From: Breno Leitao <leitao@debian.org>
To: Michal Hocko <mhocko@suse.com>
Cc: Sasha Levin <sashal@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
corbet@lwn.net, skhan@linuxfoundation.org,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, gregkh@linuxfoundation.org,
ivaz@meta.com
Subject: Re: [PATCH] killswitch: add per-function short-circuit mitigation primitive
Date: Mon, 11 May 2026 06:40:16 -0700 [thread overview]
Message-ID: <agHW-lYKoWmuBLDQ@gmail.com> (raw)
In-Reply-To: <agHUp8ulaWJ75WU5@tiehlicka>
Hello Michal,
On Mon, May 11, 2026 at 03:07:51PM +0200, Michal Hocko wrote:
> > I work with these issues at Meta, and this approach would address a real
> > need we have.
> >
> > While livepatch could theoretically solve this problem, it's less suited
> > for rapid mitigation for a couple of reasons:
> >
> > 1) Livepatch rollout is inherently slower due to the blast radius if a
> > bug exists in the livepatch mechanism itself.
> >
> > 2) It's common to run hundreds of different kernel versions across a
> > fleet. Since livepatch is kernel-specific, a single CVE suddenly
> > requires building and deploying hundreds of individual livepatches—
> > far less practical than a simple sysfs write.
>
> LP is certainly a more laborous solution. I guess this is quite clear.
>
> It is also much safer option as it deals with all implementation details
> like consistency. All that is not done for fun. I am really wondering
> how admins are expected to a) know which kernel functions are ok/safe to
> disable and b) when it is safe to do so without introducing unsafe
> kernel state or introduce an outright bug that way.
You raise a valid concern. There's no simple answer. Making these decisions
requires deep understanding of both the code and the potential consequences.
The value proposition here (IMO) is the ability to completely disable a
code path by returning an error code (such as -EINVAL or -EBUSY) at key
entry points, rather than attempting surgical modifications.
While this approach is far from perfect, it can serve as an effective
stopgap measure until a proper fix is deployed or a livepatch becomes
available.
> Thiking about this I can see how waiting for an official LP can be time
> consuming and sometimes creating those is far from trivial. But would it
> make sense to have automated LP creation tooling available that would
> allow to return early from a function and relly on the existing
> infrastructure to do the right thing?
Absolutely. I view this as a progression of mitigation strategies, where
the ultimate goal is deploying a properly fixed kernel, but reaching that
endpoint may require intermediate steps.
1) Fix and deploy a new kernel:
* Pros: Lowest risk, permanent solution
* Cons:
- Requires reboot and extended downtime
2) Livepatch:
* Pros: Complete mitigation, clean approach, zero downtime
* Cons:
- Time-intensive rollout (requires bake time and health checks)
- Demands manual patch creation and review for each kernel version
(i.e., kernel developer involvement is essential)
3) This approach (killswitch):
* Pros: Immediate deployment capability
- Security engineers familiar with kernel code can act independently
* Cons:
- Risk of instability if the operator misjudges the impact
In short, I see killswitch as a complementary tool in the security
toolbox, not a universal solution.
--breno
prev parent reply other threads:[~2026-05-11 13:40 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-07 7:05 [PATCH] killswitch: add per-function short-circuit mitigation primitive Sasha Levin
2026-05-07 10:47 ` Greg KH
2026-05-07 13:40 ` Sasha Levin
2026-05-07 16:23 ` Greg KH
2026-05-07 15:21 ` Jonathan Corbet
2026-05-08 13:44 ` Sasha Levin
2026-05-08 15:40 ` Joshua Peisach
2026-05-08 15:48 ` Mathieu Desnoyers
2026-05-08 16:13 ` Sasha Levin
2026-05-08 16:18 ` Mathieu Desnoyers
2026-05-08 16:23 ` Sasha Levin
2026-05-08 16:26 ` Mathieu Desnoyers
2026-05-08 16:54 ` Sasha Levin
2026-05-08 20:56 ` Andrew Morton
2026-05-08 21:47 ` Sasha Levin
2026-05-08 23:49 ` Andrew Morton
2026-05-09 0:15 ` Sasha Levin
2026-05-09 0:36 ` Andrew Morton
2026-05-11 11:41 ` Breno Leitao
2026-05-11 13:07 ` Michal Hocko
2026-05-11 13:39 ` Sasha Levin
2026-05-11 13:49 ` Michal Hocko
2026-05-11 13:56 ` Sasha Levin
2026-05-11 14:25 ` Michal Hocko
2026-05-11 15:55 ` Sasha Levin
2026-05-11 16:10 ` Michal Hocko
2026-05-11 16:45 ` Sasha Levin
2026-05-11 17:10 ` Michal Hocko
2026-05-11 18:09 ` Sasha Levin
2026-05-11 13:40 ` Breno Leitao [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agHW-lYKoWmuBLDQ@gmail.com \
--to=leitao@debian.org \
--cc=akpm@linux-foundation.org \
--cc=corbet@lwn.net \
--cc=gregkh@linuxfoundation.org \
--cc=ivaz@meta.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mhocko@suse.com \
--cc=sashal@kernel.org \
--cc=skhan@linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox