PT-2026-52266 · Linux · Linux

Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-53170

None

No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
accel/ethosu: reject DMA commands with uninitialized length
cmd_state_init() initializes the command state with memset(0xff), leaving dma->len at U64_MAX to signal missing setup. The only setter is NPU_SET_DMA0_LEN; if userspace omits this command and issues NPU_OP_DMA_START, dma->len remains U64_MAX.
In dma_length(), a positive stride added to U64_MAX wraps to a small value. With size0 == 1, check_mul_overflow() does not trigger and dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check then passes, region_size[] stays 0, and the bounds check in ethosu_job.c is bypassed, allowing hardware to execute DMA with stale physical addresses.
Fix by checking for U64_MAX at the start of dma_length() before any arithmetic, consistent with the sentinel value used throughout the driver to detect uninitialized fields.
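
The sentinel wrap described above, as an added example that is not the driver's code: a reduced model of the length calculation before and after the fix. The struct layout, the function names `state_without_len`, `dma_length_unchecked` and `dma_length_checked`, and the formula `(len + stride) * size0` are assumptions made for illustration; `__builtin_mul_overflow` stands in for check_mul_overflow().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define U64_MAX UINT64_MAX /* sentinel: field was never set */

/* Hypothetical reduced state; not the driver's real struct layout. */
struct dma_state {
    uint64_t len, stride, size0;
};

/* Mirrors the memset(0xff) init, then sets only stride and size0,
 * as if the length command had been omitted. */
static struct dma_state state_without_len(uint64_t stride, uint64_t size0)
{
    struct dma_state s;
    memset(&s, 0xff, sizeof(s));
    s.stride = stride;
    s.size0 = size0;
    return s;
}

/* Pre-fix model: arithmetic runs on the sentinel before any check. */
static uint64_t dma_length_unchecked(const struct dma_state *dma)
{
    uint64_t len = dma->len + dma->stride; /* U64_MAX + 1 wraps to 0 */

    if (__builtin_mul_overflow(len, dma->size0, &len))
        return U64_MAX;
    return len;
}

/* Post-fix model: reject the sentinel before touching it. */
static uint64_t dma_length_checked(const struct dma_state *dma)
{
    if (dma->len == U64_MAX)
        return U64_MAX;
    return dma_length_unchecked(dma);
}

int main(void)
{
    struct dma_state s = state_without_len(1, 1);

    printf("unchecked: %llu\n", (unsigned long long)dma_length_unchecked(&s));
    printf("checked is U64_MAX: %d\n", dma_length_checked(&s) == U64_MAX);
    return 0;
}
```

A caller that only compares the result against U64_MAX accepts the pre-fix value of 0, which is why the check has to come before the addition rather than after it.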

Related identifiers

CVE-2026-53170

Affected products

Linux