================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 1798 is out of range for type 'const int[34]'
CPU: 0 PID: 5893 Comm: kworker/0:7 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue:  0x0 (events)
Call Trace:
 <IRQ>
 dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
 ubsan_epilogue+0xa/0x30 lib/ubsan.c:217
 __ubsan_handle_out_of_bounds+0xe3/0xf0 lib/ubsan.c:348
 aiptek_irq+0x1eb8/0x2920 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x35d/0x520 drivers/usb/core/hcd.c:1648
 dummy_timer+0xa40/0x3420 drivers/usb/gadget/udc/dummy_hcd.c:2003
 __run_hrtimer kernel/time/hrtimer.c:1754 [inline]
 __hrtimer_run_queues+0x525/0xc10 kernel/time/hrtimer.c:1818
 hrtimer_run_softirq+0x177/0x290 kernel/time/hrtimer.c:1835
 handle_softirqs+0x27d/0x820 kernel/softirq.c:578
 __do_softirq kernel/softirq.c:612 [inline]
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xd3/0x190 kernel/softirq.c:661
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:finish_task_switch+0x267/0x8f0 kernel/sched/core.c:5255
Code: 26 09 85 c0 0f 84 30 01 00 00 48 85 db 0f 85 4f 01 00 00 0f 1f 44 00 00 4c 89 e7 e8 93 3b 30 09 e8 7e 0b 30 00 fb 4c 8b 65 b8 <49> 8d bc 24 f8 15 00 00 48 89 f8 48 c1 e8 03 42 0f b6 04 30 84 c0
RSP: 0018:ffffc9000490fb20 EFLAGS: 00000282
RAX: 909a3b1dc6870500 RBX: 0000000000000000 RCX: 909a3b1dc6870500
RDX: dffffc0000000000 RSI: ffffffff8acacb60 RDI: ffffffff8b1c7be0
RBP: ffffc9000490fb70 R08: ffffffff8e8ae5ef R09: 1ffffffff1d15cbd
R10: dffffc0000000000 R11: fffffbfff1d15cbe R12: ffff88807db0da00
R13: 1ffff110171c79a9 R14: dffffc0000000000 R15: ffff8880b8e3cd48
 context_switch kernel/sched/core.c:5384 [inline]
 __schedule+0x15b6/0x4660 kernel/sched/core.c:6700
 schedule+0xbd/0x170 kernel/sched/core.c:6774
 worker_thread+0xc17/0xfe0 kernel/workqueue.c:2826
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>
================================================================================
----------------
Code disassembly (best guess):
   0:	26 09 85 c0 0f 84 30 	es or  %eax,0x30840fc0(%rbp)
   7:	01 00                	add    %eax,(%rax)
   9:	00 48 85             	add    %cl,-0x7b(%rax)
   c:	db 0f                	fisttpl (%rdi)
   e:	85 4f 01             	test   %ecx,0x1(%rdi)
  11:	00 00                	add    %al,(%rax)
  13:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  18:	4c 89 e7             	mov    %r12,%rdi
  1b:	e8 93 3b 30 09       	call   0x9303bb3
  20:	e8 7e 0b 30 00       	call   0x300ba3
  25:	fb                   	sti
  26:	4c 8b 65 b8          	mov    -0x48(%rbp),%r12
* 2a:	49 8d bc 24 f8 15 00 	lea    0x15f8(%r12),%rdi <-- trapping instruction
  31:	00
  32:	48 89 f8             	mov    %rdi,%rax
  35:	48 c1 e8 03          	shr    $0x3,%rax
  39:	42 0f b6 04 30       	movzbl (%rax,%r14,1),%eax
  3e:	84 c0                	test   %al,%al