fix: plug memory map leak, save sp_el0, dynamic UART, kill loop

- Bootloader: reallocate memory map buffer when ExitBootServices fails,
  so GetMemoryMap doesn't scribble past the old allocation on retry.
- vectors.S: actually store sp_el0 into the exception frame. Previously
  it was read into x24 and then… vanished. EL0 tasks would wake up with
  a corrupted stack pointer. Not great.
- Serial: split hardcoded 0x09000000 into a fallback default; add
  SerialUpdate() so the DTB-parsed UART address actually gets used.
- DTB: add bounds check on reserved[] with PMM's 3 extra slots accounted
  for, so malformed/overstuffed DTBs don't silently corrupt memory.
- PMM.h: bump kVMMaxReservedRegions 128→256, define kPMMReservedRegionCount.
- Types.h: remove `#define loop while(1)`. while(true) is fine.
- Rename IOSerial* → Serial* — the IO prefix was redundant, Serial.c
  already lives under IO/.

Bootloader/Source/main.c

@@ -192,6 +192,7 @@ static efi_status_t populate_memory_map(Bootinfo* boot_info) {
     while (1) {
         status = gBS->GetMemoryMap(&map_size, map, &map_key, &descriptor_size, &descriptor_version);
         if (EFI_ERROR(status)) {
+            gBS->FreePool(map);
             return status;
         }
 
@@ -206,7 +207,12 @@ static efi_status_t populate_memory_map(Bootinfo* boot_info) {
             return EFI_SUCCESS;
         }
 
+        gBS->FreePool(map);
         map_size += 2 * descriptor_size;
+        status = gBS->AllocatePool(EfiLoaderData, map_size, (void**)&map);
+        if (EFI_ERROR(status)) {
+            return status;
+        }
     }
 }