The Mali driver frees GPU page tables before removing the higher-level PTEs pointing to those page tables (and, therefore, also before issuing the required flushes). This means a racing memory write instruction on the GPU can write to an attacker-controlled physical address.
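The ordering problem described above, shown as a toy model (an added example, not Mali driver code and not from the original report). It compares freeing a table page before unlinking and flushing with the reverse order. The two-level layout, page numbers, walk cache and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy two-level GPU page-table model. All names and values are
   hypothetical and constructed; none of this is Mali driver code. */
enum { NPAGES = 8, NENT = 4, INVALID = -1, TOP = 0 };
static int  mem[NPAGES][NENT];   /* simulated physical pages */
static bool page_free[NPAGES];   /* page allocator state */
static int  walk_cache;          /* GPU-cached copy of top-level PTE 0 */

static void setup(void) {
    for (int p = 0; p < NPAGES; p++) {
        page_free[p] = (p > 2);  /* pages 0..2 start in use */
        for (int e = 0; e < NENT; e++) mem[p][e] = INVALID;
    }
    mem[TOP][0] = 1;             /* top-level PTE -> table page 1 */
    mem[1][0]   = 2;             /* table page 1, PTE 0 -> data page 2 */
    walk_cache  = mem[TOP][0];   /* GPU has already walked this mapping */
}
static void flush_gpu(void) { walk_cache = INVALID; }

/* GPU-side walk; uses the cached top-level entry when one is present. */
static int gpu_translate(void) {
    int table = (walk_cache != INVALID) ? walk_cache : mem[TOP][0];
    return table == INVALID ? INVALID : mem[table][0];
}

/* The allocator gives a free page to a new owner, who writes its own data. */
static void reuse_page(int page, int contents) {
    if (!page_free[page]) return;        /* not free: cannot be handed out */
    page_free[page] = false;
    mem[page][0] = contents;
}

/* Tears down table page 1 and returns what a racing GPU access resolves
   to in the window between the two teardown steps (INVALID = fault). */
static int teardown(bool unlink_first, int reuse_value) {
    setup();
    int table = mem[TOP][0];
    if (unlink_first) { mem[TOP][0] = INVALID; flush_gpu(); } /* safe step 1 */
    else              { page_free[table] = true; }            /* free first */
    reuse_page(table, reuse_value);      /* window: page may be reallocated */
    int seen = gpu_translate();          /* window: racing GPU access */
    if (unlink_first) page_free[table] = true;                /* safe step 2 */
    else { mem[TOP][0] = INVALID; flush_gpu(); }              /* too late */
    return seen;
}

int main(void) {
    printf("free first: %d, unlink first: %d\n", teardown(false, 7), teardown(true, 7));
    return 0;
}
```

With the free-first order the translation is whatever the page's new owner wrote. With unlink and flush first, the page cannot be reused while it is still reachable, so the racing access faults.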