How to Use the Linux Kernel Kill Switch to Mitigate Vulnerabilities
Introduction
In response to rising Linux Privilege Escalation (LPE) vulnerabilities such as Copy Fail and Dirty Frag, NVIDIA engineer and stable kernel co-maintainer Sasha Levin has proposed a new kernel mechanism called killswitch. This tool allows system administrators to instantly disable a specific, vulnerable kernel function on a running system — without a full kernel update or reboot. By feeding the kernel a function name and a return value, the killswitch intercepts calls to that function and returns the specified value immediately, bypassing the actual vulnerable code. This guide walks you through using the killswitch safely and effectively.
What You Need
- A Linux kernel version that includes the killswitch patch (currently under review; may be backported to stable/LTS trees)
- Root privileges (sudo or direct root access) — all killswitch operations require root
- Knowledge of the exact kernel function name you want to disable (e.g.,
af_alg_sendmsg,ksmbd_*, etc.) - A desired return value (usually
-1for error, but can be any integer) - Access to the sysfs control file:
/sys/kernel/security/killswitch/control
Step-by-Step Guide
Step 1: Identify the Vulnerable Kernel Function
Before engaging the killswitch, you must determine which kernel function contains the security flaw. Common candidates mentioned in the proposal include:
af_alg_sendmsg— part of the AF_ALG cryptographic interface (exploited by Copy Fail)ksmbdfunctions — SMB server in kernelnftablesrelated functions — netfilter tablesvsock— virtual socket functionsax25— amateur radio AX.25 protocol
Check security advisories or your distribution’s alerts to find the exact function name. Be certain you have the right name; disabling the wrong function can break critical system services.
Step 2: Engage the Kill Switch via sysfs
Once you have the function name and desired return value, run the following command as root:
echo "engage <function_name> <return_value>" > /sys/kernel/security/killswitch/controlFor example, to disable af_alg_sendmsg and make it return -1 (error):
echo "engage af_alg_sendmsg -1" > /sys/kernel/security/killswitch/controlThe killswitch activates immediately across all CPU cores. Every subsequent call to that function will receive the specified return value without executing the actual code. The effect persists until you disengage it or until the system reboots.
Step 3: Verify the Kill Switch is Active
To confirm that the killswitch is engaged, check the kernel’s taint flags. When any killswitch is active, a new flag H (bit 20) is set in the taint mask. You can view the current taint flags with:
cat /proc/sys/kernel/taintedIf the output is 1048576 (or includes that value), the H flag is set. Additionally, any kernel crash that occurs while the killswitch is engaged will produce an “H” in the crash banner, alerting maintainers that the kernel was modified. Also, test that the affected functionality now returns errors. For example, if you disabled af_alg_sendmsg, try using an application that relies on AF_ALG (e.g., dm-crypt or OpenSSL with AF_ALG engine) — it should fail gracefully.
Step 4: Disengage the Kill Switch After Patching
Once the vulnerability has been fixed via a proper kernel update, you should remove the killswitch. As root, run:
echo "disengage <function_name>" > /sys/kernel/security/killswitch/controlFor example:
echo "disengage af_alg_sendmsg" > /sys/kernel/security/killswitch/controlNote: The taint flag H (bit 20) remains set until the next reboot, even after disengaging. This is intentional — it permanently marks the kernel as modified for the current session. A reboot clears the flag and restores the normal taint state.
Step 5 (Alternative): Apply Kill Switch Across a Fleet via Boot Parameter
If you need to mitigate a vulnerability on many machines simultaneously (e.g., through a bootloader configuration), use the kernel boot parameter:
killswitch=function1=value1,function2=value2,...For instance, in GRUB’s GRUB_CMDLINE_LINUX:
killswitch=af_alg_sendmsg=-1,ksmbd_ioctl=-1This engages the killswitch for both functions at boot time, before any userspace runs. The same rules apply: the functions are intercepted and return the specified value. After the vulnerability is fixed, update the boot parameter or remove it, then reboot to disengage.
Tips and Warnings
- Choose your target carefully. The killswitch proposal includes a dedicated section “Choosing the right target.” Disabling a function that is essential for your workload (e.g., a filesystem driver or network protocol) can render your system unusable. Test on non‑production systems first.
- It is a temporary measure. The killswitch does not fix the underlying vulnerability; it only prevents the vulnerable code from executing. Always apply the official kernel patch as soon as possible.
- Understand the taint implications. Engaging the killswitch taints your kernel with the
Hflag. This mark persists even after disengaging, until reboot. If you encounter a crash or bug while the taint is present, kernel maintainers will be aware that modifications were made, which may affect their debugging. - Be prepared for side effects. Any userspace program that depends on the disabled function will stop working. For example, disabling
af_alg_sendmsgbreaks all AF_ALG sockets — including encrypted storage or VPN software that uses kernel crypto. Plan for service disruption. - Community criticism. Some developers and Reddit users have described the killswitch as “a security feature that may be worse than the vulnerability.” Weigh the risk of leaving a flaw unpatched against the operational impact of killing a function. Use only when patching is not immediately possible.
- Keep documentation handy. The sysfs interface and boot parameter syntax are still evolving. Refer to the latest kernel documentation (once merged) or the original patch description for any changes.