From f428b01f801b3fbd7528812a3ff6eb4afff97aaa Mon Sep 17 00:00:00 2001
From: Jon Lange
Date: Tue, 10 Dec 2024 10:50:41 -0800
Subject: [PATCH] task: fix safety

Any function that takes a raw virtual address must be `unsafe`. Manipulation of interrupts in the task start logic is not unsafe.

Signed-off-by: Jon Lange
---
 kernel/src/task/tasks.rs | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/kernel/src/task/tasks.rs b/kernel/src/task/tasks.rs
index a8c4c579e..8e98c6b41 100644
--- a/kernel/src/task/tasks.rs
+++ b/kernel/src/task/tasks.rs
@@ -691,8 +691,10 @@ pub fn is_task_fault(vaddr: VirtAddr) -> bool {
 /// Runs the first time a new task is scheduled, in the context of the new
 /// task. Any first-time initialization and setup work for a new task that
 /// needs to happen in its context must be done here.
+/// # Safety
+/// The caller is required to verify the correctness of the save area address.
 #[no_mangle]
-fn setup_new_task(xsa_addr: u64) {
+unsafe fn setup_new_task(xsa_addr: u64) {
 // Re-enable IRQs here, as they are still disabled from the
 // schedule()/sched_init() functions. After the context switch the IrqGuard
 // from the previous task is not dropped, which causes IRQs to stay
@@ -701,16 +703,21 @@ fn setup_new_task(xsa_addr: u64) {
 // subsequent task switches will go through schedule() and there the guard
 // is dropped, re-enabling IRQs.

- // SAFETY: Safe because this matches the IrqGuard drop in
- // schedule()/schedule_init(). See description above.
+ irqs_enable();
+
+ // SAFETY: The caller takes responsibility for the correctness of the save
+ // area address.
 unsafe {
- irqs_enable();
 sse_restore_context(xsa_addr);
 }
 }

 extern "C" fn run_kernel_task(entry: extern "C" fn(), xsa_addr: u64) {
- setup_new_task(xsa_addr);
+ // SAFETY: the save area address is provided by the context switch assembly
+ // code.
+ unsafe {
+ setup_new_task(xsa_addr);
+ }
 entry();
 }
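Review bot: The new `# Safety` section on setup_new_task only says the caller must "verify the correctness" of the save area address, which leaves the actual contract unstated and gives a caller nothing checkable. Spell out what correct means, along the lines of `/// \`xsa_addr\` must be the virtual address of a valid SSE/XSAVE save area that stays mapped for the duration of the call, and this function must be called at most once per task, from that task's own context` (the once-per-task part is inferred from the "Runs the first time a new task is scheduled" doc above and from the unconditional `irqs_enable()`; confirm against the scheduler). The heading should also be preceded by a blank `///` line so rustdoc renders it as its own section rather than as the tail of the previous paragraph. The body of setup_new_task continues past the end of this hunk.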
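Review bot: The SAFETY comment added in run_kernel_task justifies the call by provenance ("provided by the context switch assembly code") rather than by the property setup_new_task now requires, and run_kernel_task itself stays a safe `extern "C" fn` that accepts the same raw `xsa_addr: u64` from its caller, so by the commit's own rule that a function taking a raw virtual address must be `unsafe`, the obligation has been moved rather than discharged. Either declare it `unsafe extern "C" fn run_kernel_task(entry: extern "C" fn(), xsa_addr: u64)` with its own `# Safety` section, or reword the comment to state the invariant being relied on, e.g. `// SAFETY: xsa_addr is the save area allocated for this task at creation and stored in its context; the context switch code passes it through unchanged, so it is valid and mapped here.` I cannot see where the address originates from this hunk, so that wording should be checked against the task creation and context switch code before it is committed. run_kernel_task lies entirely within the hunk; setup_new_task begins before it.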