do_change_type(): refuse to operate on unmounted/not ours mounts

roxanan1996 · roxanan1996 · commit a016821683ed · 2025-10-29T10:08:35.000+01:00
jira VULN-98610 cve CVE-2025-38498 commit-author Al Viro <viro@zeniv.linux.org.uk> commit 12f147d Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2). Reviewed-by: Christian Brauner <brauner@kernel.org> Fixes: 07b2088 ("beginning of the shared-subtree proper") Reported-by: "Orlando, Noah" <Noah.Orlando@deshaw.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> (cherry picked from commit 12f147d) Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
diff --git a/fs/namespace.c b/fs/namespace.c
@@ -2329,6 +2329,10 @@ static int do_change_type(struct path *path, int ms_flags)
 		return -EINVAL;
 
 	namespace_lock();
+	if (!check_mnt(mnt)) {
+		err = -EINVAL;
+		goto out_unlock;
+	}
 	if (type == MS_SHARED) {
 		err = invent_group_ids(mnt, recurse);
 		if (err)
