[PATCH v5 7/9] mm/mremap: Move TLB flush outside page table lock

Linus Torvalds torvalds at linux-foundation.org
Sat May 22 02:05:11 AEST 2021


On Fri, May 21, 2021 at 5:25 AM Liam Howlett <liam.howlett at oracle.com> wrote:
>
> mremap holds the mmap_sem in write mode as well, doesn't it?  How is the user thread
> getting the new location?

No amount of locking protects against the HW page table walker (or,
indeed, software ones, but they are irrelevant).

And an attacker _knows_ the new address, because that's who would be
doing the mremap() in the first place - to trigger this bug.

             Linus

