* [PATCH 0/2] perf: Fix overflow in PERF_IDX2OFF() for Arm SPE and TRBE drivers
@ 2025-09-17 17:41 Leo Yan
2025-09-17 17:41 ` [PATCH 1/2] coresight: trbe: Prevent overflow in PERF_IDX2OFF() Leo Yan
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Leo Yan @ 2025-09-17 17:41 UTC (permalink / raw)
To: Will Deacon, Mark Rutland, Suzuki K Poulose, Mike Leach,
James Clark, Alexander Shishkin, Anshuman Khandual, Tamas Zsoldos
Cc: coresight, linux-arm-kernel, linux-kernel, linux-perf-users,
Leo Yan
If the AUX buffer size is specified as 2 GiB or larger, the expression
"(buf)->nr_pages << PAGE_SHIFT" may exceed 0x8000_0000. Since
(buf)->nr_pages is a signed integer, the shift can overflow and produce
a negative value. As a result, PERF_IDX2OFF() fails to work correctly.
Fix this by casting (buf)->nr_pages to unsigned long before the shift,
which allows PERF_IDX2OFF() to handle large buffers properly.
Signed-off-by: Leo Yan <leo.yan@arm.com>
---
Leo Yan (2):
coresight: trbe: Prevent overflow in PERF_IDX2OFF()
perf: arm_spe: Prevent overflow in PERF_IDX2OFF()
drivers/hwtracing/coresight/coresight-trbe.c | 3 ++-
drivers/perf/arm_spe_pmu.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
---
base-commit: 5aca7966d2a7255ba92fd5e63268dd767b223aa5
change-id: 20250917-fix_aux_trace_index-9745674f5061
Best regards,
--
Leo Yan <leo.yan@arm.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/2] coresight: trbe: Prevent overflow in PERF_IDX2OFF()
2025-09-17 17:41 [PATCH 0/2] perf: Fix overflow in PERF_IDX2OFF() for Arm SPE and TRBE drivers Leo Yan
@ 2025-09-17 17:41 ` Leo Yan
2025-09-17 17:41 ` [PATCH 2/2] perf: arm_spe: " Leo Yan
2025-09-18 16:43 ` [PATCH 0/2] perf: Fix overflow in PERF_IDX2OFF() for Arm SPE and TRBE drivers Will Deacon
2 siblings, 0 replies; 4+ messages in thread
From: Leo Yan @ 2025-09-17 17:41 UTC (permalink / raw)
To: Will Deacon, Mark Rutland, Suzuki K Poulose, Mike Leach,
James Clark, Alexander Shishkin, Anshuman Khandual, Tamas Zsoldos
Cc: coresight, linux-arm-kernel, linux-kernel, linux-perf-users,
Leo Yan
Cast nr_pages to unsigned long to avoid overflow when handling large
AUX buffer sizes (>= 2 GiB).
Fixes: 3fbf7f011f24 ("coresight: sink: Add TRBE driver")
Signed-off-by: Leo Yan <leo.yan@arm.com>
---
drivers/hwtracing/coresight/coresight-trbe.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hwtracing/coresight/coresight-trbe.c b/drivers/hwtracing/coresight/coresight-trbe.c
index 8267dd1a2130d37d9507791620ea7bc8cbcd675c..8f426f94e32a15fd26e6c4e42385a5d93a7b7c1a 100644
--- a/drivers/hwtracing/coresight/coresight-trbe.c
+++ b/drivers/hwtracing/coresight/coresight-trbe.c
@@ -23,7 +23,8 @@
#include "coresight-self-hosted-trace.h"
#include "coresight-trbe.h"
-#define PERF_IDX2OFF(idx, buf) ((idx) % ((buf)->nr_pages << PAGE_SHIFT))
+#define PERF_IDX2OFF(idx, buf) \
+ ((idx) % ((unsigned long)(buf)->nr_pages << PAGE_SHIFT))
/*
* A padding packet that will help the user space tools
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2] perf: arm_spe: Prevent overflow in PERF_IDX2OFF()
2025-09-17 17:41 [PATCH 0/2] perf: Fix overflow in PERF_IDX2OFF() for Arm SPE and TRBE drivers Leo Yan
2025-09-17 17:41 ` [PATCH 1/2] coresight: trbe: Prevent overflow in PERF_IDX2OFF() Leo Yan
@ 2025-09-17 17:41 ` Leo Yan
2025-09-18 16:43 ` [PATCH 0/2] perf: Fix overflow in PERF_IDX2OFF() for Arm SPE and TRBE drivers Will Deacon
2 siblings, 0 replies; 4+ messages in thread
From: Leo Yan @ 2025-09-17 17:41 UTC (permalink / raw)
To: Will Deacon, Mark Rutland, Suzuki K Poulose, Mike Leach,
James Clark, Alexander Shishkin, Anshuman Khandual, Tamas Zsoldos
Cc: coresight, linux-arm-kernel, linux-kernel, linux-perf-users,
Leo Yan
Cast nr_pages to unsigned long to avoid overflow when handling large
AUX buffer sizes (>= 2 GiB).
Fixes: d5d9696b0380 ("drivers/perf: Add support for ARMv8.2 Statistical Profiling Extension")
Signed-off-by: Leo Yan <leo.yan@arm.com>
---
drivers/perf/arm_spe_pmu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/perf/arm_spe_pmu.c b/drivers/perf/arm_spe_pmu.c
index 369e77ad5f13ffb490bf8f128fee5180d1254bc6..8f14cb324e018349fbe19c5c20d92a9cdcfd2e73 100644
--- a/drivers/perf/arm_spe_pmu.c
+++ b/drivers/perf/arm_spe_pmu.c
@@ -97,7 +97,8 @@ struct arm_spe_pmu {
#define to_spe_pmu(p) (container_of(p, struct arm_spe_pmu, pmu))
/* Convert a free-running index from perf into an SPE buffer offset */
-#define PERF_IDX2OFF(idx, buf) ((idx) % ((buf)->nr_pages << PAGE_SHIFT))
+#define PERF_IDX2OFF(idx, buf) \
+ ((idx) % ((unsigned long)(buf)->nr_pages << PAGE_SHIFT))
/* Keep track of our dynamic hotplug state */
static enum cpuhp_state arm_spe_pmu_online;
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 0/2] perf: Fix overflow in PERF_IDX2OFF() for Arm SPE and TRBE drivers
2025-09-17 17:41 [PATCH 0/2] perf: Fix overflow in PERF_IDX2OFF() for Arm SPE and TRBE drivers Leo Yan
2025-09-17 17:41 ` [PATCH 1/2] coresight: trbe: Prevent overflow in PERF_IDX2OFF() Leo Yan
2025-09-17 17:41 ` [PATCH 2/2] perf: arm_spe: " Leo Yan
@ 2025-09-18 16:43 ` Will Deacon
2 siblings, 0 replies; 4+ messages in thread
From: Will Deacon @ 2025-09-18 16:43 UTC (permalink / raw)
To: Mark Rutland, Suzuki K Poulose, Mike Leach, James Clark,
Alexander Shishkin, Anshuman Khandual, Tamas Zsoldos, Leo Yan
Cc: catalin.marinas, kernel-team, Will Deacon, coresight,
linux-arm-kernel, linux-kernel, linux-perf-users
On Wed, 17 Sep 2025 18:41:37 +0100, Leo Yan wrote:
> If the AUX buffer size is specified as 2 GiB or larger, the expression
> "(buf)->nr_pages << PAGE_SHIFT" may exceed 0x8000_0000. Since
> (buf)->nr_pages is a signed integer, the shift can overflow and produce
> a negative value. As a result, PERF_IDX2OFF() fails to work correctly.
>
> Fix this by casting (buf)->nr_pages to unsigned long before the shift,
> which allows PERF_IDX2OFF() to handle large buffers properly.
>
> [...]
Applied to will (for-next/perf), thanks!
[1/2] coresight: trbe: Prevent overflow in PERF_IDX2OFF()
https://git.kernel.org/will/c/105f56877f2d
[2/2] perf: arm_spe: Prevent overflow in PERF_IDX2OFF()
https://git.kernel.org/will/c/a29fea30dd93
Cheers,
--
Will
https://fixes.arm64.dev
https://next.arm64.dev
https://will.arm64.dev
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-09-18 16:43 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-17 17:41 [PATCH 0/2] perf: Fix overflow in PERF_IDX2OFF() for Arm SPE and TRBE drivers Leo Yan
2025-09-17 17:41 ` [PATCH 1/2] coresight: trbe: Prevent overflow in PERF_IDX2OFF() Leo Yan
2025-09-17 17:41 ` [PATCH 2/2] perf: arm_spe: " Leo Yan
2025-09-18 16:43 ` [PATCH 0/2] perf: Fix overflow in PERF_IDX2OFF() for Arm SPE and TRBE drivers Will Deacon
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).