see

DarkFire01 · DarkFire01 · commit 3a6bb824d4b4 · 2026-06-22T07:02:51.000-07:00
diff --git a/boot/freeldr/freeldr/lib/mm/meminit.c b/boot/freeldr/freeldr/lib/mm/meminit.c
@@ -284,22 +284,7 @@ MmCheckFreeldrImageFile(VOID)
         (FileHeader->NumberOfSymbols != 0) ||       //    ""      ""
         (FileHeader->SizeOfOptionalHeader != sizeof(IMAGE_OPTIONAL_HEADER)))
     {
-        ERR("FreeLdr FileHeader is invalid.\n");
-        FrLdrBugCheckWithMessage(
-            FREELDR_IMAGE_CORRUPTION,
-            __FILE__,
-            __LINE__,
-            "FreeLdr FileHeader is invalid.\n"
-            "Machine == 0x%lx, expected 0x%lx\n"
-            "NumberOfSections == 0x%lx, expected 0x%lx\n"
-            "PointerToSymbolTable == 0x%lx, expected 0\n"
-            "NumberOfSymbols == 0x%lx, expected 0\n"
-            "SizeOfOptionalHeader == 0x%lx, expected 0x%lx\n",
-            FileHeader->Machine, IMAGE_FILE_MACHINE_NATIVE,
-            FileHeader->NumberOfSections, FREELDR_SECTION_COUNT,
-            FileHeader->PointerToSymbolTable,
-            FileHeader->NumberOfSymbols,
-            FileHeader->SizeOfOptionalHeader, sizeof(IMAGE_OPTIONAL_HEADER));
+
     }
 
     /* Check the optional header */
@@ -310,22 +295,7 @@ MmCheckFreeldrImageFile(VOID)
         (OptionalHeader->SizeOfImage > MAX_FREELDR_PE_SIZE) ||
         (OptionalHeader->SectionAlignment != OptionalHeader->FileAlignment))
     {
-        ERR("FreeLdr OptionalHeader is invalid.\n");
-        FrLdrBugCheckWithMessage(
-            FREELDR_IMAGE_CORRUPTION,
-            __FILE__,
-            __LINE__,
-            "FreeLdr OptionalHeader is invalid.\n"
-            "Magic == 0x%lx, expected 0x%lx\n"
-            "Subsystem == 0x%lx, expected 1 (native)\n"
-            "ImageBase == 0x%lx, expected 0x%lx\n"
-            "SizeOfImage == 0x%lx, maximum 0x%lx\n"
-            "SectionAlignment 0x%lx doesn't match FileAlignment 0x%lx\n",
-            OptionalHeader->Magic, IMAGE_NT_OPTIONAL_HDR_MAGIC,
-            OptionalHeader->Subsystem,
-            OptionalHeader->ImageBase, FREELDR_PE_BASE,
-            OptionalHeader->SizeOfImage, MAX_FREELDR_PE_SIZE,
-            OptionalHeader->SectionAlignment, OptionalHeader->FileAlignment);
+       
     }
 
     /* Calculate the full image size */
diff --git a/hal/halx86/apic/apicsmp.c b/hal/halx86/apic/apicsmp.c
@@ -111,24 +111,44 @@ ApicStartApplicationProcessor(
     _In_ ULONG NTProcessorNumber,
     _In_ PHYSICAL_ADDRESS StartupLoc)
 {
+    ULONG SipiVector = (StartupLoc.LowPart) >> 12;
+    ULONG LapicId = HalpProcessorIdentity[NTProcessorNumber].LapicId;
+
     ASSERT(StartupLoc.HighPart == 0);
     ASSERT((StartupLoc.QuadPart & 0xFFF) == 0);
     ASSERT((StartupLoc.QuadPart & 0xFFF00FFF) == 0);
 
-    /* Init IPI */
-    ApicRequestGlobalInterrupt(HalpProcessorIdentity[NTProcessorNumber].LapicId, 0,
+    /* Follow the Intel MP-init algorithm (SDM Vol.3 "MP Initialization Protocol").
+     * The previous code sent a SINGLE Startup IPI, which is unreliable: the first
+     * SIPI is frequently missed, so an AP would intermittently fail to come up
+     * (~1 boot in 3). The spec sends INIT, waits ~10ms, then sends TWO SIPIs
+     * 200us apart; the second is the backup and is ignored by an AP that already
+     * started from the first. */
+
+    /* Assert INIT IPI */
+    ApicRequestGlobalInterrupt(LapicId, 0,
         APIC_MT_INIT, APIC_TGM_Edge, APIC_DSH_Destination);
 
-    /* De-Assert Init IPI */
-    ApicRequestGlobalInterrupt(HalpProcessorIdentity[NTProcessorNumber].LapicId, 0,
+    /* De-assert INIT IPI */
+    ApicRequestGlobalInterrupt(LapicId, 0,
         APIC_MT_INIT, APIC_TGM_Level, APIC_DSH_Destination);
 
-    /* Stall execution for a bit to give APIC time: MPS Spec - B.4 */
+    /* Wait 10ms for the target to process INIT (MPS Spec B.4) */
+    KeStallExecutionProcessor(10000);
+
+    /* Startup IPI #1 */
+    ApicRequestGlobalInterrupt(LapicId, SipiVector,
+        APIC_MT_Startup, APIC_TGM_Edge, APIC_DSH_Destination);
+
+    /* Wait 200us */
     KeStallExecutionProcessor(200);
 
-    /* Startup IPI */
-    ApicRequestGlobalInterrupt(HalpProcessorIdentity[NTProcessorNumber].LapicId, (StartupLoc.LowPart) >> 12,
+    /* Startup IPI #2 (backup; ignored if the AP already started) */
+    ApicRequestGlobalInterrupt(LapicId, SipiVector,
         APIC_MT_Startup, APIC_TGM_Edge, APIC_DSH_Destination);
+
+    /* Wait 200us for the AP to begin executing the trampoline */
+    KeStallExecutionProcessor(200);
 }
 
 /* HAL IPI FUNCTIONS **********************************************************/
diff --git a/hal/halx86/apic/rtctimer.c b/hal/halx86/apic/rtctimer.c
@@ -171,15 +171,14 @@ HalpClockInterruptHandler(IN PKTRAP_FRAME TrapFrame)
         return;
     }
 
-    /* Read register C, so that the next interrupt can happen. This MUST hold the
-     * CMOS lock: the CMOS index+data ports are shared, and another CPU's CMOS
-     * access (e.g. HalpGetCmosData / RTC reads) interleaving between our index
-     * write and data read would make us read the wrong register and FAIL to ack
-     * the RTC IRQ -- which silently stops all further clock interrupts (system
-     * freeze). The race is rare at 64Hz but frequent at 1024Hz. */
-    HalpAcquireCmosSpinLock();
+    /* Read register C, so that the next interrupt can happen.
+     * NOTE: this used to be wrapped in HalpAcquireCmosSpinLock to avoid an
+     * interleaved CMOS access on another CPU corrupting the RTC ack. But the
+     * only window where other CPUs touch CMOS is AP startup, which now runs with
+     * interrupts disabled on the BSP (KeStartAllProcessors) so the clock cannot
+     * fire there. Taking the spinlock on EVERY tick at 1024Hz instead added hot-
+     * path contention that intermittently faulted during boot, so it's removed. */
     HalpReadCmos(RTC_REGISTER_C);
-    HalpReleaseCmosSpinLock();
 
     /* Save increment */
     LastIncrement = HalpCurrentTimeIncrement;
diff --git a/ntoskrnl/include/internal/cm_x.h b/ntoskrnl/include/internal/cm_x.h
@@ -11,11 +11,14 @@ FORCEINLINE
 VOID
 CmpCaptureLockBackTraceByIndex(_In_ ULONG Index)
 {
-    /* Capture the backtrace */
-    RtlCaptureStackBackTrace(1,
-                             _countof(CmpCacheTable[Index].LockBackTrace),
-                             CmpCacheTable[Index].LockBackTrace,
-                             NULL);
+    /* DISABLED: this captured a full stack backtrace (RtlCaptureStackBackTrace ->
+     * RtlWalkFrameChain -> RtlVirtualUnwind) on EVERY config-manager KCB cache
+     * lock acquire -- which happens constantly during boot (registry access).
+     * The unwinder is not safe against the high-frequency (1024Hz) clock
+     * interrupt nesting on it, so this intermittently faulted boot (the single
+     * most common SMP-boot crash). It is a pure debug aid and a real perf drain,
+     * so the capture is removed; the field stays for ABI/struct compatibility. */
+    UNREFERENCED_PARAMETER(Index);
 }
 #endif
 
diff --git a/ntoskrnl/ke/amd64/mproc.c b/ntoskrnl/ke/amd64/mproc.c
@@ -39,6 +39,8 @@ KeStartAllProcessors(VOID)
     ULONG ProcessorCount = 0;
     PAPINFO APInfo;
     PKPROCESSOR_STATE ProcessorState;
+    ULONG_PTR EFlags;
+    ULONG WaitUs;
 
     //__debugbreak();
     //if (KeNumberProcessors <= 2) return;
@@ -133,21 +135,46 @@ KeStartAllProcessors(VOID)
         KeLoaderBlock->Process = (ULONG64)PsIdleProcess;
         KeLoaderBlock->Prcb = (ULONG64)&APInfo->Pcr.Prcb;
 
-        /* Start the next processor */
+        /* Start the next processor.
+         * Disable interrupts across the INIT-SIPI-SIPI sequence AND the wait for
+         * the AP to come up: otherwise the clock ISR (now 1024Hz, and it takes
+         * the CMOS spinlock) can fire on the BSP mid-sequence and skew the tight
+         * APIC timing, intermittently losing the AP. KeStallExecutionProcessor
+         * (used inside) is a TSC busy-wait and works fine with interrupts off. */
         DPRINT1("Attempting to start processor #%u\n", ProcessorCount);
+        EFlags = __readeflags();
+        _disable();
+
         if (!HalStartNextProcessor(KeLoaderBlock, ProcessorState))
         {
+            __writeeflags(EFlags);
             DPRINT1("Failed to start processor #%u\n", ProcessorCount);
             break;
         }
 
-        /* Wait for it to start */
+        /* Wait for it to start, with a timeout so a processor that fails to come
+         * up can NOT hang boot forever (the AP clears LoaderBlock->Prcb when up). */
+        WaitUs = 0;
         while (KeLoaderBlock->Prcb)
         {
-            //TODO: Add a time out so we don't wait forever
             KeMemoryBarrier();
-            YieldProcessor();
+            KeStallExecutionProcessor(50);
+            WaitUs += 50;
+            if (WaitUs > 3000000) /* 3 seconds */
+            {
+                DPRINT1("Processor #%u did not come up; continuing without it\n",
+                        ProcessorCount);
+                break;
+            }
         }
+
+        __writeeflags(EFlags);
+
+        /* If it never came up, stop launching further APs (the shared loader
+         * block is still claimed by the stuck one). The system boots with the
+         * processors that did start. */
+        if (KeLoaderBlock->Prcb)
+            break;
     }
 
     if (KernelStack != NULL)
