* [RFC] VEGA: a syzbot-like workflow for LLM-found kernel bugs
@ 2026-07-08 9:22 Yuan Tan
2026-07-08 9:58 ` Paolo Abeni
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Yuan Tan @ 2026-07-08 9:22 UTC (permalink / raw)
To: linux-kernel, workflows
Cc: yuantan098, jhs, gregkh, sven, netdev, netfilter-devel,
linux-crypto
Hi all,
We would like to ask for feedback on a proposed workflow for reporting Linux
kernel bugs found by an LLM-assisted code auditing tool that we have
been developing since earlier this year.
Since February, we have been developing an LLM-driven kernel code auditing
tool called VEGA. It started as a side project, but the results became much
substantial than we expected: VEGA has found hundreds of valid bugs in Linux
kernel.
That immediately created a practical problem: we do not want to dump a large
pile of bug reports onto mail lists and annoy the maintainers.
The first thing we tried was to fix as many as we could ourselves. We
started working with a group of student volunteers. Most of them are
college students, so we have been training them, reviewing their patches,
and trying to build an internal review process before anything is sent to
the mailing list. The goal is to turn these findings into useful fixes, and
also to help new contributors grow into people who can reduce maintainer
workload instead of adding to it.
The process was not perfect. Some patches were not good enough, and we also
made some mistakes early on when deciding what should be called a security
issue. Our internal review process has been improving with the help of the
community.
Since March, we picked up non-root triggerable bug first and have worked on
fixes for more than 100 validated kernel bugs. we especially want to thank
the students and professor who have helped a lot with this effort.
But the remaining queue is still too large for us to handle.
Recently Jamal pointed out problems around our tags. That made me realize
that we should probably stop treating this as an ad-hoc patch effort and
build something closer to syzbot: public, reproducible, trackable,
deduplicated, and useful to maintainers.
So this mail is an RFC for a VEGA reporting workflow.
The rough idea
==============
VEGA would have a public dashboard, similar to syzbot, and would
send selected bug reports to the relevant kernel mailing lists.
The goal is to send reports that contain enough information for maintainers
or other developers to pick up, understand, reproduce and fix the issue.
For each public report, we expect to include:
- a description of the bug
- the tested kernel tree and commit
- the kernel config and environment
- the crash log
- a minimized user-space reproducer
- the suspected introducing commit
- a suggested fix patch
The suggested fix patch is meant to reduce maintainer burden. It still need
human review, but hopefully it can save a lot time from building a patch
from scratch.
What will be public
===================
All VEGA findings that we have evaluated as not having major security
impact can be published on the VEGA dashboard. The dashboard would make it
possible to see what VEGA found, whether the issue was reproduced, whether
a fix exists, whether it was reported to a mailing list, and whether it has
been fixed upstream.
For issues that we have validated as having possible serious security
impact, we will not publish it on the public dashboard before going through
the appropriate kernel security process.
Dumping everything onto the mailing list may be annoying. During the initial
stage, reports will be rate-limited and sent manually. We will check for
duplicates against lore/upstream, and make sure the issue is not already
fixed or reported.
Report identity and tags
========================
Each public VEGA report will have a stable identity, similar to
syzbot reports.
One possible format is:
Reported-by: VEGA <vega+HASH@DOMAIN>
Closes: <public dashboard URL>
=========
We would like to hear what maintainers think about this before we start
sending these reports.
We do not want VEGA to become another source of mailing list noise. The goal
is to make LLM-based bug finding transparent and useful, and to make sure
the reports come with enough context, reproducers, suggested fixes, and
tracking so that they reduce work rather than create more.
Thanks,
Yuan
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [RFC] VEGA: a syzbot-like workflow for LLM-found kernel bugs 2026-07-08 9:22 [RFC] VEGA: a syzbot-like workflow for LLM-found kernel bugs Yuan Tan @ 2026-07-08 9:58 ` Paolo Abeni 2026-07-08 10:47 ` Laurent Pinchart ` (2 subsequent siblings) 3 siblings, 0 replies; 7+ messages in thread From: Paolo Abeni @ 2026-07-08 9:58 UTC (permalink / raw) To: Yuan Tan, linux-kernel, workflows Cc: jhs, gregkh, sven, netdev, netfilter-devel, linux-crypto, Eric Dumazet, Jakub Kicinski Hi, On 7/8/26 11:22 AM, Yuan Tan wrote: > The rough idea > ============== > > VEGA would have a public dashboard, similar to syzbot, and would > send selected bug reports to the relevant kernel mailing lists. > > The goal is to send reports that contain enough information for maintainers > or other developers to pick up, understand, reproduce and fix the issue. > > For each public report, we expect to include: > > - a description of the bug > - the tested kernel tree and commit > - the kernel config and environment > - the crash log > - a minimized user-space reproducer > - the suspected introducing commit > - a suggested fix patch > > The suggested fix patch is meant to reduce maintainer burden. It still need > human review, but hopefully it can save a lot time from building a patch > from scratch. Thanks for sharing. This sounds very interesting to me, modulo final impact on the ML - overall load is severely increased since the LLM era, while the maintainers pool not so much. A few notes on top of my head: - the amount/rate of reports is critical. The higher the rate, the better need to be the reproducer and the suggested patch. - the crash log should include the decoded stack trace. - IIRC syzbot reports sharing is [always] human moderated/limited/controlled. I think that is the correct default and I hope it should be possible for you, too. - it's not entirely clear to me who exactly is 'you' and would appreciate more info about that. - it would be great to discuss this topic in person, i.e. in the upcoming NetDev. Thanks, Paolo ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC] VEGA: a syzbot-like workflow for LLM-found kernel bugs 2026-07-08 9:22 [RFC] VEGA: a syzbot-like workflow for LLM-found kernel bugs Yuan Tan 2026-07-08 9:58 ` Paolo Abeni @ 2026-07-08 10:47 ` Laurent Pinchart 2026-07-08 14:07 ` Andrew Lunn 2026-07-08 14:55 ` Greg KH 3 siblings, 0 replies; 7+ messages in thread From: Laurent Pinchart @ 2026-07-08 10:47 UTC (permalink / raw) To: Yuan Tan Cc: linux-kernel, workflows, jhs, gregkh, sven, netdev, netfilter-devel, linux-crypto On Wed, Jul 08, 2026 at 02:22:47AM -0700, Yuan Tan wrote: > Hi all, > > We would like to ask for feedback on a proposed workflow for reporting Linux > kernel bugs found by an LLM-assisted code auditing tool that we have > been developing since earlier this year. > > Since February, we have been developing an LLM-driven kernel code auditing > tool called VEGA. It started as a side project, but the results became much > substantial than we expected: VEGA has found hundreds of valid bugs in Linux > kernel. > > That immediately created a practical problem: we do not want to dump a large > pile of bug reports onto mail lists and annoy the maintainers. > > The first thing we tried was to fix as many as we could ourselves. We > started working with a group of student volunteers. Most of them are > college students, so we have been training them, reviewing their patches, > and trying to build an internal review process before anything is sent to > the mailing list. The goal is to turn these findings into useful fixes, and > also to help new contributors grow into people who can reduce maintainer > workload instead of adding to it. > > The process was not perfect. Some patches were not good enough, and we also > made some mistakes early on when deciding what should be called a security > issue. Our internal review process has been improving with the help of the > community. > > Since March, we picked up non-root triggerable bug first and have worked on > fixes for more than 100 validated kernel bugs. we especially want to thank > the students and professor who have helped a lot with this effort. > > But the remaining queue is still too large for us to handle. > > Recently Jamal pointed out problems around our tags. That made me realize > that we should probably stop treating this as an ad-hoc patch effort and > build something closer to syzbot: public, reproducible, trackable, > deduplicated, and useful to maintainers. > > So this mail is an RFC for a VEGA reporting workflow. > > The rough idea > ============== > > VEGA would have a public dashboard, similar to syzbot, and would > send selected bug reports to the relevant kernel mailing lists. > > The goal is to send reports that contain enough information for maintainers > or other developers to pick up, understand, reproduce and fix the issue. > > For each public report, we expect to include: > > - a description of the bug > - the tested kernel tree and commit > - the kernel config and environment > - the crash log > - a minimized user-space reproducer > - the suspected introducing commit > - a suggested fix patch > > The suggested fix patch is meant to reduce maintainer burden. It still need > human review, but hopefully it can save a lot time from building a patch > from scratch. Will the information included in the public report (including the suggested fix) be written by a human or an LLM ? In the latter case I don't see how you could reasonably claim to reduce maintainer burden, so that would be a big NACK as far as I'm concerned. > What will be public > =================== > > All VEGA findings that we have evaluated as not having major security > impact can be published on the VEGA dashboard. The dashboard would make it > possible to see what VEGA found, whether the issue was reproduced, whether > a fix exists, whether it was reported to a mailing list, and whether it has > been fixed upstream. > > For issues that we have validated as having possible serious security > impact, we will not publish it on the public dashboard before going through > the appropriate kernel security process. > > Dumping everything onto the mailing list may be annoying. During the initial > stage, reports will be rate-limited and sent manually. We will check for > duplicates against lore/upstream, and make sure the issue is not already > fixed or reported. > > Report identity and tags > ======================== > > Each public VEGA report will have a stable identity, similar to > syzbot reports. > > One possible format is: > > Reported-by: VEGA <vega+HASH@DOMAIN> > Closes: <public dashboard URL> > > ========= > > We would like to hear what maintainers think about this before we start > sending these reports. > > We do not want VEGA to become another source of mailing list noise. The goal > is to make LLM-based bug finding transparent and useful, and to make sure > the reports come with enough context, reproducers, suggested fixes, and > tracking so that they reduce work rather than create more. -- Regards, Laurent Pinchart ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC] VEGA: a syzbot-like workflow for LLM-found kernel bugs 2026-07-08 9:22 [RFC] VEGA: a syzbot-like workflow for LLM-found kernel bugs Yuan Tan 2026-07-08 9:58 ` Paolo Abeni 2026-07-08 10:47 ` Laurent Pinchart @ 2026-07-08 14:07 ` Andrew Lunn 2026-07-08 14:55 ` Greg KH 3 siblings, 0 replies; 7+ messages in thread From: Andrew Lunn @ 2026-07-08 14:07 UTC (permalink / raw) To: Yuan Tan Cc: linux-kernel, workflows, jhs, gregkh, sven, netdev, netfilter-devel, linux-crypto > The rough idea > ============== > > VEGA would have a public dashboard, similar to syzbot, and would > send selected bug reports to the relevant kernel mailing lists. > > The goal is to send reports that contain enough information for maintainers > or other developers to pick up, understand, reproduce and fix the issue. > > For each public report, we expect to include: > > - a description of the bug > - the tested kernel tree and commit > - the kernel config and environment > - the crash log > - a minimized user-space reproducer > - the suspected introducing commit > - a suggested fix patch It would be nice if you could try to parse the git logs for the driver and extrapolate its age, and if it is still being actively Maintained by somebody. We see lots of LLM generated patches for theoretical bugs, mostly in error paths, for drivers which are EOL, and it is unlikely anybody is still using the hardware. Such patches waste Reviewer/Maintainer time. Maybe even make this part of your triage process. Prioritise issues found on newer, used drivers, over old likely unused drives. Andrew ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC] VEGA: a syzbot-like workflow for LLM-found kernel bugs 2026-07-08 9:22 [RFC] VEGA: a syzbot-like workflow for LLM-found kernel bugs Yuan Tan ` (2 preceding siblings ...) 2026-07-08 14:07 ` Andrew Lunn @ 2026-07-08 14:55 ` Greg KH 2026-07-11 2:14 ` Yuan Tan 3 siblings, 1 reply; 7+ messages in thread From: Greg KH @ 2026-07-08 14:55 UTC (permalink / raw) To: Yuan Tan Cc: linux-kernel, workflows, jhs, sven, netdev, netfilter-devel, linux-crypto On Wed, Jul 08, 2026 at 02:22:47AM -0700, Yuan Tan wrote: > Hi all, > > We would like to ask for feedback on a proposed workflow for reporting Linux > kernel bugs found by an LLM-assisted code auditing tool that we have > been developing since earlier this year. > > Since February, we have been developing an LLM-driven kernel code auditing > tool called VEGA. It started as a side project, but the results became much > substantial than we expected: VEGA has found hundreds of valid bugs in Linux > kernel. > > That immediately created a practical problem: we do not want to dump a large > pile of bug reports onto mail lists and annoy the maintainers. True, which is why we all end up with long lists of issues/patches at the moment. The initial reaction is "we need a dashboard for everyone to collab around!" like you did here, but I'd like to say this is not the best thing to do at all. syzbot can get away with a dashboard because someone is tending to it, triaging the "serious" bugs before they become public, and only letting the "would be nice to fix one day" type issues remain. That's a huge resource commitment that Google has made here, and that's great, but I doubt that anyone else will have those resources to do this type of thing. Instead, let's just work to get these things fixed. We all have hundreds of patches/reports in our internal systems right now, attempting to triage/rank/coordinate would just waste time. In other words, just grind through them, send patches out, and get these fixed. I'm doing this now, and I know many others are as well. We are all running "different" tools, and so we find different issues, so we can all just keep sending patches as we get them done. It's going to take a lot of effort (I've somehow convinced 8 interns to help me out with this this summer), but once we get it done, we'll be much better off. > The first thing we tried was to fix as many as we could ourselves. We > started working with a group of student volunteers. Most of them are > college students, so we have been training them, reviewing their patches, > and trying to build an internal review process before anything is sent to > the mailing list. The goal is to turn these findings into useful fixes, and > also to help new contributors grow into people who can reduce maintainer > workload instead of adding to it. > > The process was not perfect. Some patches were not good enough, and we also > made some mistakes early on when deciding what should be called a security > issue. Our internal review process has been improving with the help of the > community. That's great, keep it up! > But the remaining queue is still too large for us to handle. > > Recently Jamal pointed out problems around our tags. That made me realize > that we should probably stop treating this as an ad-hoc patch effort and > build something closer to syzbot: public, reproducible, trackable, > deduplicated, and useful to maintainers. Again, I think that effort is going to be larger than just getting the patches fixed and pushed out. It also turns into a central point-of-failure, which is what we do not want to have at all for the kernel. But hey, I could be totally wrong. Maybe some generous company that is involved in unleashing this hell on us would be so kind as to pony up to do the work to create this and help fix the issues that their tools are finding. Just like Google did in the past, there is precedent, but for some reason people don't like learning from history... It's going to be a long 18 months... greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC] VEGA: a syzbot-like workflow for LLM-found kernel bugs 2026-07-08 14:55 ` Greg KH @ 2026-07-11 2:14 ` Yuan Tan 2026-07-11 5:33 ` Greg KH 0 siblings, 1 reply; 7+ messages in thread From: Yuan Tan @ 2026-07-11 2:14 UTC (permalink / raw) To: Greg KH, andrew, Paolo Abeni, laurent.pinchart, hdanton Cc: linux-kernel, workflows, jhs, sven, netdev, netfilter-devel, linux-crypto, Yuan Tan Hi All, Thanks for the thoughtful feedback, and apologies for the delayed reply. 1. Regarding Paolo's question, a bit more context about who we are. I first got involved in the kernel community during undergrad with guidance from Zhangjin Wu <falcon@tinylab.org>. I started building VEGA earlier this year while I was a PhD student at UC Riverside. I recently dropout and start a company called Nebula Security with my labmates. We want to help fix bugs in open source software. The volunteer bug-fixing group that mainly includes students from Lanzhou University, where I did my undergraduate studies, and UC Riverside. I will be at NetDev as well. See you there :) 2. To answer Laurent's question: All bug reports are human-reviewed. For the past four months, we have been including a human-written and reviewed patch when reporting bugs, with LLMs used only as an assistive tool. However, because the volume is large and there are some bugs we do not know how to fix well, we would like to make some bug reports public in the interest of transparency. 3. To Hillf's point: if we start sending reports, the initial volume will stay well below that level. 4. Regarding Andrew's point: Early on, we used syzbot config for scanning and validation, and that did lead us to spend time on code paths and features that may not matter much in practice. We should definitely prioritize fixing bugs in actively maintained code. 5. And to Greg's point: On Wed, Jul 8, 2026 at 7:55 AM Greg KH <gregkh@linuxfoundation.org> wrote: > > On Wed, Jul 08, 2026 at 02:22:47AM -0700, Yuan Tan wrote: > > Hi all, > > > > We would like to ask for feedback on a proposed workflow for reporting Linux > > kernel bugs found by an LLM-assisted code auditing tool that we have > > been developing since earlier this year. > > > > Since February, we have been developing an LLM-driven kernel code auditing > > tool called VEGA. It started as a side project, but the results became much > > substantial than we expected: VEGA has found hundreds of valid bugs in Linux > > kernel. > > > > That immediately created a practical problem: we do not want to dump a large > > pile of bug reports onto mail lists and annoy the maintainers. > > True, which is why we all end up with long lists of issues/patches at > the moment. The initial reaction is "we need a dashboard for everyone > to collab around!" like you did here, but I'd like to say this is not > the best thing to do at all. > > syzbot can get away with a dashboard because someone is tending to it, > triaging the "serious" bugs before they become public, and only letting > the "would be nice to fix one day" type issues remain. That's a huge > resource commitment that Google has made here, and that's great, but I > doubt that anyone else will have those resources to do this type of > thing. > > Instead, let's just work to get these things fixed. We all have > hundreds of patches/reports in our internal systems right now, > attempting to triage/rank/coordinate would just waste time. In other > words, just grind through them, send patches out, and get these fixed. > > I'm doing this now, and I know many others are as well. We are all > running "different" tools, and so we find different issues, so we can > all just keep sending patches as we get them done. It's going to take a > lot of effort (I've somehow convinced 8 interns to help me out with this > this summer), but once we get it done, we'll be much better off. Yes, getting bugs fixed is the most important thing. The reason we considered a syzbot-like workflow is that there are some validated bugs which we currently do not know how to fix well ourselves. For those cases we thought the community might have simpler ideas once the report is made reproducible and concrete. But we agree that any process around this should help move fixes forward, not create another layer of overhead. > > > The first thing we tried was to fix as many as we could ourselves. We > > started working with a group of student volunteers. Most of them are > > college students, so we have been training them, reviewing their patches, > > and trying to build an internal review process before anything is sent to > > the mailing list. The goal is to turn these findings into useful fixes, and > > also to help new contributors grow into people who can reduce maintainer > > workload instead of adding to it. > > > > The process was not perfect. Some patches were not good enough, and we also > > made some mistakes early on when deciding what should be called a security > > issue. Our internal review process has been improving with the help of the > > community. > > That's great, keep it up! > > > But the remaining queue is still too large for us to handle. > > > > Recently Jamal pointed out problems around our tags. That made me realize > > that we should probably stop treating this as an ad-hoc patch effort and > > build something closer to syzbot: public, reproducible, trackable, > > deduplicated, and useful to maintainers. > > Again, I think that effort is going to be larger than just getting the > patches fixed and pushed out. It also turns into a central > point-of-failure, which is what we do not want to have at all for the > kernel. > > But hey, I could be totally wrong. Maybe some generous company that is > involved in unleashing this hell on us would be so kind as to pony up to > do the work to create this and help fix the issues that their tools are > finding. Just like Google did in the past, there is precedent, but for > some reason people don't like learning from history... We have also received some bug bounty rewards from Google, which gives us some resources to put back into this effort. We are prepared to invest more engineering time in fixing these bugs, and we are also considering hiring engineers to help. Will you also be attending NetDev in person? If so, perhaps we can chat there :) > > It's going to be a long 18 months... > > greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC] VEGA: a syzbot-like workflow for LLM-found kernel bugs 2026-07-11 2:14 ` Yuan Tan @ 2026-07-11 5:33 ` Greg KH 0 siblings, 0 replies; 7+ messages in thread From: Greg KH @ 2026-07-11 5:33 UTC (permalink / raw) To: Yuan Tan Cc: andrew, Paolo Abeni, laurent.pinchart, hdanton, linux-kernel, workflows, jhs, sven, netdev, netfilter-devel, linux-crypto On Fri, Jul 10, 2026 at 07:14:36PM -0700, Yuan Tan wrote: > > But hey, I could be totally wrong. Maybe some generous company that is > > involved in unleashing this hell on us would be so kind as to pony up to > > do the work to create this and help fix the issues that their tools are > > finding. Just like Google did in the past, there is precedent, but for > > some reason people don't like learning from history... > > We have also received some bug bounty rewards from Google, which gives > us some resources to put back into this effort. That's good, but I don't want you to have to rely on Google's bug bounty money, as that is not going to be reliable if past history is any indication :( > We are prepared to invest more engineering time in fixing these bugs, > and we are also considering hiring engineers to help. > > Will you also be attending NetDev in person? If so, perhaps we can chat there :) Unfortunatly due to passport/visa issues, I can not attend this year, but will be speaking remotely. I will be in Prague later this year at OSS and Plumbers. thanks, greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2026-07-11 5:33 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-07-08 9:22 [RFC] VEGA: a syzbot-like workflow for LLM-found kernel bugs Yuan Tan 2026-07-08 9:58 ` Paolo Abeni 2026-07-08 10:47 ` Laurent Pinchart 2026-07-08 14:07 ` Andrew Lunn 2026-07-08 14:55 ` Greg KH 2026-07-11 2:14 ` Yuan Tan 2026-07-11 5:33 ` Greg KH
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox