Re: [PATCH 2/3] soc: qcom: apr: Check response packet length by router type

Next message: Kevin Brodsky: "[PATCH 1/2] arm64: mm: Add note about overlays in PIE_EL1"
Previous message: Kevin Brodsky: "[PATCH 0/2] Add test for atomic uaccess with permission overlay"
Next in thread: Srinivas Kandagatla: "Re: [PATCH 2/3] soc: qcom: apr: Check response packet length by router type"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Konrad Dybcio

Date: Thu May 21 2026 - 05:47:55 EST

On 5/14/26 5:50 PM, Srinivas Kandagatla wrote:
> apr_callback() currently validates all received packets against
> APR_HDR_SIZE before queueing them for the RX worker. This is not correct
> for GPR packets, which use a different header size.
>
> Validate the received packet length against the header size matching the
> packet router type before copying the packet.
>
> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@xxxxxxxxxxxxxxxx>
> ---
> drivers/soc/qcom/apr.c | 17 ++++++++++++++---
> 1 file changed, 14 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c
> index 127204c195ea..68b357462438 100644
> --- a/drivers/soc/qcom/apr.c
> +++ b/drivers/soc/qcom/apr.c
> @@ -165,9 +165,20 @@ static int apr_callback(struct rpmsg_device *rpdev, void *buf,
> struct apr_rx_buf *abuf;
> unsigned long flags;
>
> - if (len <= APR_HDR_SIZE) {
> - dev_err(apr->dev, "APR: Improper apr pkt received:%p %d\n",
> - buf, len);
> + switch (apr->type) {
> + case PR_TYPE_APR:
> + if (len <= APR_HDR_SIZE) {
> + dev_err(apr->dev, "APR: Improper apr pkt received:%p %d\n", buf, len);
> + return -EINVAL;
> + }
> + break;
> + case PR_TYPE_GPR:
> + if (len <= GPR_HDR_SIZE) {
> + dev_err(apr->dev, "APR: Improper gpr pkt received:%p %d\n", buf, len);

It first says "APR:" and then "[ag]pr" later, please at least make the
case consistent

> + return -EINVAL;
> + }
> + break;

Switch seems a little far-fetched, unless there'll be more packet types

Konrad