syzbot

 sign-in | mailing list | source | docs
🐞 Open [921] Subsystems 🐞 Fixed [4771] 🐞 Invalid [11247] Missing Backports [29] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

Applied filters: Label=subsystems:io-uring (drop)
Title Repro Cause bisect Fix bisect Count Last Reported Patched Closed Patch
general protection fault in io_uring_show_fdinfo io-uring C done 17 17d 26d 23/25 never 32f5dea040ee io_uring/fdinfo: only print ->sq_array[] if it's there
UBSAN: array-index-out-of-bounds in io_setup_async_msg io-uring C done 3 15d 14d 21/25 never c21a8027ad8a io_uring/net: fix iter retargeting for selected buf
general protection fault in io_sqpoll_wq_cpu_affinity io-uring 33 19d 30d 23/25 never bd6fc5da4c51 io_uring: Don't set affinity on a dying sqpoll thread
INFO: task hung in io_sq_thread_stop fs io-uring C done 211 954d 1113d 1/25 never io_uring: don't sleep schedule in SQPOLL thread if we need to park
general protection fault in vma_is_shmem mm io-uring C error 28 401d 402d 1/25 never mm/gup.c: Fix return value for __gup_longterm_locked()
general protection fault in vma_interval_tree_remove mm io-uring C done 13 496d 513d 1/25 never mm/mmap: fix advanced maple tree API for mmap_region() mm/mmap: qvoid dereferencing next on null in BUG_ON()
WARNING in io_get_cqe_overflow io-uring 1 248d 248d 24/25 111d e12d7a46f65a io_uring/msg_ring: fix missing lock on overflow for IOPOLL
WARNING in io_cqring_event_overflow io-uring C 7 251d 258d 24/25 111d 544d163d659d io_uring: lock overflowing for IOPOLL
memory leak in io_submit_sqes (4) io-uring C 1 262d 261d 24/25 111d febb985c06cb io_uring/poll: add hash if ready poll request can't complete inline
WARNING in io_sync_cancel io-uring C error 3 284d 280d 24/25 111d 23fffb2f09ce io_uring/cancel: re-grab ctx mutex after finishing wait
WARNING in io_cqring_overflow_flush io-uring C 2 285d 281d 24/25 111d 52ea806ad983 io_uring: finish waiting before flushing overflow entries
KASAN: use-after-free Read in io_worker_get io-uring C done done 5 227d 261d 24/25 111d e6db6f9398da io_uring/io-wq: only free worker if it was allocated for creation
KASAN: use-after-free Read in io_wq_worker_wake io-uring C done done 1 228d 261d 24/25 111d e6db6f9398da io_uring/io-wq: only free worker if it was allocated for creation
KASAN: wild-memory-access Read in io_wq_worker_running io-uring C 39 257d 264d 24/25 111d e6db6f9398da io_uring/io-wq: only free worker if it was allocated for creation
KASAN: use-after-free Read in tty_release io-uring serial C done 23 544d 554d 24/25 215d d89a4fac0fbc io_uring: fix assuming triggered poll waitqueue is the single poll
KASAN: use-after-free Read in pty_close fuse serial io-uring C done 4 420d 447d 24/25 215d 7a121ced6e64 io_uring: don't miss setting REQ_F_DOUBLE_POLL
KASAN: slab-out-of-bounds Read in io_uring_show_fdinfo io-uring C done 5 347d 352d 24/25 215d 00927931cb63 io_uring: fix fdinfo sqe offsets calculation
kernel BUG in commit_creds io-uring C done 5 527d 531d 24/25 215d 701521403cfb io_uring: abort file assignment prior to assigning creds
inconsistent lock state in kmem_cache_alloc io-uring C 4 359d 366d 24/25 215d b000145e9907 io_uring/rw: defer fsnotify calls to task context
KASAN: null-ptr-deref Write in io_file_get_normal io-uring fs C done 107 461d 545d 24/25 215d d5361233e9ab io_uring: drop the old style inflight file tracking
memory leak in iovec_from_user fs io-uring C 1 533d 529d 24/25 215d 323b190ba2de io_uring: free iovec if file assignment fails
WARNING in inet_csk_destroy_sock (2) io-uring net C done 8 264d 351d 24/25 215d e0833d1fedb0 dccp/tcp: Fixup bhash2 bucket when connect() fails.
WARNING in io_req_complete_failed io-uring C error 2 307d 303d 24/25 215d c06c6c5d2767 io_uring: always lock in io_apoll_task_func
WARNING: ODEBUG bug in kvm_xen_vcpu_set_attr kvm io-uring C done 4 423d 475d 24/25 215d af735db31285 KVM: x86/xen: Initialize Xen timer only once c03689913635 KVM: x86/xen: Stop Xen timer before changing IRQ
WARNING in __split_huge_page_tail io-uring arch mm C error 155 264d 336d 24/25 215d 5aae9265ee1a mm: prep_compound_tail() clear page->private
KASAN: use-after-free Write in io_sendrecv_fail io-uring C 75 346d 369d 24/25 215d a75155faef4e io_uring/net: fix UAF in io_sendrecv_fail()
KASAN: use-after-free Read in add_wait_queue fs io-uring C done done 13 548d 554d 24/25 215d d89a4fac0fbc io_uring: fix assuming triggered poll waitqueue is the single poll
BUG: unable to handle kernel NULL pointer dereference in io_do_iopoll fs io-uring C done 3 499d 498d 24/25 215d aa184e8671f0 io_uring: don't attempt to IOPOLL for MSG_RING requests
KASAN: use-after-free Read in __io_remove_buffers io-uring C done 2 418d 414d 24/25 215d ec8516f3b7c4 io_uring: fix free of unallocated buffer list
KASAN: use-after-free Read in filp_close io-uring fs C done 17 257d 485d 24/25 215d 40a1926022d1 fix the breakage in close_fd_get_file() calling conventions change
BUG: Bad page map (5) mm io-uring C 35 256d 514d 24/25 215d 4d24de9425f7 mm: MADV_COLLAPSE: refetch vm_end after reacquiring mmap_lock
KASAN: use-after-free Read in inet_bind2_bucket_find net io-uring C done 13 470d 477d 24/25 215d 593d1ebe00a4 Revert "net: Add a second bind table hashed by port and address"
WARNING: still has locks held in io_ring_submit_lock fs io-uring C done 3 500d 500d 24/25 215d e7637a492b9f io_uring: fix locking state for empty buffer group
KASAN: invalid-free in io_clean_op io-uring C 13 350d 367d 24/25 215d 4c17a496a7a0 io_uring/net: fix cleanup double free free_iov init
general protection fault in io_uring_register io-uring fs syz done 1 748d 744d 22/25 568d 41d3a6bd1d37 io_uring: pin SQPOLL data before unlocking ring lock
KASAN: use-after-free Write in io_queue_worker_create fs io-uring C unreliable 132 651d 660d 22/25 568d 71a85387546e io-wq: check for wq exit after adding new worker task_work e47498afeca9 io-wq: remove spurious bit clear on task_work addition
INFO: task hung in io_uring_del_tctx_node io-uring fs C unreliable 37 570d 734d 22/25 568d 8bab4c09f24e io_uring: allow conditional reschedule for intensive iterators
possible deadlock in io_worker_cancel_cb fs io-uring C done 9 649d 653d 22/25 568d d800c65c2d4e io-wq: drop wqe lock before creating new worker
BUG: unable to handle kernel paging request in __blk_mq_alloc_requests io-uring block C unreliable 107 687d 695d 22/25 568d a22c00be90de block: assign correct tag before doing prefetch of request
INFO: task hung in io_uring_try_cancel_requests fs io-uring C error 41 657d 699d 22/25 568d f75d118349be io_uring: harder fdinfo sq/cq ring iterating
WARNING in signalfd_cleanup fs io-uring C done 201 615d 630d 22/25 568d 791f3465c4af io_uring: fix UAF due to missing POLLFREE handling
INFO: task hung in io_uring_cancel_generic (2) io-uring fs C done 97 652d 679d 22/25 568d 78a780602075 io_uring: ensure task_work gets run as part of cancelations
INFO: rcu detected stall in io_wqe_worker (2) io-uring fs C done 2 700d 700d 22/25 568d c5e0321e43de Revert "devlink: Remove not-executed trap policer notifications"
possible deadlock in io_poll_double_wake (3) io-uring fs C error done 703 624d 897d 22/25 568d aa43477b0402 io_uring: poll rework
INFO: task hung in io_wqe_worker fs io-uring C unreliable 3 710d 706d 22/25 568d 1d5f5ea7cb7d io-wq: remove worker to owner tw dependency
WARNING in io_link_timeout_fn fs io-uring C done 2 868d 868d 22/25 687d 447c19f3b507 io_uring: fix ltout double free on completion race
general protection fault in io_commit_cqring (2) fs io-uring C done 82 899d 912d 22/25 687d 51520426f4bc io_uring: handle setup-failed ctx in kill_timeouts
INFO: task hung in io_sq_thread_park (2) fs io-uring syz done 2 809d 805d 22/25 687d 46fee9ab02cb io_uring: remove double poll entry on arm failure
INFO: task hung in __io_uring_cancel fs io-uring C done 5 825d 891d 22/25 687d 28090c133869 io_uring: fix work_exit sqpoll cancellations
memory leak in create_io_worker io-uring fs C 5 710d 749d 22/25 687d 66e70be72288 io-wq: fix memory leak in create_io_worker()
WARNING in io_wqe_enqueue io-uring fs C done 13 845d 845d 22/25 687d e6ab8991c5d0 io_uring: fix false WARN_ONCE
WARNING in io_poll_double_wake fs io-uring C done done 1124 788d 890d 22/25 687d a890d01e4ee0 io_uring: fix poll requests leaking second poll entries
INFO: task hung in io_wq_put_and_exit io-uring fs C unreliable 628 688d 749d 22/25 687d 3b33e3f4a6c0 io-wq: fix silly logic error in io_task_work_match()
general protection fault in try_grab_compound_head mm io-uring C done 5 788d 816d 22/25 687d d08af0a59684 mm/hugetlb: fix refs calculation from unaligned @vaddr
BUG: unable to handle kernel NULL pointer dereference in kiocb_done fs io-uring C unreliable done 3 755d 754d 22/25 687d b8ce1b9d25cc io_uring: don't submit half-prepared drain request
WARNING in io_try_cancel_userdata fs io-uring syz unreliable 4 761d 765d 22/25 687d dadebc350da2 io_uring: fix io_try_cancel_userdata race for iowq
general protection fault in __io_file_supports_nowait fs io-uring C done done 13 752d 757d 22/25 687d c6d3d9cbd659 io_uring: fix queueing half-created requests
INFO: task hung in io_uring_cancel_generic io-uring fs C unreliable 151 687d 808d 22/25 687d 1b48773f9fd0 io_uring: fix io_drain_req()
general protection fault in sock_from_file net io-uring C inconclusive 78 751d 758d 22/25 687d c6d3d9cbd659 io_uring: fix queueing half-created requests
WARNING in io_rsrc_node_switch io-uring fs C done 174 872d 881d 22/25 687d 47b228ce6f66 io_uring: fix unchecked error in switch_start()
WARNING in io_wq_submit_work (2) io-uring fs C done done 52 746d 749d 22/25 687d 713b9825a4c4 io-wq: fix cancellation on create-worker failure
KASAN: stack-out-of-bounds Read in iov_iter_revert fs io-uring C error 14 759d 776d 22/25 687d 89c2b3b74918 io_uring: reexpand under-reexpanded iters
WARNING in io_wq_put io-uring fs C unreliable 3 921d 932d 22/25 687d f5d2d23bf0d9 io-wq: fix race around pending work on teardown
WARNING in io_uring_setup (2) fs io-uring C done 40 872d 881d 22/25 687d 47b228ce6f66 io_uring: fix unchecked error in switch_start()
KASAN: use-after-free Read in idr_for_each (2) io-uring fs C error done 86 925d 1087d 22/25 891d 61cf93700fe6 io_uring: Convert personality_idr to XArray
INFO: task hung in io_uring_cancel_task_requests fs io-uring C 305 925d 960d 22/25 901d 34343786ecc5 io_uring: unpark SQPOLL thread for cancelation
INFO: task hung in io_sq_thread_park fs io-uring C unreliable 263 936d 941d 22/25 901d 3ebba796fa25 io_uring: ensure that SQPOLL thread is started for exit
memory leak in io_submit_sqes (2) io-uring fs C 1 939d 938d 22/25 901d f01272541d2c io-wq: ensure all pending work is canceled on exit
possible deadlock in io_poll_double_wake (2) io-uring fs C error error 431 901d 1094d 22/25 901d 1c3b3e6527e5 io_uring: ignore double poll add on the same waitqueue head
inconsistent lock state in io_dismantle_req io-uring fs C 2 968d 968d 22/25 901d 9ae1f8dd372e io_uring: fix inconsistent lock state
WARNING in io_uring_flush fs io-uring C unreliable 10 976d 985d 21/25 932d 4325cb498cb7 io_uring: fix uring_flush in exit_files() warning
INFO: task hung in __io_uring_files_cancel io-uring fs C done 30 973d 1040d 21/25 932d bee749b187ac io_uring: fix files cancellation
general protection fault in io_disable_sqo_submit io-uring fs C done 124 983d 987d 21/25 932d b4411616c26f io_uring: fix null-deref in io_disable_sqo_submit
WARNING in io_uring_cancel_task_requests io-uring fs syz done 69 968d 972d 21/25 932d 70b2c60d3797 io_uring: fix sqo ownership false positive warning
BUG: corrupted list in io_file_get fs io-uring C done 3 972d 972d 21/25 932d f609cbb8911e io_uring: fix list corruption for splice file_get
KASAN: null-ptr-deref Write in kthread_use_mm fs io-uring C done 2 1060d 1059d 17/25 1041d 4b70cf9dea4c io_uring: ensure consistent view of original task ->mm from SQPOLL
KASAN: use-after-free Write in io_submit_sqes fs io-uring C error 2 1059d 1058d 17/25 1041d cb8a8ae31074 io_uring: drop req/tctx io_identity separately
KASAN: use-after-free Read in io_wqe_worker io-uring fs C error 2 1095d 1096d 17/25 1045d c4068bf898dd io-wq: fix use-after-free in io_wq_worker_running
inconsistent lock state in xa_destroy io-uring fs C 755 1083d 1084d 17/25 1045d ca6484cd308a io_uring: no need to call xa_destroy() on empty xarray
INFO: task hung in io_uring_flush io-uring fs C done done 11 1136d 1143d 17/25 1045d b7ddce3cbf01 io_uring: fix cancel of deferred reqs with ->files
KASAN: use-after-free Write in io_wq_worker_running io-uring fs C error 14 1088d 1115d 17/25 1045d c4068bf898dd io-wq: fix use-after-free in io_wq_worker_running
general protection fault in io_poll_double_wake (2) fs io-uring C error 2 1095d 1094d 17/25 1071d 8706e04ed7d6 io_uring: always delete double poll wait entry on match
KASAN: use-after-free Read in do_madvise io-uring mm syz error 4 1131d 1132d 17/25 1091d 7867fd7cc44e mm: madvise: fix vma user-after-free
possible deadlock in __lock_task_sighand io-uring C done 12 1122d 1124d 17/25 1098d fd7d6de22414 io_uring: don't recurse on tsk->sighand->siglock with signalfd
possible deadlock in __io_queue_deferred fs io-uring C error 1 1145d 1143d 17/25 1106d 7271ef3a93a8 io_uring: fix recursive completion locking on oveflow flush
BUG: unable to handle kernel NULL pointer dereference in loop_rw_iter io-uring fs C done 24 1132d 1143d 17/25 1106d 2dd2111d0d38 io_uring: Fix NULL pointer dereference in loop_rw_iter()
KASAN: use-after-free Read in io_async_task_func fs io-uring syz error 1 1143d 1142d 17/25 1106d 6d816e088c35 io_uring: hold 'ctx' reference around task_work queue + execute
memory leak in io_submit_sqes fs io-uring C 2 1123d 1142d 17/25 1106d a36da65c4656 io_uring: fail poll arm on queue proc failure
general protection fault in io_poll_double_wake io-uring fs C done 8 1110d 1138d 17/25 1106d d4e7cd36a90e io_uring: sanitize double poll handling
possible deadlock in io_timeout_fn io-uring fs C done 4 1141d 1143d 17/25 1106d 51a4cc112c7a io_uring: defer file table grabbing request cleanup for locked requests