← Back to team overview

kernel-packages team mailing list archive

[Bug 1558120] Re: Kernel can be oopsed using remap_file_pages

 

This bug was fixed in the package linux - 4.4.0-23.41

---------------
linux (4.4.0-23.41) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1582431

  * zfs: disable module checks for zfs when cross-compiling (LP: #1581127)
    - [Packaging] disable zfs module checks when cross-compiling

  * Xenial update to v4.4.10 stable release (LP: #1580754)
    - Revert "UBUNTU: SAUCE: (no-up) ACPICA: Dispatcher: Update thread ID for
      recursive method calls"
    - Revert "UBUNTU: SAUCE: nbd: ratelimit error msgs after socket close"
    - Revert: "powerpc/tm: Check for already reclaimed tasks"
    - RDMA/iw_cxgb4: Fix bar2 virt addr calculation for T4 chips
    - ipvs: handle ip_vs_fill_iph_skb_off failure
    - ipvs: correct initial offset of Call-ID header search in SIP persistence
      engine
    - ipvs: drop first packet to redirect conntrack
    - mfd: intel-lpss: Remove clock tree on error path
    - nbd: ratelimit error msgs after socket close
    - ata: ahci_xgene: dereferencing uninitialized pointer in probe
    - mwifiex: fix corner case association failure
    - CNS3xxx: Fix PCI cns3xxx_write_config()
    - clk-divider: make sure read-only dividers do not write to their register
    - soc: rockchip: power-domain: fix err handle while probing
    - clk: rockchip: free memory in error cases when registering clock branches
    - clk: meson: Fix meson_clk_register_clks() signature type mismatch
    - clk: qcom: msm8960: fix ce3_core clk enable register
    - clk: versatile: sp810: support reentrance
    - clk: qcom: msm8960: Fix ce3_src register offset
    - lpfc: fix misleading indentation
    - ath9k: ar5008_hw_cmn_spur_mitigate: add missing mask_m & mask_p
      initialisation
    - mac80211: fix statistics leak if dev_alloc_name() fails
    - tracing: Don't display trigger file for events that can't be enabled
    - MD: make bio mergeable
    - Minimal fix-up of bad hashing behavior of hash_64()
    - mm, cma: prevent nr_isolated_* counters from going negative
    - mm/zswap: provide unique zpool name
    - ARM: EXYNOS: Properly skip unitialized parent clock in power domain on
    - ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel
    - xen: Fix page <-> pfn conversion on 32 bit systems
    - xen/balloon: Fix crash when ballooning on x86 32 bit PAE
    - xen/evtchn: fix ring resize when binding new events
    - HID: wacom: Add support for DTK-1651
    - HID: Fix boot delay for Creative SB Omni Surround 5.1 with quirk
    - Input: zforce_ts - fix dual touch recognition
    - proc: prevent accessing /proc/<PID>/environ until it's ready
    - mm: update min_free_kbytes from khugepaged after core initialization
    - batman-adv: fix DAT candidate selection (must use vid)
    - batman-adv: Check skb size before using encapsulated ETH+VLAN header
    - batman-adv: Fix broadcast/ogm queue limit on a removed interface
    - batman-adv: Reduce refcnt of removed router when updating route
    - writeback: Fix performance regression in wb_over_bg_thresh()
    - MAINTAINERS: Remove asterisk from EFI directory names
    - x86/tsc: Read all ratio bits from MSR_PLATFORM_INFO
    - ARM: cpuidle: Pass on arm_cpuidle_suspend()'s return value
    - ARC: Add missing io barriers to io{read,write}{16,32}be()
    - x86/sysfb_efi: Fix valid BAR address range check
    - ACPICA: Dispatcher: Update thread ID for recursive method calls
    - powerpc: Fix bad inline asm constraint in create_zero_mask()
    - libahci: save port map for forced port map
    - ata: ahci-platform: Add ports-implemented DT bindings.
    - USB: serial: cp210x: add ID for Link ECU
    - USB: serial: cp210x: add Straizona Focusers device ids
    - nvmem: mxs-ocotp: fix buffer overflow in read
    - gpu: ipu-v3: Fix imx-ipuv3-crtc module autoloading
    - drm/amdgpu: make sure vertical front porch is at least 1
    - drm/amdgpu: set metadata pointer to NULL after freeing.
    - iio: ak8975: Fix NULL pointer exception on early interrupt
    - iio: ak8975: fix maybe-uninitialized warning
    - drm/radeon: make sure vertical front porch is at least 1
    - drm/i915/ddi: Fix eDP VDD handling during booting and suspend/resume
    - drm/i915: Fix eDP low vswing for Broadwell
    - drm/i915: Make RPS EI/thresholds multiple of 25 on SNB-BDW
    - drm/i915: Fake HDMI live status
    - lib/test-string_helpers.c: fix and improve string_get_size() tests
    - drm/i915/skl: Fix DMC load on Skylake J0 and K0
    - Linux 4.4.10

  * HDMI audio playback noise  observed on AMD Polaris 10/11 GPU (LP: #1577288)
    - ALSA: hda: add AMD Polaris-10/11 AZ PCI IDs with proper driver caps

  * [i915_bpo] Update i915 backport driver (LP: #1580114)
    - SAUCE: i915_bpo: Drop is_preliminary from BXT/KBL.
    - SAUCE: i915_bpo: Sync with v4.6-rc7

  * CVE-2016-4486 (LP: #1578497)
    - net: fix infoleak in rtnetlink

  * CVE-2016-4485 (LP: #1578496)
    - net: fix infoleak in llc

  * drm.ko < kernel version 4.5 has a dead lock bug (LP: #1579610)
    - drm: Balance error path for GEM handle allocation

  * Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not
    supported by compiler (LP: #1574982)
    - SAUCE: (no-up) disable -pie when gcc has it enabled by default

  * system freeze after vt switching (LP: #1542939)
    - drm/atomic: Add __drm_atomic_helper_connector_reset, v2.
    - drm/atomic: Remove drm_atomic_connectors_for_crtc.

  * CVE-2016-4558 (LP: #1579140)
    - bpf: fix refcnt overflow

  * Kernel Panic on EC2 After Upgrading from 14.04 to 16.04 via do-release-
    upgrade -d (LP: #1573231)
    - SAUCE: (no-up) x86/topology: Handle CPUID bogosity gracefully

  * PCI Call Traces  hw csum failure in dmesg with  4.4.0-2-generic
    (LP: #1544978)
    - net/mlx4_en: Fix endianness bug in IPV6 csum calculation

  * Missing libunwind support in perf (LP: #1248289)
    - [Config] Add liblzma-dev to enable libunwind support in perf

  * thunderbolt hotplug is broken (LP: #1577898)
    - SAUCE: (no-up) ACPICA: Dispatcher: Update thread ID for recursive method
      calls

  * Kernel can be oopsed using remap_file_pages (LP: #1558120)
    - SAUCE: mm/mmap: fix oopsing on remap_file_pages

  * ZFS is confused by user namespaces (uid/gid mapping) when used with
    acltype=posixac (LP: #1567558)
    - zfs: Fix user namespaces uid/gid mapping

  * oops when propagating mounts into containers - RIP:
    0010:[<ffffffff8123cb3e>] [<ffffffff8123cb3e>] propagate_one+0xbe/0x1c0
    (LP: #1572316)
    - fs/pnode.c: treat zero mnt_group_id-s as unequal
    - propogate_mnt: Handle the first propogated copy being a slave

  * OOPS on wily+ for Haswell-ULT and Broadwell (LP: #1577748)
    - PNP: Add Broadwell to Intel MCH size workaround
    - PNP: Add Haswell-ULT to Intel MCH size workaround

  * Xenial update to v4.4.9 stable release (LP: #1578798)
    - block: loop: fix filesystem corruption in case of aio/dio
    - x86/mce: Avoid using object after free in genpool
    - kvm: x86: do not leak guest xcr0 into host interrupt handlers
    - ARM: dts: AM43x-epos: Fix clk parent for synctimer
    - ARM: mvebu: Correct unit address for linksys
    - ARM: OMAP2: Fix up interconnect barrier initialization for DRA7
    - ARM: OMAP2+: hwmod: Fix updating of sysconfig register
    - assoc_array: don't call compare_object() on a node
    - usb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host
    - xhci: resume USB 3 roothub first
    - usb: xhci: fix wild pointers in xhci_mem_cleanup
    - xhci: fix 10 second timeout on removal of PCI hotpluggable xhci controllers
    - usb: hcd: out of bounds access in for_each_companion
    - usb: gadget: f_fs: Fix use-after-free
    - dm cache metadata: fix READ_LOCK macros and cleanup WRITE_LOCK macros
    - dm cache metadata: fix cmd_read_lock() acquiring write lock
    - lib: lz4: fixed zram with lz4 on big endian machines
    - debugfs: Make automount point inodes permanently empty
    - dmaengine: dw: fix master selection
    - dmaengine: hsu: correct use of channel status register
    - dmaengine: pxa_dma: fix the maximum requestor line
    - sched/cgroup: Fix/cleanup cgroup teardown/init
    - x86/mm/xen: Suppress hugetlbfs in PV guests
    - x86 EDAC, sb_edac.c: Repair damage introduced when "fixing" channel address
    - ALSA: hda - Don't trust the reported actual power state
    - ALSA: hda/realtek - Add ALC3234 headset mode for Optiplex 9020m
    - ALSA: hda - Keep powering up ADCs on Cirrus codecs
    - ALSA: hda - add PCI ID for Intel Broxton-T
    - ALSA: pcxhr: Fix missing mutex unlock
    - ALSA: hda - Add dock support for ThinkPad X260
    - asm-generic/futex: Re-enable preemption in futex_atomic_cmpxchg_inatomic()
    - futex: Handle unlock_pi race gracefully
    - futex: Acknowledge a new waiter in counter before plist
    - drm/nouveau/core: use vzalloc for allocating ramht
    - drm/qxl: fix cursor position with non-zero hotspot
    - drm/i915: Fix race condition in intel_dp_destroy_mst_connector()
    - Revert "drm/radeon: disable runtime pm on PX laptops without dGPU power
      control"
    - Revert "drm/amdgpu: disable runtime pm on PX laptops without dGPU power
      control"
    - cpufreq: intel_pstate: Fix processing for turbo activation ratio
    - iwlwifi: pcie: lower the debug level for RSA semaphore access
    - iwlwifi: mvm: fix memory leak in paging
    - crypto: ccp - Prevent information leakage on export
    - crypto: sha1-mb - use corrcet pointer while completing jobs
    - crypto: talitos - fix crash in talitos_cra_init()
    - crypto: talitos - fix AEAD tcrypt tests
    - powerpc: scan_features() updates incorrect bits for REAL_LE
    - powerpc: Update cpu_user_features2 in scan_features()
    - powerpc: Update TM user feature bits in scan_features()
    - nl80211: check netlink protocol in socket release notification
    - netlink: don't send NETLINK_URELEASE for unbound sockets
    - Input: pmic8xxx-pwrkey - fix algorithm for converting trigger delay
    - xen kconfig: don't "select INPUT_XEN_KBDDEV_FRONTEND"
    - pinctrl: mediatek: correct debounce time unit in mtk_gpio_set_debounce
    - pinctrl: single: Fix pcs_parse_bits_in_pinctrl_entry to use __ffs than ffs
    - iommu/amd: Fix checking of pci dma aliases
    - iommu/dma: Restore scatterlist offsets correctly
    - drm/amdgpu: when suspending, if uvd/vce was running. need to cancel delay
      work.
    - drm/amdgpu: use defines for CRTCs and AMFT blocks
    - drm/amdgpu: bump the afmt limit for CZ, ST, Polaris
    - amdgpu/uvd: add uvd fw version for amdgpu
    - drm/amdgpu: fix regression on CIK (v2)
    - drm/radeon: add a quirk for a XFX R9 270X
    - drm/radeon: fix initial connector audio value
    - drm/radeon: forbid mapping of userptr bo through radeon device file
    - drm/radeon: fix vertical bars appear on monitor (v2)
    - drm: Loongson-3 doesn't fully support wc memory
    - drm/nouveau/gr/gf100: select a stream master to fixup tfb offset queries
    - drm/dp/mst: Validate port in drm_dp_payload_send_msg()
    - drm/dp/mst: Restore primary hub guid on resume
    - drm/dp/mst: Get validated port ref in drm_dp_update_payload_part1()
    - pwm: brcmstb: Fix check of devm_ioremap_resource() return code
    - drm/i915: Cleanup phys status page too
    - drm/i915: skl_update_scaler() wants a rotation bitmask instead of bit number
    - drm/amdkfd: uninitialized variable in dbgdev_wave_control_set_registers()
    - drm/i915: Fixup the free space logic in ring_prepare
    - drm/i915: Use fw_domains_put_with_fifo() on HSW
    - perf intel-pt: Fix segfault tracing transactions
    - i2c: cpm: Fix build break due to incompatible pointer types
    - i2c: exynos5: Fix possible ABBA deadlock by keeping I2C clock prepared
    - toshiba_acpi: Fix regression caused by hotkey enabling value
    - EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback
    - ASoC: s3c24xx: use const snd_soc_component_driver pointer
    - ASoC: ssm4567: Reset device before regcache_sync()
    - ASoC: dapm: Make sure we have a card when displaying component widgets
    - ASoC: rt5640: Correct the digital interface data select
    - vb2-memops: Fix over allocation of frame vectors
    - v4l2-dv-timings.h: fix polarity for 4k formats
    - cxl: Keep IRQ mappings on context teardown
    - IB/mlx5: Expose correct max_sge_rd limit
    - IB/security: Restrict use of the write() interface
    - efi: Fix out-of-bounds read in variable_matches()
    - efi: Expose non-blocking set_variable() wrapper to efivars
    - x86/apic: Handle zero vector gracefully in clear_vector_irq()
    - workqueue: fix ghost PENDING flag while doing MQ IO
    - slub: clean up code for kmem cgroup support to kmem_cache_free_bulk
    - cgroup, cpuset: replace cpuset_post_attach_flush() with
      cgroup_subsys->post_attach callback
    - memcg: relocate charge moving from ->attach to ->post_attach
    - mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check
    - numa: fix /proc/<pid>/numa_maps for THP
    - mm: vmscan: reclaim highmem zone if buffer_heads is over limit
    - mm/hwpoison: fix wrong num_poisoned_pages accounting
    - cgroup: make sure a parent css isn't freed before its children
    - videobuf2-core: Check user space planes array in dqbuf
    - videobuf2-v4l2: Verify planes array in buffer dequeueing
    - Revert "regulator: core: Fix nested locking of supplies"
    - regulator: core: fix regulator_lock_supply regression
    - regulator: core: Ensure we lock all regulators
    - regulator: core: Fix nested locking of supplies
    - locking/mcs: Fix mcs_spin_lock() ordering
    - spi/rockchip: Make sure spi clk is on in rockchip_spi_set_cs
    - irqchip/sunxi-nmi: Fix error check of of_io_request_and_map()
    - irqchip/mxs: Fix error check of of_io_request_and_map()
    - regulator: s5m8767: fix get_register() error handling
    - paride: make 'verbose' parameter an 'int' again
    - scsi_dh: force modular build if SCSI is a module
    - fbdev: da8xx-fb: fix videomodes of lcd panels
    - misc/bmp085: Enable building as a module
    - misc: mic/scif: fix wrap around tests
    - PM / OPP: Initialize u_volt_min/max to a valid value
    - PM / Domains: Fix removal of a subdomain
    - rtc: hym8563: fix invalid year calculation
    - rtc: vr41xx: Wire up alarm_irq_enable
    - rtc: ds1685: passing bogus values to irq_restore
    - rtc: rx8025: remove rv8803 id
    - rtc: max77686: Properly handle regmap_irq_get_virq() error code
    - drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors
    - perf evlist: Reference count the cpu and thread maps at set_maps()
    - x86/mm/kmmio: Fix mmiotrace for hugepages
    - ext4: fix NULL pointer dereference in ext4_mark_inode_dirty()
    - serial: sh-sci: Remove cpufreq notifier to fix crash/deadlock
    - mtd: spi-nor: remove micron_quad_enable()
    - mtd: brcmnand: Fix v7.1 register offsets
    - mtd: nand: Drop mtd.owner requirement in nand_scan
    - perf hists browser: Only offer symbol scripting when a symbol is under the
      cursor
    - perf tools: handle spaces in file names obtained from /proc/pid/maps
    - perf stat: Document --detailed option
    - ext4: fix races between page faults and hole punching
    - ext4: move unlocked dio protection from ext4_alloc_file_blocks()
    - ext4: fix races between buffered IO and collapse / insert range
    - ext4: fix races of writeback with punch hole and zero range
    - ARM: OMAP3: Add cpuidle parameters table for omap3430
    - ARM: prima2: always enable reset controller
    - ARM: EXYNOS: select THERMAL_OF
    - ARM: dts: armada-375: use armada-370-sata for SATA
    - ARM: dts: pxa: fix dma engine node to pxa3xx-nand
    - bus: imx-weim: Take the 'status' property value into account
    - jme: Do not enable NIC WoL functions on S0
    - jme: Fix device PM wakeup API usage
    - unbreak allmodconfig KCONFIG_ALLCONFIG=...
    - thermal: rockchip: fix a impossible condition caused by the warning
    - sunrpc/cache: drop reference when sunrpc_cache_pipe_upcall() detects a race
    - megaraid_sas: add missing curly braces in ioctl handler
    - stm class: Select CONFIG_SRCU
    - extcon: max77843: Use correct size for reading the interrupt register
    - Linux 4.4.9

  * Stoney powerplay support (LP: #1578305)
    - amdgpu/powerplay: Add Stoney to list of early init cases

  * CVE-2016-2117 (LP: #1561403)
    - atl2: Disable unimplemented scatter/gather feature

  * CVE-2016-2187 (LP: #1575706)
    - Input: gtco - fix crash on detecting device without endpoints

  * zfs posix default permissions lost on reboot or unmount (LP: #1574801)
    - Fix ZPL miswrite of default POSIX ACL

  * WARNING: at /build/linux-aWXT0l/linux-4.4.0/drivers/pci/pci.c:1595
    [travis3EN] (LP: #1574697)
    - net/mlx4_core: Implement pci_resume callback
    - net/mlx4_core: Avoid repeated calls to pci enable/disable

  * Add support to thinkpad keyboard backlight (LP: #1574498)
    - thinkpad_acpi: Add support for keyboard backlight

  * Please enable kconfig X86_LEGACY_VM86 for i386 (LP: #1499089)
    - [Config] CONFIG_VM86=y, CONFIG_X86_LEGACY_VM86=y

  * Miscellaneous Ubuntu changes
    - updateconfigs for Linux v4.4.9

 -- Kamal Mostafa <kamal@xxxxxxxxxxxxx>  Mon, 16 May 2016 15:16:29 -0700

** Changed in: linux (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2117

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2187

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4485

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4486

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4558

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1558120

Title:
  Kernel can be oopsed using remap_file_pages

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Wily:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  [SRU][WILY][XENIAL]

  [JUSTIFICATION]
  Running stress-ng --remap 4 will trip an oops on the remap.

  The bug is introduced by the mm/mmap.c changes in patch
  d15bd6cdbb1c2080fb1fca0035e5af1994f4d14f ("UBUNTU: SAUCE: AUFS").
  AUFS introduced a subtle bug into remap_file_pages; calls to
  do_mmap_pgoff can lead to a change of the vma->vm_file and so the
  vma_fput(vma) on the file is incorrect; we should instead fput on the
  original file.

  [FIX]
  fput the original file rather than the vma->vm_file.  Without the fix, stress-ng --remap 4 will produce an oops in a few seconds, with the fix it is rock solid.

  [REGRESSION POTENTIAL]
  This only changes the deprecated system call remap_file_pages which is not used much and it is also deprecated, so it should be avoided by user space applications anyhow.

  --------------------------------------------------------------------

  While faffing around with the deprecated system call remap_file_pages
  I was able to trigger an OOPs that can be reproduced every time.

  uname -a
  Linux lenovo 4.4.0-13-generic #29-Ubuntu SMP Fri Mar 11 19:31:18 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

  [   27.298469] mmap: stress-ng-remap (4061) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
  [   28.956497] BUG: unable to handle kernel NULL pointer dereference at 0000000000000228
  [   28.956555] IP: [<ffffffff811a94f8>] shmem_fault+0x38/0x1e0
  [   28.956594] PGD aded1067 PUD add32067 PMD 0
  [   28.956625] Oops: 0000 [#1] SMP
  [   28.956649] Modules linked in: nls_iso8859_1 drbg ansi_cprng xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables binfmt_misc zfs(PO) zunicode(PO) zcommon(PO) znvpair(PO) spl(O) zavl(PO) uvcvideo intel_rapl x86_pkg_temp_thermal intel_powerclamp videobuf2_vmalloc coretemp videobuf2_memops crct10dif_pclmul videobuf2_v4l2 crc32_pclmul videobuf2_core v4l2_common snd_hda_codec_hdmi videodev aesni_intel snd_hda_codec_realtek snd_hda_codec_generic media aes_x86_64 lrw snd_seq_midi gf128mul glue_helper ablk_helper snd_seq_midi_event cryptd snd_hda_intel snd_hda_codec snd_hda_core
  [   28.957162]  snd_hwdep snd_rawmidi joydev input_leds arc4 serio_raw rtl8192ce rtl_pci rtl8192c_common snd_pcm rtlwifi snd_seq mac80211 thinkpad_acpi nvram cfg80211 snd_seq_device mei_me mei lpc_ich snd_timer shpchp snd soundcore mac_hid kvm_intel kvm irqbypass parport_pc ppdev lp parport autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear mmc_block i915 psmouse i2c_algo_bit drm_kms_helper e1000e ahci syscopyarea libahci sdhci_pci sysfillrect sysimgblt sdhci ptp fb_sys_fops pps_core drm wmi fjes video
  [   28.957570] CPU: 2 PID: 4061 Comm: stress-ng-remap Tainted: P           O    4.4.0-13-generic #29-Ubuntu
  [   28.957623] Hardware name: LENOVO 2320CTO/2320CTO, BIOS G2ET31WW (1.11 ) 05/24/2012
  [   28.957666] task: ffff8800add2ee00 ti: ffff8800adf7c000 task.ti: ffff8800adf7c000
  [   28.957707] RIP: 0010:[<ffffffff811a94f8>]  [<ffffffff811a94f8>] shmem_fault+0x38/0x1e0
  [   28.957754] RSP: 0000:ffff8800adf7fd38  EFLAGS: 00010246
  [   28.957780] RAX: ffff880194f06900 RBX: 0000000000000000 RCX: 0000000000000054
  [   28.957820] RDX: 0000000000000000 RSI: ffff8800adf7fda8 RDI: ffff8800a990f0c8
  [   28.957860] RBP: ffff8800adf7fd98 R08: 0000000000000000 R09: ffff8800adf7fe68
  [   28.957899] R10: 0000000000000000 R11: 00003ffffffff000 R12: ffff8800a990f0c8
  [   28.957939] R13: ffff8800adf7fe68 R14: ffff8800adf0de90 R15: 00007f83ba57b000
  [   28.957979] FS:  00007f83bc46c740(0000) GS:ffff88019e280000(0000) knlGS:0000000000000000
  [   28.958024] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   28.958056] CR2: 0000000000000228 CR3: 00000000ade92000 CR4: 00000000001406e0
  [   28.958096] Stack:
  [   28.958109]  ffff8800aafb3840 00000200adf7fd68 ffff8800adfaf108 ffff8800adfaf190
  [   28.958158]  ffffffff81a25e80 ffff8800adfaf190 0000000000000000 00000000b7865150
  [   28.958206]  0000000000000000 ffff8800a990f0c8 ffff8800adf7fe68 ffff8800adf0de90
  [   28.958254] Call Trace:
  [   28.958273]  [<ffffffff811ba900>] __do_fault+0x50/0xe0
  [   28.958305]  [<ffffffff811be33b>] handle_mm_fault+0xf8b/0x1820
  [   28.958339]  [<ffffffff81221e52>] ? __dentry_kill+0x162/0x1e0
  [   28.958374]  [<ffffffff8122b6a4>] ? mntput+0x24/0x40
  [   28.958405]  [<ffffffff8106a537>] __do_page_fault+0x197/0x400
  [   28.958439]  [<ffffffff8106a7c2>] do_page_fault+0x22/0x30
  [   28.958472]  [<ffffffff8181eef8>] page_fault+0x28/0x30
  [   28.958501] Code: 41 54 53 49 89 fc 48 83 ec 40 c7 45 ac 00 02 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d8 31 c0 48 8b 87 a0 00 00 00 48 8b 58 20 <48> 83 bb 28 02 00 00 00 0f 85 98 00 00 00 48 8b 43 30 48 8d 56
  [   28.958726] RIP  [<ffffffff811a94f8>] shmem_fault+0x38/0x1e0

  How to reproduce:

  git clone git://kernel.ubuntu.com/cking/stress-ng
  cd stress-ng
  make clean; make
  ./stress-ng --remap 8 -t 20
  ---
  ApportVersion: 2.20-0ubuntu3
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/pcmC0D0p:   king       2522 F...m pulseaudio
   /dev/snd/controlC0:  king       2522 F.... pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 16.04
  EcryptfsInUse: Yes
  HibernationDevice: RESUME=UUID=bdef26b7-e88c-4196-97a3-b6d47447ce86
  InstallationDate: Installed on 2015-11-04 (135 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
  MachineType: LENOVO 2320CTO
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-13-generic root=UUID=324e5943-0fda-445d-a814-d3a80ff92ab8 ro quiet splash nomdmonddf nomdmonisw vt.handoff=7
  ProcVersionSignature: Ubuntu 4.4.0-13.29-generic 4.4.5
  RelatedPackageVersions:
   linux-restricted-modules-4.4.0-13-generic N/A
   linux-backports-modules-4.4.0-13-generic  N/A
   linux-firmware                            1.156
  RfKill:
   0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
  Tags:  xenial
  Uname: Linux 4.4.0-13-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: adm cdrom dip libvirtd lpadmin lxd plugdev sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 05/24/2012
  dmi.bios.vendor: LENOVO
  dmi.bios.version: G2ET31WW (1.11 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 2320CTO
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvrG2ET31WW(1.11):bd05/24/2012:svnLENOVO:pn2320CTO:pvrThinkPadX230:rvnLENOVO:rn2320CTO:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 2320CTO
  dmi.product.version: ThinkPad X230
  dmi.sys.vendor: LENOVO
  ---
  ApportVersion: 2.20-0ubuntu3
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/pcmC0D0p:   king       2522 F...m pulseaudio
   /dev/snd/controlC0:  king       2522 F.... pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 16.04
  EcryptfsInUse: Yes
  HibernationDevice: RESUME=UUID=bdef26b7-e88c-4196-97a3-b6d47447ce86
  InstallationDate: Installed on 2015-11-04 (135 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
  MachineType: LENOVO 2320CTO
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-13-generic root=UUID=324e5943-0fda-445d-a814-d3a80ff92ab8 ro quiet splash nomdmonddf nomdmonisw vt.handoff=7
  ProcVersionSignature: Ubuntu 4.4.0-13.29-generic 4.4.5
  RelatedPackageVersions:
   linux-restricted-modules-4.4.0-13-generic N/A
   linux-backports-modules-4.4.0-13-generic  N/A
   linux-firmware                            1.156
  RfKill:
   0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
  Tags:  xenial
  Uname: Linux 4.4.0-13-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: adm cdrom dip libvirtd lpadmin lxd plugdev sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 05/24/2012
  dmi.bios.vendor: LENOVO
  dmi.bios.version: G2ET31WW (1.11 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 2320CTO
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvrG2ET31WW(1.11):bd05/24/2012:svnLENOVO:pn2320CTO:pvrThinkPadX230:rvnLENOVO:rn2320CTO:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 2320CTO
  dmi.product.version: ThinkPad X230
  dmi.sys.vendor: LENOVO
  ---
  ApportVersion: 2.20-0ubuntu3
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/pcmC0D0p:   king       2522 F...m pulseaudio
   /dev/snd/controlC0:  king       2522 F.... pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 16.04
  EcryptfsInUse: Yes
  HibernationDevice: RESUME=UUID=bdef26b7-e88c-4196-97a3-b6d47447ce86
  InstallationDate: Installed on 2015-11-04 (135 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
  MachineType: LENOVO 2320CTO
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-13-generic root=UUID=324e5943-0fda-445d-a814-d3a80ff92ab8 ro quiet splash nomdmonddf nomdmonisw vt.handoff=7
  ProcVersionSignature: Ubuntu 4.4.0-13.29-generic 4.4.5
  RelatedPackageVersions:
   linux-restricted-modules-4.4.0-13-generic N/A
   linux-backports-modules-4.4.0-13-generic  N/A
   linux-firmware                            1.156
  RfKill:
   0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
  Tags:  xenial
  Uname: Linux 4.4.0-13-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: adm cdrom dip libvirtd lpadmin lxd plugdev sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 05/24/2012
  dmi.bios.vendor: LENOVO
  dmi.bios.version: G2ET31WW (1.11 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 2320CTO
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvrG2ET31WW(1.11):bd05/24/2012:svnLENOVO:pn2320CTO:pvrThinkPadX230:rvnLENOVO:rn2320CTO:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 2320CTO
  dmi.product.version: ThinkPad X230
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558120/+subscriptions


References