GPUCORE-35499: Fix GROUP_SUSPEND kcpu suspend handling to prevent UAF

This commit fixes a buffer vulnerability that is provided for internal
test/dump use in kcpu queue to get a CSG's suspend buffer content. The
change ensures that the user supplied GPU VA mapped dump receiving
buffer must meet some additional expected attributes so as to avoid the
risk the dump buffer is abused from the user side, yielding potential
vulnerability of use after free in kbase GPU mapped buffers from the
said kcpu dump arrangement for CSG suspend buffer content.

TI2: 906872 (PLAN-39472r8 R38P1 DDK Precommit)
TI2: 906873 (PLAN-39568r4 R38 GPU Core CS CSF, targeted R38 test, red
             an unrelated issue, intermittent)
TI2: 907201 (PLAN-39568r4 R38 GPU Core CS CSF, rerun the targeted red)
TI2: 906018 (PLAN-2596r269 GPU Core CS CSF, 1 unrelated red)
TI2: 906307 (PLAN-2596r269 GPU Core CS CSF, rerun the red)
TI2: 906019 (PLAN-28130r51 GPUCORE CS Android-12-CSF-Minimal, the red
             is a trunk issue, multiple nightly reds in history)

(cherry picked from commit 3646ab9f80d1e57b6cdff4e0651f3f07f7065954)
Bug: 254445909
Change-Id: I25275830b56941f597e6ebb7e38bf8764a5a2555
diff --git a/mali_kbase/csf/mali_kbase_csf_kcpu.c b/mali_kbase/csf/mali_kbase_csf_kcpu.c
index 28d54e0..261ef76 100644
--- a/mali_kbase/csf/mali_kbase_csf_kcpu.c
+++ b/mali_kbase/csf/mali_kbase_csf_kcpu.c
@@ -648,9 +648,12 @@
 		u64 start, end, i;
 		if (((reg->flags & KBASE_REG_ZONE_MASK) != KBASE_REG_ZONE_SAME_VA) ||
-				reg->nr_pages < nr_pages ||
-				kbase_reg_current_backed_size(reg) !=
-					reg->nr_pages) {
+		    (kbase_reg_current_backed_size(reg) < nr_pages) ||
+		    !(reg->flags & KBASE_REG_CPU_WR) ||
+		    (reg->gpu_alloc->type != KBASE_MEM_TYPE_NATIVE) ||
+		    (reg->flags & KBASE_REG_DONT_NEED) ||
+		    (reg->flags & KBASE_REG_ACTIVE_JIT_ALLOC) ||
+		    (reg->flags & KBASE_REG_NO_USER_FREE)) {
 			ret = -EINVAL;
 			goto out_clean_pages;