From: "Gary Guo" <gary@garyguo.net>
To: "FUJITA Tomonori" <tomo@flapping.org>, <a.hindborg@kernel.org>
Cc: <tomo@aliasing.net>, <ojeda@kernel.org>, <gary@garyguo.net>,
<dirk.behme@de.bosch.com>, <aliceryhl@google.com>,
<anna-maria@linutronix.de>, <bjorn3_gh@protonmail.com>,
<boqun@kernel.org>, <dakr@kernel.org>, <frederic@kernel.org>,
<jstultz@google.com>, <lossin@kernel.org>, <lyude@redhat.com>,
<sboyd@kernel.org>, <tglx@kernel.org>, <tmgross@umich.edu>,
<rust-for-linux@vger.kernel.org>, <fujita.tomonori@gmail.com>
Subject: Re: [PATCH v3] rust: hrtimer: Restrict expires() to safe contexts
Date: Wed, 15 Jul 2026 15:51:23 +0100 [thread overview]
Message-ID: <DJZ89N38SHOS.11AK80GIQXGDX@garyguo.net> (raw)
In-Reply-To: <20260715.202254.38223441240127219.tomo@flapping.org>
On Wed Jul 15, 2026 at 12:22 PM BST, FUJITA Tomonori wrote:
> On Thu, 18 Jun 2026 11:56:59 +0200
> Andreas Hindborg <a.hindborg@kernel.org> wrote:
>
>> "FUJITA Tomonori" <tomo@aliasing.net> writes:
>>
>>> From: FUJITA Tomonori <fujita.tomonori@gmail.com>
>>>
>>> HrTimer::expires() previously read node.expires via a volatile load, which
>>> can race with C-side updates. Rework the API so it is only callable with
>>> exclusive access or from the callback context.
>>>
>>> Introduce expires_unchecked() with an explicit safety contract, switch
>>> HrTimer::expires() to Pin<&mut Self>, add
>>> HrTimerCallbackContext::expires(), and route the read through
>>> hrtimer_get_expires() via a Rust helper.
>>>
>>> Fixes: 4b0147494275 ("rust: hrtimer: Add HrTimer::expires()")
>>> Closes: https://lore.kernel.org/rust-for-linux/87ldi7f4o1.fsf@t14s.mail-host-address-is-not-set/
>>> Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
>>
>> Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
>
> One thing I'd like to double check before merging this,
> HrTImerCallbackContext::expires() now does:
>
> unsafe { self.0.as_ref().expires_unchecked() }
>
> which briefly makes a &HrTimer<T> from the NonNull<HrTimer<T>>.
>
> This is only sound today because `HrTimer<T>`'s sole field is
> `Opaque<bindings::hrtimer>`. As you pointed out earlier, if we add a
> field to HrTimer, "stuff breaks".
What breaks? You're just converting it to shared reference.
Best,
Gary
>
> Should `expires_unchecked` just keep taking `self_ptr: *const Self`,
> like `raw_forward()` (and like v2 did), so
> `HrTimerCallbackContext::expires()` can stay on `self.0.as_ptr()` and
> never form the reference at all?
prev parent reply other threads:[~2026-07-15 14:51 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <hGNrgHLZgzaLAav_TQCJaAHYX3aWSPyoHeXEf7u3ioJunfoFTIPF9Q8PnCvfRKXq2SS-fNdOn35uMiTaF90nKA==@protonmail.internalid>
2026-03-03 6:10 ` [PATCH v3] rust: hrtimer: Restrict expires() to safe contexts FUJITA Tomonori
2026-06-18 9:56 ` Andreas Hindborg
2026-06-18 10:36 ` Miguel Ojeda
2026-06-19 9:56 ` Andreas Hindborg
2026-07-15 11:22 ` FUJITA Tomonori
2026-07-15 13:37 ` Andreas Hindborg
2026-07-15 15:09 ` Miguel Ojeda
2026-07-15 14:51 ` Gary Guo [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJZ89N38SHOS.11AK80GIQXGDX@garyguo.net \
--to=gary@garyguo.net \
--cc=a.hindborg@kernel.org \
--cc=aliceryhl@google.com \
--cc=anna-maria@linutronix.de \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun@kernel.org \
--cc=dakr@kernel.org \
--cc=dirk.behme@de.bosch.com \
--cc=frederic@kernel.org \
--cc=fujita.tomonori@gmail.com \
--cc=jstultz@google.com \
--cc=lossin@kernel.org \
--cc=lyude@redhat.com \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=sboyd@kernel.org \
--cc=tglx@kernel.org \
--cc=tmgross@umich.edu \
--cc=tomo@aliasing.net \
--cc=tomo@flapping.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox