5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 7 Feb 2026 15:30:51 +0000 (16:30 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 7 Feb 2026 15:30:51 +0000 (16:30 +0100)
added patches:
mm-kfence-randomize-the-freelist-on-initialization.patch

queue-5.15/mm-kfence-randomize-the-freelist-on-initialization.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/mm-kfence-randomize-the-freelist-on-initialization.patch b/queue-5.15/mm-kfence-randomize-the-freelist-on-initialization.patch
new file mode 100644 (file)
index 0000000..06b2150
--- /dev/null
@@ -0,0 +1,80 @@
+From 870ff19251bf3910dda7a7245da826924045fedd Mon Sep 17 00:00:00 2001
+From: Pimyn Girgis <pimyn@google.com>
+Date: Tue, 20 Jan 2026 17:15:10 +0100
+Subject: mm/kfence: randomize the freelist on initialization
+
+From: Pimyn Girgis <pimyn@google.com>
+
+commit 870ff19251bf3910dda7a7245da826924045fedd upstream.
+
+Randomize the KFENCE freelist during pool initialization to make
+allocation patterns less predictable.  This is achieved by shuffling the
+order in which metadata objects are added to the freelist using
+get_random_u32_below().
+
+Additionally, ensure the error path correctly calculates the address range
+to be reset if initialization fails, as the address increment logic has
+been moved to a separate loop.
+
+Link: https://lkml.kernel.org/r/20260120161510.3289089-1-pimyn@google.com
+Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
+Signed-off-by: Pimyn Girgis <pimyn@google.com>
+Reviewed-by: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Marco Elver <elver@google.com>
+Cc: Ernesto Martnez Garca <ernesto.martinezgarcia@tugraz.at>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: Kees Cook <kees@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Pimyn Girgis <pimyn@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kfence/core.c |   25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+--- a/mm/kfence/core.c
++++ b/mm/kfence/core.c
+@@ -520,7 +520,7 @@ static bool __init kfence_init_pool(void
+ {
+       unsigned long addr = (unsigned long)__kfence_pool;
+       struct page *pages;
+-      int i;
++      int i, rand;
+       char *p;
+       if (!__kfence_pool)
+@@ -576,13 +576,30 @@ static bool __init kfence_init_pool(void
+               INIT_LIST_HEAD(&meta->list);
+               raw_spin_lock_init(&meta->lock);
+               meta->state = KFENCE_OBJECT_UNUSED;
+-              meta->addr = addr; /* Initialize for validation in metadata_to_pageaddr(). */
+-              list_add_tail(&meta->list, &kfence_freelist);
++              /* Use addr to randomize the freelist. */
++              meta->addr = i;
+               /* Protect the right redzone. */
+-              if (unlikely(!kfence_protect(addr + PAGE_SIZE)))
++              if (unlikely(!kfence_protect(addr + 2 * i * PAGE_SIZE + PAGE_SIZE))) {
++                      addr += 2 * i * PAGE_SIZE;
+                       goto err;
++              }
++      }
++
++      for (i = CONFIG_KFENCE_NUM_OBJECTS; i > 0; i--) {
++              rand = get_random_u32() % i;
++              swap(kfence_metadata[i - 1].addr, kfence_metadata[rand].addr);
++      }
++
++      for (i = 0; i < CONFIG_KFENCE_NUM_OBJECTS; i++) {
++              struct kfence_metadata *meta_1 = &kfence_metadata[i];
++              struct kfence_metadata *meta_2 = &kfence_metadata[meta_1->addr];
++
++              list_add_tail(&meta_2->list, &kfence_freelist);
++      }
++      for (i = 0; i < CONFIG_KFENCE_NUM_OBJECTS; i++) {
++              kfence_metadata[i].addr = addr;
+               addr += 2 * PAGE_SIZE;
+       }
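Review bot: The comment `/* Use addr to randomize the freelist. */` above `meta->addr = i;` understates what happens: until the final loop, `meta->addr` holds an object index rather than a pool address, so I would write `/* Temporarily store the object index in addr; the shuffle permutes these and the last loop restores real addresses. */`. The commit message names get_random_u32_below() while this backport uses `rand = get_random_u32() % i;`, so a short backport note saying the helper was substituted would keep message and code in agreement; the modulo's bias stays negligible as long as CONFIG_KFENCE_NUM_OBJECTS is small next to 2^32. kfence_init_pool() is `__init`, and the hunk does not show whether the RNG is seeded when it runs, so the unpredictability of the freelist order should be confirmed against the 5.15 boot order rather than assumed. The function body, including the `err` label, lies outside the hunk.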
index 3419b738a5f0130450f583c348742c795ae0f8db..803c0f1f4f0b4c1bde0f0915a4e3931ec6aaacad 100644 (file)
@@ -3,3 +3,4 @@ platform-x86-intel_telemetry-fix-swapped-arrays-in-pss-output.patch
 rbd-check-for-eod-after-exclusive-lock-is-ensured-to-be-held.patch
 arm-9468-1-fix-memset64-on-big-endian.patch
 kvm-don-t-clobber-irqfd-routing-type-when-deassigning-irqfd.patch
+mm-kfence-randomize-the-freelist-on-initialization.patch