Open Source and information security mailing list archives
Message-ID: <20250630131011.405219-1-fujita.tomonori@gmail.com>
Date: Mon, 30 Jun 2025 22:10:11 +0900
From: FUJITA Tomonori <fujita.tomonori@...il.com>
To: a.hindborg@...nel.org,
	alex.gaynor@...il.com,
	ojeda@...nel.org,
	boqun.feng@...il.com
Cc: aliceryhl@...gle.com,
	anna-maria@...utronix.de,
	bjorn3_gh@...tonmail.com,
	dakr@...nel.org,
	frederic@...nel.org,
	gary@...yguo.net,
	jstultz@...gle.com,
	linux-kernel@...r.kernel.org,
	lossin@...nel.org,
	lyude@...hat.com,
	rust-for-linux@...r.kernel.org,
	sboyd@...nel.org,
	tglx@...utronix.de,
	tmgross@...ch.edu
Subject: [PATCH v1] rust: time: make ClockSource unsafe trait

Mark the ClockSource trait as unsafe and document its safety
requirements. Specifically, implementers must guarantee that their
`ktime_get()` implementation returns a value in the inclusive range
[0, KTIME_MAX].

Update all existing implementations to use `unsafe impl` with
corresponding safety comments.

Note that there could be potential users of a customized clock source [1]
so we don't seal the trait.

Link: https://lore.kernel.org/rust-for-linux/Z9xb1r1x5tOzAIZT@boqun-archlinux/ [1]
Suggested-by: Boqun Feng <boqun.feng@...il.com>
Signed-off-by: FUJITA Tomonori <fujita.tomonori@...il.com>
---
 rust/kernel/time.rs | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/rust/kernel/time.rs b/rust/kernel/time.rs
index 64c8dcf548d6..a90c386dda3a 100644
--- a/rust/kernel/time.rs
+++ b/rust/kernel/time.rs
@@ -59,7 +59,13 @@ pub fn msecs_to_jiffies(msecs: Msecs) -> Jiffies {
 /// cases the user of the clock has to decide which clock is best suited for the
 /// purpose. In most scenarios clock [`Monotonic`] is the best choice as it
 /// provides a accurate monotonic notion of time (leap second smearing ignored).
-pub trait ClockSource {
+///
+/// # Safety
+///
+/// Implementers must ensure that `ktime_get()` returns a value in the inclusive range
+/// [0, KTIME_MAX] (i.e., greater than or equal to 0 and less than or equal to
+/// `KTIME_MAX`, where `KTIME_MAX` equals `i64::MAX`).
+pub unsafe trait ClockSource {
     /// The kernel clock ID associated with this clock source.
     ///
     /// This constant corresponds to the C side `clockid_t` value.
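Review bot: the new `# Safety` section states the [0, KTIME_MAX] requirement but not what depends on it, so an implementer cannot tell which code becomes unsound if the range is violated; add one sentence naming the consumers that rely on the bound (the commit message is equally silent on this). While touching this doc comment, the unchanged context line `provides a accurate monotonic notion of time` should read `an accurate`.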
@@ -67,7 +73,7 @@ pub trait ClockSource {
 
     /// Get the current time from the clock source.
     ///
-    /// The function must return a value in the range from 0 to `KTIME_MAX`.
+    /// The function must return a value in the range [0, KTIME_MAX].
     fn ktime_get() -> bindings::ktime_t;
 }
 
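Review bot: the method doc on `ktime_get()` now repeats the trait-level requirement in a slightly different form (`KTIME_MAX` is bare here but in backticks in the `# Safety` section, and the "inclusive" wording is dropped); either point the method doc at the trait-level `# Safety` section or keep the two sentences identical so they cannot drift apart in later edits.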
@@ -84,7 +90,9 @@ pub trait ClockSource {
 /// count time that the system is suspended.
 pub struct Monotonic;
 
-impl ClockSource for Monotonic {
+// SAFETY: The kernel's `ktime_get()` is guaranteed to return a value
+// in [0, KTIME_MAX].
+unsafe impl ClockSource for Monotonic {
     const ID: bindings::clockid_t = bindings::CLOCK_MONOTONIC as bindings::clockid_t;
 
     fn ktime_get() -> bindings::ktime_t {
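Review bot: the SAFETY comment asserts that the kernel's `ktime_get()` stays within [0, KTIME_MAX] but gives no source for that guarantee; cite where the C side establishes it (the timekeeping documentation or the function's own comment) so a reviewer can check the claim rather than take it on trust. The same applies to the three following `unsafe impl` blocks, whose comments are word-for-word copies of this one.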
@@ -109,7 +117,9 @@ fn ktime_get() -> bindings::ktime_t {
 /// the clock will experience discontinuity around leap second adjustment.
 pub struct RealTime;
 
-impl ClockSource for RealTime {
+// SAFETY: The kernel's `ktime_get_real()` is guaranteed to return a value
+// in [0, KTIME_MAX].
+unsafe impl ClockSource for RealTime {
     const ID: bindings::clockid_t = bindings::CLOCK_REALTIME as bindings::clockid_t;
 
     fn ktime_get() -> bindings::ktime_t {
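Review bot: for `RealTime` the justification is weaker than for `Monotonic`, because CLOCK_REALTIME can be moved backwards and forwards by settimeofday(2) and similar interfaces, yet the SAFETY comment is a verbatim copy of the monotonic one; it should say what prevents `ktime_get_real()` from ever returning a negative or out-of-range value, presumably the kernel's validation of the time being set before it reaches the timekeeper, so that the `unsafe impl` is justified by something specific to this clock.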
@@ -127,7 +137,9 @@ fn ktime_get() -> bindings::ktime_t {
 /// discontinuities if the time is changed using settimeofday(2) or similar.
 pub struct BootTime;
 
-impl ClockSource for BootTime {
+// SAFETY: The kernel's `ktime_get_boottime()` is guaranteed to return a value
+// in [0, KTIME_MAX].
+unsafe impl ClockSource for BootTime {
     const ID: bindings::clockid_t = bindings::CLOCK_BOOTTIME as bindings::clockid_t;
 
     fn ktime_get() -> bindings::ktime_t {
@@ -149,7 +161,9 @@ fn ktime_get() -> bindings::ktime_t {
 /// The acronym TAI refers to International Atomic Time.
 pub struct Tai;
 
-impl ClockSource for Tai {
+// SAFETY: The kernel's `ktime_get_clocktai()` is guaranteed to return a value
+// in [0, KTIME_MAX].
+unsafe impl ClockSource for Tai {
     const ID: bindings::clockid_t = bindings::CLOCK_TAI as bindings::clockid_t;
 
     fn ktime_get() -> bindings::ktime_t {
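Review bot: the `Tai` SAFETY comment should address the TAI offset explicitly, since `ktime_get_clocktai()` is the realtime clock shifted by the TAI offset rather than an independently bounded counter; explain why adding that offset cannot carry the result past `KTIME_MAX` (or below 0), otherwise the comment only restates the requirement it is supposed to justify.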

base-commit: d4b29ddf82a458935f1bd4909b8a7a13df9d3bdc
-- 
2.43.0
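The following is an added example, not code from rust/kernel/time.rs and not written by the patch author. It models the contract the patch introduces in stand-alone Rust so the point of marking the trait `unsafe` can be exercised: a private-field `Instant` whose only constructor goes through `ClockSource::ktime_get()`, an `elapsed_since` subtraction that is overflow-free only because both operands are in [0, KTIME_MAX], and a constructed `StepClock` that honours the contract. `KtimeT`, `Instant`, `StepClock` and `difference_overflows` are names introduced here for illustration and do not exist in the kernel crate.

```rust
use std::marker::PhantomData;
use std::sync::atomic::{AtomicI64, Ordering};

/// Stand-in for the kernel's `ktime_t`: nanoseconds as a signed 64-bit value.
pub type KtimeT = i64;
/// The kernel's `KTIME_MAX` is `i64::MAX`.
pub const KTIME_MAX: KtimeT = i64::MAX;

/// Stand-alone model of the trait from the patch (hypothetical, not the kernel's).
///
/// # Safety
///
/// Implementers must ensure that `ktime_get()` returns a value in the
/// inclusive range [0, KTIME_MAX].
pub unsafe trait ClockSource {
    fn ktime_get() -> KtimeT;
}

/// Time stamp taken from clock `C`. The field is private, so every value
/// originates from `C::ktime_get()` and therefore satisfies the contract.
pub struct Instant<C: ClockSource> {
    inner: KtimeT,
    _clock: PhantomData<C>,
}

impl<C: ClockSource> Instant<C> {
    pub fn now() -> Self {
        let t = C::ktime_get();
        // Debug-only sanity check; callers rely on the trait contract,
        // not on this assertion, which is compiled out in release builds.
        debug_assert!((0..=KTIME_MAX).contains(&t), "ClockSource contract violated");
        Self { inner: t, _clock: PhantomData }
    }

    /// Nanoseconds from `earlier` to `self`.
    ///
    /// Both operands lie in [0, KTIME_MAX], so the difference lies in
    /// [-KTIME_MAX, KTIME_MAX] and the plain subtraction cannot overflow
    /// `i64`. Without the trait-level guarantee this would need `checked_sub`.
    pub fn elapsed_since(&self, earlier: &Self) -> KtimeT {
        self.inner - earlier.inner
    }
}

/// Shows what the lower bound buys: with `earlier == -1` (a contract
/// violation) the subtraction from `KTIME_MAX` no longer fits in `i64`.
pub fn difference_overflows(later: KtimeT, earlier: KtimeT) -> bool {
    later.checked_sub(earlier).is_none()
}

/// Constructed test clock (not a real kernel clock): a process-wide counter
/// that advances by 1000 ns on every read.
static TICKS: AtomicI64 = AtomicI64::new(0);
pub struct StepClock;

// SAFETY: the counter starts at 0 and is only advanced with a saturating add,
// so the value returned never leaves [0, KTIME_MAX].
unsafe impl ClockSource for StepClock {
    fn ktime_get() -> KtimeT {
        TICKS
            .fetch_update(Ordering::SeqCst, Ordering::SeqCst, |t| {
                Some(t.saturating_add(1_000))
            })
            .unwrap()
    }
}

fn main() {
    let start = Instant::<StepClock>::now();
    let later = Instant::<StepClock>::now();
    println!("elapsed: {} ns", later.elapsed_since(&start));
    println!(
        "in-range subtraction overflows: {}, out-of-range: {}",
        difference_overflows(KTIME_MAX, 0),
        difference_overflows(KTIME_MAX, -1)
    );
}
```

The `unsafe` on the trait is what lets `elapsed_since` keep a plain `-`: the compiler cannot check the range, so the obligation is moved onto whoever writes `unsafe impl`, and the SAFETY comment on `StepClock` is the place where that obligation is discharged.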