syzbot

 sign-in | mailing list | source | docs
🐞 Open [1446]
Subsystems
🐞 Fixed [6945]
🐞 Invalid [18097]
Missing Backports [223]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

WARNING: refcount bug in call_timer_fn (4)

Status: upstream: reported on 2026/02/21 22:24
Subsystems: net trace
[Documentation on labels]
Reported-by: syzbot+07dcf509f4c013e25dc5@syzkaller.appspotmail.com
First crash: 376d, last: 7d17h
Discussions (2)
Title Replies (including bot) Last reply
[syzbot] Monthly trace report (Feb 2026) 0 (1) 2026/02/23 08:39
[syzbot] [net?] [trace?] WARNING: refcount bug in call_timer_fn (4) 0 (1) 2026/02/21 22:24
Similar bugs (5)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.6 WARNING: refcount bug in call_timer_fn 13 1 59d 59d 0/2 upstream: reported on 2025/12/29 16:57
upstream WARNING: refcount bug in call_timer_fn net 13 1 1545d 1545d 0/29 closed as invalid on 2022/01/07 18:56
upstream WARNING: refcount bug in call_timer_fn (3) fs 13 1 476d 472d 0/29 auto-obsoleted due to no activity on 2025/02/05 18:30
upstream WARNING: refcount bug in call_timer_fn (2) acpi 13 1 570d 566d 0/29 auto-obsoleted due to no activity on 2024/11/03 21:47
linux-6.1 WARNING: refcount bug in call_timer_fn 13 1 727d 727d 0/3 auto-obsoleted due to no activity on 2024/06/09 18:08

Sample crash report:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 29 at lib/refcount.c:28 refcount_warn_saturate+0x11a/0x1d0 lib/refcount.c:28
Modules linked in:
CPU: 1 UID: 0 PID: 29 Comm: ktimers/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:refcount_warn_saturate+0x11a/0x1d0 lib/refcount.c:28
Code: c0 30 3d 8b e8 c7 91 09 fd 90 0f 0b 90 90 eb d7 e8 ab 4a 45 fd c6 05 10 1a 47 0a 01 90 48 c7 c7 20 31 3d 8b e8 a7 91 09 fd 90 <0f> 0b 90 90 eb b7 e8 8b 4a 45 fd c6 05 ed 19 47 0a 01 90 48 c7 c7
RSP: 0018:ffffc90000a3f888 EFLAGS: 00010246
RAX: 74da3aaac3757600 RBX: 0000000000000003 RCX: ffff88801be99e00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000100
RBP: ffffc90000a3f990 R08: 0000000000000000 R09: 0000000000000100
R10: dffffc0000000000 R11: ffffed101712487b R12: 1ffff92000147f18
R13: ffff88805d5311b8 R14: ffff88805d531020 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff888126ef7000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000404030 CR3: 000000000d3a6000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1798 [inline]
 __run_timers kernel/time/timer.c:2372 [inline]
 __run_timer_base+0x648/0x970 kernel/time/timer.c:2384
 run_timer_base kernel/time/timer.c:2393 [inline]
 run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
 handle_softirqs+0x22f/0x710 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 run_ktimerd+0xcf/0x190 kernel/softirq.c:1138
 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Crashes (13):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/11/20 02:39 upstream 8b690556d8fe 26ee5237 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in call_timer_fn
2025/11/03 19:16 upstream 6146a0f1dfae 2c50b6a9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in call_timer_fn
2026/01/28 05:45 bpf 63804fed149a 3029c699 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce WARNING: refcount bug in call_timer_fn
2026/01/24 03:32 bpf c072629f05d7 4f25b9b4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce WARNING: refcount bug in call_timer_fn
2025/10/18 02:50 bpf a1e83d4c0361 1c8c8cd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce WARNING: refcount bug in call_timer_fn
2025/10/08 04:53 bpf 23f3770e1a53 7e2882b3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce WARNING: refcount bug in call_timer_fn
2025/09/29 02:11 bpf bf40f4b87761 001c9061 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce WARNING: refcount bug in call_timer_fn
2026/02/19 14:10 bpf-next 4c51f90d45dc 746545b8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce WARNING: refcount bug in call_timer_fn
2025/08/30 11:45 bpf-next 98857d111c53 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce WARNING: refcount bug in call_timer_fn
2025/04/04 21:04 bpf-next 06a22366d6a1 1c4febdb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce WARNING: refcount bug in call_timer_fn
2025/02/15 09:42 bpf-next a4585442ade5 40a34ec9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce WARNING: refcount bug in call_timer_fn
2025/12/20 09:32 linux-next cc3aa43b44bd d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root WARNING: refcount bug in call_timer_fn
2025/06/19 11:00 linux-next 6e5ab6fee68d ed3e87f7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root WARNING: refcount bug in call_timer_fn
* Struck through repros no longer work on HEAD.