From nobody Sat Feb  7 21:53:12 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 362CA20966B;
	Mon, 20 Oct 2025 22:01:18 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1760997679; cv=none;
 b=mu/SWYuimaMzUh/1keCRJ9edZ0c0SWNqVauSfkf+ohQ1mNav2kHudYedcscpHN72GNLa4NeRSNnJKFqQX7FgIoKADQfEmF28UFjmEccg6yRD+ddI2sBA+eTepeZ861ksa6yeypXPjSnINJWrCNX9VcSarAnOZCv65wsIQJAtbHM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1760997679; c=relaxed/simple;
	bh=/jk04nuQCuJInz/KNpaoxJIfVcgkemJOGj6M7ncv4Qs=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=ZQfJ+dUIjxZzDJQ0jV5M/4oOSqZRVOnTUet7hWQGk9JUKKGxab883UNVo/xw29KF0LEpowrt0LS3SWHtLbLyxtlvOwrQWILvrHcWKcxwNGb9m2G7tXDjAUcWkug3MI4UQZLGSDm0sFDxBT5r7siajb6OFKkytvdc79QSdiUSKKc=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=dVxw38Ss; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="dVxw38Ss"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id A5B51C113D0;
	Mon, 20 Oct 2025 22:01:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1760997678;
	bh=/jk04nuQCuJInz/KNpaoxJIfVcgkemJOGj6M7ncv4Qs=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=dVxw38SsaEBpGnRxtU9fHqd60UIUWUzTHw2ty+G4BbTMWORiV4MyiTJpF4KvhA6HZ
	 rK9O1qOcWPaMXfeuHLiq0Bg8hKfdQXw9y8RkDHhh1iGeRwrutb187DsBvlrr90Q0Yq
	 UBCTl/Nhx7ZnlWdgXKJei3iaZ4IrEpPJnszNExWSnU6rT64deH90moN6HekTC4upNz
	 ZE93XY/NHce1wV/p7KSNacI805banw6BNKIzg6mRncZBrnhhXoeEl7uIHg5hp7y7ZY
	 ddd3VWurUVb14fYcAjR71HOJH+00gBMsy5hJa9Zq6tBdO0P9XtEZQLSKlyuP9lrhdq
	 GrNIDqrpXG13g==
From: Kees Cook <kees@kernel.org>
To: Miguel Ojeda <ojeda@kernel.org>
Cc: Kees Cook <kees@kernel.org>,
	Nathan Chancellor <nathan@kernel.org>,
	Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
	Bill Wendling <morbo@google.com>,
	Justin Stitt <justinstitt@google.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Marco Elver <elver@google.com>,
	Przemek Kitszel <przemyslaw.kitszel@intel.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Masahiro Yamada <masahiroy@kernel.org>,
	Christophe Leroy <christophe.leroy@csgroup.eu>,
	Johannes Weiner <hannes@cmpxchg.org>,
	llvm@lists.linux.dev,
	Al Viro <viro@zeniv.linux.org.uk>,
	Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Christian Brauner <brauner@kernel.org>,
	Jan Kara <jack@suse.cz>,
	Nicolas Schier <nicolas.schier@linux.dev>,
	Shuah Khan <shuah@kernel.org>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>,
	=?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <thomas.weissschuh@linutronix.de>,
	Tamir Duberstein <tamird@gmail.com>,
	Michael Kelley <mhklinux@outlook.com>,
	kernel test robot <lkp@intel.com>,
	Heiko Carstens <hca@linux.ibm.com>,
	Uros Bizjak <ubizjak@gmail.com>,
	Jan Hendrik Farr <kernel@jfarr.cc>,
	Yafang Shao <laoar.shao@gmail.com>,
	Marc Herbert <Marc.Herbert@linux.intel.com>,
	Christopher Ferris <cferris@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Alexander Lobakin <aleksander.lobakin@intel.com>,
	Paolo Abeni <pabeni@redhat.com>,
	Tejun Heo <tj@kernel.org>,
	Jeff Xu <jeffxu@chromium.org>,
	=?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>,
	Shakeel Butt <shakeel.butt@linux.dev>,
	Randy Dunlap <rdunlap@infradead.org>,
	Brian Gerst <brgerst@gmail.com>,
	linux-kernel@vger.kernel.org,
	linux-fsdevel@vger.kernel.org,
	linux-kbuild@vger.kernel.org,
	linux-kselftest@vger.kernel.org,
	linux-hardening@vger.kernel.org
Subject: [PATCH 1/3] compiler_types: Introduce __counted_by_ptr()
Date: Mon, 20 Oct 2025 15:01:15 -0700
Message-Id: <20251020220118.1226740-1-kees@kernel.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20251020220005.work.095-kees@kernel.org>
References: <20251020220005.work.095-kees@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=5213; i=kees@kernel.org;
 h=from:subject; bh=/jk04nuQCuJInz/KNpaoxJIfVcgkemJOGj6M7ncv4Qs=;
 b=owGbwMvMwCVmps19z/KJym7G02pJDBnfNuq8mHjJ6c3aRUtcjppaq+Zv9Uh+dn63Am9N/aT/H
 Bkcr3e/6ShlYRDjYpAVU2QJsnOPc/F42x7uPlcRZg4rE8gQBi5OAZiI+1lGhruzI19PnOUiJKb2
 9kFKjBXH8+zPFi2rGKLSSzfFTHrxPpKR4ckJ1sSFxw6u68oRYcwszNzRt6CJ5b1t9ZuKQ3PZu+c
 eZQMA
X-Developer-Key: i=kees@kernel.org; a=openpgp;
 fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Introduce __counted_by_ptr(), which works like __counted_by(), but for
pointer struct members:

struct foo {
	int a, b, c;
	char *buffer __counted_by_ptr(bytes);
	short nr_bars;
	struct bar *bars __counted_by_ptr(nr_bars);
	size_t bytes;
};

Since "counted_by" can only be applied to pointer members in very recent
compiler versions, its application ends up needing to be distinct from
flexible array "counted_by" annotations, hence a separate macro.

Unfortunately, this annotation cannot be used for "void *" members
(since such a member is considered a pointer to an incomplete type,
and neither Clang nor GCC developers could be convinced otherwise[1],
even in the face of the GNU extension that "void *" has size "1 byte"
for pointer arithmetic). For "void *" members, we must use the coming
"sized_by" attribute.

Link: https://gcc.gnu.org/pipermail/gcc-patches/2025-May/683136.html [1]
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
Cc: Bill Wendling <morbo@google.com>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Marco Elver <elver@google.com>
Cc: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: <llvm@lists.linux.dev>
---
 init/Kconfig                   | 11 +++++++++++
 Makefile                       |  4 ++++
 include/linux/compiler_types.h | 21 ++++++++++++++++++++-
 include/uapi/linux/stddef.h    |  4 ++++
 4 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/init/Kconfig b/init/Kconfig
index cab3ad28ca49..54691b086bc6 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -139,6 +139,17 @@ config CC_HAS_COUNTED_BY
 	# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D108896
 	default y if CC_IS_GCC && GCC_VERSION >=3D 150100
=20
+config CC_HAS_COUNTED_BY_PTR_BARE
+	def_bool $(success,echo 'struct foo { int *ptr __attribute__((__counted_b=
y__(count))); int count; };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null =
-Werror)
+
+config CC_HAS_COUNTED_BY_PTR_EXP
+	def_bool $(success,echo 'struct foo { int *ptr __attribute__((__counted_b=
y__(count))); int count; };' | $(CC) $(CLANG_FLAGS) -fexperimental-late-par=
se-attributes -x c - -c -o /dev/null -Werror)
+	depends on !CC_HAS_COUNTED_BY_PTR_BARE
+
+config CC_HAS_COUNTED_BY_PTR
+	def_bool y
+	depends on CC_HAS_COUNTED_BY_PTR_BARE || CC_HAS_COUNTED_BY_PTR_EXP
+
 config CC_HAS_MULTIDIMENSIONAL_NONSTRING
 	def_bool $(success,echo 'char tag[][4] __attribute__((__nonstring__)) =3D=
 { };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror)
=20
diff --git a/Makefile b/Makefile
index d14824792227..1b297dcbb0df 100644
--- a/Makefile
+++ b/Makefile
@@ -933,6 +933,10 @@ KBUILD_CFLAGS	+=3D $(CC_AUTO_VAR_INIT_ZERO_ENABLER)
 endif
 endif
=20
+ifdef CONFIG_CC_HAS_COUNTED_BY_PTR_EXP
+KBUILD_CFLAGS	+=3D -fexperimental-late-parse-attributes
+endif
+
 # Explicitly clear padding bits during variable initialization
 KBUILD_CFLAGS +=3D $(call cc-option,-fzero-init-padding-bits=3Dall)
=20
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index 59288a2c1ad2..f197ea03b593 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -353,11 +353,14 @@ struct ftrace_likely_data {
 #endif
=20
 /*
+ * Runtime track number of flexible array member elements for use by
+ * CONFIG_FORTIFY_SOURCE and CONFIG_UBSAN_BOUNDS.
+ *
  * Optional: only supported since gcc >=3D 15
  * Optional: only supported since clang >=3D 18
  *
  *   gcc: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D108896
- * clang: https://github.com/llvm/llvm-project/pull/76348
+ * clang: https://clang.llvm.org/docs/AttributeReference.html#counted-by-c=
ounted-by-or-null-sized-by-sized-by-or-null
  *
  * __bdos on clang < 19.1.2 can erroneously return 0:
  * https://github.com/llvm/llvm-project/pull/110497
@@ -371,6 +374,22 @@ struct ftrace_likely_data {
 # define __counted_by(member)
 #endif
=20
+/*
+ * Runtime track number of objects pointed to by a pointer member for
+ * use by CONFIG_FORTIFY_SOURCE and CONFIG_UBSAN_BOUNDS.
+ *
+ * Optional: only supported since gcc >=3D 16
+ * Optional: only supported since clang >=3D 20
+ *
+ *   gcc: https://gcc.gnu.org/pipermail/gcc-patches/2025-April/681727.html
+ * clang: ...
+ */
+#ifdef CONFIG_CC_HAS_COUNTED_BY_PTR
+# define __counted_by_ptr(member)	__attribute__((__counted_by__(member)))
+#else
+# define __counted_by_ptr(member)
+#endif
+
 /*
  * Optional: only supported since gcc >=3D 15
  * Optional: not supported by Clang
diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h
index 9a28f7d9a334..111b097ec00b 100644
--- a/include/uapi/linux/stddef.h
+++ b/include/uapi/linux/stddef.h
@@ -72,6 +72,10 @@
 #define __counted_by_be(m)
 #endif
=20
+#ifndef __counted_by_ptr
+#define __counted_by_ptr(m)
+#endif
+
 #ifdef __KERNEL__
 #define __kernel_nonstring	__nonstring
 #else
--=20
2.34.1
From nobody Sat Feb  7 21:53:12 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5509E2D0C62;
	Mon, 20 Oct 2025 22:01:19 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1760997679; cv=none;
 b=fJfQ856Q8Am7NpJt8otykHEU5mhziRQHq7UmDqcD5CatawAaisltP8+wMS2rAKsjlslNgcwTSa0CdgMP9xUOIVa/j3ko1U93D75Mmu0Won+MzSE24M05V43r8ZSbm/6MH7bN1W8EY8ZtGZU4E65UNoKYeYHhsuJd1lbdo+R5TPs=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1760997679; c=relaxed/simple;
	bh=7+0qu+Gu0CqwtZbcxHs4OLhPuV8Fj8KuBq9/KFtLGnY=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=un0aObGtPLr8f0Gr40N3bJhoZoZgajBoq/MCf8Y1ckNcKw3N0wo3ZoGS23TE+huOd9ccwQq2OvGI27R6W9FKdJyy1uQoKWLx8SX40QIugjT0Y+/qiiVDKlg+ckH0PcXUkcDQugZ76h62ofsrJpoA2NyfNElrSJPljHUJIxLs/OI=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=IE0pAF6g; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="IE0pAF6g"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id B7890C116D0;
	Mon, 20 Oct 2025 22:01:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1760997678;
	bh=7+0qu+Gu0CqwtZbcxHs4OLhPuV8Fj8KuBq9/KFtLGnY=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=IE0pAF6gtzyz+Wp8tXsF0dcWrkIeTEu5HXMsKrLz1Z9AR8nJ4i4ZMkUDzDgF0m8pH
	 Fjt3tygypFFzHVgFYMT2f+r1oNO5zwEOIBGwUcjiGqYE/xr3XggqMnGsDo3wWBv9TR
	 wbeGozBQhFYF5UGcf84xMxcqIZVtsQsvySEucBErs96Cz8c9qYhJpS1oDRGTMOVGrx
	 a/23yabAl6nMWrW5Y8caWSxwlQHom8Ik9mBsjxGDFEzbHhwZs8sw52J3DpGqwhyw5b
	 WPMRpd/NuB6s0Xa24OAPH2EUn0/sJmpyybDyZtzsB6roGJK/V5tqj/XcbIQqFBRmR3
	 3sFq4LqpwHz4w==
From: Kees Cook <kees@kernel.org>
To: Miguel Ojeda <ojeda@kernel.org>
Cc: Kees Cook <kees@kernel.org>,
	Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Nathan Chancellor <nathan@kernel.org>,
	Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
	Bill Wendling <morbo@google.com>,
	Justin Stitt <justinstitt@google.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Marco Elver <elver@google.com>,
	Przemek Kitszel <przemyslaw.kitszel@intel.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Masahiro Yamada <masahiroy@kernel.org>,
	Christophe Leroy <christophe.leroy@csgroup.eu>,
	Johannes Weiner <hannes@cmpxchg.org>,
	Christian Brauner <brauner@kernel.org>,
	Jan Kara <jack@suse.cz>,
	Nicolas Schier <nicolas.schier@linux.dev>,
	Shuah Khan <shuah@kernel.org>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>,
	=?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <thomas.weissschuh@linutronix.de>,
	Tamir Duberstein <tamird@gmail.com>,
	Michael Kelley <mhklinux@outlook.com>,
	kernel test robot <lkp@intel.com>,
	Heiko Carstens <hca@linux.ibm.com>,
	Uros Bizjak <ubizjak@gmail.com>,
	Jan Hendrik Farr <kernel@jfarr.cc>,
	Yafang Shao <laoar.shao@gmail.com>,
	Marc Herbert <Marc.Herbert@linux.intel.com>,
	Christopher Ferris <cferris@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Alexander Lobakin <aleksander.lobakin@intel.com>,
	Paolo Abeni <pabeni@redhat.com>,
	Tejun Heo <tj@kernel.org>,
	Jeff Xu <jeffxu@chromium.org>,
	=?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>,
	Shakeel Butt <shakeel.butt@linux.dev>,
	Randy Dunlap <rdunlap@infradead.org>,
	Brian Gerst <brgerst@gmail.com>,
	linux-kernel@vger.kernel.org,
	llvm@lists.linux.dev,
	linux-fsdevel@vger.kernel.org,
	linux-kbuild@vger.kernel.org,
	linux-kselftest@vger.kernel.org,
	linux-hardening@vger.kernel.org
Subject: [PATCH 2/3] lkdtm/bugs: Add __counted_by_ptr() test PTR_BOUNDS
Date: Mon, 20 Oct 2025 15:01:16 -0700
Message-Id: <20251020220118.1226740-2-kees@kernel.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20251020220005.work.095-kees@kernel.org>
References: <20251020220005.work.095-kees@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=4744; i=kees@kernel.org;
 h=from:subject; bh=7+0qu+Gu0CqwtZbcxHs4OLhPuV8Fj8KuBq9/KFtLGnY=;
 b=owGbwMvMwCVmps19z/KJym7G02pJDBnfNur8unplg3+cLl+j6ZMb02M/feXZ4V00bcPbk1vlZ
 +jW/als7ihlYRDjYpAVU2QJsnOPc/F42x7uPlcRZg4rE8gQBi5OAZjIvWxGhkPTVYrmBLvdX/wt
 U/qSt9K/luwf/Nk3j4kVfTOWj/9UcoOR4VjH9uQz1wTE5fNa7zXVOzzu7dT9G6dts8N6e9Orshm
 MDAA=
X-Developer-Key: i=kees@kernel.org; a=openpgp;
 fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Provide run-time validation of the __counted_by_ptr() annotation via
newly added PTR_BOUNDS LKDTM test.

Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/lkdtm/bugs.c               | 90 ++++++++++++++++++++++---
 tools/testing/selftests/lkdtm/tests.txt |  2 +
 2 files changed, 84 insertions(+), 8 deletions(-)

diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
index 376047beea3d..a069a7d686fc 100644
--- a/drivers/misc/lkdtm/bugs.c
+++ b/drivers/misc/lkdtm/bugs.c
@@ -414,32 +414,32 @@ static void lkdtm_ARRAY_BOUNDS(void)
 		pr_expected_config(CONFIG_UBSAN_BOUNDS);
 }
=20
-struct lkdtm_annotated {
+struct lkdtm_cb_fam {
 	unsigned long flags;
 	int count;
 	int array[] __counted_by(count);
 };
=20
-static volatile int fam_count =3D 4;
+static volatile int element_count =3D 4;
=20
 static void lkdtm_FAM_BOUNDS(void)
 {
-	struct lkdtm_annotated *inst;
+	struct lkdtm_cb_fam *inst;
=20
-	inst =3D kzalloc(struct_size(inst, array, fam_count + 1), GFP_KERNEL);
+	inst =3D kzalloc(struct_size(inst, array, element_count + 1), GFP_KERNEL);
 	if (!inst) {
 		pr_err("FAIL: could not allocate test struct!\n");
 		return;
 	}
=20
-	inst->count =3D fam_count;
+	inst->count =3D element_count;
 	pr_info("Array access within bounds ...\n");
-	inst->array[1] =3D fam_count;
+	inst->array[1] =3D element_count;
 	ignored =3D inst->array[1];
=20
 	pr_info("Array access beyond bounds ...\n");
-	inst->array[fam_count] =3D fam_count;
-	ignored =3D inst->array[fam_count];
+	inst->array[element_count] =3D element_count;
+	ignored =3D inst->array[element_count];
=20
 	kfree(inst);
=20
@@ -454,6 +454,79 @@ static void lkdtm_FAM_BOUNDS(void)
 		pr_expected_config(CONFIG_UBSAN_BOUNDS);
 }
=20
+struct lkdtm_extra {
+	short a, b;
+	u16 sixteen;
+	u32 bigger;
+	u64 biggest;
+};
+
+struct lkdtm_cb_ptr {
+	int a, b, c;
+	int nr_extra;
+	char *buf __counted_by_ptr(len);
+	size_t len;
+	struct lkdtm_extra *extra __counted_by_ptr(nr_extra);
+};
+
+static noinline void check_ptr_len(struct lkdtm_cb_ptr *p, size_t len)
+{
+	if (__member_size(p->buf) !=3D len)
+		pr_err("FAIL: could not determine size of inst->buf: %zu\n",
+			__member_size(p->buf));
+	else
+		pr_info("good: inst->buf length is %zu\n", len);
+}
+
+static void lkdtm_PTR_BOUNDS(void)
+{
+	struct lkdtm_cb_ptr *inst;
+
+	inst =3D kzalloc(sizeof(*inst), GFP_KERNEL);
+	if (!inst) {
+		pr_err("FAIL: could not allocate struct lkdtm_cb_ptr!\n");
+		return;
+	}
+
+	inst->buf =3D kzalloc(element_count, GFP_KERNEL);
+	if (!inst->buf) {
+		pr_err("FAIL: could not allocate inst->buf!\n");
+		return;
+	}
+	inst->len =3D element_count;
+
+	/* Double element_count */
+	inst->extra =3D kcalloc(element_count * 2, sizeof(*inst->extra), GFP_KERN=
EL);
+	inst->nr_extra =3D element_count * 2;
+
+	pr_info("Pointer access within bounds ...\n");
+	check_ptr_len(inst, 4);
+	/* All 4 bytes */
+	inst->buf[0] =3D 'A';
+	inst->buf[1] =3D 'B';
+	inst->buf[2] =3D 'C';
+	inst->buf[3] =3D 'D';
+	/* Halfway into the array */
+	inst->extra[element_count].biggest =3D 0x1000;
+
+	pr_info("Pointer access beyond bounds ...\n");
+	ignored =3D inst->extra[inst->nr_extra].b;
+
+	kfree(inst->extra);
+	kfree(inst->buf);
+	kfree(inst);
+
+	pr_err("FAIL: survived access of invalid pointer member offset!\n");
+
+	if (!IS_ENABLED(CONFIG_CC_HAS_COUNTED_BY_PTR))
+		pr_warn("This is expected since this %s was built with a compiler that d=
oes not support __counted_by_ptr\n",
+			lkdtm_kernel_info);
+	else if (IS_ENABLED(CONFIG_UBSAN_BOUNDS))
+		pr_expected_config(CONFIG_UBSAN_TRAP);
+	else
+		pr_expected_config(CONFIG_UBSAN_BOUNDS);
+}
+
 static void lkdtm_CORRUPT_LIST_ADD(void)
 {
 	/*
@@ -716,6 +789,7 @@ static struct crashtype crashtypes[] =3D {
 	CRASHTYPE(OVERFLOW_UNSIGNED),
 	CRASHTYPE(ARRAY_BOUNDS),
 	CRASHTYPE(FAM_BOUNDS),
+	CRASHTYPE(PTR_BOUNDS),
 	CRASHTYPE(CORRUPT_LIST_ADD),
 	CRASHTYPE(CORRUPT_LIST_DEL),
 	CRASHTYPE(STACK_GUARD_PAGE_LEADING),
diff --git a/tools/testing/selftests/lkdtm/tests.txt b/tools/testing/selfte=
sts/lkdtm/tests.txt
index cff124c1eddd..204d4a669632 100644
--- a/tools/testing/selftests/lkdtm/tests.txt
+++ b/tools/testing/selftests/lkdtm/tests.txt
@@ -9,6 +9,8 @@ EXCEPTION
 #CORRUPT_STACK Crashes entire system on success
 #CORRUPT_STACK_STRONG Crashes entire system on success
 ARRAY_BOUNDS call trace:|UBSAN: array-index-out-of-bounds
+FAM_BOUNDS call trace:|UBSAN: array-index-out-of-bounds
+PTR_BOUNDS call trace:|UBSAN: array-index-out-of-bounds
 CORRUPT_LIST_ADD list_add corruption
 CORRUPT_LIST_DEL list_del corruption
 STACK_GUARD_PAGE_LEADING
--=20
2.34.1
From nobody Sat Feb  7 21:53:12 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 86F722EF67A;
	Mon, 20 Oct 2025 22:01:19 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1760997679; cv=none;
 b=KLqt5jShxZLiwOhVguBQCIXgQwiO5C3WimrtDcwzDLYjI+EKZY0u4QA8fkOokS4wQ4fyXee42qrhajfjZifz6nNu7ji1AJi9sQwJ0ht+uxpCgqy6EGDh0Tvx2r7zHs1enWp7OlHtB02eEu2oQZuZzndm/CzAY/PP+F26KDS2y8E=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1760997679; c=relaxed/simple;
	bh=6ooqboEeSC/M2BVGV1rj5vMoK7jclehBAHjVVTCFn4k=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=DNECF8iRljwD08sY8JarHo/vGWW7+iWisG/HAiNGp5YS11Cws2CxGBV5s4Pv6D22OG/o5WEI5/cuynjj2+T2lLWcgSjreMeERCPfp5tzAdb4QcgQs6sG7YvW+qEiUIvk4GfK05xbak4j3FZm+19vuurjjjFtU7S9YdZHTRGA2u8=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=i6rh+lwl; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="i6rh+lwl"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id C2A7EC19422;
	Mon, 20 Oct 2025 22:01:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1760997678;
	bh=6ooqboEeSC/M2BVGV1rj5vMoK7jclehBAHjVVTCFn4k=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=i6rh+lwlR7mlHL8QrmRRJrUqLPXobrHQxNTkAqLGKcZ76PCulxXUDXr71kg5oQqjD
	 OtflfYW+deT7q1mfPHlQSbdOJh8d8KiDWpKYQCbclAs0PnLPvZdwMS2JrDIXqJYjbK
	 Q5afeiUW3E2QU3ZjBP/WOXM5yP7CfRVhiVc+KQ4IaFBSFODP8wYzn5An6Y4ZKD1e8V
	 p7OiKdmC27vXkEGKTNi9leyi1ybAME5dfzCqNqMRlT5JwnrOpi+CfcOclexNfKkiMh
	 cZuY9iG9f9/9dFcw+izTUcqMVE5BLgrZeCOCVf3lyiDOEc92oOBPwfR4wOdqKy5v/w
	 OYlENfFCiUnEQ==
From: Kees Cook <kees@kernel.org>
To: Miguel Ojeda <ojeda@kernel.org>
Cc: Kees Cook <kees@kernel.org>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>,
	Jan Kara <jack@suse.cz>,
	linux-fsdevel@vger.kernel.org,
	Nathan Chancellor <nathan@kernel.org>,
	Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
	Bill Wendling <morbo@google.com>,
	Justin Stitt <justinstitt@google.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Marco Elver <elver@google.com>,
	Przemek Kitszel <przemyslaw.kitszel@intel.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Masahiro Yamada <masahiroy@kernel.org>,
	Christophe Leroy <christophe.leroy@csgroup.eu>,
	Johannes Weiner <hannes@cmpxchg.org>,
	Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Nicolas Schier <nicolas.schier@linux.dev>,
	Shuah Khan <shuah@kernel.org>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>,
	=?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <thomas.weissschuh@linutronix.de>,
	Tamir Duberstein <tamird@gmail.com>,
	Michael Kelley <mhklinux@outlook.com>,
	kernel test robot <lkp@intel.com>,
	Heiko Carstens <hca@linux.ibm.com>,
	Uros Bizjak <ubizjak@gmail.com>,
	Jan Hendrik Farr <kernel@jfarr.cc>,
	Yafang Shao <laoar.shao@gmail.com>,
	Marc Herbert <Marc.Herbert@linux.intel.com>,
	Christopher Ferris <cferris@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Alexander Lobakin <aleksander.lobakin@intel.com>,
	Paolo Abeni <pabeni@redhat.com>,
	Tejun Heo <tj@kernel.org>,
	Jeff Xu <jeffxu@chromium.org>,
	=?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>,
	Shakeel Butt <shakeel.butt@linux.dev>,
	Randy Dunlap <rdunlap@infradead.org>,
	Brian Gerst <brgerst@gmail.com>,
	linux-kernel@vger.kernel.org,
	llvm@lists.linux.dev,
	linux-kbuild@vger.kernel.org,
	linux-kselftest@vger.kernel.org,
	linux-hardening@vger.kernel.org
Subject: [PATCH 3/3] coredump: Use __counted_by_ptr for struct
 core_name::corename
Date: Mon, 20 Oct 2025 15:01:17 -0700
Message-Id: <20251020220118.1226740-3-kees@kernel.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20251020220005.work.095-kees@kernel.org>
References: <20251020220005.work.095-kees@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=1204; i=kees@kernel.org;
 h=from:subject; bh=6ooqboEeSC/M2BVGV1rj5vMoK7jclehBAHjVVTCFn4k=;
 b=owGbwMvMwCVmps19z/KJym7G02pJDBnfNuqYTSg5uLShwczqrLnczJkftJk7S+Q45f7NyXjK/
 fj0nmt8HaUsDGJcDLJiiixBdu5xLh5v28Pd5yrCzGFlAhnCwMUpABPxZGH4Z+Kjc/X/NVaGC/O6
 pyxpkCruKDr1/6O8z7WNHGqfyi3mXmb4XzRFd7KO/fet1rnaL5laLWdsSE5N5PFNuWEU9MB0+ZY
 WDgA=
X-Developer-Key: i=kees@kernel.org; a=openpgp;
 fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Use the __counted_by annotation now available for struct pointer
members, __counted_by_ptr(). Move assignments to immediately
after allocation.

Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: <linux-fsdevel@vger.kernel.org>
---
 fs/coredump.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/coredump.c b/fs/coredump.c
index 5c1c381ee380..876f1cdb756f 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -92,7 +92,7 @@ enum coredump_type_t {
 };
=20
 struct core_name {
-	char *corename;
+	char *corename __counted_by_ptr(size);
 	int used, size;
 	unsigned int core_pipe_limit;
 	bool core_dumped;
@@ -106,15 +106,15 @@ static int expand_corename(struct core_name *cn, int =
size)
=20
 	size =3D kmalloc_size_roundup(size);
 	corename =3D krealloc(cn->corename, size, GFP_KERNEL);
-
 	if (!corename)
 		return -ENOMEM;
=20
+	cn->corename =3D corename;
+	cn->size =3D size;
+
 	if (size > core_name_size) /* racy but harmless */
 		core_name_size =3D size;
=20
-	cn->size =3D size;
-	cn->corename =3D corename;
 	return 0;
 }
=20
--=20
2.34.1