accel: ethosu: Validate SRAM size on submit

Regions with a BO are checked against the BO size, but the SRAM
region is not. The SRAM region doesn't have a BO, but the command stream
region size should be checked against the SRAM size. The job's
"sram_size" isn't useful here because an evil userspace could lie about
the size.

Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Link: https://lore.kernel.org/r/20260513185434.1667045-1-robh@kernel.org
Signed-off-by: Tomeu Vizoso <tomeu@tomeuvizoso.net>
Reviewed-by: Tomeu Vizoso <tomeu@tomeuvizoso.net>

diff --git a/drivers/accel/ethosu/ethosu_job.c b/drivers/accel/ethosu/ethosu_job.c
index 418463c03bfb04ba263d2be979cc081b9277635d..b76924645aaafa17c91460fc0e04e345b8819aa8 100644 (file)
--- a/drivers/accel/ethosu/ethosu_job.c
+++ b/drivers/accel/ethosu/ethosu_job.c
@@ -416,9 +416,21 @@ static int ethosu_ioctl_submit_job(struct drm_device *dev, struct drm_file *file
                struct drm_gem_object *gem;
 
                /* Can only omit a BO handle if the region is not used or used for SRAM */
-               if (!job->region_bo_handles[i] &&
-                   (!cmd_info->region_size[i] || (i == ETHOSU_SRAM_REGION && job->sram_size)))
-                       continue;
+               if (!job->region_bo_handles[i]) {
+                       if (!cmd_info->region_size[i])
+                               continue;
+                       if (i == ETHOSU_SRAM_REGION) {
+                               if (cmd_info->region_size[i] <= edev->npu_info.sram_size)
+                                       continue;
+
+                               dev_err(dev->dev,
+                                       "cmd stream region %d size greater than SRAM size (%llu > %u)\n",
+                                       i, cmd_info->region_size[i],
+                                       edev->npu_info.sram_size);
+                               ret = -EINVAL;
+                               goto out_cleanup_job;
+                       }
+               }
 
                if (job->region_bo_handles[i] && !cmd_info->region_size[i]) {
                        dev_err(dev->dev,