Homepage

Incorrect Synchronization Affecting kernel-rt-debug package, versions *

Severity

 Recommended
low

Based on CentOS security rating.

Threat Intelligence

EPSS
0.02% (7th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS10-KERNELRTDEBUG-16460304
  • published7 May 2026
  • disclosed6 May 2026
Report a new vulnerability Found a mistake?

Introduced: 6 May 2026

NewCVE-2026-43227  (opens in a new tab)
CWE-821  (opens in a new tab)

How to fix?

There is no fixed version for Centos:10 kernel-rt-debug.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-rt-debug package and not the kernel-rt-debug package as distributed by Centos. See How to fix? for Centos:10 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

clocksource/drivers/sh_tmu: Always leave device running after probe

The TMU device can be used as both a clocksource and a clockevent provider. The driver tries to be smart and power itself on and off, as well as enabling and disabling its clock when it's not in operation. This behavior is slightly altered if the TMU is used as an early platform device in which case the device is left powered on after probe, but the clock is still enabled and disabled at runtime.

This has worked for a long time, but recent improvements in PREEMPT_RT and PROVE_LOCKING have highlighted an issue. As the TMU registers itself as a clockevent provider, clockevents_register_device(), it needs to use raw spinlocks internally as this is the context of which the clockevent framework interacts with the TMU driver. However in the context of holding a raw spinlock the TMU driver can't really manage its power state or clock with calls to pm_runtime_*() and clk_*() as these calls end up in other platform drivers using regular spinlocks to control power and clocks.

This mix of spinlock contexts trips a lockdep warning.

=============================
[ BUG: Invalid wait context ]
6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted
-----------------------------
swapper/0/0 is trying to lock:
ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88
other info that might help us debug this:
context-{5:5}
1 lock held by swapper/0/0:
ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0
 #0: ffff8000817ec298
ccree e6601000.crypto: ARM ccree device initialized
 (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8
stack backtrace:
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT
Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)
Call trace:
 show_stack+0x14/0x1c (C)
 dump_stack_lvl+0x6c/0x90
 dump_stack+0x14/0x1c
 __lock_acquire+0x904/0x1584
 lock_acquire+0x220/0x34c
 _raw_spin_lock_irqsave+0x58/0x80
 __pm_runtime_resume+0x38/0x88
 sh_tmu_clock_event_set_oneshot+0x84/0xd4
 clockevents_switch_state+0xfc/0x13c
 tick_broadcast_set_event+0x30/0xa4
 __tick_broadcast_oneshot_control+0x1e0/0x3a8
 tick_broadcast_oneshot_control+0x30/0x40
 cpuidle_enter_state+0x40c/0x680
 cpuidle_enter+0x30/0x40
 do_idle+0x1f4/0x280
 cpu_startup_entry+0x34/0x40
 kernel_init+0x0/0x130
 do_one_initcall+0x0/0x230
 __primary_switched+0x88/0x90

For non-PREEMPT_RT builds this is not really an issue, but for PREEMPT_RT builds where normal spinlocks can sleep this might be an issue. Be cautious and always leave the power and clock running after probe.

CVSS Base Scores

version 3.1