CVE-2025-37807: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix kmemleak warning for percpu hashmap

Vlad Poenaru reported the following kmemleak issue:

unreferenced object 0x606fd7c44ac8 (size 32):

backtrace (crc 0):
  pcpu_alloc_noprof+0x730/0xeb0
  bpf_map_alloc_percpu+0x69/0xc0
  prealloc_init+0x9d/0x1b0
  htab_map_alloc+0x363/0x510
  map_create+0x215/0x3a0
  __sys_bpf+0x16b/0x3e0
  __x64_sys_bpf+0x18/0x20
  do_syscall_64+0x7b/0x150
  entry_SYSCALL_64_after_hwframe+0x4b/0x53

Further investigation shows the reason is due to not 8-byte aligned store of percpu pointer in htabelemsetptr(): *(void _percpu **)(l->key + key_size) = pptr;

Note that the whole htabelem alignment is 8 (for x8664). If the keysize is 4, that means pptr is stored in a location which is 4 byte aligned but not 8 byte aligned. In mm/kmemleak.c, scanblock() scans the memory based on 8 byte stride, so it won't detect above pptr, hence reporting the memory leak.

In htabmapalloc(), we already have

    htab->elem_size = sizeof(struct htab_elem) +
                      round_up(htab->map.key_size, 8);
    if (percpu)
            htab->elem_size += sizeof(void *);
    else
            htab->elem_size += round_up(htab->map.value_size, 8);

So storing pptr with 8-byte alignment won't cause any problem and can fix kmemleak too.

The issue can be reproduced with bpf selftest as well:

1. Enable CONFIGDEBUGKMEMLEAK config
2. Add a getchar() before skel destroy in testhashmap() in progtests/foreach.c. The purpose is to keep map available so kmemleak can be detected.
3. run './testprogs -t foreach/hash_map &' and a kmemleak should be reported.