On Mon, Mar 30, 2026 at 11:16:59AM +0200, Jens Wiklander wrote:
Hi,
On Mon, Mar 30, 2026 at 6:07 AM Shf Chen (陳少甫) via OP-TEE op-tee@lists.trustedfirmware.org wrote:
On Fri, 2026-03-27 at 15:31 +0530, Sumit Garg wrote:
On Fri, Mar 27, 2026 at 09:01:15AM +0000, Shf Chen (陳少甫) via OP-TEE wrote:
Hi,
We found a possible race condition issue during OP-TEE kernel driver probing the device. A NULL pointer dereference exception can happen when another kernel driver open OP-TEE context with tee_client_open_context() then do a SMC call to OP-TEE. Below is the exception:
How is your kernel driver being probed? Have you registered it as a proper TEE bus driver? Any custom ways to invoke TEE kernel client APIs are surely susceptible to races like the one you mentioned below.
-Sumit
Hi,
Our kernel driver does not registered as a TEE bus driver for some reasons, and we need to use other API to ensure the OP-TEE driver is probed to workaround this issue. But, we think this is error-prone for module developer that need to call to OP-TEE.
The kernel modules API for OP-TEE is via TEE bus only.
Although this is not the case, I think that after calling tee_device_register(), the optee device is shown under `/dev/` filesystem. There is a very small chance for userspace program to trigger this race condition, and they don't have clue on whether the device is properly being probed yet.
I think you're on to something. After calling tee_device_register(), the driver must be able to handle requests, at least without crashing. optee_enumerate_devices() requires the devices to be registered, so that must happen after those calls. But other than that, I think the calls to tee_device_register() should be the last thing in the probe function.
Sumit, do you agree?
Sounds reasonable to me if it's something that can be reproduced via the user-space client.
-Sumit