A Linux kernel patch lets admins instantly make any function return a fixed value via securityfs, bridging the gap between vulnerability disclosure and patched kernel deployment.
Key Takeaways
Engage with echo "engage af_alg_sendmsg -1" > /sys/kernel/security/killswitch/control; the change takes effect immediately across all CPUs and is dropped on reboot.
Uses kprobes + ftrace + FUNCTION_ERROR_INJECTION; text_poke_bp() ensures SMP-safe activation before the write() returns.
Boot parameter killswitch=fn1=val,fn2=val supports fleet rollout via bootloader/PXE config during the patch window.
Choosing the wrong target is dangerous: skipping af_alg_count_tsgl causes worse out-of-bounds (OOB) writes; the correct pattern is the highest-level syscall-handler entry point, such as af_alg_sendmsg.
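
An added example (not code from the patch or its author): POSIX shell helpers that check a target name against /proc/kallsyms before building the killswitch= boot parameter, and that rewrite the killswitch= entries of a kernel command line in the control-file syntax for audit. The helper names, the KALLSYMS override and the decimal-only value check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the killswitch patch. KALLSYMS is overridable for testing.
KALLSYMS="${KALLSYMS:-/proc/kallsyms}"

# Succeed only if $1 is a text (t/T) symbol, i.e. a function, in $KALLSYMS.
ks_is_function() {
    awk -v fn="$1" '($2 == "t" || $2 == "T") && $3 == fn { ok = 1 } END { exit !ok }' "$KALLSYMS"
}

# Validate one "function value" pair. Assumption of this example: values are
# plain decimal integers with an optional leading minus, like the page's -1.
ks_valid_pair() {
    case "$1" in ''|*[!A-Za-z0-9_.]*) return 1 ;; esac
    case "$2" in ''|-|*[!0-9-]*|?*-*) return 1 ;; esac
    ks_is_function "$1"
}

# ks_bootparam "fn val" ...: print killswitch=fn1=val,fn2=val, or fail on the
# first pair that does not validate so a typo never reaches a bootloader config.
ks_bootparam() {
    out=
    for pair in "$@"; do
        fn=${pair%% *}; val=${pair#* }
        ks_valid_pair "$fn" "$val" || { echo "rejected: $pair" >&2; return 1; }
        out="${out:+$out,}$fn=$val"
    done
    [ -n "$out" ] && printf 'killswitch=%s\n' "$out"
}

# ks_from_cmdline "CMDLINE": rewrite any killswitch= parameter found in a kernel
# command line as "engage fn val" lines, for auditing what a host booted with.
ks_from_cmdline() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^killswitch=//p' | tr ',' '\n' |
        while IFS='=' read -r fn val; do
            if [ -n "$fn" ]; then printf 'engage %s %s\n' "$fn" "$val"; fi
        done
}
```

The symbol check only catches typos and non-function symbols; it cannot tell whether a function is a safe target, which still has to be decided per vulnerability.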