BUG_ON() when re-using RPC buffer to tee-supplicant #40

jforissier · 2016-01-12T12:56:08Z

In the code I am working on, data are sent in a loop to tee-supplicant. Two buffers are allocated using thread_optee_rpc_alloc_payload() (one for the request, one for the response) [here]. Then thread_rpc_cmd() is called several times [here], and finally the buffers are freed by thread_optee_rpc_free_payload() [here].

This code causes a kernel crash as thread_rpc_cmd() is called for the second time.

DBG TEE-CORE:tee_rpmb_write:1283: len 1040, block address 505, block count 5, byte offset 0
FLW TEE-CORE:tee_rpmb_write:1291: Branch 2
FLW TEE-CORE:tee_rpmb_read:1091: tee_rpmb_alloc returned 0x0
DBG TEE-CORE:tee_rpmb_read:1111: BLOCK READ 5 blocks at index 505
FLW TEE-CORE:tee_rpmb_resp_unpack_verify:742: tee_rpmb_data_cpy_mac_calc res=0x0
FLW TEE-CORE:tee_rpmb_read:1140: 0x0,0
DBG TEE-CORE:tee_rpmb_write:1301: tee_rpmb_read returned 0x0
DBG TEE-CORE:tee_rpmb_write_blk:1223: BLOCK WRITE 1 block at index 505
DBG TEE-CORE:tee_rpmb_write_blk:1223: BLOCK WRITE 1 block at index 506
misc opteearmtz00: Can't find shm for 000000003ef0a000
------------[ cut here ]------------
kernel BUG at ../optee_linuxdriver/core/tee_supp_com.c:221!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in: optee_armtz(O) optee(O)
CPU: 2 PID: 772 Comm: tee-supplicant Tainted: G           O    4.3.0 #115
[...]

There is no crash if the allocation and deallocation are moved inside the loop (see this commit).
Test environment: HiKey, project hikey_optee branch rpmbdev.

Please also note that the bug is not reproducible with the "generic driver".

The text was updated successfully, but these errors were encountered:

ghost · 2016-04-01T08:26:02Z

@jforissier Could you check the status of this issue with the new driver?

Allocate shared memory buffers once for the write loop instead of repeatedly allocating and freeing them. The previous code was needed due to a bug/limitation in optee_linudriver [1]. Now that we are using the "generic driver", the code can be optimized. [1] OP-TEE/optee_linuxdriver#40 Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)

jforissier · 2016-04-11T09:46:19Z

@pascal-brand-st still OK with new driver: https://github.com/linaro-swg/linux/tree/optee_v9

Allocate shared memory buffers once for the write loop instead of repeatedly allocating and freeing them. The previous code was needed due to a bug/limitation in optee_linudriver [1]. Now that we are using the "generic driver", the code can be optimized. [1] OP-TEE/optee_linuxdriver#40 Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey) Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Pascal Brand <pascal.brand@linaro.org>

ghost · 2016-04-21T14:05:22Z

Will not fix as https://github.com/OP-TEE/optee_linuxdriver is deprecated. The generic driver is now used (cf. https://github.com/OP-TEE/optee_os/blob/master/CHANGELOG.md#op-tee---version-200)

jforissier mentioned this issue Apr 11, 2016

RPMB: tee_rpmb_write_blk(): allocate buffers once OP-TEE/optee_os#739

Closed

ghost closed this as completed Apr 21, 2016

This issue was closed.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

BUG_ON() when re-using RPC buffer to tee-supplicant #40

BUG_ON() when re-using RPC buffer to tee-supplicant #40

jforissier commented Jan 12, 2016

ghost commented Apr 1, 2016

jforissier commented Apr 11, 2016

ghost commented Apr 21, 2016

BUG_ON() when re-using RPC buffer to tee-supplicant #40

BUG_ON() when re-using RPC buffer to tee-supplicant #40

Comments

jforissier commented Jan 12, 2016

ghost commented Apr 1, 2016

jforissier commented Apr 11, 2016

ghost commented Apr 21, 2016