5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 17 Sep 2025 08:45:13 +0000 (10:45 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 17 Sep 2025 08:45:13 +0000 (10:45 +0200)
added patches:
soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch

queue-5.15/series
queue-5.15/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch [new file with mode: 0644]

index 53bb935351f782186e11e0171374affe9b240bab..befdd473531c7626a118c6a971fad5fdaef906b7 100644 (file)
@@ -58,3 +58,4 @@ hrtimers-unconditionally-update-target-cpu-base-afte.patch
 dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch
 phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch
 phy-ti-pipe3-fix-device-leak-at-unbind.patch
+soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch
diff --git a/queue-5.15/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch b/queue-5.15/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch
new file mode 100644 (file)
index 0000000..3324579
--- /dev/null
@@ -0,0 +1,56 @@
+From 25daf9af0ac1bf12490b723b5efaf8dcc85980bc Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Date: Wed, 30 Jul 2025 15:51:51 -0500
+Subject: soc: qcom: mdt_loader: Deal with zero e_shentsize
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+commit 25daf9af0ac1bf12490b723b5efaf8dcc85980bc upstream.
+
+Firmware that doesn't provide section headers leave both e_shentsize and
+e_shnum 0, which obvious isn't compatible with the newly introduced
+stricter checks.
+
+Make the section-related checks conditional on either of these values
+being non-zero.
+
+Fixes: 9f9967fed9d0 ("soc: qcom: mdt_loader: Ensure we don't read past the ELF header")
+Reported-by: Val Packett <val@packett.cool>
+Closes: https://lore.kernel.org/all/ece307c3-7d65-440f-babd-88cf9705b908@packett.cool/
+Reported-by: Neil Armstrong <neil.armstrong@linaro.org>
+Closes: https://lore.kernel.org/all/aec9cd03-6fc2-4dc8-b937-8b7cf7bf4128@linaro.org/
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Fixes: 9f35ab0e53cc ("soc: qcom: mdt_loader: Fix error return values in mdt_header_valid()")
+Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-QRD
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250730-mdt-loader-shentsize-zero-v1-1-04f43186229c@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Cc: Yongqin Liu <yongqin.liu@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/mdt_loader.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -39,12 +39,14 @@ static bool mdt_header_valid(const struc
+       if (phend > fw->size)
+               return false;
+-      if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
+-              return false;
++      if (ehdr->e_shentsize || ehdr->e_shnum) {
++              if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
++                      return false;
+-      shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
+-      if (shend > fw->size)
+-              return false;
++              shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
++              if (shend > fw->size)
++                      return false;
++      }
+       return true;
+ }
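Review bot: The guard added in mdt_header_valid(), `if (ehdr->e_shentsize || ehdr->e_shnum) {`, carries no comment, and a header with both fields zero now returns true without `e_shoff` ever being compared to `fw->size`. That is fine as long as nothing downstream reads section headers from such an image, but that cannot be confirmed from this hunk, since the function begins outside it and its callers are not shown. I would add a comment above the guard such as `/* No section table (e_shentsize == e_shnum == 0): skip the bounds check; e_shoff is unvalidated here and must not be dereferenced. */` so the relaxed check is not later mistaken for full validation. Any code that walks section headers should treat `e_shnum == 0` as "no table" rather than trusting `e_shoff`.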