syzbot |
sign-in | mailing list | source | docs | 🏰 |
| ID | Workflow | Result | Correct | Bug | Created | Started | Finished | Revision | Error |
|---|---|---|---|---|---|---|---|---|---|
| b5bfcc28-e5ee-451d-8615-5407b0e8628b | repro | ❓ | WARNING: refcount bug in call_timer_fn (4) | 2026/03/07 23:26 | 2026/03/07 23:26 | 2026/03/07 23:35 | 31e9c887f7dc24e04b3ca70d0d54fc34141844b0 |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] Monthly trace report (Feb 2026) | 0 (1) | 2026/02/23 08:39 |
| [syzbot] [net?] [trace?] WARNING: refcount bug in call_timer_fn (4) | 0 (1) | 2026/02/21 22:24 |
| Kernel | Title | Rank 🛈 | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| linux-6.6 | WARNING: refcount bug in call_timer_fn | 13 | 1 | 125d | 125d | 0/2 | auto-obsoleted due to no activity on 2026/04/08 16:57 | |||
| upstream | WARNING: refcount bug in call_timer_fn net | 13 | 1 | 1610d | 1610d | 0/29 | closed as invalid on 2022/01/07 18:56 | |||
| upstream | WARNING: refcount bug in call_timer_fn (3) fs | 13 | 1 | 542d | 538d | 0/29 | auto-obsoleted due to no activity on 2025/02/05 18:30 | |||
| upstream | WARNING: refcount bug in call_timer_fn (2) acpi | 13 | 1 | 636d | 632d | 0/29 | auto-obsoleted due to no activity on 2024/11/03 21:47 | |||
| linux-6.1 | WARNING: refcount bug in call_timer_fn | 13 | 1 | 793d | 793d | 0/3 | auto-obsoleted due to no activity on 2024/06/09 18:08 |
------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: lib/refcount.c:28 at refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28, CPU#0: ktimers/0/16 Modules linked in: CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 RIP: 0010:refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28 Code: 64 e3 f1 0a 67 48 0f b9 3a eb 4a e8 f8 2b 23 fd 48 8d 3d 61 e3 f1 0a 67 48 0f b9 3a eb 37 e8 e5 2b 23 fd 48 8d 3d 5e e3 f1 0a <67> 48 0f b9 3a eb 24 e8 d2 2b 23 fd 48 8d 3d 5b e3 f1 0a 67 48 0f RSP: 0018:ffffc90000157a28 EFLAGS: 00010246 RAX: ffffffff84a13cdb RBX: 0000000000000003 RCX: ffff88801cee0000 RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffffff8f932040 RBP: ffffc90000157b30 R08: ffff88801cee0000 R09: 0000000000000005 R10: 0000000000000100 R11: 0000000000000004 R12: 0000000000000000 R13: 00000000ffffd579 R14: ffff88805efae820 R15: ffff88805efae9b8 FS: 0000000000000000(0000) GS:ffff88812617d000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000404030 CR3: 0000000040e8c000 CR4: 00000000003526f0 Call Trace: <TASK> call_timer_fn+0x192/0x5e0 kernel/time/timer.c:1748 expire_timers kernel/time/timer.c:1799 [inline] __run_timers kernel/time/timer.c:2374 [inline] __run_timer_base+0x6a3/0x9f0 kernel/time/timer.c:2386 run_timer_base kernel/time/timer.c:2395 [inline] run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2405 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] run_ktimerd+0x69/0x100 kernel/softirq.c:1151 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> ---------------- Code disassembly (best guess): 0: 64 e3 f1 fs jrcxz 0xfffffff4 3: 0a 67 48 or 0x48(%rdi),%ah 6: 0f b9 3a ud1 (%rdx),%edi 9: eb 4a jmp 0x55 b: e8 f8 2b 23 fd call 0xfd232c08 10: 48 8d 3d 61 e3 f1 0a lea 0xaf1e361(%rip),%rdi # 0xaf1e378 17: 67 48 0f b9 3a ud1 (%edx),%rdi 1c: eb 37 jmp 0x55 1e: e8 e5 2b 23 fd call 0xfd232c08 23: 48 8d 3d 5e e3 f1 0a lea 0xaf1e35e(%rip),%rdi # 0xaf1e388 * 2a: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction 2f: eb 24 jmp 0x55 31: e8 d2 2b 23 fd call 0xfd232c08 36: 48 8d 3d 5b e3 f1 0a lea 0xaf1e35b(%rip),%rdi # 0xaf1e398 3d: 67 addr32 3e: 48 rex.W 3f: 0f .byte 0xf
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/04/28 00:02 | upstream | 254f49634ee1 | ce741359 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | WARNING: refcount bug in call_timer_fn | ||
| 2025/11/20 02:39 | upstream | 8b690556d8fe | 26ee5237 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | WARNING: refcount bug in call_timer_fn | ||
| 2025/11/03 19:16 | upstream | 6146a0f1dfae | 2c50b6a9 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | WARNING: refcount bug in call_timer_fn | ||
| 2026/03/31 07:00 | bpf | c369299895a5 | d0af506e | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | WARNING: refcount bug in call_timer_fn | ||
| 2026/01/28 05:45 | bpf | 63804fed149a | 3029c699 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | WARNING: refcount bug in call_timer_fn | ||
| 2026/01/24 03:32 | bpf | c072629f05d7 | 4f25b9b4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | WARNING: refcount bug in call_timer_fn | ||
| 2025/10/18 02:50 | bpf | a1e83d4c0361 | 1c8c8cd8 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | WARNING: refcount bug in call_timer_fn | ||
| 2025/10/08 04:53 | bpf | 23f3770e1a53 | 7e2882b3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | WARNING: refcount bug in call_timer_fn | ||
| 2025/09/29 02:11 | bpf | bf40f4b87761 | 001c9061 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | WARNING: refcount bug in call_timer_fn | ||
| 2026/03/12 09:08 | bpf-next | ca0f39a369c5 | 2d88ab01 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | WARNING: refcount bug in call_timer_fn | ||
| 2026/02/19 14:10 | bpf-next | 4c51f90d45dc | 746545b8 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | WARNING: refcount bug in call_timer_fn | ||
| 2025/08/30 11:45 | bpf-next | 98857d111c53 | 807a3b61 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | WARNING: refcount bug in call_timer_fn | ||
| 2025/04/04 21:04 | bpf-next | 06a22366d6a1 | 1c4febdb | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | WARNING: refcount bug in call_timer_fn | ||
| 2025/02/15 09:42 | bpf-next | a4585442ade5 | 40a34ec9 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | WARNING: refcount bug in call_timer_fn | ||
| 2026/03/30 23:17 | linux-next | cf7c3c02fdd0 | 458630d8 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-rust-kasan-gce | WARNING: refcount bug in call_timer_fn | ||
| 2025/12/20 09:32 | linux-next | cc3aa43b44bd | d6526ea3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | WARNING: refcount bug in call_timer_fn | ||
| 2025/06/19 11:00 | linux-next | 6e5ab6fee68d | ed3e87f7 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | WARNING: refcount bug in call_timer_fn |