do_change_type(): refuse to operate on unmounted/not ours mounts

JIRA: https://issues.redhat.com/browse/RHEL-107307
Upstream status: Linus
CVE: CVE-2025-38498

commit 12f147d
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Wed Jun 4 12:27:08 2025 -0400

    do_change_type(): refuse to operate on unmounted/not ours mounts

    Ensure that propagation settings can only be changed for mounts located
    in the caller's mount namespace. This change aligns permission checking
    with the rest of mount(2).

    Reviewed-by: Christian Brauner <brauner@kernel.org>
    Fixes: 07b2088 ("beginning of the shared-subtree proper")
    Reported-by: "Orlando, Noah" <Noah.Orlando@deshaw.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Signed-off-by: Ian Kent <ikent@redhat.com>

Author: Ian Kent

fs/namespace.c

@@ -2709,6 +2709,10 @@ static int do_change_type(struct path *path, int ms_flags)
 		return -EINVAL;
 
 	namespace_lock();
+	if (!check_mnt(mnt)) {
+		err = -EINVAL;
+		goto out_unlock;
+	}
 	if (type == MS_SHARED) {
 		err = invent_group_ids(mnt, recurse);
 		if (err)