================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 259 is out of range for type 'const int[34]'
CPU: 1 PID: 28810 Comm: kworker/u4:42 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: bat_events batadv_nc_worker
Call Trace:
 dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
 ubsan_epilogue+0xa/0x30 lib/ubsan.c:217
 __ubsan_handle_out_of_bounds+0xe3/0xf0 lib/ubsan.c:348
 aiptek_irq+0x1ea9/0x28f0 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x35f/0x520 drivers/usb/core/hcd.c:1650
 dummy_timer+0x8de/0x3320 drivers/usb/gadget/udc/dummy_hcd.c:2003
 __run_hrtimer kernel/time/hrtimer.c:1754 [inline]
 __hrtimer_run_queues+0x520/0xc40 kernel/time/hrtimer.c:1818
 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1835
 handle_softirqs+0x280/0x820 kernel/softirq.c:578
 __do_softirq kernel/softirq.c:612 [inline]
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xd3/0x190 kernel/softirq.c:661
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:debug_lockdep_rcu_enabled+0x29/0x30 kernel/rcu/update.c:320
Code: cc f3 0f 1e fa 31 c0 83 3d 0f 06 03 04 00 74 1d 83 3d 86 39 03 04 00 74 14 65 48 8b 0d a0 54 7b 75 31 c0 83 b9 dc 0a 00 00 00 <0f> 94 c0 c3 cc cc cc 66 0f 1f 00 48 8b 3c 24 e8 43 fb ff ff 66 90
RSP: 0018:ffffc90003627b58 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88807b681e00
RDX: 0000000000000000 RSI: ffffffff8b1c9c00 RDI: ffffffff8b1c9bc0
RBP: fffffffffffffe38 R08: dffffc0000000000 R09: 1ffffffff2239aa0
R10: dffffc0000000000 R11: fffffbfff2239aa1 R12: dffffc0000000000
R13: ffffffff8a4faf52 R14: ffff88805feb8d00 R15: 00000000000000b5
 rcu_read_unlock include/linux/rcupdate.h:815 [inline]
 batadv_nc_purge_orig_hash net/batman-adv/network-coding.c:412 [inline]
 batadv_nc_worker+0x1f4/0x610 net/batman-adv/network-coding.c:719
 process_one_work kernel/workqueue.c:2653 [inline]
 process_scheduled_works+0xa5d/0x15d0 kernel/workqueue.c:2730
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2811
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
================================================================================
----------------
Code disassembly (best guess):
   0: cc                    int3
   1: f3 0f 1e fa           endbr64
   5: 31 c0                 xor %eax,%eax
   7: 83 3d 0f 06 03 04 00  cmpl $0x0,0x403060f(%rip) # 0x403061d
   e: 74 1d                 je 0x2d
  10: 83 3d 86 39 03 04 00  cmpl $0x0,0x4033986(%rip) # 0x403399d
  17: 74 14                 je 0x2d
  19: 65 48 8b 0d a0 54 7b  mov %gs:0x757b54a0(%rip),%rcx # 0x757b54c1
  20: 75
  21: 31 c0                 xor %eax,%eax
  23: 83 b9 dc 0a 00 00 00  cmpl $0x0,0xadc(%rcx)
* 2a: 0f 94 c0              sete %al <-- trapping instruction
  2d: c3                    ret
  2e: cc                    int3
  2f: cc                    int3
  30: cc                    int3
  31: 66 0f 1f 00           nopw (%rax)
  35: 48 8b 3c 24           mov (%rsp),%rdi
  39: e8 43 fb ff ff        call 0xfffffb81
  3e: 66 90                 xchg %ax,%ax