Subject: Re: Dom0: ACPI panic
To: None <port-xen@netbsd.org>
From: Christoph Egger <Christoph_Egger@gmx.de>
List: port-xen
Date: 09/06/2007 11:51:03

AcpiTbGetTableHeader() reads the ACPI Header from the BIOS
which contains the wrong Header->Length value.
=> buggy BIOS

The attached patch adds a sanity check. I don't know if AE_LIMIT is the
correct error code, but NetBSD/Xen now boots on this machine.

The new boot messages:

[...]
BIOS32 rev. 0 found at 0xfb3f0
mainbus0 (root)
mainbus0: scanning 0x9fc00 to 0x9fff0 for MP signature
mainbus0: scanning 0x9f800 to 0x9fbf0 for MP signature
mainbus0: scanning 0xf0000 to 0xffff0 for MP signature
mainbus0: MP floating pointer found in bios at 0xf5c80
mainbus0: MP fps invalid: no default config and no configuration table
ACPI Exception (tbrsdt-0358): AE_LIMIT, Could not get the RSDT/XSDT [20060217]
ACPI Exception (tbxface-0182): AE_LIMIT, Could not load RSDT [20060217]
ACPI Exception (tbxface-0211): AE_LIMIT, Could not load tables [20060217]
ACPI: unable to load tables: AE_LIMIT
cpu0 at mainbus0: (uniprocessor)
hypervisor0 at mainbus0
vcpu0 at hypervisor0: (uniprocessor)
[...]


Someone please review and commit this patch.


Christoph


On Thursday 06 September 2007 10:25:31 Christoph Egger wrote:
> Hi!
>
> AcpiTbGetThisTable() calls acpi_md_OsMapMemory() with a
> size value (= f000e816) that can't be right. I don't know where it comes
> from. It leads to an "overflow" panic in x86_mem_add_mapping().
>
> This is the output:
>
> (The lines starting with "x86_mem_add_mapping: " come from additional
> debug printfs I added. Two lines belong to one call.)
>
>
> (XEN) Xen-e820 RAM map:
> (XEN)  0000000000000000 - 000000000009f000 (usable)
> (XEN)  000000000009fc00 - 00000000000a0000 (reserved)
> (XEN)  00000000000f0000 - 0000000000100000 (reserved)
> (XEN)  0000000000100000 - 000000003fff0000 (usable)
> (XEN)  000000003fff0000 - 000000003fff3000 (ACPI NVS)
> (XEN)  000000003fff3000 - 0000000040000000 (ACPI data)
> (XEN)  00000000fec00000 - 00000000fec01000 (reserved)
> (XEN)  00000000fee00000 - 00000000fee01000 (reserved)
> (XEN)  00000000ffff0000 - 0000000100000000 (reserved)
> (XEN) System RAM: 1023MB (1048124kB)
> (XEN) ACPI: RSDP (v000 AMD-K8                                ) @ 0x000f7880
> (XEN) ACPI: RSDT (v001 AMD-K8 AWRDACPI 0x42302e31 AMD  0x00000001) @ 0x3fff3000
> (XEN) ACPI: FADT (v001 AMD-K8 AWRDACPI 0x42302e31 AMD  0x00000001) @ 0x3fff3040
> (XEN) ACPI: SSDT (v001 AMD-K8 100Dummy 0x42302e31 AMD  0x00000001) @ 0x3fff7500
> (XEN) ACPI: MADT (v001 AMD-K8 AWRDACPI 0x42302e31 AMD  0x00000001) @ 0x3fff7480
> (XEN) ACPI: DSDT (v001 AMD-K8 AWRDACPI 0x00001000 MSFT 0x0100000c) @ 0x00000000
> (XEN) NUMA turned off
> (XEN) Faking a node at 0000000000000000-000000003fff0000
> (XEN) Xen heap: 9MB (10200kB)
> (XEN) Domain heap initialised: DMA width 32 bits
> (XEN) PAE disabled.
> (XEN) found SMP MP-table at 000f5c80
> (XEN) DMI not present.
> (XEN) Using APIC driver default
> (XEN) ACPI: PM-Timer IO Port: 0x5008
> (XEN) ACPI: ACPI SLEEP INFO: pm1x_cnt[5004,0], pm1x_evt[5000,0]
> (XEN) ACPI:                  wakeup_vec[3fff000c], vec_size[20]
> (XEN) ACPI: Local APIC address 0xfee00000
> (XEN) ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)
> (XEN) Processor #0 15:4 APIC version 16
> (XEN) ACPI: LAPIC_NMI (acpi_id[0x00] high edge lint[0x1])
> (XEN) ACPI: IOAPIC (id[0x02] address[0xfec00000] gsi_base[0])
> (XEN) IOAPIC[0]: apic_id 2, version 17, address 0xfec00000, GSI 0-23
> (XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 high dfl)
> (XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 low level)
> (XEN) ACPI: IRQ0 used by override.
> (XEN) ACPI: IRQ2 used by override.
> (XEN) ACPI: IRQ9 used by override.
> (XEN) Enabling APIC mode:  Flat.  Using 1 I/O APICs
> (XEN) ACPI: HPET id: 0x102282a0 base: 0xf0000000
> (XEN) Using ACPI (MADT) for SMP configuration information
> [...]
> Loaded initial symtab at 0xc09e31b8, strtab at 0xc0a4475c, # entries 23434
> Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
>     2006, 2007
>     The NetBSD Foundation, Inc.  All rights reserved.
> Copyright (c) 1982, 1986, 1989, 1991, 1993
>     The Regents of the University of California.  All rights reserved.
>
> NetBSD 4.99.30 (XEN3_DOM0) #126: Thu Sep  6 10:09:03 UTC 2007
>         root@tulln:/usr/src/sys/arch/i386/compile/XEN3_DOM0
> total memory = 512 MB
> avail memory = 490 MB
> timecounter: Timecounters tick every 10.000 msec
> BIOS32 rev. 0 found at 0xfb3f0
> mainbus0 (root)
> mainbus0: scanning 0x9fc00 to 0x9fff0 for MP signature
> mainbus0: scanning 0x9f800 to 0x9fbf0 for MP signature
> mainbus0: scanning 0xf0000 to 0xffff0 for MP signature
> mainbus0: MP floating pointer found in bios at 0xf5c80
> mainbus0: MP fps invalid: no default config and no configuration table
> x86_mem_add_mapping: bpa 40e, size 2, bpa + size 410
> x86_mem_add_mapping: pa 0, endpa 1000
> x86_mem_add_mapping: bpa 9fc00, size 400, bpa + size a0000
> x86_mem_add_mapping: pa 9f000, endpa a0000
> x86_mem_add_mapping: bpa e0000, size 20000, bpa + size 100000
> x86_mem_add_mapping: pa e0000, endpa 100000
> x86_mem_add_mapping: bpa f7880, size 24, bpa + size f78a4
> x86_mem_add_mapping: pa f7000, endpa f8000
> x86_mem_add_mapping: bpa 3fff3000, size 24, bpa + size 3fff3024
> x86_mem_add_mapping: pa 3fff3000, endpa 3fff4000
> x86_mem_add_mapping: bpa 3fff3000, size f000e816, bpa + size 30001816
> x86_mem_add_mapping: pa 3fff3000, endpa 30002000
> panic: x86_mem_add_mapping: overflow
> Stopped in pid 0.1 (system) at  netbsd:cpu_Debugger+0x4:        popl    %ebp
> db> bt
> cpu_Debugger(c08b470a,c0b2b934,c0b2b928,c047936b,d) at netbsd:cpu_Debugger+0x4
> panic(c089ab97,c074d0f4,3fff3000,30002000,30001816) at netbsd:panic+0x155
> x86_mem_add_mapping(3fff3000,f000e816,0,c0b2b9d8,c0b2b9d8) at netbsd:x86_mem_add_mapping+0x29a
> acpi_md_OsMapMemory(3fff3000,0,f000e816,c0b2b9d8,c0688e95) at netbsd:acpi_md_OsMapMemory+0x2d
> AcpiTbGetThisTable(c0b2ba58,c0b2ba18,24,c0b2ba18,9) at netbsd:AcpiTbGetThisTable+0xf6
> AcpiTbGetTableBody(c0b2bad4,c0b2ba58,c0b2baac,c06a5dec,9) at netbsd:AcpiTbGetTableBody+0xb3
> AcpiTbGetTable(c0b2bad4,c0b2baac,c0b2bae8,c06a2724,0) at netbsd:AcpiTbGetTable+0x49
> AcpiTbGetTableRsdt(c0b2bb04,c0b2bb04,c0b2bb18,c06a6dc5,d) at netbsd:AcpiTbGetTableRsdt+0x26
> AcpiLoadTables(c09e1de4,3,0,c1472f80,c1472f80) at netbsd:AcpiLoadTables+0x8b
> acpi_probe(c1472f80,d,c0b2bb88,c04797dc,d) at netbsd:acpi_probe+0x68
> mainbus_attach(0,c1472f80,0,c046bb5e,c08771d6) at netbsd:mainbus_attach+0x89
> config_attach_loc(0,c091e740,0,0,0) at netbsd:config_attach_loc+0x156
> config_attach(0,c091e740,0,0,c09d2120) at netbsd:config_attach+0x2c
> config_rootfound(c08771d6,0,c0b2bc28,c046d3b3,c09a8164) at netbsd:config_rootfound+0x44
> cpu_configure(c09a8164,2,0,c09d2120,b28000) at netbsd:cpu_configure+0x26
> configure(c096daa0,2,0,c0b2bc4c,c051a619) at netbsd:configure+0x33
> main(c01001df,c01001e7,0,0,0) at netbsd:main+0x16f
> db>



Attachment: acpica_tbget.diff

Index: tbget.c
===================================================================
RCS file: /cvsroot/src/sys/dist/acpica/tbget.c,v
retrieving revision 1.1
diff -u -p -r1.1 tbget.c
--- tbget.c	23 Mar 2006 13:36:31 -0000	1.1
+++ tbget.c	6 Sep 2007 09:42:11 -0000
@@ -251,6 +251,12 @@ AcpiTbGetTableHeader (
 
         ACPI_MEMCPY (ReturnHeader, Header, sizeof (ACPI_TABLE_HEADER));
         AcpiOsUnmapMemory (Header, sizeof (ACPI_TABLE_HEADER));
+
+        if (Address->Pointer.Physical <=
+	    (Address->Pointer.Physical + ReturnHeader->Length))
+        {
+            return_ACPI_STATUS (AE_LIMIT);
+        }
         break;
 
 
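Review bot: the comparison in the added `if` is inverted. `Address->Pointer.Physical <= (Address->Pointer.Physical + ReturnHeader->Length)` holds for every header whose length does not wrap the address, so a well-formed table is what gets AE_LIMIT. The boot log in the mail does not exercise that case, since the first table read is the one with the bad length. A wrap test needs `>`, and it only fires when the sum is computed in a type narrow enough to overflow, so it is more robust to bound the value directly: reject `ReturnHeader->Length < sizeof (ACPI_TABLE_HEADER)` and any length larger than the region the table can occupy. The continuation line of the condition is also indented with a tab where the surrounding code uses spaces.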

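The sanity check discussed in this thread, written out as an added example (not code from the mail, ACPICA or NetBSD): it validates an untrusted table length against the header size, address wraparound and the firmware-reported ACPI ranges, using the addresses and the bogus length from the log above. `check_table_range`, `phys_range` and the status names are hypothetical, and treating the e820 ACPI ranges as the allowed window is an assumption.

```c
/* Added example; every name below is hypothetical, not ACPICA or NetBSD code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ACPI_HEADER_SIZE 0x24u  /* header size seen in the log ("size 24") */

struct phys_range { uint64_t start, end; };  /* half-open: [start, end) */

enum tbl_status { TBL_OK, TBL_TOO_SHORT, TBL_WRAPS, TBL_OUTSIDE_MAP };

/* ACPI ranges copied from the Xen e820 map quoted in the mail; using them
 * as the allowed window for tables is an assumption of this example. */
static const struct phys_range acpi_ranges[] = {
    { 0x3fff0000u, 0x3fff3000u },  /* ACPI NVS  */
    { 0x3fff3000u, 0x40000000u },  /* ACPI data */
};
#define N_ACPI_RANGES (sizeof acpi_ranges / sizeof acpi_ranges[0])

/* addr_max is the highest physical address the mapper can express:
 * UINT32_MAX for 32-bit physical addresses, UINT64_MAX for 64-bit ones. */
enum tbl_status check_table_range(uint64_t base, uint32_t length,
                                  uint64_t addr_max)
{
    if (length < ACPI_HEADER_SIZE)
        return TBL_TOO_SHORT;               /* cannot even hold a header */
    if (base > addr_max || (uint64_t)length - 1 > addr_max - base)
        return TBL_WRAPS;                   /* last byte lies past addr_max */
    uint64_t last = base + (length - 1);    /* safe: bounded by the test above */
    for (size_t i = 0; i < N_ACPI_RANGES; i++)
        if (base >= acpi_ranges[i].start && last < acpi_ranges[i].end)
            return TBL_OK;
    return TBL_OUTSIDE_MAP;                 /* no wrap, but not ACPI memory */
}

int main(void)
{
    /* RSDT address and bogus Length taken from the panic output in the mail. */
    printf("header only, 32-bit:   %d\n",
           check_table_range(0x3fff3000u, 0x24u, UINT32_MAX));
    printf("bogus length, 32-bit:  %d\n",
           check_table_range(0x3fff3000u, 0xf000e816u, UINT32_MAX));
    printf("bogus length, 64-bit:  %d\n",
           check_table_range(0x3fff3000u, 0xf000e816u, UINT64_MAX));
    return 0;
}
```

With 64-bit addresses the bogus length no longer wraps, so only the containment test rejects it.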