Introducing kpatch: Dynamic Kernel Patching

In upstream development news, the kernel team here at Red Hat has been working on a dynamic kernel patching project called kpatch for several months.   At long last, the project has reached a point where we feel it's ready for a wider audience and are very excited to announce that we've released the kpatch code under GPLv2.

kpatch allows you to patch a Linux kernel without rebooting or restarting any processes.  This enables sysadmins to apply critical security patches to the kernel immediately, without having to wait for long-running tasks to complete, users to log off, or scheduled reboot windows.  It gives more control over uptime without sacrificing security or stability.

How it Works

With respect to granularity, kpatch works at the function level; put simply, old functions are replaced with new ones.  It has four main components:

• kpatch-build: a collection of tools which convert a source diff patch to a hot patch module. They work by compiling the kernel both with and without the source patch, comparing the binaries, and generating a hot patch module which includes new binary versions of the functions to be replaced.
• hot patch module: a kernel module (.ko file) which includes the replacement functions and metadata about the original functions.
• kpatch core module: a kernel module (.ko file) which provides an interface for the hot patch modules to register new functions for replacement.  It uses the kernel ftrace subsystem to hook into the original function's mcount call instruction, so that a call to the original function is redirected to the replacement function.
• kpatch utility: a command-line tool which allows a user to manage a collection of hot patch modules.  One or more hot patch modules may be configured to load at boot time, so that a system can remain patched even after a reboot into the same version of the kernel.

Learn More, Try it Out, and Get Involved

If you’d like to learn more about kpatch, check out the kpatch github project.  For the adventurous, there are even installation and quick start instructions for Fedora 20.  Better yet... we’d love for you to get involved and contribute to our collective efforts.

For those who do test kpatch, be warned: KPATCH IS STILL IN ACTIVE DEVELOPMENT.  IT IS NOT PRODUCTION READY, AND COULD CRASH YOUR SYSTEM.

We're very interested in getting your feedback!  Feel free to join the kpatch mailing list to report feedback, ask questions, or learn how to contribute.