From: Samuel Moelius <[email protected]>

`tracing_entries_write()` accepts a `buffer_size_kb` value as `unsigned long`, checks only for zero, then shifts left by 10. On 64-bit, writing `18014398509481984` KB wraps the byte count to zero and the ring buffer resize path accepts it as a tiny buffer instead of rejecting an impossible huge size.
The fix also adds the same pre-scale overflow check to `buffer_subbuf_size_write()`. Assisted-by: Codex:gpt-5.5-cyber-preview Signed-off-by: Samuel Moelius <[email protected]> --- kernel/trace/trace.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 6eb4d3097a4d..79da29c3d525 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -5735,7 +5735,7 @@ tracing_entries_write(struct file *filp, const char __user *ubuf, return ret; /* must have at least 1 entry */ - if (!val) + if (!val || val > ULONG_MAX >> 10) return -EINVAL; /* value is in KB */ @@ -8206,6 +8206,9 @@ buffer_subbuf_size_write(struct file *filp, const char __user *ubuf, if (ret) return ret; + if (!val || val > ULONG_MAX / 1024) + return -EINVAL; + val *= 1024; /* value passed in is in KB */ pages = DIV_ROUND_UP(val, PAGE_SIZE); -- 2.43.0
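Review bot: In the `tracing_entries_write()` hunk, the comment `/* must have at least 1 entry */` now sits above a condition that also rejects values too large to scale, so it no longer describes the whole check. Please extend the comment to say that the KB value must also survive the conversion to bytes. The bound is written here as `ULONG_MAX >> 10` and in the second hunk as `ULONG_MAX / 1024`; the two are equivalent, but using one spelling in both places (or the `check_shl_overflow()` / `check_mul_overflow()` helpers from `linux/overflow.h`) would make it obvious that the two paths enforce the same limit.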
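Review bot: In the `buffer_subbuf_size_write()` hunk, the added condition includes `!val`, which rejects a zero write with `-EINVAL` before `val *= 1024`, while the commit message only describes adding the pre-scale overflow check to this function. If zero was previously handled further down (the visible context would compute `DIV_ROUND_UP(0, PAGE_SIZE)`), this is a user-visible change and should be stated in the changelog; if it is not intended, drop `!val` and keep only `val > ULONG_MAX / 1024`. A short comment on the new check, matching the existing `/* value passed in is in KB */` note, would also help readers see why the bound is there.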
