{"api_version":"1","generated_at":"2026-05-08T04:13:14+00:00","cve":"CVE-2026-43227","urls":{"html":"https://cve.report/CVE-2026-43227","api":"https://cve.report/api/cve/CVE-2026-43227.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43227","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43227"},"summary":{"title":"clocksource/drivers/sh_tmu: Always leave device running after probe","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource/drivers/sh_tmu: Always leave device running after probe\n\nThe TMU device can be used as both a clocksource and a clockevent\nprovider. The driver tries to be smart and power itself on and off, as\nwell as enabling and disabling its clock when it's not in operation.\nThis behavior is slightly altered if the TMU is used as an early\nplatform device in which case the device is left powered on after probe,\nbut the clock is still enabled and disabled at runtime.\n\nThis has worked for a long time, but recent improvements in PREEMPT_RT\nand PROVE_LOCKING have highlighted an issue. As the TMU registers itself\nas a clockevent provider, clockevents_register_device(), it needs to use\nraw spinlocks internally as this is the context of which the clockevent\nframework interacts with the TMU driver. However in the context of\nholding a raw spinlock the TMU driver can't really manage its power\nstate or clock with calls to pm_runtime_*() and clk_*() as these calls\nend up in other platform drivers using regular spinlocks to control\npower and clocks.\n\nThis mix of spinlock contexts trips a lockdep warning.\n\n    =============================\n    [ BUG: Invalid wait context ]\n    6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted\n    -----------------------------\n    swapper/0/0 is trying to lock:\n    ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88\n    other info that might help us debug this:\n    context-{5:5}\n    1 lock held by swapper/0/0:\n    ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0\n     #0: ffff8000817ec298\n    ccree e6601000.crypto: ARM ccree device initialized\n     (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8\n    stack backtrace:\n    CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT\n    Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n    Call trace:\n     show_stack+0x14/0x1c (C)\n     dump_stack_lvl+0x6c/0x90\n     dump_stack+0x14/0x1c\n     __lock_acquire+0x904/0x1584\n     lock_acquire+0x220/0x34c\n     _raw_spin_lock_irqsave+0x58/0x80\n     __pm_runtime_resume+0x38/0x88\n     sh_tmu_clock_event_set_oneshot+0x84/0xd4\n     clockevents_switch_state+0xfc/0x13c\n     tick_broadcast_set_event+0x30/0xa4\n     __tick_broadcast_oneshot_control+0x1e0/0x3a8\n     tick_broadcast_oneshot_control+0x30/0x40\n     cpuidle_enter_state+0x40c/0x680\n     cpuidle_enter+0x30/0x40\n     do_idle+0x1f4/0x280\n     cpu_startup_entry+0x34/0x40\n     kernel_init+0x0/0x130\n     do_one_initcall+0x0/0x230\n     __primary_switched+0x88/0x90\n\nFor non-PREEMPT_RT builds this is not really an issue, but for\nPREEMPT_RT builds where normal spinlocks can sleep this might be an\nissue. Be cautious and always leave the power and clock running after\nprobe.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-06 12:16:42","updated_at":"2026-05-06 13:07:51"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/6f113ab549b864c1bc57d4f89846ee335394089a","name":"https://git.kernel.org/stable/c/6f113ab549b864c1bc57d4f89846ee335394089a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f0b31247e7d67a943b3a09d3cef7c0ae788d88e6","name":"https://git.kernel.org/stable/c/f0b31247e7d67a943b3a09d3cef7c0ae788d88e6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/79d650695773f03de36b99228a090d33d1c18264","name":"https://git.kernel.org/stable/c/79d650695773f03de36b99228a090d33d1c18264","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/88c76792180dffd83f1c5b9dc8fdaeb145cb94e0","name":"https://git.kernel.org/stable/c/88c76792180dffd83f1c5b9dc8fdaeb145cb94e0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/016476afef993d1201a19decc9b5b2ea1e6620f2","name":"https://git.kernel.org/stable/c/016476afef993d1201a19decc9b5b2ea1e6620f2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b1278972b08e480990e2789bdc6a7c918bc349be","name":"https://git.kernel.org/stable/c/b1278972b08e480990e2789bdc6a7c918bc349be","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0e513cc6b9cea190fe342cc222b1054e7e8acfc8","name":"https://git.kernel.org/stable/c/0e513cc6b9cea190fe342cc222b1054e7e8acfc8","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/bc59d5f3afe41fec5d673c27c703b761ae578d28","name":"https://git.kernel.org/stable/c/bc59d5f3afe41fec5d673c27c703b761ae578d28","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43227","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43227","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 79d650695773f03de36b99228a090d33d1c18264 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 f0b31247e7d67a943b3a09d3cef7c0ae788d88e6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 016476afef993d1201a19decc9b5b2ea1e6620f2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 6f113ab549b864c1bc57d4f89846ee335394089a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 88c76792180dffd83f1c5b9dc8fdaeb145cb94e0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 bc59d5f3afe41fec5d673c27c703b761ae578d28 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 0e513cc6b9cea190fe342cc222b1054e7e8acfc8 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 b1278972b08e480990e2789bdc6a7c918bc349be git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.252 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.202 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.165 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.128 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.75 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.16 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.6 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/clocksource/sh_tmu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"79d650695773f03de36b99228a090d33d1c18264","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"f0b31247e7d67a943b3a09d3cef7c0ae788d88e6","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"016476afef993d1201a19decc9b5b2ea1e6620f2","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"6f113ab549b864c1bc57d4f89846ee335394089a","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"88c76792180dffd83f1c5b9dc8fdaeb145cb94e0","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"bc59d5f3afe41fec5d673c27c703b761ae578d28","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"0e513cc6b9cea190fe342cc222b1054e7e8acfc8","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"b1278972b08e480990e2789bdc6a7c918bc349be","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/clocksource/sh_tmu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.252","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.202","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.165","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.128","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.75","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.16","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.6","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.252","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.202","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.165","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.128","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.75","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource/drivers/sh_tmu: Always leave device running after probe\n\nThe TMU device can be used as both a clocksource and a clockevent\nprovider. The driver tries to be smart and power itself on and off, as\nwell as enabling and disabling its clock when it's not in operation.\nThis behavior is slightly altered if the TMU is used as an early\nplatform device in which case the device is left powered on after probe,\nbut the clock is still enabled and disabled at runtime.\n\nThis has worked for a long time, but recent improvements in PREEMPT_RT\nand PROVE_LOCKING have highlighted an issue. As the TMU registers itself\nas a clockevent provider, clockevents_register_device(), it needs to use\nraw spinlocks internally as this is the context of which the clockevent\nframework interacts with the TMU driver. However in the context of\nholding a raw spinlock the TMU driver can't really manage its power\nstate or clock with calls to pm_runtime_*() and clk_*() as these calls\nend up in other platform drivers using regular spinlocks to control\npower and clocks.\n\nThis mix of spinlock contexts trips a lockdep warning.\n\n    =============================\n    [ BUG: Invalid wait context ]\n    6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted\n    -----------------------------\n    swapper/0/0 is trying to lock:\n    ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88\n    other info that might help us debug this:\n    context-{5:5}\n    1 lock held by swapper/0/0:\n    ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0\n     #0: ffff8000817ec298\n    ccree e6601000.crypto: ARM ccree device initialized\n     (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8\n    stack backtrace:\n    CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT\n    Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n    Call trace:\n     show_stack+0x14/0x1c (C)\n     dump_stack_lvl+0x6c/0x90\n     dump_stack+0x14/0x1c\n     __lock_acquire+0x904/0x1584\n     lock_acquire+0x220/0x34c\n     _raw_spin_lock_irqsave+0x58/0x80\n     __pm_runtime_resume+0x38/0x88\n     sh_tmu_clock_event_set_oneshot+0x84/0xd4\n     clockevents_switch_state+0xfc/0x13c\n     tick_broadcast_set_event+0x30/0xa4\n     __tick_broadcast_oneshot_control+0x1e0/0x3a8\n     tick_broadcast_oneshot_control+0x30/0x40\n     cpuidle_enter_state+0x40c/0x680\n     cpuidle_enter+0x30/0x40\n     do_idle+0x1f4/0x280\n     cpu_startup_entry+0x34/0x40\n     kernel_init+0x0/0x130\n     do_one_initcall+0x0/0x230\n     __primary_switched+0x88/0x90\n\nFor non-PREEMPT_RT builds this is not really an issue, but for\nPREEMPT_RT builds where normal spinlocks can sleep this might be an\nissue. Be cautious and always leave the power and clock running after\nprobe."}],"providerMetadata":{"dateUpdated":"2026-05-06T11:28:25.629Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/79d650695773f03de36b99228a090d33d1c18264"},{"url":"https://git.kernel.org/stable/c/f0b31247e7d67a943b3a09d3cef7c0ae788d88e6"},{"url":"https://git.kernel.org/stable/c/016476afef993d1201a19decc9b5b2ea1e6620f2"},{"url":"https://git.kernel.org/stable/c/6f113ab549b864c1bc57d4f89846ee335394089a"},{"url":"https://git.kernel.org/stable/c/88c76792180dffd83f1c5b9dc8fdaeb145cb94e0"},{"url":"https://git.kernel.org/stable/c/bc59d5f3afe41fec5d673c27c703b761ae578d28"},{"url":"https://git.kernel.org/stable/c/0e513cc6b9cea190fe342cc222b1054e7e8acfc8"},{"url":"https://git.kernel.org/stable/c/b1278972b08e480990e2789bdc6a7c918bc349be"}],"title":"clocksource/drivers/sh_tmu: Always leave device running after probe","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43227","datePublished":"2026-05-06T11:28:25.629Z","dateReserved":"2026-05-01T14:12:55.994Z","dateUpdated":"2026-05-06T11:28:25.629Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-06 12:16:42","lastModifiedDate":"2026-05-06 13:07:51","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43227","Ordinal":"1","Title":"clocksource/drivers/sh_tmu: Always leave device running after pr","CVE":"CVE-2026-43227","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43227","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource/drivers/sh_tmu: Always leave device running after probe\n\nThe TMU device can be used as both a clocksource and a clockevent\nprovider. The driver tries to be smart and power itself on and off, as\nwell as enabling and disabling its clock when it's not in operation.\nThis behavior is slightly altered if the TMU is used as an early\nplatform device in which case the device is left powered on after probe,\nbut the clock is still enabled and disabled at runtime.\n\nThis has worked for a long time, but recent improvements in PREEMPT_RT\nand PROVE_LOCKING have highlighted an issue. As the TMU registers itself\nas a clockevent provider, clockevents_register_device(), it needs to use\nraw spinlocks internally as this is the context of which the clockevent\nframework interacts with the TMU driver. However in the context of\nholding a raw spinlock the TMU driver can't really manage its power\nstate or clock with calls to pm_runtime_*() and clk_*() as these calls\nend up in other platform drivers using regular spinlocks to control\npower and clocks.\n\nThis mix of spinlock contexts trips a lockdep warning.\n\n    =============================\n    [ BUG: Invalid wait context ]\n    6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted\n    -----------------------------\n    swapper/0/0 is trying to lock:\n    ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88\n    other info that might help us debug this:\n    context-{5:5}\n    1 lock held by swapper/0/0:\n    ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0\n     #0: ffff8000817ec298\n    ccree e6601000.crypto: ARM ccree device initialized\n     (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8\n    stack backtrace:\n    CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT\n    Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n    Call trace:\n     show_stack+0x14/0x1c (C)\n     dump_stack_lvl+0x6c/0x90\n     dump_stack+0x14/0x1c\n     __lock_acquire+0x904/0x1584\n     lock_acquire+0x220/0x34c\n     _raw_spin_lock_irqsave+0x58/0x80\n     __pm_runtime_resume+0x38/0x88\n     sh_tmu_clock_event_set_oneshot+0x84/0xd4\n     clockevents_switch_state+0xfc/0x13c\n     tick_broadcast_set_event+0x30/0xa4\n     __tick_broadcast_oneshot_control+0x1e0/0x3a8\n     tick_broadcast_oneshot_control+0x30/0x40\n     cpuidle_enter_state+0x40c/0x680\n     cpuidle_enter+0x30/0x40\n     do_idle+0x1f4/0x280\n     cpu_startup_entry+0x34/0x40\n     kernel_init+0x0/0x130\n     do_one_initcall+0x0/0x230\n     __primary_switched+0x88/0x90\n\nFor non-PREEMPT_RT builds this is not really an issue, but for\nPREEMPT_RT builds where normal spinlocks can sleep this might be an\nissue. Be cautious and always leave the power and clock running after\nprobe.","Type":"Description","Title":"clocksource/drivers/sh_tmu: Always leave device running after pr"}]}}}