From: Deepanshu Kartikey
To: rostedt@goodmis.org, mhiramat@kernel.org, mathieu.desnoyers@efficios.com
Cc: m.szyprowski@samsung.com, leon@kernel.org, jgg@ziepe.ca, ptesarik@suse.com, kbusch@kernel.org, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, Deepanshu Kartikey, syzbot+28cea38c382fd15e751a@syzkaller.appspotmail.com, Deepanshu Kartikey
Subject: [PATCH] tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow
Date: Fri, 30 Jan 2026 11:33:17 +0530
Message-ID: <20260130060317.54522-1-kartikey406@gmail.com>

The dma_map_sg tracepoint can trigger a perf buffer overflow when
tracing large scatter-gather lists. With devices like virtio-gpu
creating large DRM buffers, nents can exceed 1000 entries, resulting in:

  phys_addrs: 1000 * 8 bytes = 8,000 bytes
  dma_addrs:  1000 * 8 bytes = 8,000 bytes
  lengths:    1000 * 4 bytes = 4,000 bytes
  Total: ~20,000 bytes

This exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:

  WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405
  perf buffer not large enough, wanted 24620, have 8192

Cap all three dynamic arrays at a fixed size of 128 entries. This limits
the total event size to approximately 2,760 bytes, safely under the 8KB
limit while still providing sufficient debugging information for typical
cases.

The tracepoint now records the full nents/ents counts and a truncated
flag so users can see when data has been capped.

Reported-by: syzbot+28cea38c382fd15e751a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=28cea38c382fd15e751a
Signed-off-by: Deepanshu Kartikey
---
 include/trace/events/dma.h | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/include/trace/events/dma.h b/include/trace/events/dma.h index b3fef140ae15..c4e1a9f0c9c4 100644 --- a/include/trace/events/dma.h +++ b/include/trace/events/dma.h @@ -275,6 +275,8 @@ TRACE_EVENT(dma_free_sgt, sizeof(u64), sizeof(u64))) ); =20 +#define DMA_TRACE_MAX_ENTRIES 128 + TRACE_EVENT(dma_map_sg, TP_PROTO(struct device *dev, struct scatterlist *sgl, int nents, int ents, enum dma_data_direction dir, unsigned long attrs), @@ -282,9 +284,12 @@ TRACE_EVENT(dma_map_sg, =20 TP_STRUCT__entry( __string(device, dev_name(dev)) - __dynamic_array(u64, phys_addrs, nents) - __dynamic_array(u64, dma_addrs, ents) - __dynamic_array(unsigned int, lengths, ents) + __field(int, full_nents) + __field(int, full_ents) + __field(bool, truncated) + __dynamic_array(u64, phys_addrs, DMA_TRACE_MAX_ENTRIES) + __dynamic_array(u64, dma_addrs, DMA_TRACE_MAX_ENTRIES) + __dynamic_array(unsigned int, lengths, DMA_TRACE_MAX_ENTRIES) __field(enum dma_data_direction, dir) __field(unsigned long, attrs) ), @@ -292,11 +297,16 @@ TRACE_EVENT(dma_map_sg, TP_fast_assign( struct scatterlist *sg; int i; + int traced_nents =3D min_t(int, nents, DMA_TRACE_MAX_ENTRIES); + int traced_ents =3D min_t(int, ents, DMA_TRACE_MAX_ENTRIES); =20 __assign_str(device); - for_each_sg(sgl, sg, nents, i) + __entry->full_nents =3D nents; + __entry->full_ents =3D ents; + __entry->truncated =3D (nents > DMA_TRACE_MAX_ENTRIES) || (ents > DMA_TR= ACE_MAX_ENTRIES); + for_each_sg(sgl, sg, traced_nents, i) ((u64 *)__get_dynamic_array(phys_addrs))[i] =3D sg_phys(sg); - for_each_sg(sgl, sg, ents, i) { + for_each_sg(sgl, sg, traced_ents, i) { ((u64 *)__get_dynamic_array(dma_addrs))[i] =3D sg_dma_address(sg); ((unsigned int *)__get_dynamic_array(lengths))[i] =3D 
@@ -306,9 +316,12 @@ TRACE_EVENT(dma_map_sg, __entry->attrs =3D attrs; ), =20 - TP_printk("%s dir=3D%s dma_addrs=3D%s sizes=3D%s phys_addrs=3D%s attrs=3D= %s", + TP_printk("%s dir=3D%s nents=3D%d/%d ents=3D%d/%d%s dma_addrs=3D%s sizes= =3D%s phys_addrs=3D%s attrs=3D%s", __get_str(device), decode_dma_data_direction(__entry->dir), + min_t(int, __entry->full_nents, DMA_TRACE_MAX_ENTRIES), __entry->full_ne= nts, + min_t(int, __entry->full_ents, DMA_TRACE_MAX_ENTRIES), __entry->full_ent= s, + __entry->truncated ? " [TRUNCATED]" : "", __print_array(__get_dynamic_array(dma_addrs), __get_dynamic_array_len(dma_addrs) / sizeof(u64), sizeof(u64)), --=20 2.43.0
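
Review bot: the three __dynamic_array(..., DMA_TRACE_MAX_ENTRIES) declarations in the TP_STRUCT__entry hunk reserve 128 slots for every event, so a mapping with two entries now takes the same buffer space as a capped one (about 2,760 bytes by the commit message's own estimate). Sizing each array with the clamped count instead, for example min_t(int, nents, DMA_TRACE_MAX_ENTRIES) for phys_addrs and the ents equivalent for dma_addrs and lengths, keeps the cap, leaves small events small, and keeps __get_dynamic_array_len() equal to the number of entries actually recorded.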
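
Review bot: in the TP_fast_assign hunk the two for_each_sg loops stop at traced_nents and traced_ents, but the arrays they fill are declared with DMA_TRACE_MAX_ENTRIES slots, so every slot from the traced count up to 127 is never written. The unchanged TP_printk context still passes __get_dynamic_array_len(dma_addrs) / sizeof(u64) to __print_array, so those unwritten slots are printed as if they were addresses, and unless the reserved event memory is zeroed elsewhere this can hand stale buffer contents to anyone reading the trace. Either declare the arrays with the clamped counts so their length matches what the loops write, or zero the unused tail in this block.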
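
Review bot: the new TP_printk arguments in the last hunk call min_t(int, __entry->full_nents, DMA_TRACE_MAX_ENTRIES), which makes the print format depend on a kernel macro and a header-local constant, and that format expression is what user-space tools read from the event's format file. Recording the traced counts as fields in TP_fast_assign, or deriving them from __get_dynamic_array_len() once the arrays are sized by the clamped counts, would keep the expression to plain field references. With both the traced and the full counts printed, the separate truncated field and the " [TRUNCATED]" suffix repeat what traced < full already shows, so one of the two could be dropped.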