On Mon, Jun 02, 2025 at 11:17:25AM +0200, Christian Brauner wrote: > Fwiw, I have pointed this out in one of my really early submission of > this work and had asked whether we generally want the same check. That's > also why I added the shadow-mount check into the automount path because > that could be used for that sort of issue to afair but my memory is > fuzzy here. Actually, the check in do_move_mount() is too early. Look: (after having made sure . is on a private mount) mount -t tmpfs none A mkdir A/x mount --make-shared A mount --bind A/x B mount --make-slave B mount -t tmpfs other A/x umount B ... and now move_mount() B beneath A/x. See what happens? We get one secondary copy, attached on top of the root of primary. _After_ we'd entered attach_recursive_mnt(), so all checks in do_move_mount() have nothing to catch - yet. So we end up with that secondary being side-by-side with the "other" tmpfs... The unpleasant part is that we'll need to backport that stuff, so it has to be done _before_ the do_move_mount()/attach_recursive_mnt() cleanups ;-/ Once the side-by-side thing is eliminated, we can (and IMO should) add mnt->mnt_overmount pointing to whatever's mounted on top of root of mnt (NULL if nothing is). That simplifies quite a few things, including the prevention of side-by-side shite, but we can't do it first, more's the pity... Hell knows, maybe MNT_OVERMOUNTED as the first step would be doable - it would allow for simpler (and lower-overhead) intermediate step before the introduction of ->mnt_overmount and further simplifications...
