kernel: x86: espfix(64) bypass via set_thread_area and CLONE_SETTLS
It was found that the espfix functionality could be bypassed by installing a 16-bit RW data segment into GDT instead of LDT which espfix checks, and using that segment on the stack. A local, unprivileged user could potentially use this flaw to leak kernel stack addresses...