On Wed, Jul 08, 2026 at 02:22:47AM -0700, Yuan Tan wrote: > Hi all, > > We would like to ask for feedback on a proposed workflow for reporting Linux > kernel bugs found by an LLM-assisted code auditing tool that we have > been developing since earlier this year. > > Since February, we have been developing an LLM-driven kernel code auditing > tool called VEGA. It started as a side project, but the results became much > substantial than we expected: VEGA has found hundreds of valid bugs in Linux > kernel. > > That immediately created a practical problem: we do not want to dump a large > pile of bug reports onto mail lists and annoy the maintainers.
True, which is why we all end up with long lists of issues/patches at the moment. The initial reaction is "we need a dashboard for everyone to collab around!" like you did here, but I'd like to say this is not the best thing to do at all. syzbot can get away with a dashboard because someone is tending to it, triaging the "serious" bugs before they become public, and only letting the "would be nice to fix one day" type issues remain. That's a huge resource commitment that Google has made here, and that's great, but I doubt that anyone else will have those resources to do this type of thing. Instead, let's just work to get these things fixed. We all have hundreds of patches/reports in our internal systems right now, attempting to triage/rank/coordinate would just waste time. In other words, just grind through them, send patches out, and get these fixed. I'm doing this now, and I know many others are as well. We are all running "different" tools, and so we find different issues, so we can all just keep sending patches as we get them done. It's going to take a lot of effort (I've somehow convinced 8 interns to help me out with this this summer), but once we get it done, we'll be much better off. > The first thing we tried was to fix as many as we could ourselves. We > started working with a group of student volunteers. Most of them are > college students, so we have been training them, reviewing their patches, > and trying to build an internal review process before anything is sent to > the mailing list. The goal is to turn these findings into useful fixes, and > also to help new contributors grow into people who can reduce maintainer > workload instead of adding to it. > > The process was not perfect. Some patches were not good enough, and we also > made some mistakes early on when deciding what should be called a security > issue. Our internal review process has been improving with the help of the > community. That's great, keep it up! > But the remaining queue is still too large for us to handle. > > Recently Jamal pointed out problems around our tags. That made me realize > that we should probably stop treating this as an ad-hoc patch effort and > build something closer to syzbot: public, reproducible, trackable, > deduplicated, and useful to maintainers. Again, I think that effort is going to be larger than just getting the patches fixed and pushed out. It also turns into a central point-of-failure, which is what we do not want to have at all for the kernel. But hey, I could be totally wrong. Maybe some generous company that is involved in unleashing this hell on us would be so kind as to pony up to do the work to create this and help fix the issues that their tools are finding. Just like Google did in the past, there is precedent, but for some reason people don't like learning from history... It's going to be a long 18 months... greg k-h

