Jann Horn
2018-10-29 15:11:34 UTC
NOTE: I have requested a CVE identifier, and I'm sending this message,
to make tracking of the fix easier; however, to avoid missing security
fixes without CVE identifiers, you should *NOT* be cherry-picking a
specific patch in response to a notification about a kernel security
bug.

Since Linux kernel version 3.2, the mremap() syscall performs TLB
flushes after dropping pagetable locks. If a syscall such as
ftruncate() removes entries from the pagetables of a task that is in
the middle of mremap(), a stale TLB entry can remain for a short time
that permits access to a physical page after it has been released back
to the page allocator and reused.

This is CVE-2018-18281.

This is fixed in the following kernel versions:

4.9.135
4.14.78
4.18.16
4.19

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16
https://bugs.chromium.org/p/project-zero/issues/detail?id=1695
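
An added example, not part of the original message: a shell function that classifies a kernel release string against the fixed versions listed above. It compares upstream version numbers only, so a distribution kernel with a backported fix can still be reported as affected; the function name and the status words are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the fixed versions
# listed in the message. Upstream version numbers only: a distribution kernel
# may carry the fix under an older number, so "affected" means "check further".

cve_2018_18281_status() {          # hypothetical helper name
    rel=$1
    ver=${rel%%[!0-9.]*}           # "4.14.77-generic" -> "4.14.77"
    [ -n "$ver" ] || { echo unknown; return 0; }
    old_ifs=$IFS; IFS=.
    set -- $ver                    # split into major, minor, patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    # The message dates the behaviour to 3.2; older kernels predate it.
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 2 ]; }; then
        echo not-affected; return 0
    fi
    # 4.19 and every later release contain the fix.
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 19 ]; }; then
        case "$major.$minor:$rel" in
            4.19:*-rc*) echo unknown ;;   # 4.19 pre-release: cannot tell by number
            *)          echo fixed ;;
        esac
        return 0
    fi
    # Stable series for which the message names a fixed release.
    case "$major.$minor" in
        4.9)  fixed_patch=135 ;;
        4.14) fixed_patch=78 ;;
        4.18) fixed_patch=16 ;;
        *)    echo unknown; return 0 ;;   # series not listed in the message
    esac
    if [ "$patch" -ge "$fixed_patch" ]; then echo fixed; else echo affected; fi
}

# Constructed sample release strings, then the running kernel.
for r in 4.14.77-generic 4.18.16-300.fc29.x86_64 4.4.162 4.19.0-rc7 "$(uname -r)"; do
    printf '%s\t%s\n' "$r" "$(cve_2018_18281_status "$r")"
done
```

A result of `unknown` means the message names no fixed release for that series, so the vendor's changelog has to be checked for commit eb66ae030829605d61fbef1909ce310e29f78821.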