[PATCH v6 2/2] KVM: arm64: Support FFA_MSG_SEND_DIRECT_REQ2 in host handler

Fuad Tabba tabba at google.com
Tue May 19 04:59:06 PDT 2026


Hi Per,

On Fri, 1 May 2026 at 06:34, Per Larsen via B4 Relay
<devnull+perlarsen.google.com at kernel.org> wrote:
>
> From: Per Larsen <perlarsen at google.com>
>
> FF-A 1.2 adds the DIRECT_REQ2 messaging interface which is similar to
> the existing FFA_MSG_SEND_DIRECT_{REQ,RESP} functions and can use the
> existing handler function. Add support for FFA_MSG_SEND_DIRECT_REQ2 in
> the host ffa handler.
>
> Reviewed-by: Yeoreum Yun <yeoreum.yun at arm.com>
> Signed-off-by: Per Larsen <perlarsen at google.com>
> ---
>  arch/arm64/kvm/hyp/nvhe/ffa.c | 17 ++++++++++++++---
>  1 file changed, 14 insertions(+), 3 deletions(-)
>
> diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
> index 3a58e01d255f..e5718c0f1c31 100644
> --- a/arch/arm64/kvm/hyp/nvhe/ffa.c
> +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
> @@ -684,11 +684,12 @@ static bool ffa_call_supported(u64 func_id)
>         case FFA_NOTIFICATION_GET:
>         case FFA_NOTIFICATION_INFO_GET:
>         /* Optional interfaces added in FF-A 1.2 */
> -       case FFA_MSG_SEND_DIRECT_REQ2:          /* Optional per 7.5.1 */
>         case FFA_MSG_SEND_DIRECT_RESP2:         /* Optional per 7.5.1 */
>         case FFA_CONSOLE_LOG:                   /* Optional per 13.1: not in Table 13.1 */
>         case FFA_PARTITION_INFO_GET_REGS:       /* Optional for virtual instances per 13.1 */
>                 return false;
> +       case FFA_MSG_SEND_DIRECT_REQ2:          /* Optional per 7.5.1 */
> +               return hyp_ffa_version >= FFA_VERSION_1_2;
>         }
>
>         return true;
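Review bot: the FFA_MSG_SEND_DIRECT_REQ2 arm moved out of the "Optional interfaces added in FF-A 1.2" block now carries the same "Optional per 7.5.1" comment as FFA_MSG_SEND_DIRECT_RESP2, yet one returns `hyp_ffa_version >= FFA_VERSION_1_2` and the other still returns false. A one-line comment on the new arm saying why only the request side is gated on hyp_ffa_version (and why RESP2 stays rejected) would keep the next reader from "fixing" the asymmetry by moving RESP2 too.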
> @@ -865,6 +866,7 @@ static void do_ffa_part_get(struct arm_smccc_1_2_regs *res,
>  static void do_ffa_direct_msg(struct arm_smccc_1_2_regs *res,
>                               struct kvm_cpu_context *ctxt)
>  {
> +       DECLARE_REG(u64, func_id, ctxt, 0);
>         DECLARE_REG(u32, endp, ctxt, 1);
>         DECLARE_REG(u32, flags, ctxt, 2);
>
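Review bot: `DECLARE_REG(u64, func_id, ctxt, 0)` reads X0 back from the saved host context even though the dispatcher that calls this function already receives `func_id` as a u32 argument (see `bool kvm_host_ffa_handler(struct kvm_cpu_context *host_ctxt, u32 func_id)` in the later hunk). The two values need not agree if the dispatcher has masked or validated bits that the saved register still carries. Suggest adding a `u32 func_id` parameter to do_ffa_direct_msg() and dropping this DECLARE_REG, so the callee only ever sees the value the switch matched on.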
> @@ -875,8 +877,12 @@ static void do_ffa_direct_msg(struct arm_smccc_1_2_regs *res,
>                 return;
>         }
>
> -       /* filter out framework messages and validate SBZ/MBZ bits */
> -       if (flags) {
> +       /*
> +        * filter out framework messages and validate SBZ/MBZ flag bits.
> +        * FFA_MSG_SEND_DIRECT_REQ2 implies flag-less partition message.
> +        */
> +       if ((func_id == FFA_MSG_SEND_DIRECT_REQ ||
> +            func_id == FFA_FN64_MSG_SEND_DIRECT_REQ) && flags) {

I don't have much experience with FFA, however, Sashiko flagged this
[1], and I think it found a real issue.

handle_host_smc() in hyp-main.c clears ARM_SMCCC_CALL_HINTS from its
local func_id and rejects calls with non-zero x0[63:32] before
dispatching here, so the upper bits (u64) aren't the issue. The issue is
that the hint-bit clear in handle_host_smc() only touches the local variable.
host_ctxt->regs.regs[0] still carries whatever the host wrote.

The DECLARE_REG() you added re-reads the raw X0 from ctxt, so the
SVE_HINT bit (0x10000) reappears. With the host setting that bit,
func_id becomes 0x8401006F and the equality test against
FFA_MSG_SEND_DIRECT_REQ (0x8400006F) falls through, skipping the
flags check. Note this isn't u64-specific -- u32 would capture the
same bit.

I think it's safest to pass the canonicalised func_id from
kvm_host_ffa_handler() rather than re-deriving here, matching the
__do_ffa_mem_xfer() style.

Cheers,
/fuad

[1] https://sashiko.dev/#/patchset/20260501-host-direct-messages-v6-0-3f4af727ed85%40google.com



>                 ffa_to_smccc_error(res, FFA_RET_INVALID_PARAMETERS);
>                 return;
>         }
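Review bot: the new condition is an allow-list of two IDs, so any func_id value that matches neither of them (a DIRECT_REQ ID with extra bits set, for instance) skips the flags check entirely and is forwarded. Inverting it to `if (func_id != FFA_MSG_SEND_DIRECT_REQ2 && flags)` keeps the existing strict behaviour for every caller except the one interface the comment says has no flags word, and fails closed if func_id is ever not what this function expects. The comment could also state why X2 needs no validation for REQ2, so it is clear the register is deliberately not treated as flags rather than merely unchecked.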
> @@ -942,6 +948,10 @@ bool kvm_host_ffa_handler(struct kvm_cpu_context *host_ctxt, u32 func_id)
>         case FFA_PARTITION_INFO_GET:
>                 do_ffa_part_get(&res, host_ctxt);
>                 goto out_handled;
> +       case FFA_MSG_SEND_DIRECT_REQ2:
> +               if (!ffa_call_supported(func_id))
> +                       goto out_not_supported;
> +               fallthrough;
>         case FFA_MSG_SEND_DIRECT_REQ:
>         case FFA_FN64_MSG_SEND_DIRECT_REQ:
>                 do_ffa_direct_msg(&res, host_ctxt);
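Review bot: `func_id` is in scope here as the u32 parameter of kvm_host_ffa_handler() but is not handed to do_ffa_direct_msg(&res, host_ctxt), so the callee has to re-derive it from host_ctxt; passing it through (`do_ffa_direct_msg(&res, host_ctxt, func_id);`) gives the callee exactly the value this switch matched on. Separately, the `ffa_call_supported()` gate is applied only on the REQ2 arm before the fallthrough while FFA_MSG_SEND_DIRECT_REQ and FFA_FN64_MSG_SEND_DIRECT_REQ are dispatched unconditionally; a short comment that REQ2 is the only one of the three whose support depends on hyp_ffa_version would make the asymmetry read as deliberate.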
> @@ -951,6 +961,7 @@ bool kvm_host_ffa_handler(struct kvm_cpu_context *host_ctxt, u32 func_id)
>         if (ffa_call_supported(func_id))
>                 return false; /* Pass through */
>
> +out_not_supported:
>         ffa_to_smccc_error(&res, FFA_RET_NOT_SUPPORTED);
>  out_handled:
>         ffa_set_retval(host_ctxt, &res);
>
> --
> 2.54.0.545.g6539524ca2-goog
>
>
>
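To make the point in Fuad's reply concrete, here is an added, self-contained C model of the two code shapes; it is not code from the patch or from the kernel. The saved-register struct, the result codes and the function names are stand-ins of my own. FFA_MSG_SEND_DIRECT_REQ (0x8400006F) and the SVE hint bit (0x10000) are the values quoted in the thread; FFA_MSG_SEND_DIRECT_REQ2 as the SMC64 ID 0xC400008D and the endpoint value in X1 are assumptions made for this example. The "raw re-read" path is the posted patch's shape; the "canonical" path is the suggested shape, which takes the dispatcher's cleaned u32 func_id and only exempts DIRECT_REQ2 from the flags check:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Function IDs. DIRECT_REQ and its SMC64 form, plus the SVE hint bit, are
 * the values quoted in the thread. FFA_MSG_SEND_DIRECT_REQ2 as 0xC400008D
 * is an assumption for this model; check it against arm_ffa.h.
 */
#define FFA_MSG_SEND_DIRECT_REQ       UINT64_C(0x8400006F)
#define FFA_FN64_MSG_SEND_DIRECT_REQ  UINT64_C(0xC400006F)
#define FFA_MSG_SEND_DIRECT_REQ2      UINT64_C(0xC400008D)  /* assumption */
#define ARM_SMCCC_SVE_HINT            (UINT64_C(1) << 16)   /* 0x10000 */
#define ARM_SMCCC_CALL_HINTS          ARM_SMCCC_SVE_HINT

/* Stand-in for the saved host kvm_cpu_context: only X0..X3 are modelled. */
struct host_ctxt {
    uint64_t regs[4];
};

enum direct_msg_result {
    RES_BAD_FUNC_ID = -1,       /* the dispatcher would refuse the call */
    RES_FORWARDED = 0,          /* the call reaches the SMC to the SPMC */
    RES_INVALID_PARAMETERS = 1  /* FFA_RET_INVALID_PARAMETERS returned */
};

/*
 * Model of the dispatcher's canonicalisation: mask the SMCCC hint bits and
 * reject x0[63:32] != 0. Only the local copy is cleaned; the saved register
 * in ctxt stays exactly as the host wrote it, which is the point at issue.
 */
static bool canonicalise_func_id(const struct host_ctxt *ctxt, uint32_t *func_id)
{
    uint64_t x0 = ctxt->regs[0] & ~ARM_SMCCC_CALL_HINTS;

    if (x0 >> 32)
        return false;
    *func_id = (uint32_t)x0;
    return true;
}

/* Posted-patch shape: func_id is re-read raw from saved X0 in the callee. */
static bool reject_flags_raw_reread(const struct host_ctxt *ctxt)
{
    uint64_t func_id = ctxt->regs[0];
    uint32_t flags = (uint32_t)ctxt->regs[2];

    return (func_id == FFA_MSG_SEND_DIRECT_REQ ||
            func_id == FFA_FN64_MSG_SEND_DIRECT_REQ) && flags;
}

/*
 * Suggested shape: the callee takes the canonical u32 func_id and fails
 * closed; only DIRECT_REQ2, whose X2 is not a flags word, skips the check.
 */
static bool reject_flags_canonical(uint32_t func_id, const struct host_ctxt *ctxt)
{
    uint32_t flags = (uint32_t)ctxt->regs[2];

    return func_id != (uint32_t)FFA_MSG_SEND_DIRECT_REQ2 && flags;
}

/* Run one host SMC through the chosen flags check; X1 endpoint is constructed. */
static enum direct_msg_result run_case(uint64_t x0, uint32_t flags, bool use_canonical)
{
    struct host_ctxt ctxt = { { x0, 0x8001, flags, 0 } };
    uint32_t func_id;
    bool reject;

    if (!canonicalise_func_id(&ctxt, &func_id))
        return RES_BAD_FUNC_ID;

    reject = use_canonical ? reject_flags_canonical(func_id, &ctxt)
                           : reject_flags_raw_reread(&ctxt);
    return reject ? RES_INVALID_PARAMETERS : RES_FORWARDED;
}

int main(void)
{
    uint64_t hinted = FFA_MSG_SEND_DIRECT_REQ | ARM_SMCCC_SVE_HINT; /* 0x8401006F */

    printf("raw re-read, SVE hint, flags=1: %d (0 = flags check bypassed)\n",
           run_case(hinted, 1, false));
    printf("canonical,   SVE hint, flags=1: %d (1 = INVALID_PARAMETERS)\n",
           run_case(hinted, 1, true));
    printf("canonical,   DIRECT_REQ2, x2=1: %d (0 = forwarded, no flags word)\n",
           run_case(FFA_MSG_SEND_DIRECT_REQ2, 1, true));
    return 0;
}
```

The first line of output is the bypass: with the hint bit set, the raw re-read compares 0x8401006F against 0x8400006F, neither equality holds, and a non-zero flags word goes through. The canonical variant rejects the same call because it compares the cleaned value and treats every ID except DIRECT_REQ2 as carrying a flags word.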