{"api_version":"1","generated_at":"2026-06-04T13:01:01+00:00","cve":"CVE-2026-46272","urls":{"html":"https://cve.report/CVE-2026-46272","api":"https://cve.report/api/cve/CVE-2026-46272.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46272","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46272"},"summary":{"title":"coresight: tmc-etr: Fix race condition between sysfs and perf mode","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: tmc-etr: Fix race condition between sysfs and perf mode\n\nWhen trying to run perf and sysfs mode simultaneously, the WARN_ON()\nin tmc_etr_enable_hw() is triggered sometimes:\n\n WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc]\n [..snip..]\n Call trace:\n  tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P)\n  tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L)\n  tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc]\n  coresight_enable_path+0x1c8/0x218 [coresight]\n  coresight_enable_sysfs+0xa4/0x228 [coresight]\n  enable_source_store+0x58/0xa8 [coresight]\n  dev_attr_store+0x20/0x40\n  sysfs_kf_write+0x4c/0x68\n  kernfs_fop_write_iter+0x120/0x1b8\n  vfs_write+0x2c8/0x388\n  ksys_write+0x74/0x108\n  __arm64_sys_write+0x24/0x38\n  el0_svc_common.constprop.0+0x64/0x148\n  do_el0_svc+0x24/0x38\n  el0_svc+0x3c/0x130\n  el0t_64_sync_handler+0xc8/0xd0\n  el0t_64_sync+0x1ac/0x1b0\n ---[ end trace 0000000000000000 ]---\n\nSince the enablement of sysfs mode is separeted into two critical regions,\none for sysfs buffer allocation and another for hardware enablement, it's\npossible to race with the perf mode. Fix this by double check whether\nthe perf mode's been used before enabling the hardware in sysfs mode.\n\n mode:\n   [sysfs mode]                   [perf mode]\n   tmc_etr_get_sysfs_buffer()\n     spin_lock(&drvdata->spinlock)\n     [sysfs buffer allocation]\n     spin_unlock(&drvdata->spinlock)\n                                  spin_lock(&drvdata->spinlock)\n                                  tmc_etr_enable_hw()\n                                    drvdata->etr_buf = etr_perf->etr_buf\n                                  spin_unlock(&drvdata->spinlock)\n   spin_lock(&drvdata->spinlock)\n   tmc_etr_enable_hw()\n     WARN_ON(drvdata->etr_buf) // WARN sicne etr_buf initialized at\n                                  the perf side\n   spin_unlock(&drvdata->spinlock)\n\nWith this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf.\nThis ensures we verify whether the perf mode's already running before we\nactually allocate the buffer. Then we can save the time of\nallocating/freeing the sysfs buffer if race with the perf mode.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-03 18:16:29","updated_at":"2026-06-03 18:16:29"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/e6e43e82c79c97917cbe356c07e8a6f3f982ab53","name":"https://git.kernel.org/stable/c/e6e43e82c79c97917cbe356c07e8a6f3f982ab53","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6906aa70d4fc5900b954136e20e27c2be6d1acab","name":"https://git.kernel.org/stable/c/6906aa70d4fc5900b954136e20e27c2be6d1acab","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/38a07194bbcddb18d77dad40ba9978d994c0b74c","name":"https://git.kernel.org/stable/c/38a07194bbcddb18d77dad40ba9978d994c0b74c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46272","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46272","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 296b01fd106e787d4463974a7f42d286a5df08cd 38a07194bbcddb18d77dad40ba9978d994c0b74c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 296b01fd106e787d4463974a7f42d286a5df08cd 6906aa70d4fc5900b954136e20e27c2be6d1acab git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 296b01fd106e787d4463974a7f42d286a5df08cd e6e43e82c79c97917cbe356c07e8a6f3f982ab53 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.5","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.5 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.14 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.4 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/hwtracing/coresight/coresight-tmc-etr.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"38a07194bbcddb18d77dad40ba9978d994c0b74c","status":"affected","version":"296b01fd106e787d4463974a7f42d286a5df08cd","versionType":"git"},{"lessThan":"6906aa70d4fc5900b954136e20e27c2be6d1acab","status":"affected","version":"296b01fd106e787d4463974a7f42d286a5df08cd","versionType":"git"},{"lessThan":"e6e43e82c79c97917cbe356c07e8a6f3f982ab53","status":"affected","version":"296b01fd106e787d4463974a7f42d286a5df08cd","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/hwtracing/coresight/coresight-tmc-etr.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.5"},{"lessThan":"6.5","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.14","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.14","versionStartIncluding":"6.5","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.4","versionStartIncluding":"6.5","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.5","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: tmc-etr: Fix race condition between sysfs and perf mode\n\nWhen trying to run perf and sysfs mode simultaneously, the WARN_ON()\nin tmc_etr_enable_hw() is triggered sometimes:\n\n WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc]\n [..snip..]\n Call trace:\n  tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P)\n  tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L)\n  tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc]\n  coresight_enable_path+0x1c8/0x218 [coresight]\n  coresight_enable_sysfs+0xa4/0x228 [coresight]\n  enable_source_store+0x58/0xa8 [coresight]\n  dev_attr_store+0x20/0x40\n  sysfs_kf_write+0x4c/0x68\n  kernfs_fop_write_iter+0x120/0x1b8\n  vfs_write+0x2c8/0x388\n  ksys_write+0x74/0x108\n  __arm64_sys_write+0x24/0x38\n  el0_svc_common.constprop.0+0x64/0x148\n  do_el0_svc+0x24/0x38\n  el0_svc+0x3c/0x130\n  el0t_64_sync_handler+0xc8/0xd0\n  el0t_64_sync+0x1ac/0x1b0\n ---[ end trace 0000000000000000 ]---\n\nSince the enablement of sysfs mode is separeted into two critical regions,\none for sysfs buffer allocation and another for hardware enablement, it's\npossible to race with the perf mode. Fix this by double check whether\nthe perf mode's been used before enabling the hardware in sysfs mode.\n\n mode:\n   [sysfs mode]                   [perf mode]\n   tmc_etr_get_sysfs_buffer()\n     spin_lock(&drvdata->spinlock)\n     [sysfs buffer allocation]\n     spin_unlock(&drvdata->spinlock)\n                                  spin_lock(&drvdata->spinlock)\n                                  tmc_etr_enable_hw()\n                                    drvdata->etr_buf = etr_perf->etr_buf\n                                  spin_unlock(&drvdata->spinlock)\n   spin_lock(&drvdata->spinlock)\n   tmc_etr_enable_hw()\n     WARN_ON(drvdata->etr_buf) // WARN sicne etr_buf initialized at\n                                  the perf side\n   spin_unlock(&drvdata->spinlock)\n\nWith this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf.\nThis ensures we verify whether the perf mode's already running before we\nactually allocate the buffer. Then we can save the time of\nallocating/freeing the sysfs buffer if race with the perf mode."}],"providerMetadata":{"dateUpdated":"2026-06-03T15:50:14.618Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/38a07194bbcddb18d77dad40ba9978d994c0b74c"},{"url":"https://git.kernel.org/stable/c/6906aa70d4fc5900b954136e20e27c2be6d1acab"},{"url":"https://git.kernel.org/stable/c/e6e43e82c79c97917cbe356c07e8a6f3f982ab53"}],"title":"coresight: tmc-etr: Fix race condition between sysfs and perf mode","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-46272","datePublished":"2026-06-03T15:50:14.618Z","dateReserved":"2026-05-13T15:03:33.109Z","dateUpdated":"2026-06-03T15:50:14.618Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-03 18:16:29","lastModifiedDate":"2026-06-03 18:16:29","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46272","Ordinal":"1","Title":"coresight: tmc-etr: Fix race condition between sysfs and perf mo","CVE":"CVE-2026-46272","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46272","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: tmc-etr: Fix race condition between sysfs and perf mode\n\nWhen trying to run perf and sysfs mode simultaneously, the WARN_ON()\nin tmc_etr_enable_hw() is triggered sometimes:\n\n WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc]\n [..snip..]\n Call trace:\n  tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P)\n  tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L)\n  tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc]\n  coresight_enable_path+0x1c8/0x218 [coresight]\n  coresight_enable_sysfs+0xa4/0x228 [coresight]\n  enable_source_store+0x58/0xa8 [coresight]\n  dev_attr_store+0x20/0x40\n  sysfs_kf_write+0x4c/0x68\n  kernfs_fop_write_iter+0x120/0x1b8\n  vfs_write+0x2c8/0x388\n  ksys_write+0x74/0x108\n  __arm64_sys_write+0x24/0x38\n  el0_svc_common.constprop.0+0x64/0x148\n  do_el0_svc+0x24/0x38\n  el0_svc+0x3c/0x130\n  el0t_64_sync_handler+0xc8/0xd0\n  el0t_64_sync+0x1ac/0x1b0\n ---[ end trace 0000000000000000 ]---\n\nSince the enablement of sysfs mode is separeted into two critical regions,\none for sysfs buffer allocation and another for hardware enablement, it's\npossible to race with the perf mode. Fix this by double check whether\nthe perf mode's been used before enabling the hardware in sysfs mode.\n\n mode:\n   [sysfs mode]                   [perf mode]\n   tmc_etr_get_sysfs_buffer()\n     spin_lock(&drvdata->spinlock)\n     [sysfs buffer allocation]\n     spin_unlock(&drvdata->spinlock)\n                                  spin_lock(&drvdata->spinlock)\n                                  tmc_etr_enable_hw()\n                                    drvdata->etr_buf = etr_perf->etr_buf\n                                  spin_unlock(&drvdata->spinlock)\n   spin_lock(&drvdata->spinlock)\n   tmc_etr_enable_hw()\n     WARN_ON(drvdata->etr_buf) // WARN sicne etr_buf initialized at\n                                  the perf side\n   spin_unlock(&drvdata->spinlock)\n\nWith this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf.\nThis ensures we verify whether the perf mode's already running before we\nactually allocate the buffer. Then we can save the time of\nallocating/freeing the sysfs buffer if race with the perf mode.","Type":"Description","Title":"coresight: tmc-etr: Fix race condition between sysfs and perf mo"}]}}}