Re: [PATCH RESEND] binder: handle PID namespace conversion for freeze operation

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Alice Ryhl <aliceryhl@google.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: jongan.kim@lge.com, arve@android.com, brauner@kernel.org,
	 cmllamas@google.com, ht.hong@lge.com, jungsu.hwang@lge.com,
	 kernel-team@android.com, linux-kernel@vger.kernel.org,
	sanghun.lee@lge.com,  seulgi.lee@lge.com, sunghoon.kim@lge.com,
	tkjos@android.com
Subject: Re: [PATCH RESEND] binder: handle PID namespace conversion for freeze operation
Date: Fri, 9 Jan 2026 08:39:18 +0000	[thread overview]
Message-ID: <aWC-tgBQD9Lwn3Lu@google.com> (raw)
In-Reply-To: <2026010941-carwash-disabled-c713@gregkh>

On Fri, Jan 09, 2026 at 08:50:01AM +0100, Greg KH wrote:
> On Fri, Jan 09, 2026 at 01:44:22PM +0900, jongan.kim@lge.com wrote:
> > From: Greg KH <gregkh@linuxfoundation.org>
> > 
> > > On Thu, Jan 08, 2026 at 10:10:11AM +0900, jongan.kim@lge.com wrote:
> > > > From: "JongAn Kim" <jongan.kim@lge.com>
> > > > For example, if a container with PID namespace has a process with
> > > > PID 100 (which maps to PID 5000 in init namespace), attempting to
> > > > freeze PID 100 from the container could incorrectly match a different
> > > > process with PID 100 in the init namespace.
> > > > 
> > > > This patch fixes the issue by:
> > > > 1. Converting the caller's PID from their namespace to init namespace
> > > > 2. Matching against binder_proc->pid (which stores init namespace TGID)
> > > > 3. Returning -EINVAL for invalid PIDs and -ESRCH for not-found processes
> > >
> > > Are you sure this is the only place pid namespaces come into play in
> > > binder?  If this is going to be supported, I think all uses of pids need
> > > to handle namespaces.
> > > 
> > > or am I confused as to what is broken here?
> > >
> > > thanks,
> > >
> > > greg k-h
> > 
> > As far as we've confirmed, only the binder’s freeze ioctl operation receives
> > and processes a pid from user space. (other binder operation except freeze
> > handles pid as global pid in kernel space.)
> 
> Are you sure?  Those pids come from userspace, how can they be "global"?

I guess the BINDER_FREEZE/BINDER_GET_FROZEN_INFO ioctls are the only
that takes a pid as *input*. All other pid uses in Binder are outputs.

> > Since binder_open() registers the pid to binder_procs based on the global pid
> > of the init namespace, the freeze operation does not function correctly when 
> > executed within a separate namespace. Moreover, in cases where duplicate pid 
> > exist, there is a potential risk of freezing an unintended process in the init
> > namespace.
> 
> So you are relying on the registration in the global namespace, but what
> about the others?  I see a lot of "raw" pids happening in the binder
> code, it's odd that this would only be an issue in that one ioctl.
> 
> And, I hate to ask, what about the rust version of binder in the tree
> now?  What does that do?  :)

Both drivers handle the BINDER_FREEZE ioctl in the same way. The freeze
operation takes a target pid to freeze as input, and loops through all
open Binder fds/binder_procs and picks out any procs for which the
target pid is equal to `task->group_leader->pid`, with `task` being the
task that originally opened said fd. Then those fds/binder_procs are
marked frozen meaning that new incoming transactions are rejected.

Alice

next prev parent reply	other threads:[~2026-01-09  8:39 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-03  2:41 [PATCH] binder: handle PID namespace conversion for freeze operation jongan.kim
2026-01-08  1:10 ` [PATCH RESEND] " jongan.kim
2026-01-08  5:37   ` Greg KH
2026-01-09  4:44     ` jongan.kim
     [not found]     ` <696087cf.050a0220.9a5fe.0a86SMTPIN_ADDED_BROKEN@mx.google.com>
2026-01-09  7:50       ` Greg KH
2026-01-09  8:39         ` Alice Ryhl [this message]
2026-01-15  8:06           ` jongan.kim
2026-01-15  8:41             ` Alice Ryhl
2026-01-16  5:52               ` jongan.kim
2026-01-16 10:52                 ` Alice Ryhl
2026-01-19  0:56                   ` jongan.kim

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aWC-tgBQD9Lwn3Lu@google.com \
    --to=aliceryhl@google.com \
    --cc=arve@android.com \
    --cc=brauner@kernel.org \
    --cc=cmllamas@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=ht.hong@lge.com \
    --cc=jongan.kim@lge.com \
    --cc=jungsu.hwang@lge.com \
    --cc=kernel-team@android.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sanghun.lee@lge.com \
    --cc=seulgi.lee@lge.com \
    --cc=sunghoon.kim@lge.com \
    --cc=tkjos@android.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.