Description
In the Linux kernel, the following vulnerability has been resolved: drm/buddy: Prevent BUG_ON by validating rounded allocation When DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is rounded up to the next power-of-two via roundup_pow_of_two(). Similarly, for non-contiguous allocations with large min_block_size, the size is aligned up via round_up(). Both operations can produce a rounded size that exceeds mm->size, which later triggers BUG_ON(order > mm->max_order). Example scenarios: - 9G CONTIGUOUS allocation on 10G VRAM memory: roundup_pow_of_two(9G) = 16G > 10G - 9G allocation with 8G min_block_size on 10G VRAM memory: round_up(9G, 8G) = 16G > 10G Fix this by checking the rounded size against mm->size. For non-contiguous or range allocations where size > mm->size is invalid, return -EINVAL immediately. For contiguous allocations without range restrictions, allow the request to fall through to the existing __alloc_contig_try_harder() fallback. This ensures invalid user input returns an error or uses the fallback path instead of hitting BUG_ON. v2: (Matt A) - Add Fixes, Cc stable, and Closes tags for context
Product status
0a1844bf0b532d84324453374ad6845f64066c28 (git) before d764b8dd420098a4d253b8a5b27568c897edb2cf
0a1844bf0b532d84324453374ad6845f64066c28 (git) before 6236c1cd9fdf433d39ed28b2491ccdfe7ae95061
0a1844bf0b532d84324453374ad6845f64066c28 (git) before ecb32c60d8cbed2ee9ce9f343b6aa2f32babc727
0a1844bf0b532d84324453374ad6845f64066c28 (git) before 5488a29596cdba93a60a79398dc9b69d5bdadf92
6.7
Any version before 6.7
6.12.75 (semver)
6.18.16 (semver)
6.19.6 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/d764b8dd420098a4d253b8a5b27568c897edb2cf
git.kernel.org/...c/6236c1cd9fdf433d39ed28b2491ccdfe7ae95061
git.kernel.org/...c/ecb32c60d8cbed2ee9ce9f343b6aa2f32babc727
git.kernel.org/...c/5488a29596cdba93a60a79398dc9b69d5bdadf92