BUG_ON() when re-using RPC buffer to tee-supplicant

[jforissier]

In the code I am working on, data are sent in a loop to tee-supplicant. Two buffers are allocated using thread_optee_rpc_alloc_payload() (one for the request, one for the response) [here]. Then thread_rpc_cmd() is called several times [here], and finally the buffers are freed by thread_optee_rpc_free_payload() [here].

This code causes a kernel crash as thread_rpc_cmd() is called for the second time.

DBG TEE-CORE:tee_rpmb_write:1283: len 1040, block address 505, block count 5, byte offset 0
FLW TEE-CORE:tee_rpmb_write:1291: Branch 2
FLW TEE-CORE:tee_rpmb_read:1091: tee_rpmb_alloc returned 0x0
DBG TEE-CORE:tee_rpmb_read:1111: BLOCK READ 5 blocks at index 505
FLW TEE-CORE:tee_rpmb_resp_unpack_verify:742: tee_rpmb_data_cpy_mac_calc res=0x0
FLW TEE-CORE:tee_rpmb_read:1140: 0x0,0
DBG TEE-CORE:tee_rpmb_write:1301: tee_rpmb_read returned 0x0
DBG TEE-CORE:tee_rpmb_write_blk:1223: BLOCK WRITE 1 block at index 505
DBG TEE-CORE:tee_rpmb_write_blk:1223: BLOCK WRITE 1 block at index 506
misc opteearmtz00: Can't find shm for 000000003ef0a000
------------[ cut here ]------------
kernel BUG at ../optee_linuxdriver/core/tee_supp_com.c:221!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in: optee_armtz(O) optee(O)
CPU: 2 PID: 772 Comm: tee-supplicant Tainted: G           O    4.3.0 #115
[...]

There is no crash if the allocation and deallocation are moved inside the loop (see this commit). Test environment: HiKey, project hikey_optee branch rpmbdev.

Please also note that the bug is not reproducible with the "generic driver".

[ghost]

@jforissier Could you check the status of this issue with the new driver?

[jforissier]

@pascal-brand-st still OK with new driver: https://github.com/linaro-swg/linux/tree/optee_v9

[ghost]

Will not fix as https://github.com/OP-TEE/optee_linuxdriver is deprecated. The generic driver is now used (cf. https://github.com/OP-TEE/optee_os/blob/master/CHANGELOG.md#op-tee---version-200)