{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43227","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.994Z","datePublished":"2026-05-06T11:28:25.629Z","dateUpdated":"2026-05-11T22:20:27.826Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:20:27.826Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource/drivers/sh_tmu: Always leave device running after probe\n\nThe TMU device can be used as both a clocksource and a clockevent\nprovider. The driver tries to be smart and power itself on and off, as\nwell as enabling and disabling its clock when it's not in operation.\nThis behavior is slightly altered if the TMU is used as an early\nplatform device in which case the device is left powered on after probe,\nbut the clock is still enabled and disabled at runtime.\n\nThis has worked for a long time, but recent improvements in PREEMPT_RT\nand PROVE_LOCKING have highlighted an issue. As the TMU registers itself\nas a clockevent provider, clockevents_register_device(), it needs to use\nraw spinlocks internally as this is the context of which the clockevent\nframework interacts with the TMU driver. However in the context of\nholding a raw spinlock the TMU driver can't really manage its power\nstate or clock with calls to pm_runtime_*() and clk_*() as these calls\nend up in other platform drivers using regular spinlocks to control\npower and clocks.\n\nThis mix of spinlock contexts trips a lockdep warning.\n\n    =============================\n    [ BUG: Invalid wait context ]\n    6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted\n    -----------------------------\n    swapper/0/0 is trying to lock:\n    ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88\n    other info that might help us debug this:\n    context-{5:5}\n    1 lock held by swapper/0/0:\n    ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0\n     #0: ffff8000817ec298\n    ccree e6601000.crypto: ARM ccree device initialized\n     (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8\n    stack backtrace:\n    CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT\n    Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n    Call trace:\n     show_stack+0x14/0x1c (C)\n     dump_stack_lvl+0x6c/0x90\n     dump_stack+0x14/0x1c\n     __lock_acquire+0x904/0x1584\n     lock_acquire+0x220/0x34c\n     _raw_spin_lock_irqsave+0x58/0x80\n     __pm_runtime_resume+0x38/0x88\n     sh_tmu_clock_event_set_oneshot+0x84/0xd4\n     clockevents_switch_state+0xfc/0x13c\n     tick_broadcast_set_event+0x30/0xa4\n     __tick_broadcast_oneshot_control+0x1e0/0x3a8\n     tick_broadcast_oneshot_control+0x30/0x40\n     cpuidle_enter_state+0x40c/0x680\n     cpuidle_enter+0x30/0x40\n     do_idle+0x1f4/0x280\n     cpu_startup_entry+0x34/0x40\n     kernel_init+0x0/0x130\n     do_one_initcall+0x0/0x230\n     __primary_switched+0x88/0x90\n\nFor non-PREEMPT_RT builds this is not really an issue, but for\nPREEMPT_RT builds where normal spinlocks can sleep this might be an\nissue. Be cautious and always leave the power and clock running after\nprobe."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/clocksource/sh_tmu.c"],"versions":[{"version":"9570ef20423b549757aa484ad388f9a7d5bdc4d9","lessThan":"79d650695773f03de36b99228a090d33d1c18264","status":"affected","versionType":"git"},{"version":"9570ef20423b549757aa484ad388f9a7d5bdc4d9","lessThan":"f0b31247e7d67a943b3a09d3cef7c0ae788d88e6","status":"affected","versionType":"git"},{"version":"9570ef20423b549757aa484ad388f9a7d5bdc4d9","lessThan":"016476afef993d1201a19decc9b5b2ea1e6620f2","status":"affected","versionType":"git"},{"version":"9570ef20423b549757aa484ad388f9a7d5bdc4d9","lessThan":"6f113ab549b864c1bc57d4f89846ee335394089a","status":"affected","versionType":"git"},{"version":"9570ef20423b549757aa484ad388f9a7d5bdc4d9","lessThan":"88c76792180dffd83f1c5b9dc8fdaeb145cb94e0","status":"affected","versionType":"git"},{"version":"9570ef20423b549757aa484ad388f9a7d5bdc4d9","lessThan":"bc59d5f3afe41fec5d673c27c703b761ae578d28","status":"affected","versionType":"git"},{"version":"9570ef20423b549757aa484ad388f9a7d5bdc4d9","lessThan":"0e513cc6b9cea190fe342cc222b1054e7e8acfc8","status":"affected","versionType":"git"},{"version":"9570ef20423b549757aa484ad388f9a7d5bdc4d9","lessThan":"b1278972b08e480990e2789bdc6a7c918bc349be","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/clocksource/sh_tmu.c"],"versions":[{"version":"2.6.31","status":"affected"},{"version":"0","lessThan":"2.6.31","status":"unaffected","versionType":"semver"},{"version":"5.10.252","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.202","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.165","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.128","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.75","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.16","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.31","versionEndExcluding":"5.10.252"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.31","versionEndExcluding":"5.15.202"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.31","versionEndExcluding":"6.1.165"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.31","versionEndExcluding":"6.6.128"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.31","versionEndExcluding":"6.12.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.31","versionEndExcluding":"6.18.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.31","versionEndExcluding":"6.19.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.31","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/79d650695773f03de36b99228a090d33d1c18264"},{"url":"https://git.kernel.org/stable/c/f0b31247e7d67a943b3a09d3cef7c0ae788d88e6"},{"url":"https://git.kernel.org/stable/c/016476afef993d1201a19decc9b5b2ea1e6620f2"},{"url":"https://git.kernel.org/stable/c/6f113ab549b864c1bc57d4f89846ee335394089a"},{"url":"https://git.kernel.org/stable/c/88c76792180dffd83f1c5b9dc8fdaeb145cb94e0"},{"url":"https://git.kernel.org/stable/c/bc59d5f3afe41fec5d673c27c703b761ae578d28"},{"url":"https://git.kernel.org/stable/c/0e513cc6b9cea190fe342cc222b1054e7e8acfc8"},{"url":"https://git.kernel.org/stable/c/b1278972b08e480990e2789bdc6a7c918bc349be"}],"title":"clocksource/drivers/sh_tmu: Always leave device running after probe","x_generator":{"engine":"bippy-1.2.0"}}}}