CVE-2026-43227

Source
https://cve.org/CVERecord?id=CVE-2026-43227
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43227.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-43227
Downstream
Published
2026-05-06T11:28:25.629Z
Modified
2026-06-18T03:55:03.184350604Z
Summary
clocksource/drivers/sh_tmu: Always leave device running after probe
Details

In the Linux kernel, the following vulnerability has been resolved:

clocksource/drivers/sh_tmu: Always leave device running after probe

The TMU device can be used as both a clocksource and a clockevent provider. The driver tries to be smart and power itself on and off, as well as enabling and disabling its clock when it's not in operation. This behavior is slightly altered if the TMU is used as an early platform device in which case the device is left powered on after probe, but the clock is still enabled and disabled at runtime.

This has worked for a long time, but recent improvements in PREEMPTRT and PROVELOCKING have highlighted an issue. As the TMU registers itself as a clockevent provider, clockeventsregisterdevice(), it needs to use raw spinlocks internally as this is the context of which the clockevent framework interacts with the TMU driver. However in the context of holding a raw spinlock the TMU driver can't really manage its power state or clock with calls to pmruntime*() and clk_*() as these calls end up in other platform drivers using regular spinlocks to control power and clocks.

This mix of spinlock contexts trips a lockdep warning.

=============================
[ BUG: Invalid wait context ]
6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted
-----------------------------
swapper/0/0 is trying to lock:
ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88
other info that might help us debug this:
context-{5:5}
1 lock held by swapper/0/0:
ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0
 #0: ffff8000817ec298
ccree e6601000.crypto: ARM ccree device initialized
 (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8
stack backtrace:
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT
Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)
Call trace:
 show_stack+0x14/0x1c (C)
 dump_stack_lvl+0x6c/0x90
 dump_stack+0x14/0x1c
 __lock_acquire+0x904/0x1584
 lock_acquire+0x220/0x34c
 _raw_spin_lock_irqsave+0x58/0x80
 __pm_runtime_resume+0x38/0x88
 sh_tmu_clock_event_set_oneshot+0x84/0xd4
 clockevents_switch_state+0xfc/0x13c
 tick_broadcast_set_event+0x30/0xa4
 __tick_broadcast_oneshot_control+0x1e0/0x3a8
 tick_broadcast_oneshot_control+0x30/0x40
 cpuidle_enter_state+0x40c/0x680
 cpuidle_enter+0x30/0x40
 do_idle+0x1f4/0x280
 cpu_startup_entry+0x34/0x40
 kernel_init+0x0/0x130
 do_one_initcall+0x0/0x230
 __primary_switched+0x88/0x90

For non-PREEMPTRT builds this is not really an issue, but for PREEMPTRT builds where normal spinlocks can sleep this might be an issue. Be cautious and always leave the power and clock running after probe.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43227.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9570ef20423b549757aa484ad388f9a7d5bdc4d9
Fixed
79d650695773f03de36b99228a090d33d1c18264
Fixed
f0b31247e7d67a943b3a09d3cef7c0ae788d88e6
Fixed
016476afef993d1201a19decc9b5b2ea1e6620f2
Fixed
6f113ab549b864c1bc57d4f89846ee335394089a
Fixed
88c76792180dffd83f1c5b9dc8fdaeb145cb94e0
Fixed
bc59d5f3afe41fec5d673c27c703b761ae578d28
Fixed
0e513cc6b9cea190fe342cc222b1054e7e8acfc8
Fixed
b1278972b08e480990e2789bdc6a7c918bc349be

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43227.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.31
Fixed
5.10.252
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.202
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.165
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.128
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.16
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43227.json"