diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2021-06-01 23:38:22 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2021-06-01 23:38:22 +0000 |
| commit | 8cd05b883330049d536a40e2f4c9ff92d0e6944e (patch) | |
| tree | ac29eb49d521ca90cd8d5f8f33f40750d6091e8c | |
| parent | 6cda62755612d706f30a99f70ff13ffa0f3f2422 (diff) | |
amd64: Clear the local TSS when creating a new thread
Otherwise it is copied from the creating thread. Then, if either thread
exits, the other is left with a dangling pointer, typically resulting in
a page fault upon the next context switch.
Reported by: syzkaller
Reviewed by: kib
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D30607
| -rw-r--r-- | sys/amd64/amd64/vm_machdep.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/amd64/amd64/vm_machdep.c b/sys/amd64/amd64/vm_machdep.c index 1acc5dc55c85..7d65269410e0 100644 --- a/sys/amd64/amd64/vm_machdep.c +++ b/sys/amd64/amd64/vm_machdep.c @@ -189,6 +189,8 @@ copy_thread(struct thread *td1, struct thread *td2) * pcb2->pcb_[fg]sbase: cloned above */ + pcb2->pcb_tssp = NULL; + /* Setup to release spin count in fork_exit(). */ td2->td_md.md_spinlock_count = 1; td2->td_md.md_saved_flags = PSL_KERNEL | PSL_I; |