cve/published/2025/CVE-2025-22072.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-22072: spufs: fix gang directory lifetimes

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 spufs: fix gang directory lifetimes

 prior to "[POWERPC] spufs: Fix gang destroy leaks" we used to have
 a problem with gang lifetimes - creation of a gang returns opened
 gang directory, which normally gets removed when that gets closed,
 but if somebody has created a context belonging to that gang and
 kept it alive until the gang got closed, removal failed and we
 ended up with a leak.

 Unfortunately, it had been fixed the wrong way.  Dentry of gang
 directory was no longer pinned, and rmdir on close was gone.
 One problem was that failure of open kept calling simple_rmdir()
 as cleanup, which meant an unbalanced dput().  Another bug was
 in the success case - gang creation incremented link count on
 root directory, but that was no longer undone when gang got
 destroyed.

 Fix consists of
 	* reverting the commit in question
 	* adding a counter to gang, protected by ->i_rwsem
 of gang directory inode.
 	* having it set to 1 at creation time, dropped
 in both spufs_dir_close() and spufs_gang_close() and bumped
 in spufs_create_context(), provided that it's not 0.
 	* using simple_recursive_removal() to take the gang
 directory out when counter reaches zero.

 The Linux kernel CVE team has assigned CVE-2025-22072 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.22 with commit 877907d37da9694a34adc9dc3e2ce09400148cb5 and fixed in 6.1.134 with commit 880e7b3da2e765c1f90c94c0539be039e96c7062
 	Issue introduced in 2.6.22 with commit 877907d37da9694a34adc9dc3e2ce09400148cb5 and fixed in 6.6.87 with commit 324f280806aab28ef757aecc18df419676c10ef8
 	Issue introduced in 2.6.22 with commit 877907d37da9694a34adc9dc3e2ce09400148cb5 and fixed in 6.12.23 with commit 029d8c711f5e5fe8cf63e8a4a1a140a06e224e45
 	Issue introduced in 2.6.22 with commit 877907d37da9694a34adc9dc3e2ce09400148cb5 and fixed in 6.13.11 with commit 903733782f3ae28a2f7fe4dfb47c7fe3e079a528
 	Issue introduced in 2.6.22 with commit 877907d37da9694a34adc9dc3e2ce09400148cb5 and fixed in 6.14.2 with commit fc646a6c6d14b5d581f162a7e32999f789e3a3ac
 	Issue introduced in 2.6.22 with commit 877907d37da9694a34adc9dc3e2ce09400148cb5 and fixed in 6.15 with commit c134deabf4784e155d360744d4a6a835b9de4dd4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-22072
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/powerpc/platforms/cell/spufs/gang.c
 	arch/powerpc/platforms/cell/spufs/inode.c
 	arch/powerpc/platforms/cell/spufs/spufs.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/880e7b3da2e765c1f90c94c0539be039e96c7062
 	https://git.kernel.org/stable/c/324f280806aab28ef757aecc18df419676c10ef8
 	https://git.kernel.org/stable/c/029d8c711f5e5fe8cf63e8a4a1a140a06e224e45
 	https://git.kernel.org/stable/c/903733782f3ae28a2f7fe4dfb47c7fe3e079a528
 	https://git.kernel.org/stable/c/fc646a6c6d14b5d581f162a7e32999f789e3a3ac
 	https://git.kernel.org/stable/c/c134deabf4784e155d360744d4a6a835b9de4dd4
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-22072: spufs: fix gang directory lifetimes

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	spufs: fix gang directory lifetimes

	prior to "[POWERPC] spufs: Fix gang destroy leaks" we used to have
	a problem with gang lifetimes - creation of a gang returns opened
	gang directory, which normally gets removed when that gets closed,
	but if somebody has created a context belonging to that gang and
	kept it alive until the gang got closed, removal failed and we
	ended up with a leak.

	Unfortunately, it had been fixed the wrong way. Dentry of gang
	directory was no longer pinned, and rmdir on close was gone.
	One problem was that failure of open kept calling simple_rmdir()
	as cleanup, which meant an unbalanced dput(). Another bug was
	in the success case - gang creation incremented link count on
	root directory, but that was no longer undone when gang got
	destroyed.

	Fix consists of
	* reverting the commit in question
	* adding a counter to gang, protected by ->i_rwsem
	of gang directory inode.
	* having it set to 1 at creation time, dropped
	in both spufs_dir_close() and spufs_gang_close() and bumped
	in spufs_create_context(), provided that it's not 0.
	* using simple_recursive_removal() to take the gang
	directory out when counter reaches zero.

	The Linux kernel CVE team has assigned CVE-2025-22072 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.22 with commit 877907d37da9694a34adc9dc3e2ce09400148cb5 and fixed in 6.1.134 with commit 880e7b3da2e765c1f90c94c0539be039e96c7062
	Issue introduced in 2.6.22 with commit 877907d37da9694a34adc9dc3e2ce09400148cb5 and fixed in 6.6.87 with commit 324f280806aab28ef757aecc18df419676c10ef8
	Issue introduced in 2.6.22 with commit 877907d37da9694a34adc9dc3e2ce09400148cb5 and fixed in 6.12.23 with commit 029d8c711f5e5fe8cf63e8a4a1a140a06e224e45
	Issue introduced in 2.6.22 with commit 877907d37da9694a34adc9dc3e2ce09400148cb5 and fixed in 6.13.11 with commit 903733782f3ae28a2f7fe4dfb47c7fe3e079a528
	Issue introduced in 2.6.22 with commit 877907d37da9694a34adc9dc3e2ce09400148cb5 and fixed in 6.14.2 with commit fc646a6c6d14b5d581f162a7e32999f789e3a3ac
	Issue introduced in 2.6.22 with commit 877907d37da9694a34adc9dc3e2ce09400148cb5 and fixed in 6.15 with commit c134deabf4784e155d360744d4a6a835b9de4dd4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-22072
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/powerpc/platforms/cell/spufs/gang.c
	arch/powerpc/platforms/cell/spufs/inode.c
	arch/powerpc/platforms/cell/spufs/spufs.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/880e7b3da2e765c1f90c94c0539be039e96c7062
	https://git.kernel.org/stable/c/324f280806aab28ef757aecc18df419676c10ef8
	https://git.kernel.org/stable/c/029d8c711f5e5fe8cf63e8a4a1a140a06e224e45
	https://git.kernel.org/stable/c/903733782f3ae28a2f7fe4dfb47c7fe3e079a528
	https://git.kernel.org/stable/c/fc646a6c6d14b5d581f162a7e32999f789e3a3ac
	https://git.kernel.org/stable/c/c134deabf4784e155d360744d4a6a835b9de4dd4