CVE-2025-71078 (GCVE-0-2025-71078)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-13 15:34
VLAI?
Title
powerpc/64s/slb: Fix SLB multihit issue during SLB preload
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/64s/slb: Fix SLB multihit issue during SLB preload
On systems using the hash MMU, there is a software SLB preload cache that
mirrors the entries loaded into the hardware SLB buffer. This preload
cache is subject to periodic eviction — typically after every 256 context
switches — to remove old entry.
To optimize performance, the kernel skips switch_mmu_context() in
switch_mm_irqs_off() when the prev and next mm_struct are the same.
However, on hash MMU systems, this can lead to inconsistencies between
the hardware SLB and the software preload cache.
If an SLB entry for a process is evicted from the software cache on one
CPU, and the same process later runs on another CPU without executing
switch_mmu_context(), the hardware SLB may retain stale entries. If the
kernel then attempts to reload that entry, it can trigger an SLB
multi-hit error.
The following timeline shows how stale SLB entries are created and can
cause a multi-hit error when a process moves between CPUs without a
MMU context switch.
CPU 0 CPU 1
----- -----
Process P
exec swapper/1
load_elf_binary
begin_new_exc
activate_mm
switch_mm_irqs_off
switch_mmu_context
switch_slb
/*
* This invalidates all
* the entries in the HW
* and setup the new HW
* SLB entries as per the
* preload cache.
*/
context_switch
sched_migrate_task migrates process P to cpu-1
Process swapper/0 context switch (to process P)
(uses mm_struct of Process P) switch_mm_irqs_off()
switch_slb
load_slb++
/*
* load_slb becomes 0 here
* and we evict an entry from
* the preload cache with
* preload_age(). We still
* keep HW SLB and preload
* cache in sync, that is
* because all HW SLB entries
* anyways gets evicted in
* switch_slb during SLBIA.
* We then only add those
* entries back in HW SLB,
* which are currently
* present in preload_cache
* (after eviction).
*/
load_elf_binary continues...
setup_new_exec()
slb_setup_new_exec()
sched_switch event
sched_migrate_task migrates
process P to cpu-0
context_switch from swapper/0 to Process P
switch_mm_irqs_off()
/*
* Since both prev and next mm struct are same we don't call
* switch_mmu_context(). This will cause the HW SLB and SW preload
* cache to go out of sync in preload_new_slb_context. Because there
* was an SLB entry which was evicted from both HW and preload cache
* on cpu-1. Now later in preload_new_slb_context(), when we will try
* to add the same preload entry again, we will add this to the SW
* preload cache and then will add it to the HW SLB. Since on cpu-0
* this entry was never invalidated, hence adding this entry to the HW
* SLB will cause a SLB multi-hit error.
*/
load_elf_binary cont
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5434ae74629af58ad0fc27143a9ea435f7734410 , < c9f865022a1823d814032a09906e91e4701a35fc
(git)
Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < b13a3dbfa196af68eae2031f209743735ad416bf (git) Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < 895123c309a34d2cfccf7812b41e17261a3a6f37 (git) Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < 4ae1e46d8a290319f33f71a2710a1382ba5431e8 (git) Affected: 5434ae74629af58ad0fc27143a9ea435f7734410 , < 00312419f0863964625d6dcda8183f96849412c6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/book3s/64/mmu-hash.h",
"arch/powerpc/kernel/process.c",
"arch/powerpc/mm/book3s64/internal.h",
"arch/powerpc/mm/book3s64/mmu_context.c",
"arch/powerpc/mm/book3s64/slb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c9f865022a1823d814032a09906e91e4701a35fc",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "b13a3dbfa196af68eae2031f209743735ad416bf",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "895123c309a34d2cfccf7812b41e17261a3a6f37",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "4ae1e46d8a290319f33f71a2710a1382ba5431e8",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "00312419f0863964625d6dcda8183f96849412c6",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/book3s/64/mmu-hash.h",
"arch/powerpc/kernel/process.c",
"arch/powerpc/mm/book3s64/internal.h",
"arch/powerpc/mm/book3s64/mmu_context.c",
"arch/powerpc/mm/book3s64/slb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s/slb: Fix SLB multihit issue during SLB preload\n\nOn systems using the hash MMU, there is a software SLB preload cache that\nmirrors the entries loaded into the hardware SLB buffer. This preload\ncache is subject to periodic eviction \u2014 typically after every 256 context\nswitches \u2014 to remove old entry.\n\nTo optimize performance, the kernel skips switch_mmu_context() in\nswitch_mm_irqs_off() when the prev and next mm_struct are the same.\nHowever, on hash MMU systems, this can lead to inconsistencies between\nthe hardware SLB and the software preload cache.\n\nIf an SLB entry for a process is evicted from the software cache on one\nCPU, and the same process later runs on another CPU without executing\nswitch_mmu_context(), the hardware SLB may retain stale entries. If the\nkernel then attempts to reload that entry, it can trigger an SLB\nmulti-hit error.\n\nThe following timeline shows how stale SLB entries are created and can\ncause a multi-hit error when a process moves between CPUs without a\nMMU context switch.\n\nCPU 0 CPU 1\n----- -----\nProcess P\nexec swapper/1\n load_elf_binary\n begin_new_exc\n activate_mm\n switch_mm_irqs_off\n switch_mmu_context\n switch_slb\n /*\n * This invalidates all\n * the entries in the HW\n * and setup the new HW\n * SLB entries as per the\n * preload cache.\n */\ncontext_switch\nsched_migrate_task migrates process P to cpu-1\n\nProcess swapper/0 context switch (to process P)\n(uses mm_struct of Process P) switch_mm_irqs_off()\n switch_slb\n load_slb++\n /*\n * load_slb becomes 0 here\n * and we evict an entry from\n * the preload cache with\n * preload_age(). We still\n * keep HW SLB and preload\n * cache in sync, that is\n * because all HW SLB entries\n * anyways gets evicted in\n * switch_slb during SLBIA.\n * We then only add those\n * entries back in HW SLB,\n * which are currently\n * present in preload_cache\n * (after eviction).\n */\n load_elf_binary continues...\n setup_new_exec()\n slb_setup_new_exec()\n\n sched_switch event\n sched_migrate_task migrates\n process P to cpu-0\n\ncontext_switch from swapper/0 to Process P\n switch_mm_irqs_off()\n /*\n * Since both prev and next mm struct are same we don\u0027t call\n * switch_mmu_context(). This will cause the HW SLB and SW preload\n * cache to go out of sync in preload_new_slb_context. Because there\n * was an SLB entry which was evicted from both HW and preload cache\n * on cpu-1. Now later in preload_new_slb_context(), when we will try\n * to add the same preload entry again, we will add this to the SW\n * preload cache and then will add it to the HW SLB. Since on cpu-0\n * this entry was never invalidated, hence adding this entry to the HW\n * SLB will cause a SLB multi-hit error.\n */\nload_elf_binary cont\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:34:43.437Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c9f865022a1823d814032a09906e91e4701a35fc"
},
{
"url": "https://git.kernel.org/stable/c/b13a3dbfa196af68eae2031f209743735ad416bf"
},
{
"url": "https://git.kernel.org/stable/c/895123c309a34d2cfccf7812b41e17261a3a6f37"
},
{
"url": "https://git.kernel.org/stable/c/4ae1e46d8a290319f33f71a2710a1382ba5431e8"
},
{
"url": "https://git.kernel.org/stable/c/00312419f0863964625d6dcda8183f96849412c6"
}
],
"title": "powerpc/64s/slb: Fix SLB multihit issue during SLB preload",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71078",
"datePublished": "2026-01-13T15:34:43.437Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-01-13T15:34:43.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-71078\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-13T16:16:07.317\",\"lastModified\":\"2026-01-13T16:16:07.317\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/64s/slb: Fix SLB multihit issue during SLB preload\\n\\nOn systems using the hash MMU, there is a software SLB preload cache that\\nmirrors the entries loaded into the hardware SLB buffer. This preload\\ncache is subject to periodic eviction \u2014 typically after every 256 context\\nswitches \u2014 to remove old entry.\\n\\nTo optimize performance, the kernel skips switch_mmu_context() in\\nswitch_mm_irqs_off() when the prev and next mm_struct are the same.\\nHowever, on hash MMU systems, this can lead to inconsistencies between\\nthe hardware SLB and the software preload cache.\\n\\nIf an SLB entry for a process is evicted from the software cache on one\\nCPU, and the same process later runs on another CPU without executing\\nswitch_mmu_context(), the hardware SLB may retain stale entries. If the\\nkernel then attempts to reload that entry, it can trigger an SLB\\nmulti-hit error.\\n\\nThe following timeline shows how stale SLB entries are created and can\\ncause a multi-hit error when a process moves between CPUs without a\\nMMU context switch.\\n\\nCPU 0 CPU 1\\n----- -----\\nProcess P\\nexec swapper/1\\n load_elf_binary\\n begin_new_exc\\n activate_mm\\n switch_mm_irqs_off\\n switch_mmu_context\\n switch_slb\\n /*\\n * This invalidates all\\n * the entries in the HW\\n * and setup the new HW\\n * SLB entries as per the\\n * preload cache.\\n */\\ncontext_switch\\nsched_migrate_task migrates process P to cpu-1\\n\\nProcess swapper/0 context switch (to process P)\\n(uses mm_struct of Process P) switch_mm_irqs_off()\\n switch_slb\\n load_slb++\\n /*\\n * load_slb becomes 0 here\\n * and we evict an entry from\\n * the preload cache with\\n * preload_age(). We still\\n * keep HW SLB and preload\\n * cache in sync, that is\\n * because all HW SLB entries\\n * anyways gets evicted in\\n * switch_slb during SLBIA.\\n * We then only add those\\n * entries back in HW SLB,\\n * which are currently\\n * present in preload_cache\\n * (after eviction).\\n */\\n load_elf_binary continues...\\n setup_new_exec()\\n slb_setup_new_exec()\\n\\n sched_switch event\\n sched_migrate_task migrates\\n process P to cpu-0\\n\\ncontext_switch from swapper/0 to Process P\\n switch_mm_irqs_off()\\n /*\\n * Since both prev and next mm struct are same we don\u0027t call\\n * switch_mmu_context(). This will cause the HW SLB and SW preload\\n * cache to go out of sync in preload_new_slb_context. Because there\\n * was an SLB entry which was evicted from both HW and preload cache\\n * on cpu-1. Now later in preload_new_slb_context(), when we will try\\n * to add the same preload entry again, we will add this to the SW\\n * preload cache and then will add it to the HW SLB. Since on cpu-0\\n * this entry was never invalidated, hence adding this entry to the HW\\n * SLB will cause a SLB multi-hit error.\\n */\\nload_elf_binary cont\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/00312419f0863964625d6dcda8183f96849412c6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4ae1e46d8a290319f33f71a2710a1382ba5431e8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/895123c309a34d2cfccf7812b41e17261a3a6f37\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b13a3dbfa196af68eae2031f209743735ad416bf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c9f865022a1823d814032a09906e91e4701a35fc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…