Description
In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure

When ttm_tt_swapout() fails, the current code calls
ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail()
to restore the resource's bulk_move membership.

However, ttm_resource_move_to_lru_tail() places the resource at the tail
of the LRU list which, relative to the walk cursor's hitch node (placed
immediately after the resource when it was yielded), puts the resource
*in front of* the hitch. The next list_for_each_entry_continue() from
the hitch finds the same resource again, causing an infinite loop.

Fix by deferring del_bulk_move to the success path only.

On the success path, TTM_TT_FLAG_SWAPPED has just been set by
ttm_tt_swapout() but the resource is still tracked in the bulk_move range,
so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would
incorrectly skip the removal. Introduce
ttm_resource_del_bulk_move_unevictable() which bypasses that guard.
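
The walk described above, as a simplified userspace C model added here (not the kernel's code or the patch). The names `struct node`, `move_after()`, `walk_next()` and `walk_all_failing()` are hypothetical, and the fixed behaviour is modelled simply as leaving a resource's LRU position untouched when swapout fails.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified userspace model with hypothetical names; not TTM's real structures. */
struct node { struct node *prev, *next; };

/* Unlink n (a no-op while n is self-linked) and relink it right after pos. */
static void move_after(struct node *n, struct node *pos)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->prev = pos;
    n->next = pos->next;
    pos->next->prev = n;
    pos->next = n;
}

/* Yield the resource following the hitch, then park the hitch right after it. */
static struct node *walk_next(struct node *head, struct node *hitch)
{
    struct node *n = hitch->next;
    if (n == head)
        return NULL;                       /* end of the LRU reached */
    move_after(hitch, n);
    return n;
}

/* Walk up to 8 resources whose swapout always fails; return how many were yielded. */
int walk_all_failing(int nres, bool requeue_to_tail, int limit)
{
    struct node head = { &head, &head }, hitch = { &hitch, &hitch }, res[8], *r;
    int yielded = 0;
    for (int i = 0; i < nres && i < 8; i++) {
        res[i].prev = res[i].next = &res[i];
        move_after(&res[i], head.prev);    /* LRU order res[0], res[1], ... */
    }
    move_after(&hitch, &head);             /* cursor starts at the LRU front */
    while (yielded < limit && (r = walk_next(&head, &hitch)) != NULL) {
        yielded++;                         /* swapout of r fails at this point */
        if (requeue_to_tail)               /* pre-fix failure path */
            move_after(r, head.prev);      /* the tail lies past the hitch */
    }
    return yielded;
}

int main(void)
{
    printf("pre-fix: %d yields (cap 100), fixed: %d yields\n", walk_all_failing(3, true, 100), walk_all_failing(3, false, 100));
    return 0;
}
```

With the re-queue enabled the walk only stops because of the `limit` cap; without it each resource is yielded exactly once.
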
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability causes an infinite loop during the swapout process of the DRM TTM allocator, which can lock the kernel and result in a denial of service. The loop occurs when a failed swapout attempts to restore bulk_move membership, placing the resource ahead of its own hitch node and leading the walk cursor to revisit the same resource repeatedly. The flaw is tied to internal resource management and does not directly expose data or provide remote code execution. The likely attack vector is local: an attacker with the ability to load or interact with DRM drivers, or with elevated kernel privileges, could trigger swapout failures and induce the loop.

Affected Systems

All Linux kernel installations that employ the DRM TTM subsystem are potentially impacted. The issue does not specify a particular kernel version, so any build of the Linux kernel that includes the drm/ttm component before the patch is vulnerable until the kernel is updated. Vendors should verify that their kernel releases incorporate the commit that defers the bulk_move deletion to the successful swapout path.

Risk and Exploitability

The CVSS score is not provided, and EPSS information is unavailable, so the exact exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. However, because the flaw can cause a kernel freeze, the risk is significant for systems that require high availability. Exploitation requires a local attacker with sufficient privileges to induce swapout failures or to load modified DRM modules, making the attack less likely in a strictly remote scenario.

Generated by OpenCVE AI on June 24, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the DRM TTM swapout fix.
  • If upgrading is not immediately possible, consider disabling the DRM TTM module or limiting its use by removing hardware or software that relies on it.
  • Check kernel logs for indications of swapout failures and monitor system responsiveness for potential DoS symptoms.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-631

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure When ttm_tt_swapout() fails, the current code calls ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail() to restore the resource's bulk_move membership. However, ttm_resource_move_to_lru_tail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource *in front of* the hitch. The next list_for_each_entry_continue() from the hitch finds the same resource again, causing an infinite loop. Fix by deferring del_bulk_move to the success path only. On the success path, TTM_TT_FLAG_SWAPPED has just been set by ttm_tt_swapout() but the resource is still tracked in the bulk_move range, so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would incorrectly skip the removal. Introduce ttm_resource_del_bulk_move_unevictable() which bypasses that guard.
Title drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:45.090Z

Reserved: 2026-06-09T07:44:35.374Z

Link: CVE-2026-52965

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T18:30:06Z

Weaknesses