This time captured by "console=lp0" :)
------------[ cut here ]------------
kernel BUG at kernel/exit.c:731!
invalid operand: 0000 [#1]
CPU: 0
EIP: 0060:[<c011e1ce>] Not tainted
EFLAGS: 00010296
EIP is at do_exit+0x20e/0x400
eax: 00000000 ebx: dffeeaa0 ecx: dc865940 edx: dcb5e000
esi: 00000000 edi: dd7026d0 ebp: dcb5fed0 esp: dcb5feb4
ds: 007b es: 007b ss: 0068
Process bomb.sh (pid: 11259, threadinfo=dcb5e000 task=dd7026d0)
Stack: dd7026d0 dcb44580 dcb5ff24 dd702c84 dcb5e000 00000009 00000009 dcb5fee4
c011e46a 00000009 dcb5e000 dd7026d0 dcb5ff0c c0127124 00000009 dd702c84
dcb5ff24 dcb5e000 dd702c84 dcb5ffc4 dd702c84 dcb5e000 dcb5ffb0 c0109156
Call Trace:
[<c011e46a>] do_group_exit+0x3a/0xb0
[<c0127124>] get_signal_to_deliver+0x244/0x350
[<c0109156>] do_signal0+0x66/0xe0
[<c010920b>] do_notify_resume+0x3b/0x40
[<c01093ea>] work_notifysig+0x13/0x15
Code: 0f 0b 02 4c 4f 32 c0 eb fe 8b 77 10 85 f6 75 ea 89 3c 24
<6>note: bomb.sh[11259] exited with preempt_count 1
It's not that easy to trigger, but it's 100% reproducible.