CVE-2023-6241 Extending to non-Pixel devices

[sampleuserjohn]

I tried the exploit for CVE-2023-6241. It works perfectly fine on Pixel 8.

But, when I tried extending that to other vulnerable non-Pixel devices, it showed an error - CANNOT FIND REUSED PAGE:: ILLEGAL SEEK.

Is that something related to the defined TEST_VALUE=0x42424242 ?

I tested with Poco X6 Pro, Nothing Phone 2a, and Redmi Note 13 Pro+ by adding the offsets. All phones had the same error.

AND

Some devices with lower GPU revision levels with r32p1 gives this error - BAD FILE DESCRIPTOR

[sampleuserjohn]

@m-y-mo

[sampleuserjohn]

@m-y-mo please reply...

[sampleuserjohn]

@m-y-mo

[muadzie]

The "CANNOT FIND REUSED PAGE:: ILLEGAL SEEK" error is not directly related to TEST_VALUE=0x42424242. That value is just a placeholder pattern used for page verification.

Root cause: CVE-2023-6241 exploits a race condition in kbase_jit_grow() where kctx->reg_lock is dropped during kbase_mem_pool_grow(). The exploit was specifically calibrated for Pixel 8's kernel (android-gs-shusky-5.15) with specific Mali driver revisions (r46p0). Non-Pixel devices like Poco X6 Pro, Nothing Phone 2a, and Redmi Note 13 Pro+ use different kernel versions, different Mali driver builds, and different page table configurations — so the timing window, memory layout, and page allocation behavior all differ.
The "ILLEGAL SEEK" means the GPU MMU fault handler tried to grow the JIT region but the page table walk failed because the physical page indices got misaligned after the race — this is because the stale old_size/delta values don't match the actual nents on your device's kernel memory allocator behavior.

For r32p1 "BAD FILE DESCRIPTOR": Devices with r32p1 use an older Mali GPU architecture that may not fully support CSF (Command Stream Frontend) the same way. CVE-2023-6241 specifically targets CSF-based GPUs (Valhall r41p0 and above). On r32p1, the kbase context creation or ioctl paths may differ, causing the file descriptor to be rejected. Check if your Mali driver version supports KBASE_IOCTL_KCPU_QUEUE_CREATE — if not, the exploit path won't work at all.
What to check:

1. Verify your Mali driver version >= r41p0 (r32p1 is too old)
2. Check if /dev/mali is present and you can open it
3. Try dumping /d/mali/gpu_firmware_version to confirm CSF support
4. Recalculate GPU page table offsets for your specific kernel build — they differ per OEM
5. The race window also depends on memory pressure — try allocating more memory before triggering the grow to make kbase_mem_pool_grow take longer

@sampleuserjohn acept me