Re: [PATCH] killswitch: add per-function short-circuit mitigation primitive

The Linux Kernel Mailing List
 help / color / mirror / Atom feed

From: Michal Hocko <mhocko@suse.com>
To: Sasha Levin <sashal@kernel.org>
Cc: Breno Leitao <leitao@debian.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	corbet@lwn.net, skhan@linuxfoundation.org,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-kselftest@vger.kernel.org, gregkh@linuxfoundation.org
Subject: Re: [PATCH] killswitch: add per-function short-circuit mitigation primitive
Date: Mon, 11 May 2026 16:25:57 +0200	[thread overview]
Message-ID: <agHm9Vj7bPPCRS1g@tiehlicka> (raw)
In-Reply-To: <agHgDgwu8H9Opzpl@laps>

On Mon 11-05-26 09:56:30, Sasha Levin wrote:
> On Mon, May 11, 2026 at 03:49:24PM +0200, Michal Hocko wrote:
> > On Mon 11-05-26 09:39:32, Sasha Levin wrote:
> > > On Mon, May 11, 2026 at 03:07:51PM +0200, Michal Hocko wrote:
> > > > On Mon 11-05-26 04:41:38, Breno Leitao wrote:
> > > > > On Fri, May 08, 2026 at 05:47:04PM -0400, Sasha Levin wrote:
> > > > > > On Fri, May 08, 2026 at 01:56:30PM -0700, Andrew Morton wrote:
> > > > > > > On Thu,  7 May 2026 03:05:45 -0400 Sasha Levin <sashal@kernel.org> wrote:
> > > > > > >
> > > > > > > > When a (security) issue goes public, fleets stay exposed until a patched kernel
> > > > > > > > is built, distributed, and rebooted into.
> > > > > > > >
> > > > > > > > For many such issues the simplest mitigation is to stop calling the buggy
> > > > > > > > function. Killswitch provides that. An admin writes:
> > > > > > > >
> > > > > > > >     echo "engage af_alg_sendmsg -1" \
> > > > > > > >         > /sys/kernel/security/killswitch/control
> > > > > > >
> > > > > > > It certainly sounds useful, but what would I know.  How do we hunt down
> > > > > > > suitable operations people (aka "target audience") to find out how
> > > > > > > useful this is to them?
> > > > > >
> > > > > > I'm not entierly sure here... If folks have suggestions on folks to loop in,
> > > > > > that'll be great!
> > > > >
> > > > > I work with these issues at Meta, and this approach would address a real
> > > > > need we have.
> > > 
> > > Thanks for the feedback!
> > > 
> > > > > While livepatch could theoretically solve this problem, it's less suited
> > > > > for rapid mitigation for a couple of reasons:
> > > > >
> > > > > 1) Livepatch rollout is inherently slower due to the blast radius if a
> > > > >    bug exists in the livepatch mechanism itself.
> > > > >
> > > > > 2) It's common to run hundreds of different kernel versions across a
> > > > >    fleet. Since livepatch is kernel-specific, a single CVE suddenly
> > > > >    requires building and deploying hundreds of individual livepatches—
> > > > >    far less practical than a simple sysfs write.
> > > >
> > > > LP is certainly a more laborous solution. I guess this is quite clear.
> > > > It is also much safer option as it deals with all implementation details
> > > > like consistency. All that is not done for fun. I am really wondering
> > > > how admins are expected to a) know which kernel functions are ok/safe to
> > > > disable and b) when it is safe to do so without introducing unsafe
> > > > kernel state or introduce an outright bug that way.
> > > 
> > > In a similar way to how they would know if a given livepatch is safe to apply -
> > > ideally it would be communicated by the vendor/distro/kernel team.
> > 
> > You have missed my point. KLP takes an extra steps to make sure patching
> > a particular function is safe to modify or to put the change into the
> > effect.
> 
> Safety checks like making sure the patched function is on the stack, or did you
> mean something else?

Yes, exactly what LP infrastructure already provides.

> > > "On Debian XX.YY, use the following command to mitigate CVE-AAAA-BBBB:
> > > 
> > >  echo "engage woops -1" > /sys/kernel/security/killswitch/control"
> > > 
> > > > Thiking about this I can see how waiting for an official LP can be time
> > > > consuming and sometimes creating those is far from trivial. But would it
> > > > make sense to have automated LP creation tooling available that would
> > > > allow to return early from a function and relly on the existing
> > > > infrastructure to do the right thing?
> > > 
> > > This would definitely help (and in light of how the last couple of weeks played
> > > out, the case for livepatches definitely increased), but not all
> > > vendors/distros provide livepatches.
> > 
> > The point I've tried to make is that you (as an admin) shouldn't depend
> > on your vendor to provide you with an official LP just to disable a
> > certain function(ality). That is/should be a trivial case where the LP
> > should be ideally generated automagically if you have a tooling
> > available. I might be wrong and overlook some complexity here.
> 
> Module signing is what stops that approach for me.

OK, so the actual constrain here is that you cannot load your own
modules. That was not really clear from your description. I assume you
cannot enroll your own key and sign?
-- 
Michal Hocko
SUSE Labs

next prev parent reply	other threads:[~2026-05-11 14:25 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-07  7:05 [PATCH] killswitch: add per-function short-circuit mitigation primitive Sasha Levin
2026-05-07 10:47 ` Greg KH
2026-05-07 13:40   ` Sasha Levin
2026-05-07 16:23     ` Greg KH
2026-05-07 15:21 ` Jonathan Corbet
2026-05-08 13:44   ` Sasha Levin
2026-05-08 15:40 ` Joshua Peisach
2026-05-08 15:48   ` Mathieu Desnoyers
2026-05-08 16:13     ` Sasha Levin
2026-05-08 16:18       ` Mathieu Desnoyers
2026-05-08 16:23         ` Sasha Levin
2026-05-08 16:26           ` Mathieu Desnoyers
2026-05-08 16:54             ` Sasha Levin
2026-05-08 20:56 ` Andrew Morton
2026-05-08 21:47   ` Sasha Levin
2026-05-08 23:49     ` Andrew Morton
2026-05-09  0:15       ` Sasha Levin
2026-05-09  0:36         ` Andrew Morton
2026-05-11 11:41     ` Breno Leitao
2026-05-11 13:07       ` Michal Hocko
2026-05-11 13:39         ` Sasha Levin
2026-05-11 13:49           ` Michal Hocko
2026-05-11 13:56             ` Sasha Levin
2026-05-11 14:25               ` Michal Hocko [this message]
2026-05-11 15:55                 ` Sasha Levin
2026-05-11 16:10                   ` Michal Hocko
2026-05-11 16:45                     ` Sasha Levin
2026-05-11 17:10                       ` Michal Hocko
2026-05-11 18:09                         ` Sasha Levin
2026-05-11 13:40         ` Breno Leitao

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=agHm9Vj7bPPCRS1g@tiehlicka \
    --to=mhocko@suse.com \
    --cc=akpm@linux-foundation.org \
    --cc=corbet@lwn.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=leitao@debian.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=sashal@kernel.org \
    --cc=skhan@linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox