CVE-2026-31740

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel&amp;#39;s dev member<br /> <br /> The counter driver can use HW channels 1 and 2, while the PWM driver can<br /> use HW channels 0, 1, 2, 3, 4, 6, 7.<br /> <br /> The dev member is assigned both by the counter driver and the PWM driver<br /> for channels 1 and 2, to their own struct device instance, overwriting<br /> the previous value.<br /> <br /> The sub-drivers race to assign their own struct device pointer to the<br /> same struct rz_mtu3_channel&amp;#39;s dev member.<br /> <br /> The dev member of struct rz_mtu3_channel is used by the counter<br /> sub-driver for runtime PM.<br /> <br /> Depending on the probe order of the counter and PWM sub-drivers, the<br /> dev member may point to the wrong struct device instance, causing the<br /> counter sub-driver to do runtime PM actions on the wrong device.<br /> <br /> To fix this, use the parent pointer of the counter, which is assigned<br /> during probe to the correct struct device, not the struct device pointer<br /> inside the shared struct rz_mtu3_channel.