[BUG] tpm2_tis_mmio driver crashes on device_remove()
Heinrich Schuchardt
heinrich.schuchardt at canonical.com
Sun Nov 28 23:48:36 CET 2021
On 11/28/21 11:27, Heinrich Schuchardt wrote:
> Hello Ilias,
>
> I have compiled qemu_arm64_defconfig with CONFIG_CMD_EFIDEBUG=y and
> CONFIG_CMD_UNBIND.
>
> When I execute the commands
>
> efidebug dh
> unbind tpm 0
>
> a crash occurs in tpm_tis_ready().
>
> tpm_tis_remove() calls iounmap() before calling tpm_tis_cleanup() which
> invokes tpm_tis_ready(). tpm_tis_ready() writes to the unmapped IO.
>
> You should not unmap the IO region before accessing it in
> tpm_tis_ready(). But swapping these calls is not enough to fix the problem.
>
> Best regards
>
> Heinrich
>
The crash is in mmio_write_bytes(). The call chain is:

device_remove -> tpm_tis_remove -> tpm_tis_cleanup -> tpm_tis_ready -> mmio_write_bytes

chip->locality is -1 in tpm_tis_remove. This leads to mmio_write_bytes
being called with address = 0xfffff018.

ret = tpm_tis_request_locality(dev, 0); is missing.
Best regards
Heinrich
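As an added illustration, not code from the U-Boot driver or from the report above: a constructed C model of the TIS register addressing that produces the 0xfffff018 address when the locality is -1, a guarded accessor that refuses such a write, and a remove sequence in the order the report calls for (request locality, ready write, release, unmap last). Struct and function names are assumptions.

```c
#include <stdint.h>

/* Constructed model of the TIS register layout: each locality owns a
 * 0x1000-byte window and TPM_STS sits at offset 0x18 inside it.
 * Names are assumptions, not the U-Boot driver's identifiers. */
#define TIS_LOCALITY_SHIFT 12
#define TIS_REG_STS        0x18
#define TIS_STS_CMD_READY  0x40
#define TIS_NO_LOCALITY    (-1)

struct tpm_chip_model {
    int locality;   /* -1 means no locality has been requested */
    int mapped;     /* 1 while the MMIO region is still mapped */
};

/* Register offset as a u32, the way it reaches the MMIO write helper:
 * (locality << 12) | reg. With locality == -1 this wraps to 0xfffff018. */
uint32_t tis_reg_addr(const struct tpm_chip_model *c, uint32_t reg)
{
    return ((uint32_t)c->locality << TIS_LOCALITY_SHIFT) + reg;
}

/* Hardened accessor: never compute or touch an address without a
 * requested locality and a live mapping. Returns 0 and the address on
 * success, -1 otherwise. */
int tis_write_sts(const struct tpm_chip_model *c, uint8_t val, uint32_t *addr_out)
{
    if (!c->mapped || c->locality < 0)
        return -1;
    *addr_out = tis_reg_addr(c, TIS_REG_STS);
    (void)val;  /* a real driver would write val to *addr_out here */
    return 0;
}

/* Remove path in the order the report asks for: the missing
 * request_locality(0) first, then the ready write, then release,
 * and iounmap() only after the last register access. */
int tis_remove_fixed(struct tpm_chip_model *c)
{
    uint32_t addr;
    c->locality = 0;                                    /* request_locality(dev, 0) */
    if (tis_write_sts(c, TIS_STS_CMD_READY, &addr))     /* tpm_tis_ready() */
        return -1;
    c->locality = TIS_NO_LOCALITY;                      /* release locality */
    c->mapped = 0;                                      /* iounmap() last */
    return 0;
}
```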