Beyond Crash-to-Patch: Patch Evolution for Linux Kernel Repair

Luyao Bai, Kenan Alghythee, Hang Zhang, Xiaoguang Wang

Abstract

Linux kernel bug repair is typically approached as a direct mapping from crash reports to code patches. In practice, however, kernel fixes undergo iterative revision on mailing lists before acceptance, with reviewer feedback shaping correctness, concurrency handling, and API compliance. This iterative refinement process encodes valuable repair knowledge that existing automated approaches overlook. We present a large-scale study of kernel patch evolution, reconstructing 6946 syzbot-linked bug-fix lifecycles that connect crash reports, reproducers, mailing-list discussions, revision histories, and merged fixes. Our analysis confirms that accepted repairs are frequently non-local and governed by reviewer-enforced constraints not present in bug reports. Building on these insights, we develop PatchAdvisor, a repair framework that integrates retrieval-based memory with a fine-tuned diagnostic advisor to guide a coding agent toward reviewer-aligned patches. Evaluation on temporally held-out syzbot cases demonstrates that leveraging patch-evolution history yields measurable gains in both reviewer-aligned refinement signals and end-to-end repair quality compared to unguided and retrieval-only baselines.

Paper Structure

This paper contains 29 sections, 1 equation, 7 figures, 5 tables.

Figures (7)

  • Figure 1: Review effort across patch versions. A quarterly stacked area chart showing the average number of discussion replies per patch version for syzbot-reported bugs. The lower layer (V1) represents initial proposals; upper layers (V2–V6+) represent subsequent revisions. The dashed line tracks the quarterly bug count.
  • Figure 2: End-to-end pipeline for building PatchAdvisor from syzbot data: bug reports and patch history are collected and analyzed, compiled into layered memory and training corpora, and then retrieved at inference time to guide LLM-based patch or review generation.
  • Figure 3: Patch comparison for KASAN slab-use-after-free in sock_def_readable (bug f5007221, ATM LEC subsystem). (a) Without guidance, the coding agent targets the wrong subsystem. (b) With advisor context, it locates the correct file. (c) The official fix requires a full RCU refactoring beyond current model capabilities.
  • Figure : Common interface for analyzers in our framework.
  • Figure : A warning reported in kcov is fixed by adding cleanup in the NFC subsystem.
  • ...and 2 more figures