Clang and GCC are expanding the '__counted_by' attribute to support
pointers in structs. Clang has support for it since version 21. This
requires defining a separate macro, '__counted_by_ptr', because, while
the attribute has the same name for both a pointer and a flexible array
member, minimal compiler versions need to catch up.
The effect of this feature is the same as for __counted_by on flexible
array members. It provides hardening the ability to perform run-time
bounds checking on otherwise unknown-size pointers.
Cc: Kees Cook <kees@kernel.org>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Marc Herbert <Marc.Herbert@linux.intel.com>
Cc: Uros Bizjak <ubizjak@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Jeff Xu <jeffxu@chromium.org>
Cc: "Michal Koutný" <mkoutny@suse.com>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>
Cc: John Stultz <jstultz@google.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: linux-kernel@vger.kernel.org
Cc: linux-hardening@vger.kernel.org
Cc: llvm@lists.linux.dev
Signed-off-by: Bill Wendling <morbo@google.com>
---
include/linux/compiler_types.h | 11 +++++++++++
init/Kconfig | 5 +++++
2 files changed, 16 insertions(+)
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index 0a1b9598940d..2b0251bb951c 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -351,6 +351,17 @@ struct ftrace_likely_data {
# define __assume(expr)
#endif
+/*
+ * Optional: only supported since clang >= 21
+ *
+ * clang: https://github.com/llvm/llvm-project/pull/137250
+ */
+#ifdef CONFIG_CC_HAS_COUNTED_BY_FOR_POINTER
+#define __counted_by_ptr(member) __attribute__((__counted_by__(member)))
+#else
+#define __counted_by_ptr(member)
+#endif
+
/*
* Optional: only supported since gcc >= 15
* Optional: only supported since clang >= 18
diff --git a/init/Kconfig b/init/Kconfig
index cab3ad28ca49..298c94c4c1b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -139,6 +139,11 @@ config CC_HAS_COUNTED_BY
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
default y if CC_IS_GCC && GCC_VERSION >= 150100
+config CC_HAS_COUNTED_BY_ON_POINTERS
+ bool
+ # Needs clang 21.1.0 or higher.
+ default y if CC_IS_CLANG && CLANG_VERSION >= 210100
+
config CC_HAS_MULTIDIMENSIONAL_NONSTRING
def_bool $(success,echo 'char tag[][4] __attribute__((__nonstring__)) = { };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror)
--
2.52.0.rc2.455.g230fcf2819-googOn Fri, Nov 21, 2025 at 11:40 AM Bill Wendling <morbo@google.com> wrote:
>
> Clang and GCC are expanding the '__counted_by' attribute to support
> pointers in structs. Clang has support for it since version 21. This
> requires defining a separate macro, '__counted_by_ptr', because, while
> the attribute has the same name for both a pointer and a flexible array
> member, minimal compiler versions need to catch up.
>
> The effect of this feature is the same as for __counted_by on flexible
> array members. It provides hardening the ability to perform run-time
> bounds checking on otherwise unknown-size pointers.
>
> Cc: Kees Cook <kees@kernel.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
> Cc: Justin Stitt <justinstitt@google.com>
> Cc: Miguel Ojeda <ojeda@kernel.org>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Heiko Carstens <hca@linux.ibm.com>
> Cc: Marc Herbert <Marc.Herbert@linux.intel.com>
> Cc: Uros Bizjak <ubizjak@gmail.com>
> Cc: Tejun Heo <tj@kernel.org>
> Cc: Jeff Xu <jeffxu@chromium.org>
> Cc: "Michal Koutný" <mkoutny@suse.com>
> Cc: Shakeel Butt <shakeel.butt@linux.dev>
> Cc: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>
> Cc: John Stultz <jstultz@google.com>
> Cc: Christian Brauner <brauner@kernel.org>
> Cc: Randy Dunlap <rdunlap@infradead.org>
> Cc: Brian Gerst <brgerst@gmail.com>
> Cc: Masahiro Yamada <masahiroy@kernel.org>
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-hardening@vger.kernel.org
> Cc: llvm@lists.linux.dev
> Signed-off-by: Bill Wendling <morbo@google.com>
> ---
> include/linux/compiler_types.h | 11 +++++++++++
> init/Kconfig | 5 +++++
> 2 files changed, 16 insertions(+)
>
> diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
> index 0a1b9598940d..2b0251bb951c 100644
> --- a/include/linux/compiler_types.h
> +++ b/include/linux/compiler_types.h
> @@ -351,6 +351,17 @@ struct ftrace_likely_data {
> # define __assume(expr)
> #endif
>
> +/*
> + * Optional: only supported since clang >= 21
> + *
> + * clang: https://github.com/llvm/llvm-project/pull/137250
> + */
> +#ifdef CONFIG_CC_HAS_COUNTED_BY_FOR_POINTER
> +#define __counted_by_ptr(member) __attribute__((__counted_by__(member)))
> +#else
> +#define __counted_by_ptr(member)
> +#endif
> +
> /*
> * Optional: only supported since gcc >= 15
> * Optional: only supported since clang >= 18
> diff --git a/init/Kconfig b/init/Kconfig
> index cab3ad28ca49..298c94c4c1b1 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -139,6 +139,11 @@ config CC_HAS_COUNTED_BY
> # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
> default y if CC_IS_GCC && GCC_VERSION >= 150100
>
> +config CC_HAS_COUNTED_BY_ON_POINTERS
> + bool
> + # Needs clang 21.1.0 or higher.
> + default y if CC_IS_CLANG && CLANG_VERSION >= 210100
> +
I mistakenly left out GCC from here. I'll roll that in with v2.
-bw
> config CC_HAS_MULTIDIMENSIONAL_NONSTRING
> def_bool $(success,echo 'char tag[][4] __attribute__((__nonstring__)) = { };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror)
>
> --
> 2.52.0.rc2.455.g230fcf2819-goog
>
Clang and GCC are expanding the '__counted_by' attribute to support
pointers in structs. Clang has support for it since version 21. This
requires defining a separate macro, '__counted_by_ptr', because, while
the attribute has the same name for both a pointer and a flexible array
member, minimal compiler versions need to catch up.
The effect of this feature is the same as for __counted_by on flexible
array members. It provides hardening the ability to perform run-time
bounds checking on otherwise unknown-size pointers.
Cc: Kees Cook <kees@kernel.org>
Cc: Qing Zhao <qing.zhao@oracle.com>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Marc Herbert <Marc.Herbert@linux.intel.com>
Cc: Uros Bizjak <ubizjak@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Jeff Xu <jeffxu@chromium.org>
Cc: "Michal Koutný" <mkoutny@suse.com>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>
Cc: John Stultz <jstultz@google.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: linux-kernel@vger.kernel.org
Cc: linux-hardening@vger.kernel.org
Cc: llvm@lists.linux.dev
Signed-off-by: Bill Wendling <morbo@google.com>
---
v2 - Add support for GCC.
---
include/linux/compiler_types.h | 11 +++++++++++
init/Kconfig | 7 +++++++
2 files changed, 18 insertions(+)
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index 0a1b9598940d..2b0251bb951c 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -351,6 +351,17 @@ struct ftrace_likely_data {
# define __assume(expr)
#endif
+/*
+ * Optional: only supported since clang >= 21
+ *
+ * clang: https://github.com/llvm/llvm-project/pull/137250
+ */
+#ifdef CONFIG_CC_HAS_COUNTED_BY_FOR_POINTER
+#define __counted_by_ptr(member) __attribute__((__counted_by__(member)))
+#else
+#define __counted_by_ptr(member)
+#endif
+
/*
* Optional: only supported since gcc >= 15
* Optional: only supported since clang >= 18
diff --git a/init/Kconfig b/init/Kconfig
index cab3ad28ca49..f947f242bca8 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -139,6 +139,13 @@ config CC_HAS_COUNTED_BY
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
default y if CC_IS_GCC && GCC_VERSION >= 150100
+config CC_HAS_COUNTED_BY_ON_POINTERS
+ bool
+ # supported since clang 21.1.0
+ default y if CC_IS_CLANG && CLANG_VERSION >= 210100
+ # supported since gcc 16.0.0
+ default y if CC_IS_GCC && GCC_VERSION >= 160000
+
config CC_HAS_MULTIDIMENSIONAL_NONSTRING
def_bool $(success,echo 'char tag[][4] __attribute__((__nonstring__)) = { };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror)
--
2.52.0.rc2.455.g230fcf2819-googOn Fri, Nov 21, 2025 at 8:55 PM Bill Wendling <morbo@google.com> wrote: > > +/* > + * Optional: only supported since clang >= 21 > + * > + * clang: https://github.com/llvm/llvm-project/pull/137250 > + */ > +#ifdef CONFIG_CC_HAS_COUNTED_BY_FOR_POINTER > +#define __counted_by_ptr(member) __attribute__((__counted_by__(member))) > +#else > +#define __counted_by_ptr(member) > +#endif I guess there is a reason for this name, but it sounds to me a bit like the thing between parenthesis is a pointer, i.e. that perhaps it is the pointee that one that counts. Hmm... what about `__ptr_counted_by`? In addition, could we please provide a bit of context in the documentation? i.e. links to the attribute docs in both Clang and GCC. And perhaps explaining why this cannot use `__has_attribute`, i.e. what the commit log mentions. Thanks! Cheers, Miguel
On Fri, Nov 21, 2025 at 10:47:45PM +0100, Miguel Ojeda wrote: > On Fri, Nov 21, 2025 at 8:55 PM Bill Wendling <morbo@google.com> wrote: > > > > +/* > > + * Optional: only supported since clang >= 21 > > + * > > + * clang: https://github.com/llvm/llvm-project/pull/137250 > > + */ > > +#ifdef CONFIG_CC_HAS_COUNTED_BY_FOR_POINTER > > +#define __counted_by_ptr(member) __attribute__((__counted_by__(member))) > > +#else > > +#define __counted_by_ptr(member) > > +#endif > > I guess there is a reason for this name, but it sounds to me a bit > like the thing between parenthesis is a pointer, i.e. that perhaps it > is the pointee that one that counts. > > Hmm... what about `__ptr_counted_by`? Kees promised to drop this attribute once GCC-16 releases by basically doing 's/__counted_by_ptr/__counted_by/' and unifying things again. This split out state will only exist for a very short while until GCC has a release with this feature on.
On Fri, Jan 16, 2026 at 9:35 AM Peter Zijlstra <peterz@infradead.org> wrote: > > Kees promised to drop this attribute once GCC-16 releases by basically > doing 's/__counted_by_ptr/__counted_by/' and unifying things again. > > This split out state will only exist for a very short while until GCC > has a release with this feature on. Ah, I see, thanks! (even if it happens later, that sounds fine) Cheers, Miguel
On Fri, Jan 16, 2026 at 09:35:16AM +0100, Peter Zijlstra wrote: > On Fri, Nov 21, 2025 at 10:47:45PM +0100, Miguel Ojeda wrote: > > On Fri, Nov 21, 2025 at 8:55 PM Bill Wendling <morbo@google.com> wrote: > > > > > > +/* > > > + * Optional: only supported since clang >= 21 > > > + * > > > + * clang: https://github.com/llvm/llvm-project/pull/137250 > > > + */ > > > +#ifdef CONFIG_CC_HAS_COUNTED_BY_FOR_POINTER > > > +#define __counted_by_ptr(member) __attribute__((__counted_by__(member))) > > > +#else > > > +#define __counted_by_ptr(member) > > > +#endif > > > > I guess there is a reason for this name, but it sounds to me a bit > > like the thing between parenthesis is a pointer, i.e. that perhaps it > > is the pointee that one that counts. > > > > Hmm... what about `__ptr_counted_by`? > > Kees promised to drop this attribute once GCC-16 releases by basically > doing 's/__counted_by_ptr/__counted_by/' and unifying things again. Yeah, this will effectively raise "counted_by" support to GCC 16 (from 15) and to Clang 22 (from 20). I'd still prefer to keep the earlier support, but we'll see how it goes. -Kees -- Kees Cook
On Fri, Nov 21, 2025 at 1:48 PM Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> wrote: > On Fri, Nov 21, 2025 at 8:55 PM Bill Wendling <morbo@google.com> wrote: > > > > +/* > > + * Optional: only supported since clang >= 21 > > + * > > + * clang: https://github.com/llvm/llvm-project/pull/137250 > > + */ > > +#ifdef CONFIG_CC_HAS_COUNTED_BY_FOR_POINTER > > +#define __counted_by_ptr(member) __attribute__((__counted_by__(member))) > > +#else > > +#define __counted_by_ptr(member) > > +#endif > > I guess there is a reason for this name, but it sounds to me a bit > like the thing between parenthesis is a pointer, i.e. that perhaps it > is the pointee that one that counts. > > Hmm... what about `__ptr_counted_by`? > > In addition, could we please provide a bit of context in the > documentation? i.e. links to the attribute docs in both Clang and GCC. > > And perhaps explaining why this cannot use `__has_attribute`, i.e. > what the commit log mentions. > The attribute used to be hidden behind "__has_attribute" (git show c8248faf3ca2), but was converted to a 'CONFIG_' variable due to (I assume) bug fixes that occurred at different compiler versions (git show f06e108a3dc53). Also "__has_attribute" won't work in this situation, because the attribute name, "__counted_by__", is used for both a pointer field (unsupported) and the flexible array member (supported). The naming of the macro is flexible of course. I have a preference for adding a suffix, because there are other expansions of this and other bounds safety attributes where, during discussions about the attributes' syntaxes, we've been using suffixes. I.e., Clang supports a limited form of context-free expressions as the argument to the attribute. We want to add support for that in the future, but there are issues with adding that support to GCC that haven't been ironed out yet. We've been calling that macro "__counted_by_expr", because again the attribute name is the same. This is not to say that it's the *best* name for the macro, but it does seem natural. I'll add these explanations to the commit message in a new version after I collect all feedback. :-) Thanks! -bw
Introduce __counted_by_ptr(), which works like __counted_by(), but for
pointer struct members.
struct foo {
int a, b, c;
char *buffer __counted_by_ptr(bytes);
short nr_bars;
struct bar *bars __counted_by_ptr(nr_bars);
size_t bytes;
};
Because "counted_by" can only be applied to pointer members in very
recent compiler versions, its application ends up needing to be distinct
from flexibe array "counted_by" annotations, hence a separate macro.
Note that Clang's support for "void *" members will be in version 22.
So, when using Clang, you'll need to wait until its release before using
the feature with "void *". No such restriction applies to GCC's version
16.
This is a reworking of Kees' previous patch [1].
Link: https://lore.kernel.org/all/20251020220118.1226740-1-kees@kernel.org/ [1]
Co-developed-by: Kees Cook <kees@kernel.org>
Signed-off-by: Bill Wendling <morbo@google.com>
---
Cc: Kees Cook <kees@kernel.org>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Marc Herbert <Marc.Herbert@linux.intel.com>
Cc: Uros Bizjak <ubizjak@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Jeff Xu <jeffxu@chromium.org>
Cc: "Michal Koutný" <mkoutny@suse.com>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>
Cc: John Stultz <jstultz@google.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: linux-kernel@vger.kernel.org
Cc: linux-hardening@vger.kernel.org
Cc: llvm@lists.linux.dev
---
v3 - Replace the previous code with a modified version of Kees' previous patch
[1].
- The question about the naming of the macro was considered, but we decided
to keep the original naming (__counted_by_ptr), because it mirrors the current
macros like "__counted_by_{le,be}".
v2 - Add support for GCC.
---
Makefile | 6 ++++++
include/linux/compiler_types.h | 18 +++++++++++++++++-
include/uapi/linux/stddef.h | 4 ++++
init/Kconfig | 7 +++++++
4 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 9d38125263fb..6b029f694bc2 100644
--- a/Makefile
+++ b/Makefile
@@ -952,6 +952,12 @@ KBUILD_CFLAGS += $(CC_AUTO_VAR_INIT_ZERO_ENABLER)
endif
endif
+ifdef CONFIG_CC_IS_CLANG
+ifdef CONFIG_CC_HAS_COUNTED_BY_PTR
+KBUILD_CFLAGS += -fexperimental-late-parse-attributes
+endif
+endif
+
# Explicitly clear padding bits during variable initialization
KBUILD_CFLAGS += $(call cc-option,-fzero-init-padding-bits=all)
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index d3318a3c2577..e597c814d60b 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -369,7 +369,7 @@ struct ftrace_likely_data {
* Optional: only supported since clang >= 18
*
* gcc: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
- * clang: https://github.com/llvm/llvm-project/pull/76348
+ * clang: https://clang.llvm.org/docs/AttributeReference.html#counted-by-counted-by-or-null-sized-by-sized-by-or-null
*
* __bdos on clang < 19.1.2 can erroneously return 0:
* https://github.com/llvm/llvm-project/pull/110497
@@ -383,6 +383,22 @@ struct ftrace_likely_data {
# define __counted_by(member)
#endif
+/*
+ * Runtime track number of objects pointed to by a pointer member for use by
+ * CONFIG_FORTIFY_SOURCE and CONFIG_UBSAN_BOUNDS.
+ *
+ * Optional: only supported since gcc >= 16
+ * Optional: only supported since clang >= 21.1
+ *
+ * gcc: https://gcc.gnu.org/pipermail/gcc-patches/2025-April/681727.html
+ * clang: https://github.com/llvm/llvm-project/pull/137250
+ */
+#ifdef CONFIG_CC_HAS_COUNTED_BY_PTR
+#define __counted_by_ptr(member) __attribute__((__counted_by__(member)))
+#else
+#define __counted_by_ptr(member)
+#endif
+
/*
* Optional: only supported since gcc >= 15
* Optional: not supported by Clang
diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h
index 9a28f7d9a334..111b097ec00b 100644
--- a/include/uapi/linux/stddef.h
+++ b/include/uapi/linux/stddef.h
@@ -72,6 +72,10 @@
#define __counted_by_be(m)
#endif
+#ifndef __counted_by_ptr
+#define __counted_by_ptr(m)
+#endif
+
#ifdef __KERNEL__
#define __kernel_nonstring __nonstring
#else
diff --git a/init/Kconfig b/init/Kconfig
index fa79feb8fe57..dc27b998d111 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -143,6 +143,13 @@ config CC_HAS_COUNTED_BY
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
default y if CC_IS_GCC && GCC_VERSION >= 150100
+config CC_HAS_COUNTED_BY_PTR
+ bool
+ # supported since clang 21.1.0
+ default y if CC_IS_CLANG && CLANG_VERSION >= 210100
+ # supported since gcc 16.0.0
+ default y if CC_IS_GCC && GCC_VERSION >= 160000
+
config CC_HAS_MULTIDIMENSIONAL_NONSTRING
def_bool $(success,echo 'char tag[][4] __attribute__((__nonstring__)) = { };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror)
--
2.52.0.457.g6b5491de43-googOn Wed, Jan 14, 2026 at 07:36:47PM +0000, Bill Wendling wrote:
> Introduce __counted_by_ptr(), which works like __counted_by(), but for
> pointer struct members.
>
> struct foo {
> int a, b, c;
> char *buffer __counted_by_ptr(bytes);
> short nr_bars;
> struct bar *bars __counted_by_ptr(nr_bars);
> size_t bytes;
> };
>
> Because "counted_by" can only be applied to pointer members in very
> recent compiler versions, its application ends up needing to be distinct
> from flexibe array "counted_by" annotations, hence a separate macro.
>
> Note that Clang's support for "void *" members will be in version 22.
> So, when using Clang, you'll need to wait until its release before using
> the feature with "void *". No such restriction applies to GCC's version
> 16.
I think to keep operational parity, we should limit counted_ptr on Clang
to version 22 then, otherwise we'll have problems using it on void *.
> This is a reworking of Kees' previous patch [1].
Thanks for this!
>
> Link: https://lore.kernel.org/all/20251020220118.1226740-1-kees@kernel.org/ [1]
> Co-developed-by: Kees Cook <kees@kernel.org>
This needs to be followed by my S-o-b, I think? checkpatch.pl ought to
check this.
> Signed-off-by: Bill Wendling <morbo@google.com>
> ---
> Cc: Kees Cook <kees@kernel.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
> Cc: Justin Stitt <justinstitt@google.com>
> Cc: Miguel Ojeda <ojeda@kernel.org>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Heiko Carstens <hca@linux.ibm.com>
> Cc: Marc Herbert <Marc.Herbert@linux.intel.com>
> Cc: Uros Bizjak <ubizjak@gmail.com>
> Cc: Tejun Heo <tj@kernel.org>
> Cc: Jeff Xu <jeffxu@chromium.org>
> Cc: "Michal Koutný" <mkoutny@suse.com>
> Cc: Shakeel Butt <shakeel.butt@linux.dev>
> Cc: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>
> Cc: John Stultz <jstultz@google.com>
> Cc: Christian Brauner <brauner@kernel.org>
> Cc: Randy Dunlap <rdunlap@infradead.org>
> Cc: Brian Gerst <brgerst@gmail.com>
> Cc: Masahiro Yamada <masahiroy@kernel.org>
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-hardening@vger.kernel.org
> Cc: llvm@lists.linux.dev
> ---
> v3 - Replace the previous code with a modified version of Kees' previous patch
> [1].
> - The question about the naming of the macro was considered, but we decided
> to keep the original naming (__counted_by_ptr), because it mirrors the current
> macros like "__counted_by_{le,be}".
> v2 - Add support for GCC.
> ---
> Makefile | 6 ++++++
> include/linux/compiler_types.h | 18 +++++++++++++++++-
> include/uapi/linux/stddef.h | 4 ++++
> init/Kconfig | 7 +++++++
> 4 files changed, 34 insertions(+), 1 deletion(-)
>
> diff --git a/Makefile b/Makefile
> index 9d38125263fb..6b029f694bc2 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -952,6 +952,12 @@ KBUILD_CFLAGS += $(CC_AUTO_VAR_INIT_ZERO_ENABLER)
> endif
> endif
>
> +ifdef CONFIG_CC_IS_CLANG
> +ifdef CONFIG_CC_HAS_COUNTED_BY_PTR
> +KBUILD_CFLAGS += -fexperimental-late-parse-attributes
> +endif
> +endif
> +
> # Explicitly clear padding bits during variable initialization
> KBUILD_CFLAGS += $(call cc-option,-fzero-init-padding-bits=all)
>
> diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
> index d3318a3c2577..e597c814d60b 100644
> --- a/include/linux/compiler_types.h
> +++ b/include/linux/compiler_types.h
> @@ -369,7 +369,7 @@ struct ftrace_likely_data {
> * Optional: only supported since clang >= 18
> *
> * gcc: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
> - * clang: https://github.com/llvm/llvm-project/pull/76348
> + * clang: https://clang.llvm.org/docs/AttributeReference.html#counted-by-counted-by-or-null-sized-by-sized-by-or-null
> *
> * __bdos on clang < 19.1.2 can erroneously return 0:
> * https://github.com/llvm/llvm-project/pull/110497
> @@ -383,6 +383,22 @@ struct ftrace_likely_data {
> # define __counted_by(member)
> #endif
>
> +/*
> + * Runtime track number of objects pointed to by a pointer member for use by
> + * CONFIG_FORTIFY_SOURCE and CONFIG_UBSAN_BOUNDS.
> + *
> + * Optional: only supported since gcc >= 16
> + * Optional: only supported since clang >= 21.1
As I mention above, let's make this 22
> + *
> + * gcc: https://gcc.gnu.org/pipermail/gcc-patches/2025-April/681727.html
> + * clang: https://github.com/llvm/llvm-project/pull/137250
Oh, hm, did the docs for
https://clang.llvm.org/docs/AttributeReference.html#counted-by-counted-by-or-null-sized-by-sized-by-or-null
not get updated by the above PR? Docs should get added to LLVM for this
so we can link to the same AttributeReference.html as above.
And, actually, same question for GCC, now that I'm looking at this...
> + */
> +#ifdef CONFIG_CC_HAS_COUNTED_BY_PTR
> +#define __counted_by_ptr(member) __attribute__((__counted_by__(member)))
> +#else
> +#define __counted_by_ptr(member)
> +#endif
> +
> /*
> * Optional: only supported since gcc >= 15
> * Optional: not supported by Clang
> diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h
> index 9a28f7d9a334..111b097ec00b 100644
> --- a/include/uapi/linux/stddef.h
> +++ b/include/uapi/linux/stddef.h
> @@ -72,6 +72,10 @@
> #define __counted_by_be(m)
> #endif
>
> +#ifndef __counted_by_ptr
> +#define __counted_by_ptr(m)
> +#endif
> +
> #ifdef __KERNEL__
> #define __kernel_nonstring __nonstring
> #else
> diff --git a/init/Kconfig b/init/Kconfig
> index fa79feb8fe57..dc27b998d111 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -143,6 +143,13 @@ config CC_HAS_COUNTED_BY
> # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
> default y if CC_IS_GCC && GCC_VERSION >= 150100
>
> +config CC_HAS_COUNTED_BY_PTR
> + bool
> + # supported since clang 21.1.0
> + default y if CC_IS_CLANG && CLANG_VERSION >= 210100
Let's do 22
> + # supported since gcc 16.0.0
> + default y if CC_IS_GCC && GCC_VERSION >= 160000
> +
> config CC_HAS_MULTIDIMENSIONAL_NONSTRING
> def_bool $(success,echo 'char tag[][4] __attribute__((__nonstring__)) = { };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror)
>
> --
> 2.52.0.457.g6b5491de43-goog
>
Great! Once this is fixed up, I'll snag the other 2 patches from my
original series too.
Thanks!
-Kees
--
Kees Cook
On Wed, Jan 14, 2026 at 08:00:54PM -0800, Kees Cook wrote:
> On Wed, Jan 14, 2026 at 07:36:47PM +0000, Bill Wendling wrote:
> > Introduce __counted_by_ptr(), which works like __counted_by(), but for
> > pointer struct members.
> >
> > struct foo {
> > int a, b, c;
> > char *buffer __counted_by_ptr(bytes);
> > short nr_bars;
> > struct bar *bars __counted_by_ptr(nr_bars);
> > size_t bytes;
> > };
> >
> > Because "counted_by" can only be applied to pointer members in very
> > recent compiler versions, its application ends up needing to be distinct
> > from flexibe array "counted_by" annotations, hence a separate macro.
> >
> > Note that Clang's support for "void *" members will be in version 22.
> > So, when using Clang, you'll need to wait until its release before using
> > the feature with "void *". No such restriction applies to GCC's version
> > 16.
>
> I think to keep operational parity, we should limit counted_ptr on Clang
> to version 22 then, otherwise we'll have problems using it on void *.
Ooh, you got that fixed! Nice!
On Fri, Jan 16, 2026 at 09:36:04AM +0100, Peter Zijlstra wrote: > On Wed, Jan 14, 2026 at 08:00:54PM -0800, Kees Cook wrote: > > I think to keep operational parity, we should limit counted_ptr on Clang > > to version 22 then, otherwise we'll have problems using it on void *. > > Ooh, you got that fixed! Nice! Yes, to my great relief, I was able to convince both GCC and Clang. -- Kees Cook
On Wed, Jan 14, 2026 at 8:00 PM Kees Cook <kees@kernel.org> wrote:
>
> On Wed, Jan 14, 2026 at 07:36:47PM +0000, Bill Wendling wrote:
> > Introduce __counted_by_ptr(), which works like __counted_by(), but for
> > pointer struct members.
> >
> > struct foo {
> > int a, b, c;
> > char *buffer __counted_by_ptr(bytes);
> > short nr_bars;
> > struct bar *bars __counted_by_ptr(nr_bars);
> > size_t bytes;
> > };
> >
> > Because "counted_by" can only be applied to pointer members in very
> > recent compiler versions, its application ends up needing to be distinct
> > from flexibe array "counted_by" annotations, hence a separate macro.
> >
> > Note that Clang's support for "void *" members will be in version 22.
> > So, when using Clang, you'll need to wait until its release before using
> > the feature with "void *". No such restriction applies to GCC's version
> > 16.
>
> I think to keep operational parity, we should limit counted_ptr on Clang
> to version 22 then, otherwise we'll have problems using it on void *.
>
> > This is a reworking of Kees' previous patch [1].
>
> Thanks for this!
>
> >
> > Link: https://lore.kernel.org/all/20251020220118.1226740-1-kees@kernel.org/ [1]
> > Co-developed-by: Kees Cook <kees@kernel.org>
>
> This needs to be followed by my S-o-b, I think? checkpatch.pl ought to
> check this.
>
> > Signed-off-by: Bill Wendling <morbo@google.com>
> > ---
> > Cc: Kees Cook <kees@kernel.org>
> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > Cc: Nathan Chancellor <nathan@kernel.org>
> > Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
> > Cc: Justin Stitt <justinstitt@google.com>
> > Cc: Miguel Ojeda <ojeda@kernel.org>
> > Cc: Peter Zijlstra <peterz@infradead.org>
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > Cc: Heiko Carstens <hca@linux.ibm.com>
> > Cc: Marc Herbert <Marc.Herbert@linux.intel.com>
> > Cc: Uros Bizjak <ubizjak@gmail.com>
> > Cc: Tejun Heo <tj@kernel.org>
> > Cc: Jeff Xu <jeffxu@chromium.org>
> > Cc: "Michal Koutný" <mkoutny@suse.com>
> > Cc: Shakeel Butt <shakeel.butt@linux.dev>
> > Cc: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>
> > Cc: John Stultz <jstultz@google.com>
> > Cc: Christian Brauner <brauner@kernel.org>
> > Cc: Randy Dunlap <rdunlap@infradead.org>
> > Cc: Brian Gerst <brgerst@gmail.com>
> > Cc: Masahiro Yamada <masahiroy@kernel.org>
> > Cc: linux-kernel@vger.kernel.org
> > Cc: linux-hardening@vger.kernel.org
> > Cc: llvm@lists.linux.dev
> > ---
> > v3 - Replace the previous code with a modified version of Kees' previous patch
> > [1].
> > - The question about the naming of the macro was considered, but we decided
> > to keep the original naming (__counted_by_ptr), because it mirrors the current
> > macros like "__counted_by_{le,be}".
> > v2 - Add support for GCC.
> > ---
> > Makefile | 6 ++++++
> > include/linux/compiler_types.h | 18 +++++++++++++++++-
> > include/uapi/linux/stddef.h | 4 ++++
> > init/Kconfig | 7 +++++++
> > 4 files changed, 34 insertions(+), 1 deletion(-)
> >
> > diff --git a/Makefile b/Makefile
> > index 9d38125263fb..6b029f694bc2 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -952,6 +952,12 @@ KBUILD_CFLAGS += $(CC_AUTO_VAR_INIT_ZERO_ENABLER)
> > endif
> > endif
> >
> > +ifdef CONFIG_CC_IS_CLANG
> > +ifdef CONFIG_CC_HAS_COUNTED_BY_PTR
> > +KBUILD_CFLAGS += -fexperimental-late-parse-attributes
> > +endif
> > +endif
> > +
> > # Explicitly clear padding bits during variable initialization
> > KBUILD_CFLAGS += $(call cc-option,-fzero-init-padding-bits=all)
> >
> > diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
> > index d3318a3c2577..e597c814d60b 100644
> > --- a/include/linux/compiler_types.h
> > +++ b/include/linux/compiler_types.h
> > @@ -369,7 +369,7 @@ struct ftrace_likely_data {
> > * Optional: only supported since clang >= 18
> > *
> > * gcc: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
> > - * clang: https://github.com/llvm/llvm-project/pull/76348
> > + * clang: https://clang.llvm.org/docs/AttributeReference.html#counted-by-counted-by-or-null-sized-by-sized-by-or-null
> > *
> > * __bdos on clang < 19.1.2 can erroneously return 0:
> > * https://github.com/llvm/llvm-project/pull/110497
> > @@ -383,6 +383,22 @@ struct ftrace_likely_data {
> > # define __counted_by(member)
> > #endif
> >
> > +/*
> > + * Runtime track number of objects pointed to by a pointer member for use by
> > + * CONFIG_FORTIFY_SOURCE and CONFIG_UBSAN_BOUNDS.
> > + *
> > + * Optional: only supported since gcc >= 16
> > + * Optional: only supported since clang >= 21.1
>
> As I mention above, let's make this 22
>
> > + *
> > + * gcc: https://gcc.gnu.org/pipermail/gcc-patches/2025-April/681727.html
> > + * clang: https://github.com/llvm/llvm-project/pull/137250
>
> Oh, hm, did the docs for
> https://clang.llvm.org/docs/AttributeReference.html#counted-by-counted-by-or-null-sized-by-sized-by-or-null
> not get updated by the above PR? Docs should get added to LLVM for this
> so we can link to the same AttributeReference.html as above.
>
> And, actually, same question for GCC, now that I'm looking at this...
>
>
> > + */
> > +#ifdef CONFIG_CC_HAS_COUNTED_BY_PTR
> > +#define __counted_by_ptr(member) __attribute__((__counted_by__(member)))
> > +#else
> > +#define __counted_by_ptr(member)
> > +#endif
> > +
> > /*
> > * Optional: only supported since gcc >= 15
> > * Optional: not supported by Clang
> > diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h
> > index 9a28f7d9a334..111b097ec00b 100644
> > --- a/include/uapi/linux/stddef.h
> > +++ b/include/uapi/linux/stddef.h
> > @@ -72,6 +72,10 @@
> > #define __counted_by_be(m)
> > #endif
> >
> > +#ifndef __counted_by_ptr
> > +#define __counted_by_ptr(m)
> > +#endif
> > +
> > #ifdef __KERNEL__
> > #define __kernel_nonstring __nonstring
> > #else
> > diff --git a/init/Kconfig b/init/Kconfig
> > index fa79feb8fe57..dc27b998d111 100644
> > --- a/init/Kconfig
> > +++ b/init/Kconfig
> > @@ -143,6 +143,13 @@ config CC_HAS_COUNTED_BY
> > # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
> > default y if CC_IS_GCC && GCC_VERSION >= 150100
> >
> > +config CC_HAS_COUNTED_BY_PTR
> > + bool
> > + # supported since clang 21.1.0
> > + default y if CC_IS_CLANG && CLANG_VERSION >= 210100
>
> Let's do 22
>
> > + # supported since gcc 16.0.0
> > + default y if CC_IS_GCC && GCC_VERSION >= 160000
> > +
> > config CC_HAS_MULTIDIMENSIONAL_NONSTRING
> > def_bool $(success,echo 'char tag[][4] __attribute__((__nonstring__)) = { };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror)
> >
> > --
> > 2.52.0.457.g6b5491de43-goog
> >
>
> Great! Once this is fixed up, I'll snag the other 2 patches from my
> original series too.
>
Should be corrected now. PTAL.
-bw
Introduce __counted_by_ptr(), which works like __counted_by(), but for
pointer struct members.
struct foo {
int a, b, c;
char *buffer __counted_by_ptr(bytes);
short nr_bars;
struct bar *bars __counted_by_ptr(nr_bars);
size_t bytes;
};
Because "counted_by" can only be applied to pointer members in very
recent compiler versions, its application ends up needing to be distinct
from flexibe array "counted_by" annotations, hence a separate macro.
This is a reworking of Kees' previous patch [1].
Link: https://lore.kernel.org/all/20251020220118.1226740-1-kees@kernel.org/ [1]
Co-developed-by: Kees Cook <kees@kernel.org>
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Bill Wendling <morbo@google.com>
---
v4 - Default to Clang's version 22, which has support for "void *".
- Add the missing S-o-b notation.
v3 - Replace the previous code with a modified version of Kees'
previous patch [1].
- The question about the naming of the macro was considered, but we
decided to keep the original naming (__counted_by_ptr), because it
mirrors the current macros like "__counted_by_{le,be}".
v2 - Add support for GCC.
---
Cc: Kees Cook <kees@kernel.org>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Marc Herbert <Marc.Herbert@linux.intel.com>
Cc: Uros Bizjak <ubizjak@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Jeff Xu <jeffxu@chromium.org>
Cc: "Michal Koutný" <mkoutny@suse.com>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>
Cc: John Stultz <jstultz@google.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: linux-kernel@vger.kernel.org
Cc: linux-hardening@vger.kernel.org
Cc: llvm@lists.linux.dev
---
Makefile | 6 ++++++
include/linux/compiler_types.h | 18 +++++++++++++++++-
include/uapi/linux/stddef.h | 4 ++++
init/Kconfig | 7 +++++++
4 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 9d38125263fb..6b029f694bc2 100644
--- a/Makefile
+++ b/Makefile
@@ -952,6 +952,12 @@ KBUILD_CFLAGS += $(CC_AUTO_VAR_INIT_ZERO_ENABLER)
endif
endif
+ifdef CONFIG_CC_IS_CLANG
+ifdef CONFIG_CC_HAS_COUNTED_BY_PTR
+KBUILD_CFLAGS += -fexperimental-late-parse-attributes
+endif
+endif
+
# Explicitly clear padding bits during variable initialization
KBUILD_CFLAGS += $(call cc-option,-fzero-init-padding-bits=all)
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index d3318a3c2577..d095beb904ea 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -369,7 +369,7 @@ struct ftrace_likely_data {
* Optional: only supported since clang >= 18
*
* gcc: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
- * clang: https://github.com/llvm/llvm-project/pull/76348
+ * clang: https://clang.llvm.org/docs/AttributeReference.html#counted-by-counted-by-or-null-sized-by-sized-by-or-null
*
* __bdos on clang < 19.1.2 can erroneously return 0:
* https://github.com/llvm/llvm-project/pull/110497
@@ -383,6 +383,22 @@ struct ftrace_likely_data {
# define __counted_by(member)
#endif
+/*
+ * Runtime track number of objects pointed to by a pointer member for use by
+ * CONFIG_FORTIFY_SOURCE and CONFIG_UBSAN_BOUNDS.
+ *
+ * Optional: only supported since gcc >= 16
+ * Optional: only supported since clang >= 22
+ *
+ * gcc: https://gcc.gnu.org/pipermail/gcc-patches/2025-April/681727.html
+ * clang: https://clang.llvm.org/docs/AttributeReference.html#counted-by-counted-by-or-null-sized-by-sized-by-or-null
+ */
+#ifdef CONFIG_CC_HAS_COUNTED_BY_PTR
+#define __counted_by_ptr(member) __attribute__((__counted_by__(member)))
+#else
+#define __counted_by_ptr(member)
+#endif
+
/*
* Optional: only supported since gcc >= 15
* Optional: not supported by Clang
diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h
index 9a28f7d9a334..111b097ec00b 100644
--- a/include/uapi/linux/stddef.h
+++ b/include/uapi/linux/stddef.h
@@ -72,6 +72,10 @@
#define __counted_by_be(m)
#endif
+#ifndef __counted_by_ptr
+#define __counted_by_ptr(m)
+#endif
+
#ifdef __KERNEL__
#define __kernel_nonstring __nonstring
#else
diff --git a/init/Kconfig b/init/Kconfig
index fa79feb8fe57..96b7cd481eaa 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -143,6 +143,13 @@ config CC_HAS_COUNTED_BY
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
default y if CC_IS_GCC && GCC_VERSION >= 150100
+config CC_HAS_COUNTED_BY_PTR
+ bool
+ # supported since clang 22
+ default y if CC_IS_CLANG && CLANG_VERSION >= 220000
+ # supported since gcc 16.0.0
+ default y if CC_IS_GCC && GCC_VERSION >= 160000
+
config CC_HAS_MULTIDIMENSIONAL_NONSTRING
def_bool $(success,echo 'char tag[][4] __attribute__((__nonstring__)) = { };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror)
--
2.52.0.457.g6b5491de43-googOn Fri, 16 Jan 2026 00:57:57 +0000, Bill Wendling wrote:
> Introduce __counted_by_ptr(), which works like __counted_by(), but for
> pointer struct members.
>
> struct foo {
> int a, b, c;
> char *buffer __counted_by_ptr(bytes);
> short nr_bars;
> struct bar *bars __counted_by_ptr(nr_bars);
> size_t bytes;
> };
>
> [...]
Applied to for-next/hardening, thanks!
[1/2] Compiler Attributes: Add __counted_by_ptr macro
https://git.kernel.org/kees/c/150a04d817d8
Take care,
--
Kees Cook
On Fri, 16 Jan 2026 00:57:57 +0000
Bill Wendling <morbo@google.com> wrote:
> Introduce __counted_by_ptr(), which works like __counted_by(), but for
> pointer struct members.
>
> struct foo {
> int a, b, c;
> char *buffer __counted_by_ptr(bytes);
> short nr_bars;
> struct bar *bars __counted_by_ptr(nr_bars);
> size_t bytes;
> };
>
> Because "counted_by" can only be applied to pointer members in very
> recent compiler versions, its application ends up needing to be distinct
> from flexibe array "counted_by" annotations, hence a separate macro.
...
> diff --git a/Makefile b/Makefile
> index 9d38125263fb..6b029f694bc2 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -952,6 +952,12 @@ KBUILD_CFLAGS += $(CC_AUTO_VAR_INIT_ZERO_ENABLER)
> endif
> endif
>
> +ifdef CONFIG_CC_IS_CLANG
> +ifdef CONFIG_CC_HAS_COUNTED_BY_PTR
> +KBUILD_CFLAGS += -fexperimental-late-parse-attributes
> +endif
> +endif
Will that still be needed for clang 22?
Looks a bit like a temporary flag to avoid regressions.
Probably ought to at least have a comment that it won't be needed
by some future clang version so that it gets tidied up.
David
On Fri, Jan 16, 2026 at 1:53 AM David Laight
<david.laight.linux@gmail.com> wrote:
>
> On Fri, 16 Jan 2026 00:57:57 +0000
> Bill Wendling <morbo@google.com> wrote:
>
> > Introduce __counted_by_ptr(), which works like __counted_by(), but for
> > pointer struct members.
> >
> > struct foo {
> > int a, b, c;
> > char *buffer __counted_by_ptr(bytes);
> > short nr_bars;
> > struct bar *bars __counted_by_ptr(nr_bars);
> > size_t bytes;
> > };
> >
> > Because "counted_by" can only be applied to pointer members in very
> > recent compiler versions, its application ends up needing to be distinct
> > from flexibe array "counted_by" annotations, hence a separate macro.
> ...
> > diff --git a/Makefile b/Makefile
> > index 9d38125263fb..6b029f694bc2 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -952,6 +952,12 @@ KBUILD_CFLAGS += $(CC_AUTO_VAR_INIT_ZERO_ENABLER)
> > endif
> > endif
> >
> > +ifdef CONFIG_CC_IS_CLANG
> > +ifdef CONFIG_CC_HAS_COUNTED_BY_PTR
> > +KBUILD_CFLAGS += -fexperimental-late-parse-attributes
> > +endif
> > +endif
>
> Will that still be needed for clang 22?
> Looks a bit like a temporary flag to avoid regressions.
> Probably ought to at least have a comment that it won't be needed
> by some future clang version so that it gets tidied up.
I don't believe that there's a timeline for removing this flag, but I
agree that it should go at some point.
-bw
On Fri, Jan 16, 2026 at 09:53:18AM +0000, David Laight wrote:
> On Fri, 16 Jan 2026 00:57:57 +0000
> Bill Wendling <morbo@google.com> wrote:
>
> > Introduce __counted_by_ptr(), which works like __counted_by(), but for
> > pointer struct members.
> >
> > struct foo {
> > int a, b, c;
> > char *buffer __counted_by_ptr(bytes);
> > short nr_bars;
> > struct bar *bars __counted_by_ptr(nr_bars);
> > size_t bytes;
> > };
> >
> > Because "counted_by" can only be applied to pointer members in very
> > recent compiler versions, its application ends up needing to be distinct
> > from flexibe array "counted_by" annotations, hence a separate macro.
> ...
> > diff --git a/Makefile b/Makefile
> > index 9d38125263fb..6b029f694bc2 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -952,6 +952,12 @@ KBUILD_CFLAGS += $(CC_AUTO_VAR_INIT_ZERO_ENABLER)
> > endif
> > endif
> >
> > +ifdef CONFIG_CC_IS_CLANG
> > +ifdef CONFIG_CC_HAS_COUNTED_BY_PTR
> > +KBUILD_CFLAGS += -fexperimental-late-parse-attributes
> > +endif
> > +endif
>
> Will that still be needed for clang 22?
AFAIK, yes. AIUI, this flag will remain while -fbounds-safety continues
to be upstreamed into LLVM.
> Looks a bit like a temporary flag to avoid regressions.
> Probably ought to at least have a comment that it won't be needed
> by some future clang version so that it gets tidied up.
Once it's no longer needed, yes, I will want it removed from the
Makefile.
--
Kees Cook
On Sat, Jan 17, 2026 at 11:07 AM Kees Cook <kees@kernel.org> wrote:
>
> On Fri, Jan 16, 2026 at 09:53:18AM +0000, David Laight wrote:
> > On Fri, 16 Jan 2026 00:57:57 +0000
> > Bill Wendling <morbo@google.com> wrote:
> >
> > > Introduce __counted_by_ptr(), which works like __counted_by(), but for
> > > pointer struct members.
> > >
> > > struct foo {
> > > int a, b, c;
> > > char *buffer __counted_by_ptr(bytes);
> > > short nr_bars;
> > > struct bar *bars __counted_by_ptr(nr_bars);
> > > size_t bytes;
> > > };
> > >
> > > Because "counted_by" can only be applied to pointer members in very
> > > recent compiler versions, its application ends up needing to be distinct
> > > from flexibe array "counted_by" annotations, hence a separate macro.
> > ...
> > > diff --git a/Makefile b/Makefile
> > > index 9d38125263fb..6b029f694bc2 100644
> > > --- a/Makefile
> > > +++ b/Makefile
> > > @@ -952,6 +952,12 @@ KBUILD_CFLAGS += $(CC_AUTO_VAR_INIT_ZERO_ENABLER)
> > > endif
> > > endif
> > >
> > > +ifdef CONFIG_CC_IS_CLANG
> > > +ifdef CONFIG_CC_HAS_COUNTED_BY_PTR
> > > +KBUILD_CFLAGS += -fexperimental-late-parse-attributes
> > > +endif
> > > +endif
> >
> > Will that still be needed for clang 22?
>
> AFAIK, yes. AIUI, this flag will remain while -fbounds-safety continues
> to be upstreamed into LLVM.
>
> > Looks a bit like a temporary flag to avoid regressions.
> > Probably ought to at least have a comment that it won't be needed
> > by some future clang version so that it gets tidied up.
>
> Once it's no longer needed, yes, I will want it removed from the
> Makefile.
>
Would it be good to 'fixup' a comment in the Makefile for that?
-bw
On Tue, 20 Jan 2026 10:12:34 -0800
Bill Wendling <morbo@google.com> wrote:
> On Sat, Jan 17, 2026 at 11:07 AM Kees Cook <kees@kernel.org> wrote:
> >
> > On Fri, Jan 16, 2026 at 09:53:18AM +0000, David Laight wrote:
> > > On Fri, 16 Jan 2026 00:57:57 +0000
> > > Bill Wendling <morbo@google.com> wrote:
> > >
> > > > Introduce __counted_by_ptr(), which works like __counted_by(), but for
> > > > pointer struct members.
> > > >
> > > > struct foo {
> > > > int a, b, c;
> > > > char *buffer __counted_by_ptr(bytes);
> > > > short nr_bars;
> > > > struct bar *bars __counted_by_ptr(nr_bars);
> > > > size_t bytes;
> > > > };
> > > >
> > > > Because "counted_by" can only be applied to pointer members in very
> > > > recent compiler versions, its application ends up needing to be distinct
> > > > from flexibe array "counted_by" annotations, hence a separate macro.
> > > ...
> > > > diff --git a/Makefile b/Makefile
> > > > index 9d38125263fb..6b029f694bc2 100644
> > > > --- a/Makefile
> > > > +++ b/Makefile
> > > > @@ -952,6 +952,12 @@ KBUILD_CFLAGS += $(CC_AUTO_VAR_INIT_ZERO_ENABLER)
> > > > endif
> > > > endif
> > > >
> > > > +ifdef CONFIG_CC_IS_CLANG
> > > > +ifdef CONFIG_CC_HAS_COUNTED_BY_PTR
> > > > +KBUILD_CFLAGS += -fexperimental-late-parse-attributes
> > > > +endif
> > > > +endif
> > >
> > > Will that still be needed for clang 22?
> >
> > AFAIK, yes. AIUI, this flag will remain while -fbounds-safety continues
> > to be upstreamed into LLVM.
> >
> > > Looks a bit like a temporary flag to avoid regressions.
> > > Probably ought to at least have a comment that it won't be needed
> > > by some future clang version so that it gets tidied up.
> >
> > Once it's no longer needed, yes, I will want it removed from the
> > Makefile.
> >
> Would it be good to 'fixup' a comment in the Makefile for that?
Wrap with:
# Update version when no longer required
ifneq ($(call clang-min-version, 999999),y)
Although you might one day need the -f option for something entirely different.
So perhaps the logic that enables CC_HAS_COUNTER_BY_PTR need to do the
extra version check and set something so that -fexperimental-late-parse-attributes
is added here (so it only added once if needed by multiple things).
David
© 2016 - 2026 Red Hat, Inc.