PowerVR has an issue where PVRSRVAcquireProcessHandleBase() can cause psProcessHandleBase reuse when PIDs are reused.
18d88674b2b9ce3ddaccd51818379af5893ab0c36e6eb07d67ee93245da55ea8
A security-relevant race between mremap() and THP code has been discovered. Reaching the buggy code typically requires the ability to create unprivileged namespaces. The bug leads to installing physical address 0 as a page table, which is likely exploitable in several ways: For example, triggering the bug in multiple processes can probably lead to unintended page table sharing, which probably can lead to stale TLB entries pointing to freed pages.
d415d186ac0cd0e8590e6af8e512c75a753a301cb3c1ff5d14ad6ae5cf28a43e