CVE-2026-43410

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/05/2026
Last modified:
08/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled

When the Remote System Update (RSU) isn't enabled in the First Stage Boot Loader (FSBL), the driver encounters a NULL pointer dereference when executing the svc_normal_to_secure_thread() thread, resulting in a kernel panic:

    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
    Mem abort info:
    ...
    Data abort info:
    ...
    [0000000000000008] user address but active_mm is swapper
    Internal error: Oops: 0000000096000004 [#1] SMP
    Modules linked in:
    CPU: 0 UID: 0 PID: 79 Comm: svc_smc_hvc_thr Not tainted 6.19.0-rc8-yocto-standard+ #59 PREEMPT
    Hardware name: SoCFPGA Stratix 10 SoCDK (DT)
    pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    pc : svc_normal_to_secure_thread+0x38c/0x990
    lr : svc_normal_to_secure_thread+0x144/0x990
    ...
    Call trace:
    svc_normal_to_secure_thread+0x38c/0x990 (P)
    kthread+0x150/0x210
    ret_from_fork+0x10/0x20
    Code: 97cfc113 f9400260 aa1403e1 f9400400 (f9400402)
    ---[ end trace 0000000000000000 ]---

The issue occurs because rsu_send_async_msg() fails when RSU is not enabled in firmware, causing the channel to be freed via stratix10_svc_free_channel(). However, the probe function continues execution and registers svc_normal_to_secure_thread(), which subsequently attempts to access the already-freed channel, triggering the NULL pointer dereference.

Fix this by properly cleaning up the async client and returning early on failure, preventing the thread from being used with an invalid channel.
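
A log-triage check for the oops signature quoted in the description, added here as an example that is not part of the CVE record or the kernel patch: it groups NULL-dereference oops blocks in dmesg-style text and keeps those whose faulting pc lies in svc_normal_to_secure_thread(). The sample log is constructed from lines in the description with timestamps added, and the names find_oopses and triage are hypothetical.

```python
import re

# Constructed sample: oops lines quoted in the description, with dmesg-style
# timestamps and one unrelated line added.
SAMPLE_LOG = """\
[    2.101000] constructed: unrelated boot message
[    2.113000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[    2.113100] Internal error: Oops: 0000000096000004 [#1] SMP
[    2.113200] CPU: 0 UID: 0 PID: 79 Comm: svc_smc_hvc_thr Not tainted 6.19.0-rc8-yocto-standard+ #59 PREEMPT
[    2.113300] pc : svc_normal_to_secure_thread+0x38c/0x990
[    2.113400] ---[ end trace 0000000000000000 ]---
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # optional dmesg timestamp prefix
START = re.compile(r"Unable to handle kernel NULL pointer dereference at virtual address ([0-9a-f]+)")
END = re.compile(r"---\[ end trace")
PC = re.compile(r"\bpc : (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
COMM = re.compile(r"\bComm: (\S+)")

def find_oopses(text):
    """Return one dict per NULL-dereference oops block found in text."""
    found, cur = [], None
    for raw in text.splitlines():
        line = TS.sub("", raw.strip())
        m = START.search(line)
        if m:
            if cur is not None:
                found.append(cur)  # previous block had no end marker
            cur = {"addr": int(m.group(1), 16), "pc": None, "comm": None}
            continue
        if cur is None:
            continue  # ignore lines outside an oops block
        if (m := PC.search(line)):
            cur["pc"] = m.group(1)
        elif (m := COMM.search(line)):
            cur["comm"] = m.group(1)
        elif END.search(line):
            found.append(cur)
            cur = None
    if cur is not None:
        found.append(cur)  # log truncated before the end marker
    return found

def triage(text):
    """Keep only oopses whose faulting pc is the function named in the description."""
    return [o for o in find_oopses(text) if o["pc"] == "svc_normal_to_secure_thread"]
```

A match identifies a crash with this signature only; whether the running kernel carries the fix still has to be checked against the vendor's kernel version.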

Impact