From: Samuel Moelius <sam.moelius@trailofbits.com>

`tracing_entries_write()` accepts a `buffer_size_kb` value as
`unsigned long`, checks only for zero, then shifts left by 10. On
64-bit, writing `18014398509481984` KB wraps the byte count to zero
and the ring buffer resize path accepts it as a tiny buffer instead
of rejecting an impossible huge size.

The fix also adds the same pre-scale overflow check to
`buffer_subbuf_size_write()`.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
---
 kernel/trace/trace.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 6eb4d3097a4d..79da29c3d525 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -5735,7 +5735,7 @@ tracing_entries_write(struct file *filp, const char __user *ubuf,
 		return ret;
 
 	/* must have at least 1 entry */
-	if (!val)
+	if (!val || val > ULONG_MAX >> 10)
 		return -EINVAL;
 
 	/* value is in KB */
@@ -8206,6 +8206,9 @@ buffer_subbuf_size_write(struct file *filp, const char __user *ubuf,
 	if (ret)
 		return ret;
 
+	if (!val || val > ULONG_MAX / 1024)
+		return -EINVAL;
+
 	val *= 1024; /* value passed in is in KB */
 
 	pages = DIV_ROUND_UP(val, PAGE_SIZE);
-- 
2.43.0

On Tue,  2 Jun 2026 18:43:34 +0000
Sam Moelius <sam.moelius@trailofbits.com> wrote:

> From: Samuel Moelius <sam.moelius@trailofbits.com>
> 
> `tracing_entries_write()` accepts a `buffer_size_kb` value as
> `unsigned long`, checks only for zero, then shifts left by 10. On
> 64-bit, writing `18014398509481984` KB wraps the byte count to zero
> and the ring buffer resize path accepts it as a tiny buffer instead
> of rejecting an impossible huge size.
> 
> The fix also adds the same pre-scale overflow check to
> `buffer_subbuf_size_write()`.

Honestly, enter stupid values, get stupid results.

I don't think this is necessary. Nothing breaks but the person may get
confused by being confused by the confusing entries they make.

-- Steve