From: Marvin Häuser
To: edk2-devel@lists.01.org
CC: Andrew Fish
Date: Sat, 13 Aug 2016 01:46:38 +0000
In-Reply-To: <7B465500-570A-4B78-B1F2-458C36E7DC08@apple.com>
Subject: Re: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?
List-Id: EDK II Development

Hello Andrew,

Unfortunately I cannot test anything right now and I don't have a whole lot of knowledge in this area, though I might have a hint for you.

While PpiList is equal to the original TempRam base, the TempRam base passed to PEI is equal to the original TempRam base + the size of the PpiList, hence PpiList is smaller than the base address passed to PEI. The PpiList is then installed via the PeiServicesInstallPpi () function:
call: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c#L386
implementation: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L183

The list is then added to PpiData.PpiListPtrs.
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L229

I am not sure at which point of time you are experiencing the crash, but after permanent memory is available, ConvertPpiPointers () is called, which then calls ConvertSinglePpiPointer () for old heap, old stack and old hole (I'm afraid I do not know what TempRam Hole is and if it is related).
ConvertPpiPointers () call: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c#L237
Old Heap ConvertSinglePpiPointer () call: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L127

The call for the old heap conversion passes the TempRam base, which has been incremented as we know, and thus the comparison to TempBottom will fail, as TempBottom is PeiTemporaryRamBase, which is larger than PpiList, which is one of the items in PpiListPtrs, which is the object of the conversion.
comparison to TempBottom: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Ppi/Ppi.c#L60

As the pointer to the PpiList passed by SecCore is probably not converted as detailed above, I assume something post-mem attempts to access this former PpiList by the old temporary RAM address and that somehow causes trouble; I assume the SEC PpiList being part of the PEI memory is an assumption made by the person who wrote this code. I'm not sure about why it crashes, as I do not know the entire PEI control flow, though I hope this can help you in some way.

Please excuse me if I have made a mistake in understanding the referenced code and wasted your time.

Regards,
Marvin.

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Andrew Fish
> Sent: Saturday, August 13, 2016 1:25 AM
> To: edk2-devel
> Subject: [edk2] [MdeModulePkg][PeiCore] I seemed to have crashed the PEI Core by grabbing memory from PeiTemporaryRamBase?
>
> I grabbed some memory between SEC and the PEI Core by adjusting SecCoreData->PeiTemporaryRamBase and SecCoreData->PeiTemporaryRamSize.
>
> When looking at the code I don't really understand the logic of the algorithm? So maybe I'm doing something wrong.
>
> This adjustment does not seem right to me?
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L768
>
>   //
>   // Heap Offset
>   //
>   BaseOfNewHeap = TopOfNewStack;
>   if (BaseOfNewHeap >= (UINTN)SecCoreData->PeiTemporaryRamBase) {
>     Private->HeapOffsetPositive = TRUE;
>     Private->HeapOffset         = (UINTN)(BaseOfNewHeap - (UINTN)SecCoreData->PeiTemporaryRamBase);
>   } else {
>     Private->HeapOffsetPositive = FALSE;
>     Private->HeapOffset         = (UINTN)((UINTN)SecCoreData->PeiTemporaryRamBase - BaseOfNewHeap);
>   }
>
> The above code seems to be making a very strange adjustment. I noticed the adjustment in my failing case was off by 0xC0 which is the amount of memory I carved out prior to entering the PEI Core.
>
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c#L796
>
>   //
>   // Temporary Ram Support PPI is provided by platform, it will copy
>   // temporary memory to permenent memory and do stack switching.
>   // After invoking Temporary Ram Support PPI, the following code's
>   // stack is in permanent memory.
>   //
>   TemporaryRamSupportPpi->TemporaryRamMigration (
>                             PeiServices,
>                             TemporaryRamBase,
>                             (EFI_PHYSICAL_ADDRESS)(UINTN)(TopOfNewStack - TemporaryStackSize),
>                             TemporaryRamSize
>                             );
>
> And this is also a case in which the stack got bigger. But it seems to me the shift is really defined by TemporaryRamBase, TopOfNewStack, and TemporaryStackSize in this case.
>
> The failure I hit was OldCoreData->Fv pointer was shifted so when the PPI was called the system crashed. Is this a bug in the gEfiTemporaryRamSupportPpiGuid path?
>
> If I changed the HeapOffset algorithm my crash went away?
>
>   Private->HeapOffset = ((UINTN)TopOfNewStack - TemporaryStackSize) - TemporaryRamBase;
>
> Thanks,
>
> Andrew Fish
>
> PS My failure case was the EmulatorPkg. I've not had a chance to verify this failure in the open source yet, but I'm guessing reversing this #if will make it happen.
>
> https://github.com/tianocore/edk2/blob/master/EmulatorPkg/Sec/Sec.c#L107
>
> #if 0
>   // Tell the PEI Core to not use our buffer in temp RAM
>   SecPpiList = (EFI_PEI_PPI_DESCRIPTOR *)SecCoreData->PeiTemporaryRamBase;
>   SecCoreData->PeiTemporaryRamBase = (VOID *)((UINTN)SecCoreData->PeiTemporaryRamBase + SecReseveredMemorySize);
>   SecCoreData->PeiTemporaryRamSize -= SecReseveredMemorySize;
> #else
>   {
>     //
>     // When I subtract from SecCoreData->PeiTemporaryRamBase PEI Core crashes? Either there is a bug
>     // or I don't understand temp RAM correctly?
>     //
>     EFI_PEI_PPI_DESCRIPTOR PpiArray[10];
>
>     SecPpiList = &PpiArray[0];
>     ASSERT (sizeof (PpiArray) >= SecReseveredMemorySize);
>   }
> #endif
>
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
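Added example for this thread (editor's illustration, not Marvin's, Andrew's or edk2's code): a scaled-down C model of the two effects the two mails describe. First, a PpiList that SEC placed at the original temporary RAM base lies below the TempBottom that PEI Core compares against once PeiTemporaryRamBase has been bumped, so the range check in the conversion routine skips it. Second, a HeapOffset measured from PeiTemporaryRamBase differs from the displacement the copy actually applied by exactly the carved-out size. Every name here (LAYOUT, MakeLayout, Scenario, ConvertPointer and so on) and every address is made up; the assumption that the migration copies the heap starting at the original window base rather than at PeiTemporaryRamBase is the model's own, chosen because it reproduces the 0xC0 discrepancy Andrew reports, and whether a real TemporaryRamMigration implementation behaves that way is not established by this thread.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model assumptions (not taken from edk2):
 *  - SEC owns a temporary RAM window at TempRamBase and keeps Carve bytes at
 *    its front for its own PpiList, so PEI Core is handed
 *    PeiTempRamBase = TempRamBase + Carve.
 *  - The migration copies the heap starting at TempRamBase (the window base,
 *    not PeiTempRamBase) to NewHeapBase, so every old heap address moves by
 *    the single delta NewHeapBase - TempRamBase.
 *  - Pointer conversion relocates a pointer only if it lies inside
 *    [TempBottom, TempTop) and then adds HeapOffset to it.
 */
typedef struct {
  uint64_t TempRamBase;     /* stands in for SecCoreData->TemporaryRamBase */
  uint64_t TempRamSize;
  uint64_t Carve;           /* bytes SEC reserved at the front of the window */
  uint64_t PeiTempRamBase;  /* stands in for SecCoreData->PeiTemporaryRamBase */
  uint64_t PeiTempRamSize;
  uint64_t NewHeapBase;     /* stands in for BaseOfNewHeap */
} LAYOUT;

static LAYOUT MakeLayout(uint64_t TempRamBase, uint64_t TempRamSize,
                         uint64_t Carve, uint64_t NewHeapBase) {
  LAYOUT L;
  L.TempRamBase    = TempRamBase;
  L.TempRamSize    = TempRamSize;
  L.Carve          = Carve;
  L.PeiTempRamBase = TempRamBase + Carve;
  L.PeiTempRamSize = TempRamSize - Carve;
  L.NewHeapBase    = NewHeapBase;
  return L;
}

/* Where the copy really puts the byte that used to live at OldAddr. */
static uint64_t ActualNewAddress(const LAYOUT *L, uint64_t OldAddr) {
  return OldAddr + (L->NewHeapBase - L->TempRamBase);
}

/* HeapOffset the way the quoted Dispatcher.c snippet measures it. */
static uint64_t HeapOffsetFromPeiBase(const LAYOUT *L) {
  return L->NewHeapBase - L->PeiTempRamBase;
}

/* HeapOffset measured from the address the copy actually started at. */
static uint64_t HeapOffsetFromCopySource(const LAYOUT *L) {
  return L->NewHeapBase - L->TempRamBase;
}

/* Shape of the range check Marvin points at: outside [TempBottom, TempTop)
 * the pointer is left alone; *Converted reports which path ran. */
static uint64_t ConvertPointer(uint64_t Ptr, uint64_t TempBottom,
                               uint64_t TempTop, uint64_t Offset,
                               int *Converted) {
  if (Ptr >= TempBottom && Ptr < TempTop) {
    *Converted = 1;
    return Ptr + Offset;
  }
  *Converted = 0;
  return Ptr;
}

/* Constructed numbers: 64 KiB window at 16 MiB, heap copy landing at 2 GiB. */
static LAYOUT Scenario(uint64_t Carve) {
  return MakeLayout(0x1000000ull, 0x10000ull, Carve, 0x80000000ull);
}

/* Is SEC's PpiList, placed at the original window base, relocated at all? */
static int ScenarioSecPpiListConverted(uint64_t Carve) {
  LAYOUT L = Scenario(Carve);
  int Converted;
  ConvertPointer(L.TempRamBase, L.PeiTempRamBase,
                 L.PeiTempRamBase + L.PeiTempRamSize,
                 HeapOffsetFromPeiBase(&L), &Converted);
  return Converted;
}

/* Bytes by which a converted heap pointer misses the object it should name. */
static uint64_t ScenarioHeapPtrError(uint64_t Carve, int OffsetFromCopySource) {
  LAYOUT L = Scenario(Carve);
  uint64_t OldPtr = L.PeiTempRamBase + 0x40;   /* some object in the PEI heap */
  uint64_t Offset = OffsetFromCopySource ? HeapOffsetFromCopySource(&L)
                                         : HeapOffsetFromPeiBase(&L);
  int Converted;
  uint64_t Got  = ConvertPointer(OldPtr, L.PeiTempRamBase,
                                 L.PeiTempRamBase + L.PeiTempRamSize,
                                 Offset, &Converted);
  uint64_t Want = ActualNewAddress(&L, OldPtr);
  return Want > Got ? Want - Got : Got - Want;
}

int main(void) {
  printf("carve 0x00: SEC PpiList converted=%d, heap ptr error=0x%llx\n",
         ScenarioSecPpiListConverted(0),
         (unsigned long long)ScenarioHeapPtrError(0, 0));
  printf("carve 0xC0: SEC PpiList converted=%d, heap ptr error=0x%llx\n",
         ScenarioSecPpiListConverted(0xC0),
         (unsigned long long)ScenarioHeapPtrError(0xC0, 0));
  printf("carve 0xC0, offset from copy source: heap ptr error=0x%llx\n",
         (unsigned long long)ScenarioHeapPtrError(0xC0, 1));
  return 0;
}
```

With Carve = 0 both offset formulas agree and the SEC PpiList sits inside the converted range. With Carve = 0xC0 the list address is below TempBottom and is never touched, and every converted heap pointer lands 0xC0 bytes short of its object unless the offset is measured from the address the copy really started at. That is the arithmetic behind the "off by 0xC0" observation; what the right fix is in edk2 is left to the thread.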