Hacker News
by chasil 1843 days ago
...it's not just getting patched.

Kernelcare has given me 48 hotfixes on a 3.10 kernel that I booted last year.

    kcarectl --patch-info | awk '/^kpatch-name/{print ++n};{print}'
    ....
    48
    kpatch-name: 3.10.0/proc-restrict-pagemap-access-1062.patch
    kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
    kpatch-kernel: 
    kpatch-cve: 
    kpatch-cvss: 
    kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
    kpatch-patch-url: 

    uname: 3.10.0-1160.25.1.el7
2 comments

Is "kpatch" there actually the same thing as RHEL's kpatch? I thought Kernelcare used something proprietary.
The Kernelcare front end tool is kcarectl.

Ksplice (Oracle) was first, followed by kgraft (SUSE), and kpatch (Red Hat).

According to the article below, kpatch is x86/64 only, uses ftrace, provides runtime patches only until the next minor kernel release on a standard license, does not address all CVEs, and cannot be used with "SystemTop or kprobe."

"KernelCare has no such limitations."

https://blog.kernelcare.com/competitors/kpatch-overview-of-e...

I asked because the listing said "kpatch" in the output of the command. I've never used Kernelcare, only suggested investigating it, despite it being proprietary.

Ksplice was done by MIT students, not Oracle. I used it long before Oracle bought it, initially with my own patches (and actually after that as a "legacy" customer). kpatch isn't just x86_64; it's in at least ppc64le RHEL 7, although not for the "alt kernel" on the POWER9 systems I use.

I don't know whether it's the case, but their comparison rather suggests Kernelcare is based on Ksplice.

+1 for KernelCare.