[PATCH] coresight: tmc: Fix overflow when calculating is bigger than 2GiB

Mon Feb 23 01:50:41 PST 2026

Hi Leo

On 17/02/2026 13:19, Leo Yan wrote:
> When specifying a 2GB AUX buffer, the ETR driver ends up allocating only
> a 1MB buffer instead:
> 
>    # echo 'file coresight-tmc-etr.c +p' > \
> 	/sys/kernel/debug/dynamic_debug/control
>    # perf record -e cs_etm/@tmc_etr0,timestamp=0/u -C 0 -m ,2G -- test
>    coresight tmc_etr0: allocated buffer of size 1024KB in mode 0
> 
> The page index is an 'int' type, and shifting it by PAGE_SHIFT overflows
> when the resulting value exceeds 2GB.  This produces a negative value,
> causing the driver to fall back to the minimum buffer size (1MB).
> 
> Cast the page index to a wider type to accommodate large buffer sizes.
> Also fix a similar issue in the buffer offset calculation.
> 
> Reported-by: Michiel van Tol <michiel.vantol at arm.com>
> Fixes: 99443ea19e8b ("coresight: Add generic TMC sg table framework")
> Fixes: eebe8dbd8630 ("coresight: tmc: Decouple the perf buffer allocation from sysfs mode")
> Signed-off-by: Leo Yan <leo.yan at arm.com>
> ---
>   drivers/hwtracing/coresight/coresight-tmc-etr.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c
> index cee82e52c4ea96b035f1db71b2d9a006bfc1c51e..990bbb721e1d712d7b93f1e36087fdaf9d3baa3b 100644
> --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
> +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
> @@ -154,7 +154,7 @@ tmc_pages_get_offset(struct tmc_pages *tmc_pages, dma_addr_t addr)
>   	for (i = 0; i < tmc_pages->nr_pages; i++) {
>   		page_start = tmc_pages->daddrs[i];
>   		if (addr >= page_start && addr < (page_start + PAGE_SIZE))
> -			return i * PAGE_SIZE + (addr - page_start);
> +			return (long)i * PAGE_SIZE + (addr - page_start);
>   	}
>   
>   	return -EINVAL;
> @@ -1381,7 +1381,7 @@ alloc_etr_buf(struct tmc_drvdata *drvdata, struct perf_event *event,
>   	node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu);
>   
>   	/* Use the minimum limit if the required size is smaller */
> -	size = nr_pages << PAGE_SHIFT;
> +	size = (ssize_t)nr_pages << PAGE_SHIFT;
>   	size = max_t(ssize_t, size, TMC_ETR_PERF_MIN_BUF_SIZE);
>   
>   	/*
> 

Thanks for the fix. Could we not fix the declaration of the variables 
instead ?  (Also add a comment to make sure people don't revert it back )

Cheers
Suzuki

> ---
> base-commit: eebe8dbd8630f51cf70b1f68a440cd3d7f7a914d
> change-id: 20260217-arm_coresight_fix_big_buffer_size-a8a41298369d
> 
> Best regards,