Message-ID: <87v7hdh9m4.fsf@t14s.mail-host-address-is-not-set>
Date: Wed, 07 Jan 2026 13:48:19 +0100
From: Andreas Hindborg <a.hindborg@...nel.org>
To: Boqun Feng <boqun.feng@...il.com>
Cc: FUJITA Tomonori <fujita.tomonori@...il.com>, aliceryhl@...gle.com,
lyude@...hat.com, will@...nel.org, peterz@...radead.org,
richard.henderson@...aro.org, mattst88@...il.com, linmag7@...il.com,
catalin.marinas@....com, ojeda@...nel.org, gary@...yguo.net,
bjorn3_gh@...tonmail.com, lossin@...nel.org, tmgross@...ch.edu,
dakr@...nel.org, mark.rutland@....com, frederic@...nel.org,
tglx@...utronix.de, anna-maria@...utronix.de, jstultz@...gle.com,
sboyd@...nel.org, viro@...iv.linux.org.uk, brauner@...nel.org,
jack@...e.cz, linux-kernel@...r.kernel.org, linux-alpha@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org, rust-for-linux@...r.kernel.org,
linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH 4/5] rust: hrtimer: use READ_ONCE instead of read_volatile
Boqun Feng <boqun.feng@...il.com> writes:
> On Wed, Jan 07, 2026 at 11:11:43AM +0100, Andreas Hindborg wrote:
>> FUJITA Tomonori <fujita.tomonori@...il.com> writes:
>>
> [...]
>> >>>
>> >>
>> >> This is a potentially racy read. As far as I recall, we determined that
>> >> using read_once is the proper way to handle the situation.
>> >>
>> >> I do not think it makes a difference that the read is done by C code.
>> >
>> > What does "racy read" mean here?
>> >
>> > The C side doesn't use WRITE_ONCE() or READ_ONCE for node.expires. How
>> > would using READ_ONCE() on the Rust side make a difference?
>>
>> Data races like this are UB in Rust. As far as I understand, using this
>> READ_ONCE implementation or a relaxed atomic read would make the read
>> well defined. I am not aware if this is only the case if all writes to
>> the location from C also use atomic operations or WRITE_ONCE. @Boqun?
>>
>
> I took a look into this; the current C code is probably fine (i.e.
> without READ_ONCE() or WRITE_ONCE()) because the accesses are
>
> 1) protected by timer base locking or
> 2) in a timer callback which provides exclusive access to .expires as
> well. Note that hrtimer_cancel() doesn't need to access .expires, so
> a timer callback racing with a hrtimer_cancel() is fine.
>
> (I may miss one or two cases, but most of the cases are fine)
>
> The problem in Rust code is that HrTimer::expires() is a pub function,
> so in 2) a HrTimer::expires() can race with hrtimer_forward(), which
> causes data races.
>
> We either change hrtimer C code to support such a usage (against data
> races) or change the usage of this HrTimer::expires() function. Using
> READ_ONCE() here won't work. (Yes, we could say assuming all plain
> writes on .expires in C are atomic as some other code does, but hrtimer
> doesn't rely on this, so I don't think we should either)

I don't think we should change the C code, I think the Rust API is
simply wrong. The function should have the same constraints as
`forward_now`, i.e. be called while having exclusive access to the timer
(during setup, for instance) or in callback context.

We should change it to take `self: Pin<&mut Self>` and add it on
`HrTimerCallbackContext` as well.

@Tomo, do you know of any users of this function?

Best regards,
Andreas Hindborg
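As an added sketch (not code from this thread nor from the kernel's hrtimer bindings), here is a small model of the API shape proposed above: `expires()` takes `Pin<&mut Self>` like `forward_now`, and a `HrTimerCallbackContext` exposes it too, so a read of `.expires` can never overlap a concurrent `hrtimer_forward()` write. The struct layout, the `forward()` arithmetic (modelled on hrtimer_forward()'s overrun count) and the names `HrTimerCallbackContext::new` / `forward` are assumptions made for this example.

```rust
use std::cell::UnsafeCell;
use std::marker::PhantomPinned;
use std::pin::Pin;

/// Constructed model of the kernel's `struct hrtimer` (not the real binding).
/// `expires` sits in an `UnsafeCell` because, in the real binding, C code writes
/// the field through a raw pointer (e.g. inside `hrtimer_forward()`).
pub struct HrTimer {
    expires: UnsafeCell<i64>,
    _pin: PhantomPinned, // the kernel struct is linked into a tree; it must not move
}

impl HrTimer {
    pub fn new(expires: i64) -> Self {
        Self { expires: UnsafeCell::new(expires), _pin: PhantomPinned }
    }

    /// Proposed shape: reading `.expires` demands exclusive access to the timer,
    /// so it cannot be called while a `hrtimer_forward()` writer may be running.
    pub fn expires(self: Pin<&mut Self>) -> i64 {
        // SAFETY: `Pin<&mut Self>` is exclusive; no other reference can write.
        unsafe { *self.expires.get() }
    }

    /// Simplified model of `hrtimer_forward(timer, now, interval)`: advance
    /// `expires` by whole multiples of `interval` until it lies after `now`
    /// and return the number of intervals skipped (the overrun count).
    pub fn forward(self: Pin<&mut Self>, now: i64, interval: i64) -> u64 {
        assert!(interval > 0, "interval must be positive");
        // SAFETY: exclusive access, see `expires()`.
        let exp = unsafe { &mut *self.expires.get() };
        if *exp > now {
            return 0; // not yet expired, nothing to forward
        }
        let overrun = (now - *exp) / interval + 1;
        *exp += overrun * interval;
        overrun as u64
    }
}

/// Model of `HrTimerCallbackContext`: the callback holds exclusive access to
/// the timer for its whole duration, so both operations are safe to expose.
pub struct HrTimerCallbackContext<'a> {
    timer: Pin<&'a mut HrTimer>,
}

impl<'a> HrTimerCallbackContext<'a> {
    pub fn new(timer: Pin<&'a mut HrTimer>) -> Self { Self { timer } }
    pub fn expires(&mut self) -> i64 { self.timer.as_mut().expires() }
    pub fn forward(&mut self, now: i64, interval: i64) -> u64 { self.timer.as_mut().forward(now, interval) }
}
```

With `expires()` taking `Pin<&mut Self>`, a caller holding only a shared reference to the timer gets a compile error instead of a racy read.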