CVE-2026-43227
Awaiting Analysis Awaiting Analysis - Queue
Clocksource Race Condition in Linux Kernel TMU Driver

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: clocksource/drivers/sh_tmu: Always leave device running after probe The TMU device can be used as both a clocksource and a clockevent provider. The driver tries to be smart and power itself on and off, as well as enabling and disabling its clock when it's not in operation. This behavior is slightly altered if the TMU is used as an early platform device in which case the device is left powered on after probe, but the clock is still enabled and disabled at runtime. This has worked for a long time, but recent improvements in PREEMPT_RT and PROVE_LOCKING have highlighted an issue. As the TMU registers itself as a clockevent provider, clockevents_register_device(), it needs to use raw spinlocks internally as this is the context of which the clockevent framework interacts with the TMU driver. However in the context of holding a raw spinlock the TMU driver can't really manage its power state or clock with calls to pm_runtime_*() and clk_*() as these calls end up in other platform drivers using regular spinlocks to control power and clocks. This mix of spinlock contexts trips a lockdep warning. ============================= [ BUG: Invalid wait context ] 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted ----------------------------- swapper/0/0 is trying to lock: ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88 other info that might help us debug this: context-{5:5} 1 lock held by swapper/0/0: ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0 #0: ffff8000817ec298 ccree e6601000.crypto: ARM ccree device initialized (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8 stack backtrace: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) Call trace: show_stack+0x14/0x1c (C) dump_stack_lvl+0x6c/0x90 dump_stack+0x14/0x1c __lock_acquire+0x904/0x1584 lock_acquire+0x220/0x34c _raw_spin_lock_irqsave+0x58/0x80 __pm_runtime_resume+0x38/0x88 sh_tmu_clock_event_set_oneshot+0x84/0xd4 clockevents_switch_state+0xfc/0x13c tick_broadcast_set_event+0x30/0xa4 __tick_broadcast_oneshot_control+0x1e0/0x3a8 tick_broadcast_oneshot_control+0x30/0x40 cpuidle_enter_state+0x40c/0x680 cpuidle_enter+0x30/0x40 do_idle+0x1f4/0x280 cpu_startup_entry+0x34/0x40 kernel_init+0x0/0x130 do_one_initcall+0x0/0x230 __primary_switched+0x88/0x90 For non-PREEMPT_RT builds this is not really an issue, but for PREEMPT_RT builds where normal spinlocks can sleep this might be an issue. Be cautious and always leave the power and clock running after probe.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-05-07
AI Q&A
2026-05-06
EPSS Evaluated
N/A
NVD
CVE-2026-43227
EUVD
EUVD-2026-27788
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel 6.18.0-arm64-renesas-09926-gee959e7c5e34
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the TMU (Timer Management Unit) device driver in the Linux kernel. The TMU device acts as both a clocksource and a clockevent provider. The driver attempts to manage its power state by turning the device and its clock on and off when not in use. However, when used as an early platform device, the device is left powered on after initialization (probe), but the clock is still enabled and disabled at runtime.

The issue arises because the TMU driver uses raw spinlocks internally when registering as a clockevent provider. In this context, it cannot safely manage power or clock states using the usual runtime power management calls, which rely on regular spinlocks. This mismatch leads to lock dependency (lockdep) warnings and invalid wait contexts, especially in PREEMPT_RT (real-time) builds where normal spinlocks can sleep.

The vulnerability is that improper handling of power and clock management under these locking conditions can cause kernel warnings or potential deadlocks, affecting system stability.


How can this vulnerability impact me? :

This vulnerability can impact system stability and reliability, particularly on systems using PREEMPT_RT (real-time) Linux kernel builds. The improper locking and power management interaction can cause lockdep warnings and invalid wait contexts, which may lead to kernel deadlocks or crashes.

For non-PREEMPT_RT builds, this issue is less critical and may not cause noticeable problems. However, on real-time systems where timing and responsiveness are critical, this vulnerability could disrupt normal operation and cause system hangs or degraded performance.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a lockdep warning related to invalid wait context in the Linux kernel, specifically involving the TMU driver and raw spinlocks.

To detect this issue on your system, you should monitor kernel logs for messages similar to the following lockdep warning:

  • [ BUG: Invalid wait context ]
  • swapper/0/0 is trying to lock: ffff000008c9e180 (&dev->power.lock)

You can check kernel logs using commands like:

  • dmesg | grep -i 'BUG: Invalid wait context'
  • journalctl -k | grep -i 'BUG: Invalid wait context'

Additionally, monitoring for lockdep warnings or stack traces involving __pm_runtime_resume and sh_tmu_clock_event_set_oneshot functions can help identify the problem.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to ensure that the TMU device is always left powered on and its clock running after the probe, especially in PREEMPT_RT builds.

This avoids the problematic power management calls that occur while holding raw spinlocks, which cause the lockdep warnings.

Therefore, you should verify and, if necessary, modify the TMU driver or platform device initialization to leave the device powered and clock enabled after probe.

If you are using a kernel version prior to the fix, consider updating to a version where this issue is resolved.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information about CVE-2026-43227 does not include any details regarding its impact on compliance with common standards and regulations such as GDPR or HIPAA.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart