do_change_type(): refuse to operate on unmounted/not ours mounts

PlaidCat · PlaidCat · commit 2dd717852068 · 2025-12-01T12:52:21.000-05:00
jira KERNEL-216 cve CVE-2025-38498 Rebuild_History Non-Buildable kernel-5.14.0-611.9.1.el9_7 commit-author Al Viro <viro@zeniv.linux.org.uk> commit 12f147d Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2). Reviewed-by: Christian Brauner <brauner@kernel.org> Fixes: 07b2088 ("beginning of the shared-subtree proper") Reported-by: "Orlando, Noah" <Noah.Orlando@deshaw.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> (cherry picked from commit 12f147d) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/fs/namespace.c b/fs/namespace.c
@@ -2330,6 +2330,10 @@ static int do_change_type(struct path *path, int ms_flags)
 		return -EINVAL;
 
 	namespace_lock();
+	if (!check_mnt(mnt)) {
+		err = -EINVAL;
+		goto out_unlock;
+	}
 	if (type == MS_SHARED) {
 		err = invent_group_ids(mnt, recurse);
 		if (err)
