Re: [PATCH v3] killswitch: add per-function short-circuit mitigation primitive
From: Song Liu
Date: Mon May 18 2026 - 02:41:06 EST
On Sun, May 17, 2026 at 6:49 AM Sasha Levin <sashal@xxxxxxxxxx> wrote:
>
> When a kernel (security) issue goes public, fleets stay exposed until a patched
> kernel is built, distributed, and rebooted into.
>
> For many such issues the simplest mitigation is to stop calling the buggy
> function. Killswitch provides that. An admin writes:
>
> echo "engage af_alg_sendmsg -1" \
> > /sys/kernel/security/killswitch/control
>
> After this, af_alg_sendmsg() returns -EPERM on every call without
> running its body. The mitigation takes effect immediately, and is dropped on
> the next reboot -- by which point a patched kernel is hopefully in place.
>
> A lot of recent kernel issues sit in code paths most installs only have enabled
> to support a relative minority of users: AF_ALG, ksmbd, nf_tables, vsock, ax25,
> and friends.
>
> For most users, the cost of "this socket family stops working for the day" is
> much smaller than the cost of running a known vulnerable kernel until the fix
> lands.
>
> Why not an existing facility:
>
> * livepatch needs a built, signed, per-kernel-version module per CVE.
> Under Secure Boot the operator can't sign their own, so they wait
> for the vendor, and only a minority of vendors actually ship
> livepatches. Killswitch covers the days before that module shows
> up.
>
> * fail_function (CONFIG_FUNCTION_ERROR_INJECTION) is disabled in
> most production kernels. Even where enabled, it only works on
> functions pre-annotated with ALLOW_ERROR_INJECTION() in source -
> no help for a freshly-disclosed CVE. The debugfs UI is blocked by
> lockdown=integrity and the override is probabilistic.
>
> * BPF override (bpf_override_return) honors the same
> ALLOW_ERROR_INJECTION() whitelist, and BPF itself is off in many
> production kernels. Even where on, the operator interface is
> "load a verified BPF program," not a one-line write.
If it is OK for killswitch to attach to any kernel functions, do we still
need ALLOW_ERROR_INJECTION() for fail_function and BPF
override? Shall we instead also allow fail_function and BPF override
to attach to any kernel functions?
Thanks,
Song