fs: reject invalid last mount id early
authorChristian Brauner <brauner@kernel.org>
Thu, 4 Jul 2024 08:58:35 +0000 (10:58 +0200)
committerChristian Brauner <brauner@kernel.org>
Mon, 8 Jul 2024 04:32:18 +0000 (06:32 +0200)
Unique mount ids start past the last valid old mount id value to not
confuse the two. If a last mount id has been specified, reject any
invalid values early.

Link: https://lore.kernel.org/r/20240704-work-mount-fixes-v1-2-d007c990de5f@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
fs/namespace.c

index 8e3603558e599132fe747c09eff43053b9ff9161..ade356c7f14abcdd204f2cd180614629e20dc4a7 100644 (file)
@@ -5375,6 +5375,7 @@ SYSCALL_DEFINE4(listmount, const struct mnt_id_req __user *, req,
        const size_t maxcount = 1000000;
        struct mnt_namespace *ns __free(mnt_ns_release) = NULL;
        struct mnt_id_req kreq;
+       u64 last_mnt_id;
        ssize_t ret;
 
        if (flags & ~LISTMOUNT_REVERSE)
@@ -5395,6 +5396,11 @@ SYSCALL_DEFINE4(listmount, const struct mnt_id_req __user *, req,
        if (ret)
                return ret;
 
+       last_mnt_id = kreq.param;
+       /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */
+       if (last_mnt_id != 0 && last_mnt_id <= MNT_UNIQUE_ID_OFFSET)
+               return -EINVAL;
+
        kmnt_ids = kvmalloc_array(nr_mnt_ids, sizeof(*kmnt_ids),
                                  GFP_KERNEL_ACCOUNT);
        if (!kmnt_ids)
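Review bot: The new check treats `last_mnt_id == 0` as "no last mount id given" but the comment only explains the lower bound of unique ids, so a reader has to infer why zero is exempt from the range test. I would widen the comment to `/* 0 means no last mount id was given; any other value must be a unique mount id, i.e. > MNT_UNIQUE_ID_OFFSET. */`. It would also help to say here that this rejects the old-style (non-unique) id range for kreq.param, which the commit message states but the code does not. The enclosing listmount() body starts and ends outside this hunk.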
@@ -5409,7 +5415,7 @@ SYSCALL_DEFINE4(listmount, const struct mnt_id_req __user *, req,
                return -ENOENT;
 
        scoped_guard(rwsem_read, &namespace_sem)
-               ret = do_listmount(ns, kreq.mnt_id, kreq.param, kmnt_ids,
+               ret = do_listmount(ns, kreq.mnt_id, last_mnt_id, kmnt_ids,
                                   nr_mnt_ids, (flags & LISTMOUNT_REVERSE));
        if (ret <= 0)
                return ret;