The problem arises when a threaded process calls request_module().
request_module() calls kernel_thread(), which does a clone(CLONE_VM).
The created kernel thread in turn executes exec_usermodehelper, which
calls set_user() with dumpclear=1, which leads to set_user() marking
the current task as not dumpable.
The problem is that current->mm of the kernel thread is shared (from
the clone(CLONE_VM)) with the task doing the request_module() (and in
turn with all other threads of the process). As the dumpable flag
happens to be a property of the task's mm, set_user also marks the
process (and all threads) as not dumpable.
Then see the following piece of code in proc_pid_make_inode()
(fs/proc/base.c):
    inode->i_uid = 0;
    inode->i_gid = 0;
    if (ino == PROC_PID_INO || task_dumpable(task)) {
        inode->i_uid = task->euid;
        inode->i_gid = task->egid;
    }
set_user() just marked the task's mm as not dumpable, so the files in
/proc/<pid> (where ino != PROC_PID_INO) get UID 0.
BTW, the problem should also occur with _every_ process running into a
request_module().
Danek, can you please try changing the second argument to set_user()
into 0, i.e.
    /* Become root */
    set_user(0, 0);
Apart from not setting current as not dumpable (which wasn't done by
the old code anyway), this should not change anything.
Andreas
--
Andreas Ferber - dev/consulting GmbH - Bielefeld, FRG
+49 521 1365800 - af@devcon.net - www.devcon.net
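As an added illustration (not part of Andreas's mail and not kernel source), the following user-space C model reproduces the aliasing he describes: the helper's task_struct gets the same mm pointer as the requesting thread, so clearing dumpable through set_user(0, 1) changes what proc_pid_make_inode() computes for the unprivileged thread, while set_user(0, 0) does not. The struct layouts, the uid 1000 and the PROC_PID_INO value are constructed for the model.

```c
/* Model of the dumpable-flag leak described in the mail above.
 * User-space simulation: names follow the message, bodies are simplified. */
#include <stddef.h>

#define PROC_PID_INO 2   /* constructed inode number for the /proc/<pid> dir */

struct mm_struct { int dumpable; };

struct task_struct {
    unsigned uid, euid, gid, egid;
    struct mm_struct *mm;   /* shared between threads after clone(CLONE_VM) */
};

/* clone(CLONE_VM): the child gets a pointer to the parent's mm, not a copy. */
static void clone_vm(struct task_struct *child, const struct task_struct *parent)
{
    *child = *parent;       /* copies uid/euid and the mm pointer itself */
}

/* set_user() as called by exec_usermodehelper: dumpclear=1 clears the flag
 * on current->mm, which is the shared mm of the whole thread group. */
static void set_user(struct task_struct *current, unsigned new_uid, int dumpclear)
{
    current->uid = current->euid = new_uid;
    if (dumpclear)
        current->mm->dumpable = 0;
}

static int task_dumpable(const struct task_struct *t) { return t->mm->dumpable; }

/* Ownership logic of proc_pid_make_inode() as quoted in the mail. */
static unsigned proc_inode_uid(int ino, const struct task_struct *task)
{
    if (ino == PROC_PID_INO || task_dumpable(task))
        return task->euid;
    return 0;
}

/* Scenario: a thread of an unprivileged process calls request_module();
 * the kernel thread it spawns calls set_user(0, dumpclear). Returns the uid
 * that a /proc/<pid> file (ino != PROC_PID_INO) ends up with for the
 * original, unprivileged thread. */
unsigned proc_file_uid_after_request_module(int dumpclear)
{
    struct mm_struct mm = { .dumpable = 1 };
    struct task_struct user = { .uid = 1000, .euid = 1000,
                                .gid = 1000, .egid = 1000, .mm = &mm };
    struct task_struct helper;

    clone_vm(&helper, &user);        /* kernel_thread() -> clone(CLONE_VM) */
    set_user(&helper, 0, dumpclear); /* exec_usermodehelper "Become root" */
    return proc_inode_uid(PROC_PID_INO + 1, &user);
}
```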