[PATCH v5 7/9] mm/mremap: Move TLB flush outside page table lock

Linus Torvalds torvalds at linux-foundation.org
Sat May 22 02:05:11 AEST 2021

On Fri, May 21, 2021 at 5:25 AM Liam Howlett <liam.howlett at oracle.com> wrote:
> mremap holds the mmap_sem in write mode as well, doesn't it?  How is the user thread
> getting the new location?

No amount of locking protects against the HW page table walker (or,
indeed, software ones, but they are irrelevant).

And an attacker _knows_ the new address, because that's who would be
doing the mremap() in the first place - to trigger this bug.


More information about the Linuxppc-dev mailing list