Linux Maintainer Greg Kroah-Hartman Says AI Tools Now Useful, Finding Real Bugs (theregister.com)
Linux kernel maintainer Greg Kroah-Hartman tells The Register that AI-driven code review has "really jumped" for Linux. "There must have been some inflection point somewhere with the tools..."
"Something happened a month ago, and the world switched. Now we have real reports." It's not just Linux, he continued. "All open source projects have real reports that are made with AI, but they're good, and they're real." Security teams across major open source projects talk informally and frequently, he noted, and everyone is seeing the same shift. "All open source security teams are hitting this right now...."
For now, AI is showing up more as a reviewer and assistant than as a full author of Linux kernel code, but that line is starting to blur. Kroah-Hartman has already done his own experiments with AI-generated patches. "I did a really stupid prompt," he recounted. "I said, 'Give me this,' and it spit out 60: 'Here's 60 problems I found, and here's the fixes for them.' About one-third were wrong, but they still pointed out a relatively real problem, and two-thirds of the patches were right." Mind you, those working patches still needed human cleanup, better changelogs, and integration work, but they were far from useless. "The tools are good," he said. "We can't ignore this stuff. It's coming up, and it's getting better...." [H]e said that for "simple little error conditions, properly detecting error conditions," AI could already generate dozens of usable patches today.
The sudden increase in AI-generated reports and AI-assisted work has also spurred a parallel push to build AI into the kernel's own review infrastructure. A key piece of that is Sashiko, a tool originally developed at Google and now donated to the Linux Foundation.
Kroah-Hartman said some patches are being generated with AI now. "You have a little co-develop tag for that now. We're seeing some things for some new features, but we're seeing AI mostly being used in the review."
For me, it is last few months... (Score:5, Informative)
since AI agents became usable and started to bring results.
Of course, you need skills not usually associated with the manager caste: ask precise questions, be realistic in your expectations, and be ready to jump in and fix something yourself in ten minutes instead of spending that time on five prompts. Among others.
So it is not a question about AI being usable or not; it is a question about it being useful enough to cover its expenses and ensure ROI.
An improbable thing to happen.
Re: (Score:2)
Compare this to what you would have said last year.
Re: (Score:3)
Compare this to what you would have said last year.
I remember it well enough.
Re-read "its expenses". All of this is extremely costly and needs the skills I started to enumerate. It is cheap for users today, but it will not remain so.
If not for the Chinese factor, prices would have skyrocketed already. Real competition there is what keeps prices in check. And this, while good for us, is not so good for the (especially US) AI industry. There is no real prospect of ROI, and we have yet to see what happens when the bubble bursts.
Just the other day, I compared AI agent use to the
Re: For me, it is last few months... (Score:1)
The ROI is at the nation-state level. The ones who benefit are the rich and powerful in control right now. The reason it is being gatekept is to give the elite power now that will be harder to wrest from them later.
Re: For me, it is last few months... (Score:2)
Re: (Score:3, Interesting)
The answer to that is "absolutely not"
If you can't code worth a damn, then of course the AI is going to find a lot of "bugs", and many of those "bugs" aren't even bugs: they generate warnings in the compiler, otherwise the program would not compile in the first place. The first thing you do when you want to eliminate bugs is treat all warnings as errors.
You don't need AI for that.
I'm sure AI is useful for finding errors that don't show up as warnings first, but I can tell you first and second hand that your av
Re: (Score:2, Insightful)
Everything about this is: https://www.youtube.com/watch?v=LQCU36pkH7c
Re: For me, it is last few months... (Score:3)
I'm not here to hype AI. After decades wielding terminals and IDEs, I'm being forced to use it. There is code I still want to write myself but don't, because it would hurt my AI-use metrics, which count toward my performance review. This is what it's like at a major tech company in 2026. But the picture has changed. AI can search through our codebase and find real bugs. Subtle ones.
Posts like this are unhelpful because they paint a picture that there are these limitations that really aren't there anymore. If you're not getting the
Re: (Score:2)
If you can't code worth a damn, then of course the AI is going to find a lot of "bugs"...
If you're asserting that Greg Kroah-Hartman can't code worth a damn, you might want to find out who he is and think again.
Re: (Score:2)
"If you can't code worth a damn, then of course the AI is going to find a lot of "bugs" ..."
But this is Greg Kroah-Hartman we are talking about here, and many other kernel devs. If you are saying they can't code worth a damn then we cannot take you seriously.
Also note that many bugs, whether logical errors, silly memory-use mistakes (use after free, out-of-bounds array access, etc.), or undefined behavior, are not detected by the compiler as errors or warnings.
So, if AI can find those bugs what is not to like? Of course
Re: (Score:2)
In fairness, this is the Kernel we are talking about, and those dudes actually do know what they are doing.
Kernel code is fucking hard. The last kernel coding I ever did was on Minix in the early 1990s for an Operating Systems class at university. That was a total brain bender. But here's the thing: Minix was an intentionally simpler kernel designed for teaching, and it came with an extremely comprehensive textbook. That just doesn't exist (I think) for Linux.
The Linux Kernel may well be the most complicated code by
Re: (Score:1)
it is a question about it being useful enough to cover its expenses and ensure ROI. An improbable thing to happen.
With them currently needing about 15x as much revenue as they have to keep the lights on? Very improbable indeed.
Re: (Score:2)
One thing that would be interesting (Score:3)
That's because right now, if you really want to hack somebody's data, you can do it. There is a company out of Israel that will sell you software, if you have enough money and enough connections, that can break into just about any phone in existence. If they can break into the phone, they can get past most encryption mechanisms.
So the question is what happens if intelligence agencies and law enforcement can no longer get data when they really want it.
I'm not so naive to think that is going to be a glorious time of freedom.
Facebook, for example, is facing an existential crisis from AI slop. There is so much slop, and it is so hard to tell apart from real content, that they are having a hard time getting data they can sell. Advertising rates are also at risk, although that's less of an issue because, as it stands, advertising on Facebook is pretty useless and largely done out of habit. But the risk of slop overwhelming their data collection is a much bigger deal.
I bring it up because Facebook didn't just roll over and die. They are going around the world buying off politicians and getting laws passed requiring age verification that will in turn let them identify real users from bots so that they can continue to collect your data and sell it to their advertisers and governments and whatnot.
My point being that when a large, powerful group faces a problem, they solve it. And when somebody with that much money and power has a problem and solves it, it's usually to your detriment and mine.
What I would expect is that we are going to lose more freedoms. And any attempt to save those freedoms will fail because at the end of the day we would have to vote for politicians that would protect those freedoms and I think the 2024 elections proved that it's pretty easy to get people to do the opposite if you dangle cheap eggs in front of them...
Re: One thing that would be interesting (Score:3)
I see that AI can find bugs that are tedious to find and only exist in corner cases that humans usually don't test. For every successful positive test case there can be a large number of negative cases with subvariants. That's where AI might be helpful: generating all those test runs.
But to write code that's maintainable, with high performance and stable - that's a different thing.
Test code that doesn't work - just generate a new batch, it won't damage the product you deliver but it might have some fla
Code review is not what AI is being sold as (Score:4, Insightful)
There's nothing wrong with using AI tools to review code and identify issues, real humans will review those issues and solutions after all. It's a far cry from what the AI industry claims AI tools will be useful for, specifically writing all the code in the first place.
Writing good code requires creativity, hard work, and accountability. Reviewing code is all over the map; it doesn't require creativity and doesn't come with accountability. Sounds like something AI might be suited for.
Re:Code review is not what AI is being sold as (Score:5, Insightful)
Re: (Score:3, Funny)
Re: (Score:3)
The principle problem with humans is that they're completely unreliable, due to basic design.
They seem particularly unreliable when asked to tell the difference between a headmaster and a fundamental rule.
Re: (Score:2)
This is a good approach (Score:2)
Instead of using AI to "increase productivity" by quickly generating bloated, inefficient, bug-ridden, insecure slop, the better use of the tools is to find bugs, security weaknesses, and unhandled edge conditions. AI research should focus on creating better code: bug-free, efficient, and secure, with all edge cases handled.
He was one of the best of us (Score:1)
In No Way Worth the Cost (Score:2)
Re: (Score:2)
Re: (Score:2)
It will cure cancer. In combination with robotics, it will make personalized cancer treatments based on each person's tumor genome. Basically, once you have a few biopsies of a person's cancer, you can determine what proteins, DNA, and RNA are aberrant and design a treatment against that.
Re: (Score:2)
Yep (Score:2)
Unfort. e'ryone picked an opinion/side two yrs ago (Score:2, Informative)
Unfortunately everyone picked an opinion two years ago, when AI was genuinely garbage beyond some basic bash scripts or a top 1000 bug/question on stack exchange (which mostly overlap). AI started getting really good in Dec '24, particularly spring '25 and by August 2025 even the $20/mo tier of chatgpt was starting to get legit as OpenAI started to try catching up with (now market leader) Anthropic and their blessed claude code. The 4.5/4.6 models released this year are nothing short of incredible, and the
Re: (Score:2)
The question is not what bugs they find (Score:3)
The question is what bugs they miss. Because that determines whether you still need to do a full review, and that review does not actually get much faster when there are fewer bugs.
LLMs can't explain themselves (Score:2)
One issue with the overall architecture (which is just statistical prediction) is that it can't really provide useful insight into why it did what it did, which was a requirement for expert systems back in the day.
Honestly, it seems like building better static analysis tools for finding these kinds of problems is a better way to go overall. The tools could be more relaxed about reporting potential issues and allow more false positives, versus focusing on reporting things that are certainly bugs, but still be based on
Re: (Score:2)
One issue with the overall architecture (which is just statistical prediction) is that it can't really provide useful insights on why it did what it did.
I think you're describing the models from a year ago. Most of the improvements in capability since then (and the improvements have been really large) are directly due to changes that have the AI model talk to itself to better reason out its response before providing it, and one of the results of that is that most of the time they absolutely can explain why they did what they did. There are exceptions, but they are the exception, not the rule.
It's interesting to compare this with humans. Humans generall
Re: (Score:3)
That's not completely true anymore, but in particular not that relevant if it can do a post-hoc explanation.
Why you're right: Generating something does not allow the LLM to explain it without making up a new explanation (with caveats)
Why you're wrong: Thinking models first generate a thinking trace and then answer based on this. The thinking trace is a good explanation for the answer that comes after
Why it doesn't matter: If a second run can explain the code (in a second run), it is not important what the r
Who cares about code, replace government with AI (Score:2)
Re: (Score:1)
I for one welcome our new AI overlords (Score:1)