Merge pull request #1890 from hermit-os/kernel_stack-transmute-reg

mkroening · web-flow · commit 5f7d19f82049 · 2025-09-09T13:00:26.000Z
fix(kernel_stack): don't transmute args via memory
diff --git a/hermit-macro/src/system.rs b/hermit-macro/src/system.rs
@@ -179,7 +179,7 @@ fn emit_func(func: ItemFn, sig: &ParsedSig, errno: bool) -> Result<ItemFn> {
 					feature = "kernel-stack",
 					not(any(target_arch = "riscv64", feature = "common-os")),
 				))] {
-					unsafe { crate::arch::kernel::kernel_stack::#kernel_function_ident(#kernel_ident, #(#args),*) }
+					unsafe { crate::arch::kernel::kernel_stack::#kernel_function_ident(#(#args,)* #kernel_ident) }
 				} else {
 					#unsafety { #kernel_ident(#(#args),*) }
 				}
@@ -259,7 +259,7 @@ mod tests {
 						feature = "kernel-stack",
 						not(any(target_arch = "riscv64", feature = "common-os")),
 					))] {
-						unsafe { crate::arch::kernel::kernel_stack::kernel_function2(_sys_test, a, b) }
+						unsafe { crate::arch::kernel::kernel_stack::kernel_function2(a, b, _sys_test) }
 					} else {
 						{ _sys_test(a, b) }
 					}
@@ -327,7 +327,7 @@ mod tests {
 						feature = "kernel-stack",
 						not(any(target_arch = "riscv64", feature = "common-os")),
 					))] {
-						unsafe { crate::arch::kernel::kernel_stack::kernel_function2(_sys_test, a, b) }
+						unsafe { crate::arch::kernel::kernel_stack::kernel_function2(a, b, _sys_test) }
 					} else {
 						unsafe { _sys_test(a, b) }
 					}
@@ -397,7 +397,7 @@ mod tests {
 						feature = "kernel-stack",
 						not(any(target_arch = "riscv64", feature = "common-os")),
 					))] {
-						unsafe { crate::arch::kernel::kernel_stack::kernel_function2(_sys_test, a, b) }
+						unsafe { crate::arch::kernel::kernel_stack::kernel_function2(a, b, _sys_test) }
 					} else {
 						{ _sys_test(a, b) }
 					}
diff --git a/src/arch/aarch64/kernel/kernel_stack.rs b/src/arch/aarch64/kernel/kernel_stack.rs
@@ -1,96 +1,79 @@
-use core::arch::asm;
-use core::{mem, ptr};
+use core::mem;
+
+type Reg = core::mem::MaybeUninit<usize>;
+
+#[unsafe(naked)]
+pub unsafe extern "C" fn call_with_kernel_stack(
+	x0: Reg,
+	x1: Reg,
+	x2: Reg,
+	x3: Reg,
+	x4: Reg,
+	x5: Reg,
+	f: unsafe extern "C" fn(x0: Reg, x1: Reg, x2: Reg, x3: Reg, x4: Reg, x5: Reg) -> Reg,
+) -> Reg {
+	core::arch::naked_asm!(
+		// Disable IRQs and FIQs while changing stack pointer
+		"msr daifset, #0b11",
+		// Preserve return address on the stack
+		"str x30, [sp, #-16]!",
+		// Switch to kernel stack
+		"msr spsel, #1",
+		// Re-enable IRQs and FIQs
+		"msr daifclr, #0b11",
+		// Call the function pointer (stored in x6)
+		"blr x6",
+		// Disable IRQs and FIQs before restoring stack
+		"msr daifset, #0b11",
+		// Switch back to user stack
+		"msr spsel, #0",
+		// Restore return address from the stack
+		"ldr x30, [sp], 16",
+		// Re-enable IRQs and FIQs
+		"msr daifclr, #0b11",
+		// Return to caller (return value is in x0)
+		"ret",
+	)
+}
 
 macro_rules! kernel_function_impl {
-	($kernel_function:ident($($arg:ident: $A:ident),*) { $($operands:tt)* }) => {
+	($kernel_function:ident($($arg:ident: $A:ident),*; $($z:ident: Reg),*)) => {
 		/// Executes `f` on the kernel stack.
 		#[allow(dead_code)]
-		pub unsafe fn $kernel_function<R, $($A),*>(f: unsafe extern "C" fn($($A),*) -> R, $($arg: $A),*) -> R {
+		#[inline]
+		pub unsafe extern "C" fn $kernel_function<R, $($A),*>($($arg: $A,)* f: unsafe extern "C" fn($($A),*) -> R) -> R {
 			unsafe {
-				assert!(mem::size_of::<R>() <= mem::size_of::<usize>());
-
 				$(
-					assert!(mem::size_of::<$A>() <= mem::size_of::<usize>());
-					let $arg = {
-						let mut reg = 0usize;
-						// SAFETY: $A is smaller than usize and directly fits in a register
-						// Since f takes $A as argument via C calling convention, any upper bytes do not matter.
-						ptr::write(ptr::from_mut(&mut reg).cast(), $arg);
-						reg
-					};
+					assert!(mem::size_of::<$A>() <= mem::size_of::<Reg>());
 				)*
+				assert!(mem::size_of::<R>() <= mem::size_of::<Reg>());
 
-				let ret: u64;
-				asm!(
-					// Switch to kernel stack
-					"msr spsel, {l1}",
-
-					// To make sure, Rust manages the stack in `f` correctly,
-					// we keep all arguments and return values in registers
-					// until we switch the stack back. Thus follows the sizing
-					// requirements for arguments and return types.
-					"blr {f}",
-
-					// Switch back to user stack
-					"msr spsel, {l0}",
+				let call_with_kernel_stack = mem::transmute::<*const (), unsafe extern "C" fn(
+					$($arg: $A,)*
+					$($z: Reg,)*
+					f: unsafe extern "C" fn(
+						$($arg: $A,)*
+					) -> R,
+				) -> R>(call_with_kernel_stack as *const ());
 
-					l0 = const 0,
-					l1 = const 1,
-					f = in(reg) f,
-
-					$($operands)*
-
-					// Return argument in x0
-					lateout("x0") ret,
-
-					clobber_abi("C"),
-				);
+				$(
+					let $z = Reg::uninit();
+				)*
 
-				// SAFETY: R is smaller than usize and directly fits in rax
-				// Since f returns R, we can safely convert ret to R
-				mem::transmute_copy(&ret)
+				call_with_kernel_stack(
+					$($arg,)*
+					$($z,)*
+					f,
+				)
 			}
 		}
 	};
 }
 
-kernel_function_impl!(kernel_function0() {});
-
-kernel_function_impl!(kernel_function1(arg1: A1) {
-	in("x0") arg1,
-});
-
-kernel_function_impl!(kernel_function2(arg1: A1, arg2: A2) {
-	in("x0") arg1,
-	in("x1") arg2,
-});
-
-kernel_function_impl!(kernel_function3(arg1: A1, arg2: A2, arg3: A3) {
-	in("x0") arg1,
-	in("x1") arg2,
-	in("x2") arg3,
-});
-
-kernel_function_impl!(kernel_function4(arg1: A1, arg2: A2, arg3: A3, arg4: A4) {
-	in("x0") arg1,
-	in("x1") arg2,
-	in("x2") arg3,
-	in("x3") arg4,
-});
-
-kernel_function_impl!(kernel_function5(arg1: A1, arg2: A2, arg3: A3, arg4: A4, arg5: A5) {
-	in("x0") arg1,
-	in("x1") arg2,
-	in("x2") arg3,
-	in("x3") arg4,
-	in("x4") arg5,
-});
-
-kernel_function_impl!(kernel_function6(arg1: A1, arg2: A2, arg3: A3, arg4: A4, arg5: A5, arg6: A6) {
-	in("x0") arg1,
-	in("x1") arg2,
-	in("x2") arg3,
-	in("x3") arg4,
-	in("x4") arg5,
-	in("x5") arg6,
-});
+kernel_function_impl!(kernel_function0(; u1: Reg, u2: Reg, u3: Reg, u4: Reg, u5: Reg, u6: Reg));
+kernel_function_impl!(kernel_function1(arg1: A1; u2: Reg, u3: Reg, u4: Reg, u5: Reg, u6: Reg));
+kernel_function_impl!(kernel_function2(arg1: A1, arg2: A2; u3: Reg, u4: Reg, u5: Reg, u6: Reg));
+kernel_function_impl!(kernel_function3(arg1: A1, arg2: A2, arg3: A3; u4: Reg, u5: Reg, u6: Reg));
+kernel_function_impl!(kernel_function4(arg1: A1, arg2: A2, arg3: A3, arg4: A4; u5: Reg, u6: Reg));
+kernel_function_impl!(kernel_function5(arg1: A1, arg2: A2, arg3: A3, arg4: A4, arg5: A5; u6: Reg));
+kernel_function_impl!(kernel_function6(arg1: A1, arg2: A2, arg3: A3, arg4: A4, arg5: A5, arg6: A6; ));
diff --git a/src/arch/x86_64/kernel/kernel_stack.rs b/src/arch/x86_64/kernel/kernel_stack.rs
@@ -1,105 +1,80 @@
-use core::arch::asm;
-use core::{mem, ptr};
+use core::mem;
 
 use crate::core_local::CoreLocal;
 
+type Reg = core::mem::MaybeUninit<usize>;
+
+#[unsafe(naked)]
+pub unsafe extern "C" fn call_with_stack(
+	rdi: Reg,
+	rsi: Reg,
+	rdx: Reg,
+	rcx: Reg,
+	r8: Reg,
+	r9: Reg,
+	f: unsafe extern "C" fn(rdi: Reg, rsi: Reg, rdx: Reg, rcx: Reg, r8: Reg, r9: Reg) -> Reg,
+	stack_ptr: *mut (),
+) -> Reg {
+	core::arch::naked_asm!(
+		// Save user stack pointer and switch to supplied stack
+		"cli",
+		"push r12",
+		"mov r12, rsp",
+		"mov rsp, [rsp + 24]",
+		"sti",
+		// Call f
+		"call [r12 + 16]",
+		// Switch back to previous stack
+		"cli",
+		"mov rsp, r12",
+		"pop r12",
+		"sti",
+		"ret",
+	)
+}
+
 macro_rules! kernel_function_impl {
-	($kernel_function:ident($($arg:ident: $A:ident),*) { $($operands:tt)* }) => {
+	($kernel_function:ident($($arg:ident: $A:ident),*; $($z:ident: Reg),*)) => {
 		/// Executes `f` on the kernel stack.
 		#[allow(dead_code)]
-		pub unsafe fn $kernel_function<R, $($A),*>(f: unsafe extern "C" fn($($A),*) -> R, $($arg: $A),*) -> R {
+		#[inline]
+		pub unsafe extern "C" fn $kernel_function<R, $($A),*>($($arg: $A,)* f: unsafe extern "C" fn($($A),*) -> R) -> R {
 			unsafe {
-				assert!(mem::size_of::<R>() <= mem::size_of::<usize>());
-
 				$(
-					assert!(mem::size_of::<$A>() <= mem::size_of::<usize>());
-					let $arg = {
-						let mut reg = 0usize;
-						// SAFETY: $A is smaller than usize and directly fits in a register
-						// Since f takes $A as argument via C calling convention, any upper bytes do not matter.
-						ptr::write(ptr::from_mut(&mut reg).cast(), $arg);
-						reg
-					};
+					assert!(mem::size_of::<$A>() <= mem::size_of::<Reg>());
 				)*
+				assert!(mem::size_of::<R>() <= mem::size_of::<Reg>());
 
-				let ret: u64;
-				asm!(
-					// Save user stack pointer and switch to kernel stack
-					"cli",
-					"mov r12, rsp",
-					"mov rsp, {kernel_stack_ptr}",
-					"sti",
-
-					// To make sure, Rust manages the stack in `f` correctly,
-					// we keep all arguments and return values in registers
-					// until we switch the stack back. Thus follows the sizing
-					// requirements for arguments and return types.
-					"call {f}",
-
-					// Switch back to user stack
-					"cli",
-					"mov rsp, r12",
-					"sti",
-
-					f = in(reg) f,
-					kernel_stack_ptr = in(reg) CoreLocal::get().kernel_stack.get(),
-
-					$($operands)*
-
-					// user_stack_ptr saved in r12
-					out("r12") _,
+				let call_with_stack = mem::transmute::<*const (), unsafe extern "C" fn(
+					$($arg: $A,)*
+					$($z: Reg,)*
+					f: unsafe extern "C" fn(
+						$($arg: $A,)*
+					) -> R,
+					stack_ptr: *mut (),
+				) -> R>(call_with_stack as *const ());
 
-					// Return argument in rax
-					out("rax") ret,
+				$(
+					let $z = Reg::uninit();
+				)*
 
-					clobber_abi("C"),
-				);
+				let kernel_stack = CoreLocal::get().kernel_stack.get().cast();
 
-				// SAFETY: R is smaller than usize and directly fits in rax
-				// Since f returns R, we can safely convert ret to R
-				mem::transmute_copy(&ret)
+				call_with_stack(
+					$($arg,)*
+					$($z,)*
+					f,
+					kernel_stack,
+				)
 			}
 		}
 	};
 }
 
-kernel_function_impl!(kernel_function0() {});
-
-kernel_function_impl!(kernel_function1(arg1: A1) {
-	in("rdi") arg1,
-});
-
-kernel_function_impl!(kernel_function2(arg1: A1, arg2: A2) {
-	in("rdi") arg1,
-	in("rsi") arg2,
-});
-
-kernel_function_impl!(kernel_function3(arg1: A1, arg2: A2, arg3: A3) {
-	in("rdi") arg1,
-	in("rsi") arg2,
-	in("rdx") arg3,
-});
-
-kernel_function_impl!(kernel_function4(arg1: A1, arg2: A2, arg3: A3, arg4: A4) {
-	in("rdi") arg1,
-	in("rsi") arg2,
-	in("rdx") arg3,
-	in("rcx") arg4,
-});
-
-kernel_function_impl!(kernel_function5(arg1: A1, arg2: A2, arg3: A3, arg4: A4, arg5: A5) {
-	in("rdi") arg1,
-	in("rsi") arg2,
-	in("rdx") arg3,
-	in("rcx") arg4,
-	in("r8") arg5,
-});
-
-kernel_function_impl!(kernel_function6(arg1: A1, arg2: A2, arg3: A3, arg4: A4, arg5: A5, arg6: A6) {
-	in("rdi") arg1,
-	in("rsi") arg2,
-	in("rdx") arg3,
-	in("rcx") arg4,
-	in("r8") arg5,
-	in("r9") arg6,
-});
+kernel_function_impl!(kernel_function0(; u1: Reg, u2: Reg, u3: Reg, u4: Reg, u5: Reg, u6: Reg));
+kernel_function_impl!(kernel_function1(arg1: A1; u2: Reg, u3: Reg, u4: Reg, u5: Reg, u6: Reg));
+kernel_function_impl!(kernel_function2(arg1: A1, arg2: A2; u3: Reg, u4: Reg, u5: Reg, u6: Reg));
+kernel_function_impl!(kernel_function3(arg1: A1, arg2: A2, arg3: A3; u4: Reg, u5: Reg, u6: Reg));
+kernel_function_impl!(kernel_function4(arg1: A1, arg2: A2, arg3: A3, arg4: A4; u5: Reg, u6: Reg));
+kernel_function_impl!(kernel_function5(arg1: A1, arg2: A2, arg3: A3, arg4: A4, arg5: A5; u6: Reg));
+kernel_function_impl!(kernel_function6(arg1: A1, arg2: A2, arg3: A3, arg4: A4, arg5: A5, arg6: A6; ));
