From: "Gao, Liming"
To: Andrew Fish, edk2-devel
Date: Mon, 15 Aug 2016 15:54:15 +0000
Message-ID: <4A89E2EF3DFEDB4C8BFDE51014F606A1155EB470@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <7B465500-570A-4B78-B1F2-458C36E7DC08@apple.com>
Subject: Re: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?

Andrew:

In permanent memory, PeiCore places the heap base at the stack top. The heap is above the stack, and there is no hole between them. SEC needs to follow this layout when it migrates the temporary memory to permanent memory: it should copy the TemporaryRam HEAP and STACK ranges separately. The HEAP range is specified by PeiTemporaryRamBase and PeiTemporaryRamSize, and the STACK range is specified by StackBase and StackSize. The grabbed memory is not migrated, because PeiCore doesn't know about it. But EmulatorPkg Sec SecTemporaryRamSupport() migrates the whole temporary memory together, so the grabbed memory is also migrated and wrongly regarded as heap data.

So, the fix is to update the SecTemporaryRamSupport() implementation in SEC.

Thanks
Liming

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Andrew Fish
Sent: Saturday, August 13, 2016 7:25 AM
To: edk2-devel
Subject: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?

I grabbed some memory between SEC and the PEI Core by adjusting SecCoreData->PeiTemporaryRamBase and SecCoreData->PeiTemporaryRamSize.

When looking at the code I don't really understand the logic of the algorithm? So maybe I'm doing something wrong.

This adjustment does not seem right to me?
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L768

    //
    // Heap Offset
    //
    BaseOfNewHeap = TopOfNewStack;
    if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) {
      Private->HeapOffsetPositive = TRUE;
      Private->HeapOffset         = (UINTN)(BaseOfNewHeap - (UINTN)SecCoreData->PeiTemporaryRamBase);
    } else {
      Private->HeapOffsetPositive = FALSE;
      Private->HeapOffset         = (UINTN)((UINTN)SecCoreData->PeiTemporaryRamBase - BaseOfNewHeap);
    }

The above code seems to be making a very strange adjustment. I noticed the adjustment in my failing case was off by 0xC0, which is the amount of memory I carved out prior to entering the PEI Core.

https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L796

    //
    // Temporary Ram Support PPI is provided by platform, it will copy
    // temporary memory to permanent memory and do stack switching.
    // After invoking Temporary Ram Support PPI, the following code's
    // stack is in permanent memory.
    //
    TemporaryRamSupportPpi->TemporaryRamMigration (
                              PeiServices,
                              TemporaryRamBase,
                              (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - TemporaryStackSize),
                              TemporaryRamSize
                              );

And this is also a case in which the stack got bigger. But it seems to me the shift is really defined by TemporaryRamBase, TopOfNewStack, and TemporaryStackSize in this case.

The failure I hit was that the OldCoreData->Fv pointer was shifted, so when the PPI was called the system crashed. Is this a bug in the gEfiTemporaryRamSupportPpiGuid path? If I changed the HeapOffset algorithm my crash went away?

    Private->HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) - TemporaryRamBase;

Thanks,

Andrew Fish

PS My failure case was the EmulatorPkg. I've not had a chance to verify this failure in the open source yet, but I'm guessing reversing this #if will make it happen.
https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L107

    #if 0
      // Tell the PEI Core to not use our buffer in temp RAM
      SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData->PeiTemporaryRamBase;
      SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData->PeiTemporaryRamBase + SecReseveredMemorySize);
      SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize;
    #else
      {
        //
        // When I subtract from SecCoreData->PeiTemporaryRamBase PEI Core crashes? Either there is a bug
        // or I don't understand temp RAM correctly?
        //
        EFI_PEI_PPI_DESCRIPTOR PpiArray[10];
        SecPpiList = &PpiArray[0];
        ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize);
      }
    #endif
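The migration the two messages argue about, worked through as an added example that is not part of this thread and not EDK II code: a small C model of temporary-RAM migration with constructed sizes (4 KiB of temporary RAM assumed to hold the stack in its lower half and the PEI heap in its upper half, a 0xC0 carve-out as in the Sec.c change above, and an 8 KiB buffer standing in for permanent memory). MigrateWhole and MigrateSeparately are hypothetical stand-ins for the two SecTemporaryRamSupport() styles Liming contrasts, not EmulatorPkg's or any other package's implementation. MigrationDelta() computes the heap shift exactly as the quoted Dispatcher.c lines do (or, when asked, with the formula Andrew tried), runs the migration, and reports how far the fixed-up pointer lands from where the heap record actually ended up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uintptr_t UINTN;

/* Constructed numbers, not EmulatorPkg's: 4 KiB temporary RAM, stack in the
 * lower half, PEI heap in the upper half; 8 KiB "permanent" buffer whose
 * TopOfNewStack sits at offset 0x1000. */
#define TEMP_RAM_SIZE   0x1000
#define TEMP_STACK_SIZE 0x800
#define SEC_RESERVED    0xC0    /* the carve-out size from the post */
#define PERM_RAM_SIZE   0x2000
#define NEW_STACK_TOP   0x1000
#define MARKER_OFFSET   0x40    /* where "PeiCore" puts the record its Fv pointer refers to */

static const char MARKER[] = "FV-RECORD";   /* stands in for what OldCoreData->Fv points at */
static uint8_t TempRam[TEMP_RAM_SIZE];
static uint8_t PermRam[PERM_RAM_SIZE];

typedef struct {
  UINTN TemporaryRamBase,    TemporaryRamSize;
  UINTN PeiTemporaryRamBase, PeiTemporaryRamSize;   /* heap range */
  UINTN StackBase,           StackSize;
} SEC_CORE_DATA;

/* Hypothetical stand-ins for SecTemporaryRamSupport(); same arguments as the
 * TemporaryRamMigration call quoted above, minus PeiServices. */
typedef void (*MIGRATE_FN)(const SEC_CORE_DATA *Sec, UINTN TempBase, UINTN PermBase, UINTN CopySize);

/* Style A: copy the whole temporary range as one block. Bytes SEC carved out
 * of the heap range travel along as if they were heap data. */
static void MigrateWhole(const SEC_CORE_DATA *Sec, UINTN TempBase, UINTN PermBase, UINTN CopySize) {
  (void)Sec;
  memcpy((void *)PermBase, (const void *)TempBase, CopySize);
}

/* Style B: copy the stack and heap ranges SEC advertised to PeiCore
 * separately: stack at PermBase, heap immediately above the new stack. */
static void MigrateSeparately(const SEC_CORE_DATA *Sec, UINTN TempBase, UINTN PermBase, UINTN CopySize) {
  (void)TempBase; (void)CopySize;
  memcpy((void *)PermBase, (const void *)Sec->StackBase, Sec->StackSize);
  memcpy((void *)(PermBase + Sec->StackSize), (const void *)Sec->PeiTemporaryRamBase, Sec->PeiTemporaryRamSize);
}

/* Same arithmetic as the HeapOffsetPositive/HeapOffset pair in Dispatcher.c:
 * shift Ptr by (To - From) using unsigned subtraction in either direction. */
static UINTN Relocate(UINTN Ptr, UINTN From, UINTN To) {
  return (To >= From) ? Ptr + (To - From) : Ptr - (From - To);
}

/* Builds SEC_CORE_DATA (optionally with the carve-out), lets "PeiCore" place a
 * record on its heap, migrates, then fixes the pointer up either the
 * Dispatcher.c way (shift = BaseOfNewHeap - PeiTemporaryRamBase) or the way
 * proposed in the post (shift = PermanentMemoryBase - TemporaryRamBase).
 * Returns (where the record really is) - (where the fixed-up pointer lands);
 * 0 means the pointer is still valid. */
long MigrationDelta(MIGRATE_FN Migrate, int CarveOut, int UseRawShift) {
  memset(TempRam, 0xAA, sizeof TempRam);   /* filler standing in for SEC's PPI descriptors */
  memset(PermRam, 0x00, sizeof PermRam);

  SEC_CORE_DATA Sec = {
    .TemporaryRamBase    = (UINTN)TempRam,                   .TemporaryRamSize    = TEMP_RAM_SIZE,
    .StackBase           = (UINTN)TempRam,                   .StackSize           = TEMP_STACK_SIZE,
    .PeiTemporaryRamBase = (UINTN)TempRam + TEMP_STACK_SIZE, .PeiTemporaryRamSize = TEMP_RAM_SIZE - TEMP_STACK_SIZE,
  };
  if (CarveOut) {   /* the adjustment from the Sec.c excerpt above */
    Sec.PeiTemporaryRamBase += SEC_RESERVED;
    Sec.PeiTemporaryRamSize -= SEC_RESERVED;
  }

  UINTN OldFv = Sec.PeiTemporaryRamBase + MARKER_OFFSET;   /* a PeiCore heap allocation */
  memcpy((void *)OldFv, MARKER, sizeof MARKER);

  UINTN TopOfNewStack       = (UINTN)PermRam + NEW_STACK_TOP;
  UINTN BaseOfNewHeap       = TopOfNewStack;                  /* Dispatcher.c: heap starts at stack top */
  UINTN PermanentMemoryBase = TopOfNewStack - Sec.StackSize;  /* the PPI's PermanentMemoryBase argument */

  Migrate(&Sec, Sec.TemporaryRamBase, PermanentMemoryBase, Sec.TemporaryRamSize);

  UINTN NewFv = UseRawShift
    ? Relocate(OldFv, Sec.TemporaryRamBase, PermanentMemoryBase)
    : Relocate(OldFv, Sec.PeiTemporaryRamBase, BaseOfNewHeap);

  /* Find the record in permanent RAM by content, independent of any offset maths. */
  for (UINTN i = 0; i + sizeof MARKER <= (UINTN)PERM_RAM_SIZE; i++) {
    if (memcmp(PermRam + i, MARKER, sizeof MARKER) == 0) {
      return (long)((UINTN)(PermRam + i) - NewFv);
    }
  }
  return (long)PERM_RAM_SIZE;   /* record was not migrated at all; cannot be a real delta */
}

int main(void) {
  printf("whole copy, no carve-out, Dispatcher.c offset: %ld\n", MigrationDelta(MigrateWhole, 0, 0));
  printf("whole copy, carve-out,    Dispatcher.c offset: %ld\n", MigrationDelta(MigrateWhole, 1, 0));
  printf("split copy, carve-out,    Dispatcher.c offset: %ld\n", MigrationDelta(MigrateSeparately, 1, 0));
  printf("whole copy, carve-out,    raw shift:           %ld\n", MigrationDelta(MigrateWhole, 1, 1));
  printf("split copy, carve-out,    raw shift:           %ld\n", MigrationDelta(MigrateSeparately, 1, 1));
  return 0;
}
```

With the whole-range copy and the carve-out, the Dispatcher.c fix-up lands 0xC0 bytes short of the record (the grabbed bytes were migrated as heap and pushed everything up), which is the off-by-0xC0 reported above; the split copy keeps the pointer exact. Andrew's alternative formula zeroes the delta only for the whole-range copy and leaves the split copy 0xC0 off in the other direction, which is why, as Liming says, the correction belongs in SEC's migration routine rather than in PeiCore's offset computation.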