If the command stream has larger padding sizes than the IFM and OFM
diminsions, then the calculations will underflow to a negative value.
The result is a very large region bounds which is caught on submit, but
it's better to catch it earlier.
Current mesa ethosu driver has a signedness bug which resulted in
padding of 127 (the max) and triggers this issue.
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
---
drivers/accel/ethosu/ethosu_gem.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/accel/ethosu/ethosu_gem.c b/drivers/accel/ethosu/ethosu_gem.c
index a735f860a119..d1169001c83d 100644
--- a/drivers/accel/ethosu/ethosu_gem.c
+++ b/drivers/accel/ethosu/ethosu_gem.c
@@ -245,11 +245,14 @@ static int calc_sizes(struct drm_device *ddev,
((st->ifm.stride_kernel >> 1) & 0x1) + 1;
u32 stride_x = ((st->ifm.stride_kernel >> 5) & 0x2) +
(st->ifm.stride_kernel & 0x1) + 1;
- u32 ifm_height = st->ofm.height[2] * stride_y +
+ s32 ifm_height = st->ofm.height[2] * stride_y +
st->ifm.height[2] - (st->ifm.pad_top + st->ifm.pad_bottom);
- u32 ifm_width = st->ofm.width * stride_x +
+ s32 ifm_width = st->ofm.width * stride_x +
st->ifm.width - (st->ifm.pad_left + st->ifm.pad_right);
+ if (ifm_height < 0 || ifm_width < 0)
+ return -EINVAL;
+
len = feat_matrix_length(info, &st->ifm, ifm_width,
ifm_height, st->ifm.depth);
dev_dbg(ddev->dev, "op %d: IFM:%d:0x%llx-0x%llx\n",
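Review bot: The new check in calc_sizes() only rejects negative results, so padding that exactly cancels the dimensions leaves ifm_height or ifm_width at 0 and still reaches feat_matrix_length(); if a zero-sized IFM is never valid, `<= 0` would be the safer test. The check also depends on the expression wrapping in unsigned arithmetic (stride_x is declared u32 just above) and the result then being reinterpreted as s32, so a short comment saying so, or comparing the padding sum against the rest of the expression before subtracting, would make the intent clearer. A dev_dbg() naming the op before `return -EINVAL` would help whoever has to track down the bad command stream.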
--
2.51.0
On Wed, 18 Feb 2026 at 23:22, Rob Herring (Arm) <robh@kernel.org> wrote: > > If the command stream has larger padding sizes than the IFM and OFM > diminsions, then the calculations will underflow to a negative value. Nit is "diminsions" -> "dimensions" > The result is a very large region bounds which is caught on submit, but > it's better to catch it earlier. > > Current mesa ethosu driver has a signedness bug which resulted in > padding of 127 (the max) and triggers this issue. > > Signed-off-by: Rob Herring (Arm) <robh@kernel.org> Reviewed-and-Tested-by: Anders Roxell <anders.roxell@linaro.org> > --- > drivers/accel/ethosu/ethosu_gem.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/accel/ethosu/ethosu_gem.c b/drivers/accel/ethosu/ethosu_gem.c > index a735f860a119..d1169001c83d 100644 > --- a/drivers/accel/ethosu/ethosu_gem.c > +++ b/drivers/accel/ethosu/ethosu_gem.c > @@ -245,11 +245,14 @@ static int calc_sizes(struct drm_device *ddev, > ((st->ifm.stride_kernel >> 1) & 0x1) + 1; > u32 stride_x = ((st->ifm.stride_kernel >> 5) & 0x2) + > (st->ifm.stride_kernel & 0x1) + 1; > - u32 ifm_height = st->ofm.height[2] * stride_y + > + s32 ifm_height = st->ofm.height[2] * stride_y + > st->ifm.height[2] - (st->ifm.pad_top + st->ifm.pad_bottom); > - u32 ifm_width = st->ofm.width * stride_x + > + s32 ifm_width = st->ofm.width * stride_x + > st->ifm.width - (st->ifm.pad_left + st->ifm.pad_right); > > + if (ifm_height < 0 || ifm_width < 0) > + return -EINVAL; > + > len = feat_matrix_length(info, &st->ifm, ifm_width, > ifm_height, st->ifm.depth); > dev_dbg(ddev->dev, "op %d: IFM:%d:0x%llx-0x%llx\n", > > -- > 2.51.0 >