Linux Kernel Runtime PM Counter Underflow Vulnerability in RZ/MTU3 Counter Driver

A vulnerability has been identified in the Linux kernel's RZ/MTU3 counter driver, specifically in how the runtime power management (PM) counter is handled. The issue arises when the sysfs 'enable' file is written to multiple times. Writing '0' repeatedly causes the runtime PM usage count to underflow, while writing '1' increases the count, requiring an equal number of '0' writes to reset it. This mismanagement can disrupt the normal operation of hardware channels, particularly if PWM (Pulse Width Modulation) is active, as it can stop the PWM without properly managing the channel ownership.

Impact

Exploitation of this vulnerability leads to a runtime PM usage count underflow, causing improper management of hardware registers and channels, particularly disrupting PWM operations.

Reproduction

To reproduce this vulnerability, write '0' to the sysfs 'enable' file multiple times. This will cause the runtime PM usage count to underflow, generating an error message about the underflow. Additionally, if PWM is in progress, writing '0' will stop the PWM without the counter owning the channel, further demonstrating the disruption caused by the vulnerability.

Remediation

The vulnerability has been addressed in a patch available in the Linux kernel stable tree. Instructions for applying the patch can be found in the Linux kernel Git repository.