CVE-2026-31741

Summary

In the Linux kernel, the following vulnerability has been resolved:

counter: rz-mtu3-cnt: prevent counter from being toggled multiple times

Runtime PM counter is incremented / decremented each time the sysfs enable file is written to.

If user writes 0 to the sysfs enable file multiple times, runtime PM usage count underflows, generating the following message.

rz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow!

At the same time, hardware registers end up being accessed with clocks off in rz_mtu3_terminate_counter() to disable an already disabled channel.

If user writes 1 to the sysfs enable file multiple times, runtime PM usage count will be incremented each time, requiring the same number of 0 writes to get it back to 0.

If user writes 0 to the sysfs enable file while PWM is in progress, PWM is stopped without counter being the owner of the underlying MTU3 channel.

Check against the cached count_is_enabled value and exit if the user is trying to set the same enable value.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux0be8907359df4c62319f5cb2c6981ff0d9ebf35a < 885aa739a07ab45e90dfa997205acec97979ce4eaffected
LinuxLinux0be8907359df4c62319f5cb2c6981ff0d9ebf35a < ced8b48420eddb1251f93c22dc23fa136490b3cdaffected
LinuxLinux0be8907359df4c62319f5cb2c6981ff0d9ebf35a < e07237df8538b0ae98dce112e4f6db093d767f80affected
LinuxLinux0be8907359df4c62319f5cb2c6981ff0d9ebf35a < f5f6f06d7e6d262026578b59ba7426eb04acce5daffected
LinuxLinux0be8907359df4c62319f5cb2c6981ff0d9ebf35a < 67c3f99bed6f422ba343d2b70a2eeeccdfd91befaffected
LinuxLinux6.4affected
LinuxLinux0 < 6.4unaffected
LinuxLinux6.6.134 <= 6.6.*unaffected
LinuxLinux6.12.81 <= 6.12.*unaffected
LinuxLinux6.18.22 <= 6.18.*unaffected
LinuxLinux6.19.12 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References