In the Linux kernel, the following vulnerability has been resolved:

firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe

rsu_send_msg() can return -ETIMEDOUT when
wait_for_completion_interruptible_timeout() fires while the SMC call is still
pending. In stratix10_rsu_probe(), the error paths for COMMAND_RSU_DCMF_VERSION,
COMMAND_RSU_DCMF_STATUS, COMMAND_RSU_MAX_RETRY and COMMAND_RSU_GET_SPT_TABLE
call stratix10_svc_free_channel() - which sets chan->scl to NULL - but then
fall through and queue the next request on the same channel. The next svc
kthread that runs will dereference pdata->chan->scl in its receive callback
path, triggering a NULL pointer dereference identical to the one fixed by
commit c45f7263100c ("firmware: stratix10-rsu: Fix NULL pointer dereference
when RSU is disabled") for the COMMAND_RSU_STATUS path.

Apply the same cleanup pattern to the remaining failure paths: remove the
async client, free the channel, and return early so no further messages are
queued on a channel whose scl has been cleared.

While at it, clean up stratix10_rsu_probe() in two ways without changing
behavior:

- Drop redundant zero-initialization of fields already cleared by
  devm_kzalloc(): client.receive_cb, status.* and spt0/1_address
  (INVALID_SPT_ADDRESS is 0x0).

- Replace five identical 3-line error-cleanup blocks
  (stratix10_svc_remove_async_client() + stratix10_svc_free_channel() +
  return ret) with goto labels (remove_async_client, free_channel),
  matching the standard kernel resource-unwinding pattern and making it
  easier to extend the probe sequence without forgetting matching
  cleanup.

Also move init_completion() next to mutex_init() so sync-primitive
initialization is grouped before anything that could trigger a
callback.

---
v2: Add a minor clean-up of the function stratix10_rsu_probe() to have a
    centralize exit for all the rsu_send_async_msg() and rsu_send_msg().

https://git.kernel.org/stable/c/6bc249d324241c64118a3018124798c28e2950f7

https://git.kernel.org/stable/c/bfd2eb9bba548a8f63c3339bb1fb9a2031a42d86

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/firmware/stratix10-rsu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"15847537b623f844d9a08da99ff4568315e1d4f8","lessThan":"6bc249d324241c64118a3018124798c28e2950f7","versionType":"git","status":"affected"},{"version":"15847537b623f844d9a08da99ff4568315e1d4f8","lessThan":"bfd2eb9bba548a8f63c3339bb1fb9a2031a42d86","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/firmware/stratix10-rsu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.19","status":"affected"},{"version":"0","lessThan":"6.19","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]