[PATCH v5 7/9] mm/mremap: Move TLB flush outside page table lock
torvalds at linux-foundation.org
Sat May 22 02:05:11 AEST 2021
On Fri, May 21, 2021 at 5:25 AM Liam Howlett <liam.howlett at oracle.com> wrote:
> mremap holds the mmap_sem in write mode as well, doesn't it? How is the user thread
> getting the new location?
No amount of locking protects against the HW page table walker (or,
indeed, software ones, but they are irrelevant).
And an attacker _knows_ the new address, because that's who would be
doing the mremap() in the first place - to trigger this bug.