CVE-2025-22072 in Linux
Summary
by MITRE • 04/16/2025
In the Linux kernel, the following vulnerability has been resolved:
spufs: fix gang directory lifetimes
prior to "[POWERPC] spufs: Fix gang destroy leaks" we used to have
a problem with gang lifetimes - creation of a gang returns opened gang directory, which normally gets removed when that gets closed, but if somebody has created a context belonging to that gang and kept it alive until the gang got closed, removal failed and we ended up with a leak.
Unfortunately, it had been fixed the wrong way. Dentry of gang directory was no longer pinned, and rmdir on close was gone. One problem was that failure of open kept calling simple_rmdir() as cleanup, which meant an unbalanced dput(). Another bug was in the success case - gang creation incremented link count on root directory, but that was no longer undone when gang got destroyed.
Fix consists of * reverting the commit in question * adding a counter to gang, protected by ->i_rwsem of gang directory inode. * having it set to 1 at creation time, dropped in both spufs_dir_close() and spufs_gang_close() and bumped in spufs_create_context(), provided that it's not 0. * using simple_recursive_removal() to take the gang directory out when counter reaches zero.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/15/2026
The vulnerability CVE-2025-22072 affects the Linux kernel's spufs (SPU File System) implementation, specifically addressing issues with gang directory lifetimes that could lead to resource leaks and potential denial of service conditions. This flaw exists within the PowerPC architecture's SPU (Synergistic Processing Unit) subsystem where gang directories manage groups of SPU contexts. The vulnerability stems from improper handling of directory reference counting and cleanup operations during gang creation and destruction phases, creating a scenario where system resources could become permanently tied up due to failed cleanup operations.
The technical root cause involves a flawed implementation of gang directory lifecycle management that was initially attempted to be fixed but was corrected incorrectly. Prior to the problematic fix, gang creation would return an opened gang directory that should normally be removed upon closure, but this cleanup process failed when contexts belonging to that gang remained active until the gang itself was closed. The original fix introduced a different approach that removed the dentry pinning mechanism and eliminated the rmdir operation on close, which created new issues including unbalanced dput() calls during failure scenarios and improper link count management on the root directory. This incorrect fix resulted in a resource leak condition where gang directory entries would remain in the filesystem even after the gang was destroyed, leading to potential exhaustion of directory entry resources.
The operational impact of this vulnerability manifests as resource leakage within the kernel's filesystem management subsystem, potentially leading to system instability and performance degradation over time. When contexts remain active beyond the gang's lifecycle, the system cannot properly clean up the associated gang directory entries, which can accumulate and eventually exhaust available filesystem resources. This condition creates a denial of service scenario where legitimate system operations may fail due to resource exhaustion, particularly affecting systems heavily utilizing SPU contexts and gang management. The vulnerability affects systems running Linux kernels with PowerPC SPU support, making it particularly relevant to high-performance computing environments and specialized embedded systems that rely on SPU processing capabilities.
The fix for this vulnerability involves reverting the incorrect implementation and implementing proper reference counting mechanisms for gang directories. The solution introduces a counter mechanism protected by the gang directory inode's ->i_rwsem lock, which is incremented during gang creation and properly managed during context creation and gang destruction operations. This approach ensures that the gang directory is only removed when all references are properly released, using simple_recursive_removal() to handle the cleanup when the counter reaches zero. The fix addresses the underlying CWE-404 issue related to improper resource management and prevents the unbalanced dput() calls that were causing the original failure scenarios. This remediation aligns with ATT&CK technique T1490 for resource exhaustion and addresses the improper cleanup patterns that could lead to system instability. The implementation ensures proper synchronization and reference counting across all code paths, eliminating the conditions that led to the resource leak while maintaining the intended functionality of the SPU filesystem management system.