================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 547 is out of range for type 'const int[34]'
CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G W syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 dump_stack+0x15/0x1c lib/dump_stack.c:135
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:148
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:347
 aiptek_irq+0x1fdf/0x2860 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
 expire_timers kernel/time/timer.c:1495 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1789
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
 __do_softirq+0x255/0x563 kernel/softirq.c:309
 run_ksoftirqd+0x23/0x30 kernel/softirq.c:670
 smpboot_thread_fn+0x474/0x850 kernel/smpboot.c:164
 kthread+0x346/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
================================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in aiptek_irq+0x1ffd/0x2860 drivers/input/tablet/aiptek.c:741
Read of size 4 at addr ffffffff855b380c by task ksoftirqd/0/12

CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G W syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0xe2/0x130 mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 aiptek_irq+0x1ffd/0x2860 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
 expire_timers kernel/time/timer.c:1495 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1789
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
 __do_softirq+0x255/0x563 kernel/softirq.c:309
 run_ksoftirqd+0x23/0x30 kernel/softirq.c:670
 smpboot_thread_fn+0x474/0x850 kernel/smpboot.c:164
 kthread+0x346/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

The buggy address belongs to the variable:
 .str.57+0xc/0x20

Memory state around the buggy address:
 ffffffff855b3700: 04 f9 f9 f9 00 f9 f9 f9 06 f9 f9 f9 07 f9 f9 f9
 ffffffff855b3780: 06 f9 f9 f9 00 04 f9 f9 05 f9 f9 f9 00 03 f9 f9
>ffffffff855b3800: 00 03 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
                      ^
 ffffffff855b3880: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
 ffffffff855b3900: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
==================================================================
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
index 548 is out of range for type 'const int[34]'
CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G B W syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 dump_stack+0x15/0x1c lib/dump_stack.c:135
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:148
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:347
 aiptek_irq+0x1ebf/0x2860 drivers/input/tablet/aiptek.c:763
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
 expire_timers kernel/time/timer.c:1495 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1789
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
 __do_softirq+0x255/0x563 kernel/softirq.c:309
 run_ksoftirqd+0x23/0x30 kernel/softirq.c:670
 smpboot_thread_fn+0x474/0x850 kernel/smpboot.c:164
 kthread+0x346/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
================================================================================