A flaw possibility of memory leak in the Linux Kernel found.
There is no randomization of the exception stacks happening at all including boot-time randomization. These exception
stacks are mapped into the kernel at the same virtual address every time.
The exception stack(s) is a particularly easy target because its location can be computed based solely on CPU index and kernel version.
For the CPU-entry-area, the piece of per-cpu data that is mapped into the userspace page-tables for KPTI is not subject to any randomization (irrespective of KASLR settings). The KASLR-style randomization isn't enough, because attacker probably could discover even the task stacks at least on X86 systems without KPTI with something like the prefetch timing side channel that can test for PTE existence (see reference to the prefetch.pdf).
Sure, the system call stack is randomized, but that randomization happens after kernel entry and after pt_regs have been saved. It would be good if at least in the worst-case scenario of an attack against the kernel, an attacker wouldn't know fixed addresses where zeroes / kernel text pointers / other known values are stored.
As result, straight forward randomization scheme that avoids duplicates to spread the existing CPUs over the available space suggested (see reference to the patch).

References:
https://gruss.cc/files/prefetch.pdf
https://lore.kernel.org/lkml/Yz%2FmfJ1gjgshF19t@hirez.programming.kicks-ass.net/
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/mm/cpu_entry_area.c?h=v6.2-rc6&id=97e3d26b5e5f371b3ee223d94dd123e6c442ba80