Warning: Permanently added '10.128.0.97' (ED25519) to the list of known hosts.
executing program
syzkaller login: [   42.991412][ T4297] loop0: detected capacity change from 0 to 32768
[   43.002345][ T4297] ==================================================================
[   43.004142][ T4297] BUG: KASAN: use-after-free in diWrite+0xb48/0x15cc
[   43.005692][ T4297] Write of size 32 at addr ffff0000d4a090c0 by task syz-executor248/4297
[   43.007624][ T4297]
[   43.008113][ T4297] CPU: 1 PID: 4297 Comm: syz-executor248 Not tainted 6.1.128-syzkaller #0
[   43.009983][ T4297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[   43.012245][ T4297] Call trace:
[   43.012960][ T4297]  dump_backtrace+0x1c8/0x1f4
[   43.014027][ T4297]  show_stack+0x2c/0x3c
[   43.014986][ T4297]  dump_stack_lvl+0x108/0x170
[   43.016021][ T4297]  print_report+0x174/0x4c0
[   43.017041][ T4297]  kasan_report+0xd4/0x130
[   43.018082][ T4297]  kasan_check_range+0x264/0x2a4
[   43.019206][ T4297]  memcpy+0x60/0x90
[   43.020053][ T4297]  diWrite+0xb48/0x15cc
[   43.020961][ T4297]  txCommit+0x750/0x5574
[   43.021927][ T4297]  add_missing_indices+0x760/0xa8c
[   43.023057][ T4297]  jfs_readdir+0x18ac/0x3030
[   43.024090][ T4297]  iterate_dir+0x1f4/0x4ec
[   43.025044][ T4297]  __arm64_sys_getdents64+0x1c4/0x4a0
[   43.026258][ T4297]  invoke_syscall+0x98/0x2bc
[   43.027295][ T4297]  el0_svc_common+0x138/0x258
[   43.028341][ T4297]  do_el0_svc+0x58/0x13c
[   43.029281][ T4297]  el0_svc+0x58/0x168
[   43.030207][ T4297]  el0t_64_sync_handler+0x84/0xf0
[   43.031355][ T4297]  el0t_64_sync+0x18c/0x190
[   43.032363][ T4297]
[   43.032866][ T4297] Allocated by task 4281:
[   43.033797][ T4297]  kasan_set_track+0x4c/0x80
[   43.034833][ T4297]  kasan_save_alloc_info+0x24/0x30
[   43.035970][ T4297]  __kasan_slab_alloc+0x74/0x8c
[   43.037131][ T4297]  slab_post_alloc_hook+0x74/0x458
[   43.038278][ T4297]  kmem_cache_alloc_bulk+0x430/0x4fc
[   43.039464][ T4297]  napi_skb_cache_get+0x12c/0x1e8
[   43.040574][ T4297]  __napi_build_skb+0x28/0x310
[   43.041597][ T4297]  __napi_alloc_skb+0x1f8/0x4e4
[   43.042682][ T4297]  napi_get_frags+0x78/0x148
[   43.043712][ T4297]  gve_rx_poll+0x1158/0x2bbc
[   43.044756][ T4297]  gve_napi_poll+0xd4/0x2ac
[   43.045761][ T4297]  __napi_poll+0xb4/0x3f0
[   43.046784][ T4297]  net_rx_action+0x5cc/0xd3c
[   43.047806][ T4297]  handle_softirqs+0x318/0xd58
[   43.048843][ T4297]  __do_softirq+0x14/0x20
[   43.049781][ T4297]
[   43.050275][ T4297] Freed by task 4281:
[   43.051207][ T4297]  kasan_set_track+0x4c/0x80
[   43.052221][ T4297]  kasan_save_free_info+0x38/0x5c
[   43.053317][ T4297]  ____kasan_slab_free+0x144/0x1c0
[   43.054460][ T4297]  __kasan_slab_free+0x18/0x28
[   43.055486][ T4297]  kmem_cache_free+0x2f0/0x588
[   43.056534][ T4297]  kfree_skbmem+0x10c/0x19c
[   43.057575][ T4297]  skb_attempt_defer_free+0x274/0x41c
[   43.058782][ T4297]  tcp_recvmsg_locked+0xdd4/0x1ce4
[   43.059926][ T4297]  tcp_recvmsg+0x1dc/0x714
[   43.060901][ T4297]  inet_recvmsg+0x124/0x210
[   43.061893][ T4297]  sock_read_iter+0x2dc/0x3d4
[   43.062952][ T4297]  vfs_read+0x5bc/0x8b4
[   43.063923][ T4297]  ksys_read+0x15c/0x26c
[   43.064878][ T4297]  __arm64_sys_read+0x7c/0x90
[   43.065905][ T4297]  invoke_syscall+0x98/0x2bc
[   43.066920][ T4297]  el0_svc_common+0x138/0x258
[   43.067954][ T4297]  do_el0_svc+0x58/0x13c
[   43.068905][ T4297]  el0_svc+0x58/0x168
[   43.069777][ T4297]  el0t_64_sync_handler+0x84/0xf0
[   43.070914][ T4297]  el0t_64_sync+0x18c/0x190
[   43.071914][ T4297]
[   43.072425][ T4297] The buggy address belongs to the object at ffff0000d4a09000
[   43.072425][ T4297]  which belongs to the cache skbuff_head_cache of size 240
[   43.075629][ T4297] The buggy address is located 192 bytes inside of
[   43.075629][ T4297]  240-byte region [ffff0000d4a09000, ffff0000d4a090f0)
[   43.078613][ T4297]
[   43.079187][ T4297] The buggy address belongs to the physical page:
[   43.080630][ T4297] page:00000000dbcb1846 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x114a09
[   43.082879][ T4297] flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
[   43.084633][ T4297] raw: 05ffc00000000200 0000000000000000 dead000000000122 ffff0000c086c000
[   43.086542][ T4297] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[   43.088414][ T4297] page dumped because: kasan: bad access detected
[   43.089805][ T4297]
[   43.090302][ T4297] Memory state around the buggy address:
[   43.091593][ T4297]  ffff0000d4a08f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   43.093331][ T4297]  ffff0000d4a09000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.095127][ T4297] >ffff0000d4a09080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   43.096978][ T4297]                                            ^
[   43.098341][ T4297]  ffff0000d4a09100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   43.100120][ T4297]  ffff0000d4a09180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.101895][ T4297] ==================================================================
[   43.104464][ T4297] Disabling lock debugging due to kernel taint
[   43.105985][ T4297] ERROR: (device loop0): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 0
[   43.105985][ T4297]
[   43.108577][ T4297] ERROR: (device loop0): remounting filesystem as read-only
executing program
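Triage helper for the report above, written for this page as an added example (it is not part of syzbot's or the kernel's tooling). It parses the KASAN header and the "Memory state around the buggy address" dump, maps each shadow byte to the meaning KASAN documents for generic mode in mm/kasan/kasan.h (one shadow byte per 8-byte granule: 00 addressable, 01-07 partially addressable, fa/fb freed slab object, fc slab redzone), and checks that the reported access is consistent with the shadow map. The input text is copied from the report on this page; the function and variable names are the example's own.

```python
"""Decode a generic-KASAN report: which granules does the access touch,
and what state does the shadow map say they are in? Added example; the
shadow values follow mm/kasan/kasan.h for generic (software) KASAN."""
import re

# Generic KASAN shadow-byte encodings. One shadow byte describes one
# 8-byte granule of kernel memory.
SHADOW_MEANING = {
    0x00: "addressable",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xf8: "vmalloc invalid / out of scope",
    0xf9: "global redzone",
    0xfa: "freed slab object (first granule, also holds free-track metadata)",
    0xfb: "freed slab object",
    0xfc: "slab redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}

def shadow_meaning(b: int) -> str:
    if 1 <= b <= 7:
        return f"partially addressable (first {b} bytes of granule valid)"
    return SHADOW_MEANING.get(b, f"unknown shadow value 0x{b:02x}")

# Constructed input: the relevant lines of the syzbot report above.
REPORT = """\
[   43.004142][ T4297] BUG: KASAN: use-after-free in diWrite+0xb48/0x15cc
[   43.005692][ T4297] Write of size 32 at addr ffff0000d4a090c0 by task syz-executor248/4297
[   43.072425][ T4297] The buggy address belongs to the object at ffff0000d4a09000
[   43.072425][ T4297]  which belongs to the cache skbuff_head_cache of size 240
[   43.075629][ T4297] The buggy address is located 192 bytes inside of
[   43.075629][ T4297]  240-byte region [ffff0000d4a09000, ffff0000d4a090f0)
[   43.090302][ T4297] Memory state around the buggy address:
[   43.091593][ T4297]  ffff0000d4a08f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   43.093331][ T4297]  ffff0000d4a09000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.095127][ T4297] >ffff0000d4a09080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   43.096978][ T4297]                                            ^
[   43.098341][ T4297]  ffff0000d4a09100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   43.100120][ T4297]  ffff0000d4a09180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")          # dmesg "[ts][task]" prefix
SHADOW_LINE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})\s*$")

def parse_report(text: str) -> dict:
    """Pull the access, the owning slab object and the shadow dump out of a report."""
    info = {"shadow": {}}            # granule base address -> shadow byte
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        m = re.match(r"BUG: KASAN: (\S+) in (\S+)", line)
        if m:
            info["bug"], info["site"] = m.group(1), m.group(2)
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line)
        if m:
            info["access"], info["size"], info["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
        m = re.search(r"belongs to the object at ([0-9a-f]+)", line)
        if m:
            info["obj_base"] = int(m.group(1), 16)
        m = re.search(r"belongs to the cache (\S+) of size (\d+)", line)
        if m:
            info["cache"], info["obj_size"] = m.group(1), int(m.group(2))
        m = re.search(r"is located (\d+) bytes inside of", line)
        if m:
            info["reported_offset"] = int(m.group(1))
        m = SHADOW_LINE.match(line)
        if m:
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                info["shadow"][base + 8 * i] = int(tok, 16)
    return info

def shadow_at(info: dict, addr: int) -> int:
    """Shadow byte of the 8-byte granule containing addr."""
    return info["shadow"][addr & ~7]

def classify_access(info: dict) -> dict:
    """Offset of the access inside its object, and the state of every granule it touches."""
    start, end = info["addr"], info["addr"] + info["size"]
    granules = range(start & ~7, end, 8)        # granule bases covered by [start, end)
    offset = start - info["obj_base"]
    return {
        "offset": offset,
        "matches_report": info.get("reported_offset") == offset,
        "within_object": end <= info["obj_base"] + info["obj_size"],
        "granules": [(g, shadow_meaning(shadow_at(info, g))) for g in granules],
    }

if __name__ == "__main__":
    info = parse_report(REPORT)
    res = classify_access(info)
    print(f"{info['bug']} in {info['site']}: {info['access']} of {info['size']} bytes "
          f"at offset {res['offset']} of a {info['obj_size']}-byte {info['cache']} object")
    for g, meaning in res["granules"]:
        print(f"  {g:#x}: {meaning}")
```

For this report the decoder confirms what the text of the report states: the 32-byte memcpy in diWrite lands at offset 192 of a 240-byte skbuff_head_cache object, all four granules it touches are marked fb (freed slab object), and the write stays inside the object, so it is a use of freed memory rather than an overflow into the fc redzone that starts at offset 240. The caveat a triager should keep in mind is that the "Allocated by" and "Freed by" stacks describe the last occupant of that slab slot, which here is an sk_buff allocated on the gve NAPI receive path and freed from tcp_recvmsg by task 4281, not anything JFS allocated; they tell you where the memory went, not where JFS obtained the pointer it writes through. The origin has to be traced on the JFS side, in the getdents64 path (jfs_readdir, add_missing_indices, txCommit, diWrite) operating on the mounted loop0 image.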