From nobody Mon Feb 9 09:22:22 2026 Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com [209.85.210.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 617EF340DB2 for ; Sat, 10 Jan 2026 11:59:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.181 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768046345; cv=none; b=tFQfOdJsl1m/tqbNcUMyKafCnJIKzgbArmg2QQkIPHp1/UYLnUEOfj5X9huYpN/cteyTHHm4HDmPj5EJkStOqVB/jynsIuB+hgvZGOTv33B9SSficAdbmx0T09QC6uKn0+ryEz47XvFtavsg+9S5WAPLRJ059YvbgGmh1Zbdr7Y= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768046345; c=relaxed/simple; bh=UhbVMPRFiQTqCXLdIye1S0xYbgyzM2roj8jhKNwBUZ0=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Ru5ejov14YD50Dayx9uubwMiVcdh4r0sQDIL2mxLqGVxGjb8TlPVygB5hEjGpOkxyzpi85i8tXy2f2IA716LjSYXFes+PfSuyGUhYEtvprEBKvhDJstZWlQRmoqXu4ZKV+3puUp5ecpEm7bACFl46TQeRtc2sEc18hTTLe05sZ8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=OIIshU+L; arc=none smtp.client-ip=209.85.210.181 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="OIIshU+L" Received: by mail-pf1-f181.google.com with SMTP id d2e1a72fcca58-81f42a49437so107395b3a.0 for ; Sat, 10 Jan 2026 03:59:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768046342; x=1768651142; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=vxSuJwccsvaU5TI9v9x0V6y0M+w0NKTt2Mn5k9QlaNQ=; b=OIIshU+LDwBQKHZTv/fbW0JvaEBI2JLEeIPs54s4I9glZa4tmU8IzHN96JllrBZgm1 ttdS3MTXWFvMKYo18FTpGz2WKuedu7iSyB+XmebXYXIUn4l/HZQOxiWGPDo4XtcEeI49 Npycq960UDFrwFnHqKkhcOOTTGk0xLXEFo0TNVpVJ2LvlfcRcU/fl/o7pwnRxmFCoVIG +ksZmuOj4tXojEnf1jYo0KicKC8IwBMRkF4RysFMOmqX15cneOc7jBMgPw0b5n26eTvE wBx7fm/0XlnkNhMDOj9f0gi5Mq9ILCk5Yyek3C2j/uVKHZPubPbh+Wm7K2hFe7RvepYB r5CQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768046342; x=1768651142; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=vxSuJwccsvaU5TI9v9x0V6y0M+w0NKTt2Mn5k9QlaNQ=; b=qNUUvZgB+ykod6n1au/YqBjShW8DiMlNqXDs6LKKJid2OSP3ltDn34hCfKd/xubLat Q0W845Vl9mpoG33xiAdyMg8VrmY415q0ViEWTmu70+74aPATKYMucjL95H9HhdnlSUhZ idykEndfkC3PiaZdMfAJN91fi3HB0E6gmEh4EePeGUGmrSqwYu9LaQt2fC0cwySBGyK+ IowZGxU3Z1Si59/o0TMRMMZ48FI2tDVTYt9Ytze6wk6k+LfcDItCX2MwdJvsDUTJ5G+z klLkQupTfNYbAbaqFOqg1ZgoUOK/TisAAMcuOTMTEc2v+hO8MG/k22MQ2+5ykJsw8K5M AC4Q== X-Forwarded-Encrypted: i=1; AJvYcCWkU6OoprNNn7NEjE5cVR8Y9s6+26CM2Tm82ZCbS2FxNmKvK6O5jC4NjBbNzkQpesvbnFSC/Oy6VdJXpR0=@vger.kernel.org X-Gm-Message-State: AOJu0YwGgkmvYHhpCiNuv4ERaAy7kShvEIUODYidITqK4dwRZfxglp9o T2OWOWm0eb5M+lOzxwkJIgQSPT+AJPIjo2auQ8P7Bq7ZxowuPxS4e+do X-Gm-Gg: AY/fxX57BZ1c5n+/Cq50O5zMyKBzf6/kgAw8m+sObW+ng3FD6g1S47VxAYqSBFoQcM0 ooAg+pWlUSQNbhOVZ7oJEdWWK8SEXKRAESNf+5Vo8OOEcTHkd+mX1zwigjPBjEFXMLfsHly8ZRE oQe6omnx1bN2j55plYE4LcVrGQuIO+tbkVXKcANDKlwi1c5otnPkJiypHYqPhdVqc21ubJR0bak pCgl5N+5yry26qe0HdHpFrdHyQE9s0hpdz0Fo1ZDeRaprIsg5mwQuiqI/+Bov10tVEbi0lHv945 UQBejtvRErgY6Tkk3/eYkzWg59orSUxUxGfgYvb8TWhNVvSLt5LcwvkkKhWVwtnQeJQcXyCo7oY Auj72jp+qFBXxJ4E+2OJXoU9hSlqgU5PBUNqjiTpeONVERXAtOx9LvoEUqodSkSACKJNtGEYFeT nPqya/cwvXKMhUBUjqAHCL+FwU42at9SGwuPAqAXcinQNVbMs3QjEdzooSCu5hT35/kqjlIPXD X-Google-Smtp-Source: AGHT+IFQYAC4SLR7DWLAtIrYcl3jcFs69GoJHOdJQKSMkqfLKLr55d7JQe6xJeKgwQejkNVlx8iRgg== X-Received: by 2002:a05:6a20:3d0c:b0:389:8e23:f43b with SMTP id adf61e73a8af0-3898fa1fef0mr11445752637.69.1768046341955; Sat, 10 Jan 2026 03:59:01 -0800 (PST) Received: from bee.. (p5342157-ipxg23901hodogaya.kanagawa.ocn.ne.jp. [180.39.242.157]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c4cc8d2952dsm223117a12.17.2026.01.10.03.58.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 10 Jan 2026 03:59:01 -0800 (PST) From: FUJITA Tomonori To: a.hindborg@kernel.org, ojeda@kernel.org Cc: aliceryhl@google.com, anna-maria@linutronix.de, bjorn3_gh@protonmail.com, boqun.feng@gmail.com, dakr@kernel.org, frederic@kernel.org, gary@garyguo.net, jstultz@google.com, lossin@kernel.org, lyude@redhat.com, sboyd@kernel.org, tglx@linutronix.de, tmgross@umich.edu, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org Subject: [PATCH v1] rust: hrtimer: Restrict expires() to safe contexts Date: Sat, 10 Jan 2026 20:58:38 +0900 Message-ID: <20260110115838.3109895-1-fujita.tomonori@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" HrTimer::expires() previously read node.expires via a volatile load, which can race with C-side updates. Rework the API so it is only callable with exclusive access or from the callback context. Introduce raw_expires() with an explicit safety contract, switch HrTimer::expires() to Pin<&mut Self>, add HrTimerCallbackContext::expires(), and route the read through hrtimer_get_expires() via a Rust helper. Signed-off-by: FUJITA Tomonori --- rust/helpers/time.c | 6 +++++ rust/kernel/time/hrtimer.rs | 49 +++++++++++++++++++++++++++---------- 2 files changed, 42 insertions(+), 13 deletions(-) diff --git a/rust/helpers/time.c b/rust/helpers/time.c index 67a36ccc3ec4..5be4170dc429 100644 --- a/rust/helpers/time.c +++ b/rust/helpers/time.c @@ -2,6 +2,7 @@ =20 #include #include +#include #include =20 void rust_helper_fsleep(unsigned long usecs) @@ -38,3 +39,8 @@ void rust_helper_udelay(unsigned long usec) { udelay(usec); } + +__rust_helper ktime_t rust_helper_hrtimer_get_expires(const struct hrtimer= *timer) +{ + return hrtimer_get_expires(timer); +} diff --git a/rust/kernel/time/hrtimer.rs b/rust/kernel/time/hrtimer.rs index 856d2d929a00..2c6340db1a09 100644 --- a/rust/kernel/time/hrtimer.rs +++ b/rust/kernel/time/hrtimer.rs @@ -224,27 +224,39 @@ pub fn forward_now(self: Pin<&mut Self>, interval: De= lta) -> u64 self.forward(HrTimerInstant::::now(), interval) } =20 + /// Return the time expiry for this [`HrTimer`]. + /// + /// # Safety + /// + /// - `self_ptr` must point to a valid `Self`. + /// - The caller must either have exclusive access to the data pointed= at by `self_ptr`, or be + /// within the context of the timer callback. + #[inline] + unsafe fn raw_expires(self_ptr: *const Self) -> HrTimerInstant + where + T: HasHrTimer, + { + // SAFETY: + // - The C API requirements for this function are fulfilled by our= safety contract. + // - `self_ptr` is guaranteed to point to a valid `Self` via our s= afety contract. + // - Timers cannot have negative ktime_t values as their expiratio= n time. + unsafe { Instant::from_ktime(bindings::hrtimer_get_expires(Self::r= aw_get(self_ptr))) } + } + /// Return the time expiry for this [`HrTimer`]. /// /// This value should only be used as a snapshot, as the actual expiry= time could change after /// this function is called. - pub fn expires(&self) -> HrTimerInstant + pub fn expires(self: Pin<&mut Self>) -> HrTimerInstant where T: HasHrTimer, { - // SAFETY: `self` is an immutable reference and thus always points= to a valid `HrTimer`. - let c_timer_ptr =3D unsafe { HrTimer::raw_get(self) }; + // SAFETY: `raw_expires` does not move `Self` + let this =3D unsafe { self.get_unchecked_mut() }; =20 - // SAFETY: - // - Timers cannot have negative ktime_t values as their expiratio= n time. - // - There's no actual locking here, a racy read is fine and expec= ted - unsafe { - Instant::from_ktime( - // This `read_volatile` is intended to correspond to a REA= D_ONCE call. - // FIXME(read_once): Replace with `read_once` when availab= le on the Rust side. - core::ptr::read_volatile(&raw const ((*c_timer_ptr).node.e= xpires)), - ) - } + // SAFETY: By existence of `Pin<&mut Self>`, the pointer passed to= `raw_expires` points to a + // valid `Self` that we have exclusive access to. + unsafe { Self::raw_expires(this) } } } =20 @@ -729,6 +741,17 @@ pub fn forward(&mut self, now: HrTimerInstant, inte= rval: Delta) -> u64 { pub fn forward_now(&mut self, duration: Delta) -> u64 { self.forward(HrTimerInstant::::now(), duration) } + + /// Return the time expiry for this [`HrTimer`]. + /// + /// This function is identical to [`HrTimer::expires()`] except that i= t may only be used from + /// within the context of a [`HrTimer`] callback. + pub fn expires(&self) -> HrTimerInstant { + // SAFETY: + // - We are guaranteed to be within the context of a timer callbac= k by our type invariants. + // - By our type invariants, `self.0` always points to a valid `Hr= Timer`. + unsafe { HrTimer::::raw_expires(self.0.as_ptr()) } + } } =20 /// Use to implement the [`HasHrTimer`] trait. base-commit: 9ace4753a5202b02191d54e9fdf7f9e3d02b85eb --=20 2.43.0