Security Vulnerability Report
中文
CVE-2026-43227 CVSS 5.5 MEDIUM

CVE-2026-43227

Published: 2026-05-06 12:16:43
Last Modified: 2026-05-08 21:11:53
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: clocksource/drivers/sh_tmu: Always leave device running after probe The TMU device can be used as both a clocksource and a clockevent provider. The driver tries to be smart and power itself on and off, as well as enabling and disabling its clock when it's not in operation. This behavior is slightly altered if the TMU is used as an early platform device in which case the device is left powered on after probe, but the clock is still enabled and disabled at runtime. This has worked for a long time, but recent improvements in PREEMPT_RT and PROVE_LOCKING have highlighted an issue. As the TMU registers itself as a clockevent provider, clockevents_register_device(), it needs to use raw spinlocks internally as this is the context of which the clockevent framework interacts with the TMU driver. However in the context of holding a raw spinlock the TMU driver can't really manage its power state or clock with calls to pm_runtime_*() and clk_*() as these calls end up in other platform drivers using regular spinlocks to control power and clocks. This mix of spinlock contexts trips a lockdep warning. ============================= [ BUG: Invalid wait context ] 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted ----------------------------- swapper/0/0 is trying to lock: ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88 other info that might help us debug this: context-{5:5} 1 lock held by swapper/0/0: ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0 #0: ffff8000817ec298 ccree e6601000.crypto: ARM ccree device initialized (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8 stack backtrace: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) Call trace: show_stack+0x14/0x1c (C) dump_stack_lvl+0x6c/0x90 dump_stack+0x14/0x1c __lock_acquire+0x904/0x1584 lock_acquire+0x220/0x34c _raw_spin_lock_irqsave+0x58/0x80 __pm_runtime_resume+0x38/0x88 sh_tmu_clock_event_set_oneshot+0x84/0xd4 clockevents_switch_state+0xfc/0x13c tick_broadcast_set_event+0x30/0xa4 __tick_broadcast_oneshot_control+0x1e0/0x3a8 tick_broadcast_oneshot_control+0x30/0x40 cpuidle_enter_state+0x40c/0x680 cpuidle_enter+0x30/0x40 do_idle+0x1f4/0x280 cpu_startup_entry+0x34/0x40 kernel_init+0x0/0x130 do_one_initcall+0x0/0x230 __primary_switched+0x88/0x90 For non-PREEMPT_RT builds this is not really an issue, but for PREEMPT_RT builds where normal spinlocks can sleep this might be an issue. Be cautious and always leave the power and clock running after probe.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.18 (Specific commits fix this)
Linux Kernel stable branches prior to fixes: 016476afef99, 0e513cc6b9ce, 6f113ab549b8, etc.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * PoC Concept for CVE-2026-43227 * This code demonstrates the problematic locking scenario. * Triggering this requires a kernel configuration with PREEMPT_RT enabled * and hardware using the sh_tmu driver. */ #include <linux/module.h> #include <linux/kernel.h> #include <linux/spinlock.h> // Simulate the raw spinlock used by clockevent framework static DEFINE_RAW_SPINLOCK(tick_broadcast_lock); // Simulate the normal spinlock used by pm_runtime static DEFINE_SPINLOCK(dev_power_lock); void simulated_sh_tmu_clock_event_set_oneshot(void) { unsigned long flags; // Step 1: Clockevent framework acquires raw spinlock raw_spin_lock_irqsave(&tick_broadcast_lock, flags); // Step 2: Driver tries to manage power (BUG occurs here) // In the real vulnerability, this calls __pm_runtime_resume // which tries to acquire dev->power.lock (a normal spinlock) printk(KERN_INFO "Attempting to acquire normal lock inside raw lock context...\n"); // This next line would trigger the 'Invalid wait context' warning // or deadlock in PREEMPT_RT // spin_lock(&dev_power_lock); // spin_unlock(&dev_power_lock); raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags); } int init_module(void) { printk(KERN_INFO "CVE-2026-43227 PoC Module Loaded\n"); simulated_sh_tmu_clock_event_set_oneshot(); return 0; } void cleanup_module(void) { printk(KERN_INFO "CVE-2026-43227 PoC Module Unloaded\n"); } MODULE_LICENSE("GPL");

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43227", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:42.537", "lastModified": "2026-05-08T21:11:53.367", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource/drivers/sh_tmu: Always leave device running after probe\n\nThe TMU device can be used as both a clocksource and a clockevent\nprovider. The driver tries to be smart and power itself on and off, as\nwell as enabling and disabling its clock when it's not in operation.\nThis behavior is slightly altered if the TMU is used as an early\nplatform device in which case the device is left powered on after probe,\nbut the clock is still enabled and disabled at runtime.\n\nThis has worked for a long time, but recent improvements in PREEMPT_RT\nand PROVE_LOCKING have highlighted an issue. As the TMU registers itself\nas a clockevent provider, clockevents_register_device(), it needs to use\nraw spinlocks internally as this is the context of which the clockevent\nframework interacts with the TMU driver. However in the context of\nholding a raw spinlock the TMU driver can't really manage its power\nstate or clock with calls to pm_runtime_*() and clk_*() as these calls\nend up in other platform drivers using regular spinlocks to control\npower and clocks.\n\nThis mix of spinlock contexts trips a lockdep warning.\n\n =============================\n [ BUG: Invalid wait context ]\n 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted\n -----------------------------\n swapper/0/0 is trying to lock:\n ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88\n other info that might help us debug this:\n context-{5:5}\n 1 lock held by swapper/0/0:\n ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0\n #0: ffff8000817ec298\n ccree e6601000.crypto: ARM ccree device initialized\n (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8\n stack backtrace:\n CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT\n Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n Call trace:\n show_stack+0x14/0x1c (C)\n dump_stack_lvl+0x6c/0x90\n dump_stack+0x14/0x1c\n __lock_acquire+0x904/0x1584\n lock_acquire+0x220/0x34c\n _raw_spin_lock_irqsave+0x58/0x80\n __pm_runtime_resume+0x38/0x88\n sh_tmu_clock_event_set_oneshot+0x84/0xd4\n clockevents_switch_state+0xfc/0x13c\n tick_broadcast_set_event+0x30/0xa4\n __tick_broadcast_oneshot_control+0x1e0/0x3a8\n tick_broadcast_oneshot_control+0x30/0x40\n cpuidle_enter_state+0x40c/0x680\n cpuidle_enter+0x30/0x40\n do_idle+0x1f4/0x280\n cpu_startup_entry+0x34/0x40\n kernel_init+0x0/0x130\n do_one_initcall+0x0/0x230\n __primary_switched+0x88/0x90\n\nFor non-PREEMPT_RT builds this is not really an issue, but for\nPREEMPT_RT builds where normal spinlocks can sleep this might be an\nissue. Be cautious and always leave the power and clock running after\nprobe."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "5.10.252", "matchCriteriaId": "790A3A0E-E329-48DE-816C-2EDD7B22E08B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.202", "matchCriteriaId": "4002FC2B-1456-4666-B240-0EBF590C4671"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.165", "matchCriteriaId": "797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": tr ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.