CVE-2025-37807
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-37807
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37807.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-37807
- Downstream
- Published
- 2025-05-08T07:15:51Z
- Modified
- 2025-08-09T20:01:27Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix kmemleak warning for percpu hashmap
Vlad Poenaru reported the following kmemleak issue:
unreferenced object 0x606fd7c44ac8 (size 32): backtrace (crc 0): pcpuallocnoprof+0x730/0xeb0 bpfmapallocpercpu+0x69/0xc0 preallocinit+0x9d/0x1b0 htabmapalloc+0x363/0x510 mapcreate+0x215/0x3a0 _sysbpf+0x16b/0x3e0 _x64sysbpf+0x18/0x20 dosyscall64+0x7b/0x150 entrySYSCALL64afterhwframe+0x4b/0x53
Further investigation shows the reason is due to not 8-byte aligned store of percpu pointer in htabelemsetptr(): *(void _percpu **)(l->key + key_size) = pptr;
Note that the whole htabelem alignment is 8 (for x8664). If the keysize is 4, that means pptr is stored in a location which is 4 byte aligned but not 8 byte aligned. In mm/kmemleak.c, scanblock() scans the memory based on 8 byte stride, so it won't detect above pptr, hence reporting the memory leak.
In htabmapalloc(), we already have
htab->elem_size = sizeof(struct htab_elem) + round_up(htab->map.key_size, 8); if (percpu) htab->elem_size += sizeof(void *); else htab->elem_size += round_up(htab->map.value_size, 8);So storing pptr with 8-byte alignment won't cause any problem and can fix kmemleak too.
The issue can be reproduced with bpf selftest as well: 1. Enable CONFIGDEBUGKMEMLEAK config 2. Add a getchar() before skel destroy in testhashmap() in progtests/foreach.c. The purpose is to keep map available so kmemleak can be detected. 3. run './testprogs -t foreach/hash_map &' and a kmemleak should be reported.
- References