From: Bertrand Marquis
To: xen-devel@lists.xenproject.org
Cc: Volodymyr Babchuk, Jens Wiklander, Stefano Stabellini, Julien Grall, Michal Orzel
Subject: [PATCH 01/12] xen/arm: ffa: Add endpoint lookup helper
Date: Tue, 3 Feb 2026 18:37:56 +0100

Direct messaging paths duplicate endpoint validation and RCU domain lookup logic across multiple call sites, which makes the checks easy to drift and complicates maintenance.

Introduce ffa_endpoint_domain_lookup() to centralize this logic. The helper validates the endpoint ID (rejecting ID 0 for the hypervisor), performs RCU domain lookup, ensures the domain is live and has an initialized FF-A context with a negotiated version, and returns the domain locked via RCU.

Switch ffa_msg_send2_vm() to use the helper, replacing its open-coded validation sequence. This consolidates approximately 20 lines of duplicated checks into a single call.

No functional changes.

Signed-off-by: Bertrand Marquis
Reviewed-by: Jens Wiklander

--- xen/arch/arm/tee/ffa.c | 45 ++++++++++++++++++++++++++++++++++ xen/arch/arm/tee/ffa_msg.c | 24 +++--------------- xen/arch/arm/tee/ffa_private.h | 3 +++ 3 files changed, 51 insertions(+), 21 deletions(-) diff --git a/xen/arch/arm/tee/ffa.c b/xen/arch/arm/tee/ffa.c index ed18e76080d0..6de2b9f8ac8e 100644 --- a/xen/arch/arm/tee/ffa.c +++ b/xen/arch/arm/tee/ffa.c 
@@ -433,6 +433,51 @@ static bool ffa_handle_call(struct cpu_user_regs *regs) return true; } =20 +/* + * Look up a domain by its FF-A endpoint ID and validate it's ready for FF= -A. + * Returns FFA_RET_OK on success with domain locked via RCU. + * Caller must call rcu_unlock_domain() when done. + * + * Validates: + * - endpoint_id is not 0 (the hypervisor) + * - domain exists and is live + * - domain has FF-A context initialized + * - domain has negotiated an FF-A version + */ +int32_t ffa_endpoint_domain_lookup(uint16_t endpoint_id, struct domain **d= _out, + struct ffa_ctx **ctx_out) +{ + struct domain *d; + struct ffa_ctx *ctx; + int err; + + if ( endpoint_id =3D=3D 0 ) + return FFA_RET_INVALID_PARAMETERS; + + err =3D rcu_lock_live_remote_domain_by_id(endpoint_id - 1, &d); + if ( err ) + return FFA_RET_INVALID_PARAMETERS; + + if ( !d->arch.tee ) + { + rcu_unlock_domain(d); + return FFA_RET_INVALID_PARAMETERS; + } + + ctx =3D d->arch.tee; + if ( !ACCESS_ONCE(ctx->guest_vers) ) + { + rcu_unlock_domain(d); + return FFA_RET_INVALID_PARAMETERS; + } + + *d_out =3D d; + if ( ctx_out ) + *ctx_out =3D ctx; + + return FFA_RET_OK; +} + static int ffa_domain_init(struct domain *d) { struct ffa_ctx *ctx; diff --git a/xen/arch/arm/tee/ffa_msg.c b/xen/arch/arm/tee/ffa_msg.c index 4e26596461a9..10856fddcbc4 100644 --- a/xen/arch/arm/tee/ffa_msg.c +++ b/xen/arch/arm/tee/ffa_msg.c 
@@ -161,30 +161,12 @@ static int32_t ffa_msg_send2_vm(uint16_t dst_id, cons= t void *src_buf, struct ffa_part_msg_rxtx_1_2 *dst_msg; void *rx_buf; size_t rx_size; - int err; int32_t ret; =20 - if ( dst_id =3D=3D 0 ) - /* FF-A ID 0 is the hypervisor, this is not valid */ - return FFA_RET_INVALID_PARAMETERS; - /* This is also checking that dest is not src */ - err =3D rcu_lock_live_remote_domain_by_id(dst_id - 1, &dst_d); - if ( err ) - return FFA_RET_INVALID_PARAMETERS; - - if ( dst_d->arch.tee =3D=3D NULL ) - { - ret =3D FFA_RET_INVALID_PARAMETERS; - goto out_unlock; - } - - dst_ctx =3D dst_d->arch.tee; - if ( !ACCESS_ONCE(dst_ctx->guest_vers) ) - { - ret =3D FFA_RET_INVALID_PARAMETERS; - goto out_unlock; - } + ret =3D ffa_endpoint_domain_lookup(dst_id, &dst_d, &dst_ctx); + if ( ret ) + return ret; =20 /* This also checks that destination has set a Rx buffer */ ret =3D ffa_rx_acquire(dst_ctx , &rx_buf, &rx_size); diff --git a/xen/arch/arm/tee/ffa_private.h b/xen/arch/arm/tee/ffa_private.h index 282c105f3bce..cd7ecabc7eff 100644 --- a/xen/arch/arm/tee/ffa_private.h +++ b/xen/arch/arm/tee/ffa_private.h @@ -437,6 +437,9 @@ int32_t ffa_partinfo_domain_init(struct domain *d); bool ffa_partinfo_domain_destroy(struct domain *d); void ffa_handle_partition_info_get(struct cpu_user_regs *regs); =20 +int32_t ffa_endpoint_domain_lookup(uint16_t endpoint_id, struct domain **d= _out, + struct ffa_ctx **ctx_out); + bool ffa_rxtx_spmc_init(void); void ffa_rxtx_spmc_destroy(void); void *ffa_rxtx_spmc_rx_acquire(void); --=20 2.50.1 (Apple Git-155)
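
Review bot: In ffa_endpoint_domain_lookup() (ffa.c hunk), `*d_out = d` is stored unconditionally while ctx_out is guarded by `if ( ctx_out )`, and the header comment does not say which output pointers may be NULL. Either document that d_out is mandatory (an ASSERT(d_out) at the top would make that explicit) or state in the comment that ctx_out is the only optional output. It would also help to say that neither output is written on a failure return and that no lock is held in that case, so callers know not to call rcu_unlock_domain() after an error.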
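
Review bot: The block removed from ffa_msg_send2_vm() (ffa_msg.c hunk) carried the comment "This is also checking that dest is not src", and nothing replaces it: rejecting a message whose destination is the sender now depends silently on the helper calling rcu_lock_live_remote_domain_by_id(). Keep a one-line comment at the new ffa_endpoint_domain_lookup() call, or add "endpoint is not the calling domain" to the helper's "Validates:" list in ffa.c, so a later change to the lookup does not drop that check unnoticed.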
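
Review bot: The ffa_endpoint_domain_lookup() prototype (ffa_private.h hunk) is added with no comment, so the contract that the domain comes back RCU-locked and the caller must call rcu_unlock_domain() is only visible at the definition in ffa.c. A short comment above the declaration, or a pointer to the one in ffa.c, would put that requirement where callers in other files will look.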