* [edk2-devel] [PATCH 1/1] OvmfPkg/VirtNorFlashDxe: fix shadowbuffer reads @ 2024-01-11 13:36 Gerd Hoffmann 2024-01-12 9:47 ` Laszlo Ersek 0 siblings, 1 reply; 3+ messages in thread From: Gerd Hoffmann @ 2024-01-11 13:36 UTC (permalink / raw) To: devel; +Cc: oliver, Jiewen Yao, Gerd Hoffmann, Laszlo Ersek, Ard Biesheuvel In some cases (specifically when the flash update region is small but crosses a multiple of P30_MAX_BUFFER_SIZE_IN_BYTES) NorFlashWriteSingleBlock reads only one instead of two P30_MAX_BUFFER_SIZE_IN_BYTES blocks into the shadow buffer. That leads to random crap being written to the second block, which in turn can corrupt both the variable store and the FTW work space. This patch fixes the calculation. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> --- OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c index 1afd60ce66eb..cdc809d75e3d 100644 --- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c +++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c @@ -566,7 +566,7 @@ NorFlashWriteSingleBlock ( Instance, Lba, Offset & ~BOUNDARY_OF_32_WORDS, - (*NumBytes | BOUNDARY_OF_32_WORDS) + 1, + (((Offset & BOUNDARY_OF_32_WORDS) + *NumBytes) | BOUNDARY_OF_32_WORDS) + 1, Instance->ShadowBuffer ); if (EFI_ERROR (Status)) { -- 2.43.0 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113618): https://edk2.groups.io/g/devel/message/113618 Mute This Topic: https://groups.io/mt/103661868/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] OvmfPkg/VirtNorFlashDxe: fix shadowbuffer reads 2024-01-11 13:36 [edk2-devel] [PATCH 1/1] OvmfPkg/VirtNorFlashDxe: fix shadowbuffer reads Gerd Hoffmann @ 2024-01-12 9:47 ` Laszlo Ersek 2024-01-12 11:26 ` Gerd Hoffmann 0 siblings, 1 reply; 3+ messages in thread From: Laszlo Ersek @ 2024-01-12 9:47 UTC (permalink / raw) To: Gerd Hoffmann, devel; +Cc: oliver, Jiewen Yao, Ard Biesheuvel On 1/11/24 14:36, Gerd Hoffmann wrote: > In some cases (specifically when the flash update region is > small but crosses a multiple of P30_MAX_BUFFER_SIZE_IN_BYTES) > NorFlashWriteSingleBlock reads only one instead of two > P30_MAX_BUFFER_SIZE_IN_BYTES blocks into the shadow buffer. > > That leads to random crap being written to the second block, > which in turn can corrupt both the variable store and the > FTW work space. > > This patch fixes the calculation. > > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c > index 1afd60ce66eb..cdc809d75e3d 100644 > --- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c > +++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c > @@ -566,7 +566,7 @@ NorFlashWriteSingleBlock ( > Instance, > Lba, > Offset & ~BOUNDARY_OF_32_WORDS, > - (*NumBytes | BOUNDARY_OF_32_WORDS) + 1, > + (((Offset & BOUNDARY_OF_32_WORDS) + *NumBytes) | BOUNDARY_OF_32_WORDS) + 1, > Instance->ShadowBuffer > ); > if (EFI_ERROR (Status)) { This patch looks like the output of an excellent bug analysis. I'll need more time to review this. If you have a ticket with the analysis captured (actual numbers, debugging logs, a concrete backtrace / call chain triggering the issue, etc), I'd appreciate a reference. (Perhaps include some of the key items in the commit message too?) Thanks Laszlo -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113705): https://edk2.groups.io/g/devel/message/113705 Mute This Topic: https://groups.io/mt/103661868/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/xyzzy [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [edk2-devel] [PATCH 1/1] OvmfPkg/VirtNorFlashDxe: fix shadowbuffer reads 2024-01-12 9:47 ` Laszlo Ersek @ 2024-01-12 11:26 ` Gerd Hoffmann 0 siblings, 0 replies; 3+ messages in thread From: Gerd Hoffmann @ 2024-01-12 11:26 UTC (permalink / raw) To: Laszlo Ersek; +Cc: devel, oliver, Jiewen Yao, Ard Biesheuvel On Fri, Jan 12, 2024 at 10:47:43AM +0100, Laszlo Ersek wrote: > On 1/11/24 14:36, Gerd Hoffmann wrote: > > In some cases (specifically when the flash update region is > > small but crosses a multiple of P30_MAX_BUFFER_SIZE_IN_BYTES) > > NorFlashWriteSingleBlock reads only one instead of two > > P30_MAX_BUFFER_SIZE_IN_BYTES blocks into the shadow buffer. > > > > That leads to random crap being written to the second block, > > which in turn can corrupt both the variable store and the > > FTW work space. > > > > This patch fixes the calculation. > > > > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > > --- > > OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c > > index 1afd60ce66eb..cdc809d75e3d 100644 > > --- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c > > +++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c > > @@ -566,7 +566,7 @@ NorFlashWriteSingleBlock ( > > Instance, > > Lba, > > Offset & ~BOUNDARY_OF_32_WORDS, > > - (*NumBytes | BOUNDARY_OF_32_WORDS) + 1, > > + (((Offset & BOUNDARY_OF_32_WORDS) + *NumBytes) | BOUNDARY_OF_32_WORDS) + 1, > > Instance->ShadowBuffer > > ); > > if (EFI_ERROR (Status)) { > > This patch looks like the output of an excellent bug analysis. I'll need > more time to review this. If you have a ticket with the analysis > captured (actual numbers, debugging logs, a concrete backtrace / call > chain triggering the issue, etc), I'd appreciate a reference. Yea, that was a few days browsing through the flash and Ftw code, sprinkling in debug logging, learning how all this works. Have a shell script resetting a VM in a loop with slowly increasing delay, to trigger the code paths recovering from interrupted flash writes. Finding 0xaf (aka PcdDebugClearMemoryValue) in not-yet used places of the ftw log (which should have been 0xff) was the bit of information which finally made me find the root cause of the flash corruption. I have some followup patches I'll send out as patch series in a moment, one of them adds variables here to make the whole logic easier to understand. stay tuned & take care, Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113711): https://edk2.groups.io/g/devel/message/113711 Mute This Topic: https://groups.io/mt/103661868/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=- ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-01-12 11:26 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-01-11 13:36 [edk2-devel] [PATCH 1/1] OvmfPkg/VirtNorFlashDxe: fix shadowbuffer reads Gerd Hoffmann 2024-01-12 9:47 ` Laszlo Ersek 2024-01-12 11:26 ` Gerd Hoffmann
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox