arch/arm64/mm/dma-mapping.c in the Linux kernel before 4.0.3, as used in the ION subsystem in Android and other products, does not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory by triggering a dma_mmap call.
git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6829e274a623187c24f7cfc0e3d35f25d087fcc5
source.android.com/security/bulletin/2016-10-01.html
www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.0.3
www.securityfocus.com/bid/93318
github.com/torvalds/linux/commit/6829e274a623187c24f7cfc0e3d35f25d087fcc5
source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=6e2c437a2d0a85d90d3db85a7471f99764f7bbf8