All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH v3] rust: hrtimer: Restrict expires() to safe contexts
@ 2026-03-03  6:10 ` FUJITA Tomonori
  2026-06-18  9:56   ` Andreas Hindborg
  0 siblings, 1 reply; 8+ messages in thread
From: FUJITA Tomonori @ 2026-03-03  6:10 UTC (permalink / raw)
  To: a.hindborg, ojeda, gary
  Cc: dirk.behme, aliceryhl, anna-maria, bjorn3_gh, boqun, dakr,
	frederic, jstultz, lossin, lyude, sboyd, tglx, tmgross,
	rust-for-linux, FUJITA Tomonori

From: FUJITA Tomonori <fujita.tomonori@gmail.com>

HrTimer::expires() previously read node.expires via a volatile load, which
can race with C-side updates. Rework the API so it is only callable with
exclusive access or from the callback context.

Introduce expires_unchecked() with an explicit safety contract, switch
HrTimer::expires() to Pin<&mut Self>, add
HrTimerCallbackContext::expires(), and route the read through
hrtimer_get_expires() via a Rust helper.

Fixes: 4b0147494275 ("rust: hrtimer: Add HrTimer::expires()")
Closes: https://lore.kernel.org/rust-for-linux/87ldi7f4o1.fsf@t14s.mail-host-address-is-not-set/
Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
---

Note that I will send a separate patch to remove
HrTimerCallbackContext after the discussion concludes.

v3:
- Change the signature of raw_expires()
- Rename raw_expires() to expires_unchecked()
v2: https://lore.kernel.org/rust-for-linux/20260224132507.315637-1-tomo@aliasing.net/
- Add Fixes and Closes tags
- Fix and improve comments
v1: https://lore.kernel.org/rust-for-linux/20260110115838.3109895-1-fujita.tomonori@gmail.com/
---
 rust/helpers/time.c         |  6 +++++
 rust/kernel/time/hrtimer.rs | 46 ++++++++++++++++++++++++++-----------
 2 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/rust/helpers/time.c b/rust/helpers/time.c
index 32f495970493..ef8999621399 100644
--- a/rust/helpers/time.c
+++ b/rust/helpers/time.c
@@ -2,6 +2,7 @@
 
 #include <linux/delay.h>
 #include <linux/ktime.h>
+#include <linux/hrtimer.h>
 #include <linux/timekeeping.h>
 
 __rust_helper void rust_helper_fsleep(unsigned long usecs)
@@ -38,3 +39,8 @@ __rust_helper void rust_helper_udelay(unsigned long usec)
 {
 	udelay(usec);
 }
+
+__rust_helper ktime_t rust_helper_hrtimer_get_expires(const struct hrtimer *timer)
+{
+	return hrtimer_get_expires(timer);
+}
diff --git a/rust/kernel/time/hrtimer.rs b/rust/kernel/time/hrtimer.rs
index 856d2d929a00..a4aea06e2c2d 100644
--- a/rust/kernel/time/hrtimer.rs
+++ b/rust/kernel/time/hrtimer.rs
@@ -224,27 +224,36 @@ pub fn forward_now(self: Pin<&mut Self>, interval: Delta) -> u64
         self.forward(HrTimerInstant::<T>::now(), interval)
     }
 
+    /// Return the time expiry for this [`HrTimer`].
+    ///
+    /// # Safety
+    ///
+    /// The caller must either have exclusive access to `self`, or be within the context of the
+    /// timer callback.
+    #[inline]
+    unsafe fn expires_unchecked(&self) -> HrTimerInstant<T>
+    where
+        T: HasHrTimer<T>,
+    {
+        // SAFETY:
+        // - The C API requirements for this function are fulfilled by our safety contract.
+        // - Timers cannot have negative `ktime_t` values as their expiration time.
+        unsafe { Instant::from_ktime(bindings::hrtimer_get_expires(Self::raw_get(self))) }
+    }
+
     /// Return the time expiry for this [`HrTimer`].
     ///
     /// This value should only be used as a snapshot, as the actual expiry time could change after
     /// this function is called.
-    pub fn expires(&self) -> HrTimerInstant<T>
+    pub fn expires(self: Pin<&mut Self>) -> HrTimerInstant<T>
     where
         T: HasHrTimer<T>,
     {
-        // SAFETY: `self` is an immutable reference and thus always points to a valid `HrTimer`.
-        let c_timer_ptr = unsafe { HrTimer::raw_get(self) };
+        // SAFETY: `expires_unchecked` does not move `Self`.
+        let this = unsafe { self.get_unchecked_mut() };
 
-        // SAFETY:
-        // - Timers cannot have negative ktime_t values as their expiration time.
-        // - There's no actual locking here, a racy read is fine and expected
-        unsafe {
-            Instant::from_ktime(
-                // This `read_volatile` is intended to correspond to a READ_ONCE call.
-                // FIXME(read_once): Replace with `read_once` when available on the Rust side.
-                core::ptr::read_volatile(&raw const ((*c_timer_ptr).node.expires)),
-            )
-        }
+        // SAFETY: By existence of `Pin<&mut Self>`, we have exclusive access to `Self`.
+        unsafe { this.expires_unchecked() }
     }
 }
 
@@ -729,6 +738,17 @@ pub fn forward(&mut self, now: HrTimerInstant<T>, interval: Delta) -> u64 {
     pub fn forward_now(&mut self, duration: Delta) -> u64 {
         self.forward(HrTimerInstant::<T>::now(), duration)
     }
+
+    /// Return the time expiry for the timer.
+    ///
+    /// This function is identical to [`HrTimer::expires()`] except that it may only be used from
+    /// within the context of a [`HrTimer`] callback.
+    pub fn expires(&self) -> HrTimerInstant<T> {
+        // SAFETY:
+        // - We are guaranteed to be within the context of a timer callback by our type invariants.
+        // - By our type invariants, `self.0` always points to a valid `HrTimer<T>`.
+        unsafe { self.0.as_ref().expires_unchecked() }
+    }
 }
 
 /// Use to implement the [`HasHrTimer<T>`] trait.

base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH v3] rust: hrtimer: Restrict expires() to safe contexts
  2026-03-03  6:10 ` [PATCH v3] rust: hrtimer: Restrict expires() to safe contexts FUJITA Tomonori
@ 2026-06-18  9:56   ` Andreas Hindborg
  2026-06-18 10:36     ` Miguel Ojeda
  2026-07-15 11:22     ` FUJITA Tomonori
  0 siblings, 2 replies; 8+ messages in thread
From: Andreas Hindborg @ 2026-06-18  9:56 UTC (permalink / raw)
  To: FUJITA Tomonori, ojeda, gary
  Cc: dirk.behme, aliceryhl, anna-maria, bjorn3_gh, boqun, dakr,
	frederic, jstultz, lossin, lyude, sboyd, tglx, tmgross,
	rust-for-linux, FUJITA Tomonori

"FUJITA Tomonori" <tomo@aliasing.net> writes:

> From: FUJITA Tomonori <fujita.tomonori@gmail.com>
>
> HrTimer::expires() previously read node.expires via a volatile load, which
> can race with C-side updates. Rework the API so it is only callable with
> exclusive access or from the callback context.
>
> Introduce expires_unchecked() with an explicit safety contract, switch
> HrTimer::expires() to Pin<&mut Self>, add
> HrTimerCallbackContext::expires(), and route the read through
> hrtimer_get_expires() via a Rust helper.
>
> Fixes: 4b0147494275 ("rust: hrtimer: Add HrTimer::expires()")
> Closes: https://lore.kernel.org/rust-for-linux/87ldi7f4o1.fsf@t14s.mail-host-address-is-not-set/
> Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>

Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>

Best regards,
Andreas Hindborg



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v3] rust: hrtimer: Restrict expires() to safe contexts
  2026-06-18  9:56   ` Andreas Hindborg
@ 2026-06-18 10:36     ` Miguel Ojeda
  2026-06-19  9:56       ` Andreas Hindborg
  2026-07-15 11:22     ` FUJITA Tomonori
  1 sibling, 1 reply; 8+ messages in thread
From: Miguel Ojeda @ 2026-06-18 10:36 UTC (permalink / raw)
  To: Andreas Hindborg
  Cc: FUJITA Tomonori, ojeda, gary, dirk.behme, aliceryhl, anna-maria,
	bjorn3_gh, boqun, dakr, frederic, jstultz, lossin, lyude, sboyd,
	tglx, tmgross, rust-for-linux, FUJITA Tomonori

On Thu, Jun 18, 2026 at 11:57 AM Andreas Hindborg <a.hindborg@kernel.org> wrote:
>
> Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>

Does this mean you will pick it up via timekeeping-next or should this
go through rust-fixes? (asking since sometimes you give a review tag
but then pick it up yourself)

Thanks!

Cheers,
Miguel

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v3] rust: hrtimer: Restrict expires() to safe contexts
  2026-06-18 10:36     ` Miguel Ojeda
@ 2026-06-19  9:56       ` Andreas Hindborg
  0 siblings, 0 replies; 8+ messages in thread
From: Andreas Hindborg @ 2026-06-19  9:56 UTC (permalink / raw)
  To: Miguel Ojeda
  Cc: FUJITA Tomonori, ojeda, gary, dirk.behme, aliceryhl, anna-maria,
	bjorn3_gh, boqun, dakr, frederic, jstultz, lossin, lyude, sboyd,
	tglx, tmgross, rust-for-linux, FUJITA Tomonori

Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> writes:

> On Thu, Jun 18, 2026 at 11:57 AM Andreas Hindborg <a.hindborg@kernel.org> wrote:
>>
>> Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
>
> Does this mean you will pick it up via timekeeping-next or should this
> go through rust-fixes? (asking since sometimes you give a review tag
> but then pick it up yourself)

I was planning to take it for the next one. I don't think it is urgent.


Best regards,
Andreas Hindborg



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v3] rust: hrtimer: Restrict expires() to safe contexts
  2026-06-18  9:56   ` Andreas Hindborg
  2026-06-18 10:36     ` Miguel Ojeda
@ 2026-07-15 11:22     ` FUJITA Tomonori
  2026-07-15 13:37       ` Andreas Hindborg
  2026-07-15 14:51       ` Gary Guo
  1 sibling, 2 replies; 8+ messages in thread
From: FUJITA Tomonori @ 2026-07-15 11:22 UTC (permalink / raw)
  To: a.hindborg
  Cc: tomo, ojeda, gary, dirk.behme, aliceryhl, anna-maria, bjorn3_gh,
	boqun, dakr, frederic, jstultz, lossin, lyude, sboyd, tglx,
	tmgross, rust-for-linux, fujita.tomonori

On Thu, 18 Jun 2026 11:56:59 +0200
Andreas Hindborg <a.hindborg@kernel.org> wrote:

> "FUJITA Tomonori" <tomo@aliasing.net> writes:
> 
>> From: FUJITA Tomonori <fujita.tomonori@gmail.com>
>>
>> HrTimer::expires() previously read node.expires via a volatile load, which
>> can race with C-side updates. Rework the API so it is only callable with
>> exclusive access or from the callback context.
>>
>> Introduce expires_unchecked() with an explicit safety contract, switch
>> HrTimer::expires() to Pin<&mut Self>, add
>> HrTimerCallbackContext::expires(), and route the read through
>> hrtimer_get_expires() via a Rust helper.
>>
>> Fixes: 4b0147494275 ("rust: hrtimer: Add HrTimer::expires()")
>> Closes: https://lore.kernel.org/rust-for-linux/87ldi7f4o1.fsf@t14s.mail-host-address-is-not-set/
>> Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
> 
> Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>

One thing I'd like to double check before merging this,
HrTImerCallbackContext::expires() now does:

unsafe { self.0.as_ref().expires_unchecked() }

which briefly makes a &HrTimer<T> from the NonNull<HrTimer<T>>.

This is only sound today because `HrTimer<T>`'s sole field is
`Opaque<bindings::hrtimer>`. As you pointed out earlier, if we add a
field to HrTimer, "stuff breaks".

Should `expires_unchecked` just keep taking `self_ptr: *const Self`,
like `raw_forward()` (and like v2 did), so
`HrTimerCallbackContext::expires()` can stay on `self.0.as_ptr()` and
never form the reference at all?

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v3] rust: hrtimer: Restrict expires() to safe contexts
  2026-07-15 11:22     ` FUJITA Tomonori
@ 2026-07-15 13:37       ` Andreas Hindborg
  2026-07-15 15:09         ` Miguel Ojeda
  2026-07-15 14:51       ` Gary Guo
  1 sibling, 1 reply; 8+ messages in thread
From: Andreas Hindborg @ 2026-07-15 13:37 UTC (permalink / raw)
  To: FUJITA Tomonori
  Cc: tomo, ojeda, gary, dirk.behme, aliceryhl, anna-maria, bjorn3_gh,
	boqun, dakr, frederic, jstultz, lossin, lyude, sboyd, tglx,
	tmgross, rust-for-linux, fujita.tomonori

FUJITA Tomonori <tomo@flapping.org> writes:

> On Thu, 18 Jun 2026 11:56:59 +0200
> Andreas Hindborg <a.hindborg@kernel.org> wrote:
>
>> "FUJITA Tomonori" <tomo@aliasing.net> writes:
>> 
>>> From: FUJITA Tomonori <fujita.tomonori@gmail.com>
>>>
>>> HrTimer::expires() previously read node.expires via a volatile load, which
>>> can race with C-side updates. Rework the API so it is only callable with
>>> exclusive access or from the callback context.
>>>
>>> Introduce expires_unchecked() with an explicit safety contract, switch
>>> HrTimer::expires() to Pin<&mut Self>, add
>>> HrTimerCallbackContext::expires(), and route the read through
>>> hrtimer_get_expires() via a Rust helper.
>>>
>>> Fixes: 4b0147494275 ("rust: hrtimer: Add HrTimer::expires()")
>>> Closes: https://lore.kernel.org/rust-for-linux/87ldi7f4o1.fsf@t14s.mail-host-address-is-not-set/
>>> Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
>> 
>> Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
>
> One thing I'd like to double check before merging this,
> HrTImerCallbackContext::expires() now does:
>
> unsafe { self.0.as_ref().expires_unchecked() }
>
> which briefly makes a &HrTimer<T> from the NonNull<HrTimer<T>>.
>
> This is only sound today because `HrTimer<T>`'s sole field is
> `Opaque<bindings::hrtimer>`. As you pointed out earlier, if we add a
> field to HrTimer, "stuff breaks".
>
> Should `expires_unchecked` just keep taking `self_ptr: *const Self`,
> like `raw_forward()` (and like v2 did), so
> `HrTimerCallbackContext::expires()` can stay on `self.0.as_ptr()` and
> never form the reference at all?

Either way is fine for me, but Gary seems to gravitate towards the
current solution, so maybe keep that? We can add a "// NOTE:" on the
struct definition saying that soundness depends on all fields being OK
with this caveat.


Best regards,
Andreas Hindborg



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v3] rust: hrtimer: Restrict expires() to safe contexts
  2026-07-15 11:22     ` FUJITA Tomonori
  2026-07-15 13:37       ` Andreas Hindborg
@ 2026-07-15 14:51       ` Gary Guo
  1 sibling, 0 replies; 8+ messages in thread
From: Gary Guo @ 2026-07-15 14:51 UTC (permalink / raw)
  To: FUJITA Tomonori, a.hindborg
  Cc: tomo, ojeda, gary, dirk.behme, aliceryhl, anna-maria, bjorn3_gh,
	boqun, dakr, frederic, jstultz, lossin, lyude, sboyd, tglx,
	tmgross, rust-for-linux, fujita.tomonori

On Wed Jul 15, 2026 at 12:22 PM BST, FUJITA Tomonori wrote:
> On Thu, 18 Jun 2026 11:56:59 +0200
> Andreas Hindborg <a.hindborg@kernel.org> wrote:
>
>> "FUJITA Tomonori" <tomo@aliasing.net> writes:
>> 
>>> From: FUJITA Tomonori <fujita.tomonori@gmail.com>
>>>
>>> HrTimer::expires() previously read node.expires via a volatile load, which
>>> can race with C-side updates. Rework the API so it is only callable with
>>> exclusive access or from the callback context.
>>>
>>> Introduce expires_unchecked() with an explicit safety contract, switch
>>> HrTimer::expires() to Pin<&mut Self>, add
>>> HrTimerCallbackContext::expires(), and route the read through
>>> hrtimer_get_expires() via a Rust helper.
>>>
>>> Fixes: 4b0147494275 ("rust: hrtimer: Add HrTimer::expires()")
>>> Closes: https://lore.kernel.org/rust-for-linux/87ldi7f4o1.fsf@t14s.mail-host-address-is-not-set/
>>> Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
>> 
>> Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
>
> One thing I'd like to double check before merging this,
> HrTImerCallbackContext::expires() now does:
>
> unsafe { self.0.as_ref().expires_unchecked() }
>
> which briefly makes a &HrTimer<T> from the NonNull<HrTimer<T>>.
>
> This is only sound today because `HrTimer<T>`'s sole field is
> `Opaque<bindings::hrtimer>`. As you pointed out earlier, if we add a
> field to HrTimer, "stuff breaks".

What breaks? You're just converting it to shared reference.

Best,
Gary

>
> Should `expires_unchecked` just keep taking `self_ptr: *const Self`,
> like `raw_forward()` (and like v2 did), so
> `HrTimerCallbackContext::expires()` can stay on `self.0.as_ptr()` and
> never form the reference at all?



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v3] rust: hrtimer: Restrict expires() to safe contexts
  2026-07-15 13:37       ` Andreas Hindborg
@ 2026-07-15 15:09         ` Miguel Ojeda
  0 siblings, 0 replies; 8+ messages in thread
From: Miguel Ojeda @ 2026-07-15 15:09 UTC (permalink / raw)
  To: Andreas Hindborg
  Cc: FUJITA Tomonori, tomo, ojeda, gary, dirk.behme, aliceryhl,
	anna-maria, bjorn3_gh, boqun, dakr, frederic, jstultz, lossin,
	lyude, sboyd, tglx, tmgross, rust-for-linux, fujita.tomonori

On Wed, Jul 15, 2026 at 3:37 PM Andreas Hindborg <a.hindborg@kernel.org> wrote:
>
> Either way is fine for me, but Gary seems to gravitate towards the
> current solution, so maybe keep that? We can add a "// NOTE:" on the
> struct definition saying that soundness depends on all fields being OK
> with this caveat.

If something actually breaks, then apart from the note, what about
`repr(transparent)` to enforce it?

Cheers,
Miguel

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2026-07-15 15:09 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <hGNrgHLZgzaLAav_TQCJaAHYX3aWSPyoHeXEf7u3ioJunfoFTIPF9Q8PnCvfRKXq2SS-fNdOn35uMiTaF90nKA==@protonmail.internalid>
2026-03-03  6:10 ` [PATCH v3] rust: hrtimer: Restrict expires() to safe contexts FUJITA Tomonori
2026-06-18  9:56   ` Andreas Hindborg
2026-06-18 10:36     ` Miguel Ojeda
2026-06-19  9:56       ` Andreas Hindborg
2026-07-15 11:22     ` FUJITA Tomonori
2026-07-15 13:37       ` Andreas Hindborg
2026-07-15 15:09         ` Miguel Ojeda
2026-07-15 14:51       ` Gary Guo

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.