PT-2026-51859 · Linux · Linux
Published
2026-06-24
·
Updated
2026-06-24
·
CVE-2026-52965
None
No severity ratings or metrics are available. When they are, we will update the corresponding information on the page.
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure
When ttm_tt_swapout() fails, the current code calls
ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail()
to restore the resource's bulk move membership.
However, ttm_resource_move_to_lru_tail() places the resource at the tail
of the LRU list which, relative to the walk cursor's hitch node (placed
immediately after the resource when it was yielded), puts the resource
in front of the hitch. The next list_for_each_entry_continue() from
the hitch finds the same resource again, causing an infinite loop.
Fix by deferring del_bulk_move to the success path only.
On the success path, TTM_TT_FLAG_SWAPPED has just been set by
ttm_tt_swapout() but the resource is still tracked in the bulk move range,
so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would
incorrectly skip the removal. Introduce
ttm_resource_del_bulk_move_unevictable() which bypasses that guard.
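The walk described above, reduced to a toy model as an added example (not kernel code and not part of the advisory): a circular list, a hitch cursor node, and a swapout that always fails. The function walk_lru(), its parameters and the visit cap are assumptions made for illustration; bulk-move ranges and locking are not modelled.

```c
#include <stdio.h>

/* Toy circular doubly linked list; models the cursor walk only, not TTM. */
struct node { struct node *prev, *next; };

static void unlink_node(struct node *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
}

static void insert_after(struct node *n, struct node *pos)
{
    n->prev = pos;
    n->next = pos->next;
    pos->next->prev = n;
    pos->next = n;
}

/*
 * Walk n_items entries whose "swapout" always fails and return how many
 * were yielded, stopping at max_visits so the buggy case terminates here.
 * requeue_to_tail = 1 models the pre-fix failure path (move to LRU tail);
 * requeue_to_tail = 0 leaves the entry where the cursor found it.
 */
static int walk_lru(int n_items, int requeue_to_tail, int max_visits)
{
    struct node head = { &head, &head }, hitch, items[8];
    int visits = 0;

    for (int i = 0; i < n_items && i < 8; i++)
        insert_after(&items[i], head.prev);   /* append at the tail */
    insert_after(&hitch, &head);              /* cursor starts at the front */

    while (visits < max_visits) {
        struct node *cur = hitch.next;        /* continue from the hitch */
        if (cur == &head)
            break;                            /* end of the LRU reached */
        unlink_node(&hitch);
        insert_after(&hitch, cur);            /* hitch right after yielded entry */
        visits++;                             /* "swapout" of cur fails */
        if (requeue_to_tail) {
            unlink_node(cur);
            insert_after(cur, head.prev);     /* tail lies beyond the hitch */
        }
    }
    return visits;
}

int main(void)
{
    printf("entry left in place: %d visits\n", walk_lru(4, 0, 1000));
    printf("entry moved to tail: %d visits (cap hit)\n", walk_lru(4, 1, 1000));
    return 0;
}
```

With the entry left in place the walk yields each of the four entries once; with the move to the tail it only stops because of the cap, even for a single-entry list.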
Related identifiers
Affected products
Linux