================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 1798 is out of range for type 'const int[34]'
CPU: 1 PID: 14712 Comm: dhcpcd-run-hook Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
dump_stack_lvl+0x188/0x24e lib/dump_stack.c:106
ubsan_epilogue+0xa/0x30 lib/ubsan.c:151
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
aiptek_irq+0x1e87/0x28f0 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x35d/0x520 drivers/usb/core/hcd.c:1673
dummy_timer+0xa21/0x3420 drivers/usb/gadget/udc/dummy_hcd.c:2004
__run_hrtimer kernel/time/hrtimer.c:1751 [inline]
__hrtimer_run_queues+0x522/0xc90 kernel/time/hrtimer.c:1815
hrtimer_run_softirq+0x173/0x290 kernel/time/hrtimer.c:1832
handle_softirqs+0x291/0x910 kernel/softirq.c:596
__do_softirq kernel/softirq.c:630 [inline]
invoke_softirq kernel/softirq.c:470 [inline]
__irq_exit_rcu+0x13b/0x230 kernel/softirq.c:679
irq_exit_rcu+0x5/0x20 kernel/softirq.c:691
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1118
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:pte_alloc_one+0x1c7/0x310 arch/x86/mm/pgtable.c:33
Code: df be 26 00 00 00 ba 01 00 00 00 e8 13 cc 9f 00 eb 79 e8 cc 55 48 00 eb 0f e8 c5 55 48 00 48 89 df 31 f6 e8 0b a4 8d 00 31 db <48> c7 04 24 0e 36 e0 45 4b c7 44 3d 00 00 00 00 00 43 c7 44 3d 08
RSP: 0018:ffffc90003627460 EFLAGS: 00000293
RAX: ffffffff8139cc17 RBX: ffffea00018462c0 RCX: ffff88802e49da00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003627508 R08: ffffffff90af22e7 R09: 1ffffffff215e45c
R10: dffffc0000000000 R11: fffffbfff215e45d R12: dffffc0000000000
R13: 1ffff920006c4e8c R14: 0000000000000200 R15: dffffc0000000000
__pte_alloc+0x21/0x150 mm/memory.c:468
copy_pte_range mm/memory.c:1042 [inline]
copy_pmd_range mm/memory.c:1177 [inline]
copy_pud_range mm/memory.c:1214 [inline]
copy_p4d_range mm/memory.c:1238 [inline]
copy_page_range+0x322f/0x3a60 mm/memory.c:1332
dup_mmap kernel/fork.c:703 [inline]
dup_mm kernel/fork.c:1547 [inline]
copy_mm+0xeb0/0x1680 kernel/fork.c:1596
copy_process+0x19a6/0x40c0 kernel/fork.c:2357
kernel_clone+0x24b/0x900 kernel/fork.c:2764
__do_sys_clone kernel/fork.c:2905 [inline]
__se_sys_clone kernel/fork.c:2889 [inline]
__x64_sys_clone+0x1a7/0x220 kernel/fork.c:2889
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fbb46e87636
Code: 89 df e8 6d e8 f6 ff 45 31 c0 31 d2 31 f6 64 48 8b 04 25 10 00 00 00 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 52 89 c5 85 c0 75 31 64 48 8b 04 25 10 00 00
RSP: 002b:00007ffe726d40a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007ffe726d40a8 RCX: 00007fbb46e87636
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 000055c618ac9c30 R08: 0000000000000000 R09: 0000000000000040
R10: 00007fbb46cedf50 R11: 0000000000000246 R12: 000055c618ad7b88
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
================================================================================
----------------
Code disassembly (best guess):
0: df be 26 00 00 00 fistpll 0x26(%rsi)
6: ba 01 00 00 00 mov $0x1,%edx
b: e8 13 cc 9f 00 call 0x9fcc23
10: eb 79 jmp 0x8b
12: e8 cc 55 48 00 call 0x4855e3
17: eb 0f jmp 0x28
19: e8 c5 55 48 00 call 0x4855e3
1e: 48 89 df mov %rbx,%rdi
21: 31 f6 xor %esi,%esi
23: e8 0b a4 8d 00 call 0x8da433
28: 31 db xor %ebx,%ebx
* 2a: 48 c7 04 24 0e 36 e0 movq $0x45e0360e,(%rsp) <-- trapping instruction
31: 45
32: 4b c7 44 3d 00 00 00 movq $0x0,0x0(%r13,%r15,1)
39: 00 00
3b: 43 rex.XB
3c: c7 .byte 0xc7
3d: 44 rex.R
3e: 3d .byte 0x3d
3f: 08 .byte 0x8