Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux.git loopfs_v1

commit ddeb155090598eeea4a577770cb7984e20952682
Author:     Christian Brauner
AuthorDate: Fri Apr 3 10:47:31 2020 +0200
Commit:     Christian Brauner
CommitDate: Wed Apr 8 15:11:36 2020 +0200

    kernfs: handle multiple namespace tags

    Since [1] kernfs supports namespace tags. This feature is essential to
    enable sysfs to present different views of on various parts depending
    on the namespace tag. For example, the /sys/class/net/ directory will
    only show network devices that belong to the network namespace that
    sysfs was mounted in. This is achieved by stashing a reference to the
    network namespace of the task mounting sysfs in the super block. And
    when a lookup operation is performed on e.g. /sys/class/net/ kernfs
    will compare the network namespace tag of the kernfs_node associated
    with the device and kobject of the network device to the network
    namespace of the network device. This ensures that only network
    devices owned by the network namespace sysfs was mounted in are shown,
    a feature which is essential to containers.

    For loopfs to show correct permissions in sysfs just as with network
    devices we need to be able to tag kernfs_super_info with additional
    namespaces. This extension was even already mentioned in a comment to
    struct kernfs_super_info:

      /*
       * Each sb is associated with one namespace tag, currently the
       * network namespace of the task which mounted this kernfs
       * instance. If multiple tags become necessary, make the following
       * an array and compare kernfs_node tag against every entry.
       */

    This patch extends the kernfs_super_info and kernfs_fs_context ns
    pointers to fixed-size arrays of namespace tags. The size is taken
    from the namespaces currently supported by kobjects, i.e. we don't
    extend it to cover all namespace but only the ones kernfs needs to
    support.

    In addition, the kernfs_node struct gains an additional member that
    indicates the type of namespace this kernfs_node was tagged with. This
    allows us to simply retrieve the correct namespace tag from the
    kernfs_fs_context and kernfs_super_info ns array with a simple
    indexing operation. This has the advantage that we can just keep
    passing down the correct namespace instead of passing down the array.

    [1]: 608b4b9548de ("netns: Teach network device kobjects which namespace they are in.")
    Cc: Tejun Heo
    Cc: Greg Kroah-Hartman
    Signed-off-by: Christian Brauner

8789904e88  loop: use ns_capable for some loop operations
ddeb155090  kernfs: handle multiple namespace tags
e3796aa0eb  loopfs: only show devices in their correct instance

+-------------------------------+------------+------------+------------+
|                               | 8789904e88 | ddeb155090 | e3796aa0eb |
+-------------------------------+------------+------------+------------+
| boot_successes                | 32         | 6          | 0          |
| boot_failures                 | 1          | 11         | 1          |
| BUG:kernel_hang_in_boot_stage | 1          | 1          |            |
| BUG:KASAN:use-after-free_in_s | 0          | 10         | 1          |
+-------------------------------+------------+------------+------------+

If you fix the issue, kindly add following tag
Reported-by: kernel test robot

Sending all processes the KILL signal...
Unmounting remote filesystems...
Deactivating swap...
Unmounting local filesystems...
[ 125.090607] ==================================================================
[ 125.094839] BUG: KASAN: use-after-free in sysfs_kill_sb+0x3b/0x60
[ 125.095755] Read of size 8 at addr ffff8881ea1e4458 by task umount/1194
[ 125.096536]
[ 125.096740] CPU: 0 PID: 1194 Comm: umount Not tainted 5.6.0-00004-gddeb155090598 #1
[ 125.097610] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 125.098586] Call Trace:
[ 125.099109] dump_stack+0x23/0x3a
[ 125.099542] print_address_description+0x2d/0x7d0
[ 125.100221] ? sysfs_kill_sb+0x3b/0x60
[ 125.100670] ? sysfs_kill_sb+0x3b/0x60
[ 125.101128] __kasan_report+0x2da/0x3f9
[ 125.101593] ? sysfs_kill_sb+0x3b/0x60
[ 125.102067] kasan_report+0x1e/0x40
[ 125.102498] __asan_load8+0xcc/0x130
[ 125.102924] sysfs_kill_sb+0x3b/0x60
[ 125.103354] deactivate_locked_super+0xa7/0x100
[ 125.103903] deactivate_super+0x236/0x250
[ 125.104395] ? sget_fc+0x760/0x760
[ 125.104829] ? dput+0x129/0x8e0
[ 125.105266] cleanup_mnt+0x25b/0x300
[ 125.105750] __cleanup_mnt+0x16/0x20
[ 125.106436] task_work_run+0x1b5/0x230
[ 125.106904] prepare_exit_to_usermode+0x741/0x7a0
[ 125.107465] do_syscall_64+0x18d/0xb90
[ 125.108083] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 125.108684] RIP: 0033:0x7f8bea4d9be7
[ 125.109110] Code: c2 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 79 c2 0b 00 f7 d8 64 89 01 48
[ 125.111214] RSP: 002b:00007ffc24027a78 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
[ 125.112078] RAX: 0000000000000000 RBX: 000056192f10dca0 RCX: 00007f8bea4d9be7
[ 125.112916] RDX: 000056192f10da00 RSI: 0000000000000001 RDI: 000056192f10d9a0
[ 125.113768] RBP: 000056192f10d960 R08: 000000000000000f R09: 000056192f10dca0
[ 125.114617] R10: 0000000000000000 R11: 0000000000000206 R12: 000056192f10d9a0
[ 125.115487] R13: 00007ffc24027ca8 R14: 0000000000000000 R15: 000056192f10d9a0
[ 125.116365]
[ 125.116591] Allocated by task 217:
[ 125.117018] save_stack+0x21/0xf0
[ 125.117424] __kasan_kmalloc+0x10a/0x190
[ 125.118023] kasan_kmalloc+0xd/0x20
[ 125.118423] kmem_cache_alloc_trace+0x2db/0x520
[ 125.118956] kzalloc+0x8d/0xa0
[ 125.119443] kernfs_get_tree+0x36/0x560
[ 125.119895] sysfs_get_tree+0x29/0xf0
[ 125.120324] vfs_get_tree+0x89/0x360
[ 125.120743] do_new_mount+0x3d5/0x710
[ 125.121184] do_mount+0x1059/0x1820
[ 125.121608] __x64_sys_mount+0x187/0x260
[ 125.122088] do_syscall_64+0xc1/0xb90
[ 125.122550] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 125.123167]
[ 125.123371] Freed by task 1194:
[ 125.123775] save_stack+0x21/0xf0
[ 125.124195] __kasan_slab_free+0x2c2/0x380
[ 125.124704] kasan_slab_free+0x12/0x20
[ 125.125175] slab_free_freelist_hook+0xea/0x360
[ 125.125745] kfree+0x1cc/0x700
[ 125.126136] kernfs_kill_sb+0xba/0xd0
[ 125.126593] sysfs_kill_sb+0x2a/0x60
[ 125.127040] deactivate_locked_super+0xa7/0x100
[ 125.127618] deactivate_super+0x236/0x250
[ 125.128069] cleanup_mnt+0x25b/0x300
[ 125.128472] __cleanup_mnt+0x16/0x20
[ 125.128880] task_work_run+0x1b5/0x230
[ 125.129322] prepare_exit_to_usermode+0x741/0x7a0
[ 125.129856] do_syscall_64+0x18d/0xb90
[ 125.130325] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 125.130910]
[ 125.131126] The buggy address belongs to the object at ffff8881ea1e4440
[ 125.131126] which belongs to the cache kmalloc-64 of size 64
[ 125.132629] The buggy address is located 24 bytes inside of

# HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start 3deedcee02871a081abc26dc6896403b00c45d8c 8f3d9f354286745c751374f5f1fcafee6b3f3136 --
git bisect good b0d1392c9f05d3ff4d9ae37186efeeb2f1029e39 # 16:49 G 10 0 0 0 Merge 'chrome-platform-linux/chrome-platform-5.7-fixes' into devel-catchup-202004140116
git bisect bad 05d3af6e61b781f53ec231fa4f8a228ef4a8cb86 # 18:19 B 0 1 17 0 Merge 'krzk-github/for-next/sound-asoc-s3c-i2s-fix' into devel-catchup-202004140116
git bisect bad 99e96487c43a2878be14a22cf7658e5738e48041 # 19:06 B 0 1 17 0 Merge 'cgroup/iocost-delay-latency-v2' into devel-catchup-202004140116
git bisect bad 57bc6818111f66129275b70b2f469fc1587b1a18 # 20:52 B 0 1 17 0 Merge 'brauner/loopfs_v1' into devel-catchup-202004140116
git bisect bad ddeb155090598eeea4a577770cb7984e20952682 # 07:10 B 0 1 17 0 kernfs: handle multiple namespace tags
git bisect good 36eb087fffce637de710a065ce6ccf9d7b83d08a # 14:58 G 11 0 0 0 loopfs: implement loopfs
git bisect good 8789904e88ee09e7b18a6ee424109205b23df79f # 21:48 G 10 0 0 0 loop: use ns_capable for some loop operations
# first bad commit: [ddeb155090598eeea4a577770cb7984e20952682] kernfs: handle multiple namespace tags
git bisect good 8789904e88ee09e7b18a6ee424109205b23df79f # 22:46 G 30 0 0 0 loop: use ns_capable for some loop operations
# extra tests with debug options
git bisect bad ddeb155090598eeea4a577770cb7984e20952682 # 00:02 B 0 1 17 0 kernfs: handle multiple namespace tags
# extra tests on head commit of brauner/loopfs_v1
git bisect bad e3796aa0ebdf297c4a3273c64aed421530d8a1e3 # 01:05 B 0 1 17 0 loopfs: only show devices in their correct instance
# bad: [e3796aa0ebdf297c4a3273c64aed421530d8a1e3] loopfs: only show devices in their correct instance

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/lkp(a)lists.01.org
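
Added triage example, not part of the robot's report or of the kernel tree: a short Python parser that reads the KASAN splat above and checks whether the free and the faulting read happened sequentially in the same task and function, which points at a teardown ordering bug rather than a race. The names parse_kasan and classify are hypothetical, and the offset comparison is a heuristic that assumes the compiler kept the function's code in source order.

```python
import re

# Excerpt copied from the report above (timestamps stripped, stacks shortened).
REPORT = """\
BUG: KASAN: use-after-free in sysfs_kill_sb+0x3b/0x60
Read of size 8 at addr ffff8881ea1e4458 by task umount/1194
Allocated by task 217:
 kzalloc+0x8d/0xa0
 kernfs_get_tree+0x36/0x560
Freed by task 1194:
 kfree+0x1cc/0x700
 kernfs_kill_sb+0xba/0xd0
 sysfs_kill_sb+0x2a/0x60
The buggy address belongs to the object at ffff8881ea1e4440
"""

def parse_kasan(text):
    """Return access site, tasks, offset into the object, alloc/free stacks."""
    rep = {"alloc": [], "free": []}
    section = None
    for line in text.splitlines():
        line = re.sub(r"^\[\s*[\d.]+\]\s?", "", line)  # drop dmesg timestamp
        if m := re.search(r"BUG: KASAN: (\S+) in (\w+)\+0x([0-9a-f]+)", line):
            rep["kind"], rep["func"], rep["off"] = m[1], m[2], int(m[3], 16)
        elif m := re.search(r"of size \d+ at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            rep["addr"], rep["task"] = int(m[1], 16), int(m[2])
        elif m := re.search(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc" if m[1] == "Allocated" else "free"
            rep[section + "_task"] = int(m[2])
        elif m := re.search(r"object at ([0-9a-f]+)", line):
            rep["obj_off"] = rep["addr"] - int(m[1], 16)
            section = None
        elif section and (m := re.match(r"\s*(\w+)\+0x([0-9a-f]+)/", line)):
            rep[section].append((m[1], int(m[2], 16)))
    return rep

def classify(rep):
    """Sequential free-then-use: the faulting function is itself on the free
    stack, in the same task, and its call into the free path returns at a
    lower offset than the faulting access."""
    frees = [off for fn, off in rep["free"] if fn == rep["func"]]
    same_task = rep.get("free_task") == rep.get("task")
    if same_task and frees and min(frees) < rep["off"]:
        return "sequential free-then-use in " + rep["func"]
    return "possible race or indirect lifetime bug"
```

On this report the parser recovers the same 24-byte offset KASAN prints, and the classification follows from sysfs_kill_sb+0x2a in the free stack preceding the read at sysfs_kill_sb+0x3b in task 1194.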