How To Patch Linux Kernel

Patching the Linux kernel requires downloading the correct source code and applying a diff file with the patch command. Understanding How To Patch Linux Kernel is a core skill for system administrators and developers who need to apply security fixes or custom modifications. This guide walks you through the entire process, from preparation to verification, with clear steps and practical examples.

You don’t need to be a kernel expert to patch it. With a few command-line tools and some patience, you can update your kernel safely. Let’s start with the basics.

Understanding Kernel Patches

A kernel patch is a text file containing differences between two versions of source code. It tells you exactly what lines to add, remove, or change. The patch utility applies these changes automatically.

Patches come in two main forms: incremental patches (like patch-5.10.1-5.10.2) and cumulative patches (like patch-5.10.2). Incremental patches apply sequentially, while cumulative patches include all changes up to a specific version.

You’ll typically download patches from kernel.org or your distribution’s repository. Always verify the integrity of patch files using GPG signatures or checksums.

Now we get to the core procedure. Follow these steps carefully to avoid breaking your system.

Step 1: Prepare Your Environment

Before patching, ensure you have the necessary tools installed. You’ll need:

A C compiler (gcc)
Make and related build tools
Kernel headers or source code
The patch utility
Root access (or sudo privileges)

Install these on Debian/Ubuntu with:

sudo apt update
sudo apt install build-essential linux-source patch

On Red Hat/Fedora:

sudo dnf groupinstall "Development Tools"
sudo dnf install kernel-devel patch

Make sure you have enough disk space. A full kernel source tree takes about 1-2 GB, and compilation requires additional space.

Step 2: Download The Correct Kernel Source

You need the exact kernel version that the patch was created for. Check your current kernel version:

uname -r

Visit kernel.org and download the source tarball matching your version. For example, if you’re running 5.10.0, download linux-5.10.tar.xz.

Extract the source:

tar -xf linux-5.10.tar.xz
cd linux-5.10

If you’re patching a distribution kernel, you might need the distribution’s source package instead. For Ubuntu, use apt-get source linux-image-$(uname -r).

Step 3: Download The Patch File

Find the appropriate patch from kernel.org or your vendor. Patch files are usually named like patch-5.10.1.xz or patch-5.10.1-5.10.2.xz.

Download the patch to your working directory:

wget https://cdn.kernel.org/pub/linux/kernel/v5.x/patch-5.10.1.xz

Decompress it:

unxz patch-5.10.1.xz

Always verify the patch’s authenticity. Check the GPG signature if available:

gpg --verify patch-5.10.1.sign

Step 4: Apply The Patch

Now comes the main event. From inside the kernel source directory, run:

patch -p1 < ../patch-5.10.1

The -p1 flag strips the first directory level from the patch file paths. Most kernel patches expect this.

If the patch applies cleanly, you'll see output like:

patching file Makefile
patching file arch/x86/kernel/cpu/common.c
...

If there are conflicts, the patch utility will create reject files (.rej). You'll need to resolve these manually.

For incremental patches, apply them in order. For example, to go from 5.10.0 to 5.10.2:

patch -p1 < ../patch-5.10.1
patch -p1 < ../patch-5.10.2

Step 5: Verify The Patch Applied Correctly

Check for any rejected files:

find . -name "*.rej"

If you find any, review the reject files and fix the conflicts manually. You can also use patch --dry-run before applying to check for potential issues.

Update the kernel version in the Makefile if needed. The patch usually does this automatically, but double-check:

head -5 Makefile

Step 6: Configure And Build The Kernel

Use your existing kernel configuration as a starting point:

cp /boot/config-$(uname -r) .config

Then update it for the new version:

make olddefconfig

This sets any new options to their default values. You can also run make menuconfig for a graphical interface.

Build the kernel and modules:

make -j$(nproc)
make modules_install

The -j$(nproc) flag speeds up compilation by using all CPU cores. This step can take 30 minutes to several hours depending on your hardware.

Step 7: Install The New Kernel

Install the kernel image and update the bootloader:

sudo make install

This copies the kernel to /boot and updates GRUB configuration. On some systems, you might need to run update-grub manually.

Reboot and select the new kernel from the boot menu:

sudo reboot

Step 8: Verify The Patch Worked

After rebooting, check the kernel version:

uname -r

It should reflect the patched version. Test critical functionality like networking, filesystems, and device drivers.

If something breaks, you can boot the old kernel from GRUB and troubleshoot.

Common Patch Application Methods

There are several ways to apply patches, depending on your workflow.

Using Git To Apply Patches

If you cloned the kernel from a Git repository, use git am for patches formatted as email:

git am < patch-file

For standard patches, use git apply:

git apply patch-file

Git provides better conflict resolution and version tracking.

Patching Distribution Kernels

Some distributions use custom kernel packages. For Ubuntu, you can patch the kernel source from the package manager:

apt-get source linux-image-$(uname -r)
cd linux-*
patch -p1 < /path/to/patch

Then rebuild the package with dpkg-buildpackage.

Applying Multiple Patches

For a series of patches, use a script or apply them sequentially:

for patch in /path/to/patches/*.patch; do
    patch -p1 < "$patch"
done

Always test each patch individually if possible.

Troubleshooting Common Patch Issues

Things don't always go smoothly. Here are common problems and solutions.

Patch Rejects And Conflicts

When a patch fails, it creates .rej files. Open these to see what went wrong. Common causes include:

Wrong kernel version
Already applied patches
Modified source files

To resolve conflicts, manually edit the source files to incorporate the changes from the reject file.

Missing Dependencies

Some patches require other patches to be applied first. Check the patch description or README for prerequisites.

If you get errors about missing symbols, you might need to enable certain kernel options in your configuration.

Compilation Errors After Patching

If the kernel fails to compile after patching, check for:

Incorrect configuration options
Missing header files
Compiler version incompatibilities

Try running make clean and rebuilding from scratch.

Best Practices For Kernel Patching

Follow these guidelines to minimize risks.

Always Backup Your System

Before patching, create a full system backup or at least backup your kernel configuration and /boot partition. A failed kernel can leave your system unbootable.

Test In A Virtual Machine First

If possible, test the patched kernel in a VM before deploying to production. This catches obvious issues without risking your main system.

Keep A Known-Good Kernel

Always keep at least one working kernel in your bootloader. Most distributions keep the last kernel, but verify this.

Document Your Changes

Record which patches you applied and why. This helps with debugging and future updates.

Automating Kernel Patching

For repeated patching, consider automation.

Using Scripts

Write a bash script that downloads, applies, and builds the kernel:

#!/bin/bash
VERSION="5.10.1"
cd /usr/src
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-$VERSION.tar.xz
tar -xf linux-$VERSION.tar.xz
cd linux-$VERSION
patch -p1 < /path/to/patch
make olddefconfig
make -j$(nproc)
make modules_install
make install

Using Configuration Management Tools

Tools like Ansible, Puppet, or Chef can manage kernel patching across multiple machines. This ensures consistency in enterprise environments.

Security Considerations

Kernel patches often address security vulnerabilities. Apply them promptly, but test thoroughly first.

Only download patches from trusted sources like kernel.org or your distribution's official repositories. Verify GPG signatures when available.

If you're patching a production system, have a rollback plan. This might include keeping the old kernel in GRUB or using a bootable rescue disk.

Frequently Asked Questions

What Is The Difference Between Patching And Upgrading The Kernel?

Patching applies small changes to an existing kernel version, while upgrading moves to a completely new version. Patches are typically smaller and faster to apply.

Can I Patch A Running Kernel Without Rebooting?

Live patching tools like kpatch or KGraft allow applying certain security patches without rebooting. However, most kernel patches require a reboot to take effect.

How Do I Revert A Kernel Patch?

To revert a patch, use the -R flag: patch -p1 -R < patch-file. Alternatively, boot the old kernel from GRUB and remove the patched kernel.

Why Does My Patch Fail With "Hunk #1 FAILED"?

This usually means the source code doesn't match what the patch expects. Check that you're using the correct kernel version and that no previous patches have been applied.

Do I Need To Patch Every Kernel Update?

Not necessarily. Only patch when you need a specific fix or feature not available in your current kernel. For general updates, it's easier to upgrade to a newer kernel version.

Conclusion

Patching the Linux kernel is a straightforward process once you understand the steps. Start with a test environment, always verify your patches, and keep backups. With practice, you'll be able to apply security fixes and custom modifications confidently.

Remember to check kernel.org for the latest patches and follow your distribution's guidelines for patching. The skill of kernel patching is invaluable for maintaining secure and optimized Linux systems.

If you encounter issues, the Linux kernel mailing list and various forums have extensive archives of common problems and solutions. Don't hesitate to search for specific error messages.

Now you have the knowledge to patch your Linux kernel effectively. Apply it wisely and keep your systems up to date.