Issue
It was said that one of the reasons for having a kernel stack is to protect kernel data from user space access during the syscall. But this is the part I don't quite get, so there must be some knowledge gap here.
Imagine if there were no kernel stacks, and syscall reuses user space stack. Because the syscall won't return to user code unless it finishes, and by the time the syscall finishes, it would have unwound its stack already, I don't see what opportunities do user code have to access the transiently existed syscall stack frames and the data that resided on it.
Is it because user stack exists in user memory space in which any user code can access, therefore any other active threads could've read the stack frames of the aforementioned thread while it's still trapped inside the syscall? Is this the only way this accessing could have happened theoretically?
Solution
That isn't the only way it could happen. Another process could do the same via e.g. process_vm_readv()/process_vm_writev(), ptrace() and possibly other means. The stack could also also be re-mapped as shared memory and [ab]used by multiple processes at the same time. It could even be mapped to file for what it's worth.
Aside from accessing the stack during the syscall through other threads and/or processes and reading/writing kernel data though, you could also simply leak information from kernel space from the same thread when the syscall returns, unless the kernel carefully clears out all the frames that it used (it's not like when a function returns the frame is cleared and zeroed out, values are still there in memory).
Furthermore, having control of the stack, you can easily cause a kernel page fault at will by making the stack arbitrarily small and then invoking a syscall, thus causing a kernel panic that would be very hard to recover from, ending up just crashing your machine.
These are just some examples off the top of my head. There would be countless ways to break user/kernel space isolation if the kernel uses userspace stack for syscalls.
See also this question that has another answer of mine: Why do system calls use a different stack?
Answered By - Marco Bonelli Answer Checked By - Terry (WPSolving Volunteer)