{"paper":{"title":"Automatic Detection of Reference Counting Bugs in Linux Kernel Drivers","license":"http://creativecommons.org/licenses/by/4.0/","headline":"DrvHorn reduces reference counting verification in Linux kernel drivers to assertion checking through kernel modeling and program slicing.","cross_cats":["cs.SE"],"primary_cat":"cs.CR","authors_text":"Joe Hattori, Ken Sakayori, Naoki Kobayashi","submitted_at":"2026-05-13T09:31:08Z","abstract_excerpt":"Reference counting bugs in Linux kernel drivers can lead to severe resource mismanagement and security vulnerabilities. We introduce DrvHorn, a novel automated tool to detect these bugs by reducing reference counting verification to an assertion checking problem leveraging the Linux driver interface. Through efficient modeling of the Linux kernel and aggressive program slicing, DrvHorn discovered 545 bugs, of which 424 were previously unknown, across all platform drivers in v6.6 Linux kernel, with a lower false positive rate of 29.9% compared to prior studies. To address the root causes of the"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"DrvHorn discovered 545 bugs, of which 424 were previously unknown, across all platform drivers in v6.6 Linux kernel, with a lower false positive rate of 29.9% compared to prior studies.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The kernel modeling and aggressive slicing preserve enough reference counting semantics to detect real bugs without excessive distortion or omission of relevant paths.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"DrvHorn automatically detects reference counting bugs in Linux kernel drivers by reducing verification to assertion checking, uncovering 545 bugs (424 new) in v6.6 with 29.9% false positives and 45 merged patches.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"DrvHorn reduces reference counting verification in Linux kernel drivers to assertion checking through kernel modeling and program slicing.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"36a303b30632affe50b1d8978ccca6b44b2115b4316f676b596e5fee9b253f84"},"source":{"id":"2605.13246","kind":"arxiv","version":1},"verdict":{"id":"03c7c3ed-42f3-4e78-89d9-c29946d1b65a","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-14T20:25:57.625437Z","strongest_claim":"DrvHorn discovered 545 bugs, of which 424 were previously unknown, across all platform drivers in v6.6 Linux kernel, with a lower false positive rate of 29.9% compared to prior studies.","one_line_summary":"DrvHorn automatically detects reference counting bugs in Linux kernel drivers by reducing verification to assertion checking, uncovering 545 bugs (424 new) in v6.6 with 29.9% false positives and 45 merged patches.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The kernel modeling and aggressive slicing preserve enough reference counting semantics to detect real bugs without excessive distortion or omission of relevant paths.","pith_extraction_headline":"DrvHorn reduces reference counting verification in Linux kernel drivers to assertion checking through kernel modeling and program slicing."},"references":{"count":16,"sample":[{"doi":"","year":null,"title":"Devicetree Kernel API,https://docs.kernel.org/devicetree/kernel-api. html","work_id":"619d2bc5-376f-4934-a3d4-8cd052b7a07a","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Linux and the Devicetree,https://docs.kernel.org/devicetree/usage-model. html","work_id":"4b3a3cbe-fda5-4446-8cb5-75611e4d9318","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"LLVM’s Analysis and Transform Passes,https://llvm.org/docs/Passes.html","work_id":"3ff5675f-14e7-41ab-87fb-b6af27309dd3","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"MITRE. CVE-2023-7192,https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2023-7192","work_id":"b2ab52ec-82af-48ab-817e-75e19333a217","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2006,"title":"ACM SIGOPS Operating Systems Review40(4), 73–85 (2006)","work_id":"b1f29bf8-da97-4a31-ba88-33154b6f410f","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":16,"snapshot_sha256":"62fc522f459f30f5661d0f5bfe704bfddddda35d87d36d9a612fa5e52a0ad1d5","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}