by' on both flexible array members and pointers in structs,
> > this macro will become obsolete.
> >
> > Bill Wendling (2):
> >   Compiler Attributes: Add __counted_by_ptr macro
> >   memblock: annotate struct memblock_type with __counted_by_ptr
>
> Based on this[1] thread, I think we'll need to wait for GCC and Clang to
> release with the "void *" support first, and then push the counted_by up
> to that version to cover flexible arrays, pointers, and void *.
>
> [1] https://lore.kernel.org/lkml/20251021095447.GL3245006@noisy.programming.kicks-ass.net/
>
Would it make sense to add it with the expected compiler version
releases so that (1) we'll be ready when the compilers are released,
and (2) people could test the new features with compiler RCs?

-bw

Re: [PATCH 2/2] memblock: annotate struct memblock_type with __counted_by_ptr

[Bill Wendling]

On Mon, Nov 24, 2025 at 11:19 AM Kees Cook <kees@kernel.org> wrote:
>
> On Sat, Nov 22, 2025 at 02:16:14PM -0800, Andrew Morton wrote:
> > On Fri, 21 Nov 2025 16:30:43 -0800 Kees Cook <kees@kernel.org> wrote:
> >
> > > On Fri, Nov 21, 2025 at 07:39:44PM +0000, Bill Wendling wrote:
> > > > Add the '__counted_by_ptr' attribute to the 'regions' field of 'struct
> > > > memblock_type'. The 'regions' field is an array of 'struct
> > > > memblock_region' and its size is tracked by the 'max' field, which
> > > > represents the total number of allocated regions.
> > >
> > > As part of any counted_by annotation patch, there needs to be discussion
> > > in the commit log about how it's been shown to be a safe annotation
> > > to make. e.g. in this case, if all allocations of "regions" have a
> > > corresponding "max" assignment, etc. If just "git grep" can't find them
> > > all, using something like Coccinelle or CodeQL to search for struct
> > > memblock_type::regions assignments can work.
> >
> > How is anyone to know these things?  I can't find anything about this
> > in include/ or Documentation/ or in the relevant commits.
> >
> > There should be a comment at the __counted_by() definition site, please.
> >
> > And possibly write a Documentation/ file then change checkpatch to
> > direct people to that file if they add a counted_by?
>
> This is a fair point, yes. The documentation and discussions around
> counted_by are very big in my mind (and for Bill), so it was mostly a
> consolidation/reminder and some extra detail on prior solutions, but
> for anyone new to that annotation, we should have collected common
> guidance. I will write something up.
>
Good point. I'll add documentation for these attributes both in
Documentation/ and at the macro site. The frustrating thing is that
we're likely to have at least one other macro flavor (something like
"__counted_by_expr"), though that's the only foreseeable one. All of
these macros are wrappers around the same attribute because of
compiler skew.

-bw