syzbot

 sign-in | mailing list | source | docs | 🏰
🐞 Open [1313]
Subsystems
🐞 Fixed [7194]
🐞 Invalid [19001]
Missing Backports [221]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

Applied filters: WithRepro (drop) Label=subsystems:io-uring (drop)
Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Closed Patch
INFO: task hung in io_sq_thread_stop fs io-uring 1 C done 211 1958d 2117d 1/29 never io_uring: don't sleep schedule in SQPOLL thread if we need to park
memory leak in path_openat (3) prio:high io-uring 3 C 1 15d 15d 25/29 never 2564ca2e31bd io_uring/nop: fix file reference leak with IOSQE_FIXED_FILE
WARNING in io_pin_pages (2) io-uring prio:low -1 C 22 5d07h 7d22h 25/29 never 3996771b8f75 io_uring/memmap: bound io_pin_pages() by page array byte size
KASAN: null-ptr-deref Read in io_sqe_buffer_register prio:high io-uring 11 C done 54 292d 296d 2/29 never fixup: mm/gup: remove record_subpages()
general protection fault in vma_is_shmem mm io-uring 2 C error 28 1405d 1406d 1/29 never mm/gup.c: Fix return value for __gup_longterm_locked()
WARNING in io_wq_put_and_exit io-uring -1 syz 74 42d 118d 29/29 37d 41859843f27d io_uring/tctx: mark io_wq as exiting before error path teardown
INFO: task hung in io_wq_put_and_exit (6) io-uring 1 C error 74 154d 313d 29/29 52d 10dc95939817 io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop 1f293098a313 io_uring/io-wq: don't trigger hung task for syzbot craziness
INFO: task hung in io_uring_del_tctx_node (5) io-uring 1 C done 19 185d 243d 29/29 171d 101e596e7404 io_uring/fdinfo: cap SQ iteration at max SQ entries
memory leak in io_submit_sqes (5) io-uring 3 syz 3 208d 208d 29/29 171d 84230ad2d2af io_uring/poll: correctly handle io_poll_add() return value on update
INFO: task hung in io_uring_alloc_task_context (6) io-uring 1 syz 5 208d 238d 29/29 171d 101e596e7404 io_uring/fdinfo: cap SQ iteration at max SQ entries
KASAN: global-out-of-bounds Read in io_uring_show_fdinfo io-uring 17 C done 7 237d 240d 29/29 171d 8cd5a59e4d51 io_uring/fdinfo: validate opcode before checking if it's an 128b one
memory leak in iovec_from_user (2) io-uring 3 C 1 232d 229d 29/29 171d d3c9c213c0b8 io_uring/rw: ensure allocated iovec gets cleared for early failure
KASAN: slab-use-after-free Read in io_waitid_wait io-uring 19 C 3 264d 263d 29/29 241d 2f8229d53d98 io_uring/waitid: always prune wait queue entry in io_waitid_wait()
WARNING in __vmap_pages_range_noflush io-uring -1 C done 14 324d 323d 29/29 296d 33503c083fda io_uring/memmap: cast nr_pages to size_t before shifting
WARNING: ODEBUG bug in io_sq_offload_create io-uring -1 C 8 374d 375d 29/29 325d f2320f1dd6f6 io_uring/sqpoll: don't put task_struct on tctx setup failure
WARNING in io_register_clone_buffers io-uring -1 C 4 381d 377d 29/29 325d 1d27f11bf02b io_uring/rsrc: validate buffer count with offset for cloning
BUG: unable to handle kernel NULL pointer dereference in io_buffer_select io-uring 10 C 102 407d 413d 29/29 355d f446c6311e86 io_uring/memmap: don't use page_address() on a highmem page
BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek io-uring 10 C 68 408d 413d 29/29 355d f446c6311e86 io_uring/memmap: don't use page_address() on a highmem page
WARNING: refcount bug in io_send_zc_cleanup (2) io-uring 13 C done 6 463d 462d 28/29 382d 67c007d6c12d io_uring/net: fix sendzc double notif flush
INFO: task hung in io_wq_put_and_exit (4) io-uring 1 C unreliable 86 386d 616d 28/29 382d cf960726eb65 io_uring/kbuf: reject zero sized provided buffers
WARNING in io_pin_pages io-uring -1 C done 14 585d 582d 28/29 417d 0c0a4eae26ac io_uring: check for overflows in io_pin_pages
KMSAN: uninit-value in io_recv io-uring 7 C 31 540d 541d 28/29 417d c6e60a0a68b7 io_uring/net: always initialize kmsg->msg.msg_inq upfront
WARNING: locking bug in eventfd_signal_mask io-uring fs 4 C done 6 541d 545d 28/29 417d a9c83a0ab66a io_uring/timeout: flush timeouts outside of the timeout lock
WARNING in __io_submit_flush_completions io-uring -1 C 23 534d 554d 28/29 417d 60495b08cf7a io_uring: silence false positive warnings
KMSAN: uninit-value in io_nop io-uring 7 C 39 573d 583d 28/29 417d ee116574de84 io_uring/nop: ensure nop->fd is always initialized
general protection fault in io_uring_show_fdinfo (2) io-uring 2 C done 19 604d 603d 28/29 558d d50f94d761a5 io_uring/rsrc: get rid of the empty node and dummy_ubuf
general protection fault in io_sqe_buffer_register io-uring 2 C done 55 601d 603d 28/29 558d d50f94d761a5 io_uring/rsrc: get rid of the empty node and dummy_ubuf
WARNING in io_sq_offload_create io-uring -1 C 284 641d 645d 28/29 607d a09c17240bdf io_uring/sqpoll: retain test for whether the CPU is valid
KMSAN: uninit-value in io_req_task_work_add_remote io-uring 7 C 10 702d 703d 27/29 673d 0db4618e8fab io_uring/msg_ring: fix uninitialized use of target_req->flags
general protection fault in tomoyo_socket_bind_permission io-uring 2 C 4 714d 714d 27/29 682d ad00e629145b io_uring/net: check socket is valid in io_bind()/io_listen()
general protection fault in __io_remove_buffers io-uring 2 C done 3 711d 710d 27/29 682d bcc87d978b83 io_uring: fix error pbuf checking
KMSAN: uninit-value in io_req_cqe_overflow (3) io-uring 7 C 16 743d 744d 26/29 701d 18414a4a2eab io_uring/net: assign kmsg inq/flags before buffer selection
KMSAN: uninit-value in io_sendrecv_fail io-uring 7 C 29 826d 834d 25/29 808d e21e1c45e1fe io_uring: clear opcode specific data for an early failure
KMSAN: uninit-value in io_rw_fail io-uring 7 C 25 879d 895d 25/29 876d 0a535eddbe0d io_uring/rw: ensure io->bytes_done is always initialized
WARNING in get_pte_pfn mm io-uring -1 C error 2 908d 918d 25/29 879d c28ac3c7eb94 mm/mglru: skip special VMAs in lru_gen_look_around()
UBSAN: array-index-out-of-bounds in io_setup_async_msg io-uring 15 C done 3 1019d 1018d 25/29 919d c21a8027ad8a io_uring/net: fix iter retargeting for selected buf
general protection fault in io_get_cqe_overflow io-uring 2 C done 2 1001d 999d 25/29 919d 1658633c0465 io_uring: ensure io_lockdep_assert_cq_locked() handles disabled rings
general protection fault in io_uring_show_fdinfo io-uring 2 C done 17 1021d 1030d 23/29 989d 32f5dea040ee io_uring/fdinfo: only print ->sq_array[] if it's there
WARNING in io_cqring_event_overflow io-uring -1 C 7 1255d 1262d 22/29 1115d 544d163d659d io_uring: lock overflowing for IOPOLL
memory leak in io_submit_sqes (4) io-uring 3 C 1 1266d 1265d 22/29 1115d febb985c06cb io_uring/poll: add hash if ready poll request can't complete inline
WARNING in io_sync_cancel io-uring -1 C error 3 1288d 1284d 22/29 1115d 23fffb2f09ce io_uring/cancel: re-grab ctx mutex after finishing wait
WARNING in io_cqring_overflow_flush io-uring -1 C 2 1288d 1284d 22/29 1115d 52ea806ad983 io_uring: finish waiting before flushing overflow entries
KASAN: use-after-free Read in io_worker_get io-uring 19 C done done 5 1231d 1265d 22/29 1115d e6db6f9398da io_uring/io-wq: only free worker if it was allocated for creation
KASAN: use-after-free Read in io_wq_worker_wake io-uring 19 C done done 1 1232d 1265d 22/29 1115d e6db6f9398da io_uring/io-wq: only free worker if it was allocated for creation
KASAN: wild-memory-access Read in io_wq_worker_running io-uring 19 C 39 1261d 1267d 22/29 1115d e6db6f9398da io_uring/io-wq: only free worker if it was allocated for creation
KASAN: use-after-free Read in tty_release io-uring serial 19 C done 23 1548d 1558d 22/29 1219d d89a4fac0fbc io_uring: fix assuming triggered poll waitqueue is the single poll
KASAN: use-after-free Read in pty_close serial io-uring fuse 19 C done 4 1424d 1451d 22/29 1219d 7a121ced6e64 io_uring: don't miss setting REQ_F_DOUBLE_POLL
KASAN: slab-out-of-bounds Read in io_uring_show_fdinfo io-uring 19 C done 5 1351d 1356d 22/29 1219d 00927931cb63 io_uring: fix fdinfo sqe offsets calculation
kernel BUG in commit_creds lsm io-uring -1 C done 5 1530d 1535d 22/29 1219d 701521403cfb io_uring: abort file assignment prior to assigning creds
memory leak in __vsock_create net virt io-uring 3 C 1 1543d 1539d 22/29 1219d 7e97cfed9929 vsock: Fix memory leak in vsock_connect()
inconsistent lock state in kmem_cache_alloc io-uring 4 C 4 1363d 1370d 22/29 1219d b000145e9907 io_uring/rw: defer fsnotify calls to task context
KASAN: null-ptr-deref Write in io_file_get_normal io-uring fs 12 C done 107 1464d 1549d 22/29 1219d d5361233e9ab io_uring: drop the old style inflight file tracking
memory leak in iovec_from_user fs io-uring 3 C 1 1537d 1533d 22/29 1219d 323b190ba2de io_uring: free iovec if file assignment fails
WARNING in inet_csk_destroy_sock (2) io-uring net -1 C done 8 1268d 1355d 22/29 1219d e0833d1fedb0 dccp/tcp: Fixup bhash2 bucket when connect() fails.
WARNING in io_req_complete_failed io-uring -1 C error 2 1310d 1307d 22/29 1219d c06c6c5d2767 io_uring: always lock in io_apoll_task_func
WARNING: ODEBUG bug in kvm_xen_vcpu_set_attr kvm kvm-x86 io-uring -1 C done 4 1427d 1479d 22/29 1219d af735db31285 KVM: x86/xen: Initialize Xen timer only once c03689913635 KVM: x86/xen: Stop Xen timer before changing IRQ
WARNING in __split_huge_page_tail arch mm io-uring -1 C error 155 1268d 1340d 22/29 1219d 5aae9265ee1a mm: prep_compound_tail() clear page->private
KASAN: use-after-free Write in io_sendrecv_fail io-uring 22 C 75 1350d 1373d 22/29 1219d a75155faef4e io_uring/net: fix UAF in io_sendrecv_fail()
KASAN: use-after-free Read in add_wait_queue fs io-uring 19 C done done 13 1552d 1558d 22/29 1219d d89a4fac0fbc io_uring: fix assuming triggered poll waitqueue is the single poll
BUG: unable to handle kernel NULL pointer dereference in io_do_iopoll fs io-uring 10 C done 3 1503d 1502d 22/29 1219d aa184e8671f0 io_uring: don't attempt to IOPOLL for MSG_RING requests
KASAN: use-after-free Read in __io_remove_buffers io-uring 19 C done 2 1422d 1418d 22/29 1219d ec8516f3b7c4 io_uring: fix free of unallocated buffer list
KASAN: use-after-free Read in filp_close io-uring fs 19 C done 17 1261d 1489d 22/29 1219d 40a1926022d1 fix the breakage in close_fd_get_file() calling conventions change
KASAN: use-after-free Read in inet_bind2_bucket_find net io-uring 19 C done 13 1474d 1481d 22/29 1219d 593d1ebe00a4 Revert "net: Add a second bind table hashed by port and address"
WARNING: still has locks held in io_ring_submit_lock fs io-uring 4 C done 3 1504d 1504d 22/29 1219d e7637a492b9f io_uring: fix locking state for empty buffer group
KASAN: invalid-free in io_clean_op io-uring 24 C 13 1354d 1371d 22/29 1219d 4c17a496a7a0 io_uring/net: fix cleanup double free free_iov init
general protection fault in io_uring_register fs io-uring 2 syz done 1 1752d 1748d 20/29 1572d 41d3a6bd1d37 io_uring: pin SQPOLL data before unlocking ring lock
KASAN: use-after-free Write in io_queue_worker_create fs io-uring 22 C unreliable 132 1655d 1664d 20/29 1572d 71a85387546e io-wq: check for wq exit after adding new worker task_work e47498afeca9 io-wq: remove spurious bit clear on task_work addition
INFO: task hung in io_uring_del_tctx_node io-uring fs 1 C unreliable 37 1574d 1738d 20/29 1572d 8bab4c09f24e io_uring: allow conditional reschedule for intensive iterators
possible deadlock in io_worker_cancel_cb io-uring fs 4 C done 9 1653d 1657d 20/29 1572d d800c65c2d4e io-wq: drop wqe lock before creating new worker
BUG: unable to handle kernel paging request in __blk_mq_alloc_requests io-uring block 19 C unreliable 107 1691d 1699d 20/29 1572d a22c00be90de block: assign correct tag before doing prefetch of request
INFO: task hung in io_uring_try_cancel_requests fs io-uring 1 C error 41 1661d 1703d 20/29 1572d f75d118349be io_uring: harder fdinfo sq/cq ring iterating
WARNING in signalfd_cleanup fs io-uring -1 C done 201 1618d 1634d 20/29 1572d 791f3465c4af io_uring: fix UAF due to missing POLLFREE handling
INFO: task hung in io_uring_cancel_generic (2) io-uring fs 1 C done 97 1656d 1683d 20/29 1572d 78a780602075 io_uring: ensure task_work gets run as part of cancelations
INFO: rcu detected stall in io_wqe_worker (2) fs io-uring 1 C done 2 1704d 1704d 20/29 1572d c5e0321e43de Revert "devlink: Remove not-executed trap policer notifications"
possible deadlock in io_poll_double_wake (3) io-uring fs 4 C error done 703 1627d 1901d 20/29 1572d aa43477b0402 io_uring: poll rework
INFO: task hung in io_wqe_worker fs io-uring 1 C unreliable 3 1714d 1710d 20/29 1572d 1d5f5ea7cb7d io-wq: remove worker to owner tw dependency
WARNING in io_link_timeout_fn fs io-uring -1 C done 2 1872d 1872d 20/29 1691d 447c19f3b507 io_uring: fix ltout double free on completion race
general protection fault in io_commit_cqring (2) io-uring fs 12 C done 82 1903d 1916d 20/29 1691d 51520426f4bc io_uring: handle setup-failed ctx in kill_timeouts
INFO: task hung in io_sq_thread_park (2) fs io-uring 1 syz done 2 1812d 1808d 20/29 1691d 46fee9ab02cb io_uring: remove double poll entry on arm failure
INFO: task hung in __io_uring_cancel fs io-uring 1 C done 5 1829d 1895d 20/29 1691d 28090c133869 io_uring: fix work_exit sqpoll cancellations
memory leak in create_io_worker io-uring fs 3 C 5 1714d 1753d 20/29 1691d 66e70be72288 io-wq: fix memory leak in create_io_worker()
WARNING in io_wqe_enqueue io-uring fs -1 C done 13 1849d 1849d 20/29 1691d e6ab8991c5d0 io_uring: fix false WARN_ONCE
WARNING in io_poll_double_wake fs io-uring -1 C done done 1124 1792d 1894d 20/29 1691d a890d01e4ee0 io_uring: fix poll requests leaking second poll entries
INFO: task hung in io_wq_put_and_exit io-uring fs 1 C unreliable 628 1692d 1753d 20/29 1691d 3b33e3f4a6c0 io-wq: fix silly logic error in io_task_work_match()
general protection fault in try_grab_compound_head io-uring mm 7 C done 5 1792d 1820d 20/29 1691d d08af0a59684 mm/hugetlb: fix refs calculation from unaligned @vaddr
BUG: unable to handle kernel NULL pointer dereference in kiocb_done fs io-uring 10 C unreliable done 3 1758d 1758d 20/29 1691d b8ce1b9d25cc io_uring: don't submit half-prepared drain request
WARNING in io_try_cancel_userdata fs io-uring -1 syz unreliable 4 1765d 1769d 20/29 1691d dadebc350da2 io_uring: fix io_try_cancel_userdata race for iowq
general protection fault in __io_file_supports_nowait fs io-uring 2 C done done 13 1755d 1761d 20/29 1691d c6d3d9cbd659 io_uring: fix queueing half-created requests
INFO: task hung in io_uring_cancel_generic io-uring fs 1 C unreliable 151 1691d 1812d 20/29 1691d 1b48773f9fd0 io_uring: fix io_drain_req()
general protection fault in sock_from_file net io-uring 2 C inconclusive 78 1755d 1762d 20/29 1691d c6d3d9cbd659 io_uring: fix queueing half-created requests
WARNING in io_rsrc_node_switch io-uring fs -1 C done 174 1876d 1885d 20/29 1691d 47b228ce6f66 io_uring: fix unchecked error in switch_start()
WARNING in io_wq_submit_work (2) io-uring fs -1 C done done 52 1750d 1753d 20/29 1691d 713b9825a4c4 io-wq: fix cancellation on create-worker failure
KASAN: stack-out-of-bounds Read in iov_iter_revert fs io-uring 17 C error 14 1763d 1780d 20/29 1691d 89c2b3b74918 io_uring: reexpand under-reexpanded iters
WARNING in io_wq_put fs io-uring -1 C unreliable 3 1925d 1936d 20/29 1691d f5d2d23bf0d9 io-wq: fix race around pending work on teardown
WARNING in io_uring_setup (2) fs io-uring -1 C done 40 1876d 1885d 20/29 1691d 47b228ce6f66 io_uring: fix unchecked error in switch_start()
KASAN: use-after-free Read in idr_for_each (2) io-uring fs 19 C error done 86 1929d 2091d 20/29 1895d 61cf93700fe6 io_uring: Convert personality_idr to XArray
INFO: task hung in io_uring_cancel_task_requests fs io-uring 1 C 305 1929d 1964d 20/29 1905d 34343786ecc5 io_uring: unpark SQPOLL thread for cancelation
INFO: task hung in io_sq_thread_park fs io-uring 1 C unreliable 263 1940d 1945d 20/29 1905d 3ebba796fa25 io_uring: ensure that SQPOLL thread is started for exit
memory leak in io_submit_sqes (2) fs io-uring 3 C 1 1943d 1942d 20/29 1905d f01272541d2c io-wq: ensure all pending work is canceled on exit
possible deadlock in io_poll_double_wake (2) io-uring fs 4 C error error 431 1905d 2098d 20/29 1905d 1c3b3e6527e5 io_uring: ignore double poll add on the same waitqueue head
inconsistent lock state in io_dismantle_req fs io-uring 4 C 2 1972d 1972d 20/29 1905d 9ae1f8dd372e io_uring: fix inconsistent lock state
WARNING in io_uring_flush fs io-uring -1 C unreliable 10 1980d 1989d 19/29 1936d 4325cb498cb7 io_uring: fix uring_flush in exit_files() warning
INFO: task hung in __io_uring_files_cancel io-uring fs 1 C done 30 1977d 2044d 19/29 1936d bee749b187ac io_uring: fix files cancellation
general protection fault in io_disable_sqo_submit fs io-uring 2 C done 124 1987d 1991d 19/29 1936d b4411616c26f io_uring: fix null-deref in io_disable_sqo_submit
WARNING in io_uring_cancel_task_requests io-uring fs -1 syz done 69 1972d 1976d 19/29 1936d 70b2c60d3797 io_uring: fix sqo ownership false positive warning
BUG: corrupted list in io_file_get fs io-uring 8 C done 3 1976d 1976d 19/29 1936d f609cbb8911e io_uring: fix list corruption for splice file_get
KASAN: null-ptr-deref Write in kthread_use_mm io-uring fs 12 C done 2 2063d 2063d 15/29 2045d 4b70cf9dea4c io_uring: ensure consistent view of original task ->mm from SQPOLL
KASAN: use-after-free Write in io_submit_sqes fs io-uring 22 C error 2 2063d 2062d 15/29 2045d cb8a8ae31074 io_uring: drop req/tctx io_identity separately
KASAN: use-after-free Read in io_wqe_worker fs io-uring 19 C error 2 2099d 2100d 15/29 2049d c4068bf898dd io-wq: fix use-after-free in io_wq_worker_running
inconsistent lock state in xa_destroy io-uring fs 4 C 755 2087d 2088d 15/29 2049d ca6484cd308a io_uring: no need to call xa_destroy() on empty xarray
INFO: task hung in io_uring_flush io-uring fs 1 C done done 11 2140d 2147d 15/29 2049d b7ddce3cbf01 io_uring: fix cancel of deferred reqs with ->files
KASAN: use-after-free Write in io_wq_worker_running io-uring fs 22 C error 14 2092d 2119d 15/29 2049d c4068bf898dd io-wq: fix use-after-free in io_wq_worker_running
general protection fault in io_poll_double_wake (2) fs io-uring 2 C error 2 2099d 2098d 15/29 2075d 8706e04ed7d6 io_uring: always delete double poll wait entry on match
KASAN: use-after-free Read in do_madvise io-uring mm 19 syz error 4 2134d 2136d 15/29 2095d 7867fd7cc44e mm: madvise: fix vma user-after-free
possible deadlock in __lock_task_sighand io-uring 4 C done 12 2126d 2128d 15/29 2102d fd7d6de22414 io_uring: don't recurse on tsk->sighand->siglock with signalfd
possible deadlock in __io_queue_deferred fs io-uring 4 C error 1 2148d 2147d 15/29 2110d 7271ef3a93a8 io_uring: fix recursive completion locking on oveflow flush
BUG: unable to handle kernel NULL pointer dereference in loop_rw_iter io-uring fs 10 C done 24 2135d 2147d 15/29 2110d 2dd2111d0d38 io_uring: Fix NULL pointer dereference in loop_rw_iter()
KASAN: use-after-free Read in io_async_task_func io-uring fs 19 syz error 1 2146d 2146d 15/29 2110d 6d816e088c35 io_uring: hold 'ctx' reference around task_work queue + execute
memory leak in io_submit_sqes fs io-uring 3 C 2 2127d 2146d 15/29 2110d a36da65c4656 io_uring: fail poll arm on queue proc failure
general protection fault in io_poll_double_wake io-uring fs 2 C done 8 2114d 2142d 15/29 2110d d4e7cd36a90e io_uring: sanitize double poll handling
possible deadlock in io_timeout_fn io-uring fs 4 C done 4 2144d 2147d 15/29 2110d 51a4cc112c7a io_uring: defer file table grabbing request cleanup for locked requests