[PATCH 2/3] soc: qcom: apr: Check response packet length by router type

Next message: Srinivas Kandagatla: "[PATCH 1/3] soc: qcom: apr: Remove service from IDR before registration failure"
Previous message: Srinivas Kandagatla: "[PATCH 0/3] soc: qcom: apr: improve RX processing"
In reply to: Srinivas Kandagatla: "[PATCH 0/3] soc: qcom: apr: improve RX processing"
Next in thread: Srinivas Kandagatla: "[PATCH 1/3] soc: qcom: apr: Remove service from IDR before registration failure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Srinivas Kandagatla

Date: Thu May 14 2026 - 11:52:46 EST

apr_callback() currently validates all received packets against
APR_HDR_SIZE before queueing them for the RX worker. This is not correct
for GPR packets, which use a different header size.

Validate the received packet length against the header size matching the
packet router type before copying the packet.

Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@xxxxxxxxxxxxxxxx>
---
drivers/soc/qcom/apr.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c
index 127204c195ea..68b357462438 100644
--- a/drivers/soc/qcom/apr.c
+++ b/drivers/soc/qcom/apr.c
@@ -165,9 +165,20 @@ static int apr_callback(struct rpmsg_device *rpdev, void *buf,
struct apr_rx_buf *abuf;
unsigned long flags;

- if (len <= APR_HDR_SIZE) {
- dev_err(apr->dev, "APR: Improper apr pkt received:%p %d\n",
- buf, len);
+ switch (apr->type) {
+ case PR_TYPE_APR:
+ if (len <= APR_HDR_SIZE) {
+ dev_err(apr->dev, "APR: Improper apr pkt received:%p %d\n", buf, len);
+ return -EINVAL;
+ }
+ break;
+ case PR_TYPE_GPR:
+ if (len <= GPR_HDR_SIZE) {
+ dev_err(apr->dev, "APR: Improper gpr pkt received:%p %d\n", buf, len);
+ return -EINVAL;
+ }
+ break;
+ default:
return -EINVAL;
}

--
2.47.3