* [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase? @ 2016-08-12 23:25 Andrew Fish 2016-08-13 1:46 ` Marvin H?user 2016-08-15 15:54 ` Gao, Liming 0 siblings, 2 replies; 6+ messages in thread From: Andrew Fish @ 2016-08-12 23:25 UTC (permalink / raw) To: edk2-devel I grabbed some memory between SEC and the PEI Core by adjusting SecCoreData-> PeiTemporaryRamBase and SecCoreData-> PeiTemporaryRamSize. When looking at the code I don't really understand the logic of the algorithm? So maybe I'm doing something wrong. This adjustment does not seem right to me? https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L768 // // Heap Offset // BaseOfNewHeap = TopOfNewStack; if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) { Private->HeapOffsetPositive = TRUE; Private->HeapOffset = (UINTN)(BaseOfNewHeap - (UINTN)SecCoreData->PeiTemporaryRamBase); } else { Private->HeapOffsetPositive = FALSE; Private->HeapOffset = (UINTN)((UINTN)SecCoreData->PeiTemporaryRamBase - BaseOfNewHeap); } The above code seems to be making a very strange adjustment. I noticed the adjustment in my failing case was off by 0xC0 which is the amount of memory I carved out prior to entering the PEI Core. https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L796 // // Temporary Ram Support PPI is provided by platform, it will copy // temporary memory to permenent memory and do stack switching. // After invoking Temporary Ram Support PPI, the following code's // stack is in permanent memory. // TemporaryRamSupportPpi->TemporaryRamMigration ( PeiServices, TemporaryRamBase, (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - TemporaryStackSize), TemporaryRamSize ); And this is also a case in which the stack got bigger. But it seems to me the shift if really defined by TemporaryRamBase, TopOfNewStack, and TemporaryStackSize in this case. The failure I hit was OldCoreData->Fv pointer was shifted so when the PPI was called the system crashed. Is this a bug in the gEfiTemporaryRamSupportPpiGuid path? If I changed the HeadOffset algorithm my crash went away? Private->HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) - TemporaryRamBase; Thanks, Andrew Fish PS My failure case was the EmulatorPkg. I've not had a chance to verify this failure in the open source yet, but I'm guessing reversing this #if will make it happen. https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L107 #if 0 // Tell the PEI Core to not use our buffer in temp RAM SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData->PeiTemporaryRamBase; SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData->PeiTemporaryRamBase + SecReseveredMemorySize); SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize; #else { // // When I subtrack from SecCoreData->PeiTemporaryRamBase PEI Core crashes? Either there is a bug // or I don't understand temp RAM correctly? // EFI_PEI_PPI_DESCRIPTOR PpiArray[10]; SecPpiList = &PpiArray[0]; ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize); } #endif ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase? 2016-08-12 23:25 [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase? Andrew Fish @ 2016-08-13 1:46 ` Marvin H?user 2016-08-14 2:24 ` Marvin H?user 2016-08-15 15:54 ` Gao, Liming 1 sibling, 1 reply; 6+ messages in thread From: Marvin H?user @ 2016-08-13 1:46 UTC (permalink / raw) To: edk2-devel@lists.01.org; +Cc: Andrew Fish Hello Andrew, Unfortunately I cannot test anything right now and I don't have a whole lot of knowledge in this area, though I might have a hint for you. While PpiList is equal to the original TempRam base, the TempRam based passed to PEI is equal to the original TempRam base + the size of the PpiList, hence PpiList is smaller than the base address passed to PEI. The PpiList is then installed via the PeiServicesInstallPpi () function: call: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c#L386 implementation: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L183 The list is then added to PpiData.PpiListPtrs. https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L229 I am not sure at which point of time you are experiencing the crash, but after permanent memory is available, ConvertPpiPointers () is called, which then calls ConverSinglePpiPointer () for old heap, old stack and old hole (I'm afraid I do not know what TempRam Hole is and if it is related). ConvertPpiPointers () call: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c#L237 Old Heap ConverSinglePpiPointer () call: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L127 The call for the old heap conversion passes the TempRam base, which has been incremented as we know, and thus the comparison to TempBottom will fail, as TempBottom is PeiTemporaryRamBase, which is larger than PpiList, which is one of the items in PpiListPtrs, which is the object of the conversion. comparison to TempBottom: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L60 As the pointer to the PpiList passed by SecCore is probably not converted as detailed above, I assume something post-mem attempts to access this former PpiList by the old temporary RAM address and that somehow causes trouble; I assume the SEC PpiList being part of the PEI memory is an assumption made by the person who wrote this code. I'm not sure about why it crashes, as I do not know the entire PEI control flow, though I hope this can help you in some way. Please excuse me if I have made a mistake in understanding the referenced code and wasted your time. Regards, Marvin. > -----Original Message----- > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of > Andrew Fish > Sent: Saturday, August 13, 2016 1:25 AM > To: edk2-devel <edk2-devel@lists.01.org> > Subject: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI > Core by grabbing memory from PeiTemporaryRamBase? > > I grabbed some memory between SEC and the PEI Core by adjusting > SecCoreData-> PeiTemporaryRamBase and SecCoreData-> > PeiTemporaryRamSize. > > When looking at the code I don't really understand the logic of the algorithm? > So maybe I'm doing something wrong. > > This adjustment does not seem right to me? > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/ > Dispatcher/Dispatcher.c#L768 > // > // Heap Offset > // > BaseOfNewHeap = TopOfNewStack; > if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) { > Private->HeapOffsetPositive = TRUE; > Private->HeapOffset = (UINTN)(BaseOfNewHeap - > (UINTN)SecCoreData->PeiTemporaryRamBase); > } else { > Private->HeapOffsetPositive = FALSE; > Private->HeapOffset = (UINTN)((UINTN)SecCoreData- > >PeiTemporaryRamBase - BaseOfNewHeap); > } > > > The above code seems to be making a very strange adjustment. I noticed the > adjustment in my failing case was off by 0xC0 which is the amount of > memory I carved out prior to entering the PEI Core. > > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/ > Dispatcher/Dispatcher.c#L796 > > // > // Temporary Ram Support PPI is provided by platform, it will copy > // temporary memory to permenent memory and do stack switching. > // After invoking Temporary Ram Support PPI, the following code's > // stack is in permanent memory. > // > TemporaryRamSupportPpi->TemporaryRamMigration ( > PeiServices, > TemporaryRamBase, > (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - > TemporaryStackSize), > TemporaryRamSize > ); > > > And this is also a case in which the stack got bigger. But it seems to me the > shift if really defined by TemporaryRamBase, TopOfNewStack, and > TemporaryStackSize in this case. > > The failure I hit was OldCoreData->Fv pointer was shifted so when the PPI > was called the system crashed. Is this a bug in the > gEfiTemporaryRamSupportPpiGuid path? > > If I changed the HeadOffset algorithm my crash went away? Private- > >HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) - > TemporaryRamBase; > > Thanks, > > Andrew Fish > > PS My failure case was the EmulatorPkg. I've not had a chance to verify this > failure in the open source yet, but I'm guessing reversing this #if will make it > happen. > > > https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L1 > 07 > > #if 0 > // Tell the PEI Core to not use our buffer in temp RAM > SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData- > >PeiTemporaryRamBase; > SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData- > >PeiTemporaryRamBase + SecReseveredMemorySize); > SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize; #else > { > // > // When I subtrack from SecCoreData->PeiTemporaryRamBase PEI Core > crashes? Either there is a bug > // or I don't understand temp RAM correctly? > // > EFI_PEI_PPI_DESCRIPTOR PpiArray[10]; > > SecPpiList = &PpiArray[0]; > ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize); > } > #endif > > > > > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase? 2016-08-13 1:46 ` Marvin H?user @ 2016-08-14 2:24 ` Marvin H?user 0 siblings, 0 replies; 6+ messages in thread From: Marvin H?user @ 2016-08-14 2:24 UTC (permalink / raw) To: edk2-devel@lists.01.org; +Cc: afish@apple.com Sorry. For some reason, I didn't get to read the paragraph about TemporaryRamSupportPpi and shomehow skipped to the PS. I suppose my hint is not related to the crash then, though I hope it was still helpful in some way, as it seems to assume that the PPI List is in the temporary heap nevertheless. Regards, Marvin. > -----Original Message----- > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of > Marvin H?user > Sent: Saturday, August 13, 2016 3:47 AM > To: edk2-devel@lists.01.org > Cc: Andrew Fish <afish@apple.com> > Subject: Re: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the > PEI Core by grabbing memory from PeiTemporaryRamBase? > > Hello Andrew, > > Unfortunately I cannot test anything right now and I don't have a whole lot of > knowledge in this area, though I might have a hint for you. > > While PpiList is equal to the original TempRam base, the TempRam based > passed to PEI is equal to the original TempRam base + the size of the PpiList, > hence PpiList is smaller than the base address passed to PEI. The PpiList is > then installed via the PeiServicesInstallPpi () function: > > call: > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/ > PeiMain/PeiMain.c#L386 > implementation: > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/ > Ppi/Ppi.c#L183 > > The list is then added to PpiData.PpiListPtrs. > > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/ > Ppi/Ppi.c#L229 > > I am not sure at which point of time you are experiencing the crash, but after > permanent memory is available, ConvertPpiPointers () is called, which then > calls ConverSinglePpiPointer () for old heap, old stack and old hole (I'm afraid > I do not know what TempRam Hole is and if it is related). > > ConvertPpiPointers () call: > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/ > PeiMain/PeiMain.c#L237 > Old Heap ConverSinglePpiPointer () call: > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/ > Ppi/Ppi.c#L127 > > The call for the old heap conversion passes the TempRam base, which has > been incremented as we know, and thus the comparison to TempBottom will > fail, as TempBottom is PeiTemporaryRamBase, which is larger than PpiList, > which is one of the items in PpiListPtrs, which is the object of the conversion. > > comparison to TempBottom: > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/ > Ppi/Ppi.c#L60 > > As the pointer to the PpiList passed by SecCore is probably not converted as > detailed above, I assume something post-mem attempts to access this > former PpiList by the old temporary RAM address and that somehow causes > trouble; I assume the SEC PpiList being part of the PEI memory is an > assumption made by the person who wrote this code. I'm not sure about > why it crashes, as I do not know the entire PEI control flow, though I hope > this can help you in some way. > > Please excuse me if I have made a mistake in understanding the referenced > code and wasted your time. > > Regards, > Marvin. > > > > -----Original Message----- > > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of > > Andrew Fish > > Sent: Saturday, August 13, 2016 1:25 AM > > To: edk2-devel <edk2-devel@lists.01.org> > > Subject: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the > > PEI Core by grabbing memory from PeiTemporaryRamBase? > > > > I grabbed some memory between SEC and the PEI Core by adjusting > > SecCoreData-> PeiTemporaryRamBase and SecCoreData-> > > PeiTemporaryRamSize. > > > > When looking at the code I don't really understand the logic of the > algorithm? > > So maybe I'm doing something wrong. > > > > This adjustment does not seem right to me? > > > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/ > > Dispatcher/Dispatcher.c#L768 > > // > > // Heap Offset > > // > > BaseOfNewHeap = TopOfNewStack; > > if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) { > > Private->HeapOffsetPositive = TRUE; > > Private->HeapOffset = (UINTN)(BaseOfNewHeap - > > (UINTN)SecCoreData->PeiTemporaryRamBase); > > } else { > > Private->HeapOffsetPositive = FALSE; > > Private->HeapOffset = (UINTN)((UINTN)SecCoreData- > > >PeiTemporaryRamBase - BaseOfNewHeap); > > } > > > > > > The above code seems to be making a very strange adjustment. I noticed > > the adjustment in my failing case was off by 0xC0 which is the amount > > of memory I carved out prior to entering the PEI Core. > > > > > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/ > > Dispatcher/Dispatcher.c#L796 > > > > // > > // Temporary Ram Support PPI is provided by platform, it will copy > > // temporary memory to permenent memory and do stack switching. > > // After invoking Temporary Ram Support PPI, the following code's > > // stack is in permanent memory. > > // > > TemporaryRamSupportPpi->TemporaryRamMigration ( > > PeiServices, > > TemporaryRamBase, > > > > (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - TemporaryStackSize), > > TemporaryRamSize > > ); > > > > > > And this is also a case in which the stack got bigger. But it seems to > > me the shift if really defined by TemporaryRamBase, TopOfNewStack, and > > TemporaryStackSize in this case. > > > > The failure I hit was OldCoreData->Fv pointer was shifted so when the > > PPI was called the system crashed. Is this a bug in the > > gEfiTemporaryRamSupportPpiGuid path? > > > > If I changed the HeadOffset algorithm my crash went away? Private- > > >HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) - > > TemporaryRamBase; > > > > Thanks, > > > > Andrew Fish > > > > PS My failure case was the EmulatorPkg. I've not had a chance to > > verify this failure in the open source yet, but I'm guessing reversing > > this #if will make it happen. > > > > > > > https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L1 > > 07 > > > > #if 0 > > // Tell the PEI Core to not use our buffer in temp RAM > > SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData- > > >PeiTemporaryRamBase; > > SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData- > > >PeiTemporaryRamBase + SecReseveredMemorySize); > > SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize; #else > > { > > // > > // When I subtrack from SecCoreData->PeiTemporaryRamBase PEI Core > > crashes? Either there is a bug > > // or I don't understand temp RAM correctly? > > // > > EFI_PEI_PPI_DESCRIPTOR PpiArray[10]; > > > > SecPpiList = &PpiArray[0]; > > ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize); > > } > > #endif > > > > > > > > > > _______________________________________________ > > edk2-devel mailing list > > edk2-devel@lists.01.org > > https://lists.01.org/mailman/listinfo/edk2-devel > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase? 2016-08-12 23:25 [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase? Andrew Fish 2016-08-13 1:46 ` Marvin H?user @ 2016-08-15 15:54 ` Gao, Liming 2016-08-15 16:11 ` Andrew Fish 1 sibling, 1 reply; 6+ messages in thread From: Gao, Liming @ 2016-08-15 15:54 UTC (permalink / raw) To: Andrew Fish, edk2-devel Andrew: In permanent memory, PeiCore places heap base as stack top. Heap is above stack. There is no hole between them. SEC needs to follow this layout and migrate the temporary memory to permanent memory. It should copy TemporaryRam HEAP and STACK range separately. HEAP range is specified by PeiTemporaryRamBase and PeiTemporaryRamSize, and STACK range is specified by StackBase and StackSize. The grabbed memory is not migrated, because PeiCore doesn't know it. But, EmulatorPkg Sec SecTemporaryRamSupport() migrates the whole temporary memory together. The grabbed memory is also migrated and wrongly regarded as heap data. So, the fix is to update SecTemporaryRamSupport() implementation in SEC. Thanks Liming -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Andrew Fish Sent: Saturday, August 13, 2016 7:25 AM To: edk2-devel <edk2-devel@lists.01.org> Subject: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase? I grabbed some memory between SEC and the PEI Core by adjusting SecCoreData-> PeiTemporaryRamBase and SecCoreData-> PeiTemporaryRamSize. When looking at the code I don't really understand the logic of the algorithm? So maybe I'm doing something wrong. This adjustment does not seem right to me? https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L768 // // Heap Offset // BaseOfNewHeap = TopOfNewStack; if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) { Private->HeapOffsetPositive = TRUE; Private->HeapOffset = (UINTN)(BaseOfNewHeap - (UINTN)SecCoreData->PeiTemporaryRamBase); } else { Private->HeapOffsetPositive = FALSE; Private->HeapOffset = (UINTN)((UINTN)SecCoreData->PeiTemporaryRamBase - BaseOfNewHeap); } The above code seems to be making a very strange adjustment. I noticed the adjustment in my failing case was off by 0xC0 which is the amount of memory I carved out prior to entering the PEI Core. https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L796 // // Temporary Ram Support PPI is provided by platform, it will copy // temporary memory to permenent memory and do stack switching. // After invoking Temporary Ram Support PPI, the following code's // stack is in permanent memory. // TemporaryRamSupportPpi->TemporaryRamMigration ( PeiServices, TemporaryRamBase, (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - TemporaryStackSize), TemporaryRamSize ); And this is also a case in which the stack got bigger. But it seems to me the shift if really defined by TemporaryRamBase, TopOfNewStack, and TemporaryStackSize in this case. The failure I hit was OldCoreData->Fv pointer was shifted so when the PPI was called the system crashed. Is this a bug in the gEfiTemporaryRamSupportPpiGuid path? If I changed the HeadOffset algorithm my crash went away? Private->HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) - TemporaryRamBase; Thanks, Andrew Fish PS My failure case was the EmulatorPkg. I've not had a chance to verify this failure in the open source yet, but I'm guessing reversing this #if will make it happen. https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L107 #if 0 // Tell the PEI Core to not use our buffer in temp RAM SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData->PeiTemporaryRamBase; SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData->PeiTemporaryRamBase + SecReseveredMemorySize); SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize; #else { // // When I subtrack from SecCoreData->PeiTemporaryRamBase PEI Core crashes? Either there is a bug // or I don't understand temp RAM correctly? // EFI_PEI_PPI_DESCRIPTOR PpiArray[10]; SecPpiList = &PpiArray[0]; ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize); } #endif _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase? 2016-08-15 15:54 ` Gao, Liming @ 2016-08-15 16:11 ` Andrew Fish 2016-08-16 16:49 ` Gao, Liming 0 siblings, 1 reply; 6+ messages in thread From: Andrew Fish @ 2016-08-15 16:11 UTC (permalink / raw) To: Gao, Liming; +Cc: edk2-devel > On Aug 15, 2016, at 8:54 AM, Gao, Liming <liming.gao@intel.com> wrote: > > Andrew: > In permanent memory, PeiCore places heap base as stack top. Heap is above stack. There is no hole between them. SEC needs to follow this layout and migrate the temporary memory to permanent memory. It should copy TemporaryRam HEAP and STACK range separately. HEAP range is specified by PeiTemporaryRamBase and PeiTemporaryRamSize, and STACK range is specified by StackBase and StackSize. The grabbed memory is not migrated, because PeiCore doesn't know it. But, EmulatorPkg Sec SecTemporaryRamSupport() migrates the whole temporary memory together. The grabbed memory is also migrated and wrongly regarded as heap data. So, the fix is to update SecTemporaryRamSupport() implementation in SEC. > Limiing, I don't see any info in the PPI definition or the PI spec that defines the heap and stack are copied separately? The PPI just passes the entire ranges? That is why I assumes in the PPI case the offsets should be relative to the big shift? /** This service of the EFI_PEI_TEMPORARY_RAM_SUPPORT_PPI that migrates temporary RAM into permanent memory. @param PeiServices Pointer to the PEI Services Table. @param TemporaryMemoryBase Source Address in temporary memory from which the SEC or PEIM will copy the Temporary RAM contents. @param PermanentMemoryBase Destination Address in permanent memory into which the SEC or PEIM will copy the Temporary RAM contents. @param CopySize Amount of memory to migrate from temporary to permanent memory. @retval EFI_SUCCESS The data was successfully returned. @retval EFI_INVALID_PARAMETER PermanentMemoryBase + CopySize > TemporaryMemoryBase when TemporaryMemoryBase > PermanentMemoryBase. **/ typedef EFI_STATUS (EFIAPI * TEMPORARY_RAM_MIGRATION)( IN CONST EFI_PEI_SERVICES **PeiServices, IN EFI_PHYSICAL_ADDRESS TemporaryMemoryBase, IN EFI_PHYSICAL_ADDRESS PermanentMemoryBase, IN UINTN CopySize ); Thanks, Andrew Fish > Thanks > Liming > -----Original Message----- > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Andrew Fish > Sent: Saturday, August 13, 2016 7:25 AM > To: edk2-devel <edk2-devel@lists.01.org> > Subject: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase? > > I grabbed some memory between SEC and the PEI Core by adjusting SecCoreData-> PeiTemporaryRamBase and SecCoreData-> PeiTemporaryRamSize. > > When looking at the code I don't really understand the logic of the algorithm? So maybe I'm doing something wrong. > > This adjustment does not seem right to me? > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L768 > // > // Heap Offset > // > BaseOfNewHeap = TopOfNewStack; > if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) { > Private->HeapOffsetPositive = TRUE; > Private->HeapOffset = (UINTN)(BaseOfNewHeap - (UINTN)SecCoreData->PeiTemporaryRamBase); > } else { > Private->HeapOffsetPositive = FALSE; > Private->HeapOffset = (UINTN)((UINTN)SecCoreData->PeiTemporaryRamBase - BaseOfNewHeap); > } > > > The above code seems to be making a very strange adjustment. I noticed the adjustment in my failing case was off by 0xC0 which is the amount of memory I carved out prior to entering the PEI Core. > > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L796 > > // > // Temporary Ram Support PPI is provided by platform, it will copy > // temporary memory to permenent memory and do stack switching. > // After invoking Temporary Ram Support PPI, the following code's > // stack is in permanent memory. > // > TemporaryRamSupportPpi->TemporaryRamMigration ( > PeiServices, > TemporaryRamBase, > (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - TemporaryStackSize), > TemporaryRamSize > ); > > > And this is also a case in which the stack got bigger. But it seems to me the shift if really defined by TemporaryRamBase, TopOfNewStack, and TemporaryStackSize in this case. > > The failure I hit was OldCoreData->Fv pointer was shifted so when the PPI was called the system crashed. Is this a bug in the gEfiTemporaryRamSupportPpiGuid path? > > If I changed the HeadOffset algorithm my crash went away? Private->HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) - TemporaryRamBase; > > Thanks, > > Andrew Fish > > PS My failure case was the EmulatorPkg. I've not had a chance to verify this failure in the open source yet, but I'm guessing reversing this #if will make it happen. > > > https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L107 > > #if 0 > // Tell the PEI Core to not use our buffer in temp RAM > SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData->PeiTemporaryRamBase; > SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData->PeiTemporaryRamBase + SecReseveredMemorySize); > SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize; > #else > { > // > // When I subtrack from SecCoreData->PeiTemporaryRamBase PEI Core crashes? Either there is a bug > // or I don't understand temp RAM correctly? > // > EFI_PEI_PPI_DESCRIPTOR PpiArray[10]; > > SecPpiList = &PpiArray[0]; > ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize); > } > #endif > > > > > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase? 2016-08-15 16:11 ` Andrew Fish @ 2016-08-16 16:49 ` Gao, Liming 0 siblings, 0 replies; 6+ messages in thread From: Gao, Liming @ 2016-08-16 16:49 UTC (permalink / raw) To: Andrew Fish; +Cc: edk2-devel Andrew: PI spec has not defined such information. But, PPI implementation and PeiCore needs to align new heap and stack layout. The full PPI should include new heap base and new stack base. Current PPI has only one Base. Then, PPI implementation needs mach PeiCore implementation. Thanks Liming From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Andrew Fish Sent: Tuesday, August 16, 2016 12:12 AM To: Gao, Liming <liming.gao@intel.com> Cc: edk2-devel <edk2-devel@lists.01.org> Subject: Re: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase? > On Aug 15, 2016, at 8:54 AM, Gao, Liming wrote: > > Andrew: > In permanent memory, PeiCore places heap base as stack top. Heap is above stack. There is no hole between them. SEC needs to follow this layout and migrate the temporary memory to permanent memory. It should copy TemporaryRam HEAP and STACK range separately. HEAP range is specified by PeiTemporaryRamBase and PeiTemporaryRamSize, and STACK range is specified by StackBase and StackSize. The grabbed memory is not migrated, because PeiCore doesn't know it. But, EmulatorPkg Sec SecTemporaryRamSupport() migrates the whole temporary memory together. The grabbed memory is also migrated and wrongly regarded as heap data. So, the fix is to update SecTemporaryRamSupport() implementation in SEC. > Limiing, I don't see any info in the PPI definition or the PI spec that defines the heap and stack are copied separately? The PPI just passes the entire ranges? That is why I assumes in the PPI case the offsets should be relative to the big shift? /** This service of the EFI_PEI_TEMPORARY_RAM_SUPPORT_PPI that migrates temporary RAM into permanent memory. @param PeiServices Pointer to the PEI Services Table. @param TemporaryMemoryBase Source Address in temporary memory from which the SEC or PEIM will copy the Temporary RAM contents. @param PermanentMemoryBase Destination Address in permanent memory into which the SEC or PEIM will copy the Temporary RAM contents. @param CopySize Amount of memory to migrate from temporary to permanent memory. @retval EFI_SUCCESS The data was successfully returned. @retval EFI_INVALID_PARAMETER PermanentMemoryBase + CopySize > TemporaryMemoryBase when TemporaryMemoryBase > PermanentMemoryBase. **/ typedef EFI_STATUS (EFIAPI * TEMPORARY_RAM_MIGRATION)( IN CONST EFI_PEI_SERVICES **PeiServices, IN EFI_PHYSICAL_ADDRESS TemporaryMemoryBase, IN EFI_PHYSICAL_ADDRESS PermanentMemoryBase, IN UINTN CopySize ); Thanks, Andrew Fish > Thanks > Liming > -----Original Message----- > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Andrew Fish > Sent: Saturday, August 13, 2016 7:25 AM > To: edk2-devel > Subject: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase? > > I grabbed some memory between SEC and the PEI Core by adjusting SecCoreData-> PeiTemporaryRamBase and SecCoreData-> PeiTemporaryRamSize. > > When looking at the code I don't really understand the logic of the algorithm? So maybe I'm doing something wrong. > > This adjustment does not seem right to me? > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L768 > // > // Heap Offset > // > BaseOfNewHeap = TopOfNewStack; > if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) { > Private->HeapOffsetPositive = TRUE; > Private->HeapOffset = (UINTN)(BaseOfNewHeap - (UINTN)SecCoreData->PeiTemporaryRamBase); > } else { > Private->HeapOffsetPositive = FALSE; > Private->HeapOffset = (UINTN)((UINTN)SecCoreData->PeiTemporaryRamBase - BaseOfNewHeap); > } > > > The above code seems to be making a very strange adjustment. I noticed the adjustment in my failing case was off by 0xC0 which is the amount of memory I carved out prior to entering the PEI Core. > > https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L796 > > // > // Temporary Ram Support PPI is provided by platform, it will copy > // temporary memory to permenent memory and do stack switching. > // After invoking Temporary Ram Support PPI, the following code's > // stack is in permanent memory. > // > TemporaryRamSupportPpi->TemporaryRamMigration ( > PeiServices, > TemporaryRamBase, > (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - TemporaryStackSize), > TemporaryRamSize > ); > > > And this is also a case in which the stack got bigger. But it seems to me the shift if really defined by TemporaryRamBase, TopOfNewStack, and TemporaryStackSize in this case. > > The failure I hit was OldCoreData->Fv pointer was shifted so when the PPI was called the system crashed. Is this a bug in the gEfiTemporaryRamSupportPpiGuid path? > > If I changed the HeadOffset algorithm my crash went away? Private->HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) - TemporaryRamBase; > > Thanks, > > Andrew Fish > > PS My failure case was the EmulatorPkg. I've not had a chance to verify this failure in the open source yet, but I'm guessing reversing this #if will make it happen. > > > https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L107 > > #if 0 > // Tell the PEI Core to not use our buffer in temp RAM > SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData->PeiTemporaryRamBase; > SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData->PeiTemporaryRamBase + SecReseveredMemorySize); > SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize; > #else > { > // > // When I subtrack from SecCoreData->PeiTemporaryRamBase PEI Core crashes? Either there is a bug > // or I don't understand temp RAM correctly? > // > EFI_PEI_PPI_DESCRIPTOR PpiArray[10]; > > SecPpiList = &PpiArray[0]; > ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize); > } > #endif > > > > > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org> > https://lists.01.org/mailman/listinfo/edk2-devel > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org> > https://lists.01.org/mailman/listinfo/edk2-devel _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org> https://lists.01.org/mailman/listinfo/edk2-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2016-08-16 16:49 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-08-12 23:25 [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase? Andrew Fish 2016-08-13 1:46 ` Marvin H?user 2016-08-14 2:24 ` Marvin H?user 2016-08-15 15:54 ` Gao, Liming 2016-08-15 16:11 ` Andrew Fish 2016-08-16 16:49 ` Gao, Liming
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox