CVE-2026-52965
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure
When ttm_tt_swapout() fails, the current code calls ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail() to restore the resource's bulk_move membership.
However, ttm_resource_move_to_lru_tail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource in front of the the hitch. The next list_for_each_entry_continue() from the hitch finds the same resource again, causing an infinite loop.
Fix by deferring del_bulk_move to the success path only.
On the success path, TTM_TT_FLAG_SWAPPED has just been set by ttm_tt_swapout() but the resource is still tracked in the bulk_move range, so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would incorrectly skip the removal. Introduce ttm_resource_del_bulk_move_unevictable() which bypasses that guard.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | fc5d96670eb2540d2572a14351e82ffe45d5ac11 < 0124a09e3e5f5f6080efe9663b27af27933f8382 | affected |
| Linux | Linux | fc5d96670eb2540d2572a14351e82ffe45d5ac11 < b2ed01e7ad3de80333e9b962a44024b094bc0b2b | affected |
| Linux | Linux | 6.13 | affected |
| Linux | Linux | 0 < 6.13 | unaffected |
| Linux | Linux | 7.0.10 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/0124a09e3e5f5f6080efe9663b27af27933f8382
- https://git.kernel.org/stable/c/b2ed01e7ad3de80333e9b962a44024b094bc0b2b
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.