CVE-2026-46272 (GCVE-0-2026-46272)

Vulnerability from cvelistv5 – Published: 2026-06-03 15:50 – Updated: 2026-06-03 15:50
VLAI
Title
coresight: tmc-etr: Fix race condition between sysfs and perf mode
Summary
In the Linux kernel, the following vulnerability has been resolved: coresight: tmc-etr: Fix race condition between sysfs and perf mode When trying to run perf and sysfs mode simultaneously, the WARN_ON() in tmc_etr_enable_hw() is triggered sometimes: WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] [..snip..] Call trace: tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P) tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L) tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] coresight_enable_path+0x1c8/0x218 [coresight] coresight_enable_sysfs+0xa4/0x228 [coresight] enable_source_store+0x58/0xa8 [coresight] dev_attr_store+0x20/0x40 sysfs_kf_write+0x4c/0x68 kernfs_fop_write_iter+0x120/0x1b8 vfs_write+0x2c8/0x388 ksys_write+0x74/0x108 __arm64_sys_write+0x24/0x38 el0_svc_common.constprop.0+0x64/0x148 do_el0_svc+0x24/0x38 el0_svc+0x3c/0x130 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x1ac/0x1b0 ---[ end trace 0000000000000000 ]--- Since the enablement of sysfs mode is separeted into two critical regions, one for sysfs buffer allocation and another for hardware enablement, it's possible to race with the perf mode. Fix this by double check whether the perf mode's been used before enabling the hardware in sysfs mode. mode: [sysfs mode] [perf mode] tmc_etr_get_sysfs_buffer() spin_lock(&drvdata->spinlock) [sysfs buffer allocation] spin_unlock(&drvdata->spinlock) spin_lock(&drvdata->spinlock) tmc_etr_enable_hw() drvdata->etr_buf = etr_perf->etr_buf spin_unlock(&drvdata->spinlock) spin_lock(&drvdata->spinlock) tmc_etr_enable_hw() WARN_ON(drvdata->etr_buf) // WARN sicne etr_buf initialized at the perf side spin_unlock(&drvdata->spinlock) With this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf. This ensures we verify whether the perf mode's already running before we actually allocate the buffer. Then we can save the time of allocating/freeing the sysfs buffer if race with the perf mode.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 296b01fd106e787d4463974a7f42d286a5df08cd , < 38a07194bbcddb18d77dad40ba9978d994c0b74c (git)
Affected: 296b01fd106e787d4463974a7f42d286a5df08cd , < 6906aa70d4fc5900b954136e20e27c2be6d1acab (git)
Affected: 296b01fd106e787d4463974a7f42d286a5df08cd , < e6e43e82c79c97917cbe356c07e8a6f3f982ab53 (git)
Create a notification for this product.
Linux Linux Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.18.14 , ≤ 6.18.* (semver)
Unaffected: 6.19.4 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hwtracing/coresight/coresight-tmc-etr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "38a07194bbcddb18d77dad40ba9978d994c0b74c",
              "status": "affected",
              "version": "296b01fd106e787d4463974a7f42d286a5df08cd",
              "versionType": "git"
            },
            {
              "lessThan": "6906aa70d4fc5900b954136e20e27c2be6d1acab",
              "status": "affected",
              "version": "296b01fd106e787d4463974a7f42d286a5df08cd",
              "versionType": "git"
            },
            {
              "lessThan": "e6e43e82c79c97917cbe356c07e8a6f3f982ab53",
              "status": "affected",
              "version": "296b01fd106e787d4463974a7f42d286a5df08cd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hwtracing/coresight/coresight-tmc-etr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: tmc-etr: Fix race condition between sysfs and perf mode\n\nWhen trying to run perf and sysfs mode simultaneously, the WARN_ON()\nin tmc_etr_enable_hw() is triggered sometimes:\n\n WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc]\n [..snip..]\n Call trace:\n  tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P)\n  tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L)\n  tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc]\n  coresight_enable_path+0x1c8/0x218 [coresight]\n  coresight_enable_sysfs+0xa4/0x228 [coresight]\n  enable_source_store+0x58/0xa8 [coresight]\n  dev_attr_store+0x20/0x40\n  sysfs_kf_write+0x4c/0x68\n  kernfs_fop_write_iter+0x120/0x1b8\n  vfs_write+0x2c8/0x388\n  ksys_write+0x74/0x108\n  __arm64_sys_write+0x24/0x38\n  el0_svc_common.constprop.0+0x64/0x148\n  do_el0_svc+0x24/0x38\n  el0_svc+0x3c/0x130\n  el0t_64_sync_handler+0xc8/0xd0\n  el0t_64_sync+0x1ac/0x1b0\n ---[ end trace 0000000000000000 ]---\n\nSince the enablement of sysfs mode is separeted into two critical regions,\none for sysfs buffer allocation and another for hardware enablement, it\u0027s\npossible to race with the perf mode. Fix this by double check whether\nthe perf mode\u0027s been used before enabling the hardware in sysfs mode.\n\n mode:\n   [sysfs mode]                   [perf mode]\n   tmc_etr_get_sysfs_buffer()\n     spin_lock(\u0026drvdata-\u003espinlock)\n     [sysfs buffer allocation]\n     spin_unlock(\u0026drvdata-\u003espinlock)\n                                  spin_lock(\u0026drvdata-\u003espinlock)\n                                  tmc_etr_enable_hw()\n                                    drvdata-\u003eetr_buf = etr_perf-\u003eetr_buf\n                                  spin_unlock(\u0026drvdata-\u003espinlock)\n   spin_lock(\u0026drvdata-\u003espinlock)\n   tmc_etr_enable_hw()\n     WARN_ON(drvdata-\u003eetr_buf) // WARN sicne etr_buf initialized at\n                                  the perf side\n   spin_unlock(\u0026drvdata-\u003espinlock)\n\nWith this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf.\nThis ensures we verify whether the perf mode\u0027s already running before we\nactually allocate the buffer. Then we can save the time of\nallocating/freeing the sysfs buffer if race with the perf mode."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T15:50:14.618Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/38a07194bbcddb18d77dad40ba9978d994c0b74c"
        },
        {
          "url": "https://git.kernel.org/stable/c/6906aa70d4fc5900b954136e20e27c2be6d1acab"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6e43e82c79c97917cbe356c07e8a6f3f982ab53"
        }
      ],
      "title": "coresight: tmc-etr: Fix race condition between sysfs and perf mode",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46272",
    "datePublished": "2026-06-03T15:50:14.618Z",
    "dateReserved": "2026-05-13T15:03:33.109Z",
    "dateUpdated": "2026-06-03T15:50:14.618Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46272\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-06-03T18:16:29.023\",\"lastModified\":\"2026-06-03T18:16:29.023\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncoresight: tmc-etr: Fix race condition between sysfs and perf mode\\n\\nWhen trying to run perf and sysfs mode simultaneously, the WARN_ON()\\nin tmc_etr_enable_hw() is triggered sometimes:\\n\\n WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc]\\n [..snip..]\\n Call trace:\\n  tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P)\\n  tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L)\\n  tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc]\\n  coresight_enable_path+0x1c8/0x218 [coresight]\\n  coresight_enable_sysfs+0xa4/0x228 [coresight]\\n  enable_source_store+0x58/0xa8 [coresight]\\n  dev_attr_store+0x20/0x40\\n  sysfs_kf_write+0x4c/0x68\\n  kernfs_fop_write_iter+0x120/0x1b8\\n  vfs_write+0x2c8/0x388\\n  ksys_write+0x74/0x108\\n  __arm64_sys_write+0x24/0x38\\n  el0_svc_common.constprop.0+0x64/0x148\\n  do_el0_svc+0x24/0x38\\n  el0_svc+0x3c/0x130\\n  el0t_64_sync_handler+0xc8/0xd0\\n  el0t_64_sync+0x1ac/0x1b0\\n ---[ end trace 0000000000000000 ]---\\n\\nSince the enablement of sysfs mode is separeted into two critical regions,\\none for sysfs buffer allocation and another for hardware enablement, it\u0027s\\npossible to race with the perf mode. Fix this by double check whether\\nthe perf mode\u0027s been used before enabling the hardware in sysfs mode.\\n\\n mode:\\n   [sysfs mode]                   [perf mode]\\n   tmc_etr_get_sysfs_buffer()\\n     spin_lock(\u0026drvdata-\u003espinlock)\\n     [sysfs buffer allocation]\\n     spin_unlock(\u0026drvdata-\u003espinlock)\\n                                  spin_lock(\u0026drvdata-\u003espinlock)\\n                                  tmc_etr_enable_hw()\\n                                    drvdata-\u003eetr_buf = etr_perf-\u003eetr_buf\\n                                  spin_unlock(\u0026drvdata-\u003espinlock)\\n   spin_lock(\u0026drvdata-\u003espinlock)\\n   tmc_etr_enable_hw()\\n     WARN_ON(drvdata-\u003eetr_buf) // WARN sicne etr_buf initialized at\\n                                  the perf side\\n   spin_unlock(\u0026drvdata-\u003espinlock)\\n\\nWith this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf.\\nThis ensures we verify whether the perf mode\u0027s already running before we\\nactually allocate the buffer. Then we can save the time of\\nallocating/freeing the sysfs buffer if race with the perf mode.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/38a07194bbcddb18d77dad40ba9978d994c0b74c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6906aa70d4fc5900b954136e20e27c2be6d1acab\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e6e43e82c79c97917cbe356c07e8a6f3f982ab53\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.