public inbox for rust-for-linux@vger.kernel.org
From: "Gary Guo" <gary@garyguo.net>
To: "FUJITA Tomonori" <tomo@aliasing.net>, <a.hindborg@kernel.org>,
	<ojeda@kernel.org>
Cc: <dirk.behme@de.bosch.com>, <aliceryhl@google.com>,
	<anna-maria@linutronix.de>, <bjorn3_gh@protonmail.com>,
	<boqun@kernel.org>, <dakr@kernel.org>, <frederic@kernel.org>,
	<gary@garyguo.net>, <jstultz@google.com>, <lossin@kernel.org>,
	<lyude@redhat.com>, <sboyd@kernel.org>, <tglx@kernel.org>,
	<tmgross@umich.edu>, <rust-for-linux@vger.kernel.org>,
	"FUJITA Tomonori" <fujita.tomonori@gmail.com>
Subject: Re: [PATCH v2] rust: hrtimer: Restrict expires() to safe contexts
Date: Thu, 26 Feb 2026 11:42:39 +0000
Message-ID: <DGOV7EXV8VO9.QR9UN9EV6DZK@garyguo.net>
In-Reply-To: <20260224132507.315637-1-tomo@aliasing.net>

On Tue Feb 24, 2026 at 1:25 PM GMT, FUJITA Tomonori wrote:
> From: FUJITA Tomonori <fujita.tomonori@gmail.com>
>
> HrTimer::expires() previously read node.expires via a volatile load, which
> can race with C-side updates. Rework the API so it is only callable with
> exclusive access or from the callback context.
>
> Introduce raw_expires() with an explicit safety contract, switch
> HrTimer::expires() to Pin<&mut Self>, add
> HrTimerCallbackContext::expires(), and route the read through
> hrtimer_get_expires() via a Rust helper.
>
> Fixes: 4b0147494275 ("rust: hrtimer: Add HrTimer::expires()")
> Closes: https://lore.kernel.org/rust-for-linux/87ldi7f4o1.fsf@t14s.mail-host-address-is-not-set/
> Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
> ---
> v2:
> - Add Fixes and Closes tags
> - Fix and improve comments
> v1: https://lore.kernel.org/rust-for-linux/20260110115838.3109895-1-fujita.tomonori@gmail.com/
> ---
>  rust/helpers/time.c         |  6 +++++
>  rust/kernel/time/hrtimer.rs | 49 +++++++++++++++++++++++++++----------
>  2 files changed, 42 insertions(+), 13 deletions(-)
>
> diff --git a/rust/helpers/time.c b/rust/helpers/time.c
> index 32f495970493..ef8999621399 100644
> --- a/rust/helpers/time.c
> +++ b/rust/helpers/time.c
> @@ -2,6 +2,7 @@
>  
>  #include <linux/delay.h>
>  #include <linux/ktime.h>
> +#include <linux/hrtimer.h>
>  #include <linux/timekeeping.h>
>  
>  __rust_helper void rust_helper_fsleep(unsigned long usecs)
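
Review bot: the new `#include <linux/hrtimer.h>` breaks the alphabetical order of the include block; it belongs between `<linux/delay.h>` and `<linux/ktime.h>`, not after `<linux/ktime.h>`.
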
> @@ -38,3 +39,8 @@ __rust_helper void rust_helper_udelay(unsigned long usec)
>  {
>  	udelay(usec);
>  }
> +
> +__rust_helper ktime_t rust_helper_hrtimer_get_expires(const struct hrtimer *timer)
> +{
> +	return hrtimer_get_expires(timer);
> +}
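
Review bot: `rust_helper_hrtimer_get_expires()` carries no comment explaining why the read has to go through a C helper instead of calling `hrtimer_get_expires()` from Rust directly; the commit message only says the read is "routed through hrtimer_get_expires() via a Rust helper". A one-line comment above the helper stating the reason would save the next reader a trip to `hrtimer.h`.
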
> diff --git a/rust/kernel/time/hrtimer.rs b/rust/kernel/time/hrtimer.rs
> index 856d2d929a00..78e2343fd016 100644
> --- a/rust/kernel/time/hrtimer.rs
> +++ b/rust/kernel/time/hrtimer.rs
> @@ -224,27 +224,39 @@ pub fn forward_now(self: Pin<&mut Self>, interval: Delta) -> u64
>          self.forward(HrTimerInstant::<T>::now(), interval)
>      }
>  
> +    /// Return the time expiry for this [`HrTimer`].
> +    ///
> +    /// # Safety
> +    ///
> +    /// - `self_ptr` must point to a valid `Self`.
> +    /// - The caller must either have exclusive access to the data pointed to by `self_ptr`, or be
> +    ///   within the context of the timer callback.
> +    #[inline]
> +    unsafe fn raw_expires(self_ptr: *const Self) -> HrTimerInstant<T>

I guess the signature of this can also be

`unsafe fn raw_expires(&self) -> HrTimerInstant<T>`? Then you can remove the
first safety requirement.

Best,
Gary

> +    where
> +        T: HasHrTimer<T>,
> +    {
> +        // SAFETY:
> +        // - The C API requirements for this function are fulfilled by our safety contract.
> +        // - `self_ptr` is guaranteed to point to a valid `Self` via our safety contract.
> +        // - Timers cannot have negative `ktime_t` values as their expiration time.
> +        unsafe { Instant::from_ktime(bindings::hrtimer_get_expires(Self::raw_get(self_ptr))) }
> +    }
> +
>      /// Return the time expiry for this [`HrTimer`].
>      ///
>      /// This value should only be used as a snapshot, as the actual expiry time could change after
>      /// this function is called.
> -    pub fn expires(&self) -> HrTimerInstant<T>
> +    pub fn expires(self: Pin<&mut Self>) -> HrTimerInstant<T>
>      where
>          T: HasHrTimer<T>,
>      {
> -        // SAFETY: `self` is an immutable reference and thus always points to a valid `HrTimer`.
> -        let c_timer_ptr = unsafe { HrTimer::raw_get(self) };
> +        // SAFETY: `raw_expires` does not move `Self`.
> +        let this = unsafe { self.get_unchecked_mut() };
>  
> -        // SAFETY:
> -        // - Timers cannot have negative ktime_t values as their expiration time.
> -        // - There's no actual locking here, a racy read is fine and expected
> -        unsafe {
> -            Instant::from_ktime(
> -                // This `read_volatile` is intended to correspond to a READ_ONCE call.
> -                // FIXME(read_once): Replace with `read_once` when available on the Rust side.
> -                core::ptr::read_volatile(&raw const ((*c_timer_ptr).node.expires)),
> -            )
> -        }
> +        // SAFETY: By existence of `Pin<&mut Self>`, the pointer passed to `raw_expires` points to a
> +        // valid `Self` that we have exclusive access to.
> +        unsafe { Self::raw_expires(this) }
>      }
>  }
>  
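
Review bot: the doc comment kept on `HrTimer::expires()` ("This value should only be used as a snapshot, as the actual expiry time could change after this function is called") reads as stale now that the receiver is `Pin<&mut Self>`: the whole point of the change is that the read happens only with exclusive access, so the sentence should say when the value can change (once the exclusive borrow ends and the timer is started or forwarded again) rather than still suggesting a racy read. In the same hunk, the first SAFETY bullet of `raw_expires()` ("The C API requirements for this function are fulfilled by our safety contract") would be clearer if it named the requirement it relies on, namely that nothing else modifies the timer while the expiry is read.
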
> @@ -729,6 +741,17 @@ pub fn forward(&mut self, now: HrTimerInstant<T>, interval: Delta) -> u64 {
>      pub fn forward_now(&mut self, duration: Delta) -> u64 {
>          self.forward(HrTimerInstant::<T>::now(), duration)
>      }
> +
> +    /// Return the time expiry for this [`HrTimer`].
> +    ///
> +    /// This function is identical to [`HrTimer::expires()`] except that it may only be used from
> +    /// within the context of a [`HrTimer`] callback.
> +    pub fn expires(&self) -> HrTimerInstant<T> {
> +        // SAFETY:
> +        // - We are guaranteed to be within the context of a timer callback by our type invariants.
> +        // - By our type invariants, `self.0` always points to a valid `HrTimer<T>`.
> +        unsafe { HrTimer::<T>::raw_expires(self.0.as_ptr()) }
> +    }
>  }
>  
>  /// Use to implement the [`HasHrTimer<T>`] trait.
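
Review bot: the doc comment on `HrTimerCallbackContext::expires()` says "Return the time expiry for this [`HrTimer`]", but the receiver is the callback context, not the timer; "for the [`HrTimer`] this callback context belongs to" would match the receiver. The "identical to [`HrTimer::expires()`] except that" sentence could also mention the other difference visible here: this variant takes `&self`, whereas `HrTimer::expires()` now requires `Pin<&mut Self>`.
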
>
> base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f



Thread overview: 12+ messages
2026-02-24 13:25 [PATCH v2] rust: hrtimer: Restrict expires() to safe contexts FUJITA Tomonori
2026-02-26 11:42 ` Gary Guo [this message]
2026-02-26 12:50   ` FUJITA Tomonori
2026-02-26 13:19     ` Andreas Hindborg
2026-02-26 14:16       ` Gary Guo
2026-02-26 18:33         ` Andreas Hindborg
2026-02-27 12:32           ` Gary Guo
2026-02-28  1:26             ` FUJITA Tomonori
2026-02-28 13:02               ` Gary Guo
2026-02-28 21:23                 ` FUJITA Tomonori
2026-03-10  8:24                 ` Andreas Hindborg
2026-03-23 12:41                   ` Gary Guo
