[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 07/12] xen/arm: ffa: Fix RXTX_UNMAP ownership race

  • To: Bertrand Marquis <bertrand.marquis@xxxxxxx>
  • From: Jens Wiklander <jens.wiklander@xxxxxxxxxx>
  • Date: Thu, 12 Feb 2026 15:39:51 +0100
  • Arc-authentication-results: i=1; mx.google.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Yn2zkDk6FP6Yc0FCN+IL9bgNIWDmfWx9UBf0hazkhSM=; fh=wNLC6Hyb5Ukz/ErppBRQBwv8vwa/OMsdh6R8bnNsiPU=; b=j7PHmZhHdnhWGvy/QQwxAUrEl90bEPl1NbEDyXTfgBdRUjI6HTJqik8dJDIo6GGXUw axxdk8JsEeR4Mbhf3nRshBYT56kflQ28qE0dtkh8bpZAzvC7xHWHLYmtFJ+zO/w/1hGB pp0gi9QkiZQrq3iUFQn5OGAEbEmlyN9VX3pNZ75ktegpeW9w2p4r3Z6j8sMXb2VfNbii jVgKtWgNdyZBTwbrdg7PDXC55Aiz+2StiTSbr2vx00i5hV+dDmX7UoUxJ5T76jz7zNT2 /uOGl4fFZ6EVW7V3QUukKJ7nXqmjgSBE7brkr6TNbz0+8Rhpl5T+OXSXk02mVX2EnWcS Inqg==; darn=lists.xenproject.org
  • Arc-seal: i=1; a=rsa-sha256; t=1770907204; cv=none; d=google.com; s=arc-20240605; b=JAnDMZnJWpzO7tSt/LiWFa9inaKQdTNw1gPwoA0HbH5Kn0PheVSbFlkRgcJC7X/fvO I/DIlgaSvCkSIup7Zz/Trq78h9Q2Ou0P55AVgjxtUgSHl8fs+pm7PHVZOaRXMRs2KpGV 7rLY6gtFCePN+nuYvQA7y+eJrQqsQUT4+uu+IACEfl6/QQ4OMr649+YeTl74oQOy/Bvr LosU073ytw8vsPAYjOByB/ba0VRPuN3kiFSr636Ft3nT9XZwTyf1isd3URtlEKT8+6XG gCmIJZuBNLd/CmiGaB3vgYajcl2Ba2iumXk4U1XyheV5Wvg9PceSArXnWVtRDHz4sapA CtJQ==
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>
  • Delivery-date: Thu, 12 Feb 2026 14:40:11 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
Hi Bertrand,

On Wed, Feb 11, 2026 at 6:16 PM Bertrand Marquis
<bertrand.marquis@xxxxxxx> wrote:
>
> rxtx_unmap() checks RX ownership without holding the RX/TX locks and
> only enforces the ownership rule when FFA_RX_ACQUIRE is supported. This
> allows a vCPU to acquire RX between the check and unmap, and it lets
> RXTX_UNMAP proceed while RX is owned when buffers are not forwarded to
> firmware.
>
> Hold rx_lock/tx_lock across the ownership check and unmap, and deny
> RXTX_UNMAP whenever RX is owned, independent of RX_ACQUIRE support. For
> teardown, release RX ownership under the same lock window; use
> FFA_RX_RELEASE directly because rx_lock is held, and clear the local
> flag when the firmware path is unavailable.
>
> Functional impact: RXTX_UNMAP now reliably returns DENIED while RX is
> owned, and teardown releases/clears ownership without a race.
>
> Signed-off-by: Bertrand Marquis <bertrand.marquis@xxxxxxx>
> ---
> Changes since v1:
> - Remove marking rx buffer as free during teardown as it is useless
> - Add a comment when calling rxtx_unmap during teardown to remind code
>   readers that true is for teardown mode
> ---
>  xen/arch/arm/tee/ffa_rxtx.c | 32 +++++++++++++++++++++++++++++---
>  1 file changed, 29 insertions(+), 3 deletions(-)

Looks good:
Reviewed-by: Jens Wiklander <jens.wiklander@xxxxxxxxxx>

Cheers,
Jens

>
> diff --git a/xen/arch/arm/tee/ffa_rxtx.c b/xen/arch/arm/tee/ffa_rxtx.c
> index eff95a7955d7..c4fc4c4934af 100644
> --- a/xen/arch/arm/tee/ffa_rxtx.c
> +++ b/xen/arch/arm/tee/ffa_rxtx.c
> @@ -220,7 +220,7 @@ err_unlock_rxtx:
>      return ret;
>  }
>
> -static int32_t rxtx_unmap(struct domain *d)
> +static int32_t rxtx_unmap(struct domain *d, bool teardown)
>  {
>      struct ffa_ctx *ctx = d->arch.tee;
>      int32_t ret = FFA_RET_OK;
> @@ -234,6 +234,32 @@ static int32_t rxtx_unmap(struct domain *d)
>          goto err_unlock_rxtx;
>      }
>
> +    if ( !ctx->rx_is_free )
> +    {
> +        if ( teardown )
> +        {
> +            if ( ffa_fw_supports_fid(FFA_RX_ACQUIRE) )
> +            {
> +                int32_t rel_ret;
> +
> +                /* Can't use ffa_rx_release() while holding rx_lock. */
> +                rel_ret = ffa_simple_call(FFA_RX_RELEASE, ctx->ffa_id,
> +                                          0, 0, 0);
> +                if ( rel_ret )
> +                    gdprintk(XENLOG_DEBUG,
> +                             "ffa: RX release during teardown failed: %d\n",
> +                             rel_ret);
> +            }
> +        }
> +        else
> +        {
> +            gdprintk(XENLOG_DEBUG,
> +                     "ffa: RXTX_UNMAP denied, RX buffer owned by VM\n");
> +            ret = FFA_RET_DENIED;
> +            goto err_unlock_rxtx;
> +        }
> +    }
> +
>      if ( ffa_fw_supports_fid(FFA_RX_ACQUIRE) )
>      {
>          ret = ffa_rxtx_unmap(ffa_get_vm_id(d));
> @@ -261,7 +287,7 @@ err_unlock_rxtx:
>
>  int32_t ffa_handle_rxtx_unmap(void)
>  {
> -    return rxtx_unmap(current->domain);
> +    return rxtx_unmap(current->domain, false);
>  }
>
>  int32_t ffa_rx_acquire(struct ffa_ctx *ctx, void **buf, size_t *buf_size)
> @@ -369,7 +395,7 @@ int32_t ffa_rxtx_domain_init(struct domain *d)
>
>  void ffa_rxtx_domain_destroy(struct domain *d)
>  {
> -    rxtx_unmap(d);
> +    rxtx_unmap(d, true /* teardown */);
>  }
>
>  void *ffa_rxtx_spmc_rx_acquire(void)
> --
> 2.52.0
>

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.