syzbot


WARNING: refcount bug in call_timer_fn (4)

Status: upstream: reported on 2026/02/21 22:24
Subsystems: virt net
Labels: prio:high
Reported-by: syzbot+07dcf509f4c013e25dc5@syzkaller.appspotmail.com
First crash: 469d, last: 2d21h
✨ AI Jobs (2)
ID | Workflow | Result | Correct | Bug | Created | Started | Finished | Revision | Error
cffd693a-ad90-416b-986f-9fa77d73a6bb | assessment-security | DenialOfService: ✅, Exploitable: ✅, FilesystemTrigger: ❌, NetworkTrigger: ✅, PeripheralTrigger: ❌, RemoteTrigger: ✅, Unprivileged: ✅, UserNamespace: ✅, VMGuestTrigger: ❌, VMHostTrigger: ❌ | | WARNING: refcount bug in call_timer_fn (4) | 2026/05/17 00:43 | 2026/05/17 00:43 | 2026/05/17 01:41 | de5aae85e5f28e2fa1c7deefcc24fe286abe5140 |
b5bfcc28-e5ee-451d-8615-5407b0e8628b | repro | | | WARNING: refcount bug in call_timer_fn (4) | 2026/03/07 23:26 | 2026/03/07 23:26 | 2026/03/07 23:35 | 31e9c887f7dc24e04b3ca70d0d54fc34141844b0 |
Discussions (3)
Title | Replies (including bot) | Last reply
[syzbot] Monthly virt report (May 2026) | 0 (1) | 2026/05/24 20:32
[syzbot] Monthly trace report (Feb 2026) | 0 (1) | 2026/02/23 08:39
[syzbot] [net?] [trace?] WARNING: refcount bug in call_timer_fn (4) | 0 (1) | 2026/02/21 22:24
Similar bugs (6)
Kernel | Title | Subsystem | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-6.6 | WARNING: refcount bug in call_timer_fn | | 13 | | | | 1 | 152d | 152d | 0/2 | auto-obsoleted due to no activity on 2026/04/08 16:57
linux-6.6 | WARNING: refcount bug in call_timer_fn (2) | | 13 | | | | 1 | 21d | 21d | 0/2 | upstream: reported on 2026/05/09 05:24
upstream | WARNING: refcount bug in call_timer_fn | net | 13 | | | | 1 | 1637d | 1637d | 0/29 | closed as invalid on 2022/01/07 18:56
upstream | WARNING: refcount bug in call_timer_fn (3) | fs | 13 | | | | 1 | 568d | 564d | 0/29 | auto-obsoleted due to no activity on 2025/02/05 18:30
upstream | WARNING: refcount bug in call_timer_fn (2) | acpi | 13 | | | | 1 | 662d | 658d | 0/29 | auto-obsoleted due to no activity on 2024/11/03 21:47
linux-6.1 | WARNING: refcount bug in call_timer_fn | | 13 | | | | 1 | 820d | 820d | 0/3 | auto-obsoleted due to no activity on 2024/06/09 18:08

Sample crash report:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28, CPU#0: syz.6.3472/23205
Modules linked in:
CPU: 0 UID: 0 PID: 23205 Comm: syz.6.3472 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28
Code: 34 37 89 0b 67 48 0f b9 3a eb 4a e8 38 ee 13 fd 48 8d 3d 31 37 89 0b 67 48 0f b9 3a eb 37 e8 25 ee 13 fd 48 8d 3d 2e 37 89 0b <67> 48 0f b9 3a eb 24 e8 12 ee 13 fd 48 8d 3d 2b 37 89 0b 67 48 0f
RSP: 0018:ffffc90000007c68 EFLAGS: 00010246
RAX: ffffffff84b1c9ab RBX: 0000000000000003 RCX: ffff8880340c3e00
RDX: 0000000000000100 RSI: ffffffff8f110f80 RDI: ffffffff903b00e0
RBP: ffffc90000007d70 R08: ffff8880340c3e00 R09: 0000000000000005
R10: 0000000000000004 R11: 0000000000000100 R12: 0000000000000000
R13: 0000000100024f05 R14: ffff8880296fa020 R15: ffff8880296fa1b8
FS:  0000000000000000(0000) GS:ffff88812529f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7c32bb544c CR3: 0000000060a25000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 call_timer_fn+0x192/0x5e0 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers kernel/time/timer.c:2374 [inline]
 __run_timer_base+0x652/0x8b0 kernel/time/timer.c:2386
 run_timer_base kernel/time/timer.c:2395 [inline]
 run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2405
 handle_softirqs+0x22a/0x840 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1061
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:pfn_valid+0x1c/0x480 arch/x86/include/asm/cpufeature.h:-1
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 41 57 41 56 41 55 41 54 53 49 89 fe e8 2e 13 89 ff e9 f3 03 00 00 e8 24 13 89 ff <49> bc 00 00 00 00 00 fc ff df e9 18 04 00 00 e8 10 13 89 ff 48 c7
RSP: 0018:ffffc9000454f318 EFLAGS: 00000293
RAX: ffffffff823ca8ba RBX: 0000000000000001 RCX: ffff8880340c3e00
RDX: 0000000000000000 RSI: 0000000000153fb6 RDI: 0000000400000000
RBP: ffffc9000454f690 R08: ffffea00054fed87 R09: 1ffffd4000a9fdb0
R10: dffffc0000000000 R11: fffff94000a9fdb1 R12: dffffc0000000000
R13: 8000000153fb6007 R14: 0000000000153fb6 R15: 0000000000153fb6
 page_table_check_clear+0x21/0x4f0 mm/page_table_check.c:70
 ptep_get_and_clear_full arch/x86/include/asm/jump_label.h:-1 [inline]
 get_and_clear_full_ptes include/linux/pgtable.h:845 [inline]
 zap_present_folio_ptes mm/memory.c:1648 [inline]
 zap_present_ptes mm/memory.c:1730 [inline]
 do_zap_pte_range mm/memory.c:1832 [inline]
 zap_pte_range mm/memory.c:1934 [inline]
 zap_pmd_range mm/memory.c:2020 [inline]
 zap_pud_range mm/memory.c:2048 [inline]
 zap_p4d_range mm/memory.c:2069 [inline]
 __zap_vma_range+0x365c/0x4b70 mm/memory.c:2109
 unmap_vmas+0x3ac/0x570 mm/memory.c:2178
 exit_mmap+0x280/0x9e0 mm/mmap.c:1300
 __mmput+0x118/0x430 kernel/fork.c:1178
 exit_mm+0x1f6/0x2d0 kernel/exit.c:582
 do_exit+0x6a2/0x22c0 kernel/exit.c:964
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1119
 get_signal+0x1284/0x1330 kernel/signal.c:3037
 arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0xa9/0x680 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:230 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
 do_syscall_64+0x353/0x580 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe12f39ce59
Code: Unable to access opcode bytes at 0x7fe12f39ce2f.
RSP: 002b:00007fe1301960e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fe12f615fa8 RCX: 00007fe12f39ce59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fe12f615fa8
RBP: 00007fe12f615fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe12f616038 R14: 00007ffe2e129c90 R15: 00007ffe2e129d78
 </TASK>
----------------
Code disassembly (best guess):
   0:	34 37                	xor    $0x37,%al
   2:	89 0b                	mov    %ecx,(%rbx)
   4:	67 48 0f b9 3a       	ud1    (%edx),%rdi
   9:	eb 4a                	jmp    0x55
   b:	e8 38 ee 13 fd       	call   0xfd13ee48
  10:	48 8d 3d 31 37 89 0b 	lea    0xb893731(%rip),%rdi        # 0xb893748
  17:	67 48 0f b9 3a       	ud1    (%edx),%rdi
  1c:	eb 37                	jmp    0x55
  1e:	e8 25 ee 13 fd       	call   0xfd13ee48
  23:	48 8d 3d 2e 37 89 0b 	lea    0xb89372e(%rip),%rdi        # 0xb893758
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	eb 24                	jmp    0x55
  31:	e8 12 ee 13 fd       	call   0xfd13ee48
  36:	48 8d 3d 2b 37 89 0b 	lea    0xb89372b(%rip),%rdi        # 0xb893768
  3d:	67                   	addr32
  3e:	48                   	rex.W
  3f:	0f                   	.byte 0xf
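
Reading the report: the message "refcount_t: underflow; use-after-free." is printed by the WARN_ONCE() inside refcount_warn_saturate() in lib/refcount.c, and that string belongs to the REFCOUNT_SUB_UAF case. It is reached when a decrement (refcount_dec_and_test() or refcount_sub_and_test(), usually behind some put helper) finds the counter already at or below zero, which means the last reference to the object had been dropped before this timer callback ran its put. The hardening then parks the counter at REFCOUNT_SATURATED and makes the decrement return false, so the release path is not run a second time; that is why the kernel reports a WARNING instead of crashing, while the callback's own accesses still happen on a lifetime that has already ended. Only the <IRQ> part of the trace belongs to the bug: the <TASK> frames below it (exit_mmap and friends) are just what the CPU was executing when the timer interrupt arrived. The page names neither the object nor the callback, and the crash table lists no reproducer.

The following userspace model of those checks is an added illustration for this page; it is not kernel code and not part of the syzbot report. It assumes a simplified refcount_t with memory ordering ignored, replaces WARN_ONCE() with an event record, and the names cur, struct result, run, obj_put and scenario_* are the model's own:

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the kernel's refcount_t checks (include/linux/refcount.h,
 * lib/refcount.c), written for this page; not kernel code. Assumptions: memory
 * ordering is ignored and WARN_ONCE() is replaced by recording the event. */

#define REFCOUNT_SATURATED (INT_MIN / 2)

typedef struct { atomic_int refs; } refcount_t;

enum refcount_saturation_type {
	REFCOUNT_NONE,			/* model-only: nothing recorded yet */
	REFCOUNT_ADD_NOT_ZERO_OVF, REFCOUNT_ADD_OVF, REFCOUNT_ADD_UAF,
	REFCOUNT_SUB_UAF,		/* "underflow; use-after-free" */
	REFCOUNT_DEC_LEAK,
};

static const char *const refcount_msg[] = {
	[REFCOUNT_ADD_NOT_ZERO_OVF] = "saturated; leaking memory",
	[REFCOUNT_ADD_OVF]	    = "saturated; leaking memory",
	[REFCOUNT_ADD_UAF]	    = "addition on 0; use-after-free",
	[REFCOUNT_SUB_UAF]	    = "underflow; use-after-free",
	[REFCOUNT_DEC_LEAK]	    = "decrement hit 0; leaking memory",
};

struct result {
	int releases;		/* times the release hook ran */
	int first_event;	/* first saturation event: what WARN_ONCE() prints */
	int events;		/* all saturation events, repeats included */
	int final_refs;		/* counter value at the end of the scenario */
};
static struct result cur;	/* event record standing in for WARN_ONCE() */

/* Park the counter at REFCOUNT_SATURATED and record the event. */
static void refcount_warn_saturate(refcount_t *r, enum refcount_saturation_type t)
{
	atomic_store(&r->refs, REFCOUNT_SATURATED);
	if (cur.first_event == REFCOUNT_NONE)
		cur.first_event = t;
	cur.events++;
	printf("refcount_t: %s.\n", refcount_msg[t]);
}

/* refcount_dec_and_test(): true only for the exact 1 -> 0 transition. A
 * decrement that finds the count already at or below zero is SUB_UAF and
 * returns false, so the caller never runs the release path a second time. */
static bool refcount_dec_and_test(refcount_t *r)
{
	int old = atomic_fetch_sub(&r->refs, 1);

	if (old == 1)
		return true;
	if (old < 0 || old - 1 < 0)
		refcount_warn_saturate(r, REFCOUNT_SUB_UAF);
	return false;
}

/* A refcounted object and the put() helper a timer callback would call. */
struct obj { refcount_t ref; int released; };

static void obj_put(struct obj *o)
{
	if (refcount_dec_and_test(&o->ref))
		o->released++;		/* kfree() in the kernel */
}

/* Start with initial_refs references, drop 'puts' of them, report. In the
 * kernel any put after the releasing one touches freed memory; here the
 * object stays valid so the bookkeeping can be inspected. */
static struct result run(int initial_refs, int puts)
{
	struct obj o = { .released = 0 };

	cur = (struct result){ 0 };
	atomic_store(&o.ref.refs, initial_refs);
	while (puts-- > 0)
		obj_put(&o);
	cur.releases = o.released;
	cur.final_refs = atomic_load(&o.ref.refs);
	return cur;
}

/* Balanced: owner + pending timer hold two references, both put once. */
struct result scenario_balanced(void) { return run(2, 2); }

/* One put too many: 1 -> 0 releases, 0 -> -1 trips SUB_UAF and saturates,
 * the third put finds the saturated value and warns again without releasing. */
struct result scenario_extra_put(void) { return run(1, 3); }

int main(void)
{
	struct result r = scenario_extra_put();

	printf("releases=%d events=%d final_refs=%d\n",
	       r.releases, r.events, r.final_refs);
	return scenario_balanced().events;	/* 0: balanced case is silent */
}
```

Build with cc -std=c11. The extra-put scenario prints the same "refcount_t: underflow; use-after-free." line as the report (twice here, once per bad put, where the kernel's WARN_ONCE() prints only the first) and ends with a single release and the counter parked at INT_MIN/2; the balanced scenario records no event. The point to keep in mind when triaging a report like this one is that the saturation only stops the second release, not whatever the callback did with the object before and after its put.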

Crashes (21):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2026/05/27 21:23 | upstream | eb3f4b7426cf | 769cbc61 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | WARNING: refcount bug in call_timer_fn
2026/05/24 12:28 | upstream | 4cbfe4502e3d | c69befb3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | WARNING: refcount bug in call_timer_fn
2026/04/28 00:02 | upstream | 254f49634ee1 | ce741359 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | WARNING: refcount bug in call_timer_fn
2025/11/20 02:39 | upstream | 8b690556d8fe | 26ee5237 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | WARNING: refcount bug in call_timer_fn
2025/11/03 19:16 | upstream | 6146a0f1dfae | 2c50b6a9 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | WARNING: refcount bug in call_timer_fn
2026/05/15 06:23 | upstream | 66182ca873a4 | 6ccb967e | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-386 | WARNING: refcount bug in call_timer_fn
2026/03/31 07:00 | bpf | c369299895a5 | d0af506e | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | WARNING: refcount bug in call_timer_fn
2026/01/28 05:45 | bpf | 63804fed149a | 3029c699 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | WARNING: refcount bug in call_timer_fn
2026/01/24 03:32 | bpf | c072629f05d7 | 4f25b9b4 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | WARNING: refcount bug in call_timer_fn
2025/10/18 02:50 | bpf | a1e83d4c0361 | 1c8c8cd8 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | WARNING: refcount bug in call_timer_fn
2025/10/08 04:53 | bpf | 23f3770e1a53 | 7e2882b3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | WARNING: refcount bug in call_timer_fn
2025/09/29 02:11 | bpf | bf40f4b87761 | 001c9061 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | WARNING: refcount bug in call_timer_fn
2026/03/12 09:08 | bpf-next | ca0f39a369c5 | 2d88ab01 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | WARNING: refcount bug in call_timer_fn
2026/02/19 14:10 | bpf-next | 4c51f90d45dc | 746545b8 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | WARNING: refcount bug in call_timer_fn
2025/08/30 11:45 | bpf-next | 98857d111c53 | 807a3b61 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | WARNING: refcount bug in call_timer_fn
2025/04/04 21:04 | bpf-next | 06a22366d6a1 | 1c4febdb | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | WARNING: refcount bug in call_timer_fn
2025/02/15 09:42 | bpf-next | a4585442ade5 | 40a34ec9 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | WARNING: refcount bug in call_timer_fn
2026/05/23 10:00 | linux-next | c1ecb239fa34 | c69befb3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | WARNING: refcount bug in call_timer_fn
2026/03/30 23:17 | linux-next | cf7c3c02fdd0 | 458630d8 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-rust-kasan-gce | WARNING: refcount bug in call_timer_fn
2025/12/20 09:32 | linux-next | cc3aa43b44bd | d6526ea3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | WARNING: refcount bug in call_timer_fn
2025/06/19 11:00 | linux-next | 6e5ab6fee68d | ed3e87f7 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | WARNING: refcount bug in call_timer_fn
* Struck through repros no longer work on HEAD.