Merge pull request #649 from mkroening/provenance-casts

fix: enable strict provenance lints

Author: mkroening

src/arch/aarch64/kernel/mmio.rs

@@ -110,7 +110,7 @@ pub fn init_drivers() {
 							}
 
 							let virtio_region_start =
-								PhysAddr::new(virtio_region.starting_address as u64);
+								PhysAddr::from(virtio_region.starting_address.expose_provenance());
 
 							assert!(
 								virtio_region.size.unwrap()

src/arch/aarch64/kernel/scheduler.rs

@@ -177,7 +177,7 @@ impl TaskStacks {
 	}
 
 	pub fn from_boot_stacks() -> TaskStacks {
-		let stack = VirtAddr::new(CURRENT_STACK_ADDRESS.load(Ordering::Relaxed) as u64);
+		let stack = VirtAddr::from_ptr(CURRENT_STACK_ADDRESS.load(Ordering::Relaxed));
 		debug!("Using boot stack {stack:p}");
 
 		TaskStacks::Boot(BootStack { stack })
@@ -302,7 +302,7 @@ impl TaskFrame for Task {
 			let state = stack.as_mut_ptr::<State>();
 			#[cfg(not(feature = "common-os"))]
 			if let Some(tls) = &self.tls {
-				(*state).tpidr_el0 = tls.thread_ptr() as u64;
+				(*state).tpidr_el0 = tls.thread_ptr().expose_provenance() as u64;
 			}
 
 			/*

src/arch/riscv64/kernel/devicetree.rs

@@ -103,7 +103,7 @@ pub fn init_drivers() {
 					.next()
 					.unwrap();
 
-				let plic_region_start = PhysAddr::new(plic_region.starting_address as u64);
+				let plic_region_start = PhysAddr::from(plic_region.starting_address.addr());
 				debug!(
 					"Init PLIC at {:p}, size: {:x}",
 					plic_region_start,
@@ -119,9 +119,9 @@ pub fn init_drivers() {
 				// TODO: Determine correct context via devicetree and allow more than one context
 				match PLATFORM_MODEL {
 					Model::Virt | Model::Unknown => {
-						init_plic(plic_region.starting_address as usize, 1);
+						init_plic(plic_region.starting_address.expose_provenance(), 1);
 					}
-					Model::Fux40 => init_plic(plic_region.starting_address as usize, 2),
+					Model::Fux40 => init_plic(plic_region.starting_address.expose_provenance(), 2),
 				}
 			}
 
@@ -161,7 +161,8 @@ pub fn init_drivers() {
 					warn!("Expected ethernet-phy node, found something else");
 				}
 
-				let gem_region_start = PhysAddr::new(gem_region.starting_address as u64);
+				let gem_region_start =
+					PhysAddr::from(gem_region.starting_address.expose_provenance());
 				debug!("Init GEM at {gem_region_start:p}, irq: {irq}, phy_addr: {phy_addr}");
 				assert!(
 					gem_region.size.unwrap() < usize::try_from(paging::HugePageSize::SIZE).unwrap()
@@ -193,7 +194,8 @@ pub fn init_drivers() {
 					.next()
 					.unwrap();
 
-				let virtio_region_start = PhysAddr::new(virtio_region.starting_address as u64);
+				let virtio_region_start =
+					PhysAddr::from(virtio_region.starting_address.expose_provenance());
 
 				debug!("Init virtio_mmio at {virtio_region_start:p}, irq: {irq}");
 				assert!(

src/arch/riscv64/kernel/interrupts.rs

@@ -1,4 +1,5 @@
 use alloc::vec::Vec;
+use core::ptr;
 
 use ahash::RandomState;
 use hashbrown::HashMap;
@@ -128,18 +129,21 @@ pub(crate) fn install_handlers() {
 
 			// Set priority to 7 (highest on FU740)
 			let prio_address = *base_ptr + *irq_number as usize * 4;
-			core::ptr::write_volatile(prio_address as *mut u32, 1);
+			let prio_ptr = ptr::with_exposed_provenance_mut::<u32>(prio_address);
+			prio_ptr.write_volatile(1);
 			// Set Threshold to 0 (lowest)
 			let thresh_address = *base_ptr + 0x20_0000 + 0x1000 * (*context as usize);
-			core::ptr::write_volatile(thresh_address as *mut u32, 0);
+			let thresh_ptr = ptr::with_exposed_provenance_mut::<u32>(thresh_address);
+			thresh_ptr.write_volatile(0);
 			// Enable irq for context
 			const PLIC_ENABLE_OFFSET: usize = 0x0000_2000;
 			let enable_address = *base_ptr
 				+ PLIC_ENABLE_OFFSET
 				+ 0x80 * (*context as usize)
 				+ ((*irq_number / 32) * 4) as usize;
-			debug!("enable_address {enable_address:x}");
-			core::ptr::write_volatile(enable_address as *mut u32, 1 << (irq_number % 32));
+			let enable_ptr = ptr::with_exposed_provenance_mut::<u32>(enable_address);
+			debug!("enable_address {enable_ptr:p}");
+			enable_ptr.write_volatile(1 << (irq_number % 32));
 		}
 	}
 
@@ -193,7 +197,8 @@ fn external_handler() {
 	let base_ptr = PLIC_BASE.lock();
 	let context = PLIC_CONTEXT.lock();
 	let claim_address = *base_ptr + 0x20_0004 + 0x1000 * (*context as usize);
-	let irq = unsafe { core::ptr::read_volatile(claim_address as *mut u32) };
+	let claim_ptr = ptr::with_exposed_provenance_mut::<u32>(claim_address);
+	let irq = unsafe { claim_ptr.read_volatile() };
 
 	if irq != 0 {
 		debug!("External INT: {irq}");
@@ -219,7 +224,7 @@ fn external_handler() {
 
 		// Complete interrupt after handling
 		unsafe {
-			core::ptr::write_volatile(claim_address as *mut u32, irq);
+			claim_ptr.write_volatile(irq);
 		}
 
 		// Remove from active interrupts

src/arch/riscv64/kernel/mod.rs

@@ -156,8 +156,8 @@ pub fn boot_next_processor() {
 			let frame_layout = PageLayout::from_size(KERNEL_STACK_SIZE).unwrap();
 			let frame_range = FrameAlloc::allocate(frame_layout)
 				.expect("Failed to allocate boot stack for new core");
-			let stack = PhysAddr::from(frame_range.start());
-			CURRENT_STACK_ADDRESS.store(stack.as_usize() as _, Ordering::Relaxed);
+			let stack = ptr::with_exposed_provenance_mut(frame_range.start());
+			CURRENT_STACK_ADDRESS.store(stack, Ordering::Relaxed);
 		}
 
 		info!(
@@ -171,7 +171,7 @@ pub fn boot_next_processor() {
 
 		//When running bare-metal/QEMU we use the firmware to start the next hart
 		if !env::is_uhyve() {
-			let start_addr = start::_start as *const () as usize;
+			let start_addr = (start::_start as *const ()).expose_provenance();
 			sbi_rt::hart_start(next_hart_id as usize, start_addr, 0).unwrap();
 		}
 	} else {

src/arch/riscv64/kernel/scheduler.rs

@@ -328,7 +328,7 @@ impl TaskFrame for Task {
 			let state = stack.as_mut_ptr::<State>();
 			#[cfg(not(feature = "common-os"))]
 			if let Some(tls) = &self.tls {
-				(*state).tp = tls.thread_ptr() as usize;
+				(*state).tp = tls.thread_ptr().expose_provenance();
 			}
 			(*state).ra = task_start;
 			(*state).a0 = func as usize;

src/arch/riscv64/mm/paging.rs

@@ -473,8 +473,9 @@ where
 		let index = page.table_index::<L>();
 		// trace!("Index: {:#X}", index);
 		let subtable_address = self.entries[index].address().as_usize();
+		let subtable_ptr = ptr::with_exposed_provenance_mut(subtable_address);
 		// trace!("subtable_address: {:#X}", subtable_address);
-		unsafe { &mut *(subtable_address as *mut PageTable<L::SubtableLevel>) }
+		unsafe { &mut *subtable_ptr }
 	}
 
 	/// Maps a continuous range of pages.
@@ -577,7 +578,7 @@ pub fn virtual_to_physical(virtual_address: VirtAddr) -> Option<PhysAddr> {
 		} else {
 			//PTE is a pointer to the next level of the page table
 			assert!(i != 0); //pte should be a leaf if i=0
-			page_table_addr = pte.address().as_usize() as *mut PageTable<L2Table>;
+			page_table_addr = ptr::with_exposed_provenance_mut(pte.address().as_usize());
 			// trace!("PTE is pointer: {:?}", page_table_addr);
 		}
 	}

src/arch/x86_64/kernel/mod.rs

@@ -252,7 +252,8 @@ where
 		flags,
 	);
 
-	let code_slice = unsafe { slice::from_raw_parts_mut(LOADER_START as *mut u8, code_size) };
+	let loader_start_ptr = ptr::with_exposed_provenance_mut(LOADER_START);
+	let code_slice = unsafe { slice::from_raw_parts_mut(loader_start_ptr, code_size) };
 
 	if tls_size > 0 {
 		// To access TLS blocks on x86-64, TLS offsets are *subtracted* from the thread register value.
@@ -287,7 +288,7 @@ where
 		unsafe {
 			thread_ptr.cast::<*mut ()>().write(thread_ptr);
 		}
-		crate::arch::x86_64::kernel::processor::writefs(thread_ptr as usize);
+		crate::arch::x86_64::kernel::processor::writefs(thread_ptr.expose_provenance());
 
 		func(code_slice, Some(block))
 	} else {
@@ -314,7 +315,8 @@ pub unsafe fn jump_to_user_land(entry_point: usize, code_size: usize, arg: &[&st
 
 	let stack_pointer =
 		stack_pointer - 128 /* red zone */ - arg.len() * core::mem::size_of::<*mut u8>();
-	let argv = unsafe { core::slice::from_raw_parts_mut(stack_pointer as *mut *mut u8, arg.len()) };
+	let stack_ptr = ptr::with_exposed_provenance_mut::<*mut u8>(stack_pointer);
+	let argv = unsafe { core::slice::from_raw_parts_mut(stack_ptr, arg.len()) };
 	let len = arg.iter().fold(0, |acc, x| acc + x.len() + 1);
 	// align stack pointer to fulfill the requirements of the x86_64 ABI
 	let stack_pointer = (stack_pointer - len).align_down(16) - core::mem::size_of::<usize>();
@@ -323,7 +325,7 @@ pub unsafe fn jump_to_user_land(entry_point: usize, code_size: usize, arg: &[&st
 	for (i, s) in arg.iter().enumerate() {
 		if let Ok(s) = CString::new(*s) {
 			let bytes = s.as_bytes_with_nul();
-			argv[i] = (stack_pointer + pos) as *mut u8;
+			argv[i] = ptr::with_exposed_provenance_mut::<u8>(stack_pointer + pos);
 			pos += bytes.len();
 
 			unsafe {

src/arch/x86_64/kernel/vga.rs

@@ -1,3 +1,5 @@
+use core::ptr;
+
 use hermit_sync::SpinMutex;
 use memory_addresses::{PhysAddr, VirtAddr};
 use x86_64::instructions::port::Port;
@@ -47,7 +49,7 @@ unsafe impl Send for VgaScreen {}
 impl VgaScreen {
 	const fn new() -> Self {
 		Self {
-			buffer: VGA_BUFFER_ADDRESS.as_u64() as *mut _,
+			buffer: ptr::with_exposed_provenance_mut(VGA_BUFFER_ADDRESS.as_usize()),
 			current_col: 0,
 			current_row: 0,
 			is_initialized: false,

src/drivers/net/gem.rs

@@ -11,7 +11,7 @@ use alloc::vec::Vec;
 use core::alloc::Layout;
 use core::convert::TryInto;
 use core::ptr::NonNull;
-use core::{mem, slice};
+use core::{mem, ptr, slice};
 
 use align_address::Align;
 use memory_addresses::{PhysAddr, VirtAddr};
@@ -477,13 +477,10 @@ impl<'a> smoltcp::phy::RxToken for RxToken<'a> {
 
 		// SAFETY: This is a blatant lie and very unsound.
 		// The API must be fixed or the buffer may never touched again.
-		let buffer = unsafe {
-			core::slice::from_raw_parts_mut(
-				(self.rx_fields.rxbuffer.as_usize() + (self.buffer_index * RX_BUF_LEN) as usize)
-					as *mut u8,
-				length as usize,
-			)
-		};
+		let buffer_addr =
+			self.rx_fields.rxbuffer.as_usize() + (self.buffer_index * RX_BUF_LEN) as usize;
+		let buffer_ptr = ptr::with_exposed_provenance_mut::<u8>(buffer_addr);
+		let buffer = unsafe { core::slice::from_raw_parts_mut(buffer_ptr, length as usize) };
 		trace!("BUFFER: {buffer:x?}");
 		let res = f(buffer);
 		self.rx_buffer_consumed();