On ptrace_detach(), the TIF_SYSCALL_TRACE in thread->flags of the tracee is not cleared up. This results in the tracehook_report_syscall_* being called (though there's no longer a tracer listening to that) upon its further syscalls.
Example scenario - attach "strace" to a running process and kill it (the strace) with SIGKILL. You'll see that the syscall trace hooks are still being called. Signed-off-by: Ales Novak <alno...@suse.cz> Cc: Jiri Kosina <jkos...@suse.cz> --- kernel/ptrace.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 1d3b766..634740f 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -85,6 +85,7 @@ void __ptrace_unlink(struct task_struct *child) task_clear_jobctl_pending(child, JOBCTL_TRAP_MASK); task_clear_jobctl_trapping(child); + clear_tsk_thread_flag(child, TIF_SYSCALL_TRACE); /* * Reinstate JOBCTL_STOP_PENDING if group stop is in effect and * @child isn't dead. -- 2.7.0