4 files changed, 20 insertions, 25 deletions
diff --git a/kernel/exit.c b/kernel/exit.c
index 43077732619b..3b25b182d2be 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -843,6 +843,7 @@ fastcall NORET_TYPE void do_exit(long code)
        group_dead = atomic_dec_and_test(&tsk->signal->live);
        if (group_dead) {
                del_timer_sync(&tsk->signal->real_timer);
+                exit_itimers(tsk->signal);
                acct_process(code);
        }
        exit_mm(tsk);
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
index b3f3edc475de..7a51a5597c33 100644
--- a/kernel/posix-cpu-timers.c
+++ b/kernel/posix-cpu-timers.c
@@ -387,19 +387,25 @@ int posix_cpu_timer_del(struct k_itimer *timer)
        if (unlikely(p == NULL))
                return 0;
-        spin_lock(&p->sighand->siglock);
        if (!list_empty(&timer->it.cpu.entry)) {
-                /*
+                read_lock(&tasklist_lock);
-                 * Take us off the task's timer list.  We don't need to
+                if (unlikely(p->signal == NULL)) {
-                 * take tasklist_lock and check for the task being reaped.
+                        /*
-                 * If it was reaped, it already called posix_cpu_timers_exit
+                         * We raced with the reaping of the task.
-                 * and posix_cpu_timers_exit_group to clear all the timers
+                         * The deletion should have cleared us off the list.
-                 * that pointed to it.
+                         */
-                 */
+                        BUG_ON(!list_empty(&timer->it.cpu.entry));
-                list_del(&timer->it.cpu.entry);
+                } else {
-                put_task_struct(p);
+                        /*
+                         * Take us off the task's timer list.
+                         */
+                        spin_lock(&p->sighand->siglock);
+                        list_del(&timer->it.cpu.entry);
+                        spin_unlock(&p->sighand->siglock);
+                }
+                read_unlock(&tasklist_lock);
        }
-        spin_unlock(&p->sighand->siglock);
+        put_task_struct(p);
        return 0;
 }
diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
index b7b532acd9fc..dda3cda73c77 100644
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -1157,7 +1157,7 @@ retry_delete:
 }
 /*
- * This is called by __exit_signal, only when there are no more
+ * This is called by do_exit or de_thread, only when there are no more
 * references to the shared signal_struct.
 */
 void exit_itimers(struct signal_struct *sig)
diff --git a/kernel/signal.c b/kernel/signal.c
index 50c992643771..f2b96b08fb44 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -397,20 +397,8 @@ void __exit_signal(struct task_struct *tsk)
        flush_sigqueue(&tsk->pending);
        if (sig) {
                /*
-                 * We are cleaning up the signal_struct here.  We delayed
+                 * We are cleaning up the signal_struct here.
-                 * calling exit_itimers until after flush_sigqueue, just in
-                 * case our thread-local pending queue contained a queued
-                 * timer signal that would have been cleared in
-                 * exit_itimers.  When that called sigqueue_free, it would
-                 * attempt to re-take the tasklist_lock and deadlock.  This
-                 * can never happen if we ensure that all queues the
-                 * timer's signal might be queued on have been flushed
-                 * first.  The shared_pending queue, and our own pending
-                 * queue are the only queues the timer could be on, since
-                 * there are no other threads left in the group and timer
-                 * signals are constrained to threads inside the group.
                 */
-                exit_itimers(sig);
                exit_thread_group_keys(sig);
                kmem_cache_free(signal_cachep, sig);
        }