Seth Jenkins discovered an arbitrary write primitive in Pixel kernel exploitation but lacked a KASLR leak. He researched the Linux kernel's linear mapping, which directly maps physical memory to a virtual address region. On Android ARM64, this linear mapping has a fixed virtual address due to memory hot-plugging requirements and limited virtual address bits. Consequently, the phys_to_virt calculation becomes static, with PHYS_OFFSET consistently being 0x80000000.

Further compounding this, Pixel phones decompress the kernel at a static physical address, 0x80010000, on every boot. This allows for the static calculation of kernel virtual addresses for any kernel data entry. For instance, the modprobe_path string can be reliably accessed at 0xffffff8001ff2398. In practice, a static kernel base of 0xffffff8000010000 can be used on Pixels to derive kernel symbol virtual addresses, bypassing the need for a KASLR leak for arbitrary read-write primitives.

The linear mapping also allows kernel data regions to be mapped read-write, though text regions remain non-executable. Even on devices with randomized physical kernel load addresses, the non-randomized linear mapping aids exploitation by allowing attackers to target predictable physical memory locations. Memory spraying techniques can place data at known kernel virtual addresses, simplifying the forging of kernel data structures.

Both the lack of linear map randomization and the static kernel physical address on Pixels are considered intended behavior by the Linux kernel team and Google. While KASLR remains valuable against remote attacks, its effectiveness against local attackers is diminished. Preserving KASLR integrity through engineering efforts is crucial for overall security. Future improvements could include randomizing the linear map, increasing physical page allocation entropy, and randomizing kernel physical addresses.
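The arithmetic behind the static addresses above, as an added example that is not code from the original post or from the Linux kernel: PHYS_OFFSET (0x80000000), the kernel's physical load address (0x80010000) and the two virtual addresses are the values quoted on the page; PAGE_OFFSET = 0xffffff8000000000 is assumed to be the linear-map base of a 39-bit VA arm64 build (it is the value that makes the page's numbers come out). The real kernel macro ORs PAGE_OFFSET in rather than adding it, which gives the same result for these canonical values. The final function is a hypothetical model of the "randomize the linear map" mitigation the page mentions, showing why a per-boot slide would break the static calculation.

```python
import random

# Constants from the page (Pixel, arm64).
PHYS_OFFSET = 0x8000_0000        # start of DRAM as seen by the linear map
KERNEL_PHYS_LOAD = 0x8001_0000   # kernel is decompressed here on every boot
MODPROBE_PATH_VA = 0xFFFF_FF80_01FF_2398  # modprobe_path in the linear map

# Assumption: linear-map base for a 39-bit VA build (-(1 << 39) as u64).
PAGE_OFFSET = 0xFFFF_FF80_0000_0000
PAGE_SHIFT = 12


def phys_to_virt(phys: int, slide: int = 0) -> int:
    """Linear-map translation: virt = (phys - PHYS_OFFSET) + PAGE_OFFSET.

    With slide == 0 this is deterministic across boots, which is the
    page's point: no KASLR leak is needed to know where a physical
    page lives in kernel virtual memory.
    """
    if phys < PHYS_OFFSET:
        raise ValueError(f"{phys:#x} is below PHYS_OFFSET, not linearly mapped")
    return (phys - PHYS_OFFSET) + PAGE_OFFSET + slide


def virt_to_phys(virt: int, slide: int = 0) -> int:
    """Inverse of phys_to_virt for addresses inside the linear map."""
    base_virt = virt - slide
    if base_virt < PAGE_OFFSET:
        raise ValueError(f"{virt:#x} is not a linear-map address")
    return (base_virt - PAGE_OFFSET) + PHYS_OFFSET


def static_kernel_base() -> int:
    """Kernel virtual base that follows from the fixed physical load address."""
    return phys_to_virt(KERNEL_PHYS_LOAD)


def hypothetical_linear_map_slide(entropy_bits: int, rng: random.Random) -> int:
    """Model of a randomized linear map (not a real kernel feature here):
    a page-aligned random offset chosen once per boot."""
    return rng.getrandbits(entropy_bits) << PAGE_SHIFT


if __name__ == "__main__":
    print(f"static kernel base : {static_kernel_base():#x}")
    print(f"modprobe_path phys : {virt_to_phys(MODPROBE_PATH_VA):#x}")
    # Two simulated boots with a randomized linear map give different VAs
    # for the same physical page; the fixed mapping gives the same one.
    for boot in range(2):
        slide = hypothetical_linear_map_slide(20, random.Random(boot))
        print(f"boot {boot}: kernel base with slide = "
              f"{phys_to_virt(KERNEL_PHYS_LOAD, slide):#x}")
```

Running it reproduces the page's numbers: the fixed mapping turns 0x80010000 into 0xffffff8000010000 on every boot, and modprobe_path's virtual address maps back to physical 0x81ff2398. The two simulated boots with a slide show the property a randomized linear map would restore: the same physical page no longer has a predictable kernel virtual address, so the attacker would again need a leak.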