[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 07/12] xen/arm: ffa: Fix RXTX_UNMAP ownership race

  • To: Jens Wiklander <jens.wiklander@xxxxxxxxxx>
  • From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>
  • Date: Wed, 11 Feb 2026 10:50:06 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 4.158.2.129) smtp.rcpttodomain=linaro.org smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=arm.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6rRZIxxlIJTUwcNVYlYSRiYc/S3lxzSgBWmsMURHLyA=; b=cPK9NOxdzReH7CPZfUr/EB5pD/I1oAPqVoIyFi596L5fyd4sFbBTYqCpzh6DanrwrbQbGDPpD0W3YlK6lhxRdGPApHTANhkJ4oHu2CVpZaXwnRq/8RES23HwhX4YlIPvf3i8vqL3EGw0nWfQZeMPZbhfe3DYatV9lyalMVtg+RpmCHWx/3pctyLh0WKsKpkFjR4nu+4NIvz0iC16moWP8r1tBnn8OE1Gg1SvIdZ4dGAjPKVnQPGu6QKC4z9AwG58DSgTXcrJYC6pVDd5bl7GvdKGD0nJRsc1aZZAvUBLrKanBFCZYxh1xO7ABKtc7799eXbhQsExeGhW9O79gnHAhQ==
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6rRZIxxlIJTUwcNVYlYSRiYc/S3lxzSgBWmsMURHLyA=; b=dDHumdEfkyIFRNuxe1ycjGS++p7hO2Ne+0RsT+cC0PRmRiEqDlKoXETQvDj9Cc9yYBzjtbILy8tznaKCnQSnccHMk75HzpeZuj2aE3RW/2TomcQSag2EOpnGTOO0WFzVXzMYiSmVNZKtprKvZd3BHGhsoN8aGYqvqZkYFG86Mb1Oeih1e78GxAnkYFOxfKZlecxHOS2kmRhb3iL7o0gJeqya2k7xhYRBYchdmbqXpAsIo3Tx7wj8SpapKI13riisa6en0figYjl4Rz7tEYI1y4T0Lu4uFmGgxA9AZy/uo1lFtX7uWhMTpHuLgBoYm3tJnFoRKUysksTwEXwXq2z7gw==
  • Arc-seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=oRq/knzzI90w1W3xcSnvUb8TSyRK3shSDgknn2/zk8jmgEoPM80Uocw6mjwrf+CTmlm14I4W9ZsrOrfx4933WcAk8KS3YEjoAk980+aOT/ehxyRkYhqJO9L+SjqVZEiD70HSVZceNCnHSUXE7XZo0+DQI/55MnfXLm/1Z3qw6GTb/NgQze8AMzQ3bah6e+BzZpvf51SyIHyVodswAp/BFWkNgijBMCXHM8vrfcmIQdRFUZDwYjB2LZCWVJakm5L43n8YDKr3/zMTBU8QCSi2sLxGEAh0l3QQytZ1F/GskwH9o73PMo0lL6KPITFY1Ab3wbU/rP8ii6fGd6//ZOsl+Q==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=Bsix+ojcXpoF3ayUqdsIoVdD4IQAbB4rRR0xytpIlAtXRRMmKQn+jvW6w0BLpzVGURm+umjKW7hdn6ogaGrn7+MuNVR1XE0APQzpSw4Xt3qIhtlwGxBCl2GPdeJYxK/7kvXYmaT0VsVUSTs3/X9dQsKbkOmt9GlAncxexOumhEuFYFYB3oVcliqEDywC3jKMNUMzv5Iqzhh3M8fcZHubG+SbHKd7ibDvhBDCG7INY9V7RVy00GAWhJO5azgL6EIcyI/6h7nT0P7k0GWiaBgYU2fDSykVDCAaDhlmm/MV02Df4S7EecBegekaFeJKehLCAlKzbvKwIM6+eTkOKoVA1w==
  • Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>
  • Delivery-date: Wed, 11 Feb 2026 10:51:23 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Thread-index: AQHclTQA4+TBlGja902+I8ruNzCv87V9KKCAgAA1SQA=
  • Thread-topic: [PATCH 07/12] xen/arm: ffa: Fix RXTX_UNMAP ownership race
Hi Jens,

> On 11 Feb 2026, at 08:39, Jens Wiklander <jens.wiklander@xxxxxxxxxx> wrote:
> 
> Hi Bertrand,
> 
> On Tue, Feb 3, 2026 at 6:38 PM Bertrand Marquis
> <bertrand.marquis@xxxxxxx> wrote:
>> 
>> rxtx_unmap() checks RX ownership without holding the RX/TX locks and
>> only enforces the ownership rule when FFA_RX_ACQUIRE is supported. This
>> allows a vCPU to acquire RX between the check and unmap, and it lets
>> RXTX_UNMAP proceed while RX is owned when buffers are not forwarded to
>> firmware.
>> 
>> Hold rx_lock/tx_lock across the ownership check and unmap, and deny
>> RXTX_UNMAP whenever RX is owned, independent of RX_ACQUIRE support. For
>> teardown, release RX ownership under the same lock window; use
>> FFA_RX_RELEASE directly because rx_lock is held, and clear the local
>> flag when the firmware path is unavailable.
>> 
>> Functional impact: RXTX_UNMAP now reliably returns DENIED while RX is
>> owned, and teardown releases/clears ownership without a race.
>> 
>> Signed-off-by: Bertrand Marquis <bertrand.marquis@xxxxxxx>
>> ---
>> xen/arch/arm/tee/ffa_rxtx.c | 36 +++++++++++++++++++++++++++++++++---
>> 1 file changed, 33 insertions(+), 3 deletions(-)
>> 
>> diff --git a/xen/arch/arm/tee/ffa_rxtx.c b/xen/arch/arm/tee/ffa_rxtx.c
>> index eff95a7955d7..450ce102cbdc 100644
>> --- a/xen/arch/arm/tee/ffa_rxtx.c
>> +++ b/xen/arch/arm/tee/ffa_rxtx.c
>> @@ -220,7 +220,7 @@ err_unlock_rxtx:
>>     return ret;
>> }
>> 
>> -static int32_t rxtx_unmap(struct domain *d)
>> +static int32_t rxtx_unmap(struct domain *d, bool teardown)
>> {
>>     struct ffa_ctx *ctx = d->arch.tee;
>>     int32_t ret = FFA_RET_OK;
>> @@ -234,6 +234,36 @@ static int32_t rxtx_unmap(struct domain *d)
>>         goto err_unlock_rxtx;
>>     }
>> 
>> +    if ( !ctx->rx_is_free )
>> +    {
>> +        if ( teardown )
>> +        {
>> +            if ( ffa_fw_supports_fid(FFA_RX_ACQUIRE) )
>> +            {
>> +                int32_t rel_ret;
>> +
>> +                /* Can't use ffa_rx_release() while holding rx_lock. */
>> +                rel_ret = ffa_simple_call(FFA_RX_RELEASE, ctx->ffa_id,
>> +                                          0, 0, 0);
>> +                if ( rel_ret )
>> +                    gdprintk(XENLOG_DEBUG,
>> +                             "ffa: RX release during teardown failed: %d\n",
>> +                             rel_ret);
>> +                else
>> +                    ctx->rx_is_free = true;
> 
> I don't see why this assignment is needed, or the one just below.

True, in the teardown case we do not care at all.
I will remove those 2.

> 
>> +            }
>> +            else
>> +                ctx->rx_is_free = true;
>> +        }
>> +        else
>> +        {
>> +            gdprintk(XENLOG_DEBUG,
>> +                     "ffa: RXTX_UNMAP denied, RX buffer owned by VM\n");
>> +            ret = FFA_RET_DENIED;
>> +            goto err_unlock_rxtx;
>> +        }
>> +    }
>> +
>>     if ( ffa_fw_supports_fid(FFA_RX_ACQUIRE) )
>>     {
>>         ret = ffa_rxtx_unmap(ffa_get_vm_id(d));
>> @@ -261,7 +291,7 @@ err_unlock_rxtx:
>> 
>> int32_t ffa_handle_rxtx_unmap(void)
>> {
>> -    return rxtx_unmap(current->domain);
>> +    return rxtx_unmap(current->domain, false);
>> }
>> 
>> int32_t ffa_rx_acquire(struct ffa_ctx *ctx, void **buf, size_t *buf_size)
>> @@ -369,7 +399,7 @@ int32_t ffa_rxtx_domain_init(struct domain *d)
>> 
>> void ffa_rxtx_domain_destroy(struct domain *d)
>> {
>> -    rxtx_unmap(d);
>> +    rxtx_unmap(d, true);
> 
> How about adding a /* teardown */ just after true as a reminder of
> what true is supposed to represent.
> 
> Adding such comments isn't very common, but we're doing it at a few
> places in the source tree, and I think it helps when reading the code.

Agree i will add /* teardown */ just after true here.

Cheers
Bertrand

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.