2010-01-06 00:21:14

by Eugene Kapun

Subject: Does tkill/tgkill leak info from kernel stack?

As far as I can see, the tkill and tgkill syscalls call do_tkill
(kernel/signal.c:2336). This function doesn't clear the info struct, so it would
contain what was on the kernel stack previously. And because SI_TKILL < 0, the
precautions in copy_siginfo_to_user (kernel/signal.c:2154) won't prevent this
data from going to userspace. Is it a bug?
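
The pattern the post asks about, modelled in user space as an added example (not kernel code and not part of the original post): a partially filled info struct is copied whole when si_code is negative, and the count shows how many stale bytes get through with and without clearing it first. The struct layout, its 128-byte size, the 0xAA marker and the pid/uid values are assumptions made for this model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_SI_TKILL (-6)   /* SI_TKILL in Linux; negative, as the post notes */
#define MODEL_SI_SIZE  128    /* assumed total size of the modelled siginfo */
#define STALE          0xAA   /* constructed marker for leftover stack bytes */

struct model_siginfo {        /* simplified stand-in, not the kernel's definition */
    int si_signo, si_errno, si_code;
    union {
        int pad[(MODEL_SI_SIZE - 3 * sizeof(int)) / sizeof(int)];
        struct { int pid; unsigned uid; } kill;
    } f;
};

/* Sets only the fields a tkill-style sender knows; optionally zeroes first. */
static void fill_tkill(struct model_siginfo *info, int sig, int clear) {
    if (clear) memset(info, 0, sizeof(*info));   /* the hardened variant */
    info->si_signo = sig;
    info->si_errno = 0;
    info->si_code = MODEL_SI_TKILL;
    info->f.kill.pid = 1234;  /* constructed sender pid */
    info->f.kill.uid = 1000;  /* constructed sender uid */
}

/* Negative si_code: the whole struct is copied. Otherwise only known fields. */
static size_t copy_model(unsigned char *dst, const struct model_siginfo *from) {
    size_t n = from->si_code < 0 ? sizeof(*from)
             : offsetof(struct model_siginfo, f) + sizeof(from->f.kill);
    memcpy(dst, from, n);
    return n;
}

/* Returns how many stale marker bytes reach the destination buffer. */
static size_t stale_bytes_exposed(int clear) {
    struct model_siginfo slot;
    unsigned char out[sizeof(slot)];
    size_t i, n, leaked = 0;
    memset(&slot, STALE, sizeof(slot));   /* stand-in for earlier stack contents */
    fill_tkill(&slot, 10, clear);
    n = copy_model(out, &slot);
    for (i = 0; i < n; i++) leaked += (out[i] == STALE);
    return leaked;
}

int main(void) {
    printf("uncleared: %zu stale bytes, cleared: %zu\n",
           stale_bytes_exposed(0), stale_bytes_exposed(1));
    return 0;
}
```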