
Commit 870ff19

pimyn-girgisakpm00
authored andcommitted
mm/kfence: randomize the freelist on initialization
Randomize the KFENCE freelist during pool initialization to make allocation patterns less predictable. This is achieved by shuffling the order in which metadata objects are added to the freelist using get_random_u32_below(). Additionally, ensure the error path correctly calculates the address range to be reset if initialization fails, as the address increment logic has been moved to a separate loop. Link: https://lkml.kernel.org/r/20260120161510.3289089-1-pimyn@google.com Fixes: 0ce20dd ("mm: add Kernel Electric-Fence infrastructure") Signed-off-by: Pimyn Girgis <pimyn@google.com> Reviewed-by: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Marco Elver <elver@google.com> Cc: Ernesto Martínez García <ernesto.martinezgarcia@tugraz.at> Cc: Greg KH <gregkh@linuxfoundation.org> Cc: Kees Cook <kees@kernel.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
1 parent 412a32f commit 870ff19


1 file changed

+19
-4
lines changed

1 file changed

+19
-4
lines changed

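--- a/mm/kfence/core.c
+++ b/mm/kfence/core.c
@@ -596,7 +596,7 @@ static void rcu_guarded_free(struct rcu_head *h)
 static unsigned long kfence_init_pool(void)
 {
 unsigned long addr, start_pfn;
-int i;
+int i, rand;
 
 if (!arch_kfence_init_pool())
 return (unsigned long)__kfence_pool;
@@ -647,13 +647,27 @@ static unsigned long kfence_init_pool(void)
 INIT_LIST_HEAD(&meta->list);
 raw_spin_lock_init(&meta->lock);
 meta->state = KFENCE_OBJECT_UNUSED;
-meta->addr = addr; /* Initialize for validation in metadata_to_pageaddr(). */
-list_add_tail(&meta->list, &kfence_freelist);
+/* Use addr to randomize the freelist. */
+meta->addr = i;
 
 /* Protect the right redzone. */
-if (unlikely(!kfence_protect(addr + PAGE_SIZE)))
+if (unlikely(!kfence_protect(addr + 2 * i * PAGE_SIZE + PAGE_SIZE)))
 goto reset_slab;
+}
+
+for (i = CONFIG_KFENCE_NUM_OBJECTS; i > 0; i--) {
+rand = get_random_u32_below(i);
+swap(kfence_metadata_init[i - 1].addr, kfence_metadata_init[rand].addr);
+}
 
+for (i = 0; i < CONFIG_KFENCE_NUM_OBJECTS; i++) {
+struct kfence_metadata *meta_1 = &kfence_metadata_init[i];
+struct kfence_metadata *meta_2 = &kfence_metadata_init[meta_1->addr];
+
+list_add_tail(&meta_2->list, &kfence_freelist);
+}
+for (i = 0; i < CONFIG_KFENCE_NUM_OBJECTS; i++) {
+kfence_metadata_init[i].addr = addr;
 addr += 2 * PAGE_SIZE;
 }
 
@@ -666,6 +680,7 @@ static unsigned long kfence_init_pool(void)
 return 0;
 
 reset_slab:
+addr += 2 * i * PAGE_SIZE;
 for (i = 0; i < KFENCE_POOL_SIZE / PAGE_SIZE; i++) {
 struct page *page;
 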
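Review bot: The new code temporarily overwrites `meta->addr` with the object's index and only stores a real address in the last loop, and the added `addr += 2 * i * PAGE_SIZE;` under `reset_slab:` silently depends on `i` still being the index of the object whose `kfence_protect()` failed in the first loop (which no longer advances `addr`); neither dependency is stated at either site. I would replace `/* Use addr to randomize the freelist. */` with a comment saying that `addr` holds the object index until the shuffle is done and receives its real address in the final loop, and add above the label `/* Only reached from the redzone-protect loop: i is the failing object's index and addr has not been advanced. */` so that a future `goto reset_slab` from one of the new loops is not added without adjusting the arithmetic. `meta_1`/`meta_2` would also read better named for their roles, e.g. `slot` and `picked`. The part of kfence_init_pool() between the hunks and its tail after the `reset_slab` loop lie outside what is shown, so I could not confirm there is no other jump to the label. Whether get_random_u32_below() has meaningful entropy at the point this runs is not visible here either; if kfence_init_pool() can run early in boot, the shuffle is best-effort and that is worth a sentence in the commit message.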