{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-71078","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:30:19.648Z","datePublished":"2026-01-13T15:34:43.437Z","dateUpdated":"2026-05-11T21:54:18.759Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:54:18.759Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s/slb: Fix SLB multihit issue during SLB preload\n\nOn systems using the hash MMU, there is a software SLB preload cache that\nmirrors the entries loaded into the hardware SLB buffer. This preload\ncache is subject to periodic eviction — typically after every 256 context\nswitches — to remove old entry.\n\nTo optimize performance, the kernel skips switch_mmu_context() in\nswitch_mm_irqs_off() when the prev and next mm_struct are the same.\nHowever, on hash MMU systems, this can lead to inconsistencies between\nthe hardware SLB and the software preload cache.\n\nIf an SLB entry for a process is evicted from the software cache on one\nCPU, and the same process later runs on another CPU without executing\nswitch_mmu_context(), the hardware SLB may retain stale entries. If the\nkernel then attempts to reload that entry, it can trigger an SLB\nmulti-hit error.\n\nThe following timeline shows how stale SLB entries are created and can\ncause a multi-hit error when a process moves between CPUs without a\nMMU context switch.\n\nCPU 0 CPU 1\n----- -----\nProcess P\nexec swapper/1\n load_elf_binary\n begin_new_exc\n activate_mm\n switch_mm_irqs_off\n switch_mmu_context\n switch_slb\n /*\n * This invalidates all\n * the entries in the HW\n * and setup the new HW\n * SLB entries as per the\n * preload cache.\n */\ncontext_switch\nsched_migrate_task migrates process P to cpu-1\n\nProcess swapper/0 context switch (to process P)\n(uses mm_struct of Process P) switch_mm_irqs_off()\n switch_slb\n load_slb++\n /*\n * load_slb becomes 0 here\n * and we evict an entry from\n * the preload cache with\n * preload_age(). We still\n * keep HW SLB and preload\n * cache in sync, that is\n * because all HW SLB entries\n * anyways gets evicted in\n * switch_slb during SLBIA.\n * We then only add those\n * entries back in HW SLB,\n * which are currently\n * present in preload_cache\n * (after eviction).\n */\n load_elf_binary continues...\n setup_new_exec()\n slb_setup_new_exec()\n\n sched_switch event\n sched_migrate_task migrates\n process P to cpu-0\n\ncontext_switch from swapper/0 to Process P\n switch_mm_irqs_off()\n /*\n * Since both prev and next mm struct are same we don't call\n * switch_mmu_context(). This will cause the HW SLB and SW preload\n * cache to go out of sync in preload_new_slb_context. Because there\n * was an SLB entry which was evicted from both HW and preload cache\n * on cpu-1. Now later in preload_new_slb_context(), when we will try\n * to add the same preload entry again, we will add this to the SW\n * preload cache and then will add it to the HW SLB. Since on cpu-0\n * this entry was never invalidated, hence adding this entry to the HW\n * SLB will cause a SLB multi-hit error.\n */\nload_elf_binary cont\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/powerpc/include/asm/book3s/64/mmu-hash.h","arch/powerpc/kernel/process.c","arch/powerpc/mm/book3s64/internal.h","arch/powerpc/mm/book3s64/mmu_context.c","arch/powerpc/mm/book3s64/slb.c"],"versions":[{"version":"5434ae74629af58ad0fc27143a9ea435f7734410","lessThan":"01324c0328181b94cf390bda22ff91c75126ea57","status":"affected","versionType":"git"},{"version":"5434ae74629af58ad0fc27143a9ea435f7734410","lessThan":"2e9a95d60f1df7b57618fd5ef057aef331575bd2","status":"affected","versionType":"git"},{"version":"5434ae74629af58ad0fc27143a9ea435f7734410","lessThan":"c9f865022a1823d814032a09906e91e4701a35fc","status":"affected","versionType":"git"},{"version":"5434ae74629af58ad0fc27143a9ea435f7734410","lessThan":"b13a3dbfa196af68eae2031f209743735ad416bf","status":"affected","versionType":"git"},{"version":"5434ae74629af58ad0fc27143a9ea435f7734410","lessThan":"895123c309a34d2cfccf7812b41e17261a3a6f37","status":"affected","versionType":"git"},{"version":"5434ae74629af58ad0fc27143a9ea435f7734410","lessThan":"4ae1e46d8a290319f33f71a2710a1382ba5431e8","status":"affected","versionType":"git"},{"version":"5434ae74629af58ad0fc27143a9ea435f7734410","lessThan":"00312419f0863964625d6dcda8183f96849412c6","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/powerpc/include/asm/book3s/64/mmu-hash.h","arch/powerpc/kernel/process.c","arch/powerpc/mm/book3s64/internal.h","arch/powerpc/mm/book3s64/mmu_context.c","arch/powerpc/mm/book3s64/slb.c"],"versions":[{"version":"4.20","status":"affected"},{"version":"0","lessThan":"4.20","status":"unaffected","versionType":"semver"},{"version":"5.10.248","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.198","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.160","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.120","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.64","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.4","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.10.248"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.15.198"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.1.160"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.6.120"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.12.64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.18.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/01324c0328181b94cf390bda22ff91c75126ea57"},{"url":"https://git.kernel.org/stable/c/2e9a95d60f1df7b57618fd5ef057aef331575bd2"},{"url":"https://git.kernel.org/stable/c/c9f865022a1823d814032a09906e91e4701a35fc"},{"url":"https://git.kernel.org/stable/c/b13a3dbfa196af68eae2031f209743735ad416bf"},{"url":"https://git.kernel.org/stable/c/895123c309a34d2cfccf7812b41e17261a3a6f37"},{"url":"https://git.kernel.org/stable/c/4ae1e46d8a290319f33f71a2710a1382ba5431e8"},{"url":"https://git.kernel.org/stable/c/00312419f0863964625d6dcda8183f96849412c6"}],"title":"powerpc/64s/slb: Fix SLB multihit issue during SLB preload","x_generator":{"engine":"bippy-1.2.0"}}}}