CVE-2026-53204

Source
https://cve.org/CVERecord?id=CVE-2026-53204
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53204.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53204
Downstream
Published
2026-06-25T08:39:11.618Z
Modified
2026-07-08T08:07:24.436176547Z
Summary
firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe
Details

In the Linux kernel, the following vulnerability has been resolved:

firmware: stratix10-rsu: Fix NULL deref on rsusendmsg() timeout in probe

rsusendmsg() can return -ETIMEDOUT when waitforcompletioninterruptibletimeout() fires while the SMC call is still pending. In stratix10rsuprobe(), the error paths for COMMANDRSUDCMFVERSION, COMMANDRSUDCMFSTATUS, COMMANDRSUMAXRETRY and COMMANDRSUGETSPTTABLE call stratix10svcfreechannel() - which sets chan->scl to NULL - but then fall through and queue the next request on the same channel. The next svc kthread that runs will dereference pdata->chan->scl in its receive callback path, triggering a NULL pointer dereference identical to the one fixed by commit c45f7263100c ("firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled") for the COMMANDRSUSTATUS path.

Apply the same cleanup pattern to the remaining failure paths: remove the async client, free the channel, and return early so no further messages are queued on a channel whose scl has been cleared.

While at it, clean up stratix10rsuprobe() in two ways without changing behavior:

  • Drop redundant zero-initialization of fields already cleared by devmkzalloc(): client.receivecb, status.* and spt0/1address (INVALIDSPT_ADDRESS is 0x0).

  • Replace five identical 3-line error-cleanup blocks (stratix10svcremoveasyncclient() + stratix10svcfreechannel() + return ret) with goto labels (removeasyncclient, freechannel), matching the standard kernel resource-unwinding pattern and making it easier to extend the probe sequence without forgetting matching cleanup.

Also move initcompletion() next to mutexinit() so sync-primitive initialization is grouped before anything that could trigger a callback.


v2: Add a minor clean-up of the function stratix10rsuprobe() to have a centralize exit for all the rsusendasyncmsg() and rsusend_msg().

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53204.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
15847537b623f844d9a08da99ff4568315e1d4f8
Fixed
6bc249d324241c64118a3018124798c28e2950f7
Fixed
bfd2eb9bba548a8f63c3339bb1fb9a2031a42d86

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53204.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53204.json"