{"id":"CVE-2025-22072","summary":"spufs: fix gang directory lifetimes","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nspufs: fix gang directory lifetimes\n\nprior to \"[POWERPC] spufs: Fix gang destroy leaks\" we used to have\na problem with gang lifetimes - creation of a gang returns opened\ngang directory, which normally gets removed when that gets closed,\nbut if somebody has created a context belonging to that gang and\nkept it alive until the gang got closed, removal failed and we\nended up with a leak.\n\nUnfortunately, it had been fixed the wrong way.  Dentry of gang\ndirectory was no longer pinned, and rmdir on close was gone.\nOne problem was that failure of open kept calling simple_rmdir()\nas cleanup, which meant an unbalanced dput().  Another bug was\nin the success case - gang creation incremented link count on\nroot directory, but that was no longer undone when gang got\ndestroyed.\n\nFix consists of\n\t* reverting the commit in question\n\t* adding a counter to gang, protected by -\u003ei_rwsem\nof gang directory inode.\n\t* having it set to 1 at creation time, dropped\nin both spufs_dir_close() and spufs_gang_close() and bumped\nin spufs_create_context(), provided that it's not 0.\n\t* using simple_recursive_removal() to take the gang\ndirectory out when counter reaches zero.","modified":"2026-04-02T12:45:20.393894Z","published":"2025-04-16T14:12:24.571Z","related":["MGASA-2025-0142","MGASA-2025-0146"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22072.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/029d8c711f5e5fe8cf63e8a4a1a140a06e224e45"},{"type":"WEB","url":"https://git.kernel.org/stable/c/324f280806aab28ef757aecc18df419676c10ef8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/880e7b3da2e765c1f90c94c0539be039e96c7062"},{"type":"WEB","url":"https://git.kernel.org/stable/c/903733782f3ae28a2f7fe4dfb47c7fe3e079a528"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c134deabf4784e155d360744d4a6a835b9de4dd4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fc646a6c6d14b5d581f162a7e32999f789e3a3ac"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22072.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22072"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"877907d37da9694a34adc9dc3e2ce09400148cb5"},{"fixed":"880e7b3da2e765c1f90c94c0539be039e96c7062"},{"fixed":"324f280806aab28ef757aecc18df419676c10ef8"},{"fixed":"029d8c711f5e5fe8cf63e8a4a1a140a06e224e45"},{"fixed":"903733782f3ae28a2f7fe4dfb47c7fe3e079a528"},{"fixed":"fc646a6c6d14b5d581f162a7e32999f789e3a3ac"},{"fixed":"c134deabf4784e155d360744d4a6a835b9de4dd4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22072.json"}}],"schema_version":"1.7.5"}