From: Al Viro <viro@zeniv.linux.org.uk> mainline inclusion from mainline-v6.15 commit 12f147ddd6de7382dad54812e65f3f08d05809fc category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICPSUV CVE: CVE-2025-38498 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2). Reviewed-by: Christian Brauner <brauner@kernel.org> Fixes: 07b20889e305 ("beginning of the shared-subtree proper") Reported-by: "Orlando, Noah" <Noah.Orlando@deshaw.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Long Li <leo.lilong@huawei.com> --- fs/namespace.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/namespace.c b/fs/namespace.c index b682a044cf0e..ef1398d176c6 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2210,6 +2210,10 @@ static int do_change_type(struct path *path, int ms_flags) return -EINVAL; namespace_lock(); + if (!check_mnt(mnt)) { + err = -EINVAL; + goto out_unlock; + } if (type == MS_SHARED) { err = invent_group_ids(mnt, recurse); if (err) -- 2.39.2