bisecting fixing commit since daefdc9eb24bfa11ab77a4b2a9c3923f1051fe0b
building syzkaller on f80ce148aeb891e3335fb38ed9b48b005ca76529
testing commit daefdc9eb24bfa11ab77a4b2a9c3923f1051fe0b with gcc (GCC) 8.1.0
kernel signature: 287881cda9b25badae52613c1219d53c12f006e5db9e550b2c46f9baedafcc6e
run #0: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
run #1: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
run #2: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
run #3: crashed: KASAN: use-after-free Read in squashfs_get_id
run #4: crashed: KASAN: use-after-free Read in squashfs_get_id
run #5: crashed: KASAN: use-after-free Read in squashfs_get_id
run #6: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
run #7: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
run #8: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
run #9: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
testing current HEAD 4143d798313fffa39f05bf24dd560ace42225c26
testing commit 4143d798313fffa39f05bf24dd560ace42225c26 with gcc (GCC) 8.1.0
kernel signature: dcae7d2aca4f0c1250a4cc263df9a7d3f872ab91df8939db0408223f8fba98f8
run #0: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
run #1: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
run #2: crashed: KASAN: use-after-free Read in squashfs_get_id
run #3: crashed: KASAN: use-after-free Read in squashfs_get_id
run #4: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
run #5: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
run #6: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
run #7: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
run #8: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
run #9: crashed: KASAN: use-after-free Read in squashfs_get_id
revisions tested: 2, total time: 24m16.799456311s (build: 17m50.612018035s, test: 5m52.856613947s)
the crash still happens on HEAD
commit msg: Linux 4.19.165
crash: KASAN: use-after-free Read in squashfs_get_id

wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
SQUASHFS error: Unable to read inode 0x99001a
==================================================================
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
BUG: KASAN: use-after-free in squashfs_get_id+0x1bf/0x200 fs/squashfs/id.c:51
Read of size 8 at addr ffff8880a342ebc0 by task syz-executor.5/9987

CPU: 0 PID: 9987 Comm: syz-executor.5 Not tainted 4.19.165-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x17c/0x22a lib/dump_stack.c:118
 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x307 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 squashfs_get_id+0x1bf/0x200 fs/squashfs/id.c:51
 squashfs_new_inode fs/squashfs/inode.c:64 [inline]
 squashfs_read_inode+0x1de/0x1cf0 fs/squashfs/inode.c:133
 squashfs_fill_super+0x135d/0x1a20 fs/squashfs/super.c:318
 mount_bdev+0x26f/0x330 fs/super.c:1158
 squashfs_mount+0x10/0x20 fs/squashfs/super.c:404
 mount_fs+0x7f/0x2a2 fs/super.c:1261
 vfs_kern_mount.part.11+0x58/0x3d0 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2469 [inline]
 do_mount+0x376/0x2710 fs/namespace.c:2799
 ksys_mount+0xba/0xe0 fs/namespace.c:3015
 __do_sys_mount fs/namespace.c:3029 [inline]
 __se_sys_mount fs/namespace.c:3026 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3026
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x460b4a
Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad 89 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8a 89 fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007f9a9f888a78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f9a9f888b10 RCX: 0000000000460b4a
RDX: 0000000020000000 RSI: 00000000200000c0 RDI: 00007f9a9f888ad0
RBP: 00007f9a9f888ad0 R08: 00007f9a9f888b10 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
R13: 00000000200000c0 R14: 0000000020000200 R15: 0000000020010200

Allocated by task 188:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538
 kmem_cache_alloc_trace+0x152/0x3a0 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 aa_alloc_task_ctx security/apparmor/include/task.h:47 [inline]
 apparmor_task_alloc+0x46/0x2a0 security/apparmor/lsm.c:100
 security_task_alloc+0x42/0x80 security/security.c:987
 copy_process.part.2+0x1ac7/0x78e0 kernel/fork.c:1898
 copy_process kernel/fork.c:1722 [inline]
 _do_fork+0x166/0xc30 kernel/fork.c:2228
 kernel_thread+0x24/0x30 kernel/fork.c:2287
 call_usermodehelper_exec_work+0x186/0x200 kernel/umh.c:199
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2155
 worker_thread+0x85/0xb60 kernel/workqueue.c:2298
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Freed by task 8485:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x13c/0x220 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcf/0x220 mm/slab.c:3822
 kzfree+0x26/0x30 mm/slab_common.c:1574
 aa_free_task_ctx security/apparmor/include/task.h:61 [inline]
 apparmor_task_free+0xdf/0x160 security/apparmor/lsm.c:93
 security_task_free+0x3a/0x70 security/security.c:992
 __put_task_struct+0xc9/0x2d0 kernel/fork.c:688
 put_task_struct include/linux/sched/task.h:98 [inline]
 delayed_put_task_struct+0x145/0x220 kernel/exit.c:181
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0x93a/0x19b0 kernel/rcu/tree.c:2881
 __do_softirq+0x25e/0x92d kernel/softirq.c:292

The buggy address belongs to the object at ffff8880a342ebc0
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
 32-byte region [ffff8880a342ebc0, ffff8880a342ebe0)
The buggy address belongs to the page:
page:ffffea00028d0b80 count:1 mapcount:0 mapping:ffff88813bff61c0 index:0xffff8880a342efc1
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea00029234c8 ffffea0002ca1908 ffff88813bff61c0
raw: ffff8880a342efc1 ffff8880a342e000 000000010000003f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a342ea80: 06 fc fc fc fc fc fc fc 06 fc fc fc fc fc fc fc
 ffff8880a342eb00: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
>ffff8880a342eb80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
                                           ^
 ffff8880a342ec00: 00 07 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8880a342ec80: 05 fc fc fc fc fc fc fc 05 fc fc fc fc fc fc fc
==================================================================
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
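The "Memory state around the buggy address" block is the part of a KASAN report that lets you confirm the verdict without trusting the headline. The script below is an added triage helper, not part of the syzbot report or of the kernel; it assumes the generic KASAN shadow encoding used by Linux 4.19 (one shadow byte per 8-byte granule; 0x00 means the whole granule is addressable, 0x01..0x07 means only that many leading bytes are, 0xfb is KASAN_KMALLOC_FREE, 0xfc is KASAN_KMALLOC_REDZONE, and so on per mm/kasan/kasan.h) and takes the five shadow rows from this report as constructed input. Walking the granules touched by the reported 8-byte read at ffff8880a342ebc0 lands on 0xfb, i.e. a freed kmalloc object, which is what the "use-after-free" classification means; the four 0xfb bytes followed by 0xfc show a 32-byte object bounded by redzone, matching the kmalloc-32 cache named above. The same walk would return KASAN_KMALLOC_REDZONE for a read that runs past the object, which is the state behind the "slab-out-of-bounds" verdicts in the bisection runs.

```python
"""Decode the 'Memory state around the buggy address' rows of a generic KASAN
report (Linux 4.19 shadow encoding) and classify a given access.

Added example for triage; not code from the syzbot report or the kernel tree.
"""

SHADOW_SCALE_SHIFT = 3                  # generic KASAN: 1 shadow byte per 8 bytes
SHADOW_GRANULE = 1 << SHADOW_SCALE_SHIFT

# Special shadow values as defined by generic KASAN in 4.19 (mm/kasan/kasan.h).
SPECIAL = {
    0xFF: "KASAN_FREE_PAGE",
    0xFE: "KASAN_PAGE_REDZONE",
    0xFC: "KASAN_KMALLOC_REDZONE",
    0xFB: "KASAN_KMALLOC_FREE",
    0xFA: "KASAN_GLOBAL_REDZONE",
    0xF1: "KASAN_STACK_LEFT",
    0xF2: "KASAN_STACK_MID",
    0xF3: "KASAN_STACK_RIGHT",
    0xF4: "KASAN_STACK_PARTIAL",
    0xF8: "KASAN_USE_AFTER_SCOPE",
}

# Constructed input: the shadow rows copied from the report above, including the
# '>' row marker and the '^' column marker that KASAN prints under the access.
MEMORY_STATE = """\
 ffff8880a342ea80: 06 fc fc fc fc fc fc fc 06 fc fc fc fc fc fc fc
 ffff8880a342eb00: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
>ffff8880a342eb80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
                                           ^
 ffff8880a342ec00: 00 07 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8880a342ec80: 05 fc fc fc fc fc fc fc 05 fc fc fc fc fc fc fc
"""


def parse_memory_state(text):
    """Map the start address of every 8-byte granule in the dump to its shadow byte."""
    shadow = {}
    for line in text.splitlines():
        line = line.strip().lstrip(">").strip()
        if ":" not in line:             # blank line or the '^' marker line
            continue
        addr_s, _, bytes_s = line.partition(":")
        base = int(addr_s, 16)          # each row covers 16 granules = 128 bytes
        for i, b in enumerate(bytes_s.split()):
            shadow[base + i * SHADOW_GRANULE] = int(b, 16)
    return shadow


def object_shadow(text, start, size):
    """Shadow bytes covering [start, start+size); a live object reads as all zeros,
    a freed kmalloc object as all 0xfb."""
    shadow = parse_memory_state(text)
    return [shadow[g] for g in range(start, start + size, SHADOW_GRANULE)]


def describe_access(text, addr, size):
    """Walk the granules an access of `size` bytes at `addr` touches, exactly as the
    KASAN check does, and return (shadow_byte, description) for the first granule
    that does not fully cover the access, or (0, "accessible")."""
    shadow = parse_memory_state(text)
    first = addr & ~(SHADOW_GRANULE - 1)
    last = (addr + size - 1) & ~(SHADOW_GRANULE - 1)
    for granule in range(first, last + 1, SHADOW_GRANULE):
        value = shadow[granule]         # KeyError: dump does not cover this address
        if value == 0:
            continue
        if 1 <= value < SHADOW_GRANULE:
            # Partial granule: only the first `value` bytes are addressable.
            end = min(addr + size, granule + SHADOW_GRANULE)
            if end - granule <= value:
                continue
            return value, "partially accessible: only first %d bytes valid" % value
        return value, SPECIAL.get(value, "unknown shadow value 0x%02x" % value)
    return 0, "accessible"


if __name__ == "__main__":
    # The access from the report header: "Read of size 8 at addr ffff8880a342ebc0".
    addr, size = 0xffff8880a342ebc0, 8
    value, what = describe_access(MEMORY_STATE, addr, size)
    print("read of %d at %#x -> shadow 0x%02x (%s)" % (size, addr, value, what))
    print("32-byte object shadow:", ["0x%02x" % v for v in object_shadow(MEMORY_STATE, addr, 32)])
```

Run it against any KASAN report by pasting the shadow rows into MEMORY_STATE and the "Read/Write of size N at addr" values into the call; a KeyError means the access lies outside the rows KASAN printed, which happens for wild pointers rather than slab misuse.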