From: Leo Yan <leo.yan@arm.com>
Date: Tue, 17 Feb 2026 13:19:43 +0000 (+0000)
Subject: coresight: tmc: Fix overflow when calculating is bigger than 2GiB
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f195d54deef1bc6dd3326394975baff02c7ae487;p=thirdparty%2Fkernel%2Flinux.git

coresight: tmc: Fix overflow when calculating is bigger than 2GiB

When specifying a 2GB AUX buffer, the ETR driver ends up allocating only
a 1MB buffer instead:

  # echo 'file coresight-tmc-etr.c +p' > \
	/sys/kernel/debug/dynamic_debug/control
  # perf record -e cs_etm/@tmc_etr0,timestamp=0/u -C 0 -m ,2G -- test
  coresight tmc_etr0: allocated buffer of size 1024KB in mode 0

The page index is an 'int' type, and shifting it by PAGE_SHIFT overflows
when the resulting value exceeds 2GB.  This produces a negative value,
causing the driver to fall back to the minimum buffer size (1MB).

Cast the page index to a wider type to accommodate large buffer sizes.
Also fix a similar issue in the buffer offset calculation.

Reported-by: Michiel van Tol <michiel.vantol@arm.com>
Fixes: 99443ea19e8b ("coresight: Add generic TMC sg table framework")
Fixes: eebe8dbd8630 ("coresight: tmc: Decouple the perf buffer allocation from sysfs mode")
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20260217-arm_coresight_fix_big_buffer_size-v1-1-774e893d8e3f@arm.com
---

diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c
index 4dc1defe27a5..361a433e6f0c 100644
--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
+++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
@@ -154,7 +154,7 @@ tmc_pages_get_offset(struct tmc_pages *tmc_pages, dma_addr_t addr)
 	for (i = 0; i < tmc_pages->nr_pages; i++) {
 		page_start = tmc_pages->daddrs[i];
 		if (addr >= page_start && addr < (page_start + PAGE_SIZE))
-			return i * PAGE_SIZE + (addr - page_start);
+			return (long)i * PAGE_SIZE + (addr - page_start);
 	}
 
 	return -EINVAL;
@@ -1379,7 +1379,7 @@ alloc_etr_buf(struct tmc_drvdata *drvdata, struct perf_event *event,
 	node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu);
 
 	/* Use the minimum limit if the required size is smaller */
-	size = nr_pages << PAGE_SHIFT;
+	size = (ssize_t)nr_pages << PAGE_SHIFT;
 	size = max_t(ssize_t, size, TMC_ETR_PERF_MIN_BUF_SIZE);
 
 	/*