From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+117843+7686176+12367111@groups.io>
Received: from mail04.groups.io (mail04.groups.io [45.79.224.9])
	by spool.mail.gandi.net (Postfix) with ESMTPS id 008A9740032
	for <rebecca@openfw.io>; Tue, 16 Apr 2024 03:52:50 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=mv7Xsibu4zPPui25VdCaLahr/3aMIMOH+DT14dfECz0=;
 c=relaxed/simple; d=groups.io;
 h=From:To:CC:Subject:Thread-Topic:Thread-Index:Date:Message-ID:References:In-Reply-To:Accept-Language:msip_labels:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Resent-From:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Language:Content-Type;
 s=20240206; t=1713239569; v=1;
 b=Z16yIuW3AL5CH6/jyqpvW4IZTQPvnrDnx7h0QvJ2WcHH6iv2zUkHV96T0cbWvq1dmbMlegsv
 bg74i15LY77/I78VOsZxF/N2njqb/BSYpUAmsrAZnb3T42dsrvRx9KeBN7Ol4rCUA5ivLSdYJ5c
 mleSKXfjFsSUnctoW4kC4JJlfBcaC+c9l0D7HC3OUYXF0SARIjYGvCvY0sblQeITtuDIuc/6CGT
 RPGQLBJ+4y2eEZFLRFPG71q513RvDZQJu/tWZtGXG+zKA+VLe78RTBJdcmCcA6ytiQfIChxj+VQ
 yMQiD8+jl401ufxL+89mUam4NsdzVbQf3RW0FZGG6v3Xg==
X-Received: by 127.0.0.2 with SMTP id MT9lYY7687511xA3vBb6UoO9; Mon, 15 Apr 2024 20:52:49 -0700
X-Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.12])
 by mx.groups.io with SMTP id smtpd.web10.12028.1713239563832599145
 for <devel@edk2.groups.io>;
 Mon, 15 Apr 2024 20:52:44 -0700
X-CSE-ConnectionGUID: 4IapurdlQJWazK+IQxEqQg==
X-CSE-MsgGUID: V1gKrYpESuOlYqPdEXQf1g==
X-IronPort-AV: E=McAfee;i="6600,9927,11045"; a="20078277"
X-IronPort-AV: E=Sophos;i="6.07,204,1708416000"; 
   d="scan'208,217";a="20078277"
X-Received: from fmviesa006.fm.intel.com ([10.60.135.146])
  by orvoesa104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Apr 2024 20:52:43 -0700
X-CSE-ConnectionGUID: IbC21vAlS3y/X6ATXz8/Lg==
X-CSE-MsgGUID: XacEtsekQJWd82clJU4TbA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.07,204,1708416000"; 
   d="scan'208,217";a="22197918"
X-Received: from orsmsx603.amr.corp.intel.com ([10.22.229.16])
  by fmviesa006.fm.intel.com with ESMTP/TLS/AES256-GCM-SHA384; 15 Apr 2024 20:52:43 -0700
X-Received: from orsmsx610.amr.corp.intel.com (10.22.229.23) by
 ORSMSX603.amr.corp.intel.com (10.22.229.16) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.35; Mon, 15 Apr 2024 20:52:41 -0700
X-Received: from orsedg603.ED.cps.intel.com (10.7.248.4) by
 orsmsx610.amr.corp.intel.com (10.22.229.23) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.35 via Frontend Transport; Mon, 15 Apr 2024 20:52:41 -0700
X-Received: from NAM12-DM6-obe.outbound.protection.outlook.com (104.47.59.169)
 by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.1.2507.35; Mon, 15 Apr 2024 20:52:41 -0700
X-Received: from MN6PR11MB8244.namprd11.prod.outlook.com (2603:10b6:208:470::14)
 by MN2PR11MB4712.namprd11.prod.outlook.com (2603:10b6:208:264::15) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7472.30; Tue, 16 Apr
 2024 03:52:39 +0000
X-Received: from MN6PR11MB8244.namprd11.prod.outlook.com
 ([fe80::8774:81a7:c5b7:5c2c]) by MN6PR11MB8244.namprd11.prod.outlook.com
 ([fe80::8774:81a7:c5b7:5c2c%7]) with mapi id 15.20.7452.049; Tue, 16 Apr 2024
 03:52:39 +0000
From: "Ni, Ray" <ray.ni@intel.com>
To: "Liu, Zhiguang" <zhiguang.liu@intel.com>, "devel@edk2.groups.io"
	<devel@edk2.groups.io>
CC: Liming Gao <gaoliming@byosoft.com.cn>, "Wu, Jiaxin" <jiaxin.wu@intel.com>,
	Laszlo Ersek <lersek@redhat.com>, Ard Biesheuvel <ardb+tianocore@kernel.org>,
	Sami Mujawar <sami.mujawar@arm.com>
Subject: Re: [edk2-devel] [PATCH v4 6/6] StandaloneMmPkg: Support to unregister MMI handler in MMI handlers
Thread-Topic: [PATCH v4 6/6] StandaloneMmPkg: Support to unregister MMI
 handler in MMI handlers
Thread-Index: AQHaj6ebtxDmKha+rkiiZJVfD50C57FqQ6OH
Date: Tue, 16 Apr 2024 03:52:39 +0000
Message-ID: <MN6PR11MB8244477F43A77A889C9A597A8C082@MN6PR11MB8244.namprd11.prod.outlook.com>
References: <20240416024108.1358-1-zhiguang.liu@intel.com>
 <20240416024108.1358-7-zhiguang.liu@intel.com>
In-Reply-To: <20240416024108.1358-7-zhiguang.liu@intel.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: 
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: MN6PR11MB8244:EE_|MN2PR11MB4712:EE_
x-ms-office365-filtering-correlation-id: 3882f10b-9d1b-442e-654e-08dc5dc8a98a
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam-message-info: 1LZiVAsOYsC78P2gGSSoBE2mCiILc0VtiZGXZUP0USj85OpATKbVNRapVrqhZjoqum/+piCToNggzgJmsi9mXxbCGdsI9prfyL0btjkKaPCpQcT04l7Uo0pHSNGbRa3neHeNbtXrr90ye50EsNgQyUybB9T+5maF3SW/iwmLMsAjNQO03KnI7JDyJxFLsyJMbj3pKUqCzC7KeQiF28/O6IsNIDVx2t08zDE+VNCNtsbWLjiCOoW9fi3ZPBWAZg5+5c4IInfgsxI+qQpUVsaCUQBOphB7cBOoMHgBDf8z60Q8aLYmUcEgZCJzjEphqzEKXReY48eN/7ubC5YMiKWtXARXhVXmqFLRRT7gu850sBVu+HdC/ijKVZpJbzk7xi+tl/7GWQ8evD+IslCtiOAUabwf1S0NMkER8uwG7A3RFEYzfKgDcBeL21HEDh+wQNIlofByRG/0JbXFoX1KjF2dp9aagdEcqAIMIjN60FvTVQ6bRopUKb62iGZhXmhFcrSu2JMFSxfL17COYHkNgd9fI4Be0Qm+CfWtyC2fjKgfMm6Oo5dNyKQwnkxp9BBshzVf0R0+kGnJIMljKA0z9jFuYDsNkZnOn3dYxtHItPEMyhgJ/7/CHSWQIpC9d51X5zbWl27K/He5NQM3GQrVESM7W+Sdn0mEjBeiMtkguxc+vuPY+JrDCQva7YrMxoFfn1YqwH/s68hhWrO1I2RYNjln29Ut9VlWRV+875lb9kvtMdk=
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?0m7nuzmnGFHAxy5Rr3aid3sJKnChdpY7tpjAffTtCy6Ju5He9xNfVbpLDpy8?=
 =?us-ascii?Q?JPXdcgUizt7Ngi8+ibmWwtti5CjXzeCSKLv7VzWvu1d4dUJs05gkahjAgyEk?=
 =?us-ascii?Q?K3vzsl146KDWmKTcLXrVeCCiL3ZR7/a1/cyFW+hc6m7F7vEqGv+fiBCxpKHc?=
 =?us-ascii?Q?zCsVu6lU2ia2GDp422fGqJz7OQojyiaAky938PdEOcavSCwmDU4lbmLHwSiN?=
 =?us-ascii?Q?UaV11EdoipSTMyQjieDVD7MMjPYJ3uy4wEl9l6KBeeqBtVWXhMiruVaK+vbC?=
 =?us-ascii?Q?RoFXvQWNeTmz/tyvf6B0lYWe0BcjVNNLrwhpfsWP2bm8i+EI6FEiPP7lgDuE?=
 =?us-ascii?Q?jikdwp9huLztnCk/nnRdd5/h5GNcv8RXr8D9wj/GQOh29/6yLesUZ9iwuz3f?=
 =?us-ascii?Q?OLMjYLWiS5TOZcdLIK3MNA0w4vYTo491iOKjYXB3f9Qe/da2cX235Y0wPoNZ?=
 =?us-ascii?Q?/D6x/ZXsvV0Xd8d0nfc86NLHB5xbS5HAjOarZtTaWhjbRpHFXzP0kTfDMu1u?=
 =?us-ascii?Q?Tql6Nzi3GgzzPyTuFR8YWMKS+d6kAEAR0TA3WLMfj8Wfhwfa0wHxGmGXcEPY?=
 =?us-ascii?Q?/ejjZ+bI2Cvt8xphnDMAXx2Vk4kjGKoc1+Q2RIWtJ7L1Jfy8nqXLxgGlROpk?=
 =?us-ascii?Q?/bsoQVAHc+lqZdeAiXnNxraeyUkRoksZCNEnHJYzWDqY65xhYzpwY7domcYc?=
 =?us-ascii?Q?WITXjfEoUbqnrETtrgA2ucIg5R2/ilsgL5ZqaqA+p8A8iKXPWBnhnYzcAvXo?=
 =?us-ascii?Q?fFi3jYrSjWGiT3jNrUXf4xi/DMjlFsjclLHtYHLbl90JFWpHsHN/t9JkAeUH?=
 =?us-ascii?Q?ufcBLdW7LhaW04sYOhdh16lRoaFDf6w4I4DCNv74+SE3Eitw5Cn0amxrIy0D?=
 =?us-ascii?Q?+J917Qw1m+wz38TzPWTiHHVNH+uaZZ3cr+1kIy8p3YVKxqKYvmScvSpcxyYv?=
 =?us-ascii?Q?G+bFJR8t0nd/kegpOGi/f2AIRcWSKVTMSQ40xmANSLRF1PP1Mmk4jCrUvHz/?=
 =?us-ascii?Q?oM4nNRQpeiNtEi3sLVkOz6FK/fyKDdn7VOpYxJ6EPjmWmwHofMlboygnKUOd?=
 =?us-ascii?Q?8ya/L66/Be+tGc+5F7FD8FZqRFyUJDenn7DZiUD6UWlXMlVsJrGhcnl4HB3y?=
 =?us-ascii?Q?EQ9AwCfuZR3GuNHiLxjsx+Yv1kCe4yulUxnOTk+hkzRExohblgtN/NCC/1K+?=
 =?us-ascii?Q?9mLqBvfU4WJQj2KeZbguekGmeYvA18Wuun4W90+z1wxH/8afJugWiYAqmHau?=
 =?us-ascii?Q?ZYaufluatQkAep2rKXCqWGxOSDfwYXA4kfS/UPZiMxOZv5kNXz2o+e483MEh?=
 =?us-ascii?Q?/t8DJhSB4XuxGTXorVGd1hze3/mSGf4xbDohXKB3/kbHunOIQoPaclcpBydP?=
 =?us-ascii?Q?NC5LnOqsmzLOnahMX6L5vxouvn3gTI4kDCz9wSlglV3ItLJBo1UEujVyuBYA?=
 =?us-ascii?Q?8YyENYq4VhcIdqSyETfqlhq02oehxm3Kc/UM8QlD2kp64OjDlozdsoOs4qBz?=
 =?us-ascii?Q?qsRt1WhDPzLkBqG7XlHe9I5mebmVlKnMsIMK4CeDVNbHhPoxBpC5zowHpcWe?=
 =?us-ascii?Q?I0x/xJclBOo7h3lSRTc=3D?=
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN6PR11MB8244.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3882f10b-9d1b-442e-654e-08dc5dc8a98a
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Apr 2024 03:52:39.8871
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: HSroE5x/LG3YOBa5xkvUxZPWlfmfh0xJ3OW5sxuqxjwv0bRhIGwOHYKqkH7EKq45RRNm6lajB/+lrQv3RA2XBQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4712
X-OriginatorOrg: intel.com
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Resent-Date: Mon, 15 Apr 2024 20:52:44 -0700
Resent-From: ray.ni@intel.com
Reply-To: devel@edk2.groups.io,ray.ni@intel.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: 3RxDsRuS4mQalwEFDITvithux7686176AA=
Content-Language: en-US
Content-Type: multipart/alternative;
	boundary="_000_MN6PR11MB8244477F43A77A889C9A597A8C082MN6PR11MB8244namp_"
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20240206 header.b=Z16yIuW3;
	dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none);
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 45.79.224.9 as permitted sender) smtp.mailfrom=bounce@groups.io

--_000_MN6PR11MB8244477F43A77A889C9A597A8C082MN6PR11MB8244namp_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Ray Ni <ray.ni@intel.com>

Thanks,
Ray
________________________________
From: Liu, Zhiguang <zhiguang.liu@intel.com>
Sent: Tuesday, April 16, 2024 10:41
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Liu, Zhiguang <zhiguang.liu@intel.com>; Liming Gao <gaoliming@byosoft.c=
om.cn>; Wu, Jiaxin <jiaxin.wu@intel.com>; Ni, Ray <ray.ni@intel.com>; Laszl=
o Ersek <lersek@redhat.com>; Ard Biesheuvel <ardb+tianocore@kernel.org>; Sa=
mi Mujawar <sami.mujawar@arm.com>
Subject: [PATCH v4 6/6] StandaloneMmPkg: Support to unregister MMI handler =
in MMI handlers

This patch fix a use-after-free issue where unregistering an
MMI handler could lead to the deletion of the MMI_HANDLER while it is
still in use by MmiManage(). The fix involves modifying
MmiHandlerUnRegister() to detect whether it is being called from
within the MmiManage() stack. If so, the removal of the MMI_HANDLER
is deferred until MmiManage() has finished executing.
Additionally, due to the possibility of recursive MmiManage() calls,
the unregistration and subsequent removal of the MMI_HANDLER are
ensured to occur only after the outermost MmiManage() invocation has
completed.

Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Zhiguang Liu <zhiguang.liu@intel.com>
---
 StandaloneMmPkg/Core/Mmi.c | 161 +++++++++++++++++++++++++++++++------
 1 file changed, 136 insertions(+), 25 deletions(-)

diff --git a/StandaloneMmPkg/Core/Mmi.c b/StandaloneMmPkg/Core/Mmi.c
index 0de6fd17fc..e035245c87 100644
--- a/StandaloneMmPkg/Core/Mmi.c
+++ b/StandaloneMmPkg/Core/Mmi.c
@@ -34,11 +34,51 @@ typedef struct {
   LIST_ENTRY                    Link;        // Link on MMI_ENTRY.MmiHandl=
ers
   EFI_MM_HANDLER_ENTRY_POINT    Handler;     // The mm handler's entry poi=
nt
   MMI_ENTRY                     *MmiEntry;
+  BOOLEAN                       ToRemove;    // To remove this MMI_HANDLER=
 later
 } MMI_HANDLER;

+//
+// mMmiManageCallingDepth is used to track the depth of recursive calls of=
 MmiManage.
+//
+UINTN  mMmiManageCallingDepth =3D 0;
+
 LIST_ENTRY  mRootMmiHandlerList =3D INITIALIZE_LIST_HEAD_VARIABLE (mRootMm=
iHandlerList);
 LIST_ENTRY  mMmiEntryList       =3D INITIALIZE_LIST_HEAD_VARIABLE (mMmiEnt=
ryList);

+/**
+  Remove MmiHandler and free the memory it used.
+  If MmiEntry is empty, remove MmiEntry and free the memory it used.
+
+  @param  MmiHandler  Points to MMI handler.
+  @param  MmiEntry    Points to MMI Entry or NULL for root MMI handlers.
+
+  @retval TRUE        MmiEntry is removed.
+  @retval FALSE       MmiEntry is not removed.
+**/
+BOOLEAN
+RemoveMmiHandler (
+  IN MMI_HANDLER  *MmiHandler,
+  IN MMI_ENTRY    *MmiEntry
+  )
+{
+  ASSERT (MmiHandler->ToRemove);
+  RemoveEntryList (&MmiHandler->Link);
+  FreePool (MmiHandler);
+
+  //
+  // Remove the MMI_ENTRY if all handlers have been removed.
+  //
+  if (MmiEntry !=3D NULL) {
+    if (IsListEmpty (&MmiEntry->MmiHandlers)) {
+      RemoveEntryList (&MmiEntry->AllEntries);
+      FreePool (MmiEntry);
+      return TRUE;
+    }
+  }
+
+  return FALSE;
+}
+
 /**
   Finds the MMI entry for the requested handler type.

@@ -126,13 +166,16 @@ MmiManage (
 {
   LIST_ENTRY   *Link;
   LIST_ENTRY   *Head;
+  LIST_ENTRY   *EntryLink;
   MMI_ENTRY    *MmiEntry;
   MMI_HANDLER  *MmiHandler;
-  BOOLEAN      SuccessReturn;
+  EFI_STATUS   ReturnStatus;
+  BOOLEAN      WillReturn;
   EFI_STATUS   Status;

-  Status        =3D EFI_NOT_FOUND;
-  SuccessReturn =3D FALSE;
+  mMmiManageCallingDepth++;
+  Status       =3D EFI_NOT_FOUND;
+  ReturnStatus =3D Status;
   if (HandlerType =3D=3D NULL) {
     //
     // Root MMI handler
@@ -171,7 +214,16 @@ MmiManage (
         // no additional handlers will be processed and EFI_INTERRUPT_PEND=
ING will be returned.
         //
         if (HandlerType !=3D NULL) {
-          return EFI_INTERRUPT_PENDING;
+          ReturnStatus =3D EFI_INTERRUPT_PENDING;
+          WillReturn   =3D TRUE;
+        } else {
+          //
+          // If any other handler's result sets ReturnStatus as EFI_SUCCES=
S, the return status
+          // will be EFI_SUCCESS.
+          //
+          if (ReturnStatus !=3D EFI_SUCCESS) {
+            ReturnStatus =3D Status;
+          }
         }

         break;
@@ -183,10 +235,10 @@ MmiManage (
         // additional handlers will be processed.
         //
         if (HandlerType !=3D NULL) {
-          return EFI_SUCCESS;
+          WillReturn =3D TRUE;
         }

-        SuccessReturn =3D TRUE;
+        ReturnStatus =3D EFI_SUCCESS;
         break;

       case EFI_WARN_INTERRUPT_SOURCE_QUIESCED:
@@ -194,7 +246,7 @@ MmiManage (
         // If at least one of the handlers returns EFI_WARN_INTERRUPT_SOUR=
CE_QUIESCED
         // then the function will return EFI_SUCCESS.
         //
-        SuccessReturn =3D TRUE;
+        ReturnStatus =3D EFI_SUCCESS;
         break;

       case EFI_WARN_INTERRUPT_SOURCE_PENDING:
@@ -202,6 +254,10 @@ MmiManage (
         // If all the handlers returned EFI_WARN_INTERRUPT_SOURCE_PENDING
         // then EFI_WARN_INTERRUPT_SOURCE_PENDING will be returned.
         //
+        if (ReturnStatus !=3D EFI_SUCCESS) {
+          ReturnStatus =3D Status;
+        }
+
         break;

       default:
@@ -211,13 +267,76 @@ MmiManage (
         ASSERT_EFI_ERROR (Status);
         break;
     }
+
+    if (WillReturn) {
+      break;
+    }
   }

-  if (SuccessReturn) {
-    Status =3D EFI_SUCCESS;
+  ASSERT (mMmiManageCallingDepth > 0);
+  mMmiManageCallingDepth--;
+
+  //
+  // MmiHandlerUnRegister() calls from MMI handlers are deferred till this=
 point.
+  // Before returned from MmiManage, delete the MmiHandler which is
+  // marked as ToRemove.
+  // Note that MmiManage can be called recursively.
+  //
+  if (mMmiManageCallingDepth =3D=3D 0) {
+    //
+    // Go through all MmiHandler in root Mmi handlers
+    //
+    for ( Link =3D GetFirstNode (&mRootMmiHandlerList)
+          ; !IsNull (&mRootMmiHandlerList, Link);
+          )
+    {
+      //
+      // MmiHandler might be removed in below, so cache the next link in L=
ink
+      //
+      MmiHandler =3D CR (Link, MMI_HANDLER, Link, MMI_HANDLER_SIGNATURE);
+      Link       =3D GetNextNode (&mRootMmiHandlerList, Link);
+      if (MmiHandler->ToRemove) {
+        //
+        // Remove MmiHandler if the ToRemove is set.
+        //
+        RemoveMmiHandler (MmiHandler, NULL);
+      }
+    }
+
+    //
+    // Go through all MmiHandler in non-root MMI handlers
+    //
+    for ( EntryLink =3D GetFirstNode (&mMmiEntryList)
+          ; !IsNull (&mMmiEntryList, EntryLink);
+          )
+    {
+      //
+      // MmiEntry might be removed in below, so cache the next link in Ent=
ryLink
+      //
+      MmiEntry  =3D CR (EntryLink, MMI_ENTRY, AllEntries, MMI_ENTRY_SIGNAT=
URE);
+      EntryLink =3D GetNextNode (&mMmiEntryList, EntryLink);
+      for ( Link =3D GetFirstNode (&MmiEntry->MmiHandlers)
+            ; !IsNull (&MmiEntry->MmiHandlers, Link);
+            )
+      {
+        //
+        // MmiHandler might be removed in below, so cache the next link in=
 Link
+        //
+        MmiHandler =3D CR (Link, MMI_HANDLER, Link, MMI_HANDLER_SIGNATURE)=
;
+        Link       =3D GetNextNode (&MmiEntry->MmiHandlers, Link);
+        if (MmiHandler->ToRemove) {
+          //
+          // Remove MmiHandler if the ToRemove is set.
+          //
+          if (RemoveMmiHandler (MmiHandler, MmiEntry)) {
+            break;
+          }
+        }
+      }
+    }
   }

-  return Status;
+  return ReturnStatus;
 }

 /**
@@ -254,6 +373,7 @@ MmiHandlerRegister (

   MmiHandler->Signature =3D MMI_HANDLER_SIGNATURE;
   MmiHandler->Handler   =3D Handler;
+  MmiHandler->ToRemove  =3D FALSE;

   if (HandlerType =3D=3D NULL) {
     //
@@ -309,26 +429,17 @@ MmiHandlerUnRegister (
     return EFI_INVALID_PARAMETER;
   }

-  MmiEntry =3D MmiHandler->MmiEntry;
-
-  RemoveEntryList (&MmiHandler->Link);
-  FreePool (MmiHandler);
-
-  if (MmiEntry =3D=3D NULL) {
+  MmiHandler->ToRemove =3D TRUE;
+  if (mMmiManageCallingDepth > 0) {
     //
-    // This is root MMI handler
+    // This function is called from MmiManage()
+    // Do not delete or remove MmiHandler or MmiEntry now.
     //
     return EFI_SUCCESS;
   }

-  if (IsListEmpty (&MmiEntry->MmiHandlers)) {
-    //
-    // No handler registered for this interrupt now, remove the MMI_ENTRY
-    //
-    RemoveEntryList (&MmiEntry->AllEntries);
-
-    FreePool (MmiEntry);
-  }
+  MmiEntry =3D MmiHandler->MmiEntry;
+  RemoveMmiHandler (MmiHandler, MmiEntry);

   return EFI_SUCCESS;
 }
--
2.31.1.windows.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#117843): https://edk2.groups.io/g/devel/message/117843
Mute This Topic: https://groups.io/mt/105550122/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-



--_000_MN6PR11MB8244477F43A77A889C9A597A8C082MN6PR11MB8244namp_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<style type=3D"text/css" style=3D"display:none;"> P {margin-top:0;margin-bo=
ttom:0;} </style>
</head>
<body dir=3D"ltr">
<div class=3D"elementToProof" style=3D"font-family: Aptos, Aptos_EmbeddedFo=
nt, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; c=
olor: rgb(0, 0, 0);">
Reviewed-by: Ray Ni &lt;ray.ni@intel.com&gt;</div>
<div class=3D"elementToProof" style=3D"font-family: Aptos, Aptos_EmbeddedFo=
nt, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; c=
olor: rgb(0, 0, 0);">
<br>
</div>
<div id=3D"Signature">
<div style=3D"font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, =
Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Thanks,</div>
<div style=3D"font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, =
Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Ray</div>
</div>
<div id=3D"appendonsend"></div>
<hr style=3D"display:inline-block;width:98%" tabindex=3D"-1">
<div id=3D"divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" st=
yle=3D"font-size:11pt" color=3D"#000000"><b>From:</b> Liu, Zhiguang &lt;zhi=
guang.liu@intel.com&gt;<br>
<b>Sent:</b> Tuesday, April 16, 2024 10:41<br>
<b>To:</b> devel@edk2.groups.io &lt;devel@edk2.groups.io&gt;<br>
<b>Cc:</b> Liu, Zhiguang &lt;zhiguang.liu@intel.com&gt;; Liming Gao &lt;gao=
liming@byosoft.com.cn&gt;; Wu, Jiaxin &lt;jiaxin.wu@intel.com&gt;; Ni, Ray =
&lt;ray.ni@intel.com&gt;; Laszlo Ersek &lt;lersek@redhat.com&gt;; Ard Biesh=
euvel &lt;ardb+tianocore@kernel.org&gt;; Sami Mujawar &lt;sami.mujawar@arm.=
com&gt;<br>
<b>Subject:</b> [PATCH v4 6/6] StandaloneMmPkg: Support to unregister MMI h=
andler in MMI handlers</font>
<div>&nbsp;</div>
</div>
<div class=3D"BodyFragment"><font size=3D"2"><span style=3D"font-size:11pt;=
">
<div class=3D"PlainText">This patch fix a use-after-free issue where unregi=
stering an<br>
MMI handler could lead to the deletion of the MMI_HANDLER while it is<br>
still in use by MmiManage(). The fix involves modifying<br>
MmiHandlerUnRegister() to detect whether it is being called from<br>
within the MmiManage() stack. If so, the removal of the MMI_HANDLER<br>
is deferred until MmiManage() has finished executing.<br>
Additionally, due to the possibility of recursive MmiManage() calls,<br>
the unregistration and subsequent removal of the MMI_HANDLER are<br>
ensured to occur only after the outermost MmiManage() invocation has<br>
completed.<br>
<br>
Cc: Liming Gao &lt;gaoliming@byosoft.com.cn&gt;<br>
Cc: Jiaxin Wu &lt;jiaxin.wu@intel.com&gt;<br>
Cc: Ray Ni &lt;ray.ni@intel.com&gt;<br>
Cc: Laszlo Ersek &lt;lersek@redhat.com&gt;<br>
Cc: Ard Biesheuvel &lt;ardb+tianocore@kernel.org&gt;<br>
Cc: Sami Mujawar &lt;sami.mujawar@arm.com&gt;<br>
Signed-off-by: Zhiguang Liu &lt;zhiguang.liu@intel.com&gt;<br>
---<br>
&nbsp;StandaloneMmPkg/Core/Mmi.c | 161 +++++++++++++++++++++++++++++++-----=
-<br>
&nbsp;1 file changed, 136 insertions(+), 25 deletions(-)<br>
<br>
diff --git a/StandaloneMmPkg/Core/Mmi.c b/StandaloneMmPkg/Core/Mmi.c<br>
index 0de6fd17fc..e035245c87 100644<br>
--- a/StandaloneMmPkg/Core/Mmi.c<br>
+++ b/StandaloneMmPkg/Core/Mmi.c<br>
@@ -34,11 +34,51 @@ typedef struct {<br>
&nbsp;&nbsp; LIST_ENTRY&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Link;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // Link on MMI_ENTRY.MmiHandlers<br>
&nbsp;&nbsp; EFI_MM_HANDLER_ENTRY_POINT&nbsp;&nbsp;&nbsp; Handler;&nbsp;&nb=
sp;&nbsp;&nbsp; // The mm handler's entry point<br>
&nbsp;&nbsp; MMI_ENTRY&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; *MmiEnt=
ry;<br>
+&nbsp; BOOLEAN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To=
Remove;&nbsp;&nbsp;&nbsp; // To remove this MMI_HANDLER later<br>
&nbsp;} MMI_HANDLER;<br>
&nbsp;<br>
+//<br>
+// mMmiManageCallingDepth is used to track the depth of recursive calls of=
 MmiManage.<br>
+//<br>
+UINTN&nbsp; mMmiManageCallingDepth =3D 0;<br>
+<br>
&nbsp;LIST_ENTRY&nbsp; mRootMmiHandlerList =3D INITIALIZE_LIST_HEAD_VARIABL=
E (mRootMmiHandlerList);<br>
&nbsp;LIST_ENTRY&nbsp; mMmiEntryList&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
=3D INITIALIZE_LIST_HEAD_VARIABLE (mMmiEntryList);<br>
&nbsp;<br>
+/**<br>
+&nbsp; Remove MmiHandler and free the memory it used.<br>
+&nbsp; If MmiEntry is empty, remove MmiEntry and free the memory it used.<=
br>
+<br>
+&nbsp; @param&nbsp; MmiHandler&nbsp; Points to MMI handler.<br>
+&nbsp; @param&nbsp; MmiEntry&nbsp;&nbsp;&nbsp; Points to MMI Entry or NULL=
 for root MMI handlers.<br>
+<br>
+&nbsp; @retval TRUE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; MmiEntry is =
removed.<br>
+&nbsp; @retval FALSE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; MmiEntry is not r=
emoved.<br>
+**/<br>
+BOOLEAN<br>
+RemoveMmiHandler (<br>
+&nbsp; IN MMI_HANDLER&nbsp; *MmiHandler,<br>
+&nbsp; IN MMI_ENTRY&nbsp;&nbsp;&nbsp; *MmiEntry<br>
+&nbsp; )<br>
+{<br>
+&nbsp; ASSERT (MmiHandler-&gt;ToRemove);<br>
+&nbsp; RemoveEntryList (&amp;MmiHandler-&gt;Link);<br>
+&nbsp; FreePool (MmiHandler);<br>
+<br>
+&nbsp; //<br>
+&nbsp; // Remove the MMI_ENTRY if all handlers have been removed.<br>
+&nbsp; //<br>
+&nbsp; if (MmiEntry !=3D NULL) {<br>
+&nbsp;&nbsp;&nbsp; if (IsListEmpty (&amp;MmiEntry-&gt;MmiHandlers)) {<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RemoveEntryList (&amp;MmiEntry-&gt;AllEntri=
es);<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FreePool (MmiEntry);<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return TRUE;<br>
+&nbsp;&nbsp;&nbsp; }<br>
+&nbsp; }<br>
+<br>
+&nbsp; return FALSE;<br>
+}<br>
+<br>
&nbsp;/**<br>
&nbsp;&nbsp; Finds the MMI entry for the requested handler type.<br>
&nbsp;<br>
@@ -126,13 +166,16 @@ MmiManage (<br>
&nbsp;{<br>
&nbsp;&nbsp; LIST_ENTRY&nbsp;&nbsp; *Link;<br>
&nbsp;&nbsp; LIST_ENTRY&nbsp;&nbsp; *Head;<br>
+&nbsp; LIST_ENTRY&nbsp;&nbsp; *EntryLink;<br>
&nbsp;&nbsp; MMI_ENTRY&nbsp;&nbsp;&nbsp; *MmiEntry;<br>
&nbsp;&nbsp; MMI_HANDLER&nbsp; *MmiHandler;<br>
-&nbsp; BOOLEAN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SuccessReturn;<br>
+&nbsp; EFI_STATUS&nbsp;&nbsp; ReturnStatus;<br>
+&nbsp; BOOLEAN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WillReturn;<br>
&nbsp;&nbsp; EFI_STATUS&nbsp;&nbsp; Status;<br>
&nbsp;<br>
-&nbsp; Status&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =3D EFI_NOT_FOUND;=
<br>
-&nbsp; SuccessReturn =3D FALSE;<br>
+&nbsp; mMmiManageCallingDepth++;<br>
+&nbsp; Status&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =3D EFI_NOT_FOUND;<br>
+&nbsp; ReturnStatus =3D Status;<br>
&nbsp;&nbsp; if (HandlerType =3D=3D NULL) {<br>
&nbsp;&nbsp;&nbsp;&nbsp; //<br>
&nbsp;&nbsp;&nbsp;&nbsp; // Root MMI handler<br>
@@ -171,7 +214,16 @@ MmiManage (<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // no additional handlers =
will be processed and EFI_INTERRUPT_PENDING will be returned.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (HandlerType !=3D NULL)=
 {<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return EFI_INTERRUP=
T_PENDING;<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReturnStatus =3D EF=
I_INTERRUPT_PENDING;<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WillReturn&nbsp;&nb=
sp; =3D TRUE;<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; } else {<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // If any other han=
dler's result sets ReturnStatus as EFI_SUCCESS, the return status<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // will be EFI_SUCC=
ESS.<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (ReturnStatus !=
=3D EFI_SUCCESS) {<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReturnS=
tatus =3D Status;<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break;<br>
@@ -183,10 +235,10 @@ MmiManage (<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // additional handlers wil=
l be processed.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (HandlerType !=3D NULL)=
 {<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return EFI_SUCCESS;=
<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WillReturn =3D TRUE=
;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>
&nbsp;<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SuccessReturn =3D TRUE;<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReturnStatus =3D EFI_SUCCESS;<b=
r>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break;<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; case EFI_WARN_INTERRUPT_SOURCE_QUIESCE=
D:<br>
@@ -194,7 +246,7 @@ MmiManage (<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // If at least one of the =
handlers returns EFI_WARN_INTERRUPT_SOURCE_QUIESCED<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // then the function will =
return EFI_SUCCESS.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SuccessReturn =3D TRUE;<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReturnStatus =3D EFI_SUCCESS;<b=
r>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break;<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; case EFI_WARN_INTERRUPT_SOURCE_PENDING=
:<br>
@@ -202,6 +254,10 @@ MmiManage (<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // If all the handlers ret=
urned EFI_WARN_INTERRUPT_SOURCE_PENDING<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // then EFI_WARN_INTERRUPT=
_SOURCE_PENDING will be returned.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (ReturnStatus !=3D EFI_SUCCE=
SS) {<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReturnStatus =3D St=
atus;<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>
+<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break;<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; default:<br>
@@ -211,13 +267,76 @@ MmiManage (<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ASSERT_EFI_ERROR (Status);=
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break;<br>
&nbsp;&nbsp;&nbsp;&nbsp; }<br>
+<br>
+&nbsp;&nbsp;&nbsp; if (WillReturn) {<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break;<br>
+&nbsp;&nbsp;&nbsp; }<br>
&nbsp;&nbsp; }<br>
&nbsp;<br>
-&nbsp; if (SuccessReturn) {<br>
-&nbsp;&nbsp;&nbsp; Status =3D EFI_SUCCESS;<br>
+&nbsp; ASSERT (mMmiManageCallingDepth &gt; 0);<br>
+&nbsp; mMmiManageCallingDepth--;<br>
+<br>
+&nbsp; //<br>
+&nbsp; // MmiHandlerUnRegister() calls from MMI handlers are deferred till=
 this point.<br>
+&nbsp; // Before returned from MmiManage, delete the MmiHandler which is<b=
r>
+&nbsp; // marked as ToRemove.<br>
+&nbsp; // Note that MmiManage can be called recursively.<br>
+&nbsp; //<br>
+&nbsp; if (mMmiManageCallingDepth =3D=3D 0) {<br>
+&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp; // Go through all MmiHandler in root Mmi handlers<br>
+&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp; for ( Link =3D GetFirstNode (&amp;mRootMmiHandlerList)<=
br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; !IsNull (&amp;mRo=
otMmiHandlerList, Link);<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; )<br>
+&nbsp;&nbsp;&nbsp; {<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // MmiHandler might be removed in below, so=
 cache the next link in Link<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; MmiHandler =3D CR (Link, MMI_HANDLER, Link,=
 MMI_HANDLER_SIGNATURE);<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Link&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
=3D GetNextNode (&amp;mRootMmiHandlerList, Link);<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (MmiHandler-&gt;ToRemove) {<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // Remove MmiHandler if the ToR=
emove is set.<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RemoveMmiHandler (MmiHandler, N=
ULL);<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>
+&nbsp;&nbsp;&nbsp; }<br>
+<br>
+&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp; // Go through all MmiHandler in non-root MMI handlers<b=
r>
+&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp; for ( EntryLink =3D GetFirstNode (&amp;mMmiEntryList)<b=
r>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; !IsNull (&amp;mMm=
iEntryList, EntryLink);<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; )<br>
+&nbsp;&nbsp;&nbsp; {<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // MmiEntry might be removed in below, so c=
ache the next link in EntryLink<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; MmiEntry&nbsp; =3D CR (EntryLink, MMI_ENTRY=
, AllEntries, MMI_ENTRY_SIGNATURE);<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; EntryLink =3D GetNextNode (&amp;mMmiEntryLi=
st, EntryLink);<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; for ( Link =3D GetFirstNode (&amp;MmiEntry-=
&gt;MmiHandlers)<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ; !IsNu=
ll (&amp;MmiEntry-&gt;MmiHandlers, Link);<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; )<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // MmiHandler might be removed =
in below, so cache the next link in Link<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; MmiHandler =3D CR (Link, MMI_HA=
NDLER, Link, MMI_HANDLER_SIGNATURE);<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Link&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp; =3D GetNextNode (&amp;MmiEntry-&gt;MmiHandlers, Link);<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (MmiHandler-&gt;ToRemove) {<=
br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // Remove MmiHandle=
r if the ToRemove is set.<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (RemoveMmiHandle=
r (MmiHandler, MmiEntry)) {<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break;<=
br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>
+&nbsp;&nbsp;&nbsp; }<br>
&nbsp;&nbsp; }<br>
&nbsp;<br>
-&nbsp; return Status;<br>
+&nbsp; return ReturnStatus;<br>
&nbsp;}<br>
&nbsp;<br>
&nbsp;/**<br>
@@ -254,6 +373,7 @@ MmiHandlerRegister (<br>
&nbsp;<br>
&nbsp;&nbsp; MmiHandler-&gt;Signature =3D MMI_HANDLER_SIGNATURE;<br>
&nbsp;&nbsp; MmiHandler-&gt;Handler&nbsp;&nbsp; =3D Handler;<br>
+&nbsp; MmiHandler-&gt;ToRemove&nbsp; =3D FALSE;<br>
&nbsp;<br>
&nbsp;&nbsp; if (HandlerType =3D=3D NULL) {<br>
&nbsp;&nbsp;&nbsp;&nbsp; //<br>
@@ -309,26 +429,17 @@ MmiHandlerUnRegister (<br>
&nbsp;&nbsp;&nbsp;&nbsp; return EFI_INVALID_PARAMETER;<br>
&nbsp;&nbsp; }<br>
&nbsp;<br>
-&nbsp; MmiEntry =3D MmiHandler-&gt;MmiEntry;<br>
-<br>
-&nbsp; RemoveEntryList (&amp;MmiHandler-&gt;Link);<br>
-&nbsp; FreePool (MmiHandler);<br>
-<br>
-&nbsp; if (MmiEntry =3D=3D NULL) {<br>
+&nbsp; MmiHandler-&gt;ToRemove =3D TRUE;<br>
+&nbsp; if (mMmiManageCallingDepth &gt; 0) {<br>
&nbsp;&nbsp;&nbsp;&nbsp; //<br>
-&nbsp;&nbsp;&nbsp; // This is root MMI handler<br>
+&nbsp;&nbsp;&nbsp; // This function is called from MmiManage()<br>
+&nbsp;&nbsp;&nbsp; // Do not delete or remove MmiHandler or MmiEntry now.<=
br>
&nbsp;&nbsp;&nbsp;&nbsp; //<br>
&nbsp;&nbsp;&nbsp;&nbsp; return EFI_SUCCESS;<br>
&nbsp;&nbsp; }<br>
&nbsp;<br>
-&nbsp; if (IsListEmpty (&amp;MmiEntry-&gt;MmiHandlers)) {<br>
-&nbsp;&nbsp;&nbsp; //<br>
-&nbsp;&nbsp;&nbsp; // No handler registered for this interrupt now, remove=
 the MMI_ENTRY<br>
-&nbsp;&nbsp;&nbsp; //<br>
-&nbsp;&nbsp;&nbsp; RemoveEntryList (&amp;MmiEntry-&gt;AllEntries);<br>
-<br>
-&nbsp;&nbsp;&nbsp; FreePool (MmiEntry);<br>
-&nbsp; }<br>
+&nbsp; MmiEntry =3D MmiHandler-&gt;MmiEntry;<br>
+&nbsp; RemoveMmiHandler (MmiHandler, MmiEntry);<br>
&nbsp;<br>
&nbsp;&nbsp; return EFI_SUCCESS;<br>
&nbsp;}<br>
-- <br>
2.31.1.windows.1<br>
<br>
</div>
</span></font></div>
</body>
</html>


<div width=3D"1" style=3D"color:white;clear:both">_._,_._,_</div>
<hr>


Groups.io Links:<p>


 =20
    You receive all messages sent to this group.
 =20
 =20


<p>
<a target=3D"_blank" href=3D"https://edk2.groups.io/g/devel/message/117843"=
>View/Reply Online (#117843)</a> |


 =20

|

  <a target=3D"_blank" href=3D"https://groups.io/mt/105550122/7686176">Mute=
 This Topic</a>


| <a href=3D"https://edk2.groups.io/g/devel/post">New Topic</a>

<br>




<a href=3D"https://edk2.groups.io/g/devel/editsub/7686176">Your Subscriptio=
n</a> |
<a href=3D"mailto:devel+owner@edk2.groups.io">Contact Group Owner</a> |

<a href=3D"https://edk2.groups.io/g/devel/unsub">Unsubscribe</a>

 [rebecca@openfw.io]<br>
<div width=3D"1" style=3D"color:white;clear:both">_._,_._,_</div>


--_000_MN6PR11MB8244477F43A77A889C9A597A8C082MN6PR11MB8244namp_--