On Fri, May 21, 2021 at 5:25 AM Liam Howlett <liam.howl...@oracle.com> wrote:
>
> mremap holds the mmap_sem in write mode as well, doesn't it?  How is the user
> thread getting the new location?

No amount of locking protects against the HW page table walker (or,
indeed, software ones, but they are irrelevant).

And an attacker _knows_ the new address, because that's who would be
doing the mremap() in the first place - to trigger this bug.

             Linus
