AppArmor changehat regression in 3.13.0-2.17-generic

Bug #1268727 reported by Tyler Hicks
Affects | Status | Importance | Assigned to | Milestone
linux (Ubuntu) | Fix Released | High | John Johansen |
Trusty | Fix Released | High | John Johansen |

Bug Description

Running the changehat_misc.sh AppArmor regression test results in a kernel paging request bug.

$ apt-get source apparmor
$ cd apparmor-2.8.0/tests/regression/apparmor/
$ make all
$ sudo VERBOSE=1 bash changehat_misc.sh
ok: NO CHANGEHAT (access parent file)
ok: NO CHANGEHAT (access sub file)
ok: CHANGEHAT (access parent file)
ok: CHANGEHAT (access sub file)
ok: FORK BETWEEN CHANGEHATS (access parent file)
ok: FORK BETWEEN CHANGEHATS (access sub file)
ok: CHANGEHAT (subprofile->subprofile)

*** A 'Killed' message from bash is expected for the following test
/home/tyhicks/apparmor-2.8.0/tests/regression/apparmor/prologue.inc: line 176: 5394 Killed $testexec "$@" > $outfile 2>&1
ok: CHANGEHAT (subprofile->subprofile w/ bad magic)
ok: CHANGEHAT (bad subprofile)

*** A 'Killed' message from bash is expected for the following test
Error: changehat_fail failed. Test 'CHANGEHAT (bad token)' was expected to 'signal9'. Reason for failure 'FAIL: changehat sub failed - Permission denied'
ok: CHANGEHAT (noexit subprofile (token=0))
ok: CHANGEHAT (exit noexit subprofile (token=0))
ok: CHANGEHAT (subprofile/write to /proc/attr/current)
ok: CHANGEHAT (exit subprofile/write to /proc/attr/current)
ok: CHANGEHAT (noexit subprofile/write 0 to /proc/attr/current)
ok: CHANGEHAT (noexit subprofile/write 00000000 to /proc/attr/current)
ok: CHANGEHAT (noexit subprofile/write "" to /proc/attr/current)
ok: CHANGEHAT (exit of noexit subprofile/write 0 to /proc/attr/current)
ok: CHANGEHAT (exit of noexit subprofile/write 00000000 to /proc/attr/current)
ok: CHANGEHAT (exit of noexit subprofile/write "" to /proc/attr/current)
ok: CHANGEHAT PTHREAD (access parent file)
ok: CHANGEHAT PTHREAD (access sub file)

The "CHANGEHAT (bad token)" test is the sub-test that triggers the issue. In the output pasted above, the test fails. I've seen the test pass and I've also seen it make my testing VM unresponsive. In this instance, the following output was printed to kern.log:

BUG: unable to handle kernel paging request at 0000002fbead7d08
IP: [<ffffffff8170cebe>] _raw_spin_lock+0xe/0x50
PGD 3abf3067 PUD 0
Oops: 0002 [#1] SMP
Modules linked in: parport_pc ppdev rfcomm bnep bluetooth kvm_intel kvm microcode vmwgfx psmouse serio_raw ttm i2c_piix4 pvpanic drm mac_hid lp parport floppy
CPU: 0 PID: 5394 Comm: changehat_twice Not tainted 3.13.0-2-generic #17-Ubuntu
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff880029693000 ti: ffff88002e2ae000 task.ti: ffff88002e2ae000
RIP: 0010:[<ffffffff8170cebe>] [<ffffffff8170cebe>] _raw_spin_lock+0xe/0x50
RSP: 0018:ffff88002e2afb68 EFLAGS: 00010006
RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000
RDX: 0000000000000292 RSI: ffff88002e2afba8 RDI: 0000002fbead7d08
RBP: ffff88002e2afb68 R08: 0000000000000246 R09: ffffffff815f8f57
R10: ffffea0000b892c0 R11: ffff88002e2afa0e R12: ffffffff8130961f
R13: ffff88002e2afba8 R14: 0000002fbead7d08 R15: ffff880031672c30
FS: 00007f959607b740(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000002fbead7d08 CR3: 00000000305cd000 CR4: 00000000000006f0
Stack:
 ffff88002e2afb98 ffffffff81075ee7 ffffffff8130961f 0000000000000009
 0000000000000000 0000000000000000 ffff88002e2afbd0 ffffffff81075f4c
 0000000000000292 ffff88002e2afc08 ffff880031672c00 0000000000000026
Call Trace:
 [<ffffffff81075ee7>] __lock_task_sighand+0x47/0x80
 [<ffffffff8130961f>] ? apparmor_cred_prepare+0x2f/0x50
 [<ffffffff81075f4c>] do_send_sig_info+0x2c/0x80
 [<ffffffff81075fbe>] send_sig_info+0x1e/0x30
 [<ffffffff813023ed>] aa_audit+0x13d/0x190
 [<ffffffff8130c18c>] aa_audit_file+0xbc/0x130
 [<ffffffff8130961f>] ? apparmor_cred_prepare+0x2f/0x50
 [<ffffffff81304c82>] aa_change_hat+0x202/0x530
 [<ffffffff81308f76>] aa_setprocattr_changehat+0x116/0x1d0
 [<ffffffff8130a0cd>] apparmor_setprocattr+0x25d/0x300
 [<ffffffff812cee26>] security_setprocattr+0x16/0x20
 [<ffffffff8121fbf7>] proc_pid_attr_write+0x107/0x130
 [<ffffffff811b7594>] vfs_write+0xb4/0x1f0
 [<ffffffff811b7fc9>] SyS_write+0x49/0xa0
 [<ffffffff81715b3f>] tracesys+0xe1/0xe6
Code: 66 83 07 02 f6 47 02 01 74 e5 0f 1f 00 e8 44 13 ff ff eb db 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 b8 00 00 02 00 <3e> 0f c1 07 89 c2 c1 ea 10 66 39 c2 75 02 5d c3 83 e2 fe 0f b7
RIP [<ffffffff8170cebe>] _raw_spin_lock+0xe/0x50
 RSP <ffff88002e2afb68>
CR2: 0000002fbead7d08
---[ end trace 1858591fdb0528f3 ]---

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: linux-image-3.13.0-2-generic 3.13.0-2.17
ProcVersionSignature: User Name 3.13.0-2.17-generic 3.13.0-rc7
Uname: Linux 3.13.0-2-generic x86_64
ApportVersion: 2.13.1-0ubuntu1
Architecture: amd64
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
Date: Mon Jan 13 12:42:22 2014
HibernationDevice: RESUME=UUID=d9e8eaa6-cec8-41e2-85bf-92b4be437dfe
InstallationDate: Installed on 2013-10-23 (82 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20131021.1)
IwConfig:
 eth0 no wireless extensions.

 lo no wireless extensions.
Lsusb: Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: Bochs Bochs
ProcFB:

ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-2-generic root=UUID=b31fe6e8-ad15-4046-b1a4-681fbcd8b44a ro quiet splash
PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
RelatedPackageVersions:
 linux-restricted-modules-3.13.0-2-generic N/A
 linux-backports-modules-3.13.0-2-generic N/A
 linux-firmware 1.121
RfKill:

SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 01/01/2011
dmi.bios.vendor: Bochs
dmi.bios.version: Bochs
dmi.chassis.type: 1
dmi.chassis.vendor: Bochs
dmi.modalias: dmi:bvnBochs:bvrBochs:bd01/01/2011:svnBochs:pnBochs:pvr:cvnBochs:ct1:cvr:
dmi.product.name: Bochs
dmi.sys.vendor: Bochs
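
A triage sketch for the oops quoted in the description, added here as an example; it is not part of the original report or of the kernel or AppArmor code. It classifies the faulting address, lists the registers that hold it, and names the innermost AppArmor frame. The OOPS text is an excerpt of the kern.log output above; the names `classify` and `triage` and the `aa_`/`apparmor_` prefix filter are assumptions of this example.

```python
import re

# Excerpt of the oops quoted in this report (only the lines the parser needs).
OOPS = """\
BUG: unable to handle kernel paging request at 0000002fbead7d08
IP: [<ffffffff8170cebe>] _raw_spin_lock+0xe/0x50
RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000
RDX: 0000000000000292 RSI: ffff88002e2afba8 RDI: 0000002fbead7d08
R13: ffff88002e2afba8 R14: 0000002fbead7d08 R15: ffff880031672c30
Call Trace:
 [<ffffffff81075ee7>] __lock_task_sighand+0x47/0x80
 [<ffffffff8130961f>] ? apparmor_cred_prepare+0x2f/0x50
 [<ffffffff81075fbe>] send_sig_info+0x1e/0x30
 [<ffffffff813023ed>] aa_audit+0x13d/0x190
 [<ffffffff81304c82>] aa_change_hat+0x202/0x530
CR2: 0000002fbead7d08
"""

def classify(addr):
    """Place a 64-bit address in the x86_64 48-bit virtual address layout."""
    if addr < 0x10000:
        return "null-page"          # NULL plus a small field offset
    if addr <= 0x00007FFFFFFFFFFF:
        return "user-range"         # not a kernel pointer at all
    if addr >= 0xFFFF800000000000:
        return "kernel-range"
    return "non-canonical"

def triage(text, prefixes=("aa_", "apparmor_")):
    cr2 = int(re.search(r"^CR2: ([0-9a-f]{16})", text, re.M).group(1), 16)
    regs = {n: int(v, 16) for n, v in re.findall(r"\b(R[A-Z0-9]{1,2}): ([0-9a-f]{16})", text)}
    # Frames marked "?" are unverified stack leftovers; keep only reliable ones.
    frames = re.findall(r"^\s*\[<[0-9a-f]+>\] (\? )?(\w+)\+0x", text, re.M)
    trace = [sym for unsure, sym in frames if not unsure]
    return {
        "fault_fn": re.search(r"^IP: \[<[0-9a-f]+>\] (\w+)\+", text, re.M).group(1),
        "cr2": cr2,
        "class": classify(cr2),
        # Registers equal to CR2 held the pointer that was dereferenced.
        "regs_at_fault": sorted(r for r, v in regs.items() if v == cr2),
        # A register within a page of CR2 suggests base pointer + field offset.
        "regs_near": sorted(r for r, v in regs.items() if 0 < abs(v - cr2) < 0x1000),
        "owner": next((s for s in trace if s.startswith(prefixes)), None),
        "trace": trace,
    }

if __name__ == "__main__":
    print(triage(OOPS))
```

For this oops the lock address sits in the user-space half of the address space, is held in RDI and R14, and lies 0x808 above RBX, so `_raw_spin_lock` was handed a value that was never a kernel pointer. That is consistent with the "uninitialized lsm_audit" fix named in the changelog below, with `aa_audit` as the innermost AppArmor frame.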

Tyler Hicks (tyhicks) wrote :
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-7.26

---------------
linux (3.13.0-7.26) trusty; urgency=low

  [ John Johansen ]

  * SAUCE: apparmor: fix uninitialized lsm_audit membe
    - LP: #1268727
  * Add config option to optionally enable new apparmor 3 semantics

  [ Tim Gardner ]

  * [Config] Add lowlatency to getabis
  * [Config] CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS=y
    - LP: #1270215
  * Release Tracking Bug
    - LP: #1276810

  [ Upstream Kernel Changes ]

  * x86, x32: Correct invalid use of user timespec in the kernel
    - LP: #1274349
    - CVE-2014-0038
 -- Tim Gardner <email address hidden> Wed, 05 Feb 2014 15:49:44 -0500

Changed in linux (Ubuntu Trusty):
status: Confirmed → Fix Released