Not sure this is a bug in QEMU usermode, but I've tracked a crash that happens when running ARM guest code linked against bionic (from Android). More specifically when a detached thread exits.
In bionic, threads are created with the flag CLONE_CHILD_CLEARTID [1]. When a detached thread exits normally, bionic calls set_tid_address with nullptr to reset the address, before unmapping the thread memory [2] and exiting.
The problem seems to be that the handling of TARGET_NR_set_tid_address does not reset TaskState->child_tidptr, and this leads to a SIGSEGV during the handling of TARGET_NR_exit [3].
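To make the sequence concrete, here is a small added model of the emulator-side bookkeeping the report describes; it is not QEMU's code, and `GuestMem`, `TaskState`, `PAGE_SIZE` and the handler functions are hypothetical names chosen for this illustration. A per-thread state records the clear-tid address registered by `clone(CLONE_CHILD_CLEARTID)`, `set_tid_address` is handled either the buggy way (state not updated) or the fixed way (new address recorded, `NULL` clears it), and the exit path stores 0 through that address. Replaying bionic's detached-thread exit (`set_tid_address(NULL)`, unmap thread memory, `exit`) against both handlers shows why the stale pointer ends in a fault, while the joinable case shows the store that a joiner relies on.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed guest address space: a few pages with a mapped/unmapped bit. */
#define GUEST_PAGES 4
#define PAGE_SIZE   64

typedef struct {
    uint32_t mem[GUEST_PAGES * PAGE_SIZE / sizeof(uint32_t)];
    bool     mapped[GUEST_PAGES];
} GuestMem;

/* Hypothetical per-thread emulator state; child_tidptr mirrors the field
 * named in the report (guest address, 0 means "none registered"). */
typedef struct {
    uint32_t child_tidptr;
} TaskState;

enum { EXIT_OK = 0, EXIT_SIGSEGV = -1 };

static void guest_init(GuestMem *g) {
    memset(g, 0, sizeof *g);
    for (int i = 0; i < GUEST_PAGES; i++) g->mapped[i] = true;
}

static void guest_munmap(GuestMem *g, uint32_t addr) {
    g->mapped[addr / PAGE_SIZE] = false;
}

/* put_user-style store: fails when the page is unmapped (the host would fault). */
static int guest_put_u32(GuestMem *g, uint32_t addr, uint32_t val) {
    uint32_t page = addr / PAGE_SIZE;
    if (page >= GUEST_PAGES || !g->mapped[page] || addr % 4) return -1;
    g->mem[addr / 4] = val;
    return 0;
}

static uint32_t guest_get_u32(const GuestMem *g, uint32_t addr) {
    return g->mem[addr / 4];
}

/* clone(2) with CLONE_CHILD_CLEARTID: remember where to clear the tid on exit. */
static void do_clone_child_cleartid(TaskState *ts, uint32_t ctid_addr) {
    ts->child_tidptr = ctid_addr;
}

/* set_tid_address(2): the buggy handler leaves TaskState untouched;
 * the fixed handler records the new address (a NULL argument clears it). */
static void do_set_tid_address(TaskState *ts, uint32_t addr, bool fixed) {
    if (fixed) ts->child_tidptr = addr;
}

/* exit(2): if a clear-tid address is still registered, store 0 there.
 * (The kernel also FUTEX_WAKEs that word; the wake is omitted in this model.) */
static int do_exit(TaskState *ts, GuestMem *g) {
    if (ts->child_tidptr == 0) return EXIT_OK;
    if (guest_put_u32(g, ts->child_tidptr, 0) != 0) return EXIT_SIGSEGV;
    return EXIT_OK;
}

/* Bionic's detached-thread exit from the report: set_tid_address(NULL),
 * unmap the thread's own memory (which holds the tid word), then exit. */
static int detached_thread_exit(bool fixed_handler) {
    GuestMem g; guest_init(&g);
    TaskState ts = {0};
    uint32_t tid_word = 2 * PAGE_SIZE + 16;  /* inside the thread's mapping */
    do_clone_child_cleartid(&ts, tid_word);
    guest_put_u32(&g, tid_word, 1234);       /* kernel stores the child's tid */
    do_set_tid_address(&ts, 0, fixed_handler);
    guest_munmap(&g, tid_word);
    return do_exit(&ts, &g);
}

/* Joinable thread: no set_tid_address(NULL), so exit must clear the tid word
 * for whoever is waiting on it. Returns the word's value after exit. */
static uint32_t joinable_thread_exit(void) {
    GuestMem g; guest_init(&g);
    TaskState ts = {0};
    uint32_t tid_word = 1 * PAGE_SIZE;
    do_clone_child_cleartid(&ts, tid_word);
    guest_put_u32(&g, tid_word, 1234);
    do_exit(&ts, &g);
    return guest_get_u32(&g, tid_word);
}

int main(void) {
    printf("detached exit, buggy handler: %s\n",
           detached_thread_exit(false) == EXIT_SIGSEGV ? "SIGSEGV" : "ok");
    printf("detached exit, fixed handler: %s\n",
           detached_thread_exit(true) == EXIT_OK ? "ok" : "SIGSEGV");
    printf("joinable exit, tid word after exit: %u\n", joinable_thread_exit());
    return 0;
}
```

The model deliberately turns the store into a checked operation so the stale-pointer case is observable as a return value rather than a crash; the defensive point is the same as in the report: whatever handles `set_tid_address` must update the per-thread clear-tid pointer, otherwise the exit path writes through an address the guest has already unmapped.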