fs: refuse mnt id requests with invalid ids early

Unique mount ids start past the last valid old mount id value to not
confuse the two so reject invalid values early in copy_mnt_id_req().

Link: https://lore.kernel.org/r/20240704-work-mount-fixes-v1-1-d007c990de5f@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>

diff --git a/fs/namespace.c b/fs/namespace.c
index 56c1dcffb4dc82d846cf8efa104b8b141f3f0307..8e3603558e599132fe747c09eff43053b9ff9161 100644 (file)
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -70,7 +70,8 @@ static DEFINE_IDA(mnt_id_ida);
 static DEFINE_IDA(mnt_group_ida);
 
 /* Don't allow confusion with old 32bit mount ID */
-static atomic64_t mnt_id_ctr = ATOMIC64_INIT(1ULL << 32);
+#define MNT_UNIQUE_ID_OFFSET (1ULL << 32)
+static atomic64_t mnt_id_ctr = ATOMIC64_INIT(MNT_UNIQUE_ID_OFFSET);
 
 static struct hlist_head *mount_hashtable __ro_after_init;
 static struct hlist_head *mountpoint_hashtable __ro_after_init;
@@ -5241,6 +5242,9 @@ static int copy_mnt_id_req(const struct mnt_id_req __user *req,
                return ret;
        if (kreq->spare != 0)
                return -EINVAL;
+       /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */
+       if (kreq->mnt_id <= MNT_UNIQUE_ID_OFFSET)
+               return -EINVAL;
        return 0;
 }