From ca8909430de740a3cc4febedd192309b61b95364 Mon Sep 17 00:00:00 2001
From: Raffaele Aquilone <raffaele.aquilone@arm.com>
Date: Thu, 18 Jan 2024 15:17:35 +0000
Subject: [PATCH] GPUCORE-41385 Fix small memory aliases of large memory
allocations
Previously, when creating a GPU mapping, the driver would only consider
the alignment of the GPU VA and the tag attached to the corresponding
physical page to decide whether to create a single MMU ATE at level 2
for a 2 MB region or a set of MMU ATEs at level 3 of 4 kB each.
The problem was that a small memory alias of a large memory allocation
could satisfy both conditions if its GPU VA happens to be aligned to
a large memory page. This would lead to the creation of a 2 MB mapping
even if the user only requested a smaller region, e.g. 4 kB. Moreover,
this would lead to problems during the teardown, leaving the MMU page
table in an inconsistent state and potentially keeping the GPU mapping
in existence, allowing use-after-free of a physical page after the
original allocation is released.
The driver now adds a third condition to the creation of an MMU ATE
at level 2: the total number of MMU page table entries to map must be
512, i.e. the user has requested a whole 2 MB region intentionally.
A defect test has been introduced to reproduce the problem. The test
creates a memory alias with 513 members of 4 kB each, which reproduces
the conditions which are necessary to trigger the bug. After that,
it frees the aliases and attempts a GPU write after free.
TI2: ... (DDK precommit, r48p0)
TI2: ... (Base defect and memory tests, r48p0)
Change-Id: Ibc5652ce2bed9fb3b394cc3d6ce03871987db11d
---
.../drivers/gpu/arm/midgard/mmu/mali_kbase_mmu.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/product/kernel/drivers/gpu/arm/midgard/mmu/mali_kbase_mmu.c b/product/kernel/drivers/gpu/arm/midgard/mmu/mali_kbase_mmu.c
index 30a4fbc50b2..dd819c1b862 100644
--- a/product/kernel/drivers/gpu/arm/midgard/mmu/mali_kbase_mmu.c
+++ b/product/kernel/drivers/gpu/arm/midgard/mmu/mali_kbase_mmu.c
@@ -2318,7 +2318,15 @@ static int mmu_insert_pages_no_flush(struct kbase_device *kbdev, struct kbase_mm
if (count > remain)
count = remain;
- if (!vindex && is_huge_head(*phys))
+ /* There are 3 conditions to satisfy in order to create a level 2 ATE:
+ *
+ * - The GPU VA is aligned to 2 MB.
+ * - The physical address is tagged as the head of a 2 MB region,
+ * which guarantees a contiguous physical address range.
+ * - There are actually 2 MB of virtual and physical pages to map,
+ * i.e. 512 entries for the MMU page table.
+ */
+ if (!vindex && is_huge_head(*phys) && (count == KBASE_MMU_PAGE_ENTRIES))
cur_level = MIDGARD_MMU_LEVEL(2);
else
cur_level = MIDGARD_MMU_BOTTOMLEVEL;
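Review bot: The new `count == KBASE_MMU_PAGE_ENTRIES` guard only hardens the insertion path, while the commit message says the teardown could already leave the page table inconsistent and keep a stale mapping alive for such an alias; please confirm that the teardown path (not in this hunk) either copes with a pre-existing level-2 ATE that covers more than the region being unmapped, or that this guard makes that state unreachable, and say so in the message. Also, the second comment bullet ("which guarantees a contiguous physical address range") reads as if the count check verified contiguity, but the hunk only compares the entry count; contiguity still rests entirely on `is_huge_head(*phys)`, so consider wording the bullet as "the head tag guarantees ..." to make that dependency explicit.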
--
2.43.0