================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 259 is out of range for type 'const int[34]'
CPU: 1 PID: 20600 Comm: kworker/u4:7 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: events_unbound nsim_dev_trap_report_work
Call Trace:
 <IRQ>
 dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
 ubsan_epilogue+0xa/0x30 lib/ubsan.c:217
 __ubsan_handle_out_of_bounds+0xe3/0xf0 lib/ubsan.c:348
 aiptek_irq+0x1ea9/0x28f0 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x35f/0x520 drivers/usb/core/hcd.c:1650
 dummy_timer+0x8de/0x3320 drivers/usb/gadget/udc/dummy_hcd.c:2003
 __run_hrtimer kernel/time/hrtimer.c:1754 [inline]
 __hrtimer_run_queues+0x520/0xc40 kernel/time/hrtimer.c:1818
 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1835
 handle_softirqs+0x280/0x820 kernel/softirq.c:578
 __do_softirq kernel/softirq.c:612 [inline]
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xd3/0x190 kernel/softirq.c:661
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:___slab_alloc+0x78/0x12f0 mm/slub.c:3150
Code: 48 89 44 24 60 48 85 c0 75 20 83 fd ff 74 11 48 63 c5 48 0f a3 05 c0 43 54 15 0f 82 5d 03 00 00 bd ff ff ff ff e9 53 03 00 00 <48> 8b 7c 24 60 83 fd ff 0f 84 f5 00 00 00 48 8b 07 48 83 f8 ff 0f
RSP: 0018:ffffc9000e0f7978 EFLAGS: 00000206
RAX: fa5d57290b27c200 RBX: ffffffff81ded3e2 RCX: fa5d57290b27c200
RDX: dffffc0000000000 RSI: ffffffff8acacbe0 RDI: ffffffff8b1c9c20
RBP: 00000000ffffffff R08: ffffffff911cd5ef R09: 1ffffffff2239abd
R10: dffffc0000000000 R11: fffffbfff2239abe R12: ffff8880b8f44200
R13: ffff8880b8f441e0 R14: 0000000000000286 R15: ffff8880279eda00
 __slab_alloc mm/slub.c:3339 [inline]
 __slab_alloc_node mm/slub.c:3392 [inline]
 slab_alloc_node mm/slub.c:3485 [inline]
 kmem_cache_alloc_node+0x1e6/0x320 mm/slub.c:3540
 __alloc_skb+0x103/0x2c0 net/core/skbuff.c:643
 alloc_skb include/linux/skbuff.h:1316 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
 nsim_dev_trap_report_work+0x293/0xb10 drivers/net/netdevsim/dev.c:851
 process_one_work kernel/workqueue.c:2653 [inline]
 process_scheduled_works+0xa5d/0x15d0 kernel/workqueue.c:2730
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2811
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>
================================================================================
----------------
Code disassembly (best guess):
   0:	48 89 44 24 60       	mov    %rax,0x60(%rsp)
   5:	48 85 c0             	test   %rax,%rax
   8:	75 20                	jne    0x2a
   a:	83 fd ff             	cmp    $0xffffffff,%ebp
   d:	74 11                	je     0x20
   f:	48 63 c5             	movslq %ebp,%rax
  12:	48 0f a3 05 c0 43 54 	bt     %rax,0x155443c0(%rip)        # 0x155443da
  19:	15
  1a:	0f 82 5d 03 00 00    	jb     0x37d
  20:	bd ff ff ff ff       	mov    $0xffffffff,%ebp
  25:	e9 53 03 00 00       	jmp    0x37d
* 2a:	48 8b 7c 24 60       	mov    0x60(%rsp),%rdi <-- trapping instruction
  2f:	83 fd ff             	cmp    $0xffffffff,%ebp
  32:	0f 84 f5 00 00 00    	je     0x12d
  38:	48 8b 07             	mov    (%rdi),%rax
  3b:	48 83 f8 ff          	cmp    $0xffffffffffffffff,%rax
  3f:	0f                   	.byte 0xf