Received: by 2002:a05:6358:700f:b0:131:369:b2a3 with SMTP id 15csp871757rwo;
        Wed, 2 Aug 2023 05:39:02 -0700 (PDT)
X-Google-Smtp-Source: APBJJlHKhXR2evzsZs7B4j/2eo0+uNC/yn5xH/3uPmYEUEnArcbYc6AmRVfPMoENz2z8WRFGOdLd
X-Received: by 2002:a05:6a20:1441:b0:134:3a9b:4cd7 with SMTP id a1-20020a056a20144100b001343a9b4cd7mr18051715pzi.23.1690979942186;
        Wed, 02 Aug 2023 05:39:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1690979942; cv=none;
        d=google.com; s=arc-20160816;
        b=MzXmqUDEPyJVglQxtSrBnCmFmqEKl6oDo0aR6w9vRE2o91JvZDlWSzDQd8zvqkewAR
         yFj+QmL4+9ncee6mVrlOQCfwSE8Gb0K/eBROgme+ofUtb9GUVfC2i5cWZrg2+SAbV76Q
         wv5LiFa7HpZv+RfHZwOirGqKoIguhw4UBewTUfTjs6Yv32iR/sUlPGbj/WJO/UM0kAN/
         LuaaU2kwdQNzvroX5lLKswKSMgn0NuapqixR5KiIw7x8xMah13RLOB1c8rtCw3I0kbKV
         6NG725VPSWYTOZXMwtvYaGL4QOqXjITaEQ/B2g6Yf8YROpMCKsB/oHrqEKVxRTpcbe1m
         FZLA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id;
        bh=zgH0vwLxgVEL/TC5uesNSmTZc/AhaA0j5cDeN00Fa+s=;
        fh=Rc4u+TUA4r5lvBk4XaVGYxB3W43pew+MjuDwD2uzoac=;
        b=SrHgXGmrJmKRPdSx1go8jQzCRUF7JQNqnGgpJkHOIjmpMhNY5RUbsjrNCPHa8oBJN4
         0cDwvOKNtbaj59h364L/QCwKCQmkAsmgrq4tuAIL+KGlKRQ5icnY9gC0x+TZILQAYPby
         SAhZNpoQgO2ftsBZRarzBiiAVaFOHshXEuCrb14HnuQ01rEwLbqWyH3hyYKKM6OS8a1a
         c078mbS38XDtMv1YF0B2crJNksE6vI2OIu8ML5XCkRAAK3uw8RpRT8d4/IEm9/kxoni4
         RSBnldDugpZZo9kYphbCpY8k05PG1etpzmiMXebg1JySxnAkTZ5OGqO31Ca8/BzvVdJT
         rOxw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id d3-20020a634f03000000b00563ddd523a9si10352551pgb.348.2023.08.02.05.38.49;
        Wed, 02 Aug 2023 05:39:02 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232812AbjHBMcW (ORCPT <rfc822;antony.sucheston@gmail.com>
        + 99 others); Wed, 2 Aug 2023 08:32:22 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54252 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232364AbjHBMcV (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 2 Aug 2023 08:32:21 -0400
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id 8C9689B
        for <linux-kernel@vger.kernel.org>; Wed,  2 Aug 2023 05:32:19 -0700 (PDT)
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 6EC97113E;
        Wed,  2 Aug 2023 05:33:02 -0700 (PDT)
Received: from [10.57.1.113] (unknown [10.57.1.113])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 326043F6C4;
        Wed,  2 Aug 2023 05:32:18 -0700 (PDT)
Message-ID: <463b2ab6-f7b5-f1fc-8e99-e2ad93c21675@arm.com>
Date:   Wed, 2 Aug 2023 13:32:16 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.9.0
Subject: Re: [RESEND PATCH] coresight: tmc: Explicit type conversions to
 prevent integer overflow
Content-Language: en-US
To:     Ruidong Tian <tianruidong@linux.alibaba.com>,
        coresight@lists.linaro.org
Cc:     mike.leach@linaro.org, alexander.shishkin@linux.intel.com,
        linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
References: <20230714084349.31567-1-tianruidong@linux.alibaba.com>
 <61f11ffe-473c-a36e-c51d-9e526a6fd375@arm.com>
 <a448f505-fef4-e1b7-c31e-e1f310c16e8f@linux.alibaba.com>
From:   James Clark <james.clark@arm.com>
In-Reply-To: <a448f505-fef4-e1b7-c31e-e1f310c16e8f@linux.alibaba.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00,NICE_REPLY_A,
        RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE,SUSPICIOUS_RECIPS,
        T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 02/08/2023 13:25, Ruidong Tian wrote:
> Hi James,
> 
> Sorry, some local patch caused inaccurate information. Please allow me
> to reintroduce the question:
> 
> If you use perf with 1G AUX buffer, you can get 1G perf data. Perf
> workload is kernel build here:
> 
>     perf record -C 0 -m ,1G -e cs_etm// taskset -c 0 make
> 
>     [ perf record: Captured and wrote 1025.557 MB perf.data ]
> 
> But if you use 2G AUX buffer, perf was executed unexpectedly：
> 
>     perf record -C 0 -m ,2G -e cs_etm// taskset -c 0 make
> 
>     [ perf record: Captured and wrote 2.615 MB perf.data ]
> 
> There are just 2.615 MB perf data rather than 2G, if you probe function
> "tmc_alloc_etr_buf" in
> 
> coresight_tmc module, you can find some clues:
> 
>   perf probe -m coresight_tmc "tmc_alloc_etr_buf size:s64"
> 
>   perf record -e probe:tmc_alloc_etr_buf -aR -- perf record -C 0 -m ,2G
> -e cs_etm// -o cs.data taskset -c 0 make
> 
>   perf script
>             perf 118267 [064]  4640.324670: probe:tmc_alloc_etr_buf:
> (ffff80007a9dce60) size_s64=-2147483648
>             perf 118267 [064]  4640.324681: probe:tmc_alloc_etr_buf:
> (ffff80007a9dce60) size_s64=1048576
> 
> It's pretty obvious what's going on here. The first call of
> tmc_alloc_etr_buf in alloc_etr_buf was
> 
> failed because of overflow, the second call of tmc_alloc_etr_buf just
> alloc 1M AUX buffer which
> 
> is default ETR buffer size rather than 2G. That is why we can just get
> 2.615MB ( 1M AUX data
> 
> + perf header ).
> 
> It is necessary to check the conversion from int to s64 in coresight_tmc
> driver. The issue[1] also
> 
> exists in coresight/perf, but it's different from this topic.
> 

Thanks for the investigation, that makes more sense to me now. Are you
able to send a v2 of the patch with an updated commit message describing
these symptoms instead?

And you can also add:

Reviewed-by: James Clark <james.clark@arm.com>

> 
> [1]:
> https://lore.kernel.org/bpf/20230711014120.53461-1-xueshuai@linux.alibaba.com/
> 
> Thanks
> Ruidong
> 
> On 2023/7/24 23:38, James Clark wrote:
>>
>> On 14/07/2023 09:43, Ruidong Tian wrote:
>>> Perf cs_etm session will failed when AUX buffer > 1G.
>>>
>>>    perf record -C 0 -m ,2G -e cs_etm// -- taskset -c 0 ls
>>>    failed to mmap with 12 (Cannot allocate memory)
>>>
>>> In coresight tmc driver, "nr_pages << PAGE_SHIFT" will overflow when
>>> nr_pages >= 0x80000(correspond to 1G AUX buffer). Explicit convert
>>> nr_pages
>>> to 64 bit to avoid overflow.
>>>
>> Hi Ruidong,
>>
>> I couldn't reproduce this exact issue with the error message in the
>> commit message. Is it not another manifestation related to this change
>> [1]? I don't actually get any error message, but I was able to get a
>> warning in dmesg even with [1] applied.
>>
>> Does the overflow not result in a successful session but with the wrong
>> buffer size?
>>
>> I think the change makes sense, but maybe we also need a check for
>> MAX_ORDER because I can trigger the same WARN_ON from [1]. Or maybe I'm
>> a bit confused because of the other change and not being able to
>> reproduce this exactly coming at the same time.
>>
>> [1]:
>> https://lore.kernel.org/bpf/20230711014120.53461-1-xueshuai@linux.alibaba.com/
>>
>> Thanks
>> James
>>
>>> Signed-off-by: Ruidong Tian <tianruidong@linux.alibaba.com>
>>> ---
>>>   drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +-
>>>   drivers/hwtracing/coresight/coresight-tmc.h     | 2 +-
>>>   2 files changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c
>>> b/drivers/hwtracing/coresight/coresight-tmc-etr.c
>>> index 766325de0e29..1425ecd1cf78 100644
>>> --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
>>> +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
>>> @@ -1267,7 +1267,7 @@ alloc_etr_buf(struct tmc_drvdata *drvdata,
>>> struct perf_event *event,
>>>        * than the size requested via sysfs.
>>>        */
>>>       if ((nr_pages << PAGE_SHIFT) > drvdata->size) {
>>> -        etr_buf = tmc_alloc_etr_buf(drvdata, (nr_pages << PAGE_SHIFT),
>>> +        etr_buf = tmc_alloc_etr_buf(drvdata, ((ssize_t)nr_pages <<
>>> PAGE_SHIFT),
>>>                           0, node, NULL);
>>>           if (!IS_ERR(etr_buf))
>>>               goto done;
>>> diff --git a/drivers/hwtracing/coresight/coresight-tmc.h
>>> b/drivers/hwtracing/coresight/coresight-tmc.h
>>> index b97da39652d2..0ee48c5ba764 100644
>>> --- a/drivers/hwtracing/coresight/coresight-tmc.h
>>> +++ b/drivers/hwtracing/coresight/coresight-tmc.h
>>> @@ -325,7 +325,7 @@ ssize_t tmc_sg_table_get_data(struct tmc_sg_table
>>> *sg_table,
>>>   static inline unsigned long
>>>   tmc_sg_table_buf_size(struct tmc_sg_table *sg_table)
>>>   {
>>> -    return sg_table->data_pages.nr_pages << PAGE_SHIFT;
>>> +    return (unsigned long)sg_table->data_pages.nr_pages << PAGE_SHIFT;
>>>   }
>>>     struct coresight_device *tmc_etr_get_catu_device(struct
>>> tmc_drvdata *drvdata);