Commit 1333ab03 authored by Oleg Nesterov's avatar Oleg Nesterov Committed by Linus Torvalds

ptrace: change __ptrace_unlink() to clear ->ptrace under ->siglock

This test-case (simplified version of generated by syzkaller)

	#include <unistd.h>
	#include <sys/ptrace.h>
	#include <sys/wait.h>

	void test(void)
		for (;;) {
			if (fork()) {

			ptrace(PTRACE_SEIZE, getppid(), 0, 0);
			ptrace(PTRACE_INTERRUPT, getppid(), 0, 0);

	int main(void)
		int np;

		for (np = 0; np < 8; ++np)
			if (!fork())

		while (wait(NULL) > 0)
		return 0;

triggers the 2nd WARN_ON_ONCE(!signr) warning in do_jobctl_trap().  The
problem is that __ptrace_unlink() clears task->jobctl under siglock but
task->ptrace is cleared without this lock held; this fools the "else"
branch which assumes that !PT_SEIZED means PT_PTRACED.

Note also that most of other PTRACE_SEIZE checks can race with detach
from the exiting tracer too.  Say, the callers of ptrace_trap_notify()
assume that SEIZED can't go away after it was checked.
Signed-off-by: default avatarOleg Nesterov <>
Reported-by: default avatarDmitry Vyukov <>
Cc: Tejun Heo <>
Cc: syzkaller <>
Signed-off-by: default avatarAndrew Morton <>
Signed-off-by: default avatarLinus Torvalds <>
......@@ -73,12 +73,11 @@ void __ptrace_unlink(struct task_struct *child)
child->ptrace = 0;
child->parent = child->real_parent;
child->ptrace = 0;
* Clear all pending traps and TRAPPING. TRAPPING should be
* cleared regardless of JOBCTL_STOP_PENDING. Do it explicitly.
