================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 261 is out of range for type 'const int[34]'
CPU: 0 PID: 25760 Comm: kworker/0:7 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: usb_hub_wq hub_event
Call Trace:
 <IRQ>
 dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
 ubsan_epilogue+0xa/0x30 lib/ubsan.c:217
 __ubsan_handle_out_of_bounds+0xe3/0xf0 lib/ubsan.c:348
 aiptek_irq+0x1eb8/0x2920 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x35d/0x520 drivers/usb/core/hcd.c:1648
 dummy_timer+0xa40/0x3420 drivers/usb/gadget/udc/dummy_hcd.c:2003
 __run_hrtimer kernel/time/hrtimer.c:1754 [inline]
 __hrtimer_run_queues+0x525/0xc10 kernel/time/hrtimer.c:1818
 hrtimer_run_softirq+0x177/0x290 kernel/time/hrtimer.c:1835
 handle_softirqs+0x27d/0x820 kernel/softirq.c:578
 __do_softirq kernel/softirq.c:612 [inline]
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xd3/0x190 kernel/softirq.c:661
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:variable_test_bit arch/x86/include/asm/bitops.h:228 [inline]
RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:240 [inline]
RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]
RIP: 0010:tag_get lib/radix-tree.c:115 [inline]
RIP: 0010:idr_get_free+0x3b6/0xa10 lib/radix-tree.c:1519
Code: 74 05 e8 cd c6 6b f7 4e 8b 64 fb 28 4c 8d b3 28 02 00 00 4c 89 f7 be 08 00 00 00 e8 74 c8 6b f7 31 f6 4c 0f a3 bb 28 02 00 00 <40> 0f 93 c5 40 0f 92 c6 bf 02 00 00 00 e8 b8 54 13 f7 40 84 ed 75
RSP: 0018:ffffc90002f76aa0 EFLAGS: 00000247
RAX: 1ffff11029297b01 RBX: ffff8881494bde40 RCX: ffffffff8a73930c
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881494be068
RBP: 000000000000000c R08: ffff8881494be06f R09: 1ffff11029297c0d
R10: dffffc0000000000 R11: ffffed1029297c0e R12: ffff88805f4d8dc2
R13: dffffc0000000000 R14: ffff8881494be068 R15: 0000000000000024
 idr_alloc_u32 lib/idr.c:48 [inline]
 idr_alloc_cyclic+0x28a/0x610 lib/idr.c:127
 __kernfs_new_node+0x139/0x7f0 fs/kernfs/dir.c:630
 kernfs_new_node+0x14c/0x260 fs/kernfs/dir.c:700
 __kernfs_create_file+0x4b/0x2e0 fs/kernfs/file.c:1068
 sysfs_add_file_mode_ns+0x237/0x2f0 fs/sysfs/file.c:294
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x431/0xd10 fs/sysfs/group.c:152
 internal_create_groups fs/sysfs/group.c:192 [inline]
 sysfs_create_groups+0x59/0x120 fs/sysfs/group.c:218
 really_probe+0x54c/0xae0 drivers/base/dd.c:737
 __driver_probe_device+0x1f5/0x390 drivers/base/dd.c:880
 driver_probe_device+0x4f/0x420 drivers/base/dd.c:910
 __device_attach_driver+0x2ca/0x510 drivers/base/dd.c:1038
 bus_for_each_drv+0x252/0x2e0 drivers/base/bus.c:459
 __device_attach+0x2c1/0x420 drivers/base/dd.c:1110
 bus_probe_device+0x180/0x260 drivers/base/bus.c:580
 device_add+0x87c/0xc40 drivers/base/core.c:3700
 usb_set_configuration+0x1ad0/0x2150 drivers/usb/core/message.c:2265
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:238
 usb_probe_device+0x12a/0x260 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x247/0xae0 drivers/base/dd.c:718
 __driver_probe_device+0x1f5/0x390 drivers/base/dd.c:880
 driver_probe_device+0x4f/0x420 drivers/base/dd.c:910
 __device_attach_driver+0x2ca/0x510 drivers/base/dd.c:1038
 bus_for_each_drv+0x252/0x2e0 drivers/base/bus.c:459
 __device_attach+0x2c1/0x420 drivers/base/dd.c:1110
 bus_probe_device+0x180/0x260 drivers/base/bus.c:580
 device_add+0x87c/0xc40 drivers/base/core.c:3700
 usb_new_device+0x995/0x1550 drivers/usb/core/hub.c:2660
 hub_port_connect drivers/usb/core/hub.c:5529 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5669 [inline]
 port_event drivers/usb/core/hub.c:5833 [inline]
 hub_event+0x29d5/0x4a80 drivers/usb/core/hub.c:5915
 process_one_work kernel/workqueue.c:2653 [inline]
 process_scheduled_works+0xa60/0x1600 kernel/workqueue.c:2730
 worker_thread+0xa5e/0xfe0 kernel/workqueue.c:2811
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>
================================================================================
----------------
Code disassembly (best guess):
   0:	74 05                	je     0x7
   2:	e8 cd c6 6b f7       	call   0xf76bc6d4
   7:	4e 8b 64 fb 28       	mov    0x28(%rbx,%r15,8),%r12
   c:	4c 8d b3 28 02 00 00 	lea    0x228(%rbx),%r14
  13:	4c 89 f7             	mov    %r14,%rdi
  16:	be 08 00 00 00       	mov    $0x8,%esi
  1b:	e8 74 c8 6b f7       	call   0xf76bc894
  20:	31 f6                	xor    %esi,%esi
  22:	4c 0f a3 bb 28 02 00 	bt     %r15,0x228(%rbx)
  29:	00
* 2a:	40 0f 93 c5          	setae  %bpl <-- trapping instruction
  2e:	40 0f 92 c6          	setb   %sil
  32:	bf 02 00 00 00       	mov    $0x2,%edi
  37:	e8 b8 54 13 f7       	call   0xf71354f4
  3c:	40 84 ed             	test   %bpl,%bpl
  3f:	75                   	.byte 0x75