Netdev List
From: Maoyi Xie <maoyixie.tju@gmail.com>
To: "David S . Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Cc: Amritha Nambiar <amritha.nambiar@intel.com>,
	Simon Horman <horms@kernel.org>, David Wei <dw@davidwei.uk>,
	Stanislav Fomichev <sdf@fomichev.me>,
	Samiullah Khawaja <skhawaja@google.com>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	Maoyi Xie <maoyixie.tju@gmail.com>
Subject: net: netdev-genl: NETDEV_A_NAPI_PID is the init-ns pid, not the caller's
Date: Mon, 15 Jun 2026 15:01:52 +0800
Message-ID: <20260615070152.1211050-1-maoyixie.tju@gmail.com>

Hi all,

I noticed something in netdev_nl_napi_fill_one() and would appreciate
your view on whether it is a real problem.

It reports the NAPI kthread pid like this:

	if (napi->thread) {
		pid = task_pid_nr(napi->thread);
		if (nla_put_u32(rsp, NETDEV_A_NAPI_PID, pid))

task_pid_nr() returns the pid in the initial pid namespace. It is put
into NETDEV_A_NAPI_PID without any translation to the caller's pid
namespace.

NETDEV_CMD_NAPI_GET has no GENL_ADMIN_PERM and the family is netnsok.
So a caller in a child pid namespace can read it. That caller then sees
the kthread's global pid. The kthread is not in that namespace, so the
value there should be 0.

This looks like the same case as commit 3799c2570982 ("io_uring/fdinfo:
translate SqThread PID through caller's pid_ns").

I checked it with a small reproducer and a fix. From a child pid
namespace the reproducer reads the kthread's global pid. With the fix it
reads 0. I am not sure how much this matters in practice. I would
appreciate it if you could let me know whether it is worth a fix. I am
happy to send the patch.

Thanks,
Maoyi
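
The translation described in the message above, as an added example that is not part of the original message and is not kernel code: a userspace model of how a pid is looked up per namespace, following the logic of the kernel's pid_nr_ns(). The struct layouts, the model_* function names and the pid values 4321, 9000 and 7 are constructed for illustration.

```c
/* Userspace model of pid-namespace translation; not kernel code. */
#include <stdio.h>

#define MAX_LEVEL 4

struct pid_ns { int level; };
struct upid { int nr; const struct pid_ns *ns; };

/* One number per namespace, from the initial ns (level 0) down to the
 * namespace the task was created in (level == pid.level). */
struct pid { int level; struct upid numbers[MAX_LEVEL]; };

/* Models task_pid_nr(): always the number in the initial namespace. */
int model_pid_nr(const struct pid *pid)
{
	return pid ? pid->numbers[0].nr : 0;
}

/* Models pid_nr_ns(): the number as seen from ns, 0 if not visible there. */
int model_pid_nr_ns(const struct pid *pid, const struct pid_ns *ns)
{
	if (pid && ns->level <= pid->level &&
	    pid->numbers[ns->level].ns == ns)
		return pid->numbers[ns->level].nr;
	return 0;
}

/* Constructed sample data. */
static const struct pid_ns init_ns = { 0 };
static const struct pid_ns child_ns = { 1 };
/* NAPI kthread: exists only in the initial namespace, pid 4321. */
static const struct pid napi_kthread = { 0, { { 4321, &init_ns } } };
/* Containerised caller: pid 9000 globally, pid 7 inside child_ns. */
static const struct pid caller = { 1, { { 9000, &init_ns }, { 7, &child_ns } } };

int main(void)
{
	printf("untranslated, any caller:     %d\n", model_pid_nr(&napi_kthread));
	printf("translated, init_ns caller:   %d\n",
	       model_pid_nr_ns(&napi_kthread, &init_ns));
	printf("translated, child_ns caller:  %d\n",
	       model_pid_nr_ns(&napi_kthread, &child_ns));
	printf("caller's own pid in child_ns: %d\n",
	       model_pid_nr_ns(&caller, &child_ns));
	return 0;
}
```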
