do_exit() clears ->it_##clock##_expires, but nothing prevents another cpu from attaching the timer to the exiting process after that. arm_timer() tries to protect against this race, but the check is racy.

After exit_notify() does 'write_unlock_irq(&tasklist_lock)' and before do_exit() calls 'schedule()', a local timer interrupt can find tsk->exit_state != 0. If that state was EXIT_DEAD (or another cpu does sys_wait4), the interrupted task has ->signal == NULL.

At this moment the exiting task has no pending cpu timers; they were cleaned up in __exit_signal()->posix_cpu_timers_exit{,_group}(), so we can just return from irq.

John Stultz recently confirmed this bug, see http://marc.theaimsgroup.com/?l=linux-kernel&m=115015841413687
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=30f1e3dd8c72abda343bcf415f7d8894a02b4290
dsd: Please add to genpatches-2.6.16.
Fixed in gentoo-sources-2.6.16-r11 / genpatches-2.6.16-23
Maintainers please bump to 2.6.16.23 preferably or genpatches-2.6.16-13; does not affect 2.6.17:
ck-sources-2.6.16: marineam
hardened-sources-2.6: johnm, hardened
mips-sources-2.6.16: `Kumba
rsbac-sources-2.6: kang
sh-sources-2.6: vapier
suspend2-sources-2.6: brix
usermode-sources-2.6: dang
xbox-sources-2.6: chrb, gimli
xen-sources-2.6: chrb, agriffis
usermode-sources done.
Fixed in sys-kernel/suspend2-sources-2.6.16-r10.
Fixed in ck-sources-2.6.16_p12-r1.
All fixed, closing bug. rsbac-sources masked.