[PATCH 4/5] rust: hrtimer: use READ_ONCE instead of read_volatile

Boqun Feng boqun.feng at gmail.com
Wed Jan 7 03:51:29 PST 2026


On Wed, Jan 07, 2026 at 11:11:43AM +0100, Andreas Hindborg wrote:
> FUJITA Tomonori <fujita.tomonori at gmail.com> writes:
> 
[...]
> >>>
> >> 
> >> This is a potentially racy read. As far as I recall, we determined that
> >> using read_once is the proper way to handle the situation.
> >> 
> >> I do not think it makes a difference that the read is done by C code.
> >
> > What does "racy read" mean here?
> >
> > The C side doesn't use WRITE_ONCE() or READ_ONCE for node.expires. How
> > would using READ_ONCE() on the Rust side make a difference?
> 
> Data races like this are UB in Rust. As far as I understand, using this
> READ_ONCE implementation or a relaxed atomic read would make the read
> well defined. I am not aware whether this is only the case if all writes to
> the location from C also use atomic operations or WRITE_ONCE. @Boqun?
> 

I took a look into this; the current C code is probably fine (i.e.
without READ_ONCE() or WRITE_ONCE()) because the accesses are

1) protected by timer base locking or
2) in a timer callback which provides exclusive access to .expires as
   well. Note that hrtimer_cancel() doesn't need to access .expires, so
   a timer callback racing with a hrtimer_cancel() is fine.

(I may have missed one or two cases, but most of the cases are fine)

The problem in Rust code is that HrTimer::expires() is a pub function,
so in 2) a HrTimer::expires() can race with hrtimer_forward(), which
causes data races.

We either change hrtimer C code to support such a usage (against data
races) or change the usage of this HrTimer::expires() function. Using
READ_ONCE() here won't work. (Yes, we could say assuming all plain
writes on .expires in C are atomic as some other code does, but hrtimer
doesn't rely on this, so I don't think we should either)

Regards,
Boqun

> 
> Best regards,
> Andreas Hindborg
> 
> 
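Added example (my own, not kernel or patch code) modeling the two sound alternatives the thread discusses for a public `expires()` accessor: serialize it under the same lock as the writer, or make both the forward and the read atomic. `LockedTimer`, `AtomicTimer`, `forward`, `expires` and `run_race` are assumed names standing in for `.expires`, `hrtimer_forward()` and `HrTimer::expires()`.

```rust
// Added model of the two access patterns discussed in the thread; not kernel
// code. `LockedTimer`, `AtomicTimer`, `forward`, `expires` and `run_race` are
// names assumed here, standing in for .expires, hrtimer_forward() and HrTimer::expires().
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::{Arc, Mutex};
use std::thread;
/// Case 1: .expires lives behind a lock (the timer base lock here).
/// Every reader and writer takes the lock, so a plain field is fine.
pub struct LockedTimer { expires: Mutex<u64> }
impl LockedTimer {
    pub fn new(e: u64) -> Self { Self { expires: Mutex::new(e) } }
    /// Models hrtimer_forward() run under the base lock.
    pub fn forward(&self, interval: u64) -> u64 {
        let mut e = self.expires.lock().unwrap();
        *e += interval;
        *e
    }
    /// A public accessor that takes the same lock cannot race with forward().
    pub fn expires(&self) -> u64 { *self.expires.lock().unwrap() }
}

/// Case 2: a public accessor that may run while the callback forwards the
/// timer. A plain u64 here would be a data race (UB in Rust); the relaxed
/// load is only well defined because the writer side is atomic as well.
pub struct AtomicTimer { expires: AtomicU64 }
impl AtomicTimer {
    pub fn new(e: u64) -> Self { Self { expires: AtomicU64::new(e) } }
    /// Writer side is atomic too (the WRITE_ONCE() counterpart).
    pub fn forward(&self, interval: u64) -> u64 {
        self.expires.fetch_add(interval, Ordering::Relaxed) + interval
    }
    /// READ_ONCE()-style read: relaxed, but paired with atomic writes.
    pub fn expires(&self) -> u64 { self.expires.load(Ordering::Relaxed) }
}

/// Run a forwarding "callback" thread against four concurrent readers and
/// return every value the readers observed.
pub fn run_race(rounds: u64, interval: u64) -> Vec<u64> {
    let t = Arc::new(AtomicTimer::new(0));
    let w = Arc::clone(&t);
    let writer = thread::spawn(move || for _ in 0..rounds { w.forward(interval); });
    let readers: Vec<_> = (0..4).map(|_| {
        let r = Arc::clone(&t);
        thread::spawn(move || (0..rounds).map(|_| r.expires()).collect::<Vec<u64>>())
    }).collect();
    writer.join().unwrap();
    readers.into_iter().flat_map(|h| h.join().unwrap()).collect()
}
```

Neither variant can be written without the writer side cooperating, which is the point of the thread: a READ_ONCE() on the Rust side alone does not make a plain C write into an atomic one.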