In the Arm Mali driver's handling of CSF user I/O mappings, VMA splitting is handled incorrectly, leading to a page being given back to the kernel's page allocator while it is still mapped into userspace. On devices with recent Mali GPUs that support CSF, this is a security bug that should be very straightforward to exploit.
6ee0db58337e2459a3e0a317b84488b6c9019397c42a860c2baea1a6661f8592