From: Bertrand Marquis
To: xen-devel@lists.xenproject.org
Cc: jens.wiklander@linaro.org, Volodymyr Babchuk, Stefano Stabellini, Julien Grall, Michal Orzel
Subject: [PATCH 03/10] xen/arm: ffa: harden RX/TX mapping
Date: Thu, 27 Nov 2025 16:51:34 +0100

Harden the RX/TX mapping paths and keep signed FF-A return codes end-to-end.

Reject zero-length mappings and insist on page-aligned RX/TX buffer addresses before touching the P2M. The unmap plumbing is switched to use the same signed helpers so dispatcher error handling is consistent across map and unmap operations.

This avoids partially mapped or silently truncated buffers and makes the mediator behaviour match the FF-A error model more closely.

While there also introduce a domain_rxtx_init to properly initialize the rxtx buffers spinlocks.

Signed-off-by: Bertrand Marquis
Reviewed-by: Jens Wiklander

--- xen/arch/arm/tee/ffa.c | 4 ++++ xen/arch/arm/tee/ffa_private.h | 5 +++-- xen/arch/arm/tee/ffa_rxtx.c | 28 +++++++++++++++++++++------- 3 files changed, 28 insertions(+), 9 deletions(-) diff --git a/xen/arch/arm/tee/ffa.c b/xen/arch/arm/tee/ffa.c index 3309ca875ec4..47f426e85864 100644 --- a/xen/arch/arm/tee/ffa.c +++ b/xen/arch/arm/tee/ffa.c
@@ -446,6 +446,10 @@ static int ffa_domain_init(struct domain *d) if ( ret ) return ret; =20 + ret =3D ffa_rxtx_domain_init(d); + if ( ret ) + return ret; + return ffa_notif_domain_init(d); } =20 diff --git a/xen/arch/arm/tee/ffa_private.h b/xen/arch/arm/tee/ffa_private.h index 88b85c7c453a..4272afd37343 100644 --- a/xen/arch/arm/tee/ffa_private.h +++ b/xen/arch/arm/tee/ffa_private.h @@ -427,10 +427,11 @@ void ffa_handle_partition_info_get(struct cpu_user_re= gs *regs); =20 bool ffa_rxtx_init(void); void ffa_rxtx_destroy(void); +int32_t ffa_rxtx_domain_init(struct domain *d); void ffa_rxtx_domain_destroy(struct domain *d); -uint32_t ffa_handle_rxtx_map(uint32_t fid, register_t tx_addr, +int32_t ffa_handle_rxtx_map(uint32_t fid, register_t tx_addr, register_t rx_addr, uint32_t page_count); -uint32_t ffa_handle_rxtx_unmap(void); +int32_t ffa_handle_rxtx_unmap(void); int32_t ffa_rx_acquire(struct domain *d); int32_t ffa_rx_release(struct domain *d); =20 diff --git a/xen/arch/arm/tee/ffa_rxtx.c b/xen/arch/arm/tee/ffa_rxtx.c index a40e5b32e3a5..cd467d1dba68 100644 --- a/xen/arch/arm/tee/ffa_rxtx.c +++ b/xen/arch/arm/tee/ffa_rxtx.c @@ -41,10 +41,10 @@ static int32_t ffa_rxtx_unmap(uint16_t id) return ffa_simple_call(FFA_RXTX_UNMAP, ((uint64_t)id) << 16, 0, 0, 0); } =20 -uint32_t ffa_handle_rxtx_map(uint32_t fid, register_t tx_addr, +int32_t ffa_handle_rxtx_map(uint32_t fid, register_t tx_addr, register_t rx_addr, uint32_t page_count) { - uint32_t ret =3D FFA_RET_INVALID_PARAMETERS; + int32_t ret =3D FFA_RET_INVALID_PARAMETERS; struct domain *d =3D current->domain; struct ffa_ctx *ctx =3D d->arch.tee; struct page_info *tx_pg; 
@@ -66,13 +66,17 @@ uint32_t ffa_handle_rxtx_map(uint32_t fid, register_t t= x_addr, rx_addr &=3D UINT32_MAX; } =20 - if ( page_count > FFA_MAX_RXTX_PAGE_COUNT ) + if ( page_count > FFA_MAX_RXTX_PAGE_COUNT || !page_count ) { printk(XENLOG_ERR "ffa: RXTX_MAP: error: %u pages requested (limit= %u)\n", page_count, FFA_MAX_RXTX_PAGE_COUNT); return FFA_RET_INVALID_PARAMETERS; } =20 + if ( !IS_ALIGNED(tx_addr, FFA_PAGE_SIZE) || + !IS_ALIGNED(rx_addr, FFA_PAGE_SIZE) ) + return FFA_RET_INVALID_PARAMETERS; + /* Already mapped */ if ( ctx->rx ) return FFA_RET_DENIED; @@ -181,7 +185,7 @@ err_put_tx_pg: return ret; } =20 -static uint32_t rxtx_unmap(struct domain *d) +static int32_t rxtx_unmap(struct domain *d) { struct ffa_ctx *ctx =3D d->arch.tee; =20 @@ -190,7 +194,7 @@ static uint32_t rxtx_unmap(struct domain *d) =20 if ( ffa_fw_supports_fid(FFA_RX_ACQUIRE) ) { - uint32_t ret; + int32_t ret; =20 ret =3D ffa_rxtx_unmap(ffa_get_vm_id(d)); if ( ret !=3D FFA_RET_OK ) @@ -211,7 +215,7 @@ static uint32_t rxtx_unmap(struct domain *d) return FFA_RET_OK; } =20 -uint32_t ffa_handle_rxtx_unmap(void) +int32_t ffa_handle_rxtx_unmap(void) { return rxtx_unmap(current->domain); } @@ -272,6 +276,16 @@ out: return ret; } =20 +int32_t ffa_rxtx_domain_init(struct domain *d) +{ + struct ffa_ctx *ctx =3D d->arch.tee; + + spin_lock_init(&ctx->rx_lock); + spin_lock_init(&ctx->tx_lock); + + return 0; +} + void ffa_rxtx_domain_destroy(struct domain *d) { rxtx_unmap(d); @@ -298,7 +312,7 @@ void ffa_rxtx_destroy(void) =20 bool ffa_rxtx_init(void) { - int e; + int32_t e; =20 /* Firmware not there or not supporting */ if ( !ffa_fw_supports_fid(FFA_RXTX_MAP_64) ) --=20 2.51.2
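Review bot: In ffa_handle_rxtx_map (hunk at -66,13 in ffa_rxtx.c), the new IS_ALIGNED check returns FFA_RET_INVALID_PARAMETERS with no log, while the page-count check directly above it logs, and folding `!page_count` into that check means a zero count is reported as "0 pages requested (limit N)", which reads as a limit violation. Suggest a distinct message for the zero case and a matching one for a misaligned tx_addr or rx_addr. Both conditions are guest-controlled, so a guest log level (XENLOG_G_ERR) fits better than plain XENLOG_ERR for these messages. The alignment check also sits before the "Already mapped" check, so a misaligned request against an already-mapped context now gets INVALID_PARAMETERS instead of DENIED; a short comment would help if that precedence is intended.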
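Review bot: ffa_rxtx_domain_init (hunk at -272,6 in ffa_rxtx.c) is declared int32_t, the type this patch uses for FF-A return codes, yet it can only return 0 and its caller in ffa_domain_init propagates the value as an errno-style int through `if ( ret ) return ret;`. Suggest declaring it `int` (or `void`, dropping the check in ffa.c) so that an FF-A code cannot be mistaken for an errno if the function later gains a failure path. The commit message names the helper domain_rxtx_init while the code adds ffa_rxtx_domain_init; the two should match. The diff removes no earlier spin_lock_init for rx_lock or tx_lock, so the message should say whether the locks were previously left uninitialized or are also initialized elsewhere.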
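Review bot: The prototype changes in ffa_private.h (hunk at -427,10) switch ffa_handle_rxtx_map and ffa_handle_rxtx_unmap from uint32_t to int32_t, but the only ffa.c change in this patch is the ffa_domain_init hunk, so the dispatcher call sites that consume these return values are not part of the diff. Since the commit message states that dispatcher error handling becomes consistent across map and unmap, please confirm that those callers already hold the result in an int32_t, or include the call-site change here so the signed value is not converted back to unsigned before it is written to the guest registers.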