Re: [PATCH RESEND] binder: handle PID namespace conversion for freeze operation

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Alice Ryhl <aliceryhl@google.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: jongan.kim@lge.com, arve@android.com, brauner@kernel.org,
	 cmllamas@google.com, ht.hong@lge.com, jungsu.hwang@lge.com,
	 kernel-team@android.com, linux-kernel@vger.kernel.org,
	sanghun.lee@lge.com,  seulgi.lee@lge.com, sunghoon.kim@lge.com,
	tkjos@android.com
Subject: Re: [PATCH RESEND] binder: handle PID namespace conversion for freeze operation
Date: Fri, 9 Jan 2026 08:39:18 +0000	[thread overview]
Message-ID: <aWC-tgBQD9Lwn3Lu@google.com> (raw)
In-Reply-To: <2026010941-carwash-disabled-c713@gregkh>

On Fri, Jan 09, 2026 at 08:50:01AM +0100, Greg KH wrote:
> On Fri, Jan 09, 2026 at 01:44:22PM +0900, jongan.kim@lge.com wrote:
> > From: Greg KH <gregkh@linuxfoundation.org>
> > 
> > > On Thu, Jan 08, 2026 at 10:10:11AM +0900, jongan.kim@lge.com wrote:
> > > > From: "JongAn Kim" <jongan.kim@lge.com>
> > > > For example, if a container with PID namespace has a process with
> > > > PID 100 (which maps to PID 5000 in init namespace), attempting to
> > > > freeze PID 100 from the container could incorrectly match a different
> > > > process with PID 100 in the init namespace.
> > > > 
> > > > This patch fixes the issue by:
> > > > 1. Converting the caller's PID from their namespace to init namespace
> > > > 2. Matching against binder_proc->pid (which stores init namespace TGID)
> > > > 3. Returning -EINVAL for invalid PIDs and -ESRCH for not-found processes
> > >
> > > Are you sure this is the only place pid namespaces come into play in
> > > binder?  If this is going to be supported, I think all uses of pids need
> > > to handle namespaces.
> > > 
> > > or am I confused as to what is broken here?
> > >
> > > thanks,
> > >
> > > greg k-h
> > 
> > As far as we've confirmed, only the binder’s freeze ioctl operation receives
> > and processes a pid from user space. (other binder operation except freeze
> > handles pid as global pid in kernel space.)
> 
> Are you sure?  Those pids come from userspace, how can they be "global"?

I guess the BINDER_FREEZE/BINDER_GET_FROZEN_INFO ioctls are the only
that takes a pid as *input*. All other pid uses in Binder are outputs.

> > Since binder_open() registers the pid to binder_procs based on the global pid
> > of the init namespace, the freeze operation does not function correctly when 
> > executed within a separate namespace. Moreover, in cases where duplicate pid 
> > exist, there is a potential risk of freezing an unintended process in the init
> > namespace.
> 
> So you are relying on the registration in the global namespace, but what
> about the others?  I see a lot of "raw" pids happening in the binder
> code, it's odd that this would only be an issue in that one ioctl.
> 
> And, I hate to ask, what about the rust version of binder in the tree
> now?  What does that do?  :)

Both drivers handle the BINDER_FREEZE ioctl in the same way. The freeze
operation takes a target pid to freeze as input, and loops through all
open Binder fds/binder_procs and picks out any procs for which the
target pid is equal to `task->group_leader->pid`, with `task` being the
task that originally opened said fd. Then those fds/binder_procs are
marked frozen meaning that new incoming transactions are rejected.

Alice

next prev parent reply	other threads:[~2026-01-09  8:39 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-03  2:41 [PATCH] binder: handle PID namespace conversion for freeze operation jongan.kim
2026-01-08  1:10 ` [PATCH RESEND] " jongan.kim
2026-01-08  5:37   ` Greg KH
     [not found]     ` <696087cf.050a0220.9a5fe.0a86SMTPIN_ADDED_BROKEN@mx.google.com>
2026-01-09  7:50       ` Greg KH
2026-01-09  8:39         ` Alice Ryhl [this message]
2026-01-15  8:06           ` jongan.kim
2026-01-15  8:41             ` Alice Ryhl
2026-01-16  5:52               ` jongan.kim
2026-01-16 10:52                 ` Alice Ryhl
2026-01-19  0:56                   ` jongan.kim
2026-01-09  4:44   ` jongan.kim

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aWC-tgBQD9Lwn3Lu@google.com \
    --to=aliceryhl@google.com \
    --cc=arve@android.com \
    --cc=brauner@kernel.org \
    --cc=cmllamas@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=ht.hong@lge.com \
    --cc=jongan.kim@lge.com \
    --cc=jungsu.hwang@lge.com \
    --cc=kernel-team@android.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sanghun.lee@lge.com \
    --cc=seulgi.lee@lge.com \
    --cc=sunghoon.kim@lge.com \
    --cc=tkjos@android.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox