CVE-2025-37807

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix kmemleak warning for percpu hashmap

Vlad Poenaru reported the following kmemleak issue:

unreferenced object 0x606fd7c44ac8 (size 32): backtrace (crc 0): pcpuallocnoprof+0x730/0xeb0 bpfmapallocpercpu+0x69/0xc0 preallocinit+0x9d/0x1b0 htabmapalloc+0x363/0x510 map_create+0x215/0x3a0 __sys_bpf+0x16b/0x3e0 __x64sysbpf+0x18/0x20 dosyscall64+0x7b/0x150 entrySYSCALL64afterhwframe+0x4b/0x53

Further investigation shows the reason is due to not 8-byte aligned store of percpu pointer in htabelemset_ptr(): *(void _percpu **)(l->key + keysize) = pptr;

Note that the whole htabelem alignment is 8 (for x8664). If the keysize is 4, that means pptr is stored in a location which is 4 byte aligned but not 8 byte aligned. In mm/kmemleak.c, scanblock() scans the memory based on 8 byte stride, so it won't detect above pptr, hence reporting the memory leak.

In htabmapalloc(), we already have

    htab->elem_size = sizeof(struct htab_elem) +
                      round_up(htab->map.key_size, 8);
    if (percpu)
            htab->elem_size += sizeof(void *);
    else
            htab->elem_size += round_up(htab->map.value_size, 8);

So storing pptr with 8-byte alignment won't cause any problem and can fix kmemleak too.

The issue can be reproduced with bpf selftest as well: 1. Enable CONFIGDEBUGKMEMLEAK config 2. Add a getchar() before skel destroy in testhashmap() in progtests/foreach.c. The purpose is to keep map available so kmemleak can be detected. 3. run './testprogs -t foreach/hash_map &' and a kmemleak should be reported.