tee-supplicant panic & ta panic

[neil1899]

hi，all：
sometimes when i run the tee-supplicant on Android, it will happen

shell@p200:/ # insmod boot/optee.ko  
[  121.786304@0] 
[  121.786304@0] TEE Core Framework initialization (ver 1:0.1)
shell@p200:/ # insmod boot/op  
optee.ko        optee_armtz.ko  
shell@p200:/ # insmod boot/optee_armtz.ko  
[  125.487853@0] TEE armv7 Driver initialization
[  125.490195@0] tz_tee_probe: name="armv7sec", id=0, pdev_name="armv7sec.0"
[  125.493321@0] TEE core: Alloc the misc device "opteearmtz00" (id=0)
[  125.501229@0] TEE Core: Register the misc device "opteearmtz00" (id=0,minor=46)
shell@p200:/ # tee-supplicant &  
[1] 3900
shell@p200:/ # 
It has hung. there is no any  response

sometimes when i run tee_helloworld.
shell@p200:/ # tee_helloworld  
[   34.148492@0] misc opteearmtz00: tee_session_create_and_open: ERROR ret=0 (err=0xffff000f, org=3,  sessid=0x00000000)
[   34.276094@0] tee_helloworld[3833]: unhandled level 1 translation fault (11) at 0x00000000, esr 0x83000005
[   34.280225@0] pgd = ffffffc019eed000
[   34.283641@0] [00000000] *pgd=0000000000000000
[   34.294093@0] 
[   34.294122@0] CPU: 0 PID: 3833 Comm: tee_helloworld Tainted: G           O 3.14.29-gf020d86 #1
[   34.298978@0] task: ffffffc01333f000 ti: ffffffc019e64000 task.ti: ffffffc019e64000
[   34.306579@0] PC is at 0x0
[   34.309311@0] LR is at 0xf709af1b
[   34.312454@0] pc : [<0000000000000000>] lr : [<00000000f709af1b>] pstate: 000f0010
[   34.320136@0] sp : 00000000ffdb0320
[   34.323402@0] x12: 00000000f70b7644 
[   34.326870@0] x11: 00000000f703fee8 x10: 000000000000013a 
[   34.332306@0] x9 : 0000000000000001 x8 : 00000000ffdb078c 
[   34.337743@0] x7 : 00000000ffdb0600 x6 : 00000000f703ffbc 
[   34.343171@0] x5 : 00000000ffdb03cc x4 : 0000000000000100 
[   34.348613@0] x3 : 00000000ffdb0600 x2 : 0000000000000014 
[   34.354043@0] x1 : 0000000000000000 x0 : 00000000ffdb032c 
[   34.359477@0] 
[   34.361471@3] sh[3214]: unhandled level 2 translation fault (11) at 0x330469db, esr 0x92000006
[   34.369798@3] pgd = ffffffc0151bc000
[   34.373186@3] [330469db] *pgd=0000000015060003, *pmd=0000000000000000
[   34.380284@3] 
[   34.381209@3] CPU: 3 PID: 3214 Comm: sh Tainted: G           O 3.14.29-gf020d86 #1
[   34.388781@3] task: ffffffc021b3a000 ti: ffffffc0151dc000 task.ti: ffffffc0151dc000
[   34.396306@3] PC is at 0x1a70e
[   34.399344@3] LR is at 0x1a6f7
[   34.402337@3] pc : [<000000000001a70e>] lr : [<000000000001a6f7>] pstate: 20010030
[   34.409882@3] sp : 00000000ffb5d618
[   34.413290@3] x12: 0000000000000000 
[   34.416824@3] x11: 000000000057e6fc x10: 0000000000000000 
[   34.422258@3] x9 : 00000000000398bc x8 : 0000000000000002 
[   34.427694@3] x7 : 0000000000000c8e x6 : 00000000000398bc 
[   34.433126@3] x5 : 00000000109b1ad3 x4 : 0000000000037ff4 
[   34.438563@3] x3 : 00000000330469bb x2 : 00000000ffffff78 
[   34.443993@3] x1 : 000000000003ac24 x0 : 00000000000394e4 
[   34.449429@3] 
[   34.451645@0] init: untracked pid 3833 killed by signal 11
Segmentation fault 
139|shell@p200:/ $ [   34.744001@1] GCDaemon[3159]: unhandled level 2 translation fault (11) at 0x0000003c, esr 0x92000006
[   34.747480@1] pgd = ffffffc01deb3000
[   34.751076@1] [0000003c] *pgd=0000000015f72003, *pmd=0000000000000000
[   34.757391@1] 
[   34.759070@1] CPU: 1 PID: 3159 Comm: GCDaemon Tainted: G           O 3.14.29-gf020d86 #1
[   34.767058@1] task: ffffffc015018000 ti: ffffffc015040000 task.ti: ffffffc015040000
[   34.774709@1] PC is at 0xf57cbd3c
[   34.777950@1] LR is at 0xf5808911
[   34.781199@1] pc : [<00000000f57cbd3c>] lr : [<00000000f5808911>] pstate: 200d0030
[   34.788767@1] sp : 00000000f48b6820
[   34.792154@1] x12: 00000000aba54964 
[   34.795686@1] x11: 00000000effc4a4c x10: 00000000abbbbe58 
[   34.801120@1] x9 : 0000000000000000 x8 : 00000000aba54960 
[   34.806553@1] x7 : 00000000f580897d x6 : 00000000f48b69b8 
[   34.811987@1] x5 : 00000000f74f6dd4 x4 : 00000000effc4a38 
[   34.817421@1] x3 : 000000002e802629 x2 : 00000000abbbbe54 
[   34.822855@1] x1 : 00000000f580897d x0 : 0000000000000000 
[   34.828290@1] 
[   35.891108@0] CPU1: shutdown
139|shell@p200:/ $ e[   37.361068@0] CPU3: shutdown
1|shell@p200:/ $ [   53.769711@1] sdcard[3819]: unhandled level 1 translation fault (11) at 0x00020000, esr 0x92000005
[   53.773012@1] pgd = ffffffc011e4d000
[   53.776543@1] [00020000] *pgd=0000000000000000
[   53.780942@1] 
[   53.782586@1] CPU: 1 PID: 3819 Comm: sdcard Tainted: G           O 3.14.29-gf020d86 #1
[   53.790438@1] task: ffffffc011e7e000 ti: ffffffc011970000 task.ti: ffffffc011970000
[   53.798065@1] PC is at 0xf76bfa94
[   53.801297@1] LR is at 0xaaf37673
[   53.804574@1] pc : [<00000000f76bfa94>] lr : [<00000000aaf37673>] pstate: a00f0010
[   53.812088@1] sp : 00000000f7552c00
[   53.815528@1] x12: 00000000f7575038 
[   53.819064@1] x11: 00000000f7554dd0 x10: 00000000f7553d59 
[   53.824497@1] x9 : 00000000f7553d3c x8 : 00000000ff9de638 
[   53.829932@1] x7 : 0000000000000000 x6 : 00000000ffffffff 
[   53.835365@1] x5 : 00000000ab59ab58 x4 : 00000000f7555038 
[   53.840798@1] x3 : 000000006566696e x2 : 00000000616d6c64 
[   53.846232@1] x1 : 0000000000020000 x0 : 00000000f7555040 

what's the reason of this case?

thanks in advance!

[neil1899]

hi,all
when i run the hello world test on the latest version.
i write the shell to test the stability of opteeos such as:

#!/system/xbin/sh
while [ 1 ]
do
tee-supplicant&
tee_helloworld
kill -9 $(pidof tee-supplicant)
sleep 1
done

it always occurs kernel panic:

[  117.547355@0] Unable to handle kernel paging request at virtual address d0c30001b80709ca
[  117.551245@0] pgd = ffffffc01cfdb000
[  117.555710@0] [d0c30001b80709ca] *pgd=0000000000000000
[  117.559808@0] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[  117.565423@0] Modules linked in: optee_armtz(O) optee(O) dwc_otg aml_thermal(O) mali(O)
[  117.573391@0] CPU: 0 PID: 3965 Comm: tee_helloworld Tainted: G           O 3.14.29-gf020d86-dirty #3
[  117.582424@0] task: ffffffc01cf7b000 ti: ffffffc01d5dc000 task.ti: ffffffc01d5dc000
[  117.590076@0] PC is at tee_shm_free+0x40/0x68 [optee]
[  117.595045@0] LR is at tee_shm_free+0x34/0x68 [optee]
[  117.600015@0] pc : [<ffffffbffc0e928c>] lr : [<ffffffbffc0e9280>] pstate: 80000145
[  117.607505@0] sp : ffffffc01d5dfa50
[  117.610957@0] x29: ffffffc01d5dfa50 x28: 0000000000000000 
[  117.616390@0] x27: ffffff8005f00000 x26: 00000000ffff5701 
[  117.621822@0] x25: 0000000032000003 x24: ffffff8005f0100c 
[  117.627254@0] x23: 0000000000000008 x22: ffffffc01d5dfb38 
[  117.632689@0] x21: ffffffc022ce6018 x20: ffffffc022cd3818 
[  117.638124@0] x19: ffffffc022ce6168 x18: 0000000000000000 
[  117.643555@0] x17: 0000000000000000 x16: 0000000000000000 
[  117.648989@0] x15: 0000000000000000 x14: 0000000000000000 
[  117.654423@0] x13: 0000000000000000 x12: 0000000000000000 
[  117.659856@0] x11: 0000000000000000 x10: 0000000000000000 
[  117.665290@0] x9 : 0000000000000000 x8 : 0000000000000000 
[  117.670723@0] x7 : 0000000000000000 x6 : 0000000000000000 
[  117.676156@0] x5 : 0000000000000000 x4 : ffffffc022ce6168 

[jenswi-linaro]

Hi,

Which platform are you using? Which kernel version? Are you booting with UEFI?

Regards,
Jens

[neil1899]

hi,all
when i run the hello world test on the latest version.
i write the shell to test the stability of opteeos such as:

#!/system/xbin/sh
while [ 1 ]
do
tee-supplicant&
tee_helloworld
kill -9 $(pidof tee-supplicant)
sleep 1
done
it always occurs kernel panic:

[ 117.547355@0] Unable to handle kernel paging request at virtual address d0c30001b80709ca
[ 117.551245@0] pgd = ffffffc01cfdb000
[ 117.555710@0] [d0c30001b80709ca] *pgd=0000000000000000
[ 117.559808@0] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 117.565423@0] Modules linked in: optee_armtz(O) optee(O) dwc_otg aml_thermal(O) mali(O)
[ 117.573391@0] CPU: 0 PID: 3965 Comm: tee_helloworld Tainted: G O 3.14.29-gf020d86-dirty #3
[ 117.582424@0] task: ffffffc01cf7b000 ti: ffffffc01d5dc000 task.ti: ffffffc01d5dc000
[ 117.590076@0] PC is at tee_shm_free+0x40/0x68 [optee]
[ 117.595045@0] LR is at tee_shm_free+0x34/0x68 [optee]
[ 117.600015@0] pc : [] lr : [] pstate: 80000145
[ 117.607505@0] sp : ffffffc01d5dfa50
[ 117.610957@0] x29: ffffffc01d5dfa50 x28: 0000000000000000
[ 117.616390@0] x27: ffffff8005f00000 x26: 00000000ffff5701
[ 117.621822@0] x25: 0000000032000003 x24: ffffff8005f0100c
[ 117.627254@0] x23: 0000000000000008 x22: ffffffc01d5dfb38
[ 117.632689@0] x21: ffffffc022ce6018 x20: ffffffc022cd3818
[ 117.638124@0] x19: ffffffc022ce6168 x18: 0000000000000000
[ 117.643555@0] x17: 0000000000000000 x16: 0000000000000000
[ 117.648989@0] x15: 0000000000000000 x14: 0000000000000000
[ 117.654423@0] x13: 0000000000000000 x12: 0000000000000000
[ 117.659856@0] x11: 0000000000000000 x10: 0000000000000000
[ 117.665290@0] x9 : 0000000000000000 x8 : 0000000000000000
[ 117.670723@0] x7 : 0000000000000000 x6 : 0000000000000000
[ 117.676156@0] x5 : 0000000000000000 x4 : ffffffc022ce6168

[neil1899]

hi， jenswi
my platform is amlogic soc， arm-core is A53, kernel version is 3.14

[jenswi-linaro]

From what I've seen so far it looks like the shared memory isn't properly reserved and may be used for other purposes by the kernel too.

[neil1899]

Dear jenswi:
thanks for you reply

on my platform, I have define the optee ram size
#define TZDRAM_BASE 0x05300000
#define TZDRAM_SIZE 0x01000000

my dts file has change such as:
secos_reserved:linux,secos {

•              compatible = "aml_secos_memory";
  

•              reg = <0x0 0x05300000 0x0 0x1000000>;
  

•              no-map;
  

•           };
  

but the issue also reappear

my shell is
#!/system/xbin/sh
while [ 1 ]
do
tee-supplicant&
tee_helloworld
kill -9 $(pidof tee-supplicant)
sleep 1
done
to test the opteeos

[neil1899]

if i don't do the job of kill -9 $(pidof tee-supplicant). i mean the shell just do the tee_helloworld, it can run all day

but if i kill the tee-supplicant and run it again, about 3~4mins the tee_helloworld will occus kernel panic

[jenswi-linaro]

I think due to the killing different pages are used for user space memory making the problem visible earlier. Are you sure that the kernel doesn't use 0x05300000..0x053FFFFF for other purposes?

[neil1899]

yes, I'm sure i have rever the memory from 0x05300000 to 0x06300000

secos: share mem setup
[ 0.000000@0] Reserved memory: initialized node linux,secos, compatible id aml_secos_memory

[neil1899]

hi，jenswi：
I change my shell again:
while [ 1 ]
do
tee-supplicant&
sleep 2
tee_helloworld
kill -9 $(pidof tee-supplicant)
sleep 2
done

it runs ok either.
sum up:
if i don't do sleep between tee-supplicant& with tee_helloworld, it will occur kernel panic.

another thing is that: sometimes when i run tee-supplicant& the system has no any response.
it has been hung. do you meet this case?

such as
shell@p200:/ # tee-supplicant &

[1] 3900
shell@p200:/ # (I can't execute any command)

[jbech-linaro]

I suggest that we keep this issue open, even though I don't think we will do any further analysis right now. Indeed it shouldn't crash and there shouldn't be any timing related issues when loading/unloading the binaries and drivers.

[neil1899]

hi，jbech：
that means on your platform, do this test, it's ok? such as:

while [ 1 ]
do
tee-supplicant&
tee_helloworld
kill -9 $(pidof tee-supplicant)
sleep 2
done

I think if it's true, i would close this case, and analyse other module.

[jbech-linaro]

@neil1899 no it doesn't work and that is why I suggested that we keep this particular issue posted by you open until the issue has been resolved. However, it will get a little bit lower priority to solve from our side, since that test sequence is somewhat unrealistic in real world use cases.

[jbech-linaro]

@neil1899 , yesterday we released OP-TEE 2.1.0 and this time we kind of officially supports AOSP also (please see the note about AOSP in the CHANGELOG.md).

Would you mind to check whether the issue you reported still exists?

[jbech-linaro]

@neil1899 , this issue is becoming very old and we haven't really been able to reproduce it. Would you mind give a try on the 2.2.0 tag? If not, then I'm going to close the issue for now and then I'd suggest to re-open it later again if the error still shows up.

[github-actions]

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.