CVE-2026-46272
Description
Linux kernel's Coresight driver has a race condition between sysfs and perf modes, potentially triggering a WARN_ON and instability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A race condition exists in the Linux kernel's Coresight driver (coresight-tmc-etr module) when attempting to use sysfs and perf modes simultaneously. The enablement of sysfs mode involves separate regions for buffer allocation and hardware enablement, allowing the perf mode to race and potentially trigger a WARN_ON in tmc_etr_enable_hw() in affected versions.
Exploitation
An attacker would need to trigger both sysfs and perf modes concurrently. The race condition occurs when sysfs mode is allocating its buffer and enabling hardware, while perf mode is also attempting to enable its hardware, leading to a conflict where drvdata->etr_buf is unexpectedly set by the perf mode before sysfs mode checks it.
Impact
The vulnerability manifests as a WARN_ON() in the kernel, indicating a potential instability or unexpected state. While not explicitly stated as leading to code execution or data corruption, the triggered warning suggests a failure in expected hardware tracing operations and could potentially lead to denial of service or system instability.
Mitigation
This vulnerability has been resolved in the Linux kernel. The fix involves double-checking if perf mode is in use before enabling hardware in sysfs mode, specifically retaining a check for CS_MODE_PERF. The specific fixed version is not detailed in the provided references, but the commit is available at [1].
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches
38a07194bbcd coresight: tmc-etr: Fix race condition between sysfs and perf mode
1 file changed · +13 −1
drivers/hwtracing/coresight/coresight-tmc-etr.c+13 −1 modifieddiff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c index 60b0e0a6da057..9144b273d415f 100644 --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c @@ -1306,6 +1306,19 @@ static int tmc_enable_etr_sink_sysfs(struct coresight_device *csdev) raw_spin_lock_irqsave(&drvdata->spinlock, flags); + /* + * Since the sysfs buffer allocation and the hardware enablement is not + * in the same critical region, it's possible to race with the perf. + */ + if (coresight_get_mode(csdev) == CS_MODE_PERF) { + drvdata->sysfs_buf = NULL; + raw_spin_unlock_irqrestore(&drvdata->spinlock, flags); + + /* Free allocated memory out side of the spinlock */ + tmc_etr_free_sysfs_buf(sysfs_buf); + return -EBUSY; + } + /* * In sysFS mode we can have multiple writers per sink. Since this * sink is already enabled no memory is needed and the HW need not be -- cgit 1.3-korg
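Review bot: In the new `CS_MODE_PERF` branch, `drvdata->sysfs_buf = NULL` followed by `tmc_etr_free_sysfs_buf(sysfs_buf)` assumes the local `sysfs_buf` is a buffer this call just allocated. The hunk does not show where the local comes from, so if it can also be a buffer kept from an earlier sysfs session, this path discards it on what is otherwise a plain -EBUSY. A short comment stating that invariant, or freeing only a buffer allocated by this call, would make the error path easier to audit. Minor: the added comments would read better as "are not in the same critical region", "race with perf mode" and "outside of the spinlock".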
6906aa70d4fc coresight: tmc-etr: Fix race condition between sysfs and perf mode
1 file changed · +13 −1
drivers/hwtracing/coresight/coresight-tmc-etr.c+13 −1 modifieddiff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c index e0d83ee01b77a..fc0a946053dde 100644 --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c @@ -1306,6 +1306,19 @@ static int tmc_enable_etr_sink_sysfs(struct coresight_device *csdev) raw_spin_lock_irqsave(&drvdata->spinlock, flags); + /* + * Since the sysfs buffer allocation and the hardware enablement is not + * in the same critical region, it's possible to race with the perf. + */ + if (coresight_get_mode(csdev) == CS_MODE_PERF) { + drvdata->sysfs_buf = NULL; + raw_spin_unlock_irqrestore(&drvdata->spinlock, flags); + + /* Free allocated memory out side of the spinlock */ + tmc_etr_free_sysfs_buf(sysfs_buf); + return -EBUSY; + } + /* * In sysFS mode we can have multiple writers per sink. Since this * sink is already enabled no memory is needed and the HW need not be -- cgit 1.3-korg
e6e43e82c79c coresight: tmc-etr: Fix race condition between sysfs and perf mode
1 file changed · +13 −1
drivers/hwtracing/coresight/coresight-tmc-etr.c+13 −1 modifieddiff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c index e0d83ee01b77a..fc0a946053dde 100644 --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c @@ -1306,6 +1306,19 @@ static int tmc_enable_etr_sink_sysfs(struct coresight_device *csdev) raw_spin_lock_irqsave(&drvdata->spinlock, flags); + /* + * Since the sysfs buffer allocation and the hardware enablement is not + * in the same critical region, it's possible to race with the perf. + */ + if (coresight_get_mode(csdev) == CS_MODE_PERF) { + drvdata->sysfs_buf = NULL; + raw_spin_unlock_irqrestore(&drvdata->spinlock, flags); + + /* Free allocated memory out side of the spinlock */ + tmc_etr_free_sysfs_buf(sysfs_buf); + return -EBUSY; + } + /* * In sysFS mode we can have multiple writers per sink. Since this * sink is already enabled no memory is needed and the HW need not be -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"A race condition exists between the sysfs mode buffer allocation and hardware enablement, and the perf mode."
Attack vector
An attacker can trigger this vulnerability by attempting to run the sysfs mode and perf mode simultaneously. The enablement of sysfs mode is separated into two critical regions: one for buffer allocation and another for hardware enablement. This separation allows a race condition to occur with the perf mode, leading to a WARN_ON() being triggered in `tmc_etr_enable_hw()` [patch_id=4686514].
Affected code
The vulnerability resides in the `drivers/hwtracing/coresight/coresight-tmc-etr.c` file. Specifically, the `tmc_enable_etr_sink_sysfs()` function is modified to include a check for perf mode, made under the spinlock after the sysfs buffer has been allocated and before hardware enablement.
What the fix does
The patch addresses the race condition by adding a check within the sysfs mode enablement. With the spinlock held, after the sysfs buffer has been allocated and before the hardware is enabled, the code now verifies whether perf mode is already active using `coresight_get_mode(csdev) == CS_MODE_PERF`. If perf mode is detected, `drvdata->sysfs_buf` is cleared, the allocated buffer is freed outside the spinlock, and the function returns `-EBUSY`, preventing the subsequent WARN_ON() [patch_id=4686514].
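The interleaving described in this section, replayed deterministically in a userspace C model. This is an added example, not code from the kernel or from this page; `struct sink`, `replay()` and the unpatched path returning `-EBUSY` after the modelled warning are simplifying assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model only: names echo the driver, bodies are simplified assumptions. */
enum cs_mode { CS_MODE_DISABLED, CS_MODE_SYSFS, CS_MODE_PERF };
struct sink {
    enum cs_mode mode;  /* what coresight_get_mode() would report */
    void *etr_buf;      /* buffer the hardware currently owns */
    void *sysfs_buf;    /* buffer published by the sysfs path */
    int warnings;       /* stands in for WARN_ON() hits */
};

/* sysfs critical region 2; recheck=true models the patched ordering. */
static int sysfs_enable_region(struct sink *s, void *buf, bool recheck) {
    if (recheck && s->mode == CS_MODE_PERF) {
        s->sysfs_buf = NULL;    /* unpublish while still holding the lock */
        free(buf);              /* the patch frees after dropping the lock */
        return -EBUSY;
    }
    if (s->etr_buf) {           /* modelled WARN_ON() in tmc_etr_enable_hw() */
        s->warnings++;
        return -EBUSY;
    }
    s->etr_buf = buf;
    s->mode = CS_MODE_SYSFS;
    return 0;
}

/* Replays region 1, a perf enable in the gap, then region 2. */
static int replay(bool recheck, int *warnings) {
    struct sink s = { CS_MODE_DISABLED, NULL, NULL, 0 };
    char perf_buf[8];           /* constructed stand-in for the perf buffer */
    void *buf = s.sysfs_buf = malloc(64);  /* region 1: allocate, publish, unlock */
    s.etr_buf = perf_buf;       /* perf path claims the sink in the gap ... */
    s.mode = CS_MODE_PERF;      /* ... and sets its mode */
    int ret = sysfs_enable_region(&s, buf, recheck);
    *warnings = s.warnings;
    free(s.sysfs_buf);          /* NULL (no-op) on the patched path */
    return ret;
}

int main(void) {
    int before, after;
    replay(false, &before);     /* unpatched ordering: warning fires */
    replay(true, &after);       /* patched ordering: clean -EBUSY */
    return !(before == 1 && after == 0);
}
```

Both orderings refuse the sysfs request, but only the unpatched one reaches the modelled warning; the patched one backs out before touching the hardware state.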
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References: 3
News mentions
- Google Android and Linux Kernel: 50 Vulnerabilities Disclosed in Two Batches (Vypr Intelligence · Jun 3, 2026)
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 3, 2026 (Vypr Intelligence · Jun 3, 2026)