[PATCH v3 0/3] binder: handle PID namespace conversion for freeze operation

[PATCH v3 0/3] binder: handle PID namespace conversion for freeze operation

[jongan.kim]

From: JongAn Kim <jongan.kim@lge.com>

This patch series fixes PID namespace handling in binder's freeze operation
for both C and Rust implementations.

Changes in v3

1. Patch 1/3
- change to use task->tgid instead of task_tgid_nr_ns()

2. Patch 2/3
- Add Send/Sync traits for Pid
- Add AlwaysRefCounted for Pid with rust_helper_get_pid
- Add from_raw() constructor to Pid and Task
- Rename find_vpid_with_guard -> find_vpid
- Rename pid_task_with_guard -> pid_task 
- Convert init_pid_ns() to PidNamespace::init_ns()
- Add PartialEq/Eq for PidNamespace (Alice)
- Add rust/helpers/pid.c for get_pid() wrapper

3. Patch 3/3
- Use task::Pid typedef instead of u32/i32
- Use PidNamespace::init_ns() instead of init_pid_ns() 
- Compare PidNamespace directly with == instead of raw pointers
- Use Pid::find_vpid() and pid.pid_task() (dropped _with_guard suffix)
- Fix rustfmt import ordering (rcu before Arc)
- Rename TaskPid alias to PidT for clearer pid_t type indication
- Use task.group_leader().pid() instead of tgid_nr_ns() for consistency 
  with C

History

v1 : https://lore.kernel.org/lkml/20251203024140.175952-1-jongan.kim@lge.com/T/#u

v2 : https://lore.kernel.org/lkml/20260129084119.32994-1-jongan.kim@lge.com/T/#u
- add two more patches to implement the same logic in Rust binder


HeeSu Kim (2):
  rust: pid: add Pid abstraction and init_ns helper
  rust_binder: handle PID namespace conversion for freeze operation

JongAn Kim (1):
  binder: handle PID namespace conversion for freeze operation

 drivers/android/binder.c          |  53 +++++++++++-
 drivers/android/binder/process.rs |  37 +++++++-
 rust/helpers/helpers.c            |   1 +
 rust/helpers/pid.c                |   9 ++
 rust/kernel/lib.rs                |   1 +
 rust/kernel/pid.rs                | 138 ++++++++++++++++++++++++++++++
 rust/kernel/pid_namespace.rs      |  17 ++++
 rust/kernel/task.rs               |  13 +++
 8 files changed, 262 insertions(+), 7 deletions(-)
 create mode 100644 rust/helpers/pid.c
 create mode 100644 rust/kernel/pid.rs

-- 
2.25.1

[PATCH v3 1/3] binder: handle PID namespace conversion for freeze operation

[jongan.kim]

From: JongAn Kim <jongan.kim@lge.com>

Currently, when a freeze is attempted from a non-init PID namespace,
there is a possibility that the wrong process in the init namespace
may be frozen due to PID collision across namespaces.

For example, if a container with PID namespace has a process with
PID 100 (which maps to PID 5000 in init namespace), attempting to
freeze PID 100 from the container could incorrectly match a different
process with PID 100 in the init namespace.

This patch fixes the issue by:
1. Converting the caller's PID from their namespace to init namespace
2. Matching against binder_proc->pid (which stores init namespace TGID)
3. Returning -EINVAL for invalid PIDs and -ESRCH for not-found processes

This change ensures correct PID handling when binder freeze occurs in
non-init PID namespace.

Signed-off-by: JongAn Kim <jongan.kim@lge.com>
---
v2 -> v3 : change to use task->tgid instead of task_tgid_nr_ns()

 drivers/android/binder.c | 53 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 50 insertions(+), 3 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 535fc881c8da..4c4366089ecb 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -5609,6 +5609,41 @@ static bool binder_txns_pending_ilocked(struct binder_proc *proc)
 	return false;
 }
 
+/**
+ * binder_convert_to_init_ns_tgid() - Convert pid to global pid(init namespace)
+ * @pid:    pid from user space
+ *
+ * Converts a process ID (TGID) from the caller's PID namespace to the
+ * corresponding TGID in the init namespace.
+ *
+ * Return: On success, returns TGID in init namespace (positive value).
+ *         On error, returns -EINVAL if pid <= 0, or -ESRCH if process
+ *         not found or not visible in init namespace.
+ */
+static int binder_convert_to_init_ns_tgid(u32 pid)
+{
+	struct task_struct *task;
+	int init_ns_pid = 0;
+
+	/* already in init namespace */
+	if (task_is_in_init_pid_ns(current))
+		return pid;
+
+	if (pid == 0)
+		return -EINVAL;
+
+	rcu_read_lock();
+	task = pid_task(find_vpid(pid), PIDTYPE_PID);
+	if (task)
+		init_ns_pid = task->tgid;
+	rcu_read_unlock();
+
+	if (!init_ns_pid)
+		return -ESRCH;
+
+	return init_ns_pid;
+}
+
 static void binder_add_freeze_work(struct binder_proc *proc, bool is_frozen)
 {
 	struct binder_node *prev = NULL;
@@ -5717,13 +5752,18 @@ static int binder_ioctl_get_freezer_info(
 	struct binder_proc *target_proc;
 	bool found = false;
 	__u32 txns_pending;
+	int init_ns_pid = 0;
 
 	info->sync_recv = 0;
 	info->async_recv = 0;
 
+	init_ns_pid = binder_convert_to_init_ns_tgid(info->pid);
+	if (init_ns_pid < 0)
+		return init_ns_pid;
+
 	mutex_lock(&binder_procs_lock);
 	hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
-		if (target_proc->pid == info->pid) {
+		if (target_proc->pid == init_ns_pid) {
 			found = true;
 			binder_inner_proc_lock(target_proc);
 			txns_pending = binder_txns_pending_ilocked(target_proc);
@@ -5869,6 +5909,7 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 		struct binder_freeze_info info;
 		struct binder_proc **target_procs = NULL, *target_proc;
 		int target_procs_count = 0, i = 0;
+		int init_ns_pid = 0;
 
 		ret = 0;
 
@@ -5877,9 +5918,15 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 			goto err;
 		}
 
+		init_ns_pid = binder_convert_to_init_ns_tgid(info.pid);
+		if (init_ns_pid < 0) {
+			ret = init_ns_pid;
+			goto err;
+		}
+
 		mutex_lock(&binder_procs_lock);
 		hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
-			if (target_proc->pid == info.pid)
+			if (target_proc->pid == init_ns_pid)
 				target_procs_count++;
 		}
 
@@ -5900,7 +5947,7 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 		}
 
 		hlist_for_each_entry(target_proc, &binder_procs, proc_node) {
-			if (target_proc->pid != info.pid)
+			if (target_proc->pid != init_ns_pid)
 				continue;
 
 			binder_inner_proc_lock(target_proc);
-- 
2.25.1

Re: [PATCH v3 1/3] binder: handle PID namespace conversion for freeze operation

[Yury Norov]

On Tue, Feb 03, 2026 at 03:59:26PM +0900, jongan.kim@lge.com wrote:
> From: JongAn Kim <jongan.kim@lge.com>
> 
> Currently, when a freeze is attempted from a non-init PID namespace,
> there is a possibility that the wrong process in the init namespace
> may be frozen due to PID collision across namespaces.
> 
> For example, if a container with PID namespace has a process with
> PID 100 (which maps to PID 5000 in init namespace), attempting to
> freeze PID 100 from the container could incorrectly match a different
> process with PID 100 in the init namespace.
> 
> This patch fixes the issue by:
> 1. Converting the caller's PID from their namespace to init namespace
> 2. Matching against binder_proc->pid (which stores init namespace TGID)
> 3. Returning -EINVAL for invalid PIDs and -ESRCH for not-found processes
> 
> This change ensures correct PID handling when binder freeze occurs in
> non-init PID namespace.
> 
> Signed-off-by: JongAn Kim <jongan.kim@lge.com>
> ---
> v2 -> v3 : change to use task->tgid instead of task_tgid_nr_ns()
> 
>  drivers/android/binder.c | 53 +++++++++++++++++++++++++++++++++++++---
>  1 file changed, 50 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index 535fc881c8da..4c4366089ecb 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -5609,6 +5609,41 @@ static bool binder_txns_pending_ilocked(struct binder_proc *proc)
>  	return false;
>  }
>  
> +/**
> + * binder_convert_to_init_ns_tgid() - Convert pid to global pid(init namespace)

For global PIDs we've got task_pid_nr(), see include/linux/pid.h:

 /*
  * the helpers to get the task's different pids as they are seen
  * from various namespaces
  *
  * task_xid_nr()     : global id, i.e. the id seen from the init namespace;
  * task_xid_vnr()    : virtual id, i.e. the id seen from the pid namespace of
  *                     current.
  * task_xid_nr_ns()  : id seen from the ns specified;
  *
  * see also pid_nr() etc in include/linux/pid.h
  */

I think task_tgid_nr(current) would work for you. Or I misunderstand
something?

If your "binder_convert" returns something not covered by one from
the above, please put your function in include/linux/pid.h and give
it a proper name.

> + * @pid:    pid from user space
> + *
> + * Converts a process ID (TGID) from the caller's PID namespace to the
> + * corresponding TGID in the init namespace.

Process ID (PID) is not the same as TGID, but you use the names
interchangeably. This is very confusing. Can you reword?

> + * Return: On success, returns TGID in init namespace (positive value).
> + *         On error, returns -EINVAL if pid <= 0, or -ESRCH if process
> + *         not found or not visible in init namespace.
> + */
> +static int binder_convert_to_init_ns_tgid(u32 pid)

This should use pid_t.

> +{
> +	struct task_struct *task;
> +	int init_ns_pid = 0;
> +
> +	/* already in init namespace */
> +	if (task_is_in_init_pid_ns(current))
> +		return pid;
> +
> +	if (pid == 0)
> +		return -EINVAL;

Can you comment what is wrong with pid == 0?

> +	rcu_read_lock();
> +	task = pid_task(find_vpid(pid), PIDTYPE_PID);
> +	if (task)
> +		init_ns_pid = task->tgid;

So I've been replying with the same suggestion to v2, but you did it
in this v3 yourself.

> +	rcu_read_unlock();
> +
> +	if (!init_ns_pid)
> +		return -ESRCH;

You can assign init_ns_pid to -ESRCH at declaration and drop this chunk.

> +
> +	return init_ns_pid;
> +}

Thanks,
Yury

Re: [PATCH v3 1/3] binder: handle PID namespace conversion for freeze operation

[jongan.kim]

On Tue, Feb 03, 2026 at 03:38:59PM -0500, Yury Norov wrote:
> On Tue, Feb 03, 2026 at 03:59:26PM +0900, jongan.kim@lge.com wrote:
> > From: JongAn Kim <jongan.kim@lge.com>
> >
> > Currently, when a freeze is attempted from a non-init PID namespace,
> > there is a possibility that the wrong process in the init namespace
> > may be frozen due to PID collision across namespaces.
> >
> > For example, if a container with PID namespace has a process with
> > PID 100 (which maps to PID 5000 in init namespace), attempting to
> > freeze PID 100 from the container could incorrectly match a different
> > process with PID 100 in the init namespace.
> >
> > This patch fixes the issue by:
> > 1. Converting the caller's PID from their namespace to init namespace
> > 2. Matching against binder_proc->pid (which stores init namespace TGID)
> > 3. Returning -EINVAL for invalid PIDs and -ESRCH for not-found processes
> >
> > This change ensures correct PID handling when binder freeze occurs in
> > non-init PID namespace.
> >
> > Signed-off-by: JongAn Kim <jongan.kim@lge.com>
> > ---
> > v2 -> v3 : change to use task->tgid instead of task_tgid_nr_ns()
> >
> >  drivers/android/binder.c | 53 +++++++++++++++++++++++++++++++++++++---
> >  1 file changed, 50 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> > index 535fc881c8da..4c4366089ecb 100644
> > --- a/drivers/android/binder.c
> > +++ b/drivers/android/binder.c
> > @@ -5609,6 +5609,41 @@ static bool binder_txns_pending_ilocked(struct binder_proc *proc)
> >        return false;
> >  }
> > 
> > +/**
> > + * binder_convert_to_init_ns_tgid() - Convert pid to global pid(init namespace)
> 
> For global PIDs we've got task_pid_nr(), see include/linux/pid.h:
> 
>  /*
>   * the helpers to get the task's different pids as they are seen
>   * from various namespaces
>   *
>   * task_xid_nr()     : global id, i.e. the id seen from the init namespace;
>   * task_xid_vnr()    : virtual id, i.e. the id seen from the pid namespace of
>   *                     current.
>   * task_xid_nr_ns()  : id seen from the ns specified;
>   *
>   * see also pid_nr() etc in include/linux/pid.h
>   */
> 
> I think task_tgid_nr(current) would work for you. Or I misunderstand
> something?
> 
> If your "binder_convert" returns something not covered by one from
> the above, please put your function in include/linux/pid.h and give
> it a proper name.

Thank you for the suggestion. However, task_tgid_nr(current) returns the TGID 
of the *current* process, not the target process we want to freeze.

What we need is to convert a TGID from the caller's PID namespace to the 
corresponding TGID in the init namespace for a *different* process (the one 
being frozen). The flow is:

1. User space passes a TGID in their own namespace
2. We find the task_struct for that TGID via find_vpid()
3. We return task->tgid, which is always in init namespace

This differs from the existing task_xid_nr() family because we're converting
a PID from one namespace (caller's) to init namespace for a different task.

> > + * @pid:    pid from user space
> > + *
> > + * Converts a process ID (TGID) from the caller's PID namespace to the
> > + * corresponding TGID in the init namespace.
> 
> Process ID (PID) is not the same as TGID, but you use the names
> interchangeably. This is very confusing. Can you reword?

Binder driver handles TGID for bind freeze operation.
To avoid confusion, I will unify the variable names and terminology to use
"TGID" consistently.

> > + * Return: On success, returns TGID in init namespace (positive value).
> > + *         On error, returns -EINVAL if pid <= 0, or -ESRCH if process
> > + *         not found or not visible in init namespace.
> > + */
> > +static int binder_convert_to_init_ns_tgid(u32 pid)
> 
> This should use pid_t.

Ok. I will change to use pid_t for next patch.
 
> > +{
> > +     struct task_struct *task;
> > +     int init_ns_pid = 0;
> > +
> > +     /* already in init namespace */
> > +     if (task_is_in_init_pid_ns(current))
> > +             return pid;
> > +
> > +     if (pid == 0)
> > +             return -EINVAL;
> 
> Can you comment what is wrong with pid == 0?

Since find_vpid() always returns NULL when the input value is 0, it returns
an EINVAL error before calling rcu_read_lock().

> > +     rcu_read_lock();
> > +     task = pid_task(find_vpid(pid), PIDTYPE_PID);
> > +     if (task)
> > +             init_ns_pid = task->tgid;
> 
> So I've been replying with the same suggestion to v2, but you did it
> in this v3 yourself.
> 
> > +     rcu_read_unlock();
> > +
> > +     if (!init_ns_pid)
> > +             return -ESRCH;
> 
> You can assign init_ns_pid to -ESRCH at declaration and drop this chunk.
>
> > +
> > +     return init_ns_pid;
> > +}
> 
> Thanks,
> Yury

Thanks for suggestion. I will apply it (init_ns_pid = -ESRCH) in the next
patch. 

Thanks,
JongAn Kim.

Re: [PATCH v3 1/3] binder: handle PID namespace conversion for freeze operation

[Yury Norov]

On Wed, Feb 04, 2026 at 06:05:21PM +0900, jongan.kim@lge.com wrote:
> On Tue, Feb 03, 2026 at 03:38:59PM -0500, Yury Norov wrote:
> > On Tue, Feb 03, 2026 at 03:59:26PM +0900, jongan.kim@lge.com wrote:
> > > From: JongAn Kim <jongan.kim@lge.com>
> > >
> > > Currently, when a freeze is attempted from a non-init PID namespace,
> > > there is a possibility that the wrong process in the init namespace
> > > may be frozen due to PID collision across namespaces.
> > >
> > > For example, if a container with PID namespace has a process with
> > > PID 100 (which maps to PID 5000 in init namespace), attempting to
> > > freeze PID 100 from the container could incorrectly match a different
> > > process with PID 100 in the init namespace.
> > >
> > > This patch fixes the issue by:
> > > 1. Converting the caller's PID from their namespace to init namespace
> > > 2. Matching against binder_proc->pid (which stores init namespace TGID)
> > > 3. Returning -EINVAL for invalid PIDs and -ESRCH for not-found processes
> > >
> > > This change ensures correct PID handling when binder freeze occurs in
> > > non-init PID namespace.
> > >
> > > Signed-off-by: JongAn Kim <jongan.kim@lge.com>
> > > ---
> > > v2 -> v3 : change to use task->tgid instead of task_tgid_nr_ns()
> > >
> > >  drivers/android/binder.c | 53 +++++++++++++++++++++++++++++++++++++---
> > >  1 file changed, 50 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> > > index 535fc881c8da..4c4366089ecb 100644
> > > --- a/drivers/android/binder.c
> > > +++ b/drivers/android/binder.c
> > > @@ -5609,6 +5609,41 @@ static bool binder_txns_pending_ilocked(struct binder_proc *proc)
> > >        return false;
> > >  }
> > > 
> > > +/**
> > > + * binder_convert_to_init_ns_tgid() - Convert pid to global pid(init namespace)
> > 
> > For global PIDs we've got task_pid_nr(), see include/linux/pid.h:
> > 
> >  /*
> >   * the helpers to get the task's different pids as they are seen
> >   * from various namespaces
> >   *
> >   * task_xid_nr()     : global id, i.e. the id seen from the init namespace;
> >   * task_xid_vnr()    : virtual id, i.e. the id seen from the pid namespace of
> >   *                     current.
> >   * task_xid_nr_ns()  : id seen from the ns specified;
> >   *
> >   * see also pid_nr() etc in include/linux/pid.h
> >   */
> > 
> > I think task_tgid_nr(current) would work for you. Or I misunderstand
> > something?
> > 
> > If your "binder_convert" returns something not covered by one from
> > the above, please put your function in include/linux/pid.h and give
> > it a proper name.
> 
> Thank you for the suggestion. However, task_tgid_nr(current) returns the TGID 
> of the *current* process, not the target process we want to freeze.
>
> What we need is to convert a TGID from the caller's PID namespace to the 
> corresponding TGID in the init namespace for a *different* process (the one 
> being frozen). The flow is:
> 
> 1. User space passes a TGID in their own namespace
> 2. We find the task_struct for that TGID via find_vpid()
> 3. We return task->tgid, which is always in init namespace
> 
> This differs from the existing task_xid_nr() family because we're converting
> a PID from one namespace (caller's) to init namespace for a different task.

OK, I think I see now. Thanks for the explanation. Maybe add it in commit
message?

> > > + * @pid:    pid from user space
> > > + *
> > > + * Converts a process ID (TGID) from the caller's PID namespace to the
> > > + * corresponding TGID in the init namespace.
> > 
> > Process ID (PID) is not the same as TGID, but you use the names
> > interchangeably. This is very confusing. Can you reword?
> 
> Binder driver handles TGID for bind freeze operation.
> To avoid confusion, I will unify the variable names and terminology to use
> "TGID" consistently.
> 
> > > + * Return: On success, returns TGID in init namespace (positive value).
> > > + *         On error, returns -EINVAL if pid <= 0, or -ESRCH if process
> > > + *         not found or not visible in init namespace.
> > > + */
> > > +static int binder_convert_to_init_ns_tgid(u32 pid)
> > 
> > This should use pid_t.
> 
> Ok. I will change to use pid_t for next patch.
>  
> > > +{
> > > +     struct task_struct *task;
> > > +     int init_ns_pid = 0;
> > > +
> > > +     /* already in init namespace */
> > > +     if (task_is_in_init_pid_ns(current))
> > > +             return pid;
> > > +
> > > +     if (pid == 0)
> > > +             return -EINVAL;
> > 
> > Can you comment what is wrong with pid == 0?
> 
> Since find_vpid() always returns NULL when the input value is 0, it returns
> an EINVAL error before calling rcu_read_lock().

OK, so it's a performance trick. Can you discuss performance impact
then? I just wonder how often this function is called with the pid
of idle task?  If no performance impact, maybe it's worth to keep
code simpler?

This also adds inconsistency: if you're running on behalf of root ns,
you return 0 if pid == 0, otherwise you return an error. That's weird
because idle is 0 for any namespace. If it's intended, can you explicitly
mention it?

If you still want to bail out early for pid == 0, maybe:
 
             if (pid == 0 || task_is_in_init_pid_ns(current))
                     return pid;

> > > +     rcu_read_lock();
> > > +     task = pid_task(find_vpid(pid), PIDTYPE_PID);
> > > +     if (task)
> > > +             init_ns_pid = task->tgid;
> > 
> > So I've been replying with the same suggestion to v2, but you did it
> > in this v3 yourself.
> > 
> > > +     rcu_read_unlock();
> > > +
> > > +     if (!init_ns_pid)
> > > +             return -ESRCH;
> > 
> > You can assign init_ns_pid to -ESRCH at declaration and drop this chunk.
> >
> > > +
> > > +     return init_ns_pid;
> > > +}
> > 
> > Thanks,
> > Yury
> 
> Thanks for suggestion. I will apply it (init_ns_pid = -ESRCH) in the next
> patch. 
> 
> Thanks,
> JongAn Kim.

Re: [PATCH v3 1/3] binder: handle PID namespace conversion for freeze operation

[jongan.kim]

On Wed, Feb 04, 2026 at 12:04:17PM -0500, Yury Norov wrote:
> On Wed, Feb 04, 2026 at 06:05:21PM +0900, jongan.kim@lge.com wrote:
> > On Tue, Feb 03, 2026 at 03:38:59PM -0500, Yury Norov wrote:
> > > On Tue, Feb 03, 2026 at 03:59:26PM +0900, jongan.kim@lge.com wrote:
> > > > From: JongAn Kim <jongan.kim@lge.com>
> > > >
> > > > Currently, when a freeze is attempted from a non-init PID namespace,
> > > > there is a possibility that the wrong process in the init namespace
> > > > may be frozen due to PID collision across namespaces.
> > > >
> > > > For example, if a container with PID namespace has a process with
> > > > PID 100 (which maps to PID 5000 in init namespace), attempting to
> > > > freeze PID 100 from the container could incorrectly match a different
> > > > process with PID 100 in the init namespace.
> > > >
> > > > This patch fixes the issue by:
> > > > 1. Converting the caller's PID from their namespace to init namespace
> > > > 2. Matching against binder_proc->pid (which stores init namespace TGID)
> > > > 3. Returning -EINVAL for invalid PIDs and -ESRCH for not-found processes
> > > >
> > > > This change ensures correct PID handling when binder freeze occurs in
> > > > non-init PID namespace.
> > > >
> > > > Signed-off-by: JongAn Kim <jongan.kim@lge.com>
> > > > ---
> > > > v2 -> v3 : change to use task->tgid instead of task_tgid_nr_ns()
> > > >
> > > >  drivers/android/binder.c | 53 +++++++++++++++++++++++++++++++++++++---
> > > >  1 file changed, 50 insertions(+), 3 deletions(-)
> > > >
> > > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> > > > index 535fc881c8da..4c4366089ecb 100644
> > > > --- a/drivers/android/binder.c
> > > > +++ b/drivers/android/binder.c
> > > > @@ -5609,6 +5609,41 @@ static bool binder_txns_pending_ilocked(struct binder_proc *proc)
> > > >        return false;
> > > >  }
> > > >
> > > > +/**
> > > > + * binder_convert_to_init_ns_tgid() - Convert pid to global pid(init namespace)
> > >
> > > For global PIDs we've got task_pid_nr(), see include/linux/pid.h:
> > >
> > >  /*
> > >   * the helpers to get the task's different pids as they are seen
> > >   * from various namespaces
> > >   *
> > >   * task_xid_nr()     : global id, i.e. the id seen from the init namespace;
> > >   * task_xid_vnr()    : virtual id, i.e. the id seen from the pid namespace of
> > >   *                     current.
> > >   * task_xid_nr_ns()  : id seen from the ns specified;
> > >   *
> > >   * see also pid_nr() etc in include/linux/pid.h
> > >   */
> > >
> > > I think task_tgid_nr(current) would work for you. Or I misunderstand
> > > something?
> > >
> > > If your "binder_convert" returns something not covered by one from
> > > the above, please put your function in include/linux/pid.h and give
> > > it a proper name.
> >
> > Thank you for the suggestion. However, task_tgid_nr(current) returns the TGID
> > of the *current* process, not the target process we want to freeze.
> >
> > What we need is to convert a TGID from the caller's PID namespace to the
> > corresponding TGID in the init namespace for a *different* process (the one
> > being frozen). The flow is:
> >
> > 1. User space passes a TGID in their own namespace
> > 2. We find the task_struct for that TGID via find_vpid()
> > 3. We return task->tgid, which is always in init namespace
> >
> > This differs from the existing task_xid_nr() family because we're converting
> > a PID from one namespace (caller's) to init namespace for a different task.
> 
> OK, I think I see now. Thanks for the explanation. Maybe add it in commit
> message?
> 
> > > > + * @pid:    pid from user space
> > > > + *
> > > > + * Converts a process ID (TGID) from the caller's PID namespace to the
> > > > + * corresponding TGID in the init namespace.
> > >
> > > Process ID (PID) is not the same as TGID, but you use the names
> > > interchangeably. This is very confusing. Can you reword?
> >
> > Binder driver handles TGID for bind freeze operation.
> > To avoid confusion, I will unify the variable names and terminology to use
> > "TGID" consistently.
> >
> > > > + * Return: On success, returns TGID in init namespace (positive value).
> > > > + *         On error, returns -EINVAL if pid <= 0, or -ESRCH if process
> > > > + *         not found or not visible in init namespace.
> > > > + */
> > > > +static int binder_convert_to_init_ns_tgid(u32 pid)
> > >
> > > This should use pid_t.
> >
> > Ok. I will change to use pid_t for next patch.
> > 
> > > > +{
> > > > +     struct task_struct *task;
> > > > +     int init_ns_pid = 0;
> > > > +
> > > > +     /* already in init namespace */
> > > > +     if (task_is_in_init_pid_ns(current))
> > > > +             return pid;
> > > > +
> > > > +     if (pid == 0)
> > > > +             return -EINVAL;
> > >
> > > Can you comment what is wrong with pid == 0?
> >
> > Since find_vpid() always returns NULL when the input value is 0, it returns
> > an EINVAL error before calling rcu_read_lock().
> 
> OK, so it's a performance trick. Can you discuss performance impact
> then? I just wonder how often this function is called with the pid
> of idle task?  If no performance impact, maybe it's worth to keep
> code simpler?
> 
> This also adds inconsistency: if you're running on behalf of root ns,
> you return 0 if pid == 0, otherwise you return an error. That's weird
> because idle is 0 for any namespace. If it's intended, can you explicitly
> mention it?
> 
> If you still want to bail out early for pid == 0, maybe:
>  
>              if (pid == 0 || task_is_in_init_pid_ns(current))
>                      return pid;

You're right about the inconsistency. This function is not called frequently,
and I agree with your opinion.(make simple)

However, I've received feedback from the binder maintainer(Alice) suggesting
a different approach: instead of converting TGIDs, we should use the 
task_struct pointer directly for comparison.
https://lore.kernel.org/lkml/20260205050128.17532-1-jongan.kim@lge.com/
I'm planning to update the patch to implement this approach for both the C
and Rust code.

This means the current TGID conversion function will likely not be used in the
final implementation. Nevertheless, I really appreciate your detailed review
and valuable suggestions.

Thank you again for your time and thorough review.
Jong An, Kim.

> > > > +     rcu_read_lock();
> > > > +     task = pid_task(find_vpid(pid), PIDTYPE_PID);
> > > > +     if (task)
> > > > +             init_ns_pid = task->tgid;
> > >
> > > So I've been replying with the same suggestion to v2, but you did it
> > > in this v3 yourself.
> > >
> > > > +     rcu_read_unlock();
> > > > +
> > > > +     if (!init_ns_pid)
> > > > +             return -ESRCH;
> > >
> > > You can assign init_ns_pid to -ESRCH at declaration and drop this chunk.
> > >
> > > > +
> > > > +     return init_ns_pid;
> > > > +}
> > >
> > > Thanks,
> > > Yury
> >
> > Thanks for suggestion. I will apply it (init_ns_pid = -ESRCH) in the next
> > patch.
> >
> > Thanks,
> > JongAn Kim.

[PATCH v3 2/3] rust: pid: add Pid abstraction and init_ns helper

[jongan.kim]

From: HeeSu Kim <heesu0025.kim@lge.com>

Add a new Pid abstraction in rust/kernel/pid.rs that wraps the
kernel's struct pid and provides safe Rust interfaces for:
- find_vpid: Find a pid by number under RCU protection
- pid_task: Get the task associated with a pid under RCU protection

Also add init_ns() associated function to PidNamespace to get
a reference to the init PID namespace.

These abstractions use lifetime-bounded references tied to RCU guards
to ensure memory safety when accessing RCU-protected data structures.

Signed-off-by: HeeSu Kim <heesu0025.kim@lge.com>
---
v2 -> v3:
- Add Send/Sync traits for Pid
- Add AlwaysRefCounted for Pid with rust_helper_get_pid
- Add from_raw() constructor to Pid and Task
- Rename find_vpid_with_guard -> find_vpid
- Rename pid_task_with_guard -> pid_task 
- Convert init_pid_ns() to PidNamespace::init_ns()
- Add PartialEq/Eq for PidNamespace (Alice)
- Add rust/helpers/pid.c for get_pid() wrapper

 rust/helpers/helpers.c       |   1 +
 rust/helpers/pid.c           |   9 +++
 rust/kernel/lib.rs           |   1 +
 rust/kernel/pid.rs           | 138 +++++++++++++++++++++++++++++++++++
 rust/kernel/pid_namespace.rs |  17 +++++
 rust/kernel/task.rs          |  13 ++++
 6 files changed, 179 insertions(+)
 create mode 100644 rust/helpers/pid.c
 create mode 100644 rust/kernel/pid.rs

diff --git a/rust/helpers/helpers.c b/rust/helpers/helpers.c
index 79c72762ad9c..3138b88df24f 100644
--- a/rust/helpers/helpers.c
+++ b/rust/helpers/helpers.c
@@ -38,6 +38,7 @@
 #include "of.c"
 #include "page.c"
 #include "pci.c"
+#include "pid.c"
 #include "pid_namespace.c"
 #include "platform.c"
 #include "poll.c"
diff --git a/rust/helpers/pid.c b/rust/helpers/pid.c
new file mode 100644
index 000000000000..1337ca63ab0f
--- /dev/null
+++ b/rust/helpers/pid.c
@@ -0,0 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/pid.h>
+
+/* Get a reference on a struct pid. */
+struct pid *rust_helper_get_pid(struct pid *pid)
+{
+	return get_pid(pid);
+}
diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
index f812cf120042..60a518d65d0e 100644
--- a/rust/kernel/lib.rs
+++ b/rust/kernel/lib.rs
@@ -122,6 +122,7 @@
 pub mod page;
 #[cfg(CONFIG_PCI)]
 pub mod pci;
+pub mod pid;
 pub mod pid_namespace;
 pub mod platform;
 pub mod prelude;
diff --git a/rust/kernel/pid.rs b/rust/kernel/pid.rs
new file mode 100644
index 000000000000..253dbf689383
--- /dev/null
+++ b/rust/kernel/pid.rs
@@ -0,0 +1,138 @@
+// SPDX-License-Identifier: GPL-2.0
+
+//! Process identifiers (PIDs).
+//!
+//! C header: [`include/linux/pid.h`](srctree/include/linux/pid.h)
+
+use crate::{
+    bindings,
+    sync::{aref::AlwaysRefCounted, rcu},
+    task::Task,
+    types::Opaque,
+};
+use core::ptr::NonNull;
+
+/// Wraps the kernel's `struct pid`.
+///
+/// This structure represents the Rust abstraction for a C `struct pid`.
+/// A `Pid` represents a process identifier that can be looked up in different
+/// PID namespaces.
+#[repr(transparent)]
+pub struct Pid {
+    inner: Opaque<bindings::pid>,
+}
+
+// SAFETY: `struct pid` is safely accessible from any thread.
+unsafe impl Send for Pid {}
+
+// SAFETY: `struct pid` is safely accessible from any thread.
+unsafe impl Sync for Pid {}
+
+impl Pid {
+    /// Returns a raw pointer to the inner C struct.
+    #[inline]
+    pub fn as_ptr(&self) -> *mut bindings::pid {
+        self.inner.get()
+    }
+
+    /// Creates a reference to a [`Pid`] from a valid pointer.
+    ///
+    /// # Safety
+    ///
+    /// The caller must ensure that `ptr` is valid and remains valid for the lifetime of the
+    /// returned [`Pid`] reference.
+    #[inline]
+    pub unsafe fn from_raw<'a>(ptr: *const bindings::pid) -> &'a Self {
+        // SAFETY: The safety requirements guarantee the validity of the dereference, while the
+        // `Pid` type being transparent makes the cast ok.
+        unsafe { &*ptr.cast() }
+    }
+
+    /// Finds a `struct pid` by its pid number within the current task's PID namespace.
+    ///
+    /// Returns `None` if no such pid exists.
+    ///
+    /// The returned reference is only valid for the duration of the RCU read-side
+    /// critical section represented by the `rcu::Guard`.
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// use kernel::pid::Pid;
+    /// use kernel::sync::rcu;
+    ///
+    /// let guard = rcu::read_lock();
+    /// if let Some(pid) = Pid::find_vpid(1, &guard) {
+    ///     pr_info!("Found pid 1\n");
+    /// }
+    /// ```
+    ///
+    /// Returns `None` for non-existent PIDs:
+    ///
+    /// ```
+    /// use kernel::pid::Pid;
+    /// use kernel::sync::rcu;
+    ///
+    /// let guard = rcu::read_lock();
+    /// // PID 0 (swapper/idle) is not visible via find_vpid.
+    /// assert!(Pid::find_vpid(0, &guard).is_none());
+    /// ```
+    #[inline]
+    pub fn find_vpid<'a>(nr: i32, _rcu_guard: &'a rcu::Guard) -> Option<&'a Self> {
+        // SAFETY: Called under RCU protection as guaranteed by the Guard reference.
+        let ptr = unsafe { bindings::find_vpid(nr) };
+        if ptr.is_null() {
+            None
+        } else {
+            // SAFETY: `find_vpid` returns a valid pointer under RCU protection.
+            Some(unsafe { Self::from_raw(ptr) })
+        }
+    }
+
+    /// Gets the task associated with this PID.
+    ///
+    /// Returns `None` if no task is associated with this PID.
+    ///
+    /// The returned reference is only valid for the duration of the RCU read-side
+    /// critical section represented by the `rcu::Guard`.
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// use kernel::pid::Pid;
+    /// use kernel::sync::rcu;
+    ///
+    /// let guard = rcu::read_lock();
+    /// if let Some(pid) = Pid::find_vpid(1, &guard) {
+    ///     if let Some(task) = pid.pid_task(&guard) {
+    ///         pr_info!("Found task for pid 1\n");
+    ///     }
+    /// }
+    /// ```
+    #[inline]
+    pub fn pid_task<'a>(&'a self, _rcu_guard: &'a rcu::Guard) -> Option<&'a Task> {
+        // SAFETY: Called under RCU protection as guaranteed by the Guard reference.
+        let task_ptr = unsafe { bindings::pid_task(self.as_ptr(), bindings::pid_type_PIDTYPE_PID) };
+        if task_ptr.is_null() {
+            None
+        } else {
+            // SAFETY: `pid_task` returns a valid pointer under RCU protection.
+            Some(unsafe { Task::from_raw(task_ptr) })
+        }
+    }
+}
+
+// SAFETY: The type invariants guarantee that `Pid` is always refcounted.
+unsafe impl AlwaysRefCounted for Pid {
+    #[inline]
+    fn inc_ref(&self) {
+        // SAFETY: The existence of a shared reference means that the refcount is nonzero.
+        unsafe { bindings::get_pid(self.as_ptr()) };
+    }
+
+    #[inline]
+    unsafe fn dec_ref(obj: NonNull<Self>) {
+        // SAFETY: The safety requirements guarantee that the refcount is nonzero.
+        unsafe { bindings::put_pid(obj.cast().as_ptr()) }
+    }
+}
diff --git a/rust/kernel/pid_namespace.rs b/rust/kernel/pid_namespace.rs
index 979a9718f153..fc815945d614 100644
--- a/rust/kernel/pid_namespace.rs
+++ b/rust/kernel/pid_namespace.rs
@@ -38,6 +38,15 @@ pub unsafe fn from_ptr<'a>(ptr: *const bindings::pid_namespace) -> &'a Self {
         // `PidNamespace` type being transparent makes the cast ok.
         unsafe { &*ptr.cast() }
     }
+
+    /// Returns a reference to the init PID namespace.
+    ///
+    /// This is the root PID namespace that exists throughout the lifetime of the kernel.
+    #[inline]
+    pub fn init_ns() -> &'static Self {
+        // SAFETY: `init_pid_ns` is a global static that is valid for the lifetime of the kernel.
+        unsafe { Self::from_ptr(&raw const bindings::init_pid_ns) }
+    }
 }
 
 // SAFETY: Instances of `PidNamespace` are always reference-counted.
@@ -63,3 +72,11 @@ unsafe impl Send for PidNamespace {}
 // SAFETY: It's OK to access `PidNamespace` through shared references from other threads because
 // we're either accessing properties that don't change or that are properly synchronised by C code.
 unsafe impl Sync for PidNamespace {}
+
+impl PartialEq for PidNamespace {
+    fn eq(&self, other: &Self) -> bool {
+        self.as_ptr() == other.as_ptr()
+    }
+}
+
+impl Eq for PidNamespace {}
diff --git a/rust/kernel/task.rs b/rust/kernel/task.rs
index 49fad6de0674..92a7d27ac3b3 100644
--- a/rust/kernel/task.rs
+++ b/rust/kernel/task.rs
@@ -204,6 +204,19 @@ pub fn as_ptr(&self) -> *mut bindings::task_struct {
         self.0.get()
     }
 
+    /// Creates a reference to a [`Task`] from a valid pointer.
+    ///
+    /// # Safety
+    ///
+    /// The caller must ensure that `ptr` is valid and remains valid for the lifetime of the
+    /// returned [`Task`] reference.
+    #[inline]
+    pub unsafe fn from_raw<'a>(ptr: *const bindings::task_struct) -> &'a Self {
+        // SAFETY: The safety requirements guarantee the validity of the dereference, while the
+        // `Task` type being transparent makes the cast ok.
+        unsafe { &*ptr.cast() }
+    }
+
     /// Returns the group leader of the given task.
     pub fn group_leader(&self) -> &Task {
         // SAFETY: The group leader of a task never changes after initialization, so reading this
-- 
2.25.1

Re: [PATCH v3 2/3] rust: pid: add Pid abstraction and init_ns helper

[Gary Guo]

On Tue Feb 3, 2026 at 6:59 AM GMT, jongan.kim wrote:
> From: HeeSu Kim <heesu0025.kim@lge.com>
>
> Add a new Pid abstraction in rust/kernel/pid.rs that wraps the
> kernel's struct pid and provides safe Rust interfaces for:
> - find_vpid: Find a pid by number under RCU protection
> - pid_task: Get the task associated with a pid under RCU protection
>
> Also add init_ns() associated function to PidNamespace to get
> a reference to the init PID namespace.
>
> These abstractions use lifetime-bounded references tied to RCU guards
> to ensure memory safety when accessing RCU-protected data structures.
>
> Signed-off-by: HeeSu Kim <heesu0025.kim@lge.com>
> ---
> v2 -> v3:
> - Add Send/Sync traits for Pid
> - Add AlwaysRefCounted for Pid with rust_helper_get_pid
> - Add from_raw() constructor to Pid and Task
> - Rename find_vpid_with_guard -> find_vpid
> - Rename pid_task_with_guard -> pid_task 
> - Convert init_pid_ns() to PidNamespace::init_ns()
> - Add PartialEq/Eq for PidNamespace (Alice)
> - Add rust/helpers/pid.c for get_pid() wrapper
>
>  rust/helpers/helpers.c       |   1 +
>  rust/helpers/pid.c           |   9 +++
>  rust/kernel/lib.rs           |   1 +
>  rust/kernel/pid.rs           | 138 +++++++++++++++++++++++++++++++++++
>  rust/kernel/pid_namespace.rs |  17 +++++
>  rust/kernel/task.rs          |  13 ++++
>  6 files changed, 179 insertions(+)
>  create mode 100644 rust/helpers/pid.c
>  create mode 100644 rust/kernel/pid.rs
>
> diff --git a/rust/helpers/helpers.c b/rust/helpers/helpers.c
> index 79c72762ad9c..3138b88df24f 100644
> --- a/rust/helpers/helpers.c
> +++ b/rust/helpers/helpers.c
> @@ -38,6 +38,7 @@
>  #include "of.c"
>  #include "page.c"
>  #include "pci.c"
> +#include "pid.c"
>  #include "pid_namespace.c"
>  #include "platform.c"
>  #include "poll.c"
> diff --git a/rust/helpers/pid.c b/rust/helpers/pid.c
> new file mode 100644
> index 000000000000..1337ca63ab0f
> --- /dev/null
> +++ b/rust/helpers/pid.c
> @@ -0,0 +1,9 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +#include <linux/pid.h>
> +
> +/* Get a reference on a struct pid. */
> +struct pid *rust_helper_get_pid(struct pid *pid)

This needs a __rust_helper annotation.

The rest looks superb. With this fixed:

    Reviewed-by: Gary Guo <gary@garyguo.net>

Best,
Gary

> +{
> +	return get_pid(pid);
> +}
> diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
> index f812cf120042..60a518d65d0e 100644
> --- a/rust/kernel/lib.rs
> +++ b/rust/kernel/lib.rs

[PATCH v3 3/3] rust_binder: handle PID namespace conversion for freeze operation

[jongan.kim]

From: HeeSu Kim <heesu0025.kim@lge.com>

Port PID namespace conversion logic from C binder to the Rust
implementation.

Without namespace conversion, freeze operations from non-init namespaces
can match wrong processes due to PID collision. This adds proper
conversion to ensure freeze operations target the correct process.

Signed-off-by: HeeSu Kim <heesu0025.kim@lge.com>
---
v2 -> v3:
- Use task::Pid typedef instead of u32/i32
- Use PidNamespace::init_ns() instead of init_pid_ns() 
- Compare PidNamespace directly with == instead of raw pointers
- Use Pid::find_vpid() and pid.pid_task() (dropped _with_guard suffix)
- Fix rustfmt import ordering (rcu before Arc)
- Rename TaskPid alias to PidT for clearer pid_t type indication
- Use task.group_leader().pid() instead of tgid_nr_ns() for consistency with C

 drivers/android/binder/process.rs | 37 +++++++++++++++++++++++++++----
 1 file changed, 33 insertions(+), 4 deletions(-)

diff --git a/drivers/android/binder/process.rs b/drivers/android/binder/process.rs
index 132055b4790f..ea30bfac2e0b 100644
--- a/drivers/android/binder/process.rs
+++ b/drivers/android/binder/process.rs
@@ -22,6 +22,8 @@
     id_pool::IdPool,
     list::{List, ListArc, ListArcField, ListLinks},
     mm,
+    pid::Pid,
+    pid_namespace::PidNamespace,
     prelude::*,
     rbtree::{self, RBTree, RBTreeNode, RBTreeNodeReservation},
     seq_file::SeqFile,
@@ -29,9 +31,9 @@
     sync::poll::PollTable,
     sync::{
         lock::{spinlock::SpinLockBackend, Guard},
-        Arc, ArcBorrow, CondVar, CondVarTimeoutResult, Mutex, SpinLock, UniqueArc,
+        rcu, Arc, ArcBorrow, CondVar, CondVarTimeoutResult, Mutex, SpinLock, UniqueArc,
     },
-    task::Task,
+    task::{Pid as PidT, Task},
     types::ARef,
     uaccess::{UserSlice, UserSliceReader},
     uapi,
@@ -1498,17 +1500,42 @@ pub(crate) fn ioctl_freeze(&self, info: &BinderFreezeInfo) -> Result {
     }
 }
 
+/// Convert a PID from the current namespace to the global (init) namespace.
+fn convert_to_init_ns_tgid(pid: PidT) -> Result<PidT> {
+    let current = kernel::current!();
+    let init_ns = PidNamespace::init_ns();
+
+    if current.active_pid_ns() == Some(init_ns) {
+        // Already in init namespace.
+        return Ok(pid);
+    }
+
+    if pid == 0 {
+        return Err(EINVAL);
+    }
+
+    let rcu_guard = rcu::read_lock();
+
+    let pid_struct = Pid::find_vpid(pid, &rcu_guard).ok_or(ESRCH)?;
+    let task = pid_struct.pid_task(&rcu_guard).ok_or(ESRCH)?;
+
+    Ok(task.group_leader().pid())
+}
+
 fn get_frozen_status(data: UserSlice) -> Result {
     let (mut reader, mut writer) = data.reader_writer();
 
     let mut info = reader.read::<BinderFrozenStatusInfo>()?;
+
+    let init_ns_pid = convert_to_init_ns_tgid(info.pid as PidT)?;
+
     info.sync_recv = 0;
     info.async_recv = 0;
     let mut found = false;
 
     for ctx in crate::context::get_all_contexts()? {
         ctx.for_each_proc(|proc| {
-            if proc.task.pid() == info.pid as _ {
+            if proc.task.pid() == init_ns_pid as _ {
                 found = true;
                 let inner = proc.inner.lock();
                 let txns_pending = inner.txns_pending_locked();
@@ -1530,13 +1557,15 @@ fn get_frozen_status(data: UserSlice) -> Result {
 fn ioctl_freeze(reader: &mut UserSliceReader) -> Result {
     let info = reader.read::<BinderFreezeInfo>()?;
 
+    let init_ns_pid = convert_to_init_ns_tgid(info.pid as PidT)?;
+
     // Very unlikely for there to be more than 3, since a process normally uses at most binder and
     // hwbinder.
     let mut procs = KVec::with_capacity(3, GFP_KERNEL)?;
 
     let ctxs = crate::context::get_all_contexts()?;
     for ctx in ctxs {
-        for proc in ctx.get_procs_with_pid(info.pid as i32)? {
+        for proc in ctx.get_procs_with_pid(init_ns_pid)? {
             procs.push(proc, GFP_KERNEL)?;
         }
     }
-- 
2.25.1

Re: [PATCH v3 3/3] rust_binder: handle PID namespace conversion for freeze operation

[Gary Guo]

On Tue Feb 3, 2026 at 6:59 AM GMT, jongan.kim wrote:
> From: HeeSu Kim <heesu0025.kim@lge.com>
>
> Port PID namespace conversion logic from C binder to the Rust
> implementation.
>
> Without namespace conversion, freeze operations from non-init namespaces
> can match wrong processes due to PID collision. This adds proper
> conversion to ensure freeze operations target the correct process.
>
> Signed-off-by: HeeSu Kim <heesu0025.kim@lge.com>
> ---
> v2 -> v3:
> - Use task::Pid typedef instead of u32/i32
> - Use PidNamespace::init_ns() instead of init_pid_ns() 
> - Compare PidNamespace directly with == instead of raw pointers
> - Use Pid::find_vpid() and pid.pid_task() (dropped _with_guard suffix)
> - Fix rustfmt import ordering (rcu before Arc)
> - Rename TaskPid alias to PidT for clearer pid_t type indication
> - Use task.group_leader().pid() instead of tgid_nr_ns() for consistency with C
>
>  drivers/android/binder/process.rs | 37 +++++++++++++++++++++++++++----
>  1 file changed, 33 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/android/binder/process.rs b/drivers/android/binder/process.rs
> index 132055b4790f..ea30bfac2e0b 100644
> --- a/drivers/android/binder/process.rs
> +++ b/drivers/android/binder/process.rs
> @@ -22,6 +22,8 @@
>      id_pool::IdPool,
>      list::{List, ListArc, ListArcField, ListLinks},
>      mm,
> +    pid::Pid,
> +    pid_namespace::PidNamespace,
>      prelude::*,
>      rbtree::{self, RBTree, RBTreeNode, RBTreeNodeReservation},
>      seq_file::SeqFile,
> @@ -29,9 +31,9 @@
>      sync::poll::PollTable,
>      sync::{
>          lock::{spinlock::SpinLockBackend, Guard},
> -        Arc, ArcBorrow, CondVar, CondVarTimeoutResult, Mutex, SpinLock, UniqueArc,
> +        rcu, Arc, ArcBorrow, CondVar, CondVarTimeoutResult, Mutex, SpinLock, UniqueArc,
>      },
> -    task::Task,
> +    task::{Pid as PidT, Task},
>      types::ARef,
>      uaccess::{UserSlice, UserSliceReader},
>      uapi,
> @@ -1498,17 +1500,42 @@ pub(crate) fn ioctl_freeze(&self, info: &BinderFreezeInfo) -> Result {
>      }
>  }
>  
> +/// Convert a PID from the current namespace to the global (init) namespace.
> +fn convert_to_init_ns_tgid(pid: PidT) -> Result<PidT> {
> +    let current = kernel::current!();
> +    let init_ns = PidNamespace::init_ns();
> +
> +    if current.active_pid_ns() == Some(init_ns) {
> +        // Already in init namespace.
> +        return Ok(pid);
> +    }
> +
> +    if pid == 0 {
> +        return Err(EINVAL);
> +    }
> +
> +    let rcu_guard = rcu::read_lock();
> +
> +    let pid_struct = Pid::find_vpid(pid, &rcu_guard).ok_or(ESRCH)?;
> +    let task = pid_struct.pid_task(&rcu_guard).ok_or(ESRCH)?;
> +
> +    Ok(task.group_leader().pid())
> +}
> +
>  fn get_frozen_status(data: UserSlice) -> Result {
>      let (mut reader, mut writer) = data.reader_writer();
>  
>      let mut info = reader.read::<BinderFrozenStatusInfo>()?;
> +
> +    let init_ns_pid = convert_to_init_ns_tgid(info.pid as PidT)?;
> +
>      info.sync_recv = 0;
>      info.async_recv = 0;
>      let mut found = false;
>  
>      for ctx in crate::context::get_all_contexts()? {
>          ctx.for_each_proc(|proc| {
> -            if proc.task.pid() == info.pid as _ {
> +            if proc.task.pid() == init_ns_pid as _ {
>                  found = true;
>                  let inner = proc.inner.lock();
>                  let txns_pending = inner.txns_pending_locked();
> @@ -1530,13 +1557,15 @@ fn get_frozen_status(data: UserSlice) -> Result {
>  fn ioctl_freeze(reader: &mut UserSliceReader) -> Result {
>      let info = reader.read::<BinderFreezeInfo>()?;
>  
> +    let init_ns_pid = convert_to_init_ns_tgid(info.pid as PidT)?;
> +
>      // Very unlikely for there to be more than 3, since a process normally uses at most binder and
>      // hwbinder.
>      let mut procs = KVec::with_capacity(3, GFP_KERNEL)?;
>  
>      let ctxs = crate::context::get_all_contexts()?;
>      for ctx in ctxs {
> -        for proc in ctx.get_procs_with_pid(info.pid as i32)? {
> +        for proc in ctx.get_procs_with_pid(init_ns_pid)? {

I think this function already has `ARef<Task>` for all the process, so it feels
to me that the search should be simply based on task, rather than PID.

I.e. instead of pid_t -> struct pid -> struct tasks -> pid_t and then search
with it, we first get `Task` from VPID, and then search directly with it. This
would also make it no longer necessary to have the init namespace check.

(BTW, the current impl looks quite inefficient, get_procs_with_pid returns a vec
which is pushed again to a vec, perhaps using a callback or simply passing in a
`&mut Vec` is better?)

Best,
Gary

>              procs.push(proc, GFP_KERNEL)?;
>          }
>      }

Re: [PATCH v3 3/3] rust_binder: handle PID namespace conversion for freeze operation

[jongan.kim]

On Tue Feb 3, 2026 at 12:59:45PM +0000, Gary Guo wrote:
> On Tue Feb 3, 2026 at 6:59 AM GMT, jongan.kim wrote:
> > From: HeeSu Kim <heesu0025.kim@lge.com>
> >
> > Port PID namespace conversion logic from C binder to the Rust
> > implementation.
> >
> > Without namespace conversion, freeze operations from non-init namespaces
> > can match wrong processes due to PID collision. This adds proper
> > conversion to ensure freeze operations target the correct process.
> >
> > Signed-off-by: HeeSu Kim <heesu0025.kim@lge.com>
> > ---
> > v2 -> v3:
> > - Use task::Pid typedef instead of u32/i32
> > - Use PidNamespace::init_ns() instead of init_pid_ns()
> > - Compare PidNamespace directly with == instead of raw pointers
> > - Use Pid::find_vpid() and pid.pid_task() (dropped _with_guard suffix)
> > - Fix rustfmt import ordering (rcu before Arc)
> > - Rename TaskPid alias to PidT for clearer pid_t type indication
> > - Use task.group_leader().pid() instead of tgid_nr_ns() for consistency with C
> >
> >  drivers/android/binder/process.rs | 37 +++++++++++++++++++++++++++----
> >  1 file changed, 33 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/android/binder/process.rs b/drivers/android/binder/process.rs
> > index 132055b4790f..ea30bfac2e0b 100644
> > --- a/drivers/android/binder/process.rs
> > +++ b/drivers/android/binder/process.rs
> > @@ -22,6 +22,8 @@
> >      id_pool::IdPool,
> >      list::{List, ListArc, ListArcField, ListLinks},
> >      mm,
> > +    pid::Pid,
> > +    pid_namespace::PidNamespace,
> >      prelude::*,
> >      rbtree::{self, RBTree, RBTreeNode, RBTreeNodeReservation},
> >      seq_file::SeqFile,
> > @@ -29,9 +31,9 @@
> >      sync::poll::PollTable,
> >      sync::{
> >          lock::{spinlock::SpinLockBackend, Guard},
> > -        Arc, ArcBorrow, CondVar, CondVarTimeoutResult, Mutex, SpinLock, UniqueArc,
> > +        rcu, Arc, ArcBorrow, CondVar, CondVarTimeoutResult, Mutex, SpinLock, UniqueArc,
> >      },
> > -    task::Task,
> > +    task::{Pid as PidT, Task},
> >      types::ARef,
> >      uaccess::{UserSlice, UserSliceReader},
> >      uapi,
> > @@ -1498,17 +1500,42 @@ pub(crate) fn ioctl_freeze(&self, info: &BinderFreezeInfo) -> Result {
> >      }
> >  }
> > 
> > +/// Convert a PID from the current namespace to the global (init) namespace.
> > +fn convert_to_init_ns_tgid(pid: PidT) -> Result<PidT> {
> > +    let current = kernel::current!();
> > +    let init_ns = PidNamespace::init_ns();
> > +
> > +    if current.active_pid_ns() == Some(init_ns) {
> > +        // Already in init namespace.
> > +        return Ok(pid);
> > +    }
> > +
> > +    if pid == 0 {
> > +        return Err(EINVAL);
> > +    }
> > +
> > +    let rcu_guard = rcu::read_lock();
> > +
> > +    let pid_struct = Pid::find_vpid(pid, &rcu_guard).ok_or(ESRCH)?;
> > +    let task = pid_struct.pid_task(&rcu_guard).ok_or(ESRCH)?;
> > +
> > +    Ok(task.group_leader().pid())
> > +}
> > +
> >  fn get_frozen_status(data: UserSlice) -> Result {
> >      let (mut reader, mut writer) = data.reader_writer();
> > 
> >      let mut info = reader.read::<BinderFrozenStatusInfo>()?;
> > +
> > +    let init_ns_pid = convert_to_init_ns_tgid(info.pid as PidT)?;
> > +
> >      info.sync_recv = 0;
> >      info.async_recv = 0;
> >      let mut found = false;
> > 
> >      for ctx in crate::context::get_all_contexts()? {
> >          ctx.for_each_proc(|proc| {
> > -            if proc.task.pid() == info.pid as _ {
> > +            if proc.task.pid() == init_ns_pid as _ {
> >                  found = true;
> >                  let inner = proc.inner.lock();
> >                  let txns_pending = inner.txns_pending_locked();
> > @@ -1530,13 +1557,15 @@ fn get_frozen_status(data: UserSlice) -> Result {
> >  fn ioctl_freeze(reader: &mut UserSliceReader) -> Result {
> >      let info = reader.read::<BinderFreezeInfo>()?;
> > 
> > +    let init_ns_pid = convert_to_init_ns_tgid(info.pid as PidT)?;
> > +
> >      // Very unlikely for there to be more than 3, since a process normally uses at most binder and
> >      // hwbinder.
> >      let mut procs = KVec::with_capacity(3, GFP_KERNEL)?;
> > 
> >      let ctxs = crate::context::get_all_contexts()?;
> >      for ctx in ctxs {
> > -        for proc in ctx.get_procs_with_pid(info.pid as i32)? {
> > +        for proc in ctx.get_procs_with_pid(init_ns_pid)? {
> 
> I think this function already has `ARef<Task>` for all the process, so it feels
> to me that the search should be simply based on task, rather than PID.
> 
> I.e. instead of pid_t -> struct pid -> struct tasks -> pid_t and then search
> with it, we first get `Task` from VPID, and then search directly with it. This
> would also make it no longer necessary to have the init namespace check.
> 
> (BTW, the current impl looks quite inefficient, get_procs_with_pid returns a vec
> which is pushed again to a vec, perhaps using a callback or simply passing in a
> `&mut Vec` is better?)
> 
> Best,
> Gary
> 
> >              procs.push(proc, GFP_KERNEL)?;
> >          }
> >      }

Thank you for the suggestions for more efficient structure.

Your proposal to use task-based search instead of PID-based search
could simplify the logic.

However, I have a few considerations:
1. The current implementation maintains consistency with the existing
C binder implementation. Any structural change here would ideally be
reflected in the  C code as well to keep both implementations aligned.

2. Since the majority of binder usage occurs in the init namespace, the
current early return (checking task_is_in_init_pid_ns) avoids the overhead
of find_vpid() and pid_task() calls in the common case. If we always go
through the task lookup path, this optimization would be lost.

3. Regarding the search mechanism and vec efficiency improvements you
mentioned, these seem like valuable optimizations but would represent
a broader architectural change to the binder driver.

I'd like to get input from the binder driver maintainers on whether:
- This kind of structural change is desired for the binder driver
- If so, whether it should be done as part of this PID namespace fix or
as a separate refactoring effort
- Whether both C and Rust implementations should be updated together

Alice, could you please advise on the preferred approach here?

Thanks,
JongAn Kim

Re: [PATCH v3 3/3] rust_binder: handle PID namespace conversion for freeze operation

[Alice Ryhl]

On Wed, Feb 04, 2026 at 06:11:47PM +0900, jongan.kim@lge.com wrote:
> On Tue Feb 3, 2026 at 12:59:45PM +0000, Gary Guo wrote:
> > On Tue Feb 3, 2026 at 6:59 AM GMT, jongan.kim wrote:
> > I think this function already has `ARef<Task>` for all the process, so it feels
> > to me that the search should be simply based on task, rather than PID.
> > 
> > I.e. instead of pid_t -> struct pid -> struct tasks -> pid_t and then search
> > with it, we first get `Task` from VPID, and then search directly with it. This
> > would also make it no longer necessary to have the init namespace check.
> > 
> > (BTW, the current impl looks quite inefficient, get_procs_with_pid returns a vec
> > which is pushed again to a vec, perhaps using a callback or simply passing in a
> > `&mut Vec` is better?)
> > 
> > Best,
> > Gary
> > 
> > >              procs.push(proc, GFP_KERNEL)?;
> > >          }
> > >      }
> 
> Thank you for the suggestions for more efficient structure.
> 
> Your proposal to use task-based search instead of PID-based search
> could simplify the logic.
> 
> However, I have a few considerations:
> 1. The current implementation maintains consistency with the existing
> C binder implementation. Any structural change here would ideally be
> reflected in the  C code as well to keep both implementations aligned.

Yes, the drivers should match.

> 2. Since the majority of binder usage occurs in the init namespace, the
> current early return (checking task_is_in_init_pid_ns) avoids the overhead
> of find_vpid() and pid_task() calls in the common case. If we always go
> through the task lookup path, this optimization would be lost.

Well, I suggested this approach too on the previous version:
https://lore.kernel.org/lkml/20260130015427.83556-1-jongan.kim@lge.com/
(I mentioned it on C Binder, but they should of course match.)

I'm not necessarily that concerned about the optimization. Freezing is
already a bit expensive to begin with.

> 3. Regarding the search mechanism and vec efficiency improvements you
> mentioned, these seem like valuable optimizations but would represent
> a broader architectural change to the binder driver.

Improving get_procs_with_pid() seems like a separate thing. Perhaps it
could be part of this other series:
https://lore.kernel.org/all/20260201000817.275382-1-shivamklr@cock.li/

Improving it here should only happen if you need to rewrite said
function *anyway*.

> I'd like to get input from the binder driver maintainers on whether:
> - This kind of structural change is desired for the binder driver
> - If so, whether it should be done as part of this PID namespace fix or
> as a separate refactoring effort

See above.

> - Whether both C and Rust implementations should be updated together
> 
> Alice, could you please advise on the preferred approach here?

Both implementations should be updated together.

Alice

Re: [PATCH v3 3/3] rust_binder: handle PID namespace conversion for freeze operation

[jongan.kim]

On Wed, Feb 04 2026 10:50:31AM +0000, Alice Ryhl wrote:
> On Wed, Feb 04, 2026 at 06:11:47PM +0900, jongan.kim@lge.com wrote:
> > On Tue Feb 3, 2026 at 12:59:45PM +0000, Gary Guo wrote:
> > > On Tue Feb 3, 2026 at 6:59 AM GMT, jongan.kim wrote:
> > > I think this function already has `ARef<Task>` for all the process, so it feels
> > > to me that the search should be simply based on task, rather than PID.
> > >
> > > I.e. instead of pid_t -> struct pid -> struct tasks -> pid_t and then search
> > > with it, we first get `Task` from VPID, and then search directly with it. This
> > > would also make it no longer necessary to have the init namespace check.
> > >
> > > (BTW, the current impl looks quite inefficient, get_procs_with_pid returns a vec
> > > which is pushed again to a vec, perhaps using a callback or simply passing in a
> > > `&mut Vec` is better?)
> > >
> > > Best,
> > > Gary
> > >
> > > >              procs.push(proc, GFP_KERNEL)?;
> > > >          }
> > > >      }
> >
> > Thank you for the suggestions for more efficient structure.
> >
> > Your proposal to use task-based search instead of PID-based search
> > could simplify the logic.
> >
> > However, I have a few considerations:
> > 1. The current implementation maintains consistency with the existing
> > C binder implementation. Any structural change here would ideally be
> > reflected in the  C code as well to keep both implementations aligned.
> 
> Yes, the drivers should match.
> 
> > 2. Since the majority of binder usage occurs in the init namespace, the
> > current early return (checking task_is_in_init_pid_ns) avoids the overhead
> > of find_vpid() and pid_task() calls in the common case. If we always go
> > through the task lookup path, this optimization would be lost.
> 
> Well, I suggested this approach too on the previous version:
> https://lore.kernel.org/lkml/20260130015427.83556-1-jongan.kim@lge.com/
> (I mentioned it on C Binder, but they should of course match.)
> 
> I'm not necessarily that concerned about the optimization. Freezing is
> already a bit expensive to begin with.

Sorry, I misunderstood your intention before. I will update the new patch
to apply your recommendations for both the Rust and C. Thank you for the
review and suggestions.

> > 3. Regarding the search mechanism and vec efficiency improvements you
> > mentioned, these seem like valuable optimizations but would represent
> > a broader architectural change to the binder driver.
> 
> Improving get_procs_with_pid() seems like a separate thing. Perhaps it
> could be part of this other series:
> https://lore.kernel.org/all/20260201000817.275382-1-shivamklr@cock.li/
> 
> Improving it here should only happen if you need to rewrite said
> function *anyway*.

Since we're changing the implementation to use task-based comparison instead
of PID-based comparison, we won't be using get_procs_with_pid() anymore and
will need to write a new function (e.g., get_procs_with_task()).

Would this approach align with the Rust binder development direction?

> > I'd like to get input from the binder driver maintainers on whether:
> > - This kind of structural change is desired for the binder driver
> > - If so, whether it should be done as part of this PID namespace fix or
> > as a separate refactoring effort
> 
> See above.
> 
> > - Whether both C and Rust implementations should be updated together
> >
> > Alice, could you please advise on the preferred approach here?
> 
> Both implementations should be updated together.

We will update both the Rust and C implementations together.

Thanks.
Jong An, Kim.

Re: [PATCH v3 3/3] rust_binder: handle PID namespace conversion for freeze operation

[Alice Ryhl]

On Thu, Feb 05, 2026 at 02:01:28PM +0900, jongan.kim@lge.com wrote:
> On Wed, Feb 04 2026 10:50:31AM +0000, Alice Ryhl wrote:
> > On Wed, Feb 04, 2026 at 06:11:47PM +0900, jongan.kim@lge.com wrote:
> > > 3. Regarding the search mechanism and vec efficiency improvements you
> > > mentioned, these seem like valuable optimizations but would represent
> > > a broader architectural change to the binder driver.
> > 
> > Improving get_procs_with_pid() seems like a separate thing. Perhaps it
> > could be part of this other series:
> > https://lore.kernel.org/all/20260201000817.275382-1-shivamklr@cock.li/
> > 
> > Improving it here should only happen if you need to rewrite said
> > function *anyway*.
> 
> Since we're changing the implementation to use task-based comparison instead
> of PID-based comparison, we won't be using get_procs_with_pid() anymore and
> will need to write a new function (e.g., get_procs_with_task()).
> 
> Would this approach align with the Rust binder development direction?

Replacing get_procs_with_pid() with a new get_procs_with_task() sounds
reasonable to me.

Alice