Message-ID: <CANypQFYQSxyaNEUeOKq4dvNe+jhcw3mna2ho0ZARth5cXj6YxA@mail.gmail.com>
Date: Tue, 10 Feb 2026 21:07:13 +0800
From: Jiaming Zhang <r772577952@...il.com>
To: linux-kernel@...r.kernel.org
Cc: brauner@...nel.org, jack@...e.cz, linux-fsdevel@...r.kernel.org, 
	viro@...iv.linux.org.uk, syzkaller@...glegroups.com
Subject: [Linux Kernel Bug] WARNING in exc_debug_kernel

Dear Linux kernel developers and maintainers,

We are writing to report a WARNING discovered in the system with our
generated syzkaller specifications. This issue is reproducible on the
latest version of linux (v6.19, commit
05f7e89ab9731565d8a62e3b5d1ec206485eeb0b).

We are trying to analyze the root cause. Currently, we found that the
WARNING can be triggered when the following conditions are satisfied:

!cpu_feature_enabled(X86_FEATURE_FRED)=true
dr6=16385 (0x4001), i.e. dr6=(DR_STEP|DR_TRAP0)
is_sysenter_singlestep(regs)=false

Intuitively, the results of is_sysenter_singlestep(regs) and !!(dr6 &
DR_STEP) should be consistent, but this is not the case. We suspect
that some previously executed syscalls may have corrupted the
consistency.

We have attached the kernel console output, kernel config, and
reproducers to assist with the analysis:

.config file:
https://drive.google.com/file/d/1Ybz9U1r0sJQ83PPzFcLn5vIaKBFyvehI/view?usp=drive_link
kernel console output:
https://drive.google.com/file/d/1cNWDnkNrSeGXLvi2E9a3FfJ-LsfFVl2b/view?usp=drive_link
symbolized report:
https://drive.google.com/file/d/1yHP847poR1PIPzc-0Xvt2x-PWWHz0CVC/view?usp=drive_link
C reproducer:
https://drive.google.com/file/d/13mJobL3WVKZL31ZzvY0o8WXa_HZZescr/view?usp=drive_link
syz reproducer:
https://drive.google.com/file/d/1UVuNeYMhOQuQD-p1u90xy3DopzPtBVJG/view?usp=drive_link

The issue report is also listed below (symbolized by syz-symbolize):

---

------------[ cut here ]------------
WARNING: arch/x86/kernel/traps.c:1284 at exc_debug_kernel+0x108/0x150
vol/linux/v6.19/arch/x86/kernel/traps.c:1284, CPU#0: repro.out/9697
Modules linked in:
CPU: 0 UID: 0 PID: 9697 Comm: repro.out Not tainted 6.19.0 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:exc_debug_kernel+0x108/0x150
vol/linux/v6.19/arch/x86/kernel/traps.c:1284
Code: ff 65 48 8b 05 d9 ef 1d 07 48 3b 44 24 08 75 26 48 83 c4 10 5b
41 5e 41 5f 5d e9 ae 60 da f5 cc 90 0f 0b 90 e9 71 ff ff ff 90 <0f> 0b
90 80 a3 91 00 00 00 fe eb b5 e8 87 3f 00 00 f3 0f 1e fa 41
RSP: 0018:fffffe0000016f20 EFLAGS: 00010002
RAX: ffffffff815bfe00 RBX: fffffe0000016f58 RCX: 0000000000110000
RDX: ffff8880219ebd80 RSI: 0000000000000000 RDI: 0000000000008001
RBP: 0000000000000001 R08: ffffffff8f5d9377 R09: 1ffffffff1ebb26e
R10: dffffc0000000000 R11: ffffffff8169a7c0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000004001 R15: 0000000000050202
FS:  0000000029677300(0000) GS:ffff8880994e3000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000004c4c7000 CR4: 0000000000750ef0
DR0: 0000000000000006 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <#DB>
 asm_exc_debug+0x1e/0x40 vol/linux/v6.19/arch/x86/include/asm/idtentry.h:654
RIP: 0010:copy_user_generic
vol/linux/v6.19/arch/x86/include/asm/uaccess_64.h:126 [inline]
RIP: 0010:raw_copy_to_user
vol/linux/v6.19/arch/x86/include/asm/uaccess_64.h:147 [inline]
RIP: 0010:_inline_copy_to_user
vol/linux/v6.19/include/linux/uaccess.h:206 [inline]
RIP: 0010:_copy_to_user+0x85/0xb0 vol/linux/v6.19/lib/usercopy.c:26
Code: e8 70 3f 3e fd 4d 39 fc 72 3d 4d 39 ec 77 38 e8 01 3d 3e fd 4c
89 f7 89 de e8 c7 15 a6 fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 <f3> a4
0f 1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41
RSP: 0018:ffffc9000bbbfdd0 EFLAGS: 00050256
RAX: ffffffff84788d01 RBX: 0000000000000008 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffc9000bbbfe27 RDI: 0000000000000007
RBP: ffffc9000bbbfec0 R08: ffffc9000bbbfe27 R09: 1ffff92001777fc4
R10: dffffc0000000000 R11: fffff52001777fc5 R12: 0000000000000008
R13: 00007ffffffff000 R14: ffffc9000bbbfe20 R15: 0000000000000000
 </#DB>
 <TASK>
 copy_to_user vol/linux/v6.19/include/linux/uaccess.h:236 [inline]
 do_pipe2+0xc2/0x170 vol/linux/v6.19/fs/pipe.c:1040
 __do_sys_pipe2 vol/linux/v6.19/fs/pipe.c:1056 [inline]
 __se_sys_pipe2 vol/linux/v6.19/fs/pipe.c:1054 [inline]
 __x64_sys_pipe2+0x5a/0x70 vol/linux/v6.19/fs/pipe.c:1054
 do_syscall_x64 vol/linux/v6.19/arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe8/0xf80 vol/linux/v6.19/arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x44d989
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe605f93e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000125
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000044d989
RDX: 000000000044d989 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007ffe605f9400 R08: 0000000000000000 R09: 00007ffe605f9400
R10: ffffffffffffffff R11: 0000000000000206 R12: 000000000040bf20
R13: 0000000000000000 R14: 00000000004ba018 R15: 0000000000400488
 </TASK>
----------------
Code disassembly (best guess):
   0:   e8 70 3f 3e fd          call   0xfd3e3f75
   5:   4d 39 fc                cmp    %r15,%r12
   8:   72 3d                   jb     0x47
   a:   4d 39 ec                cmp    %r13,%r12
   d:   77 38                   ja     0x47
   f:   e8 01 3d 3e fd          call   0xfd3e3d15
  14:   4c 89 f7                mov    %r14,%rdi
  17:   89 de                   mov    %ebx,%esi
  19:   e8 c7 15 a6 fd          call   0xfda615e5
  1e:   0f 01 cb                stac
  21:   4c 89 ff                mov    %r15,%rdi
  24:   48 89 d9                mov    %rbx,%rcx
  27:   4c 89 f6                mov    %r14,%rsi
* 2a:   f3 a4                   rep movsb %ds:(%rsi),%es:(%rdi) <--
trapping instruction
  2c:   0f 1f 00                nopl   (%rax)
  2f:   48 89 cb                mov    %rcx,%rbx
  32:   0f 01 ca                clac
  35:   48 89 d8                mov    %rbx,%rax
  38:   5b                      pop    %rbx
  39:   41 5c                   pop    %r12
  3b:   41 5d                   pop    %r13
  3d:   41 5e                   pop    %r14
  3f:   41                      rex.B

---

Please let me know if any further information is required.

Best Regards,
Jiaming Zhang
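A constructed C model of the decision the report describes, added here as an illustration; it is neither the reporter's code nor the kernel's. It assumes the structure of exc_debug_kernel() in arch/x86/kernel/traps.c: on non-FRED entry a SYSENTER single-step clears DR_STEP, and any DR_STEP that survives the checks is the WARNING the report hits.

```c
/* Model of the kernel-mode #DB DR6 handling path exercised by the report.
 * Assumption: mirrors the control flow of exc_debug_kernel(), not its code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DR_TRAP0 0x1UL    /* hardware breakpoint 0 hit (DR_TRAP1..3 follow) */
#define DR_STEP  0x4000UL /* single-step (TF) trap */

enum db_outcome { DB_IGNORED, DB_HANDLED, DB_STRAY_STEP_WARNING };

/* Decide what a kernel-mode #DB does for a raw DR6 value and the two
 * predicates the report lists (FRED enabled, is_sysenter_singlestep). */
enum db_outcome model_exc_debug_kernel(unsigned long dr6, bool fred_enabled,
                                       bool sysenter_singlestep)
{
    /* Legacy (non-FRED) entry: SYSENTER with TF set legitimately raises a
     * step trap, so DR_STEP is dropped before the remaining checks. */
    if (!fred_enabled && (dr6 & DR_STEP) && sysenter_singlestep)
        dr6 &= ~DR_STEP;

    if (!dr6)
        return DB_IGNORED;

    /* The kernel does not single-step itself outside kprobes/kgdb, so a
     * DR_STEP still set here is unexplained: the WARN_ON path. */
    if (dr6 & DR_STEP)
        return DB_STRAY_STEP_WARNING;

    return DB_HANDLED; /* e.g. a watchpoint hit only */
}

/* Render DR6 bits as the report does, e.g. 0x4001 -> "DR_STEP|DR_TRAP0". */
int decode_dr6(unsigned long dr6, char *out, size_t n)
{
    int len = 0;
    out[0] = '\0';
    if (dr6 & DR_STEP)
        len += snprintf(out, n, "DR_STEP");
    for (int i = 0; i < 4 && (size_t)len < n; i++)
        if (dr6 & (DR_TRAP0 << i))
            len += snprintf(out + len, n - len, "%sDR_TRAP%d", len ? "|" : "", i);
    return len ? len : snprintf(out, n, "0");
}

int main(void)
{
    char buf[64];
    decode_dr6(0x4001UL, buf, sizeof buf); /* the value from the report */
    printf("dr6=0x4001 -> %s, outcome=%d\n", buf,
           model_exc_debug_kernel(0x4001UL, false, false));
    return 0;
}
```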
