PT-2026-52300 · Linux · Linux
Published: 2026-06-25 · Updated: 2026-06-25 · CVE-2026-53204
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe
rsu_send_msg() can return -ETIMEDOUT when
wait_for_completion_interruptible_timeout() fires while the SMC call is still
pending. In stratix10_rsu_probe(), the error paths for COMMAND_RSU_DCMF_VERSION,
COMMAND_RSU_DCMF_STATUS, COMMAND_RSU_MAX_RETRY and COMMAND_RSU_GET_SPT_TABLE
call stratix10_svc_free_channel() - which sets chan->scl to NULL - but then
fall through and queue the next request on the same channel. The next svc
kthread that runs will dereference pdata->chan->scl in its receive callback
path, triggering a NULL pointer dereference identical to the one fixed by
commit c45f7263100c ("firmware: stratix10-rsu: Fix NULL pointer dereference
when RSU is disabled") for the COMMAND_RSU_STATUS path.
Apply the same cleanup pattern to the remaining failure paths: remove the
async client, free the channel, and return early so no further messages are
queued on a channel whose scl has been cleared.
While at it, clean up stratix10_rsu_probe() in two ways without changing
behavior:
- Drop redundant zero-initialization of fields already cleared by devm_kzalloc(): client.receive_cb, status.* and spt0/1_address (INVALID_SPT_ADDRESS is 0x0).
- Replace five identical 3-line error-cleanup blocks (stratix10_svc_remove_async_client() + stratix10_svc_free_channel() + return ret) with goto labels (remove_async_client, free_channel), matching the standard kernel resource-unwinding pattern and making it easier to extend the probe sequence without forgetting matching cleanup.
Also move init_completion() next to mutex_init() so sync-primitive
initialization is grouped before anything that could trigger a
callback.
v2: Add a minor clean-up of the function stratix10_rsu_probe() to have a
centralized exit for all the rsu_send_async_msg() and rsu_send_msg().
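The following user-space model is an added example, not code from the kernel or from the commit. It contrasts the fall-through error path described above with the early-return unwind. All struct, function and label names are hypothetical stand-ins, and a loop stands in for the probe's sequence of requests.

```c
#include <errno.h>
#include <stdio.h>
/* User-space model only; every name here is a hypothetical stand-in. */
struct chan { void *scl; int queued_after_free; };
static void chan_init(struct chan *c) { c->scl = c; c->queued_after_free = 0; }
static void free_chan(struct chan *c) { c->scl = NULL; } /* clears scl on free */

/* Request fail_at times out; a request queued on a freed channel is counted
 * (in the kernel, the svc kthread would dereference the NULL scl instead). */
static int send_msg(struct chan *c, int idx, int fail_at)
{
    if (!c->scl) { c->queued_after_free++; return -ENODEV; }
    return idx == fail_at ? -ETIMEDOUT : 0;
}

/* Pre-fix shape: the error path frees the channel, then falls through. */
static int probe_fallthrough(struct chan *c, int fail_at)
{
    int ret = 0;
    chan_init(c);
    for (int i = 0; i < 4; i++) {
        ret = send_msg(c, i, fail_at);
        if (ret)
            free_chan(c); /* no return: the next request is still queued */
    }
    return ret;
}

/* Post-fix shape: the first failure jumps to one unwind path and returns. */
static int probe_unwind(struct chan *c, int fail_at)
{
    int ret = 0;
    chan_init(c);
    for (int i = 0; i < 4; i++) {
        ret = send_msg(c, i, fail_at);
        if (ret)
            goto err_free_channel;
    }
    return 0;
err_free_channel:
    free_chan(c); /* the real fix also removes the async client here */
    return ret;
}
int main(void)
{
    struct chan c;
    int ret = probe_fallthrough(&c, 1);
    printf("fall-through: ret=%d, queued after free=%d\n", ret, c.queued_after_free);
    ret = probe_unwind(&c, 1);
    printf("unwind:       ret=%d, queued after free=%d\n", ret, c.queued_after_free);
}
```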
Affected Products
Linux