1. Patchew
  2. linux
  3. View series

[PATCH] coresight: tmc: Fix overflow when calculating is bigger than 2GiB

Leo Yan posted 1 patch 1 month, 2 weeks ago 
drivers/hwtracing/coresight/coresight-tmc-etr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
[PATCH] coresight: tmc: Fix overflow when calculating is bigger than 2GiB
Posted by Leo Yan 1 month, 2 weeks ago 
When specifying a 2GB AUX buffer, the ETR driver ends up allocating only
a 1MB buffer instead:

  # echo 'file coresight-tmc-etr.c +p' > \
	/sys/kernel/debug/dynamic_debug/control
  # perf record -e cs_etm/@tmc_etr0,timestamp=0/u -C 0 -m ,2G -- test
  coresight tmc_etr0: allocated buffer of size 1024KB in mode 0

The page index is an 'int' type, and shifting it by PAGE_SHIFT overflows
when the resulting value exceeds 2GB.  This produces a negative value,
causing the driver to fall back to the minimum buffer size (1MB).

Cast the page index to a wider type to accommodate large buffer sizes.
Also fix a similar issue in the buffer offset calculation.

Reported-by: Michiel van Tol <michiel.vantol@arm.com>
Fixes: 99443ea19e8b ("coresight: Add generic TMC sg table framework")
Fixes: eebe8dbd8630 ("coresight: tmc: Decouple the perf buffer allocation from sysfs mode")
Signed-off-by: Leo Yan <leo.yan@arm.com>
---
 drivers/hwtracing/coresight/coresight-tmc-etr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c
index cee82e52c4ea96b035f1db71b2d9a006bfc1c51e..990bbb721e1d712d7b93f1e36087fdaf9d3baa3b 100644
--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
+++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
@@ -154,7 +154,7 @@ tmc_pages_get_offset(struct tmc_pages *tmc_pages, dma_addr_t addr)
 	for (i = 0; i < tmc_pages->nr_pages; i++) {
 		page_start = tmc_pages->daddrs[i];
 		if (addr >= page_start && addr < (page_start + PAGE_SIZE))
-			return i * PAGE_SIZE + (addr - page_start);
+			return (long)i * PAGE_SIZE + (addr - page_start);
 	}
 
 	return -EINVAL;
@@ -1381,7 +1381,7 @@ alloc_etr_buf(struct tmc_drvdata *drvdata, struct perf_event *event,
 	node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu);
 
 	/* Use the minimum limit if the required size is smaller */
-	size = nr_pages << PAGE_SHIFT;
+	size = (ssize_t)nr_pages << PAGE_SHIFT;
 	size = max_t(ssize_t, size, TMC_ETR_PERF_MIN_BUF_SIZE);
 
 	/*

---
base-commit: eebe8dbd8630f51cf70b1f68a440cd3d7f7a914d
change-id: 20260217-arm_coresight_fix_big_buffer_size-a8a41298369d

Best regards,
-- 
Leo Yan <leo.yan@arm.com>
Re: [PATCH] coresight: tmc: Fix overflow when calculating is bigger than 2GiB
Posted by Suzuki K Poulose 1 month, 1 week ago 
Hi Leo

On 17/02/2026 13:19, Leo Yan wrote:
> When specifying a 2GB AUX buffer, the ETR driver ends up allocating only
> a 1MB buffer instead:
> 
>    # echo 'file coresight-tmc-etr.c +p' > \
> 	/sys/kernel/debug/dynamic_debug/control
>    # perf record -e cs_etm/@tmc_etr0,timestamp=0/u -C 0 -m ,2G -- test
>    coresight tmc_etr0: allocated buffer of size 1024KB in mode 0
> 
> The page index is an 'int' type, and shifting it by PAGE_SHIFT overflows
> when the resulting value exceeds 2GB.  This produces a negative value,
> causing the driver to fall back to the minimum buffer size (1MB).
> 
> Cast the page index to a wider type to accommodate large buffer sizes.
> Also fix a similar issue in the buffer offset calculation.
> 
> Reported-by: Michiel van Tol <michiel.vantol@arm.com>
> Fixes: 99443ea19e8b ("coresight: Add generic TMC sg table framework")
> Fixes: eebe8dbd8630 ("coresight: tmc: Decouple the perf buffer allocation from sysfs mode")
> Signed-off-by: Leo Yan <leo.yan@arm.com>
> ---
>   drivers/hwtracing/coresight/coresight-tmc-etr.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c
> index cee82e52c4ea96b035f1db71b2d9a006bfc1c51e..990bbb721e1d712d7b93f1e36087fdaf9d3baa3b 100644
> --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
> +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
> @@ -154,7 +154,7 @@ tmc_pages_get_offset(struct tmc_pages *tmc_pages, dma_addr_t addr)
>   	for (i = 0; i < tmc_pages->nr_pages; i++) {
>   		page_start = tmc_pages->daddrs[i];
>   		if (addr >= page_start && addr < (page_start + PAGE_SIZE))
> -			return i * PAGE_SIZE + (addr - page_start);
> +			return (long)i * PAGE_SIZE + (addr - page_start);
>   	}
>   
>   	return -EINVAL;
> @@ -1381,7 +1381,7 @@ alloc_etr_buf(struct tmc_drvdata *drvdata, struct perf_event *event,
>   	node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu);
>   
>   	/* Use the minimum limit if the required size is smaller */
> -	size = nr_pages << PAGE_SHIFT;
> +	size = (ssize_t)nr_pages << PAGE_SHIFT;
>   	size = max_t(ssize_t, size, TMC_ETR_PERF_MIN_BUF_SIZE);
>   
>   	/*
> 

Thanks for the fix. Could we not fix the declaration of the variables 
instead ?  (Also add a comment to make sure people don't revert it back )

Cheers
Suzuki



> ---
> base-commit: eebe8dbd8630f51cf70b1f68a440cd3d7f7a914d
> change-id: 20260217-arm_coresight_fix_big_buffer_size-a8a41298369d
> 
> Best regards,
Re: [PATCH] coresight: tmc: Fix overflow when calculating is bigger than 2GiB
Posted by Leo Yan 1 month, 1 week ago 
On Mon, Feb 23, 2026 at 09:50:41AM +0000, Suzuki K Poulose wrote:

[...]

> > --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
> > +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
> > @@ -154,7 +154,7 @@ tmc_pages_get_offset(struct tmc_pages *tmc_pages, dma_addr_t addr)
> >   	for (i = 0; i < tmc_pages->nr_pages; i++) {
> >   		page_start = tmc_pages->daddrs[i];
> >   		if (addr >= page_start && addr < (page_start + PAGE_SIZE))
> > -			return i * PAGE_SIZE + (addr - page_start);
> > +			return (long)i * PAGE_SIZE + (addr - page_start);
> >   	}
> >   	return -EINVAL;
> > @@ -1381,7 +1381,7 @@ alloc_etr_buf(struct tmc_drvdata *drvdata, struct perf_event *event,
> >   	node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu);
> >   	/* Use the minimum limit if the required size is smaller */
> > -	size = nr_pages << PAGE_SHIFT;
> > +	size = (ssize_t)nr_pages << PAGE_SHIFT;
> >   	size = max_t(ssize_t, size, TMC_ETR_PERF_MIN_BUF_SIZE);
> >   	/*
> > 
> 
> Thanks for the fix. Could we not fix the declaration of the variables
> instead ?  (Also add a comment to make sure people don't revert it back )

I thought a bit the variable declaration when worked on the patch, but
it is tricky.

"nr_pages" is passed down from the perf core layer as an int type.  In
CoreSight, the value is passed down through several functions using the
same type, and it does not seem necessary to change the type in every
function in the call path.

We could silently use wider type for the "nr_pages" argument or the
index variable "i".  As you said, we need comments to remind future
changing.  This might be more error-prone than using an explicit
cast at the point of calculation ?

Thanks,
Leo

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.