Linus Torvalds: AI-Detected Bug Reports Make Kernel Security List 'Almost Entirely Unmanageable' (lkml.org)
Today Linus Torvalds announced another Linux release candidate on the kernel mailing list. But he also highlighted "documentation updates" to address a new problem.
"The continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools." (The new documentation says the security team has found "bugs discovered this way systematically surface simultaneously across multiple researchers, often on the same day.")
Torvalds continues:
People spend all their time just forwarding things to the right people or saying "that was already fixed a week/month ago" and pointing to the public discussion.
Which is all entirely pointless churn, and we're making it clear that AI-detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved — and only makes that duplication worse because the reporters can't even see each other's reports.
AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work. Feel free to use them, but use them in a way that is productive and makes for a better experience.
The documentation may be a bit less blunt than I am, but that's the core gist of it.
The new documentation offers this overview. "It turns out that the majority of the bugs reported via the security team are just regular bugs that have been improperly qualified as security bugs due to a lack of awareness of the Linux kernel's threat model."
"So just to make it really clear," Torvalds said at the end of his post. "If you found a bug using AI tools, the chances are somebody else found it too.
"If you actually want to add value, read the documentation, create a patch too, and add some real value on *top* of what the AI did. Don't be the drive-by 'send a random report with no real understanding' kind of person. Ok?"
If AI is the flood (Score:2)
Make AI be the drain. Have AI review AI-generated bug reports, classify them against existing bug tracker entries, respond, bubble up real issues, etc.
Maybe set up another 'AI mediated security list' that has agents and their human masters merrily chatting, and that bubbles up real issues to the main security mailing list.
Re: (Score:2)
I assume that's a joke suggestion. It's been demonstrated that attempts at LLM self-learning quickly go to pot. Fully automating AI reporting with AI filtering would do the same.
This whole situation also rings of LLMs' most distinct trait - they are great at regurgitating well trodden boilerplate code. Ask for something novel and you'll be getting a mostly empty template.
Re: (Score:1)
I assume that's a joke suggestion. It's been demonstrated that attempts at LLM self-learning quickly go to pot
Obviously this is because the LLMs you've used aren't cutting edge enough.
Don't bother responding with negative comments, I don't listen to anti-AI hate. LLMs solve any problem.
Re: (Score:2)
Is the newest Codex cutting edge?
No. You need the exclusive prerelease version.
Because it fucked up my DGX Spark.
Typical human, blaming the computer instead of PEBCAK.
Re: (Score:2)
It took a LOT of RAM, which was extremely expensive a
Re: Linus with his weekly rant (c)(tm) (Score:2)
Are you serious about Niagara? Is it still useful in 2026?
And if so, which generation are you using? I worked with early T1 prototypes.
Guilds. (Score:2)
Re: (Score:2)
To fix:
%s/direction/directly/
What's the problem? (Score:2)
If these are genuine bugs, it seems like they should have a bug reporting system capable of efficiently handling duplicates. The last thing you want is somebody failing to report a genuine bug because they mistakenly assumed it was already reported.
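The "make AI the drain" suggestion earlier in the thread and the point just above about a reporting system that handles duplicates rest on the same mechanism: recognising that two reports describe one bug even though their incidental details differ. As an added example, not code from the kernel project or from any commenter, here is a Python sketch of that: normalise the details that vary between reporters (pointer values, source line numbers, kernel version strings), hash what remains, and group incoming reports against a tracker. The tracker contents, reporter names and report texts are constructed for the example, and the regular expressions are a deliberately simple assumption about what a report looks like.

```python
import hashlib
import re

# Constructed sample of bugs already in a tracker (not from any real tracker).
TRACKER = {
    "BUG-1": "KASAN: slab-out-of-bounds in foo_parse at drivers/net/foo.c:123 "
             "kernel 6.14-rc2 ptr ffff8881abcd0000",
}

# Constructed incoming reports from three hypothetical reporters. The first
# two describe the same bug as BUG-1 with different incidental details.
INCOMING = [
    ("alice", "KASAN: slab-out-of-bounds in foo_parse at drivers/net/foo.c:130 "
              "kernel 6.15-rc1 ptr ffff8881deadbeef"),
    ("bob", "kasan: slab-out-of-bounds in foo_parse at drivers/net/foo.c:123 "
            "kernel 6.14 ptr ffff88810000aaaa"),
    ("carol", "use-after-free in bar_free at drivers/net/bar.c:50 "
              "kernel 6.15-rc1 ptr ffff888100000000"),
]

# Details that vary between runs and reporters without changing which bug it is.
# These patterns are an assumption about report formatting, not a standard.
HEX_ADDR = re.compile(r"\b(0x)?[0-9a-f]{8,16}\b")
LINE_NO = re.compile(r"(\.[ch]):\d+")
VERSION = re.compile(r"\b\d+\.\d+(\.\d+)?(-rc\d+)?\b")
WS = re.compile(r"\s+")


def fingerprint(report: str) -> str:
    """Normalise a report and hash it, so two reports of one bug collide."""
    text = report.lower()
    text = HEX_ADDR.sub("<addr>", text)      # kernel pointers differ per boot
    text = LINE_NO.sub(r"\1:<line>", text)   # line numbers drift between trees
    text = VERSION.sub("<ver>", text)        # reporters test different versions
    text = WS.sub(" ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def find_duplicate(report, tracker):
    """Return the id of a tracked bug with the same fingerprint, or None."""
    fp = fingerprint(report)
    for bug_id, tracked in tracker.items():
        if fingerprint(tracked) == fp:
            return bug_id
    return None


def triage(incoming, tracker):
    """Group (reporter, report) pairs by fingerprint and mark each group as a
    duplicate of a tracked bug or as new. A group with several reporters is
    the 'everyone found it with the same tool on the same day' case."""
    groups = {}
    for reporter, text in incoming:
        entry = groups.setdefault(fingerprint(text), {"sample": text, "reporters": []})
        entry["reporters"].append(reporter)
    return [
        {"fingerprint": fp, "reporters": g["reporters"],
         "duplicate_of": find_duplicate(g["sample"], tracker)}
        for fp, g in groups.items()
    ]


if __name__ == "__main__":
    for group in triage(INCOMING, TRACKER):
        status = f"duplicate of {group['duplicate_of']}" if group["duplicate_of"] else "new"
        print(f"{group['fingerprint']}  {', '.join(group['reporters'])}: {status}")
```

Exact-hash matching after normalisation is the simplest useful form; a real tracker would add fuzzier matching (for example on the crashing function plus bug class alone) and would show reporters the matched entry so they can see each other's reports, which is the visibility problem the kernel documentation describes.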
Re: (Score:1)
Cutting edge LLMs at the subscription level have simulation systems that are able to determine the answer without actually running the code.
Re: (Score:2)
My understanding is that if your code would take longer than the projected life of the universe, an LLM will warn you and prevent you from running it.
It's not clear what happens if the amount of time is the lifetime of the universe minus 1.
Re:What's the problem? (Score:4, Insightful)
That's like saying driving without learning to drive is good enough because that person got there in the end. Never mind the carnage on the way.
The last thing we want is lazy contributors that don't do their own due diligence. Learn your craft.
Should be easy (Score:1)
"If you actually want to add value, read the documentation, create a patch too, and add some real value on *top* of what the AI did. Don't be the drive-by 'send a random report with no real understanding' kind of person. Ok?"
Should be easy enough. Put the new documentation entirely into the settings file of the LLM. This will ensure it follows standards, because LLMs always follow instructions.
Secondly, there is already a bug report so the second step is easy. Enter the bug report entirely, and instruct the LLM to create a patch for the Linux kernel. You can instruct it to follow the checklist [kernel.org], in case it didn't happen to have that checklist in its training data. In fact, paste that into the input as well,
Re: (Score:3)
Re: (Score:2)
OK, enough shit posting.
Oh no, I'm just getting started.
Stroking their ego (Score:2)
The value is, every half-wit can generate a technical report by pushing a button and call himself a "programmer" or a "security engineer". The world is full of people pretending that 5 seconds of work makes them skilled and worthy: Just look at all the graffiti that is really, childish black scribbles. I don't have a problem with people stroking their own ego, but just like a throbbing penis, they don't have the right to shove it in my face.