{"id":"CVE-2026-43169","summary":"drm/buddy: Prevent BUG_ON by validating rounded allocation","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/buddy: Prevent BUG_ON by validating rounded allocation\n\nWhen DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is\nrounded up to the next power-of-two via roundup_pow_of_two().\nSimilarly, for non-contiguous allocations with large min_block_size,\nthe size is aligned up via round_up(). Both operations can produce a\nrounded size that exceeds mm-\u003esize, which later triggers\nBUG_ON(order \u003e mm-\u003emax_order).\n\nExample scenarios:\n- 9G CONTIGUOUS allocation on 10G VRAM memory:\n  roundup_pow_of_two(9G) = 16G \u003e 10G\n- 9G allocation with 8G min_block_size on 10G VRAM memory:\n  round_up(9G, 8G) = 16G \u003e 10G\n\nFix this by checking the rounded size against mm-\u003esize. For\nnon-contiguous or range allocations where size \u003e mm-\u003esize is invalid,\nreturn -EINVAL immediately. For contiguous allocations without range\nrestrictions, allow the request to fall through to the existing\n__alloc_contig_try_harder() fallback.\n\nThis ensures invalid user input returns an error or uses the fallback\npath instead of hitting BUG_ON.\n\nv2: (Matt A)\n- Add Fixes, Cc stable, and Closes tags for context","modified":"2026-06-18T03:54:39.500227892Z","published":"2026-05-06T11:27:45.356Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43169.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/5488a29596cdba93a60a79398dc9b69d5bdadf92"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6236c1cd9fdf433d39ed28b2491ccdfe7ae95061"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d764b8dd420098a4d253b8a5b27568c897edb2cf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ecb32c60d8cbed2ee9ce9f343b6aa2f32babc727"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43169.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43169"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0a1844bf0b532d84324453374ad6845f64066c28"},{"fixed":"d764b8dd420098a4d253b8a5b27568c897edb2cf"},{"fixed":"6236c1cd9fdf433d39ed28b2491ccdfe7ae95061"},{"fixed":"ecb32c60d8cbed2ee9ce9f343b6aa2f32babc727"},{"fixed":"5488a29596cdba93a60a79398dc9b69d5bdadf92"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43169.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43169.json"}}],"schema_version":"1.7.5"}