Home

Description

In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs On the following path, flush_tlb_range() can be used for zapping normal PMD entries (PMD entries that point to page tables) together with the PTE entries in the pointed-to page table: collapse_pte_mapped_thp pmdp_collapse_flush flush_tlb_range The arm64 version of flush_tlb_range() has a comment describing that it can be used for page table removal, and does not use any last-level invalidation optimizations. Fix the X86 version by making it behave the same way. Currently, X86 only uses this information for the following two purposes, which I think means the issue doesn't have much impact: - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be IPI'd to avoid issues with speculative page table walks. - In Hyper-V TLB paravirtualization, again for lazy TLB stuff. The patch "x86/mm: only invalidate final translations with INVLPGB" which is currently under review (see <https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>) would probably be making the impact of this a lot worse.

PUBLISHED Reserved 2024-12-29 | Published 2025-04-16 | Updated 2026-05-11 | Assigner Linux

Product status

Default status
unaffected

016c4d92cd16f569c6485ae62b076c1a4b779536 (git) before 618d5612ecb7bfc1c85342daafeb2b47e29e77a3
affected

016c4d92cd16f569c6485ae62b076c1a4b779536 (git) before 556d446068f90981e5d71ca686bdaccdd545d491
affected

016c4d92cd16f569c6485ae62b076c1a4b779536 (git) before 0a8f806ea6b5dd64b3d1f05ff774817d5f7ddbd1
affected

016c4d92cd16f569c6485ae62b076c1a4b779536 (git) before 0708fd6bd8161871bfbadced2ca4319b84ab44fe
affected

016c4d92cd16f569c6485ae62b076c1a4b779536 (git) before 7085895c59e4057ffae17f58990ccb630087d0d2
affected

016c4d92cd16f569c6485ae62b076c1a4b779536 (git) before 93224deb50a8d20df3884f3672ce9f982129aa50
affected

016c4d92cd16f569c6485ae62b076c1a4b779536 (git) before 320ac1af4c0bdb92c864dc9250d1329234820edf
affected

016c4d92cd16f569c6485ae62b076c1a4b779536 (git) before 78d6f9a9eb2a5da6fcbd76d6191d24b0dcc321be
affected

016c4d92cd16f569c6485ae62b076c1a4b779536 (git) before 3ef938c3503563bfc2ac15083557f880d29c2e64
affected

Default status
affected

4.20
affected

Any version before 4.20
unaffected

5.4.292 (semver)
unaffected

5.10.236 (semver)
unaffected

5.15.180 (semver)
unaffected

6.1.134 (semver)
unaffected

6.6.87 (semver)
unaffected

6.12.23 (semver)
unaffected

6.13.11 (semver)
unaffected

6.14.2 (semver)
unaffected

6.15 (original_commit_for_fix)
unaffected

References

lists.debian.org/debian-lts-announce/2025/05/msg00045.html

lists.debian.org/debian-lts-announce/2025/05/msg00030.html

git.kernel.org/...c/618d5612ecb7bfc1c85342daafeb2b47e29e77a3

git.kernel.org/...c/556d446068f90981e5d71ca686bdaccdd545d491

git.kernel.org/...c/0a8f806ea6b5dd64b3d1f05ff774817d5f7ddbd1

git.kernel.org/...c/0708fd6bd8161871bfbadced2ca4319b84ab44fe

git.kernel.org/...c/7085895c59e4057ffae17f58990ccb630087d0d2

git.kernel.org/...c/93224deb50a8d20df3884f3672ce9f982129aa50

git.kernel.org/...c/320ac1af4c0bdb92c864dc9250d1329234820edf

git.kernel.org/...c/78d6f9a9eb2a5da6fcbd76d6191d24b0dcc321be

git.kernel.org/...c/3ef938c3503563bfc2ac15083557f880d29c2e64

cve.org (CVE-2025-22045)

nvd.nist.gov (CVE-2025-22045)

Download JSON