amd64: Clear the local TSS when creating a new thread

Otherwise it is copied from the creating thread.  Then, if either thread
exits, the other is left with a dangling pointer, typically resulting in
a page fault upon the next context switch.

Reported by:	syzkaller
Reviewed by:	kib
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D30607

diff --git a/sys/amd64/amd64/vm_machdep.c b/sys/amd64/amd64/vm_machdep.c
index 1acc5dc55c85baf1fa918b5fc5a14c88f2413567..7d65269410e0c94a3d5f7398172bd068a024a1fe 100644 (file)
--- a/sys/amd64/amd64/vm_machdep.c
+++ b/sys/amd64/amd64/vm_machdep.c
@@ -189,6 +189,8 @@ copy_thread(struct thread *td1, struct thread *td2)
         * pcb2->pcb_[fg]sbase: cloned above
         */
 
+       pcb2->pcb_tssp = NULL;
+
        /* Setup to release spin count in fork_exit(). */
        td2->td_md.md_spinlock_count = 1;
        td2->td_md.md_saved_flags = PSL_KERNEL | PSL_I;