Re: [BUG][RFC] broken use of __lookup_mnt() in path_overmounted()

[Al Viro <viro@zeniv.linux.org.uk>]

On Mon, Jun 02, 2025 at 11:17:25AM +0200, Christian Brauner wrote:

> Fwiw, I have pointed this out in one of my really early submission of
> this work and had asked whether we generally want the same check. That's
> also why I added the shadow-mount check into the automount path because
> that could be used for that sort of issue to afair but my memory is
> fuzzy here.

Actually, the check in do_move_mount() is too early.  Look:
(after having made sure . is on a private mount)
mount -t tmpfs none A
mkdir A/x
mount --make-shared A
mount --bind A/x B
mount --make-slave B
mount -t tmpfs other A/x
umount B

... and now move_mount() B beneath A/x.  See what happens?  We get one
secondary copy, attached on top of the root of primary.  _After_ we'd
entered attach_recursive_mnt(), so all checks in do_move_mount() have
nothing to catch - yet.  So we end up with that secondary being side-by-side
with the "other" tmpfs...

The unpleasant part is that we'll need to backport that stuff, so it
has to be done _before_ the do_move_mount()/attach_recursive_mnt()
cleanups ;-/

Once the side-by-side thing is eliminated, we can (and IMO should) add
mnt->mnt_overmount pointing to whatever's mounted on top of root of
mnt (NULL if nothing is).  That simplifies quite a few things, including
the prevention of side-by-side shite, but we can't do it first, more's
the pity...

Hell knows, maybe MNT_OVERMOUNTED as the first step would be doable -
it would allow for simpler (and lower-overhead) intermediate step
before the introduction of ->mnt_overmount and further simplifications...