Re: [PATCH 2/3] soc: qcom: apr: Check response packet length by router type

From: Srinivas Kandagatla

Date: Thu May 21 2026 - 13:31:12 EST




On 5/21/26 9:45 AM, Konrad Dybcio wrote:
> On 5/14/26 5:50 PM, Srinivas Kandagatla wrote:
>> apr_callback() currently validates all received packets against
>> APR_HDR_SIZE before queueing them for the RX worker. This is not correct
>> for GPR packets, which use a different header size.
>>
>> Validate the received packet length against the header size matching the
>> packet router type before copying the packet.
>>
>> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@xxxxxxxxxxxxxxxx>
>> ---
>> drivers/soc/qcom/apr.c | 17 ++++++++++++++---
>> 1 file changed, 14 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c
>> index 127204c195ea..68b357462438 100644
>> --- a/drivers/soc/qcom/apr.c
>> +++ b/drivers/soc/qcom/apr.c
>> @@ -165,9 +165,20 @@ static int apr_callback(struct rpmsg_device *rpdev, void *buf,
>> struct apr_rx_buf *abuf;
>> unsigned long flags;
>>
>> - if (len <= APR_HDR_SIZE) {
>> - dev_err(apr->dev, "APR: Improper apr pkt received:%p %d\n",
>> - buf, len);
>> + switch (apr->type) {
>> + case PR_TYPE_APR:
>> + if (len <= APR_HDR_SIZE) {
>> + dev_err(apr->dev, "APR: Improper apr pkt received:%p %d\n", buf, len);
>> + return -EINVAL;
>> + }
>> + break;
>> + case PR_TYPE_GPR:
>> + if (len <= GPR_HDR_SIZE) {
>> + dev_err(apr->dev, "APR: Improper gpr pkt received:%p %d\n", buf, len);
>
> It first says "APR:" and then "[ag]pr" later, please at least make the
> case consistent

Ah, seems like an oversight, thanks for spotting it, will fix this in
the next spin.


>
>> + return -EINVAL;
>> + }
>> + break;
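
Review bot: both dev_err() calls in the new switch fire on a length that comes from the remote side and are not rate limited, so a peer that keeps sending short packets can flood the kernel log; dev_err_ratelimited() would bound that. The %p argument prints only a hashed address of buf, which adds little for debugging, so the message could carry just len. The PR_TYPE_APR and PR_TYPE_GPR cases differ only in the header-size constant and the message text, so selecting the header size from apr->type into a local and keeping a single length check would remove the duplicated branch. The quoted hunk does not show whether a default case rejects an unexpected apr->type; if there is none, one that returns -EINVAL would keep an unknown type from skipping the length check.
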
>
> Switch seems a little far-fetched, unless there'll be more packet types

never know... we have similar checks in the driver, at least it's
consistent with that.



--srini
>
> Konrad