CVE-2026-52965

Summary

In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure

When ttm_tt_swapout() fails, the current code calls ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail() to restore the resource's bulk_move membership.

However, ttm_resource_move_to_lru_tail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource in front of the the hitch. The next list_for_each_entry_continue() from the hitch finds the same resource again, causing an infinite loop.

Fix by deferring del_bulk_move to the success path only.

On the success path, TTM_TT_FLAG_SWAPPED has just been set by ttm_tt_swapout() but the resource is still tracked in the bulk_move range, so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would incorrectly skip the removal. Introduce ttm_resource_del_bulk_move_unevictable() which bypasses that guard.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxfc5d96670eb2540d2572a14351e82ffe45d5ac11 < 0124a09e3e5f5f6080efe9663b27af27933f8382affected
LinuxLinuxfc5d96670eb2540d2572a14351e82ffe45d5ac11 < b2ed01e7ad3de80333e9b962a44024b094bc0b2baffected
LinuxLinux6.13affected
LinuxLinux0 < 6.13unaffected
LinuxLinux7.0.10 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References