On 11/28/21 11:27, Heinrich Schuchardt wrote:
Hello Ilias,

I have compiled qemu_arm64_defconfig with CONFIG_CMD_EFIDEBUG=y and CONFIG_CMD_UNBIND.

When I execute the commands

     efidebug dh
     unbind tpm 0

a crash occurs in tpm_tis_ready().

tpm_tis_remove() calls iounmap() before calling tpm_tis_cleanup() which invokes tpm_tis_ready(). tpm_tis_ready() writes to the unmapped IO.

You should not unmap the IO region before accessing it in tpm_tis_ready(). But swapping these calls is not enough to fix the problem.

Best regards

Heinrich


The crash is in mmio_write_bytes(). The call chain is:

     device_remove -> tpm_tis_remove -> tpm_tis_cleanup -> tpm_tis_ready -> mmio_write_bytes

chip->locality is -1 in tpm_tis_remove. This leads to mmio_write_bytes being called with address = 0xfffff018

ret = tpm_tis_request_locality(dev, 0); is missing.

Best regards

Heinrich
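The C model below is an added example, not U-Boot's driver code and not something Heinrich posted. It reproduces the two defects in the report (unmapping the IO window before tpm_tis_cleanup() touches it, and entering tpm_tis_ready() with chip->locality == -1, which turns TPM_STS into the address 0xfffff018) against a constructed in-memory register window, and shows a remove path that requests locality 0, quiesces the TPM, releases the locality and only then unmaps. The struct, register macros and helper names are assumptions chosen to echo the report; the MMIO window is a plain byte array, so a bad write is reported as a failed return instead of a fault.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TIS layout: each locality owns a 4 KiB register window. The cast reproduces
 * what an unsigned address computation does with -1: TPM_STS(-1) is 0xfffff018,
 * the address from the report. (Assumed names, not U-Boot's headers.) */
#define TPM_LOCALITY_SHIFT         12
#define TPM_ACCESS(l)              (0x0000u | ((uint32_t)(l) << TPM_LOCALITY_SHIFT))
#define TPM_STS(l)                 (0x0018u | ((uint32_t)(l) << TPM_LOCALITY_SHIFT))
#define TPM_ACCESS_REQUEST_USE     0x02
#define TPM_ACCESS_ACTIVE_LOCALITY 0x20
#define TPM_STS_COMMAND_READY      0x40
#define TPM_NUM_LOCALITIES         5
#define TPM_MMIO_SIZE              (TPM_NUM_LOCALITIES << TPM_LOCALITY_SHIFT)

/* Hypothetical chip state; the field names mirror the ones in the report. */
struct tpm_chip {
    uint8_t *iobase;  /* NULL once "iounmap()" has run */
    int locality;     /* -1 while no locality is held */
};

/* Constructed stand-in for the TPM's MMIO window. */
static uint8_t tpm_regs[TPM_MMIO_SIZE];

uint32_t tpm_sts_addr(int locality) { return TPM_STS(locality); }

/* Refuses, rather than faults, on a write through an unmapped base or outside the window. */
static bool mmio_write8(struct tpm_chip *chip, uint32_t addr, uint8_t val)
{
    if (!chip->iobase || addr >= TPM_MMIO_SIZE)
        return false;
    chip->iobase[addr] = val;
    return true;
}

static bool tpm_tis_request_locality(struct tpm_chip *chip, int loc)
{
    if (loc < 0 || loc >= TPM_NUM_LOCALITIES)
        return false;
    if (!mmio_write8(chip, TPM_ACCESS(loc), TPM_ACCESS_REQUEST_USE))
        return false;
    /* The simulated TPM grants at once; a real driver polls for ACTIVE_LOCALITY. */
    chip->locality = loc;
    return true;
}

static void tpm_tis_release_locality(struct tpm_chip *chip)
{
    if (chip->locality >= 0)
        mmio_write8(chip, TPM_ACCESS(chip->locality), TPM_ACCESS_ACTIVE_LOCALITY);
    chip->locality = -1;
}

/* Puts the TPM into command-ready state; needs a held locality and a live mapping. */
static bool tpm_tis_ready(struct tpm_chip *chip)
{
    return mmio_write8(chip, TPM_STS(chip->locality), TPM_STS_COMMAND_READY);
}

static void tpm_tis_probe(struct tpm_chip *chip)
{
    memset(tpm_regs, 0, sizeof(tpm_regs));
    chip->iobase = tpm_regs;  /* "ioremap()" */
    chip->locality = -1;      /* probe does not keep a locality */
}

/* Ordering from the report: unmap first, then cleanup writes TPM_STS at 0xfffff018. */
bool tpm_tis_remove_buggy(struct tpm_chip *chip)
{
    chip->iobase = NULL;      /* iounmap() */
    return tpm_tis_ready(chip);
}

/* Corrected remove: acquire locality 0, quiesce, release, and only then unmap. */
bool tpm_tis_remove_fixed(struct tpm_chip *chip)
{
    bool ok;
    if (chip->locality < 0 && !tpm_tis_request_locality(chip, 0))
        return false;
    ok = tpm_tis_ready(chip);
    tpm_tis_release_locality(chip);
    chip->iobase = NULL;      /* iounmap() last */
    return ok;
}

/* Runs probe followed by one of the two remove paths; true means every IO write was valid. */
bool run_remove(bool fixed)
{
    struct tpm_chip chip;
    tpm_tis_probe(&chip);
    return fixed ? tpm_tis_remove_fixed(&chip) : tpm_tis_remove_buggy(&chip);
}

/* Value left in TPM_STS of locality 0 by the most recent run. */
uint8_t tpm_sts0_value(void) { return tpm_regs[TPM_STS(0)]; }

int main(void)
{
    printf("TPM_STS(-1) = 0x%08x\n", tpm_sts_addr(-1));
    printf("buggy remove ok: %d\n", run_remove(false));
    printf("fixed remove ok: %d\n", run_remove(true));
    return 0;
}
```

The fixed path checks chip->locality before using it as a window index, so a remove that runs without a held locality acquires one instead of computing a wrapped address; keeping the unmap as the last step means nothing in the cleanup sequence can reach freed or unmapped IO.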
