syzbot

 sign-in | mailing list | source | docs
🐞 Open [1596]
Subsystems
🐞 Fixed [6231]
🐞 Invalid [15774]
Missing Backports [183]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

Applied filters: Label=subsystems:io-uring (drop)
Title Repro Cause bisect Fix bisect Count Last Reported Patched Closed Patch
general protection fault in vma_is_shmem mm io-uring C error 28 997d 999d 1/28 never mm/gup.c: Fix return value for __gup_longterm_locked()
KCSAN: data-race in io_submit_sqes / io_uring_show_fdinfo io-uring 1 16d 16d 23/28 never f024d3a8ded0 io_uring/fdinfo: annotate racy sq/cq head/tail reads
INFO: task hung in io_wq_put_and_exit (4) io-uring C unreliable 80 4d20h 208d 27/28 never cf960726eb65 io_uring/kbuf: reject zero sized provided buffers
WARNING: refcount bug in io_tx_ubuf_complete io-uring 15 54d 51d 27/28 never 67c007d6c12d io_uring/net: fix sendzc double notif flush
WARNING: refcount bug in io_send_zc_cleanup (2) io-uring C done 6 55d 55d 27/28 never 67c007d6c12d io_uring/net: fix sendzc double notif flush
KCSAN: data-race in io_req_task_cancel / io_wq_free_work io-uring 1 43d 43d 27/28 never 390513642ee6 io_uring: always do atomic put from iowq
INFO: task hung in io_sq_thread_stop fs io-uring C done 211 1550d 1710d 1/28 never io_uring: don't sleep schedule in SQPOLL thread if we need to park
WARNING in io_pin_pages io-uring C done 14 177d 175d 28/28 9d23h 0c0a4eae26ac io_uring: check for overflows in io_pin_pages
KMSAN: uninit-value in io_recv io-uring C 31 132d 133d 28/28 9d23h c6e60a0a68b7 io_uring/net: always initialize kmsg->msg.msg_inq upfront
KCSAN: data-race in __se_sys_io_uring_register / io_sqe_files_register (3) io-uring 1 185d 184d 28/28 9d23h e358e09a894d io_uring: protect register tracing
KASAN: slab-use-after-free Read in thread_group_cputime io-uring 3 50d 126d 28/28 9d23h 4b7cfa8b6c28 io_uring/sqpoll: zero sqd->thread on tctx errors
WARNING in __io_uring_free io-uring 1 182d 178d 28/28 9d23h 7eb75ce75271 io_uring/tctx: work around xa_store() allocation error issue
KCSAN: data-race in io_sq_thread / io_uring_try_cancel_requests (12) io-uring 4 127d 158d 28/28 9d23h a13030fd194c io_uring: simplify the SQPOLL thread check when cancelling requests
WARNING: locking bug in eventfd_signal_mask io-uring fs C done 6 134d 138d 28/28 9d23h a9c83a0ab66a io_uring/timeout: flush timeouts outside of the timeout lock
WARNING in __io_submit_flush_completions io-uring C 23 126d 146d 28/28 9d23h 60495b08cf7a io_uring: silence false positive warnings
KMSAN: uninit-value in io_nop io-uring C 39 166d 176d 28/28 9d23h ee116574de84 io_uring/nop: ensure nop->fd is always initialized
general protection fault in io_uring_show_fdinfo (2) io-uring C done 19 196d 195d 28/28 151d d50f94d761a5 io_uring/rsrc: get rid of the empty node and dummy_ubuf
general protection fault in io_sqe_buffer_register io-uring C done 55 193d 195d 28/28 151d d50f94d761a5 io_uring/rsrc: get rid of the empty node and dummy_ubuf
WARNING in io_sq_offload_create io-uring C 284 233d 238d 28/28 200d a09c17240bdf io_uring/sqpoll: retain test for whether the CPU is valid
INFO: rcu detected stall in sys_io_uring_enter (2) io-uring 37 217d 238d 28/28 206d eac2ca2d682f io_uring: check if we need to reschedule during overflow flush
KCSAN: data-race in io_sq_thread / io_sq_thread_park (9) io-uring 1 280d 276d 28/28 225d e4956dc7a84d io_uring/sqpoll: annotate debug task == current with data_race()
KMSAN: uninit-value in io_req_task_work_add_remote io-uring C 10 294d 296d 27/28 266d 0db4618e8fab io_uring/msg_ring: fix uninitialized use of target_req->flags
general protection fault in tomoyo_socket_bind_permission io-uring C 4 307d 307d 27/28 275d ad00e629145b io_uring/net: check socket is valid in io_bind()/io_listen()
general protection fault in __io_remove_buffers io-uring C done 3 303d 302d 27/28 275d bcc87d978b83 io_uring: fix error pbuf checking
WARNING in io_cqring_event_overflow (2) io-uring 16 319d 318d 27/28 275d 3b7c16be30e3 io_uring/msg_ring: fix overflow posting
KMSAN: uninit-value in io_req_cqe_overflow (3) io-uring C 16 336d 336d 26/28 294d 18414a4a2eab io_uring/net: assign kmsg inq/flags before buffer selection
KMSAN: uninit-value in io_issue_sqe io-uring 2 340d 354d 25/28 339d 18414a4a2eab io_uring/net: assign kmsg inq/flags before buffer selection
KMSAN: uninit-value in io_sendrecv_fail io-uring C 29 419d 426d 25/28 401d e21e1c45e1fe io_uring: clear opcode specific data for an early failure
KMSAN: uninit-value in io_rw_fail (2) io-uring 1 465d 461d 25/28 456d 0a535eddbe0d io_uring/rw: ensure io->bytes_done is always initialized
KMSAN: uninit-value in io_rw_fail io-uring C 25 472d 488d 25/28 469d 0a535eddbe0d io_uring/rw: ensure io->bytes_done is always initialized
WARNING in get_pte_pfn mm io-uring C error 2 501d 511d 25/28 471d c28ac3c7eb94 mm/mglru: skip special VMAs in lru_gen_look_around()
BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers (2) io-uring 86 587d 592d 25/28 512d f8024f1f36a3 io_uring/kbuf: don't allow registered buffer rings on highmem pages
UBSAN: array-index-out-of-bounds in io_setup_async_msg io-uring C done 3 612d 611d 25/28 512d c21a8027ad8a io_uring/net: fix iter retargeting for selected buf
general protection fault in io_get_cqe_overflow io-uring C done 2 594d 592d 25/28 512d 1658633c0465 io_uring: ensure io_lockdep_assert_cq_locked() handles disabled rings
general protection fault in io_sqpoll_wq_cpu_affinity io-uring 33 616d 627d 23/28 582d bd6fc5da4c51 io_uring: Don't set affinity on a dying sqpoll thread
general protection fault in io_uring_show_fdinfo io-uring C done 17 614d 622d 23/28 582d 32f5dea040ee io_uring/fdinfo: only print ->sq_array[] if it's there
WARNING in io_get_cqe_overflow io-uring 1 845d 844d 22/28 708d e12d7a46f65a io_uring/msg_ring: fix missing lock on overflow for IOPOLL
WARNING in io_cqring_event_overflow io-uring C 7 847d 855d 22/28 708d 544d163d659d io_uring: lock overflowing for IOPOLL
memory leak in io_submit_sqes (4) io-uring C 1 859d 858d 22/28 708d febb985c06cb io_uring/poll: add hash if ready poll request can't complete inline
WARNING in io_sync_cancel io-uring C error 3 881d 877d 22/28 708d 23fffb2f09ce io_uring/cancel: re-grab ctx mutex after finishing wait
WARNING in io_cqring_overflow_flush io-uring C 2 881d 877d 22/28 708d 52ea806ad983 io_uring: finish waiting before flushing overflow entries
KASAN: use-after-free Read in io_worker_get io-uring C done done 5 823d 858d 22/28 708d e6db6f9398da io_uring/io-wq: only free worker if it was allocated for creation
KASAN: use-after-free Read in io_wq_worker_wake io-uring C done done 1 825d 858d 22/28 708d e6db6f9398da io_uring/io-wq: only free worker if it was allocated for creation
KASAN: wild-memory-access Read in io_wq_worker_running io-uring C 39 853d 860d 22/28 708d e6db6f9398da io_uring/io-wq: only free worker if it was allocated for creation
KASAN: use-after-free Read in tty_release io-uring serial C done 23 1140d 1150d 22/28 812d d89a4fac0fbc io_uring: fix assuming triggered poll waitqueue is the single poll
KASAN: use-after-free Read in pty_close serial io-uring fuse C done 4 1016d 1044d 22/28 812d 7a121ced6e64 io_uring: don't miss setting REQ_F_DOUBLE_POLL
KASAN: slab-out-of-bounds Read in io_uring_show_fdinfo io-uring C done 5 943d 949d 22/28 812d 00927931cb63 io_uring: fix fdinfo sqe offsets calculation
kernel BUG in commit_creds io-uring C done 5 1123d 1127d 22/28 812d 701521403cfb io_uring: abort file assignment prior to assigning creds
inconsistent lock state in kmem_cache_alloc io-uring C 4 956d 962d 22/28 812d b000145e9907 io_uring/rw: defer fsnotify calls to task context
KASAN: null-ptr-deref Write in io_file_get_normal io-uring fs C done 107 1057d 1141d 22/28 812d d5361233e9ab io_uring: drop the old style inflight file tracking
memory leak in iovec_from_user fs io-uring C 1 1129d 1125d 22/28 812d 323b190ba2de io_uring: free iovec if file assignment fails
WARNING in inet_csk_destroy_sock (2) io-uring net C done 8 860d 947d 22/28 812d e0833d1fedb0 dccp/tcp: Fixup bhash2 bucket when connect() fails.
WARNING in io_req_complete_failed io-uring C error 2 903d 899d 22/28 812d c06c6c5d2767 io_uring: always lock in io_apoll_task_func
WARNING: ODEBUG bug in kvm_xen_vcpu_set_attr kvm io-uring C done 4 1019d 1072d 22/28 812d af735db31285 KVM: x86/xen: Initialize Xen timer only once c03689913635 KVM: x86/xen: Stop Xen timer before changing IRQ
WARNING in __split_huge_page_tail arch mm io-uring C error 155 861d 933d 22/28 812d 5aae9265ee1a mm: prep_compound_tail() clear page->private
KASAN: use-after-free Write in io_sendrecv_fail io-uring C 75 943d 966d 22/28 812d a75155faef4e io_uring/net: fix UAF in io_sendrecv_fail()
KASAN: use-after-free Read in add_wait_queue fs io-uring C done done 13 1144d 1151d 22/28 812d d89a4fac0fbc io_uring: fix assuming triggered poll waitqueue is the single poll
BUG: unable to handle kernel NULL pointer dereference in io_do_iopoll fs io-uring C done 3 1095d 1094d 22/28 812d aa184e8671f0 io_uring: don't attempt to IOPOLL for MSG_RING requests
KASAN: use-after-free Read in __io_remove_buffers io-uring C done 2 1014d 1010d 22/28 812d ec8516f3b7c4 io_uring: fix free of unallocated buffer list
KASAN: use-after-free Read in filp_close io-uring fs C done 17 853d 1082d 22/28 812d 40a1926022d1 fix the breakage in close_fd_get_file() calling conventions change
BUG: Bad page map (5) mm io-uring C 35 853d 1111d 22/28 812d 4d24de9425f7 mm: MADV_COLLAPSE: refetch vm_end after reacquiring mmap_lock
KASAN: use-after-free Read in inet_bind2_bucket_find io-uring net C done 13 1067d 1073d 22/28 812d 593d1ebe00a4 Revert "net: Add a second bind table hashed by port and address"
WARNING: still has locks held in io_ring_submit_lock fs io-uring C done 3 1096d 1097d 22/28 812d e7637a492b9f io_uring: fix locking state for empty buffer group
KASAN: invalid-free in io_clean_op io-uring C 13 946d 963d 22/28 812d 4c17a496a7a0 io_uring/net: fix cleanup double free free_iov init
general protection fault in io_uring_register fs io-uring syz done 1 1344d 1340d 20/28 1164d 41d3a6bd1d37 io_uring: pin SQPOLL data before unlocking ring lock
KASAN: use-after-free Write in io_queue_worker_create fs io-uring C unreliable 132 1247d 1257d 20/28 1164d 71a85387546e io-wq: check for wq exit after adding new worker task_work e47498afeca9 io-wq: remove spurious bit clear on task_work addition
INFO: task hung in io_uring_del_tctx_node io-uring fs C unreliable 37 1167d 1330d 20/28 1164d 8bab4c09f24e io_uring: allow conditional reschedule for intensive iterators
possible deadlock in io_worker_cancel_cb fs io-uring C done 9 1246d 1250d 20/28 1164d d800c65c2d4e io-wq: drop wqe lock before creating new worker
BUG: unable to handle kernel paging request in __blk_mq_alloc_requests io-uring block C unreliable 107 1283d 1292d 20/28 1164d a22c00be90de block: assign correct tag before doing prefetch of request
INFO: task hung in io_uring_try_cancel_requests fs io-uring C error 41 1254d 1296d 20/28 1164d f75d118349be io_uring: harder fdinfo sq/cq ring iterating
WARNING in signalfd_cleanup fs io-uring C done 201 1211d 1226d 20/28 1164d 791f3465c4af io_uring: fix UAF due to missing POLLFREE handling
INFO: task hung in io_uring_cancel_generic (2) io-uring fs C done 97 1248d 1275d 20/28 1164d 78a780602075 io_uring: ensure task_work gets run as part of cancelations
INFO: rcu detected stall in io_wqe_worker (2) fs io-uring C done 2 1297d 1297d 20/28 1164d c5e0321e43de Revert "devlink: Remove not-executed trap policer notifications"
possible deadlock in io_poll_double_wake (3) io-uring fs C error done 703 1220d 1493d 20/28 1164d aa43477b0402 io_uring: poll rework
INFO: task hung in io_wqe_worker fs io-uring C unreliable 3 1306d 1302d 20/28 1164d 1d5f5ea7cb7d io-wq: remove worker to owner tw dependency
WARNING in io_link_timeout_fn fs io-uring C done 2 1465d 1464d 20/28 1283d 447c19f3b507 io_uring: fix ltout double free on completion race
general protection fault in io_commit_cqring (2) fs io-uring C done 82 1495d 1509d 20/28 1283d 51520426f4bc io_uring: handle setup-failed ctx in kill_timeouts
INFO: task hung in io_sq_thread_park (2) fs io-uring syz done 2 1405d 1401d 20/28 1283d 46fee9ab02cb io_uring: remove double poll entry on arm failure
INFO: task hung in __io_uring_cancel fs io-uring C done 5 1421d 1487d 20/28 1283d 28090c133869 io_uring: fix work_exit sqpoll cancellations
memory leak in create_io_worker io-uring fs C 5 1306d 1345d 20/28 1283d 66e70be72288 io-wq: fix memory leak in create_io_worker()
WARNING in io_wqe_enqueue io-uring fs C done 13 1442d 1442d 20/28 1283d e6ab8991c5d0 io_uring: fix false WARN_ONCE
WARNING in io_poll_double_wake fs io-uring C done done 1124 1385d 1486d 20/28 1283d a890d01e4ee0 io_uring: fix poll requests leaking second poll entries
INFO: task hung in io_wq_put_and_exit io-uring fs C unreliable 628 1284d 1345d 20/28 1283d 3b33e3f4a6c0 io-wq: fix silly logic error in io_task_work_match()
general protection fault in try_grab_compound_head mm io-uring C done 5 1384d 1412d 20/28 1283d d08af0a59684 mm/hugetlb: fix refs calculation from unaligned @vaddr
BUG: unable to handle kernel NULL pointer dereference in kiocb_done fs io-uring C unreliable done 3 1351d 1350d 20/28 1283d b8ce1b9d25cc io_uring: don't submit half-prepared drain request
WARNING in io_try_cancel_userdata fs io-uring syz unreliable 4 1358d 1362d 20/28 1283d dadebc350da2 io_uring: fix io_try_cancel_userdata race for iowq
general protection fault in __io_file_supports_nowait fs io-uring C done done 13 1348d 1353d 20/28 1283d c6d3d9cbd659 io_uring: fix queueing half-created requests
INFO: task hung in io_uring_cancel_generic io-uring fs C unreliable 151 1283d 1405d 20/28 1283d 1b48773f9fd0 io_uring: fix io_drain_req()
general protection fault in sock_from_file net io-uring C inconclusive 78 1347d 1354d 20/28 1283d c6d3d9cbd659 io_uring: fix queueing half-created requests
WARNING in io_rsrc_node_switch io-uring fs C done 174 1468d 1478d 20/28 1283d 47b228ce6f66 io_uring: fix unchecked error in switch_start()
WARNING in io_wq_submit_work (2) io-uring fs C done done 52 1342d 1345d 20/28 1283d 713b9825a4c4 io-wq: fix cancellation on create-worker failure
KASAN: stack-out-of-bounds Read in iov_iter_revert fs io-uring C error 14 1356d 1373d 20/28 1283d 89c2b3b74918 io_uring: reexpand under-reexpanded iters
WARNING in io_wq_put fs io-uring C unreliable 3 1517d 1528d 20/28 1283d f5d2d23bf0d9 io-wq: fix race around pending work on teardown
WARNING in io_uring_setup (2) fs io-uring C done 40 1468d 1478d 20/28 1283d 47b228ce6f66 io_uring: fix unchecked error in switch_start()
KASAN: use-after-free Read in idr_for_each (2) io-uring fs C error done 86 1522d 1684d 20/28 1487d 61cf93700fe6 io_uring: Convert personality_idr to XArray
INFO: task hung in io_uring_cancel_task_requests fs io-uring C 305 1522d 1556d 20/28 1497d 34343786ecc5 io_uring: unpark SQPOLL thread for cancelation
INFO: task hung in io_sq_thread_park fs io-uring C unreliable 263 1532d 1537d 20/28 1497d 3ebba796fa25 io_uring: ensure that SQPOLL thread is started for exit
memory leak in io_submit_sqes (2) fs io-uring C 1 1535d 1534d 20/28 1497d f01272541d2c io-wq: ensure all pending work is canceled on exit
possible deadlock in io_poll_double_wake (2) io-uring fs C error error 431 1497d 1690d 20/28 1497d 1c3b3e6527e5 io_uring: ignore double poll add on the same waitqueue head
inconsistent lock state in io_dismantle_req fs io-uring C 2 1565d 1565d 20/28 1497d 9ae1f8dd372e io_uring: fix inconsistent lock state
WARNING in io_uring_flush fs io-uring C unreliable 10 1572d 1581d 19/28 1528d 4325cb498cb7 io_uring: fix uring_flush in exit_files() warning
INFO: task hung in __io_uring_files_cancel io-uring fs C done 30 1569d 1636d 19/28 1528d bee749b187ac io_uring: fix files cancellation
general protection fault in io_disable_sqo_submit fs io-uring C done 124 1580d 1584d 19/28 1528d b4411616c26f io_uring: fix null-deref in io_disable_sqo_submit
WARNING in io_uring_cancel_task_requests io-uring fs syz done 69 1565d 1568d 19/28 1528d 70b2c60d3797 io_uring: fix sqo ownership false positive warning
BUG: corrupted list in io_file_get fs io-uring C done 3 1568d 1568d 19/28 1528d f609cbb8911e io_uring: fix list corruption for splice file_get
KASAN: null-ptr-deref Write in kthread_use_mm fs io-uring C done 2 1656d 1656d 15/28 1638d 4b70cf9dea4c io_uring: ensure consistent view of original task ->mm from SQPOLL
KASAN: use-after-free Write in io_submit_sqes fs io-uring C error 2 1655d 1654d 15/28 1638d cb8a8ae31074 io_uring: drop req/tctx io_identity separately
KASAN: use-after-free Read in io_wqe_worker fs io-uring C error 2 1691d 1693d 15/28 1642d c4068bf898dd io-wq: fix use-after-free in io_wq_worker_running
inconsistent lock state in xa_destroy io-uring fs C 755 1680d 1681d 15/28 1642d ca6484cd308a io_uring: no need to call xa_destroy() on empty xarray
INFO: task hung in io_uring_flush io-uring fs C done done 11 1732d 1739d 15/28 1642d b7ddce3cbf01 io_uring: fix cancel of deferred reqs with ->files
KASAN: use-after-free Write in io_wq_worker_running io-uring fs C error 14 1685d 1711d 15/28 1642d c4068bf898dd io-wq: fix use-after-free in io_wq_worker_running
general protection fault in io_poll_double_wake (2) fs io-uring C error 2 1692d 1691d 15/28 1668d 8706e04ed7d6 io_uring: always delete double poll wait entry on match
KASAN: use-after-free Read in do_madvise io-uring mm syz error 4 1727d 1728d 15/28 1687d 7867fd7cc44e mm: madvise: fix vma user-after-free
possible deadlock in __lock_task_sighand io-uring C done 12 1718d 1720d 15/28 1694d fd7d6de22414 io_uring: don't recurse on tsk->sighand->siglock with signalfd
possible deadlock in __io_queue_deferred fs io-uring C error 1 1741d 1739d 15/28 1702d 7271ef3a93a8 io_uring: fix recursive completion locking on oveflow flush
BUG: unable to handle kernel NULL pointer dereference in loop_rw_iter io-uring fs C done 24 1728d 1739d 15/28 1702d 2dd2111d0d38 io_uring: Fix NULL pointer dereference in loop_rw_iter()
KASAN: use-after-free Read in io_async_task_func fs io-uring syz error 1 1739d 1739d 15/28 1702d 6d816e088c35 io_uring: hold 'ctx' reference around task_work queue + execute
memory leak in io_submit_sqes fs io-uring C 2 1720d 1739d 15/28 1702d a36da65c4656 io_uring: fail poll arm on queue proc failure
general protection fault in io_poll_double_wake io-uring fs C done 8 1707d 1734d 15/28 1702d d4e7cd36a90e io_uring: sanitize double poll handling
possible deadlock in io_timeout_fn io-uring fs C done 4 1737d 1739d 15/28 1702d 51a4cc112c7a io_uring: defer file table grabbing request cleanup for locked requests