From: Vincent Donnefort <vdonnefort@google.com>
To: tabba@google.com
Cc: Marc Zyngier <maz@kernel.org>, Oliver Upton <oupton@kernel.org>,
Will Deacon <will@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Quentin Perret <qperret@google.com>,
Sebastian Ene <sebastianene@google.com>,
Per Larsen <perlarsen@google.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Zenghui Yu <yuzenghui@huawei.com>,
Joey Gouly <joey.gouly@arm.com>,
Steffen Eiden <seiden@linux.ibm.com>,
Mark Rutland <mark.rutland@arm.com>,
Jonathan Cameron <jonathan.cameron@huawei.com>,
Hyunwoo Kim <imv4bel@gmail.com>,
linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1 02/11] KVM: arm64: Use guard(hyp_spinlock) in pKVM hypervisor code
Date: Mon, 15 Jun 2026 13:53:35 +0100 [thread overview]
Message-ID: <ai_1z13TyEXbHx4Q@google.com> (raw)
In-Reply-To: <20260612065925.755562-3-tabba@google.com>
On Fri, Jun 12, 2026 at 07:59:16AM +0100, tabba@google.com wrote:
> Convert the manual hyp_spin_lock()/hyp_spin_unlock() pairs in
> arch/arm64/kvm/hyp/nvhe/{pkvm,mm,page_alloc,ffa}.c to
> guard(hyp_spinlock) and scoped_guard(hyp_spinlock), dropping several
> unlock-only goto labels in favour of direct returns.
>
> hyp_fixblock_lock in mm.c is left as an explicit lock/unlock pair: it is
> acquired in hyp_fixblock_map() and released in hyp_fixblock_unmap(), so
> its critical section spans two functions and cannot be expressed as a
> single lexical scope.
>
> Signed-off-by: Fuad Tabba <tabba@google.com>
> ---
> arch/arm64/kvm/hyp/nvhe/ffa.c | 154 +++++++++++----------------
> arch/arm64/kvm/hyp/nvhe/mm.c | 37 ++-----
> arch/arm64/kvm/hyp/nvhe/page_alloc.c | 13 +--
> arch/arm64/kvm/hyp/nvhe/pkvm.c | 86 +++++----------
> 4 files changed, 105 insertions(+), 185 deletions(-)
>
> diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
> index 1af722771178..46cd4fa924be 100644
> --- a/arch/arm64/kvm/hyp/nvhe/ffa.c
> +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
> @@ -313,17 +313,16 @@ static void do_ffa_rxtx_unmap(struct arm_smccc_1_2_regs *res,
> struct kvm_cpu_context *ctxt)
> {
> DECLARE_REG(u32, id, ctxt, 1);
> - int ret = 0;
>
> if (id != HOST_FFA_ID) {
> - ret = FFA_RET_INVALID_PARAMETERS;
> - goto out;
> + ffa_to_smccc_res(res, FFA_RET_INVALID_PARAMETERS);
> + return;
> }
>
> - hyp_spin_lock(&host_buffers.lock);
> + guard(hyp_spinlock)(&host_buffers.lock);
> if (!host_buffers.tx) {
> - ret = FFA_RET_INVALID_PARAMETERS;
> - goto out_unlock;
> + ffa_to_smccc_res(res, FFA_RET_INVALID_PARAMETERS);
> + return;
> }
>
> hyp_unpin_shared_mem(host_buffers.tx, host_buffers.tx + 1);
> @@ -336,10 +335,7 @@ static void do_ffa_rxtx_unmap(struct arm_smccc_1_2_regs *res,
>
> ffa_unmap_hyp_buffers();
>
> -out_unlock:
> - hyp_spin_unlock(&host_buffers.lock);
> -out:
> - ffa_to_smccc_res(res, ret);
> + ffa_to_smccc_res(res, 0);
> }
>
> static u32 __ffa_host_share_ranges(struct ffa_mem_region_addr_range *ranges,
> @@ -418,18 +414,20 @@ static void do_ffa_mem_frag_tx(struct arm_smccc_1_2_regs *res,
> DECLARE_REG(u32, fraglen, ctxt, 3);
> DECLARE_REG(u32, endpoint_id, ctxt, 4);
> struct ffa_mem_region_addr_range *buf;
> - int ret = FFA_RET_INVALID_PARAMETERS;
> + int ret;
> u32 nr_ranges;
nit: inverted christmas tree
>
> - if (fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE)
> - goto out;
> + if (fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE ||
> + fraglen % sizeof(*buf)) {
nit: I don't know if we wouldn't want extra parenthesis here for readability.
> + ffa_to_smccc_res(res, FFA_RET_INVALID_PARAMETERS);
> + return;
> + }
>
> - if (fraglen % sizeof(*buf))
> - goto out;
> -
> - hyp_spin_lock(&host_buffers.lock);
> - if (!host_buffers.tx)
> - goto out_unlock;
> + guard(hyp_spinlock)(&host_buffers.lock);
> + if (!host_buffers.tx) {
> + ffa_to_smccc_res(res, FFA_RET_INVALID_PARAMETERS);
> + return;
> + }
>
> buf = hyp_buffers.tx;
> memcpy(buf, host_buffers.tx, fraglen);
> @@ -444,19 +442,14 @@ static void do_ffa_mem_frag_tx(struct arm_smccc_1_2_regs *res,
> */
> ffa_mem_reclaim(res, handle_lo, handle_hi, 0);
> WARN_ON(res->a0 != FFA_SUCCESS);
> - goto out_unlock;
> + ffa_to_smccc_res(res, ret);
> + return;
> }
>
> ffa_mem_frag_tx(res, handle_lo, handle_hi, fraglen, endpoint_id);
> if (res->a0 != FFA_SUCCESS && res->a0 != FFA_MEM_FRAG_RX)
> WARN_ON(ffa_host_unshare_ranges(buf, nr_ranges));
>
> -out_unlock:
> - hyp_spin_unlock(&host_buffers.lock);
> -out:
> - if (ret)
> - ffa_to_smccc_res(res, ret);
> -
> /*
> * If for any reason this did not succeed, we're in trouble as we have
> * now lost the content of the previous fragments and we can't rollback
> @@ -465,7 +458,6 @@ static void do_ffa_mem_frag_tx(struct arm_smccc_1_2_regs *res,
> * sharing/donating them again and may possibly lead to subsequent
> * failures, but this will not compromise confidentiality.
> */
> - return;
> }
>
> static void __do_ffa_mem_xfer(const u64 func_id,
> @@ -480,29 +472,29 @@ static void __do_ffa_mem_xfer(const u64 func_id,
> struct ffa_composite_mem_region *reg;
> struct ffa_mem_region *buf;
> u32 offset, nr_ranges, checked_offset;
> - int ret = 0;
> + int ret;
>
> if (addr_mbz || npages_mbz || fraglen > len ||
> fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE) {
> - ret = FFA_RET_INVALID_PARAMETERS;
> - goto out;
> + ffa_to_smccc_res(res, FFA_RET_INVALID_PARAMETERS);
> + return;
> }
>
> if (fraglen < sizeof(struct ffa_mem_region) +
> sizeof(struct ffa_mem_region_attributes)) {
> - ret = FFA_RET_INVALID_PARAMETERS;
> - goto out;
> + ffa_to_smccc_res(res, FFA_RET_INVALID_PARAMETERS);
> + return;
> }
>
> - hyp_spin_lock(&host_buffers.lock);
> + guard(hyp_spinlock)(&host_buffers.lock);
> if (!host_buffers.tx) {
> - ret = FFA_RET_INVALID_PARAMETERS;
> - goto out_unlock;
> + ffa_to_smccc_res(res, FFA_RET_INVALID_PARAMETERS);
> + return;
> }
>
> if (len > ffa_desc_buf.len) {
> - ret = FFA_RET_NO_MEMORY;
> - goto out_unlock;
> + ffa_to_smccc_res(res, FFA_RET_NO_MEMORY);
> + return;
> }
>
> buf = hyp_buffers.tx;
> @@ -512,53 +504,41 @@ static void __do_ffa_mem_xfer(const u64 func_id,
> ffa_mem_desc_offset(buf, 0, hyp_ffa_version);
> offset = ep_mem_access->composite_off;
> if (!offset || buf->ep_count != 1 || buf->sender_id != HOST_FFA_ID) {
> - ret = FFA_RET_INVALID_PARAMETERS;
> - goto out_unlock;
> + ffa_to_smccc_res(res, FFA_RET_INVALID_PARAMETERS);
> + return;
> }
>
> if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) {
> - ret = FFA_RET_INVALID_PARAMETERS;
> - goto out_unlock;
> + ffa_to_smccc_res(res, FFA_RET_INVALID_PARAMETERS);
> + return;
> }
>
> if (fraglen < checked_offset) {
> - ret = FFA_RET_INVALID_PARAMETERS;
> - goto out_unlock;
> + ffa_to_smccc_res(res, FFA_RET_INVALID_PARAMETERS);
> + return;
> }
>
> reg = (void *)buf + offset;
> nr_ranges = ((void *)buf + fraglen) - (void *)reg->constituents;
> if (nr_ranges % sizeof(reg->constituents[0])) {
> - ret = FFA_RET_INVALID_PARAMETERS;
> - goto out_unlock;
> + ffa_to_smccc_res(res, FFA_RET_INVALID_PARAMETERS);
> + return;
> }
>
> nr_ranges /= sizeof(reg->constituents[0]);
> ret = ffa_host_share_ranges(reg->constituents, nr_ranges);
> - if (ret)
> - goto out_unlock;
> + if (ret) {
> + ffa_to_smccc_res(res, ret);
> + return;
> + }
>
> ffa_mem_xfer(res, func_id, len, fraglen);
> if (fraglen != len) {
> - if (res->a0 != FFA_MEM_FRAG_RX)
> - goto err_unshare;
> -
> - if (res->a3 != fraglen)
> - goto err_unshare;
> + if (res->a0 != FFA_MEM_FRAG_RX || res->a3 != fraglen)
> + WARN_ON(ffa_host_unshare_ranges(reg->constituents, nr_ranges));
> } else if (res->a0 != FFA_SUCCESS) {
> - goto err_unshare;
> + WARN_ON(ffa_host_unshare_ranges(reg->constituents, nr_ranges));
I am not sure this is really better for this function. At least we had a single
callsite to this WARN_ON(ffa_host_unshare_ranges) ...
Or alternatively if we really want guard() this can just set ret = XXX and then
if (ret)
WARN_ON(ffa_host_unshare_ranges(reg->constituents, nr_ranges));
So we can keep a single call site for the rollback.
> }
> -
> -out_unlock:
> - hyp_spin_unlock(&host_buffers.lock);
> -out:
> - if (ret)
> - ffa_to_smccc_res(res, ret);
> - return;
> -
> -err_unshare:
> - WARN_ON(ffa_host_unshare_ranges(reg->constituents, nr_ranges));
> - goto out_unlock;
> }
>
[...]
> int __pkvm_finalize_teardown_vm(pkvm_handle_t handle)
> @@ -996,22 +975,19 @@ int __pkvm_finalize_teardown_vm(pkvm_handle_t handle)
> struct kvm *host_kvm;
> unsigned int idx;
> size_t vm_size;
> - int err;
>
> - hyp_spin_lock(&vm_table_lock);
> - hyp_vm = get_pkvm_unref_hyp_vm_locked(handle);
> - if (!hyp_vm || !hyp_vm->kvm.arch.pkvm.is_dying) {
> - err = -EINVAL;
> - goto err_unlock;
> + scoped_guard(hyp_spinlock, &vm_table_lock) {
> + hyp_vm = get_pkvm_unref_hyp_vm_locked(handle);
> + if (!hyp_vm || !hyp_vm->kvm.arch.pkvm.is_dying)
> + return -EINVAL;
> +
> + host_kvm = hyp_vm->host_kvm;
> +
> + /* Ensure the VMID is clean before it can be reallocated */
> + __kvm_tlb_flush_vmid(&hyp_vm->kvm.arch.mmu);
> + remove_vm_table_entry(handle);
> }
>
> - host_kvm = hyp_vm->host_kvm;
> -
> - /* Ensure the VMID is clean before it can be reallocated */
> - __kvm_tlb_flush_vmid(&hyp_vm->kvm.arch.mmu);
> - remove_vm_table_entry(handle);
> - hyp_spin_unlock(&vm_table_lock);
> -
> /* Reclaim guest pages (including page-table pages) */
> mc = &host_kvm->arch.pkvm.teardown_mc;
> stage2_mc = &host_kvm->arch.pkvm.stage2_teardown_mc;
> @@ -1042,10 +1018,6 @@ int __pkvm_finalize_teardown_vm(pkvm_handle_t handle)
> teardown_donated_memory(mc, hyp_vm, vm_size);
> hyp_unpin_shared_mem(host_kvm, host_kvm + 1);
> return 0;
> -
> -err_unlock:
> - hyp_spin_unlock(&vm_table_lock);
> - return err;
For this one too I doubt this is really interesting: only one path using
err_unlock and actually the entire label could be just removed to to simply do
hyp_spin_unlock() return -EINVAL;
This would avoid adding another tab with that scoped_guard(). But that's
probably my aversion to scoped_guard() talking.
> }
>
> static u64 __pkvm_memshare_page_req(struct kvm_vcpu *vcpu, u64 ipa)
> --
> 2.54.0.1136.gdb2ca164c4-goog
>
next prev parent reply other threads:[~2026-06-15 12:53 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 6:59 [PATCH v1 00/11] KVM: arm64: Rework pKVM vCPU state synchronisation tabba
2026-06-12 6:59 ` [PATCH v1 01/11] KVM: arm64: Add scoped resource management (guard) for hyp_spinlock tabba
2026-06-12 6:59 ` [PATCH v1 02/11] KVM: arm64: Use guard(hyp_spinlock) in pKVM hypervisor code tabba
2026-06-15 12:53 ` Vincent Donnefort [this message]
2026-06-15 13:11 ` Fuad Tabba
2026-06-12 6:59 ` [PATCH v1 03/11] KVM: arm64: Use guard()/scoped_guard() in arm64 KVM EL1 code tabba
2026-06-15 12:59 ` Vincent Donnefort
2026-06-15 13:17 ` Fuad Tabba
2026-06-12 6:59 ` [PATCH v1 04/11] KVM: arm64: Extract MPIDR computation into a shared header tabba
2026-06-12 6:59 ` [PATCH v1 05/11] KVM: arm64: Make vcpu_{read,write}_sys_reg available to HYP code tabba
2026-06-12 7:17 ` sashiko-bot
2026-06-12 7:53 ` Fuad Tabba
2026-06-15 13:11 ` Vincent Donnefort
2026-06-15 13:29 ` Fuad Tabba
2026-06-12 6:59 ` [PATCH v1 06/11] KVM: arm64: Factor out reusable vCPU reset helpers tabba
2026-06-15 13:16 ` Vincent Donnefort
2026-06-15 13:45 ` Fuad Tabba
2026-06-12 6:59 ` [PATCH v1 07/11] KVM: arm64: Move PSCI helper functions to a shared header tabba
2026-06-12 6:59 ` [PATCH v1 08/11] KVM: arm64: Add host and hypervisor vCPU lookup primitives tabba
2026-06-12 7:08 ` sashiko-bot
2026-06-12 7:15 ` Fuad Tabba
2026-06-12 6:59 ` [PATCH v1 09/11] KVM: arm64: Minimise EL2's exposure of host VGIC state during world switch tabba
2026-06-12 7:24 ` sashiko-bot
2026-06-12 8:05 ` Fuad Tabba
2026-06-12 8:09 ` Fuad Tabba
2026-06-12 6:59 ` [PATCH v1 10/11] KVM: arm64: Add primitives to flush/sync the VGIC state at EL2 tabba
2026-06-12 7:23 ` sashiko-bot
2026-06-12 8:14 ` Fuad Tabba
2026-06-12 6:59 ` [PATCH v1 11/11] KVM: arm64: Implement lazy vCPU state sync for non-protected guests tabba
2026-06-12 7:19 ` sashiko-bot
2026-06-12 9:51 ` Fuad Tabba
2026-06-15 16:25 ` Vincent Donnefort
2026-06-15 16:44 ` Fuad Tabba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ai_1z13TyEXbHx4Q@google.com \
--to=vdonnefort@google.com \
--cc=catalin.marinas@arm.com \
--cc=imv4bel@gmail.com \
--cc=joey.gouly@arm.com \
--cc=jonathan.cameron@huawei.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=maz@kernel.org \
--cc=oupton@kernel.org \
--cc=perlarsen@google.com \
--cc=qperret@google.com \
--cc=sebastianene@google.com \
--cc=seiden@linux.ibm.com \
--cc=suzuki.poulose@arm.com \
--cc=tabba@google.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.