Re: [PATCH RESEND] binder: handle PID namespace conversion for freeze operation

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <gregkh@linuxfoundation.org>
To: jongan.kim@lge.com
Cc: arve@android.com, tkjos@android.com, brauner@kernel.org,
	cmllamas@google.com, aliceryhl@google.com,
	linux-kernel@vger.kernel.org, kernel-team@android.com,
	ht.hong@lge.com, sunghoon.kim@lge.com, sanghun.lee@lge.com,
	jungsu.hwang@lge.com, seulgi.lee@lge.com
Subject: Re: [PATCH RESEND] binder: handle PID namespace conversion for freeze operation
Date: Thu, 8 Jan 2026 06:37:53 +0100	[thread overview]
Message-ID: <2026010828-squash-tranquil-7544@gregkh> (raw)
In-Reply-To: <20260108011011.450202-1-jongan.kim@lge.com>

On Thu, Jan 08, 2026 at 10:10:11AM +0900, jongan.kim@lge.com wrote:
> From: "JongAn Kim" <jongan.kim@lge.com>
> 
> Currently, when a freeze is attempted from a non-init PID namespace,
> there is a possibility that the wrong process in the init namespace
> may be frozen due to PID collision across namespaces.

I did not think that binder worked with pid namespaces.  I think I've
asked this before and was told it was not supported.

So how are you running into this?  What system requires this?

> For example, if a container with PID namespace has a process with
> PID 100 (which maps to PID 5000 in init namespace), attempting to
> freeze PID 100 from the container could incorrectly match a different
> process with PID 100 in the init namespace.
> 
> This patch fixes the issue by:
> 1. Converting the caller's PID from their namespace to init namespace
> 2. Matching against binder_proc->pid (which stores init namespace TGID)
> 3. Returning -EINVAL for invalid PIDs and -ESRCH for not-found processes

Are you sure this is the only place pid namespaces come into play in
binder?  If this is going to be supported, I think all uses of pids need
to handle namespaces.

or am I confused as to what is broken here?

thanks,

greg k-h

WARNING: multiple messages have this Message-ID (diff)

From: jongan.kim@lge.com
To: gregkh@linuxfoundation.org, jongan.kim@lge.com
Cc: aliceryhl@google.com, arve@android.com, brauner@kernel.org,
	cmllamas@google.com, ht.hong@lge.com, jungsu.hwang@lge.com,
	kernel-team@android.com, linux-kernel@vger.kernel.org,
	sanghun.lee@lge.com, seulgi.lee@lge.com, sunghoon.kim@lge.com,
	tkjos@android.com
Subject: Re: [PATCH RESEND] binder: handle PID namespace conversion for freeze operation
Date: Fri,  9 Jan 2026 13:44:22 +0900	[thread overview]
Message-ID: <2026010828-squash-tranquil-7544@gregkh> (raw) (raw)
Message-ID: <20260109044422.1SNA7_LXu0GVzQU7aSw9g05ifS8KV0BZ4fgLWRvEUUA@z> (raw)
In-Reply-To: <20260108011011.450202-1-jongan.kim@lge.com>

From: Greg KH <gregkh@linuxfoundation.org>

> On Thu, Jan 08, 2026 at 10:10:11AM +0900, jongan.kim@lge.com wrote:
> > From: "JongAn Kim" <jongan.kim@lge.com>
> > 
> > Currently, when a freeze is attempted from a non-init PID namespace,
> > there is a possibility that the wrong process in the init namespace
> > may be frozen due to PID collision across namespaces.
>
> I did not think that binder worked with pid namespaces.  I think I've
> asked this before and was told it was not supported.
>
> So how are you running into this?  What system requires this?

Thank you for your feedback.
We isolated the pid namespace in order to run the legacy system within
Android Automotive. Upon contacting Google, we were informed that the
binder’s freeze operation currently does not support the pid namespace.
They also mentioned that once this binder freeze problem is resolved,
we can use pid namespace with android GKI.

> > For example, if a container with PID namespace has a process with
> > PID 100 (which maps to PID 5000 in init namespace), attempting to
> > freeze PID 100 from the container could incorrectly match a different
> > process with PID 100 in the init namespace.
> > 
> > This patch fixes the issue by:
> > 1. Converting the caller's PID from their namespace to init namespace
> > 2. Matching against binder_proc->pid (which stores init namespace TGID)
> > 3. Returning -EINVAL for invalid PIDs and -ESRCH for not-found processes
>
> Are you sure this is the only place pid namespaces come into play in
> binder?  If this is going to be supported, I think all uses of pids need
> to handle namespaces.
> 
> or am I confused as to what is broken here?
>
> thanks,
>
> greg k-h

As far as we've confirmed, only the binder’s freeze ioctl operation receives
and processes a pid from user space. (other binder operation except freeze
handles pid as global pid in kernel space.)
Since binder_open() registers the pid to binder_procs based on the global pid
of the init namespace, the freeze operation does not function correctly when 
executed within a separate namespace. Moreover, in cases where duplicate pid 
exist, there is a potential risk of freezing an unintended process in the init
namespace.

Thanks. // JongAn, Kim

next prev parent reply	other threads:[~2026-01-08  5:37 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-03  2:41 [PATCH] binder: handle PID namespace conversion for freeze operation jongan.kim
2026-01-08  1:10 ` [PATCH RESEND] " jongan.kim
2026-01-08  5:37   ` Greg KH [this message]
     [not found]     ` <696087cf.050a0220.9a5fe.0a86SMTPIN_ADDED_BROKEN@mx.google.com>
2026-01-09  7:50       ` Greg KH
2026-01-09  8:39         ` Alice Ryhl
2026-01-15  8:06           ` jongan.kim
2026-01-15  8:41             ` Alice Ryhl
2026-01-16  5:52               ` jongan.kim
2026-01-16 10:52                 ` Alice Ryhl
2026-01-19  0:56                   ` jongan.kim
2026-01-09  4:44   ` jongan.kim

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2026010828-squash-tranquil-7544@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=aliceryhl@google.com \
    --cc=arve@android.com \
    --cc=brauner@kernel.org \
    --cc=cmllamas@google.com \
    --cc=ht.hong@lge.com \
    --cc=jongan.kim@lge.com \
    --cc=jungsu.hwang@lge.com \
    --cc=kernel-team@android.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sanghun.lee@lge.com \
    --cc=seulgi.lee@lge.com \
    --cc=sunghoon.kim@lge.com \
    --cc=tkjos@android.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox