CVE-2025-22072

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spufs: fix gang directory lifetimes<br /> <br /> prior to "[POWERPC] spufs: Fix gang destroy leaks" we used to have<br /> a problem with gang lifetimes - creation of a gang returns opened<br /> gang directory, which normally gets removed when that gets closed,<br /> but if somebody has created a context belonging to that gang and<br /> kept it alive until the gang got closed, removal failed and we<br /> ended up with a leak.<br /> <br /> Unfortunately, it had been fixed the wrong way. Dentry of gang<br /> directory was no longer pinned, and rmdir on close was gone.<br /> One problem was that failure of open kept calling simple_rmdir()<br /> as cleanup, which meant an unbalanced dput(). Another bug was<br /> in the success case - gang creation incremented link count on<br /> root directory, but that was no longer undone when gang got<br /> destroyed.<br /> <br /> Fix consists of<br /> * reverting the commit in question<br /> * adding a counter to gang, protected by -&gt;i_rwsem<br /> of gang directory inode.<br /> * having it set to 1 at creation time, dropped<br /> in both spufs_dir_close() and spufs_gang_close() and bumped<br /> in spufs_create_context(), provided that it&amp;#39;s not 0.<br /> * using simple_recursive_removal() to take the gang<br /> directory out when counter reaches zero.