    selftests/x86: Add a selftest for SYSRET to noncanonical addresses · 66060214
    Andy Lutomirski authored
    SYSRET to a noncanonical address will blow up on Intel CPUs.  Linux
    needs to prevent this from happening in two major cases, and the
    criteria will become more complicated when support for larger virtual
    address spaces is added.
    
    A fast-path SYSCALL will fall through to the following instruction
    using SYSRET without any particular checking.  To prevent fall-through
    to a noncanonical address, Linux prevents the highest canonical page
    from being mapped.  This test case checks a variety of possible maximum
    addresses to make sure that either we can't map code there or that
    SYSCALL fall-through works.
    
    A slow-path system call can return anywhere.  Linux needs to make sure
    that, if the return address is non-canonical, it won't use SYSRET.
    This test case causes sigreturn() to return to a variety of addresses
    (with RCX == RIP) and makes sure that nothing explodes.
    
    Some of this code comes from Kirill Shutemov.
    
    Kirill reported the following output...
sysret_rip.c 4.84 KB
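The two cases the commit message describes both reduce to one question: is the address SYSRET would load into RIP canonical for the number of virtual-address bits the CPU implements? The following is an added example, not code from sysret_rip.c or from the kernel, that encodes that check: `is_canonical()` tests whether an address is the sign extension of its low `va_bits` bits, `highest_canonical_page()` gives the page Linux refuses to map so that a fast-path SYSCALL cannot fall through past the canonical boundary, and `syscall_fallthrough_noncanonical()` asks whether a two-byte SYSCALL at a given address would return to a noncanonical RIP. The `va_bits` values 48 and 57 are assumptions for illustration (4-level and 5-level paging), chosen to show how the boundary moves when larger virtual address spaces are supported.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not part of the selftest. va_bits is the number of
 * implemented virtual-address bits: assumed 48 for 4-level paging and
 * 57 for 5-level paging. Everything else is derived from that.
 */

/*
 * An address is canonical iff bits [63:va_bits-1] are all equal, i.e.
 * it equals the sign extension of its low va_bits bits. We shift the
 * low bits up to bit 63 and shift back arithmetically (two's-complement
 * arithmetic right shift, as GCC and Clang implement it).
 */
static bool is_canonical(uint64_t addr, unsigned va_bits)
{
    unsigned shift = 64 - va_bits;
    uint64_t sext = (uint64_t)(((int64_t)(addr << shift)) >> shift);
    return sext == addr;
}

/* Highest address in the lower (user) canonical half. */
static uint64_t highest_user_canonical(unsigned va_bits)
{
    return ((uint64_t)1 << (va_bits - 1)) - 1;
}

/* Start of the highest canonical user page: the page Linux keeps unmapped. */
static uint64_t highest_canonical_page(unsigned va_bits)
{
    return highest_user_canonical(va_bits) & ~(uint64_t)0xfff;
}

/*
 * SYSCALL is two bytes (0f 05), so the fast-path return RIP is
 * syscall_addr + 2. True means the fall-through target is noncanonical,
 * which is exactly what the unmapped top page is meant to make impossible.
 */
static bool syscall_fallthrough_noncanonical(uint64_t syscall_addr, unsigned va_bits)
{
    return !is_canonical(syscall_addr + 2, va_bits);
}

int main(void)
{
    unsigned bits[] = { 48, 57 };
    for (size_t i = 0; i < sizeof(bits) / sizeof(bits[0]); i++) {
        unsigned b = bits[i];
        uint64_t top = highest_user_canonical(b);
        printf("va_bits=%u: highest user canonical 0x%016llx, page 0x%016llx, "
               "SYSCALL at last two bytes of it falls through noncanonical: %s\n",
               b, (unsigned long long)top,
               (unsigned long long)highest_canonical_page(b),
               syscall_fallthrough_noncanonical(top - 1, b) ? "yes" : "no");
    }
    return 0;
}
```

Note how the same address can be noncanonical under 48 bits and canonical under 57, which is why the commit message says the criteria get more complicated once larger address spaces are supported: the check has to be made against the CPU's real `va_bits`, not a fixed constant.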