CVE-2026-31740

Description

In the Linux kernel, the following vulnerability has been resolved: counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member The counter driver can use HW channels 1 and 2, while the PWM driver can use HW channels 0, 1, 2, 3, 4, 6, 7. The dev member is assigned both by the counter driver and the PWM driver for channels 1 and 2, to their own struct device instance, overwriting the previous value. The sub-drivers race to assign their own struct device pointer to the same struct rz_mtu3_channel's dev member. The dev member of struct rz_mtu3_channel is used by the counter sub-driver for runtime PM. Depending on the probe order of the counter and PWM sub-drivers, the dev member may point to the wrong struct device instance, causing the counter sub-driver to do runtime PM actions on the wrong device. To fix this, use the parent pointer of the counter, which is assigned during probe to the correct struct device, not the struct device pointer inside the shared struct rz_mtu3_channel.

References

• https://git.kernel.org/stable/c/28a371be901ef44ee03726c2575d7d6795521fe0
• https://git.kernel.org/stable/c/2932095c114b98cbb40ccf34fc00d613cb17cead
• https://git.kernel.org/stable/c/633dfbf0eb2766c597c1a59dd83035c82e14791d
• https://git.kernel.org/stable/c/63be324c795262f0e316c6fe9b329d83afa1ec93
• https://git.kernel.org/stable/c/6562290225c197e2e193a53de2a517815288dcd1