authorNongji Chen <nongji.chen@arm.com>2023-06-20 11:58:27 +0100
committerGuus Sliepen <gsliepen@google.com>2023-06-23 14:38:44 +0000
commite56f5663a2b589c2cc96ab52c23781d500dfcace (patch)
tree08c9e60235de3de61d774505158147cd46016f84
parentccdea694f89925f1b7bc130941c6a82aa25b8e00 (diff)
GPUCORE-38292 Fix Use-After-Free Race with Memory-Pool Grow
This commit fixes a race condition in kbase_mmu_page_fault_worker when a memory pool is required to grow. It addresses a potential race window in which the worker is still handling a given region's growable pages during fault recovery while the application side triggers a buffer close on that same region. Change-Id: I25234396defd874ade30cf5075ed918e1142d96c Bug: 287629203 Provenance: https://code.ipdelivery.arm.com/c/GPU/mali-ddk/+/5549 (cherry picked from commit 221aa13af3d02f6b820adba0f50db7d203c41ba6)
-rw-r--r--mali_kbase/mmu/mali_kbase_mmu.c7
1 files changed, 3 insertions, 4 deletions
diff --git a/mali_kbase/mmu/mali_kbase_mmu.c b/mali_kbase/mmu/mali_kbase_mmu.c
index 46c2d4e..8f7b9b5 100644
--- a/mali_kbase/mmu/mali_kbase_mmu.c
+++ b/mali_kbase/mmu/mali_kbase_mmu.c
@@ -1331,6 +1331,7 @@ page_fault_retry:
kbase_gpu_vm_unlock(kctx);
} else {
int ret = -ENOMEM;
+ const u8 group_id = region->gpu_alloc->group_id;
kbase_gpu_vm_unlock(kctx);
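Review bot: The new `const u8 group_id = region->gpu_alloc->group_id;` has no comment explaining why the value is copied before `kbase_gpu_vm_unlock(kctx)`, so a later cleanup could fold it back into the pool lookups and reopen the use-after-free window the commit message describes. I would add above it `/* Snapshot group_id under the VM lock: region may be freed once the lock is dropped. */`. `region` itself stays in scope for the rest of this else-branch, which continues outside the hunk, so any dereference of it after the unlock that is not visible here deserves the same check. The pool-lookup hunks at -1342 and -1353 already use the cached value and need no further change.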
@@ -1342,8 +1343,7 @@ page_fault_retry:
if (grow_2mb_pool) {
/* Round page requirement up to nearest 2 MB */
struct kbase_mem_pool *const lp_mem_pool =
- &kctx->mem_pools.large[
- region->gpu_alloc->group_id];
+ &kctx->mem_pools.large[group_id];
pages_to_grow = (pages_to_grow +
((1 << lp_mem_pool->order) - 1))
@@ -1353,8 +1353,7 @@ page_fault_retry:
} else {
#endif
struct kbase_mem_pool *const mem_pool =
- &kctx->mem_pools.small[
- region->gpu_alloc->group_id];
+ &kctx->mem_pools.small[group_id];
ret = kbase_mem_pool_grow(mem_pool, pages_to_grow, kctx->task);
#ifdef CONFIG_MALI_2MB_ALLOC