I originally reported this:

    In the case of badframe, user struct is not unlocked here and may lead to deadlock:
    https://github.com/qemu/qemu/blob/d4f7d56759f7c75270c13d5f3f5f736a9558929c/linux-user/m68k/signal.c#L380

    In a similar case, it is unlocked correctly:
    https://github.com/qemu/qemu/blob/d4f7d56759f7c75270c13d5f3f5f736a9558929c/linux-user/sh4/signal.c#L303

Laurent replied that frame needs to be initialized with NULL in the second case indeed:

    In fact, this case is a little bit different and wrong, but to fix that the solution is to set frame to NULL when it is declared:

    linux-user/qemu.h:

        /* Unlock an area of guest memory.  The first LEN bytes must be
           flushed back to guest memory.  host_ptr = NULL is explicitly
           allowed and does nothing. */
        static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, long len)

    like for linux-user/aarch64/signal.c:

        long do_rt_sigreturn(CPUARMState *env)
        {
            struct target_rt_sigframe *frame = NULL;
            ...

    We have several targets with the same problem.

Thanks,
Mansour
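The two handler shapes discussed in the thread, as an added example that is not QEMU's code: a constructed, self-contained model of lock_user / unlock_user with a lock-depth counter, so that a badframe path which forgets to unlock is measurable. The macros lock_user_struct and unlock_user_struct, the VERIFY_READ flag and the TARGET_* constants are modelled after QEMU's names but their bodies and values here are assumptions; the guest memory, the "sc_pc == 0" validation and the leaked_locks() helper are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t abi_ulong;

#define TARGET_SIGSEGV 11
#define TARGET_QEMU_ESIGRETURN 513   /* value chosen for the model, not QEMU's */
#define VERIFY_READ 0

struct target_sigframe {
    abi_ulong sc_pc;                 /* the field the handler validates */
};

/* Constructed guest memory (64 bytes) plus a lock-depth counter: every
 * successful lock_user() must be matched by an unlock_user(), so a
 * non-zero depth after a handler returns is a leaked lock. */
static _Alignas(abi_ulong) unsigned char guest_mem[64];
static int lock_depth;
static int last_sig;

/* Model of lock_user(): NULL when the guest range is not mapped. */
static void *lock_user(int type, abi_ulong guest_addr, long len, int copy)
{
    (void)type; (void)copy;
    if ((uint64_t)guest_addr + (uint64_t)len > sizeof guest_mem) {
        return NULL;
    }
    lock_depth++;
    return guest_mem + guest_addr;
}

/* Model of unlock_user(): host_ptr == NULL is explicitly a no-op, which
 * is the property the fix in the thread relies on. */
static void unlock_user(void *host_ptr, abi_ulong guest_addr, long len)
{
    (void)guest_addr; (void)len;
    if (host_ptr == NULL) {
        return;
    }
    lock_depth--;
}

#define lock_user_struct(type, host_ptr, guest_addr, copy) \
    ((host_ptr) = lock_user(type, guest_addr, sizeof(*(host_ptr)), copy))
#define unlock_user_struct(host_ptr, guest_addr, copy) \
    unlock_user(host_ptr, guest_addr, (copy) ? sizeof(*(host_ptr)) : 0)

static void force_sig(int sig) { last_sig = sig; }

/* Shape of the reported bug: the badframe taken after a successful lock
 * returns with the frame still locked. */
static long sigreturn_leaky(abi_ulong frame_addr)
{
    struct target_sigframe *frame;

    if (!lock_user_struct(VERIFY_READ, frame, frame_addr, 1)) {
        goto badframe;
    }
    if (frame->sc_pc == 0) {         /* model of a failed sigcontext restore */
        goto badframe;               /* BUG: frame is not unlocked here */
    }
    unlock_user_struct(frame, frame_addr, 0);
    return -TARGET_QEMU_ESIGRETURN;

badframe:
    force_sig(TARGET_SIGSEGV);
    return -TARGET_QEMU_ESIGRETURN;
}

/* Fixed shape: frame starts as NULL, so a single badframe label can always
 * call unlock_user_struct(): a no-op when the lock never succeeded, a real
 * unlock when it did. */
static long sigreturn_fixed(abi_ulong frame_addr)
{
    struct target_sigframe *frame = NULL;

    if (!lock_user_struct(VERIFY_READ, frame, frame_addr, 1)) {
        goto badframe;
    }
    if (frame->sc_pc == 0) {
        goto badframe;
    }
    unlock_user_struct(frame, frame_addr, 0);
    return -TARGET_QEMU_ESIGRETURN;

badframe:
    unlock_user_struct(frame, frame_addr, 0);   /* safe: frame may be NULL */
    force_sig(TARGET_SIGSEGV);
    return -TARGET_QEMU_ESIGRETURN;
}

/* Constructed check helper: place a frame with sc_pc = pc at addr (if it is
 * mapped), run the handler, and return the lock depth it left behind. */
static int leaked_locks(long (*handler)(abi_ulong), abi_ulong addr, abi_ulong pc)
{
    lock_depth = 0;
    if (addr + sizeof(struct target_sigframe) <= sizeof guest_mem) {
        struct target_sigframe *f = (struct target_sigframe *)(guest_mem + addr);
        f->sc_pc = pc;
    }
    handler(addr);
    return lock_depth;
}

int main(void)
{
    printf("leaky, bad frame contents: %d lock(s) left\n", leaked_locks(sigreturn_leaky, 0, 0));
    printf("fixed, bad frame contents: %d lock(s) left\n", leaked_locks(sigreturn_fixed, 0, 0));
    printf("fixed, unmapped frame:     %d lock(s) left\n", leaked_locks(sigreturn_fixed, 1000, 0));
    return 0;
}
```

Running it shows the leaky shape leaving one lock held whenever validation fails after the lock succeeded, while the fixed shape leaves none on either failure path (unmapped frame, or mapped frame with bad contents) because unlocking a NULL frame is defined to do nothing.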