GPUCORE-35268: Fix UAF due to use of MEM_FLAGS_CHANGE ioctl for JIT allocs
Through the MEM_FLAGS_CHANGE ioctl, userspace can mark a native allocation as
evictable so that its backing pages can be reclaimed by the shrinker
when the system runs low on memory. The ioctl can also be used on dma-buf
imported memory to update the shareability attribute of its GPU
mapping.

The former case can be abused to mark an active JIT allocation as
evictable, due to which the active JIT allocation can be freed via the
shrinker. This would cause a use-after-free on the Kbase side when it handles
the JIT free softjob or kcpu command for the already freed allocation.

This commit restricts the use of the MEM_FLAGS_CHANGE ioctl for JIT
allocations and for any other allocations that have the NO_USER_FREE flag
set. There is no use case to support the ioctl in question for
such allocations.

A Base defect test has also been added to verify the changes.

Bug: 259695958
Provenance: https://code.ipdelivery.arm.com/c/GPU/mali-ddk/+/4739
Change-Id: I9571060946b3d8e1c59e497392a480570d9b39c5
1 file changed