Re: [PATCH] killswitch: add per-function short-circuit mitigation primitive

Next message: Sasha Levin: "[PATCH AUTOSEL 7.0-5.15] scsi: smartpqi: Silence a recursive lock warning"
Previous message: Sasha Levin: "[PATCH AUTOSEL 7.0-6.1] powerpc/pasemi: Drop redundant res assignment"
In reply to: Breno Leitao: "Re: [PATCH] killswitch: add per-function short-circuit mitigation primitive"
Next in thread: Song Liu: "Re: [PATCH] killswitch: add per-function short-circuit mitigation primitive"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andrew Morton

Date: Mon May 11 2026 - 18:33:38 EST

On Mon, 11 May 2026 15:07:51 +0200 Michal Hocko <mhocko@xxxxxxxx> wrote:

> > 2) It's common to run hundreds of different kernel versions across a
> > fleet. Since livepatch is kernel-specific, a single CVE suddenly
> > requires building and deploying hundreds of individual livepatches—
> > far less practical than a simple sysfs write.
>
> LP is certainly a more laborous solution.

<another please-educate-akpm email>

Does a livepatch *have* to be distributed as a ready-to-load kernel
module?

Is it not possible to distribute a "livepatch" to the fleet as a single
string? Send out "make function some_bad_function() return -EINVAL"
and let scripting on each machine figure out how to locally write,
build, sign and install such a livepatch?

That would require that each machine locally contains enough data for
it to be able to build a kernel for the currently-running kernel, and
that each machine contains a build environment.

I *think* this is feasible on distro-based machines? But perhaps not
on stripped-down hyperscalar boxen?