amd64: Clear the local TSS when creating a new thread

Otherwise it is copied from the creating thread. Then, if either thread exits, the other is left with a dangling pointer, typically resulting in a page fault upon the next context switch. Reported by: syzkaller Reviewed by: kib MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D30607
2021-06-01 19:38:22 -04:00 · 2021-06-01 19:38:22 -04:00 · 8cd05b8833
commit 8cd05b8833
parent 6cda627556
1 changed files with 2 additions and 0 deletions
--- a/sys/amd64/amd64/vm_machdep.c
+++ b/sys/amd64/amd64/vm_machdep.c
@ -189,6 +189,8 @@ copy_thread(struct thread *td1, struct thread *td2)
 	 * pcb2->pcb_[fg]sbase:	cloned above
 	 */

+	pcb2->pcb_tssp = NULL;
+
 	/* Setup to release spin count in fork_exit(). */
 	td2->td_md.md_spinlock_count = 1;
 	td2->td_md.md_saved_flags = PSL_KERNEL | PSL_I;