From: Greg Kroah-Hartman Date: Wed, 17 Sep 2025 08:45:01 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.1.153~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=499e669cfa01aa6a1656832f195b409ea66d8227;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch
---
diff --git a/queue-5.10/series b/queue-5.10/series
index 669725e58f..54f1cbbac1 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -41,3 +41,4 @@ can-j1939-j1939_local_ecu_get-undo-increment-when-j1.patch
 dmaengine-ti-edma-fix-memory-allocation-size-for-que.patch
 dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch
 phy-ti-pipe3-fix-device-leak-at-unbind.patch
+soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch
diff --git a/queue-5.10/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch b/queue-5.10/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch
new file mode 100644
index 0000000000..33245790f0
--- /dev/null
+++ b/queue-5.10/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch
@@ -0,0 +1,56 @@
+From 25daf9af0ac1bf12490b723b5efaf8dcc85980bc Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson
+Date: Wed, 30 Jul 2025 15:51:51 -0500
+Subject: soc: qcom: mdt_loader: Deal with zero e_shentsize
+
+From: Bjorn Andersson
+
+commit 25daf9af0ac1bf12490b723b5efaf8dcc85980bc upstream.
+
+Firmware that doesn't provide section headers leave both e_shentsize and
+e_shnum 0, which obvious isn't compatible with the newly introduced
+stricter checks.
+
+Make the section-related checks conditional on either of these values
+being non-zero.
+
+Fixes: 9f9967fed9d0 ("soc: qcom: mdt_loader: Ensure we don't read past the ELF header")
+Reported-by: Val Packett
+Closes: https://lore.kernel.org/all/ece307c3-7d65-440f-babd-88cf9705b908@packett.cool/
+Reported-by: Neil Armstrong
+Closes: https://lore.kernel.org/all/aec9cd03-6fc2-4dc8-b937-8b7cf7bf4128@linaro.org/
+Signed-off-by: Bjorn Andersson
+Fixes: 9f35ab0e53cc ("soc: qcom: mdt_loader: Fix error return values in mdt_header_valid()")
+Tested-by: Neil Armstrong # on SM8650-QRD
+Reviewed-by: Dmitry Baryshkov
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250730-mdt-loader-shentsize-zero-v1-1-04f43186229c@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson
+Cc: Yongqin Liu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/soc/qcom/mdt_loader.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -39,12 +39,14 @@ static bool mdt_header_valid(const struc
+ if (phend > fw->size)
+ return false;
+
+- if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
+- return false;
++ if (ehdr->e_shentsize || ehdr->e_shnum) {
++ if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
++ return false;
+
+- shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
+- if (shend > fw->size)
+- return false;
++ shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
++ if (shend > fw->size)
++ return false;
++ }
+
+ return true;
+ }
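Review bot: In `mdt_header_valid()`, the new `if (ehdr->e_shentsize || ehdr->e_shnum)` guard lets a header with both fields zero pass without `e_shoff` being examined, and nothing at the guard records why that is acceptable. The skip is only safe as long as no later code reads section headers from `e_shoff` without first checking `e_shnum`; the consumers of this check are outside the hunk, so that is worth confirming for the 5.10 tree this backport targets. I would add a comment above the guard, for example `/* No section headers: e_shentsize and e_shnum are both 0 and e_shoff is not validated; readers must check e_shnum first. */`. The function begins before the hunk, so the program-header checks it relies on are not visible here.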