
Re: [Qemu-devel] QEMU TCG issue when executing UEFI
From: Peter Maydell
Subject: Re: [Qemu-devel] QEMU TCG issue when executing UEFI
Date: Thu, 18 Aug 2016 15:10:37 +0100

On 16 August 2016 at 13:08, Ard Biesheuvel <address@hidden> wrote:
> Bad ram pointer 0x54
> Aborted (core dumped)

So the reason this happens is that get_page_addr_code() doesn't
correctly handle the case of the memory region being a
ROM that's not in ROMD mode. That is, the flash memory can
be either in "reads map directly to guest memory" (normal)
mode or "reads are MMIO to a device" (ROMD) mode. QEMU
can't execute from devices, so the best case here would
be that we print the "Sorry, we can't execute from a device"
message and stop execution.

Treating the flash device's "return the current status"
bytes as code probably wasn't what you wanted to do anyway :-)

In more detail: when we call get_page_addr_code() for this
address, we notice that there is no TLB entry for it, and
so we call cpu_ldub_code() which is supposed to fill the TLB.
This ends up calling tlb_set_page_with_attrs(), which for a
not-RAM-not-ROMD MR will set the addend to 0 and then OR
TLB_MMIO into the address field (rather than setting the
addend to the right offset to get between the guest
address and the host RAM address). get_page_addr_code()
unfortunately then uses a different condition when it
distinguishes "is this an IO address we can't handle"
from "is this RAM", which means it takes the path for
"treat the addend as the offset between guest and host",
resulting in a completely bogus host address.

thanks
-- PMM
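The mechanism Peter describes, a TLB filler that marks non-RAM, non-ROMD pages with a flag and a code-fetch path that tests a different predicate, is easy to model. The block below is an added illustration written for this page; it is not QEMU's code and not from the mail. All names (`TlbEntry`, `MemoryRegion`, `mr_kind`, the `TLB_MMIO` bit position, the `tlb_set_page` and `get_page_addr_code_*` functions) are assumptions chosen to mirror the description, and the memory regions and addresses are constructed. It shows the reader that checks "is the region unassigned?" falling through to the RAM path for a ROM in MMIO mode, producing a host pointer equal to the raw guest address, beside a reader that tests the same `TLB_MMIO` bit the filler set.

```c
/* Constructed, simplified model of the TLB-fill / code-fetch mismatch
 * described in the mail above. NOT QEMU's code: struct layout, names and
 * constants are assumptions chosen for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TARGET_PAGE_BITS 12
#define TLB_MMIO ((uintptr_t)1 << 5)   /* assumed flag bit in the page-offset bits */

enum mr_kind { MR_RAM, MR_ROM_DIRECT, MR_ROM_MMIO, MR_MMIO_DEVICE, MR_UNASSIGNED };

typedef struct {
    enum mr_kind kind;
    uint8_t *host;        /* host backing for RAM, or ROM in direct-read mode */
} MemoryRegion;

typedef struct {
    uintptr_t addr_code;  /* guest page address with flag bits ORed into low bits */
    uintptr_t addend;     /* host - guest offset, meaningful only for RAM-like pages */
    MemoryRegion *mr;
} TlbEntry;

static int mr_reads_like_ram(const MemoryRegion *mr) {
    return mr->kind == MR_RAM || mr->kind == MR_ROM_DIRECT;
}

/* Model of the filler: for anything that is not RAM and not a ROM in
 * direct-read (ROMD) mode, addend is 0 and TLB_MMIO is ORed into the address. */
static void tlb_set_page(TlbEntry *e, uintptr_t guest_page, MemoryRegion *mr) {
    e->mr = mr;
    if (mr_reads_like_ram(mr)) {
        e->addr_code = guest_page;
        e->addend = (uintptr_t)mr->host - guest_page;
    } else {
        e->addr_code = guest_page | TLB_MMIO;
        e->addend = 0;
    }
}

/* Mismatched reader: decides "can't execute" with a different predicate
 * (is the region unassigned?). A ROM in MMIO mode is assigned, so it falls
 * through and treats an addend of 0 as a real guest-to-host offset. */
static uint8_t *get_page_addr_code_mismatched(const TlbEntry *e, uintptr_t guest_addr) {
    if (e->mr->kind == MR_UNASSIGNED) {
        return NULL;  /* "can't execute from a device" */
    }
    return (uint8_t *)(guest_addr + e->addend);  /* bogus when addend == 0 */
}

/* Consistent reader: tests the same TLB_MMIO bit the filler set. */
static uint8_t *get_page_addr_code_consistent(const TlbEntry *e, uintptr_t guest_addr) {
    if (e->addr_code & TLB_MMIO) {
        return NULL;
    }
    return (uint8_t *)(guest_addr + e->addend);
}

/* Constructed backing stores for the scenarios below. */
static uint8_t rom_backing[1 << TARGET_PAGE_BITS];
static uint8_t ram_backing[1 << TARGET_PAGE_BITS];

/* Flash at guest page 0, switched into MMIO (status-read) mode: the
 * mismatched reader hands back the raw guest address as a host pointer. */
static int mismatched_returns_bogus_pointer(void) {
    MemoryRegion rom = { MR_ROM_MMIO, rom_backing };
    TlbEntry e;
    tlb_set_page(&e, 0x0, &rom);
    return get_page_addr_code_mismatched(&e, 0x54) == (uint8_t *)(uintptr_t)0x54;
}

/* Same page, consistent reader: refuses instead of fabricating a pointer. */
static int consistent_refuses_mmio_rom(void) {
    MemoryRegion rom = { MR_ROM_MMIO, rom_backing };
    TlbEntry e;
    tlb_set_page(&e, 0x0, &rom);
    return get_page_addr_code_consistent(&e, 0x54) == NULL;
}

/* For RAM (and ROM in direct-read mode) both readers agree on the host address. */
static int both_agree_on_ram(void) {
    MemoryRegion ram = { MR_RAM, ram_backing };
    TlbEntry e;
    tlb_set_page(&e, 0x1000, &ram);
    return get_page_addr_code_mismatched(&e, 0x1054) == ram_backing + 0x54
        && get_page_addr_code_consistent(&e, 0x1054) == ram_backing + 0x54;
}

int main(void) {
    printf("mismatched reader returns bogus pointer for MMIO-mode ROM: %d\n",
           mismatched_returns_bogus_pointer());
    printf("consistent reader refuses MMIO-mode ROM: %d\n", consistent_refuses_mmio_rom());
    printf("both readers agree on RAM: %d\n", both_agree_on_ram());
    return 0;
}
```

The point of the model is the invariant: whichever bit the filler uses to say "this page is not directly readable host memory" is the bit the code-fetch path must test before it touches `addend`. Any second predicate that merely approximates that set will eventually diverge from it, and a flash device flipping between direct-read and status-read modes at runtime is exactly the kind of region that lands in the gap.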
