From c32ec988ac2364a059b433556d0f1588c941bf5c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 7 Feb 2026 16:30:51 +0100
Subject: [PATCH] 5.15-stable patches

added patches:
mm-kfence-randomize-the-freelist-on-initialization.patch
---
 ...omize-the-freelist-on-initialization.patch | 80 +++++++++++++++++++
 queue-5.15/series | 1 +
 2 files changed, 81 insertions(+)
 create mode 100644 queue-5.15/mm-kfence-randomize-the-freelist-on-initialization.patch

diff --git a/queue-5.15/mm-kfence-randomize-the-freelist-on-initialization.patch b/queue-5.15/mm-kfence-randomize-the-freelist-on-initialization.patch
new file mode 100644
index 0000000000..06b2150365
--- /dev/null
+++ b/queue-5.15/mm-kfence-randomize-the-freelist-on-initialization.patch
@@ -0,0 +1,80 @@
+From 870ff19251bf3910dda7a7245da826924045fedd Mon Sep 17 00:00:00 2001
+From: Pimyn Girgis
+Date: Tue, 20 Jan 2026 17:15:10 +0100
+Subject: mm/kfence: randomize the freelist on initialization
+
+From: Pimyn Girgis
+
+commit 870ff19251bf3910dda7a7245da826924045fedd upstream.
+
+Randomize the KFENCE freelist during pool initialization to make
+allocation patterns less predictable. This is achieved by shuffling the
+order in which metadata objects are added to the freelist using
+get_random_u32_below().
+
+Additionally, ensure the error path correctly calculates the address range
+to be reset if initialization fails, as the address increment logic has
+been moved to a separate loop.
+
+Link: https://lkml.kernel.org/r/20260120161510.3289089-1-pimyn@google.com
+Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
+Signed-off-by: Pimyn Girgis
+Reviewed-by: Alexander Potapenko
+Cc: Dmitry Vyukov
+Cc: Marco Elver
+Cc: Ernesto Martnez Garca
+Cc: Greg KH
+Cc: Kees Cook
+Cc: 
+Signed-off-by: Andrew Morton
+Signed-off-by: Pimyn Girgis
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/kfence/core.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+--- a/mm/kfence/core.c
++++ b/mm/kfence/core.c
+@@ -520,7 +520,7 @@ static bool __init kfence_init_pool(void
+ {
+ unsigned long addr = (unsigned long)__kfence_pool;
+ struct page *pages;
+- int i;
++ int i, rand;
+ char *p;
+ 
+ if (!__kfence_pool)
+@@ -576,13 +576,30 @@ static bool __init kfence_init_pool(void
+ INIT_LIST_HEAD(&meta->list);
+ raw_spin_lock_init(&meta->lock);
+ meta->state = KFENCE_OBJECT_UNUSED;
+- meta->addr = addr; /* Initialize for validation in metadata_to_pageaddr(). */
+- list_add_tail(&meta->list, &kfence_freelist);
++ /* Use addr to randomize the freelist. */
++ meta->addr = i;
+ 
+ /* Protect the right redzone. */
+- if (unlikely(!kfence_protect(addr + PAGE_SIZE)))
++ if (unlikely(!kfence_protect(addr + 2 * i * PAGE_SIZE + PAGE_SIZE))) {
++ addr += 2 * i * PAGE_SIZE;
+ goto err;
++ }
++ }
++
++ for (i = CONFIG_KFENCE_NUM_OBJECTS; i > 0; i--) {
++ rand = get_random_u32() % i;
++ swap(kfence_metadata[i - 1].addr, kfence_metadata[rand].addr);
++ }
++
++ for (i = 0; i < CONFIG_KFENCE_NUM_OBJECTS; i++) {
++ struct kfence_metadata *meta_1 = &kfence_metadata[i];
++ struct kfence_metadata *meta_2 = &kfence_metadata[meta_1->addr];
++
++ list_add_tail(&meta_2->list, &kfence_freelist);
++ }
+ 
++ for (i = 0; i < CONFIG_KFENCE_NUM_OBJECTS; i++) {
++ kfence_metadata[i].addr = addr;
+ addr += 2 * PAGE_SIZE;
+ }
+ 
diff --git a/queue-5.15/series b/queue-5.15/series
index 3419b738a5..803c0f1f4f 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -3,3 +3,4 @@ platform-x86-intel_telemetry-fix-swapped-arrays-in-pss-output.patch
 rbd-check-for-eod-after-exclusive-lock-is-ensured-to-be-held.patch
 arm-9468-1-fix-memset64-on-big-endian.patch
 kvm-don-t-clobber-irqfd-routing-type-when-deassigning-irqfd.patch
+mm-kfence-randomize-the-freelist-on-initialization.patch
-- 
2.47.3
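Review bot: The shuffle line `rand = get_random_u32() % i;` in the new `for (i = CONFIG_KFENCE_NUM_OBJECTS; i > 0; i--)` loop departs from the upstream code the commit message describes (`get_random_u32_below()`), yet the backported patch carries no note saying so; stable convention is a bracketed line ahead of the backporter's Signed-off-by, e.g. `[ pimyn: use get_random_u32() % i, get_random_u32_below() is not in 5.15 ]`. The modulo form has a bias that is negligible for an `i` bounded by CONFIG_KFENCE_NUM_OBJECTS against a 32-bit draw, which deserves a one-line comment beside it, e.g. `/* Modulo bias is negligible: i is tiny relative to 2^32. */`, so it is not later replaced with something weaker or a wider range. Note also that `meta->addr` holds an index rather than an address until the final loop runs, so if `err:` (outside the hunk) or anything reached from it reads `meta->addr` on the early-exit path, it would see the index; I cannot confirm from the hunk that it does not. The enclosing kfence_init_pool() starts and ends outside the hunk.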