This work addresses the critical issue of reference counting errors in Linux kernel drivers, which commonly lead to resource leaks and security vulnerabilities. It presents the first efficient reduction of reference counting verification to an assertion checking problem, integrating driver interface modeling, program slicing, and static analysis to enable large-scale, automated detection across all driver platforms. Applied to the Linux v6.6 kernel, the approach identified 545 reference counting bugs—including 424 previously unknown vulnerabilities—and contributed 45 patches that have been officially merged upstream. The method achieves a low false positive rate of 29.9%, substantially outperforming existing techniques in both precision and scalability.

Reference counting bugs in Linux kernel drivers can lead to severe resource mismanagement and security vulnerabilities. We introduce DrvHorn, a novel automated tool to detect these bugs by reducing reference counting verification to an assertion checking problem leveraging the Linux driver interface. Through efficient modeling of the Linux kernel and aggressive program slicing, DrvHorn discovered 545 bugs, of which 424 were previously unknown, across all platform drivers in v6.6 Linux kernel, with a lower false positive rate of 29.9% compared to prior studies. To address the root causes of these newly discovered bugs, we submitted patches to the Linux kernel, and 45 of them were merged.