Re: [Xen-devel] EFI GetNextVariableName crashes when running under Xen, but not under Linux. efi-rs=0 works. No memmap issues
On Tue, Jan 27, 2015 at 09:18:58PM +0100, Daniel Kiper wrote:
> On Tue, Jan 27, 2015 at 07:54:30AM +0000, Jan Beulich wrote:
> > (re-adding xen-devel)
> >
> > >>> On 27.01.15 at 01:32, <andrew.cooper3@xxxxxxxxxx> wrote:
> > > On 27/01/2015 00:02, Daniel Kiper wrote:
> > >> On Mon, Jan 26, 2015 at 05:00:41PM +0000, Jan Beulich wrote:
> > >>>>>> On 26.01.15 at 17:27, <konrad.wilk@xxxxxxxxxx> wrote:
> > >>>> Anyhow I am bit stuck:
> > >>>> 1) It works with Linux, so what is it that Linux does that
> > >>>> Xen does not?
> > >>> They map more than just what is marked for runtime use.
And they call SetVirtualAddressMap which we do not (and if I define
USE_SET_VIRTUAL_ADDRESS_MAP Xen blows up during bootup).
> > >> IIRC, Linux maps boot services unconditionally (and states in comment
> > >> that this is not in line with spec). We do not have such mechanism.
.. snip..
I've found that the issue is that the EFI firmware code assumes
that if you have not called SetVirtualAddressMap then you must
not have called ExitBootServices. But we do, and part of
ExitBootServices' job is to wipe out its system function table
to zero. And since we did that, the system function table
would point to zeros .. and the code would happily execute
code at location 0 <facepalm>.
The "fix" was to not call ExitBootServices. See patches - which
are really just for diagnostic purposes. Daniel - thank you
for suggesting that!
P.S.
Marcos, you might want to run with these patches (except
the #4 patch) - and see how it works on your Dell machine
(without the efi-rs=0 workaround).
For those that are interested, here is the heavily annotated
efi_rs->GetNextVariableName code on this Lenovo Thinkpad along
with snippets from memory:
The first [] is when running under Linux, the second is
when running under Xen. The [S] means it had the same value
when running w/ calling ExitBootServices under Xen.
0: 48 89 5c 24 08 mov %rbx,0x8(%rsp)
5: 48 89 6c 24 10 mov %rbp,0x10(%rsp)
a: 48 89 74 24 18 mov %rsi,0x18(%rsp)
f: 57 push %rdi
10: 41 54 push %r12
12: 41 55 push %r13
14: 48 83 ec 20 sub $0x20,%rsp
18: 45 33 ed xor %r13d,%r13d
1b: 48 85 c9 test %rcx,%rcx
1e: 4d 8b e0 mov %r8,%r12
21: 48 8b fa mov %rdx,%rdi
24: 48 8b e9 mov %rcx,%rbp
27: 0f 84 09 01 00 00 je 0x136
2d: 48 85 d2 test %rdx,%rdx
30: 0f 84 00 01 00 00 je 0x136
36: 4d 85 c0 test %r8,%r8
39: 0f 84 f7 00 00 00 je 0x136
3f: 48 8b 05 76 11 00 00 mov 0x1176(%rip),%rax # 0x11bc
[20 53 c3 fa fe ff ff ff] [20 53 a3 d6 00 00 00 00][S]
46: 48 8d 15 af 11 00 00 lea 0x11af(%rip),%rdx # 0x11fc
[00 54 f3 41 60 06 1c 8] [00 6d 15 d8 d6 db 40 8d][S]
4d: 48 8b c8 mov %rax,%rcx
50: ff 50 20 callq *0x20(%rax)
53: 80 3d a2 11 00 00 01 cmpb $0x1,0x11a2(%rip) # 0x11fc
[00 54 f3 41 60 06 1c 8] [00 6d 15 d8 d6 db 40 8d][S]
5a: 75 1b jne 0x77
5c: 48 8b 05 81 11 00 00 mov 0x1181(%rip),%rax # 0x11e4
[80 62 2b db 00 00 00 00] [80 62 2b db 00 00 00 0][S]
63: 4d 8b c4 mov %r12,%r8
66: 48 8b d7 mov %rdi,%rdx
69: 48 8b cd mov %rbp,%rcx
6c: ff 50 08 callq *0x8(%rax)
6f: 48 8b d8 mov %rax,%rbx
72: e9 ba 00 00 00 jmpq 0x131
77: 48 8b cf mov %rdi,%rcx
7a: e8 bd 0f 00 00 callq 0x103c
7f: 48 3d 00 01 00 00 cmp $0x100,%rax
85: 0f 87 ab 00 00 00 ja 0x136
8b: 44 38 2d c2 10 00 00 cmp %r13b,0x10c2(%rip) # 0x1154
[01 01 00 00 00 00 00 00] [00 01 00 00 00 00 00 00][S]
[Here we figure out whether to use BootServices.
r13 is zero (see @18)]
92: 75 12 jne 0xa6
[Linux: 01 != 00, hence go to @a6, Xen keeps on going]
94: 48 8b 05 d1 10 00 00 mov 0x10d1(%rip),%rax # 0x116c
[70 a2 db cf 00 00 00 00][70 a2 db cf 00 00 00 00][S]
9b: b9 1f 00 00 00 mov $0x1f,%ecx
w/o ExitBootServices:
[@cfdba270: 42 4f 4f 54 53 45 52 56]
[@cfdba270+0x18: 48 30 dc cf 00 00 00 00]
[@0: 68 02 00 f0 68 02 00 f0 6]..
w/ ExitBootServices they are:
[@cfdba270: 00 00 00 ...]
[@cfdba270+0x18: 00 00 00 ..]
[@0: 68 02 00 f0 68 02 00 f0 6]..
a0: ff 50 18 callq *0x18(%rax)
.. and the rest is uninteresting - as right now Xen would
crash when calling code at @0, which is full of garbage.
If however we did not call ExitBootServices, we jump
to cfdc3048 which is:
0: 48 89 5c 24 08 mov %rbx,0x8(%rsp)
5: 57 push %rdi
6: 48 83 ec 20 sub $0x20,%rsp
a: 48 8b 1d 57 81 ff ff mov -0x7ea9(%rip),%rbx # 0xffffffffffff8168
11: 48 8b f9 mov %rcx,%rdi
14: 48 3b cb cmp %rbx,%rcx
17: 72 1a jb 0x33
19: 48 83 f9 1f cmp $0x1f,%rcx
1d: 72 0d jb 0x2c
1f: 48 83 fb 1f cmp $0x1f,%rbx
23: 73 07 jae 0x2c
25: 33 c9 xor %ecx,%ecx
27: e8 9c ff ff ff callq 0xffffffffffffffc8
2c: 48 89 3d 35 81 ff ff mov %rdi,-0x7ecb(%rip) # 0xffffffffffff8168
33: 48 8b c3 mov %rbx,%rax
36: 48 8b 5c 24 30 mov 0x30(%rsp),%rbx
3b: 48 83 c4 20 add $0x20,%rsp
3f: 5f pop %rdi
40: c3 retq
a3: 4c 8b e8 mov %rax,%r13
a6: 48 8b 35 27 11 00 00 mov 0x1127(%rip),%rsi # 0x11d4
[10 d0 87 fa fe ff ff ff][10 d0 47 da 00 00 00 00][S]
ad: 48 8b d7 mov %rdi,%rdx
b0: c6 06 5a movb $0x5a,(%rsi)
b3: c6 46 01 6b movb $0x6b,0x1(%rsi)
b7: 48 8b 4d 00 mov 0x0(%rbp),%rcx
bb: 48 89 4e 18 mov %rcx,0x18(%rsi)
bf: 48 8d 4e 20 lea 0x20(%rsi),%rcx
c3: e8 58 0f 00 00 callq 0x1020
c8: 48 8d 8e 20 02 00 00 lea 0x220(%rsi),%rcx
cf: 41 b8 10 00 00 00 mov $0x10,%r8d
d5: 49 8b d4 mov %r12,%rdx
d8: e8 ff 0e 00 00 callq 0xfdc
dd: e8 3a fb ff ff callq 0xfffffffffffffc1c
e2: 44 8a 1e mov (%rsi),%r11b
e5: 41 80 fb 5a cmp $0x5a,%r11b
e9: 74 bb je 0xa6
eb: 48 8b 5e 08 mov 0x8(%rsi),%rbx
ef: 48 8b 46 18 mov 0x18(%rsi),%rax
f3: 48 85 db test %rbx,%rbx
f6: 48 89 45 00 mov %rax,0x0(%rbp)
fa: 75 1f jne 0x11b
fc: 48 8d 56 20 lea 0x20(%rsi),%rdx
100: 48 8b cf mov %rdi,%rcx
103: e8 18 0f 00 00 callq 0x1020
108: 48 8d 96 20 02 00 00 lea 0x220(%rsi),%rdx
10f: 44 8d 43 10 lea 0x10(%rbx),%r8d
113: 49 8b cc mov %r12,%rcx
116: e8 c1 0e 00 00 callq 0xfdc
11b: 80 3d 32 10 00 00 00 cmpb $0x0,0x1032(%rip) # 0x1154
[70 a2 db cf 00 00 00 00][00 01 00 00 00 00 00 00][S]
122: 75 0d jne 0x131
124: 48 8b 05 41 10 00 00 mov 0x1041(%rip),%rax # 0x116c
[70 a2 db cf 00 00 00 00][70 a2 db cf 00 00 00 00][S]
12b: 49 8b cd mov %r13,%rcx
12e: ff 50 20 callq *0x20(%rax)
131: 48 8b c3 mov %rbx,%rax
134: eb 0a jmp 0x140
136: 48 b8 02 00 00 00 00 movabs $0x8000000000000002,%rax
13d: 00 00 80
140: 48 8b 5c 24 40 mov 0x40(%rsp),%rbx
145: 48 8b 6c 24 48 mov 0x48(%rsp),%rbp
14a: 48 8b 74 24 50 mov 0x50(%rsp),%rsi
14f: 48 83 c4 20 add $0x20,%rsp
153: 41 5d pop %r13
155: 41 5c pop %r12
157: 5f pop %rdi
158: c3 retq
159: cc int3
15a: cc int3
15b: cc int3
Attachments:
0001-EFI-Map-also-BootServicesData-and-BootServicesCode.patch
0002-EFI-early-Implement-GetNextVariableName-and-query-an.patch
0003-EFI-early-Swap-noexitboot-to-exitboot-and-by-default.patch
0004-EFI-Dump-0xcfda270-and-the-other-address.patch

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
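Editor's note with an added example; the code below is not from this thread, from Xen, or from the Lenovo firmware. The listing above lines up with the EFI_BOOT_SERVICES layout in the UEFI specification: the bytes 42 4f 4f 54 53 45 52 56 read at cfdba270 spell "BOOTSERV", the EFI_BOOT_SERVICES table signature; +0x18 and +0x20 are the first two entries after the 24-byte table header, RaiseTPL and RestoreTPL; the $0x1f moved into %ecx at @9b is TPL_HIGH_LEVEL; and the 0x8000000000000002 returned at @136 is EFI_INVALID_PARAMETER. So when the byte at 0x1154 is still zero (which, as the mail concludes, this firmware sets only from SetVirtualAddressMap), the variable driver brackets its work with RaiseTPL/RestoreTPL through the boot-services table, and if ExitBootServices has already zeroed that table the indirect call at @a0 goes to address 0. The C model below reproduces that decision logic for the three boot sequences discussed in the thread: Linux (ExitBootServices, then SetVirtualAddressMap), Xen with the diagnostic patches (neither), and Xen as shipped (ExitBootServices only). Everything in it is an assumption of the model rather than the firmware's code: plain C calling convention instead of EFIAPI, char names instead of CHAR16, the VendorGuid parameter dropped, a constructed three-entry variable store, and a signature/NULL check that returns EFI_NOT_READY where the real driver simply dereferences. That guard is the check a practitioner would want; the actual firmware has no such check, which is the whole point of the crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS           0x0ULL
#define EFI_INVALID_PARAMETER 0x8000000000000002ULL   /* the movabs at @136 */
#define EFI_BUFFER_TOO_SMALL  0x8000000000000005ULL
#define EFI_NOT_READY         0x8000000000000006ULL   /* returned by the added guard only */
#define EFI_NOT_FOUND         0x800000000000000eULL
#define TPL_APPLICATION 4
#define TPL_HIGH_LEVEL  31                            /* the $0x1f loaded at @9b */
#define EFI_BOOT_SERVICES_SIGNATURE 0x56524553544f4f42ULL  /* "BOOTSERV", as read at cfdba270 */

struct model_fw;
typedef uintptr_t (*raise_tpl_fn)(struct model_fw *, uintptr_t);
typedef void (*restore_tpl_fn)(struct model_fw *, uintptr_t);

/* Head of EFI_BOOT_SERVICES: 24-byte table header, RaiseTPL at +0x18, RestoreTPL at +0x20. */
struct model_boot_services {
    uint64_t signature;
    uint32_t revision, header_size, crc32, reserved;
    raise_tpl_fn RaiseTPL;
    restore_tpl_fn RestoreTPL;
};

struct model_fw {
    uint8_t virtual_mode;          /* model of the byte at 0x1154; set only by SetVirtualAddressMap */
    struct model_boot_services bs; /* model of the table at 0xcfdba270 */
    uintptr_t tpl;
    int null_dispatch;             /* the driver would have called through a zeroed slot */
};

static uintptr_t model_raise_tpl(struct model_fw *fw, uintptr_t t) { uintptr_t o = fw->tpl; fw->tpl = t; return o; }
static void model_restore_tpl(struct model_fw *fw, uintptr_t t) { fw->tpl = t; }

void fw_init(struct model_fw *fw)
{
    memset(fw, 0, sizeof *fw);
    fw->bs.signature = EFI_BOOT_SERVICES_SIGNATURE;
    fw->bs.RaiseTPL = model_raise_tpl;
    fw->bs.RestoreTPL = model_restore_tpl;
    fw->tpl = TPL_APPLICATION;
}
/* As observed in the thread: after ExitBootServices the table reads as zeros. */
void fw_exit_boot_services(struct model_fw *fw) { memset(&fw->bs, 0, sizeof fw->bs); }
/* The only call that flips the flag the variable driver consults. */
void fw_set_virtual_address_map(struct model_fw *fw) { fw->virtual_mode = 1; }

/* Constructed variable store; char instead of CHAR16 names, vendor GUIDs omitted. */
static const char *const k_vars[] = { "Boot0000", "BootOrder", "SecureBoot" };

EFI_STATUS fw_get_next_variable_name(struct model_fw *fw, size_t *size, char *name)
{
    if (!size || !name)                       /* two of the three NULL tests at @1b..@39 */
        return EFI_INVALID_PARAMETER;
    uintptr_t old_tpl = 0;
    if (!fw->virtual_mode) {
        /* Pre-runtime path: bracket the work in RaiseTPL/RestoreTPL through the
         * boot-services table. The real driver dereferences unconditionally; this
         * signature/NULL check is the guard it lacks and turns the jump to 0 into an error. */
        if (fw->bs.signature != EFI_BOOT_SERVICES_SIGNATURE || !fw->bs.RaiseTPL || !fw->bs.RestoreTPL) {
            fw->null_dispatch = 1;
            return EFI_NOT_READY;
        }
        old_tpl = fw->bs.RaiseTPL(fw, TPL_HIGH_LEVEL);   /* @a0: RaiseTPL(TPL_HIGH_LEVEL) */
    }
    EFI_STATUS status = EFI_NOT_FOUND;
    size_t n = sizeof k_vars / sizeof k_vars[0], i = 0;
    if (name[0] != '\0') {                    /* resume after the name the caller passed in */
        while (i < n && strcmp(k_vars[i], name) != 0) i++;
        i++;
    }
    if (i < n) {
        size_t need = strlen(k_vars[i]) + 1;
        if (need <= *size) { memcpy(name, k_vars[i], need); status = EFI_SUCCESS; }
        else status = EFI_BUFFER_TOO_SMALL;
        *size = need;
    }
    if (!fw->virtual_mode)
        fw->bs.RestoreTPL(fw, old_tpl);      /* @12e: RestoreTPL(old) via the same table */
    return status;
}

/* The three boot sequences discussed in the thread, ending in one GetNextVariableName call. */
EFI_STATUS run_sequence(int exit_boot_services, int set_virtual_address_map, int *null_dispatch)
{
    struct model_fw fw;
    char name[32] = "";
    size_t size = sizeof name;
    fw_init(&fw);
    if (exit_boot_services) fw_exit_boot_services(&fw);
    if (set_virtual_address_map) fw_set_virtual_address_map(&fw);
    EFI_STATUS st = fw_get_next_variable_name(&fw, &size, name);
    if (null_dispatch) *null_dispatch = fw.null_dispatch;
    return st;
}

int sequence_null_dispatch(int exit_boot_services, int set_virtual_address_map)
{
    int nd = 0;
    run_sequence(exit_boot_services, set_virtual_address_map, &nd);
    return nd;
}
```

run_sequence(1, 1, ...) is the Linux order and succeeds because the flag is set and the zeroed table is never touched; run_sequence(0, 0, ...) is Xen with the noexitboot diagnostic patches and succeeds because the table is intact; run_sequence(1, 0, ...) is Xen as shipped, where the only thing standing between the driver and a call to address 0 is the guard the model adds.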