fix(interrupts): use proper kernel stack when returning to idle loop (#82)

ryanbreen · Ryan Breen · claude · web-flow · commit 4f8782e17dfc · 2026-01-10T20:14:51.000-05:00
When returning to idle_loop from exception handlers (page fault, etc.),
we were using `current_rsp + 256` as the stack pointer. This is wrong
when running on IST stacks (page fault uses IST[1]).

IST stacks are small (~4KB) and meant only for exception handling.
When idle_loop runs on the IST stack and timer interrupts fire,
the interrupt frames and nested calls can overflow the small IST stack,
causing memory corruption and crashes.

This bug manifested as kernel page faults at 0xffffc97ffffffff0 (top of
PML4[402] region) - a corrupted RSP value. It only appeared on QEMU 8.x
(GitHub CI) but not QEMU 10.x (local) due to timing differences.

Fix: Use per_cpu::kernel_stack_top() which returns the idle thread's
actual kernel stack, which is large enough for normal execution.

Changed in two places:
- kernel/src/interrupts.rs: page fault handler recovery path
- kernel/src/interrupts/context_switch.rs: setup_idle_return()

Co-authored-by: Ryan Breen &lt;ryanbreen@gmail.com&gt;
Co-authored-by: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/kernel/src/interrupts.rs b/kernel/src/interrupts.rs
@@ -1217,10 +1217,12 @@ extern "x86-interrupt" fn page_fault_handler(
                     let flags_ptr = &mut frame.cpu_flags as *mut x86_64::registers::rflags::RFlags as *mut u64;
                     *flags_ptr = 0x202;
 
-                    // Set up kernel stack - use current RSP with some headroom
-                    let current_rsp: u64;
-                    core::arch::asm!("mov {}, rsp", out(reg) current_rsp);
-                    frame.stack_pointer = x86_64::VirtAddr::new(current_rsp + 256);
+                    // CRITICAL: Use the idle thread's actual kernel stack, NOT the IST stack!
+                    // The page fault handler runs on IST[1] which is small and not meant
+                    // for general execution. Using current_rsp would continue on IST stack
+                    // which can overflow when timer interrupts fire.
+                    let idle_stack = crate::per_cpu::kernel_stack_top();
+                    frame.stack_pointer = x86_64::VirtAddr::new(idle_stack);
                 });
             }
 
diff --git a/kernel/src/interrupts/context_switch.rs b/kernel/src/interrupts/context_switch.rs
@@ -668,13 +668,13 @@ fn setup_idle_return(interrupt_frame: &mut InterruptStackFrame) {
             let flags_ptr = &mut frame.cpu_flags as *mut x86_64::registers::rflags::RFlags as *mut u64;
             *flags_ptr = 0x202;
 
-            // CRITICAL: Must set kernel stack pointer when returning to idle!
-            // The idle thread runs in kernel mode and needs a kernel stack.
-            // Get the kernel stack pointer from the current CPU stack
-            let current_rsp: u64;
-            core::arch::asm!("mov {}, rsp", out(reg) current_rsp);
-            // Add some space to account for the interrupt frame
-            frame.stack_pointer = x86_64::VirtAddr::new(current_rsp + 256);
+            // CRITICAL: Use the idle thread's actual kernel stack!
+            // Do NOT use current_rsp because this function may be called from
+            // IST stacks (page fault, NMI, etc.) which are small and not meant
+            // for general execution. Using per_cpu::kernel_stack_top() ensures
+            // we return to the proper kernel stack that can handle interrupts.
+            let idle_stack = crate::per_cpu::kernel_stack_top();
+            frame.stack_pointer = x86_64::VirtAddr::new(idle_stack);
         });
 
         // NOTE: We do NOT switch page tables here. The userspace process page table
