crash while accessing SPI device

[deepakmnvl]

ISSUE DETAILS UPDATED :
Hi ,
My current stack is AOSP8+OPTEE
https://github.com/linaro-swg/optee_android_manifest/tree/lcr-ref-hikey-o

I am accessing my SPI device through OPTEE (psedu TA mechanism)
normal world bin->user TA->pseudo TA
my project details are : #1461

Coming to the issue :
In pseudo TA code,
when I have local buffer as 1024*2 , everything is working fine
when I increase buffer to 1024*3 , I am getting below crash

F/TC:0 trace_syscall:128 syscall #7 (syscall_invoke_ta_command)
D/TC:0 invoke_command:434 has been called
D/TC:0 spi_cs_callback:159 pl022 done - set CS!
E/TC:0 Dead canary at end of 'stack_abt[7]'
E/TC:0 Panic at core/arch/arm/kernel/thread.c:206 <thread_check_canaries>
E/TC:0 Call stack:
E/TC:0  0x000000003f00ffec
[   51.250520] type=1400 audit(36.779:91): avc: denied { create } for pid=2786 comm="main" name="cgroup.procs" scontext=u:r:zygote:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=0
[   51.267148] type=1400 audit(56.115:92): avc: denied { create } for pid=2811 comm="main" name="cgroup.procs" scontext=u:r:zygote:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=0
[   72.701681] NMI watchdog: BUG: soft lockup - CPU#5 stuck for 22s! [kworker/u16:1:57]
[   72.709443] Modules linked in: vfsspidrv(O)
[   72.713645]
[   72.715140] CPU: 5 PID: 57 Comm: kworker/u16:1 Tainted: G           O    4.9.81-04720-g7d75b86-dirty #2
[   72.724531] Hardware name: HiKey Development Board (DT)
[   72.729769] Workqueue: memcg_kmem_cache_create memcg_kmem_cache_create_func
[   72.736738] task: ffffffc0750c1080 task.stack: ffffffc0750dc000
[   72.742664] PC is at smp_call_function_many+0x274/0x2d8
[   72.747889] LR is at smp_call_function_many+0x234/0x2d8
[   72.753113] pc : [<ffffff800816a594>] lr : [<ffffff800816a554>] pstate: 80400145
[   72.760508] sp : ffffffc0750dfae0

crash is occurring in :

synaspi_write(
    uint32_t nParamTypes,
    TEE_Param pParams[TEE_NUM_PARAMS])
{
    TEE_Result  res                     = TEE_SUCCESS;
    //unsigned  int t = 0;

    uint8_t     tx[DEFAULT_BUFFER_SIZE] = {0}; 
    uint8_t     rx[DEFAULT_BUFFER_SIZE] = {0};
    size_t      num_txpkts              = 0;

    uint32_t    exp_param_types         = TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INOUT,
                    TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE);

    DMSG("has been called");

    if (nParamTypes != exp_param_types)
    {
        DMSG("nParamTypes mismatch \n");
        res = TEE_ERROR_BAD_PARAMETERS;
    }

    num_txpkts=pParams[0].memref.size;
    memcpy(tx, pParams[0].memref.buffer, num_txpkts);
    DMSG("vals 0x%x  %d", (tx[0]) , (uint8_t)num_txpkts);
    pl022_flush_fifo(&platform_pl022_data);
    spi_cs_callback(GPIO_LEVEL_LOW);
    platform_pl022_data.chip.ops->txrx8(&platform_pl022_data.chip,tx, rx, num_txpkts);
    spi_cs_callback(GPIO_LEVEL_HIGH);
    return res;
}

If I comment out " platform_pl022_data.chip.ops->txrx8" call , there's no crash

Do I need to make buffer allocations in any other place too
Any help is appreciated

Thanks

[vchong]

Asked @jenswi-linaro about this. You may be out of stack memory. Try increasing STACK_THREAD_SIZE in core/arch/arm/kernel/thread.c. Note that this is not just for the PTA but affects all threads, and there's probably not a lot of memory to spare for big arrays/buffers.

[github-actions]

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.