authorChristian Brauner <brauner@kernel.org>2024-07-04 10:58:34 +0200
committerChristian Brauner <brauner@kernel.org>2024-07-08 06:32:14 +0200
commit80744d0e7a81c35795a2754049eafff76abbe371 (patch)
treef7e7662b28ca7ffe05e85d7320f483f3c39c1325
parent5e8a9cebc5580ca7c01d6c151017187785dc0dfe (diff)
fs: refuse mnt id requests with invalid ids early
Unique mount ids start past the last valid old mount id value to not confuse the two so reject invalid values early in copy_mnt_id_req(). Link: https://lore.kernel.org/r/20240704-work-mount-fixes-v1-1-d007c990de5f@kernel.org Signed-off-by: Christian Brauner <brauner@kernel.org>
-rw-r--r--fs/namespace.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/fs/namespace.c b/fs/namespace.c
index 56c1dcffb4dc..8e3603558e59 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -70,7 +70,8 @@ static DEFINE_IDA(mnt_id_ida);
static DEFINE_IDA(mnt_group_ida);
/* Don't allow confusion with old 32bit mount ID */
-static atomic64_t mnt_id_ctr = ATOMIC64_INIT(1ULL << 32);
+#define MNT_UNIQUE_ID_OFFSET (1ULL << 32)
+static atomic64_t mnt_id_ctr = ATOMIC64_INIT(MNT_UNIQUE_ID_OFFSET);
static struct hlist_head *mount_hashtable __ro_after_init;
static struct hlist_head *mountpoint_hashtable __ro_after_init;
@@ -5241,6 +5242,9 @@ static int copy_mnt_id_req(const struct mnt_id_req __user *req,
return ret;
if (kreq->spare != 0)
return -EINVAL;
+ /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */
+ if (kreq->mnt_id <= MNT_UNIQUE_ID_OFFSET)
+ return -EINVAL;
return 0;
}
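Review bot: The `<=` bound in the added check in copy_mnt_id_req() is only correct if MNT_UNIQUE_ID_OFFSET itself is never handed out as a unique id, which holds only if the allocator increments mnt_id_ctr before using the value. That allocation site is outside this diff, so the invariant should be stated where the macro is defined in the first hunk, for example by extending the existing comment to `/* Don't allow confusion with old 32bit mount ID: unique ids are allocated above this offset, so values <= it are never valid unique ids. */`. A request carrying an old 32-bit mount id now fails with -EINVAL as soon as the request is copied in, presumably where it used to fail later at lookup with a different error. Userspace may tell the two apart, so the change in error code is worth a line in the commit message or the syscall documentation. copy_mnt_id_req() starts outside the hunk, so the size handling and copy that precede the `spare` check are not visible here.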