Regions with a BO are checked against the BO size, but the SRAM region is not. The SRAM region doesn't have a BO, but the command stream region size should be checked against the SRAM size. The job's "sram_size" isn't useful here because an evil userspace could lie about the size.
Signed-off-by: Rob Herring (Arm) <[email protected]> --- drivers/accel/ethosu/ethosu_job.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/drivers/accel/ethosu/ethosu_job.c b/drivers/accel/ethosu/ethosu_job.c index ec85f4156744..e7b07cdbcced 100644 --- a/drivers/accel/ethosu/ethosu_job.c +++ b/drivers/accel/ethosu/ethosu_job.c @@ -417,9 +417,21 @@ static int ethosu_ioctl_submit_job(struct drm_device *dev, struct drm_file *file struct drm_gem_object *gem; /* Can only omit a BO handle if the region is not used or used for SRAM */ - if (!job->region_bo_handles[i] && - (!cmd_info->region_size[i] || (i == ETHOSU_SRAM_REGION && job->sram_size))) - continue; + if (!job->region_bo_handles[i]) { + if (!cmd_info->region_size[i]) + continue; + if (i == ETHOSU_SRAM_REGION) { + if (cmd_info->region_size[i] <= edev->npu_info.sram_size) + continue; + + dev_err(dev->dev, + "cmd stream region %d size greater than SRAM size (%llu > %u)\n", + i, cmd_info->region_size[i], + edev->npu_info.sram_size); + ret = -EINVAL; + goto out_cleanup_job; + } + } if (job->region_bo_handles[i] && !cmd_info->region_size[i]) { dev_err(dev->dev, -- 2.53.0
