In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Fix ttmboswapout() infinite LRU walk on swapout failure
When ttmttswapout() fails, the current code calls ttmresourceaddbulkmove() followed by ttmresourcemovetolrutail() to restore the resource's bulkmove membership.
However, ttmresourcemovetolrutail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource in front of the the hitch. The next listforeachentry_continue() from the hitch finds the same resource again, causing an infinite loop.
Fix by deferring delbulkmove to the success path only.
On the success path, TTMTTFLAGSWAPPED has just been set by ttmttswapout() but the resource is still tracked in the bulkmove range, so ttmresourcedelbulkmove()'s !ttmresourceunevictable() guard would incorrectly skip the removal. Introduce ttmresourcedelbulkmove_unevictable() which bypasses that guard.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52965.json",
"cna_assigner": "Linux"
}