syzbot


UBSAN: array-index-out-of-bounds in aiptek_irq

Status: upstream: reported C repro on 2026/06/10 17:51
Bug presence: origin:lts-only
Reported-by: syzbot+d0805b3019c91aa6f802@syzkaller.appspotmail.com
First crash: 5d04h, last: 2d07h
Bug presence (2)

| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2026/06/11 | linux-5.15.y (ToT) | dc027a595035 | C | [report] UBSAN: array-index-out-of-bounds in aiptek_irq |
| 2026/06/11 | upstream (ToT) | 9716c086c8e8 | C | Didn't crash |
Similar bugs (6)

| Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| linux-6.1 | UBSAN: array-index-out-of-bounds in aiptek_irq | 15 | C | | | 17 | 18h52m | 5d03h | 0/3 | upstream: reported C repro on 2026/06/10 19:26 |
| android-6-1 | UBSAN: array-index-out-of-bounds in aiptek_irq origin:upstream | 15 | C | | | 47 | 5h16m | 5d07h | 0/2 | upstream: reported C repro on 2026/06/10 15:23 |
| linux-6.6 | UBSAN: array-index-out-of-bounds in aiptek_irq | 15 | C | | | 14 | 19h07m | 5d02h | 0/2 | upstream: reported C repro on 2026/06/10 20:15 |
| android-6-12 | UBSAN: array-index-out-of-bounds in aiptek_irq origin:lts | 15 | C | | | 107 | 1h11m | 5d09h | 0/1 | premoderation: reported C repro on 2026/06/10 12:41 |
| android-5-15 | UBSAN: array-index-out-of-bounds in aiptek_irq | 15 | C | | | 6 | 2d12h | 4d15h | 0/2 | upstream: reported C repro on 2026/06/11 06:49 |
| android-5-10 | UBSAN: array-index-out-of-bounds in aiptek_irq | 15 | C | | | 15 | 4d14h | 5d09h | 0/2 | upstream: reported C repro on 2026/06/10 13:22 |

Sample crash report:
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 547 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <IRQ>
 dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
 ubsan_epilogue+0xa/0x30 lib/ubsan.c:151
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
 aiptek_irq+0x1eaa/0x28f0 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x35f/0x520 drivers/usb/core/hcd.c:1674
 dummy_timer+0x880/0x30b0 drivers/usb/gadget/udc/dummy_hcd.c:1998
 call_timer_fn+0x17b/0x540 kernel/time/timer.c:1648
 expire_timers kernel/time/timer.c:1699 [inline]
 __run_timers+0x53e/0x800 kernel/time/timer.c:1970
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1983
 handle_softirqs+0x339/0x830 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x13b/0x230 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:default_idle+0xb/0x10 arch/x86/kernel/process.c:730
Code: b7 48 89 df e8 e6 97 f7 f7 eb ad e8 4f af f6 ff 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 00 cc 66 90 0f 00 2d d7 05 5f 00 fb f4 <c3> 0f 1f 40 00 41 57 41 56 53 49 be 00 00 00 00 00 fc ff df 65 48
RSP: 0018:ffffc90000d67d48 EFLAGS: 000002c2
RAX: fbca2809bb9b4700 RBX: ffff888016e98000 RCX: fbca2809bb9b4700
RDX: 0000000000000001 RSI: ffffffff8a2b3180 RDI: ffffffff8a7a09c0
RBP: ffffc90000d67e80 R08: ffff8880b913b30b R09: 1ffff11017227661
R10: dffffc0000000000 R11: ffffed1017227662 R12: 1ffff920001acfb4
R13: dffffc0000000000 R14: 1ffff11002dd3000 R15: 0000000000000000
 default_idle_call+0x81/0xc0 kernel/sched/idle.c:112
 cpuidle_idle_call kernel/sched/idle.c:202 [inline]
 do_idle+0x3a1/0x650 kernel/sched/idle.c:326
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:424
 start_secondary+0x330/0x430 arch/x86/kernel/smpboot.c:281
 secondary_startup_64_no_verify+0xb1/0xbb
 </TASK>
================================================================================
----------------
Code disassembly (best guess):
   0:	b7 48                	mov    $0x48,%bh
   2:	89 df                	mov    %ebx,%edi
   4:	e8 e6 97 f7 f7       	call   0xf7f797ef
   9:	eb ad                	jmp    0xffffffb8
   b:	e8 4f af f6 ff       	call   0xfff6af5f
  10:	00 00                	add    %al,(%rax)
  12:	cc                   	int3
  13:	cc                   	int3
  14:	00 00                	add    %al,(%rax)
  16:	cc                   	int3
  17:	cc                   	int3
  18:	00 00                	add    %al,(%rax)
  1a:	cc                   	int3
  1b:	cc                   	int3
  1c:	00 00                	add    %al,(%rax)
  1e:	cc                   	int3
  1f:	66 90                	xchg   %ax,%ax
  21:	0f 00 2d d7 05 5f 00 	verw   0x5f05d7(%rip)        # 0x5f05ff
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	c3                   	ret <-- trapping instruction
  2b:	0f 1f 40 00          	nopl   0x0(%rax)
  2f:	41 57                	push   %r15
  31:	41 56                	push   %r14
  33:	53                   	push   %rbx
  34:	49 be 00 00 00 00 00 	movabs $0xdffffc0000000000,%r14
  3b:	fc ff df
  3e:	65                   	gs
  3f:	48                   	rex.W

Crashes (3):

| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/06/10 22:29 | linux-5.15.y | dc027a595035 | f79bac11 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | UBSAN: array-index-out-of-bounds in aiptek_irq |
| 2026/06/13 14:39 | linux-5.15.y | dc027a595035 | 1d2f3589 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | UBSAN: array-index-out-of-bounds in aiptek_irq |
| 2026/06/10 17:50 | linux-5.15.y | dc027a595035 | f79bac11 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan | UBSAN: array-index-out-of-bounds in aiptek_irq |
* Struck through repros no longer work on HEAD.