================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 259 is out of range for type 'const int[34]'
CPU: 0 PID: 281 Comm: syz-executor Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 dump_stack+0x15/0x1c lib/dump_stack.c:135
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:148
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:347
 aiptek_irq+0x1fa2/0x2860 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x32f/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x11d/0x3f0 drivers/usb/core/hcd.c:1748
 dummy_timer+0xa34/0x31d0 drivers/usb/gadget/udc/dummy_hcd.c:1986
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
 expire_timers kernel/time/timer.c:1495 [inline]
 __run_timers+0x637/0x9a0 kernel/time/timer.c:1789
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
 __do_softirq+0x255/0x563 kernel/softirq.c:309
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:405 [inline]
 __irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:sock_create net/socket.c:1487 [inline]
RIP: 0010:__sys_socket+0xc9/0x190 net/socket.c:1529
Code: 74 0e 4c 89 ef 49 89 cc e8 04 dc 09 fe 4c 89 e1 41 89 dc 41 83 e4 0f 4d 8b 6d 00 49 83 c5 28 4c 89 e8 48 c1 e8 03 80 3c 08 00 <74> 08 4c 89 ef e8 dd db 09 fe 49 8b 7d 00 4c 8d 45 c8 44 89 fe 44
RSP: 0018:ffffc90000b27ec8 EFLAGS: 00000246
RAX: 1ffff11024ab36fc RBX: 0000000000000001 RCX: dffffc0000000000
RDX: ffff88811de98000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000b27f00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffff88812559b7e0 R14: 0000000000000006 R15: 000000000000000a
 __do_sys_socket net/socket.c:1538 [inline]
 __se_sys_socket net/socket.c:1536 [inline]
 __x64_sys_socket+0x7a/0x90 net/socket.c:1536
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f30d61376c7
Code: f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff6ddf7938 EFLAGS: 00000202 ORIG_RAX: 0000000000000029
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007f30d61376c7
RDX: 0000000000000006 RSI: 0000000000000001 RDI: 000000000000000a
RBP: 00007fff6ddf806c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007f30d6381e00
R13: 00000000000927c0 R14: 000000000001e165 R15: 00007f30d6383fc0
================================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in aiptek_irq+0x1fc0/0x2860 drivers/input/tablet/aiptek.c:741
Read of size 4 at addr ffffffff855adaec by task syz-executor/281

CPU: 0 PID: 281 Comm: syz-executor Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0x100/0x140 mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 aiptek_irq+0x1fc0/0x2860 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x32f/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x11d/0x3f0 drivers/usb/core/hcd.c:1748
 dummy_timer+0xa34/0x31d0 drivers/usb/gadget/udc/dummy_hcd.c:1986
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
 expire_timers kernel/time/timer.c:1495 [inline]
 __run_timers+0x637/0x9a0 kernel/time/timer.c:1789
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
 __do_softirq+0x255/0x563 kernel/softirq.c:309
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:405 [inline]
 __irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:sock_create net/socket.c:1487 [inline]
RIP: 0010:__sys_socket+0xc9/0x190 net/socket.c:1529
Code: 74 0e 4c 89 ef 49 89 cc e8 04 dc 09 fe 4c 89 e1 41 89 dc 41 83 e4 0f 4d 8b 6d 00 49 83 c5 28 4c 89 e8 48 c1 e8 03 80 3c 08 00 <74> 08 4c 89 ef e8 dd db 09 fe 49 8b 7d 00 4c 8d 45 c8 44 89 fe 44
RSP: 0018:ffffc90000b27ec8 EFLAGS: 00000246
RAX: 1ffff11024ab36fc RBX: 0000000000000001 RCX: dffffc0000000000
RDX: ffff88811de98000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000b27f00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffff88812559b7e0 R14: 0000000000000006 R15: 000000000000000a
 __do_sys_socket net/socket.c:1538 [inline]
 __se_sys_socket net/socket.c:1536 [inline]
 __x64_sys_socket+0x7a/0x90 net/socket.c:1536
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f30d61376c7
Code: f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff6ddf7938 EFLAGS: 00000202 ORIG_RAX: 0000000000000029
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007f30d61376c7
RDX: 0000000000000006 RSI: 0000000000000001 RDI: 000000000000000a
RBP: 00007fff6ddf806c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007f30d6381e00
R13: 00000000000927c0 R14: 000000000001e165 R15: 00007f30d6383fc0

The buggy address belongs to the variable:
 .str.21+0xc/0x20

Memory state around the buggy address:
 ffffffff855ad980: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
 ffffffff855ada00: 00 02 f9 f9 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9
>ffffffff855ada80: 05 f9 f9 f9 07 f9 f9 f9 00 05 f9 f9 04 f9 f9 f9
                                                          ^
 ffffffff855adb00: 00 f9 f9 f9 07 f9 f9 f9 06 f9 f9 f9 07 f9 f9 f9
 ffffffff855adb80: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9
==================================================================
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
index 260 is out of range for type 'const int[34]'
CPU: 0 PID: 281 Comm: syz-executor Tainted: G    B             syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 dump_stack+0x15/0x1c lib/dump_stack.c:135
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:148
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:347
 aiptek_irq+0x1e71/0x2860 drivers/input/tablet/aiptek.c:763
 __usb_hcd_giveback_urb+0x32f/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x11d/0x3f0 drivers/usb/core/hcd.c:1748
 dummy_timer+0xa34/0x31d0 drivers/usb/gadget/udc/dummy_hcd.c:1986
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
 expire_timers kernel/time/timer.c:1495 [inline]
 __run_timers+0x637/0x9a0 kernel/time/timer.c:1789
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
 __do_softirq+0x255/0x563 kernel/softirq.c:309
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:405 [inline]
 __irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:sock_create net/socket.c:1487 [inline]
RIP: 0010:__sys_socket+0xc9/0x190 net/socket.c:1529
Code: 74 0e 4c 89 ef 49 89 cc e8 04 dc 09 fe 4c 89 e1 41 89 dc 41 83 e4 0f 4d 8b 6d 00 49 83 c5 28 4c 89 e8 48 c1 e8 03 80 3c 08 00 <74> 08 4c 89 ef e8 dd db 09 fe 49 8b 7d 00 4c 8d 45 c8 44 89 fe 44
RSP: 0018:ffffc90000b27ec8 EFLAGS: 00000246
RAX: 1ffff11024ab36fc RBX: 0000000000000001 RCX: dffffc0000000000
RDX: ffff88811de98000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000b27f00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffff88812559b7e0 R14: 0000000000000006 R15: 000000000000000a
 __do_sys_socket net/socket.c:1538 [inline]
 __se_sys_socket net/socket.c:1536 [inline]
 __x64_sys_socket+0x7a/0x90 net/socket.c:1536
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f30d61376c7
Code: f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff6ddf7938 EFLAGS: 00000202 ORIG_RAX: 0000000000000029
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007f30d61376c7
RDX: 0000000000000006 RSI: 0000000000000001 RDI: 000000000000000a
RBP: 00007fff6ddf806c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007f30d6381e00
R13: 00000000000927c0 R14: 000000000001e165 R15: 00007f30d6383fc0
================================================================================
----------------
Code disassembly (best guess):
   0:	74 0e                	je     0x10
   2:	4c 89 ef             	mov    %r13,%rdi
   5:	49 89 cc             	mov    %rcx,%r12
   8:	e8 04 dc 09 fe       	call   0xfe09dc11
   d:	4c 89 e1             	mov    %r12,%rcx
  10:	41 89 dc             	mov    %ebx,%r12d
  13:	41 83 e4 0f          	and    $0xf,%r12d
  17:	4d 8b 6d 00          	mov    0x0(%r13),%r13
  1b:	49 83 c5 28          	add    $0x28,%r13
  1f:	4c 89 e8             	mov    %r13,%rax
  22:	48 c1 e8 03          	shr    $0x3,%rax
  26:	80 3c 08 00          	cmpb   $0x0,(%rax,%rcx,1)
* 2a:	74 08                	je     0x34 <-- trapping instruction
  2c:	4c 89 ef             	mov    %r13,%rdi
  2f:	e8 dd db 09 fe       	call   0xfe09dc11
  34:	49 8b 7d 00          	mov    0x0(%r13),%rdi
  38:	4c 8d 45 c8          	lea    -0x38(%rbp),%r8
  3c:	44 89 fe             	mov    %r15d,%esi
  3f:	44                   	rex.R