This is a patch from the hardware vendor so I am assuming that the ask is not that the hardware vendor take responsibility but that they not release buggy hardware. That is what I mean about the validation issue.

The attack vector is shared in the patch so it isn't entirely a theory.

There is a comment from Linus about how this patch is only needed for some hardware and doesn't apply to others but I don't get his relevance there as different hardware validates against different use cases and their source logic might be entirely disparate.

So my validation talk is simply saying that bugs happen. My concern here is what more should a hardware vendor do beyond submitting a kernel patch? You can't just not have the bug, and if you recall the part someone else will just keep theirs in the field and take all the market share and roll the dice that their bugs don't get exploited.