[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [XEN PATCH 3/6] xen/arm: ffa: separate memory sharing routines
Hi Jens, > On 25 Mar 2024, at 10:39, Jens Wiklander <jens.wiklander@xxxxxxxxxx> wrote: > > Move memory sharing routines into a separate file for easier navigation > in the source code. > > Add ffa_shm_domain_destroy() to isolate the ffa_shm things in > ffa_domain_teardown_continue(). > > Signed-off-by: Jens Wiklander <jens.wiklander@xxxxxxxxxx> With the copyright date mentioned after fixed (which can be done on commit): Reviewed-by: Bertrand Marquis <bertrand.marquis@xxxxxxx > --- > xen/arch/arm/tee/Makefile | 1 + > xen/arch/arm/tee/ffa.c | 708 +-------------------------------- > xen/arch/arm/tee/ffa_private.h | 10 + > xen/arch/arm/tee/ffa_shm.c | 708 +++++++++++++++++++++++++++++++++ > 4 files changed, 729 insertions(+), 698 deletions(-) > create mode 100644 xen/arch/arm/tee/ffa_shm.c > > diff --git a/xen/arch/arm/tee/Makefile b/xen/arch/arm/tee/Makefile > index 58a1015e40e0..0e683d23aa9d 100644 > --- a/xen/arch/arm/tee/Makefile > +++ b/xen/arch/arm/tee/Makefile > @@ -1,3 +1,4 @@ > obj-$(CONFIG_FFA) += ffa.o > +obj-$(CONFIG_FFA) += ffa_shm.o > obj-y += tee.o > obj-$(CONFIG_OPTEE) += optee.o > diff --git a/xen/arch/arm/tee/ffa.c b/xen/arch/arm/tee/ffa.c > index 259851f20bdb..db36292dc52f 100644 > --- a/xen/arch/arm/tee/ffa.c > +++ b/xen/arch/arm/tee/ffa.c > @@ -84,92 +84,6 @@ struct ffa_partition_info_1_1 { > uint8_t uuid[16]; > }; > > -/* Constituent memory region descriptor */ > -struct ffa_address_range { > - uint64_t address; > - uint32_t page_count; > - uint32_t reserved; > -}; > - > -/* Composite memory region descriptor */ > -struct ffa_mem_region { > - uint32_t total_page_count; > - uint32_t address_range_count; > - uint64_t reserved; > - struct ffa_address_range address_range_array[]; > -}; > - > -/* Memory access permissions descriptor */ > -struct ffa_mem_access_perm { > - uint16_t endpoint_id; > - uint8_t perm; > - uint8_t flags; > -}; > - > -/* Endpoint memory access descriptor */ > -struct ffa_mem_access { > - struct ffa_mem_access_perm access_perm; > - uint32_t region_offs; > - uint64_t reserved; > -}; > - > -/* Lend, donate or share memory transaction descriptor */ > -struct ffa_mem_transaction_1_0 { > - uint16_t sender_id; > - uint8_t mem_reg_attr; > - uint8_t reserved0; > - uint32_t flags; > - uint64_t handle; > - uint64_t tag; > - uint32_t reserved1; > - uint32_t mem_access_count; > - struct ffa_mem_access mem_access_array[]; > -}; > - > -struct ffa_mem_transaction_1_1 { > - uint16_t sender_id; > - uint16_t mem_reg_attr; > - uint32_t flags; > - uint64_t handle; > - uint64_t tag; > - uint32_t mem_access_size; > - uint32_t mem_access_count; > - uint32_t mem_access_offs; > - uint8_t reserved[12]; > -}; > - > -/* Calculate offset of struct ffa_mem_access from start of buffer */ > -#define MEM_ACCESS_OFFSET(access_idx) \ > - ( sizeof(struct ffa_mem_transaction_1_1) + \ > - ( access_idx ) * sizeof(struct ffa_mem_access) ) > - > -/* Calculate offset of struct ffa_mem_region from start of buffer */ > -#define REGION_OFFSET(access_count, region_idx) \ > - ( MEM_ACCESS_OFFSET(access_count) + \ > - ( region_idx ) * sizeof(struct ffa_mem_region) ) > - > -/* Calculate offset of struct ffa_address_range from start of buffer */ > -#define ADDR_RANGE_OFFSET(access_count, region_count, range_idx) \ > - ( REGION_OFFSET(access_count, region_count) + \ > - ( range_idx ) * sizeof(struct ffa_address_range) ) > - > -/* > - * The parts needed from struct ffa_mem_transaction_1_0 or struct > - * ffa_mem_transaction_1_1, used to provide an abstraction of difference in > - * data structures between version 1.0 and 1.1. This is just an internal > - * interface and can be changed without changing any ABI. > - */ > -struct ffa_mem_transaction_int { > - uint16_t sender_id; > - uint8_t mem_reg_attr; > - uint8_t flags; > - uint8_t mem_access_size; > - uint8_t mem_access_count; > - uint16_t mem_access_offs; > - uint64_t handle; > - uint64_t tag; > -}; > - > /* Endpoint RX/TX descriptor */ > struct ffa_endpoint_rxtx_descriptor_1_0 { > uint16_t sender_id; > @@ -185,15 +99,6 @@ struct ffa_endpoint_rxtx_descriptor_1_1 { > uint32_t tx_region_offs; > }; > > -struct ffa_shm_mem { > - struct list_head list; > - uint16_t sender_id; > - uint16_t ep_id; /* endpoint, the one lending */ > - uint64_t handle; /* FFA_HANDLE_INVALID if not set yet */ > - unsigned int page_count; > - struct page_info *pages[]; > -}; > - > /* Negotiated FF-A version to use with the SPMC */ > static uint32_t __ro_after_init ffa_version; > > @@ -212,10 +117,10 @@ static uint16_t subscr_vm_destroyed_count __read_mostly; > * for calls which uses our RX buffer to deliver a result we must call > * ffa_rx_release() to let the SPMC know that we're done with the buffer. > */ > -static void *ffa_rx __read_mostly; > -static void *ffa_tx __read_mostly; > -static DEFINE_SPINLOCK(ffa_rx_buffer_lock); > -static DEFINE_SPINLOCK(ffa_tx_buffer_lock); > +void *ffa_rx __read_mostly; > +void *ffa_tx __read_mostly; > +DEFINE_SPINLOCK(ffa_rx_buffer_lock); > +DEFINE_SPINLOCK(ffa_tx_buffer_lock); > > > /* Used to track domains that could not be torn down immediately. */ > @@ -297,47 +202,6 @@ static int32_t ffa_rx_release(void) > return ffa_simple_call(FFA_RX_RELEASE, 0, 0, 0, 0); > } > > -static int32_t ffa_mem_share(uint32_t tot_len, uint32_t frag_len, > - register_t addr, uint32_t pg_count, > - uint64_t *handle) > -{ > - struct arm_smccc_1_2_regs arg = { > - .a0 = FFA_MEM_SHARE_64, > - .a1 = tot_len, > - .a2 = frag_len, > - .a3 = addr, > - .a4 = pg_count, > - }; > - struct arm_smccc_1_2_regs resp; > - > - arm_smccc_1_2_smc(&arg, &resp); > - > - switch ( resp.a0 ) > - { > - case FFA_ERROR: > - if ( resp.a2 ) > - return resp.a2; > - else > - return FFA_RET_NOT_SUPPORTED; > - case FFA_SUCCESS_32: > - *handle = regpair_to_uint64(resp.a3, resp.a2); > - return FFA_RET_OK; > - case FFA_MEM_FRAG_RX: > - *handle = regpair_to_uint64(resp.a2, resp.a1); > - if ( resp.a3 > INT32_MAX ) /* Impossible value */ > - return FFA_RET_ABORTED; > - return resp.a3 & INT32_MAX; > - default: > - return FFA_RET_NOT_SUPPORTED; > - } > -} > - > -static int32_t ffa_mem_reclaim(uint32_t handle_lo, uint32_t handle_hi, > - uint32_t flags) > -{ > - return ffa_simple_call(FFA_MEM_RECLAIM, handle_lo, handle_hi, flags, 0); > -} > - > static int32_t ffa_direct_req_send_vm(uint16_t sp_id, uint16_t vm_id, > uint8_t msg) > { > @@ -660,506 +524,6 @@ out: > resp.a7 & mask); > } > > -/* > - * Gets all page and assigns them to the supplied shared memory object. If > - * this function fails then the caller is still expected to call > - * put_shm_pages() as a cleanup. > - */ > -static int get_shm_pages(struct domain *d, struct ffa_shm_mem *shm, > - const struct ffa_address_range *range, > - uint32_t range_count, unsigned int start_page_idx, > - unsigned int *last_page_idx) > -{ > - unsigned int pg_idx = start_page_idx; > - gfn_t gfn; > - unsigned int n; > - unsigned int m; > - p2m_type_t t; > - uint64_t addr; > - uint64_t page_count; > - > - for ( n = 0; n < range_count; n++ ) > - { > - page_count = read_atomic(&range[n].page_count); > - addr = read_atomic(&range[n].address); > - for ( m = 0; m < page_count; m++ ) > - { > - if ( pg_idx >= shm->page_count ) > - return FFA_RET_INVALID_PARAMETERS; > - > - gfn = gaddr_to_gfn(addr + m * FFA_PAGE_SIZE); > - shm->pages[pg_idx] = get_page_from_gfn(d, gfn_x(gfn), &t, > - P2M_ALLOC); > - if ( !shm->pages[pg_idx] ) > - return FFA_RET_DENIED; > - /* Only normal RW RAM for now */ > - if ( t != p2m_ram_rw ) > - return FFA_RET_DENIED; > - pg_idx++; > - } > - } > - > - *last_page_idx = pg_idx; > - > - return FFA_RET_OK; > -} > - > -static void put_shm_pages(struct ffa_shm_mem *shm) > -{ > - unsigned int n; > - > - for ( n = 0; n < shm->page_count && shm->pages[n]; n++ ) > - { > - put_page(shm->pages[n]); > - shm->pages[n] = NULL; > - } > -} > - > -static bool inc_ctx_shm_count(struct domain *d, struct ffa_ctx *ctx) > -{ > - bool ret = true; > - > - spin_lock(&ctx->lock); > - > - if ( ctx->shm_count >= FFA_MAX_SHM_COUNT ) > - { > - ret = false; > - } > - else > - { > - /* > - * If this is the first shm added, increase the domain reference > - * counter as we need to keep domain around a bit longer to reclaim > - * the shared memory in the teardown path. > - */ > - if ( !ctx->shm_count ) > - get_knownalive_domain(d); > - > - ctx->shm_count++; > - } > - > - spin_unlock(&ctx->lock); > - > - return ret; > -} > - > -static void dec_ctx_shm_count(struct domain *d, struct ffa_ctx *ctx) > -{ > - bool drop_ref; > - > - spin_lock(&ctx->lock); > - > - ASSERT(ctx->shm_count > 0); > - ctx->shm_count--; > - > - /* > - * If this was the last shm removed, let go of the domain reference we > - * took in inc_ctx_shm_count() above. > - */ > - drop_ref = !ctx->shm_count; > - > - spin_unlock(&ctx->lock); > - > - if ( drop_ref ) > - put_domain(d); > -} > - > -static struct ffa_shm_mem *alloc_ffa_shm_mem(struct domain *d, > - unsigned int page_count) > -{ > - struct ffa_ctx *ctx = d->arch.tee; > - struct ffa_shm_mem *shm; > - > - if ( page_count >= FFA_MAX_SHM_PAGE_COUNT ) > - return NULL; > - if ( !inc_ctx_shm_count(d, ctx) ) > - return NULL; > - > - shm = xzalloc_flex_struct(struct ffa_shm_mem, pages, page_count); > - if ( shm ) > - shm->page_count = page_count; > - else > - dec_ctx_shm_count(d, ctx); > - > - return shm; > -} > - > -static void free_ffa_shm_mem(struct domain *d, struct ffa_shm_mem *shm) > -{ > - struct ffa_ctx *ctx = d->arch.tee; > - > - if ( !shm ) > - return; > - > - dec_ctx_shm_count(d, ctx); > - put_shm_pages(shm); > - xfree(shm); > -} > - > -static void init_range(struct ffa_address_range *addr_range, > - paddr_t pa) > -{ > - memset(addr_range, 0, sizeof(*addr_range)); > - addr_range->address = pa; > - addr_range->page_count = 1; > -} > - > -/* > - * This function uses the ffa_tx buffer to transmit the memory transaction > - * descriptor. The function depends ffa_tx_buffer_lock to be used to guard > - * the buffer from concurrent use. > - */ > -static int share_shm(struct ffa_shm_mem *shm) > -{ > - const uint32_t max_frag_len = FFA_RXTX_PAGE_COUNT * FFA_PAGE_SIZE; > - struct ffa_mem_access *mem_access_array; > - struct ffa_mem_transaction_1_1 *descr; > - struct ffa_address_range *addr_range; > - struct ffa_mem_region *region_descr; > - const unsigned int region_count = 1; > - void *buf = ffa_tx; > - uint32_t frag_len; > - uint32_t tot_len; > - paddr_t last_pa; > - unsigned int n; > - paddr_t pa; > - > - ASSERT(spin_is_locked(&ffa_tx_buffer_lock)); > - ASSERT(shm->page_count); > - > - descr = buf; > - memset(descr, 0, sizeof(*descr)); > - descr->sender_id = shm->sender_id; > - descr->handle = shm->handle; > - descr->mem_reg_attr = FFA_NORMAL_MEM_REG_ATTR; > - descr->mem_access_count = 1; > - descr->mem_access_size = sizeof(*mem_access_array); > - descr->mem_access_offs = MEM_ACCESS_OFFSET(0); > - > - mem_access_array = buf + descr->mem_access_offs; > - memset(mem_access_array, 0, sizeof(*mem_access_array)); > - mem_access_array[0].access_perm.endpoint_id = shm->ep_id; > - mem_access_array[0].access_perm.perm = FFA_MEM_ACC_RW; > - mem_access_array[0].region_offs = REGION_OFFSET(descr->mem_access_count, > 0); > - > - region_descr = buf + mem_access_array[0].region_offs; > - memset(region_descr, 0, sizeof(*region_descr)); > - region_descr->total_page_count = shm->page_count; > - > - region_descr->address_range_count = 1; > - last_pa = page_to_maddr(shm->pages[0]); > - for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > - { > - pa = page_to_maddr(shm->pages[n]); > - if ( last_pa + FFA_PAGE_SIZE == pa ) > - continue; > - region_descr->address_range_count++; > - } > - > - tot_len = ADDR_RANGE_OFFSET(descr->mem_access_count, region_count, > - region_descr->address_range_count); > - if ( tot_len > max_frag_len ) > - return FFA_RET_NOT_SUPPORTED; > - > - addr_range = region_descr->address_range_array; > - frag_len = ADDR_RANGE_OFFSET(descr->mem_access_count, region_count, 1); > - last_pa = page_to_maddr(shm->pages[0]); > - init_range(addr_range, last_pa); > - for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > - { > - pa = page_to_maddr(shm->pages[n]); > - if ( last_pa + FFA_PAGE_SIZE == pa ) > - { > - addr_range->page_count++; > - continue; > - } > - > - frag_len += sizeof(*addr_range); > - addr_range++; > - init_range(addr_range, pa); > - } > - > - return ffa_mem_share(tot_len, frag_len, 0, 0, &shm->handle); > -} > - > -static int read_mem_transaction(uint32_t ffa_vers, const void *buf, size_t > blen, > - struct ffa_mem_transaction_int *trans) > -{ > - uint16_t mem_reg_attr; > - uint32_t flags; > - uint32_t count; > - uint32_t offs; > - uint32_t size; > - > - if ( ffa_vers >= FFA_VERSION_1_1 ) > - { > - const struct ffa_mem_transaction_1_1 *descr; > - > - if ( blen < sizeof(*descr) ) > - return FFA_RET_INVALID_PARAMETERS; > - > - descr = buf; > - trans->sender_id = descr->sender_id; > - mem_reg_attr = descr->mem_reg_attr; > - flags = descr->flags; > - trans->handle = descr->handle; > - trans->tag = descr->tag; > - > - count = descr->mem_access_count; > - size = descr->mem_access_size; > - offs = descr->mem_access_offs; > - } > - else > - { > - const struct ffa_mem_transaction_1_0 *descr; > - > - if ( blen < sizeof(*descr) ) > - return FFA_RET_INVALID_PARAMETERS; > - > - descr = buf; > - trans->sender_id = descr->sender_id; > - mem_reg_attr = descr->mem_reg_attr; > - flags = descr->flags; > - trans->handle = descr->handle; > - trans->tag = descr->tag; > - > - count = descr->mem_access_count; > - size = sizeof(struct ffa_mem_access); > - offs = offsetof(struct ffa_mem_transaction_1_0, mem_access_array); > - } > - /* > - * Make sure that "descr" which is shared with the guest isn't accessed > - * again after this point. > - */ > - barrier(); > - > - /* > - * We're doing a rough check to see that no information is lost when > - * tranfering the values into a struct ffa_mem_transaction_int below. > - * The fields in struct ffa_mem_transaction_int are wide enough to hold > - * any valid value so being out of range means that something is wrong. > - */ > - if ( mem_reg_attr > UINT8_MAX || flags > UINT8_MAX || size > UINT8_MAX || > - count > UINT8_MAX || offs > UINT16_MAX ) > - return FFA_RET_INVALID_PARAMETERS; > - > - /* Check that the endpoint memory access descriptor array fits */ > - if ( size * count + offs > blen ) > - return FFA_RET_INVALID_PARAMETERS; > - > - trans->mem_reg_attr = mem_reg_attr; > - trans->flags = flags; > - trans->mem_access_size = size; > - trans->mem_access_count = count; > - trans->mem_access_offs = offs; > - > - return 0; > -} > - > -static void ffa_handle_mem_share(struct cpu_user_regs *regs) > -{ > - uint32_t tot_len = get_user_reg(regs, 1); > - uint32_t frag_len = get_user_reg(regs, 2); > - uint64_t addr = get_user_reg(regs, 3); > - uint32_t page_count = get_user_reg(regs, 4); > - const struct ffa_mem_region *region_descr; > - const struct ffa_mem_access *mem_access; > - struct ffa_mem_transaction_int trans; > - struct domain *d = current->domain; > - struct ffa_ctx *ctx = d->arch.tee; > - struct ffa_shm_mem *shm = NULL; > - unsigned int last_page_idx = 0; > - register_t handle_hi = 0; > - register_t handle_lo = 0; > - int ret = FFA_RET_DENIED; > - uint32_t range_count; > - uint32_t region_offs; > - > - /* > - * We're only accepting memory transaction descriptors via the rx/tx > - * buffer. > - */ > - if ( addr ) > - { > - ret = FFA_RET_NOT_SUPPORTED; > - goto out_set_ret; > - } > - > - /* Check that fragment length doesn't exceed total length */ > - if ( frag_len > tot_len ) > - { > - ret = FFA_RET_INVALID_PARAMETERS; > - goto out_set_ret; > - } > - > - /* We currently only support a single fragment */ > - if ( frag_len != tot_len ) > - { > - ret = FFA_RET_NOT_SUPPORTED; > - goto out_set_ret; > - } > - > - if ( !spin_trylock(&ctx->tx_lock) ) > - { > - ret = FFA_RET_BUSY; > - goto out_set_ret; > - } > - > - if ( frag_len > ctx->page_count * FFA_PAGE_SIZE ) > - goto out_unlock; > - > - ret = read_mem_transaction(ctx->guest_vers, ctx->tx, frag_len, &trans); > - if ( ret ) > - goto out_unlock; > - > - if ( trans.mem_reg_attr != FFA_NORMAL_MEM_REG_ATTR ) > - { > - ret = FFA_RET_NOT_SUPPORTED; > - goto out_unlock; > - } > - > - /* Only supports sharing it with one SP for now */ > - if ( trans.mem_access_count != 1 ) > - { > - ret = FFA_RET_NOT_SUPPORTED; > - goto out_unlock; > - } > - > - if ( trans.sender_id != ffa_get_vm_id(d) ) > - { > - ret = FFA_RET_INVALID_PARAMETERS; > - goto out_unlock; > - } > - > - /* Check that it fits in the supplied data */ > - if ( trans.mem_access_offs + trans.mem_access_size > frag_len ) > - goto out_unlock; > - > - mem_access = ctx->tx + trans.mem_access_offs; > - if ( read_atomic(&mem_access->access_perm.perm) != FFA_MEM_ACC_RW ) > - { > - ret = FFA_RET_NOT_SUPPORTED; > - goto out_unlock; > - } > - > - region_offs = read_atomic(&mem_access->region_offs); > - if ( sizeof(*region_descr) + region_offs > frag_len ) > - { > - ret = FFA_RET_NOT_SUPPORTED; > - goto out_unlock; > - } > - > - region_descr = ctx->tx + region_offs; > - range_count = read_atomic(®ion_descr->address_range_count); > - page_count = read_atomic(®ion_descr->total_page_count); > - > - if ( !page_count ) > - { > - ret = FFA_RET_INVALID_PARAMETERS; > - goto out_unlock; > - } > - > - shm = alloc_ffa_shm_mem(d, page_count); > - if ( !shm ) > - { > - ret = FFA_RET_NO_MEMORY; > - goto out_unlock; > - } > - shm->sender_id = trans.sender_id; > - shm->ep_id = read_atomic(&mem_access->access_perm.endpoint_id); > - > - /* > - * Check that the Composite memory region descriptor fits. > - */ > - if ( sizeof(*region_descr) + region_offs + > - range_count * sizeof(struct ffa_address_range) > frag_len ) > - { > - ret = FFA_RET_INVALID_PARAMETERS; > - goto out; > - } > - > - ret = get_shm_pages(d, shm, region_descr->address_range_array, > range_count, > - 0, &last_page_idx); > - if ( ret ) > - goto out; > - if ( last_page_idx != shm->page_count ) > - { > - ret = FFA_RET_INVALID_PARAMETERS; > - goto out; > - } > - > - /* Note that share_shm() uses our tx buffer */ > - spin_lock(&ffa_tx_buffer_lock); > - ret = share_shm(shm); > - spin_unlock(&ffa_tx_buffer_lock); > - if ( ret ) > - goto out; > - > - spin_lock(&ctx->lock); > - list_add_tail(&shm->list, &ctx->shm_list); > - spin_unlock(&ctx->lock); > - > - uint64_to_regpair(&handle_hi, &handle_lo, shm->handle); > - > -out: > - if ( ret ) > - free_ffa_shm_mem(d, shm); > -out_unlock: > - spin_unlock(&ctx->tx_lock); > - > -out_set_ret: > - if ( ret == 0) > - ffa_set_regs_success(regs, handle_lo, handle_hi); > - else > - ffa_set_regs_error(regs, ret); > -} > - > -/* Must only be called with ctx->lock held */ > -static struct ffa_shm_mem *find_shm_mem(struct ffa_ctx *ctx, uint64_t handle) > -{ > - struct ffa_shm_mem *shm; > - > - list_for_each_entry(shm, &ctx->shm_list, list) > - if ( shm->handle == handle ) > - return shm; > - > - return NULL; > -} > - > -static int ffa_handle_mem_reclaim(uint64_t handle, uint32_t flags) > -{ > - struct domain *d = current->domain; > - struct ffa_ctx *ctx = d->arch.tee; > - struct ffa_shm_mem *shm; > - register_t handle_hi; > - register_t handle_lo; > - int ret; > - > - spin_lock(&ctx->lock); > - shm = find_shm_mem(ctx, handle); > - if ( shm ) > - list_del(&shm->list); > - spin_unlock(&ctx->lock); > - if ( !shm ) > - return FFA_RET_INVALID_PARAMETERS; > - > - uint64_to_regpair(&handle_hi, &handle_lo, handle); > - ret = ffa_mem_reclaim(handle_lo, handle_hi, flags); > - > - if ( ret ) > - { > - spin_lock(&ctx->lock); > - list_add_tail(&shm->list, &ctx->shm_list); > - spin_unlock(&ctx->lock); > - } > - else > - { > - free_ffa_shm_mem(d, shm); > - } > - > - return ret; > -} > - > static bool ffa_handle_call(struct cpu_user_regs *regs) > { > uint32_t fid = get_user_reg(regs, 0); > @@ -1284,8 +648,8 @@ static int ffa_domain_init(struct domain *d) > if ( !ffa_version ) > return -ENODEV; > /* > - * We can't use that last possible domain ID or get_vm_id() would cause > - * an overflow. > + * We can't use that last possible domain ID or ffa_get_vm_id() would > + * cause an overflow. Nit: this should have been in patch 1 but no need to change unless there is a new version of the serie. > */ > if ( d->domain_id >= UINT16_MAX) > return -ERANGE; > @@ -1348,68 +712,16 @@ static void send_vm_destroyed(struct domain *d) > } > } > > -static void ffa_reclaim_shms(struct domain *d) > -{ > - struct ffa_ctx *ctx = d->arch.tee; > - struct ffa_shm_mem *shm, *tmp; > - int32_t res; > - > - list_for_each_entry_safe(shm, tmp, &ctx->shm_list, list) > - { > - register_t handle_hi; > - register_t handle_lo; > - > - uint64_to_regpair(&handle_hi, &handle_lo, shm->handle); > - res = ffa_mem_reclaim(handle_lo, handle_hi, 0); > - switch ( res ) { > - case FFA_RET_OK: > - printk(XENLOG_G_DEBUG "%pd: ffa: Reclaimed handle %#lx\n", > - d, shm->handle); > - list_del(&shm->list); > - free_ffa_shm_mem(d, shm); > - break; > - case FFA_RET_DENIED: > - /* > - * A temporary error that may get resolved a bit later, it's > - * worth retrying. > - */ > - printk(XENLOG_G_INFO "%pd: ffa: Failed to reclaim handle %#lx : > %d\n", > - d, shm->handle, res); > - break; /* We will retry later */ > - default: > - /* > - * The rest of the error codes are not expected and are assumed > - * to be of a permanent nature. It not in our control to handle > - * the error properly so the object in this case is to try to > - * minimize the damage. > - * > - * FFA_RET_NO_MEMORY might be a temporary error as it it could > - * succeed if retried later, but treat it as permanent for now. > - */ > - printk(XENLOG_G_INFO "%pd: ffa: Permanent failure to reclaim > handle %#lx : %d\n", > - d, shm->handle, res); > - > - /* > - * Remove the shm from the list and free it, but don't drop > - * references. This results in having the shared physical pages > - * permanently allocate and also keeps the domain as a zombie > - * domain. > - */ > - list_del(&shm->list); > - xfree(shm); > - break; > - } > - } > -} > - > static void ffa_domain_teardown_continue(struct ffa_ctx *ctx, bool first_time) > { > struct ffa_ctx *next_ctx = NULL; > + bool retry = false; > > send_vm_destroyed(ctx->teardown_d); > - ffa_reclaim_shms(ctx->teardown_d); > + if ( !ffa_shm_domain_destroy(ctx->teardown_d) ) > + retry = true; > > - if ( ctx->shm_count || > + if ( retry || > !bitmap_empty(ctx->vm_destroy_bitmap, subscr_vm_destroyed_count) ) > { > printk(XENLOG_G_INFO "%pd: ffa: Remaining cleanup, retrying\n", > ctx->teardown_d); > diff --git a/xen/arch/arm/tee/ffa_private.h b/xen/arch/arm/tee/ffa_private.h > index 8352b6b55a9a..f3e2f42e573e 100644 > --- a/xen/arch/arm/tee/ffa_private.h > +++ b/xen/arch/arm/tee/ffa_private.h > @@ -247,6 +247,16 @@ struct ffa_ctx { > unsigned long vm_destroy_bitmap[]; > }; > > +extern void *ffa_rx; > +extern void *ffa_tx; > +extern spinlock_t ffa_rx_buffer_lock; > +extern spinlock_t ffa_tx_buffer_lock; > + > +bool ffa_shm_domain_destroy(struct domain *d); > +void ffa_handle_mem_share(struct cpu_user_regs *regs); > +int ffa_handle_mem_reclaim(uint64_t handle, uint32_t flags); > + > + > static inline uint16_t ffa_get_vm_id(const struct domain *d) > { > /* +1 since 0 is reserved for the hypervisor in FF-A */ > diff --git a/xen/arch/arm/tee/ffa_shm.c b/xen/arch/arm/tee/ffa_shm.c > new file mode 100644 > index 000000000000..13dc44683b45 > --- /dev/null > +++ b/xen/arch/arm/tee/ffa_shm.c > @@ -0,0 +1,708 @@ > +/* SPDX-License-Identifier: GPL-2.0-only */ > +/* > + * Copyright (C) 2023 Linaro Limited Nit: The copyright has a wrong date. Cheers Bertrand > + */ > + > +#include <xen/const.h> > +#include <xen/sizes.h> > +#include <xen/types.h> > +#include <xen/mm.h> > +#include <xen/list.h> > +#include <xen/spinlock.h> > + > +#include <asm/smccc.h> > +#include <asm/regs.h> > + > +#include "ffa_private.h" > + > +/* Constituent memory region descriptor */ > +struct ffa_address_range { > + uint64_t address; > + uint32_t page_count; > + uint32_t reserved; > +}; > + > +/* Composite memory region descriptor */ > +struct ffa_mem_region { > + uint32_t total_page_count; > + uint32_t address_range_count; > + uint64_t reserved; > + struct ffa_address_range address_range_array[]; > +}; > + > +/* Memory access permissions descriptor */ > +struct ffa_mem_access_perm { > + uint16_t endpoint_id; > + uint8_t perm; > + uint8_t flags; > +}; > + > +/* Endpoint memory access descriptor */ > +struct ffa_mem_access { > + struct ffa_mem_access_perm access_perm; > + uint32_t region_offs; > + uint64_t reserved; > +}; > + > +/* Lend, donate or share memory transaction descriptor */ > +struct ffa_mem_transaction_1_0 { > + uint16_t sender_id; > + uint8_t mem_reg_attr; > + uint8_t reserved0; > + uint32_t flags; > + uint64_t handle; > + uint64_t tag; > + uint32_t reserved1; > + uint32_t mem_access_count; > + struct ffa_mem_access mem_access_array[]; > +}; > + > +struct ffa_mem_transaction_1_1 { > + uint16_t sender_id; > + uint16_t mem_reg_attr; > + uint32_t flags; > + uint64_t handle; > + uint64_t tag; > + uint32_t mem_access_size; > + uint32_t mem_access_count; > + uint32_t mem_access_offs; > + uint8_t reserved[12]; > +}; > + > +/* Calculate offset of struct ffa_mem_access from start of buffer */ > +#define MEM_ACCESS_OFFSET(access_idx) \ > + ( sizeof(struct ffa_mem_transaction_1_1) + \ > + ( access_idx ) * sizeof(struct ffa_mem_access) ) > + > +/* Calculate offset of struct ffa_mem_region from start of buffer */ > +#define REGION_OFFSET(access_count, region_idx) \ > + ( MEM_ACCESS_OFFSET(access_count) + \ > + ( region_idx ) * sizeof(struct ffa_mem_region) ) > + > +/* Calculate offset of struct ffa_address_range from start of buffer */ > +#define ADDR_RANGE_OFFSET(access_count, region_count, range_idx) \ > + ( REGION_OFFSET(access_count, region_count) + \ > + ( range_idx ) * sizeof(struct ffa_address_range) ) > + > +/* > + * The parts needed from struct ffa_mem_transaction_1_0 or struct > + * ffa_mem_transaction_1_1, used to provide an abstraction of difference in > + * data structures between version 1.0 and 1.1. This is just an internal > + * interface and can be changed without changing any ABI. > + */ > +struct ffa_mem_transaction_int { > + uint16_t sender_id; > + uint8_t mem_reg_attr; > + uint8_t flags; > + uint8_t mem_access_size; > + uint8_t mem_access_count; > + uint16_t mem_access_offs; > + uint64_t handle; > + uint64_t tag; > +}; > + > +struct ffa_shm_mem { > + struct list_head list; > + uint16_t sender_id; > + uint16_t ep_id; /* endpoint, the one lending */ > + uint64_t handle; /* FFA_HANDLE_INVALID if not set yet */ > + unsigned int page_count; > + struct page_info *pages[]; > +}; > + > +static int32_t ffa_mem_share(uint32_t tot_len, uint32_t frag_len, > + register_t addr, uint32_t pg_count, > + uint64_t *handle) > +{ > + struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_MEM_SHARE_64, > + .a1 = tot_len, > + .a2 = frag_len, > + .a3 = addr, > + .a4 = pg_count, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + switch ( resp.a0 ) > + { > + case FFA_ERROR: > + if ( resp.a2 ) > + return resp.a2; > + else > + return FFA_RET_NOT_SUPPORTED; > + case FFA_SUCCESS_32: > + *handle = regpair_to_uint64(resp.a3, resp.a2); > + return FFA_RET_OK; > + case FFA_MEM_FRAG_RX: > + *handle = regpair_to_uint64(resp.a2, resp.a1); > + if ( resp.a3 > INT32_MAX ) /* Impossible value */ > + return FFA_RET_ABORTED; > + return resp.a3 & INT32_MAX; > + default: > + return FFA_RET_NOT_SUPPORTED; > + } > +} > + > +static int32_t ffa_mem_reclaim(uint32_t handle_lo, uint32_t handle_hi, > + uint32_t flags) > +{ > + return ffa_simple_call(FFA_MEM_RECLAIM, handle_lo, handle_hi, flags, 0); > +} > + > +/* > + * Gets all page and assigns them to the supplied shared memory object. If > + * this function fails then the caller is still expected to call > + * put_shm_pages() as a cleanup. > + */ > +static int get_shm_pages(struct domain *d, struct ffa_shm_mem *shm, > + const struct ffa_address_range *range, > + uint32_t range_count, unsigned int start_page_idx, > + unsigned int *last_page_idx) > +{ > + unsigned int pg_idx = start_page_idx; > + gfn_t gfn; > + unsigned int n; > + unsigned int m; > + p2m_type_t t; > + uint64_t addr; > + uint64_t page_count; > + > + for ( n = 0; n < range_count; n++ ) > + { > + page_count = read_atomic(&range[n].page_count); > + addr = read_atomic(&range[n].address); > + for ( m = 0; m < page_count; m++ ) > + { > + if ( pg_idx >= shm->page_count ) > + return FFA_RET_INVALID_PARAMETERS; > + > + gfn = gaddr_to_gfn(addr + m * FFA_PAGE_SIZE); > + shm->pages[pg_idx] = get_page_from_gfn(d, gfn_x(gfn), &t, > + P2M_ALLOC); > + if ( !shm->pages[pg_idx] ) > + return FFA_RET_DENIED; > + /* Only normal RW RAM for now */ > + if ( t != p2m_ram_rw ) > + return FFA_RET_DENIED; > + pg_idx++; > + } > + } > + > + *last_page_idx = pg_idx; > + > + return FFA_RET_OK; > +} > + > +static void put_shm_pages(struct ffa_shm_mem *shm) > +{ > + unsigned int n; > + > + for ( n = 0; n < shm->page_count && shm->pages[n]; n++ ) > + { > + put_page(shm->pages[n]); > + shm->pages[n] = NULL; > + } > +} > + > +static bool inc_ctx_shm_count(struct domain *d, struct ffa_ctx *ctx) > +{ > + bool ret = true; > + > + spin_lock(&ctx->lock); > + > + if ( ctx->shm_count >= FFA_MAX_SHM_COUNT ) > + { > + ret = false; > + } > + else > + { > + /* > + * If this is the first shm added, increase the domain reference > + * counter as we need to keep domain around a bit longer to reclaim > + * the shared memory in the teardown path. > + */ > + if ( !ctx->shm_count ) > + get_knownalive_domain(d); > + > + ctx->shm_count++; > + } > + > + spin_unlock(&ctx->lock); > + > + return ret; > +} > + > +static void dec_ctx_shm_count(struct domain *d, struct ffa_ctx *ctx) > +{ > + bool drop_ref; > + > + spin_lock(&ctx->lock); > + > + ASSERT(ctx->shm_count > 0); > + ctx->shm_count--; > + > + /* > + * If this was the last shm removed, let go of the domain reference we > + * took in inc_ctx_shm_count() above. > + */ > + drop_ref = !ctx->shm_count; > + > + spin_unlock(&ctx->lock); > + > + if ( drop_ref ) > + put_domain(d); > +} > + > +static struct ffa_shm_mem *alloc_ffa_shm_mem(struct domain *d, > + unsigned int page_count) > +{ > + struct ffa_ctx *ctx = d->arch.tee; > + struct ffa_shm_mem *shm; > + > + if ( page_count >= FFA_MAX_SHM_PAGE_COUNT ) > + return NULL; > + if ( !inc_ctx_shm_count(d, ctx) ) > + return NULL; > + > + shm = xzalloc_flex_struct(struct ffa_shm_mem, pages, page_count); > + if ( shm ) > + shm->page_count = page_count; > + else > + dec_ctx_shm_count(d, ctx); > + > + return shm; > +} > + > +static void free_ffa_shm_mem(struct domain *d, struct ffa_shm_mem *shm) > +{ > + struct ffa_ctx *ctx = d->arch.tee; > + > + if ( !shm ) > + return; > + > + dec_ctx_shm_count(d, ctx); > + put_shm_pages(shm); > + xfree(shm); > +} > + > +static void init_range(struct ffa_address_range *addr_range, > + paddr_t pa) > +{ > + memset(addr_range, 0, sizeof(*addr_range)); > + addr_range->address = pa; > + addr_range->page_count = 1; > +} > + > +/* > + * This function uses the ffa_tx buffer to transmit the memory transaction > + * descriptor. The function depends ffa_tx_buffer_lock to be used to guard > + * the buffer from concurrent use. > + */ > +static int share_shm(struct ffa_shm_mem *shm) > +{ > + const uint32_t max_frag_len = FFA_RXTX_PAGE_COUNT * FFA_PAGE_SIZE; > + struct ffa_mem_access *mem_access_array; > + struct ffa_mem_transaction_1_1 *descr; > + struct ffa_address_range *addr_range; > + struct ffa_mem_region *region_descr; > + const unsigned int region_count = 1; > + void *buf = ffa_tx; > + uint32_t frag_len; > + uint32_t tot_len; > + paddr_t last_pa; > + unsigned int n; > + paddr_t pa; > + > + ASSERT(spin_is_locked(&ffa_tx_buffer_lock)); > + ASSERT(shm->page_count); > + > + descr = buf; > + memset(descr, 0, sizeof(*descr)); > + descr->sender_id = shm->sender_id; > + descr->handle = shm->handle; > + descr->mem_reg_attr = FFA_NORMAL_MEM_REG_ATTR; > + descr->mem_access_count = 1; > + descr->mem_access_size = sizeof(*mem_access_array); > + descr->mem_access_offs = MEM_ACCESS_OFFSET(0); > + > + mem_access_array = buf + descr->mem_access_offs; > + memset(mem_access_array, 0, sizeof(*mem_access_array)); > + mem_access_array[0].access_perm.endpoint_id = shm->ep_id; > + mem_access_array[0].access_perm.perm = FFA_MEM_ACC_RW; > + mem_access_array[0].region_offs = REGION_OFFSET(descr->mem_access_count, > 0); > + > + region_descr = buf + mem_access_array[0].region_offs; > + memset(region_descr, 0, sizeof(*region_descr)); > + region_descr->total_page_count = shm->page_count; > + > + region_descr->address_range_count = 1; > + last_pa = page_to_maddr(shm->pages[0]); > + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > + { > + pa = page_to_maddr(shm->pages[n]); > + if ( last_pa + FFA_PAGE_SIZE == pa ) > + continue; > + region_descr->address_range_count++; > + } > + > + tot_len = ADDR_RANGE_OFFSET(descr->mem_access_count, region_count, > + region_descr->address_range_count); > + if ( tot_len > max_frag_len ) > + return FFA_RET_NOT_SUPPORTED; > + > + addr_range = region_descr->address_range_array; > + frag_len = ADDR_RANGE_OFFSET(descr->mem_access_count, region_count, 1); > + last_pa = page_to_maddr(shm->pages[0]); > + init_range(addr_range, last_pa); > + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > + { > + pa = page_to_maddr(shm->pages[n]); > + if ( last_pa + FFA_PAGE_SIZE == pa ) > + { > + addr_range->page_count++; > + continue; > + } > + > + frag_len += sizeof(*addr_range); > + addr_range++; > + init_range(addr_range, pa); > + } > + > + return ffa_mem_share(tot_len, frag_len, 0, 0, &shm->handle); > +} > + > +static int read_mem_transaction(uint32_t ffa_vers, const void *buf, size_t > blen, > + struct ffa_mem_transaction_int *trans) > +{ > + uint16_t mem_reg_attr; > + uint32_t flags; > + uint32_t count; > + uint32_t offs; > + uint32_t size; > + > + if ( ffa_vers >= FFA_VERSION_1_1 ) > + { > + const struct ffa_mem_transaction_1_1 *descr; > + > + if ( blen < sizeof(*descr) ) > + return FFA_RET_INVALID_PARAMETERS; > + > + descr = buf; > + trans->sender_id = descr->sender_id; > + mem_reg_attr = descr->mem_reg_attr; > + flags = descr->flags; > + trans->handle = descr->handle; > + trans->tag = descr->tag; > + > + count = descr->mem_access_count; > + size = descr->mem_access_size; > + offs = descr->mem_access_offs; > + } > + else > + { > + const struct ffa_mem_transaction_1_0 *descr; > + > + if ( blen < sizeof(*descr) ) > + return FFA_RET_INVALID_PARAMETERS; > + > + descr = buf; > + trans->sender_id = descr->sender_id; > + mem_reg_attr = descr->mem_reg_attr; > + flags = descr->flags; > + trans->handle = descr->handle; > + trans->tag = descr->tag; > + > + count = descr->mem_access_count; > + size = sizeof(struct ffa_mem_access); > + offs = offsetof(struct ffa_mem_transaction_1_0, mem_access_array); > + } > + /* > + * Make sure that "descr" which is shared with the guest isn't accessed > + * again after this point. > + */ > + barrier(); > + > + /* > + * We're doing a rough check to see that no information is lost when > + * tranfering the values into a struct ffa_mem_transaction_int below. > + * The fields in struct ffa_mem_transaction_int are wide enough to hold > + * any valid value so being out of range means that something is wrong. > + */ > + if ( mem_reg_attr > UINT8_MAX || flags > UINT8_MAX || size > UINT8_MAX || > + count > UINT8_MAX || offs > UINT16_MAX ) > + return FFA_RET_INVALID_PARAMETERS; > + > + /* Check that the endpoint memory access descriptor array fits */ > + if ( size * count + offs > blen ) > + return FFA_RET_INVALID_PARAMETERS; > + > + trans->mem_reg_attr = mem_reg_attr; > + trans->flags = flags; > + trans->mem_access_size = size; > + trans->mem_access_count = count; > + trans->mem_access_offs = offs; > + > + return 0; > +} > + > +void ffa_handle_mem_share(struct cpu_user_regs *regs) > +{ > + uint32_t tot_len = get_user_reg(regs, 1); > + uint32_t frag_len = get_user_reg(regs, 2); > + uint64_t addr = get_user_reg(regs, 3); > + uint32_t page_count = get_user_reg(regs, 4); > + const struct ffa_mem_region *region_descr; > + const struct ffa_mem_access *mem_access; > + struct ffa_mem_transaction_int trans; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.tee; > + struct ffa_shm_mem *shm = NULL; > + unsigned int last_page_idx = 0; > + register_t handle_hi = 0; > + register_t handle_lo = 0; > + int ret = FFA_RET_DENIED; > + uint32_t range_count; > + uint32_t region_offs; > + > + /* > + * We're only accepting memory transaction descriptors via the rx/tx > + * buffer. > + */ > + if ( addr ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_set_ret; > + } > + > + /* Check that fragment length doesn't exceed total length */ > + if ( frag_len > tot_len ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out_set_ret; > + } > + > + /* We currently only support a single fragment */ > + if ( frag_len != tot_len ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_set_ret; > + } > + > + if ( !spin_trylock(&ctx->tx_lock) ) > + { > + ret = FFA_RET_BUSY; > + goto out_set_ret; > + } > + > + if ( frag_len > ctx->page_count * FFA_PAGE_SIZE ) > + goto out_unlock; > + > + ret = read_mem_transaction(ctx->guest_vers, ctx->tx, frag_len, &trans); > + if ( ret ) > + goto out_unlock; > + > + if ( trans.mem_reg_attr != FFA_NORMAL_MEM_REG_ATTR ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + /* Only supports sharing it with one SP for now */ > + if ( trans.mem_access_count != 1 ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + if ( trans.sender_id != ffa_get_vm_id(d) ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out_unlock; > + } > + > + /* Check that it fits in the supplied data */ > + if ( trans.mem_access_offs + trans.mem_access_size > frag_len ) > + goto out_unlock; > + > + mem_access = ctx->tx + trans.mem_access_offs; > + if ( read_atomic(&mem_access->access_perm.perm) != FFA_MEM_ACC_RW ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + region_offs = read_atomic(&mem_access->region_offs); > + if ( sizeof(*region_descr) + region_offs > frag_len ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + region_descr = ctx->tx + region_offs; > + range_count = read_atomic(®ion_descr->address_range_count); > + page_count = read_atomic(®ion_descr->total_page_count); > + > + if ( !page_count ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out_unlock; > + } > + > + shm = alloc_ffa_shm_mem(d, page_count); > + if ( !shm ) > + { > + ret = FFA_RET_NO_MEMORY; > + goto out_unlock; > + } > + shm->sender_id = trans.sender_id; > + shm->ep_id = read_atomic(&mem_access->access_perm.endpoint_id); > + > + /* > + * Check that the Composite memory region descriptor fits. > + */ > + if ( sizeof(*region_descr) + region_offs + > + range_count * sizeof(struct ffa_address_range) > frag_len ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + > + ret = get_shm_pages(d, shm, region_descr->address_range_array, > range_count, > + 0, &last_page_idx); > + if ( ret ) > + goto out; > + if ( last_page_idx != shm->page_count ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + > + /* Note that share_shm() uses our tx buffer */ > + spin_lock(&ffa_tx_buffer_lock); > + ret = share_shm(shm); > + spin_unlock(&ffa_tx_buffer_lock); > + if ( ret ) > + goto out; > + > + spin_lock(&ctx->lock); > + list_add_tail(&shm->list, &ctx->shm_list); > + spin_unlock(&ctx->lock); > + > + uint64_to_regpair(&handle_hi, &handle_lo, shm->handle); > + > +out: > + if ( ret ) > + free_ffa_shm_mem(d, shm); > +out_unlock: > + spin_unlock(&ctx->tx_lock); > + > +out_set_ret: > + if ( ret == 0) > + ffa_set_regs_success(regs, handle_lo, handle_hi); > + else > + ffa_set_regs_error(regs, ret); > +} > + > +/* Must only be called with ctx->lock held */ > +static struct ffa_shm_mem *find_shm_mem(struct ffa_ctx *ctx, uint64_t handle) > +{ > + struct ffa_shm_mem *shm; > + > + list_for_each_entry(shm, &ctx->shm_list, list) > + if ( shm->handle == handle ) > + return shm; > + > + return NULL; > +} > + > +int ffa_handle_mem_reclaim(uint64_t handle, uint32_t flags) > +{ > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.tee; > + struct ffa_shm_mem *shm; > + register_t handle_hi; > + register_t handle_lo; > + int ret; > + > + spin_lock(&ctx->lock); > + shm = find_shm_mem(ctx, handle); > + if ( shm ) > + list_del(&shm->list); > + spin_unlock(&ctx->lock); > + if ( !shm ) > + return FFA_RET_INVALID_PARAMETERS; > + > + uint64_to_regpair(&handle_hi, &handle_lo, handle); > + ret = ffa_mem_reclaim(handle_lo, handle_hi, flags); > + > + if ( ret ) > + { > + spin_lock(&ctx->lock); > + list_add_tail(&shm->list, &ctx->shm_list); > + spin_unlock(&ctx->lock); > + } > + else > + { > + free_ffa_shm_mem(d, shm); > + } > + > + return ret; > +} > + > +bool ffa_shm_domain_destroy(struct domain *d) > +{ > + struct ffa_ctx *ctx = d->arch.tee; > + struct ffa_shm_mem *shm, *tmp; > + int32_t res; > + > + list_for_each_entry_safe(shm, tmp, &ctx->shm_list, list) > + { > + register_t handle_hi; > + register_t handle_lo; > + > + uint64_to_regpair(&handle_hi, &handle_lo, shm->handle); > + res = ffa_mem_reclaim(handle_lo, handle_hi, 0); > + switch ( res ) { > + case FFA_RET_OK: > + printk(XENLOG_G_DEBUG "%pd: ffa: Reclaimed handle %#lx\n", > + d, shm->handle); > + list_del(&shm->list); > + free_ffa_shm_mem(d, shm); > + break; > + case FFA_RET_DENIED: > + /* > + * A temporary error that may get resolved a bit later, it's > + * worth retrying. > + */ > + printk(XENLOG_G_INFO "%pd: ffa: Failed to reclaim handle %#lx : > %d\n", > + d, shm->handle, res); > + break; /* We will retry later */ > + default: > + /* > + * The rest of the error codes are not expected and are assumed > + * to be of a permanent nature. It not in our control to handle > + * the error properly so the object in this case is to try to > + * minimize the damage. > + * > + * FFA_RET_NO_MEMORY might be a temporary error as it it could > + * succeed if retried later, but treat it as permanent for now. > + */ > + printk(XENLOG_G_INFO "%pd: ffa: Permanent failure to reclaim > handle %#lx : %d\n", > + d, shm->handle, res); > + > + /* > + * Remove the shm from the list and free it, but don't drop > + * references. This results in having the shared physical pages > + * permanently allocate and also keeps the domain as a zombie > + * domain. > + */ > + list_del(&shm->list); > + xfree(shm); > + break; > + } > + } > + > + return !ctx->shm_count; > +} > -- > 2.34.1 >
|
![]() |
Lists.xenproject.org is hosted with RackSpace, monitoring our |