================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 255 is out of range for type 'const int[34]'
CPU: 0 PID: 911 Comm: syz.2.147 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
__dump_stack+0x21/0x24 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
dump_stack+0x15/0x24 lib/dump_stack.c:113
ubsan_epilogue+0xe/0x40 lib/ubsan.c:151
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
aiptek_irq+0x2045/0x29b0 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x360/0x520 drivers/usb/core/hcd.c:1675
usb_hcd_giveback_urb+0x11f/0x3e0 drivers/usb/core/hcd.c:1758
dummy_timer+0xa25/0x3270 drivers/usb/gadget/udc/dummy_hcd.c:2004
__run_hrtimer kernel/time/hrtimer.c:1685 [inline]
__hrtimer_run_queues+0x398/0x890 kernel/time/hrtimer.c:1749
hrtimer_run_softirq+0x19b/0x260 kernel/time/hrtimer.c:1766
handle_softirqs+0x1d7/0x600 kernel/softirq.c:642
__do_softirq kernel/softirq.c:680 [inline]
invoke_softirq kernel/softirq.c:497 [inline]
__irq_exit_rcu+0x52/0xf0 kernel/softirq.c:729
irq_exit_rcu+0x9/0x10 kernel/softirq.c:741
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:stack_trace_consume_entry+0x1/0x290 kernel/stacktrace.c:83
Code: 00 00 00 48 3b 4c 24 78 75 09 48 8d 65 f0 5b 41 5e 5d c3 e8 31 46 98 03 90 90 90 90 90 90 90 90 90 90 90 90 b8 b6 63 6b ad 55 <48> 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 20 48 ba 00 00 00 00
RSP: 0018:ffffc900023af658 EFLAGS: 00000257
RAX: ffffffff8260bdfc RBX: ffffc900023af720 RCX: 0000000000475e00
RDX: ffffc900023afc01 RSI: ffffffff8260bdfc RDI: ffffc900023af720
RBP: ffffc900023af6f0 R08: ffffc900023af730 R09: ffffc900023af728
R10: 0000000000000000 R11: fffff52000475ed9 R12: ffff88811aef8000
R13: ffffffff866d3400 R14: ffffffff81620130 R15: ffffc900023af668
stack_trace_save+0xa6/0xf0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:380 [inline]
__kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389
kasan_kmalloc include/linux/kasan.h:212 [inline]
__do_kmalloc_node mm/slab_common.c:938 [inline]
__kmalloc+0xb4/0x1e0 mm/slab_common.c:951
kmalloc include/linux/slab.h:568 [inline]
io_alloc_async_data io_uring/io_uring.c:1598 [inline]
io_req_prep_async+0x28c/0x6c0 io_uring/io_uring.c:1619
io_queue_sqe_fallback+0x60/0x1b0 io_uring/io_uring.c:1949
io_submit_state_end io_uring/io_uring.c:2205 [inline]
io_submit_sqes+0x18eb/0x1ba0 io_uring/io_uring.c:2321
__do_sys_io_uring_enter io_uring/io_uring.c:3430 [inline]
__se_sys_io_uring_enter+0x32c/0x1f50 io_uring/io_uring.c:3362
__x64_sys_io_uring_enter+0xe5/0x100 io_uring/io_uring.c:3362
x64_sys_call+0x4b2/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:427
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f4fc639ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4fc723ff38 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 00002000000003c0 RCX: 00007f4fc639ce59
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000009
RBP: 00000000000001e5 R08: 0000000000000000 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000246 R12: 0000200000000a80
R13: 0000200000000a88 R14: 00000000000003c9 R15: 0000000000000000
================================================================================
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
index 256 is out of range for type 'const int[34]'
CPU: 0 PID: 911 Comm: syz.2.147 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
__dump_stack+0x21/0x24 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
dump_stack+0x15/0x24 lib/dump_stack.c:113
ubsan_epilogue+0xe/0x40 lib/ubsan.c:151
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
aiptek_irq+0x1f14/0x29b0 drivers/input/tablet/aiptek.c:763
__usb_hcd_giveback_urb+0x360/0x520 drivers/usb/core/hcd.c:1675
usb_hcd_giveback_urb+0x11f/0x3e0 drivers/usb/core/hcd.c:1758
dummy_timer+0xa25/0x3270 drivers/usb/gadget/udc/dummy_hcd.c:2004
__run_hrtimer kernel/time/hrtimer.c:1685 [inline]
__hrtimer_run_queues+0x398/0x890 kernel/time/hrtimer.c:1749
hrtimer_run_softirq+0x19b/0x260 kernel/time/hrtimer.c:1766
handle_softirqs+0x1d7/0x600 kernel/softirq.c:642
__do_softirq kernel/softirq.c:680 [inline]
invoke_softirq kernel/softirq.c:497 [inline]
__irq_exit_rcu+0x52/0xf0 kernel/softirq.c:729
irq_exit_rcu+0x9/0x10 kernel/softirq.c:741
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:stack_trace_consume_entry+0x1/0x290 kernel/stacktrace.c:83
Code: 00 00 00 48 3b 4c 24 78 75 09 48 8d 65 f0 5b 41 5e 5d c3 e8 31 46 98 03 90 90 90 90 90 90 90 90 90 90 90 90 b8 b6 63 6b ad 55 <48> 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 20 48 ba 00 00 00 00
RSP: 0018:ffffc900023af658 EFLAGS: 00000257
RAX: ffffffff8260bdfc RBX: ffffc900023af720 RCX: 0000000000475e00
RDX: ffffc900023afc01 RSI: ffffffff8260bdfc RDI: ffffc900023af720
RBP: ffffc900023af6f0 R08: ffffc900023af730 R09: ffffc900023af728
R10: 0000000000000000 R11: fffff52000475ed9 R12: ffff88811aef8000
R13: ffffffff866d3400 R14: ffffffff81620130 R15: ffffc900023af668
stack_trace_save+0xa6/0xf0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:380 [inline]
__kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389
kasan_kmalloc include/linux/kasan.h:212 [inline]
__do_kmalloc_node mm/slab_common.c:938 [inline]
__kmalloc+0xb4/0x1e0 mm/slab_common.c:951
kmalloc include/linux/slab.h:568 [inline]
io_alloc_async_data io_uring/io_uring.c:1598 [inline]
io_req_prep_async+0x28c/0x6c0 io_uring/io_uring.c:1619
io_queue_sqe_fallback+0x60/0x1b0 io_uring/io_uring.c:1949
io_submit_state_end io_uring/io_uring.c:2205 [inline]
io_submit_sqes+0x18eb/0x1ba0 io_uring/io_uring.c:2321
__do_sys_io_uring_enter io_uring/io_uring.c:3430 [inline]
__se_sys_io_uring_enter+0x32c/0x1f50 io_uring/io_uring.c:3362
__x64_sys_io_uring_enter+0xe5/0x100 io_uring/io_uring.c:3362
x64_sys_call+0x4b2/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:427
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f4fc639ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4fc723ff38 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 00002000000003c0 RCX: 00007f4fc639ce59
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000009
RBP: 00000000000001e5 R08: 0000000000000000 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000246 R12: 0000200000000a80
R13: 0000200000000a88 R14: 00000000000003c9 R15: 0000000000000000
================================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in aiptek_irq+0x1f32/0x29b0 drivers/input/tablet/aiptek.c:763
Read of size 4 at addr ffffffff85e65740 by task syz.2.147/911
CPU: 0 PID: 911 Comm: syz.2.147 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
__dump_stack+0x21/0x24 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
print_address_description+0x71/0x200 mm/kasan/report.c:316
print_report+0x4a/0x60 mm/kasan/report.c:420
kasan_report+0x122/0x150 mm/kasan/report.c:524
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350
aiptek_irq+0x1f32/0x29b0 drivers/input/tablet/aiptek.c:763
__usb_hcd_giveback_urb+0x360/0x520 drivers/usb/core/hcd.c:1675
usb_hcd_giveback_urb+0x11f/0x3e0 drivers/usb/core/hcd.c:1758
dummy_timer+0xa25/0x3270 drivers/usb/gadget/udc/dummy_hcd.c:2004
__run_hrtimer kernel/time/hrtimer.c:1685 [inline]
__hrtimer_run_queues+0x398/0x890 kernel/time/hrtimer.c:1749
hrtimer_run_softirq+0x19b/0x260 kernel/time/hrtimer.c:1766
handle_softirqs+0x1d7/0x600 kernel/softirq.c:642
__do_softirq kernel/softirq.c:680 [inline]
invoke_softirq kernel/softirq.c:497 [inline]
__irq_exit_rcu+0x52/0xf0 kernel/softirq.c:729
irq_exit_rcu+0x9/0x10 kernel/softirq.c:741
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:stack_trace_consume_entry+0x1/0x290 kernel/stacktrace.c:83
Code: 00 00 00 48 3b 4c 24 78 75 09 48 8d 65 f0 5b 41 5e 5d c3 e8 31 46 98 03 90 90 90 90 90 90 90 90 90 90 90 90 b8 b6 63 6b ad 55 <48> 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 20 48 ba 00 00 00 00
RSP: 0018:ffffc900023af658 EFLAGS: 00000257
RAX: ffffffff8260bdfc RBX: ffffc900023af720 RCX: 0000000000475e00
RDX: ffffc900023afc01 RSI: ffffffff8260bdfc RDI: ffffc900023af720
RBP: ffffc900023af6f0 R08: ffffc900023af730 R09: ffffc900023af728
R10: 0000000000000000 R11: fffff52000475ed9 R12: ffff88811aef8000
R13: ffffffff866d3400 R14: ffffffff81620130 R15: ffffc900023af668
stack_trace_save+0xa6/0xf0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:380 [inline]
__kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389
kasan_kmalloc include/linux/kasan.h:212 [inline]
__do_kmalloc_node mm/slab_common.c:938 [inline]
__kmalloc+0xb4/0x1e0 mm/slab_common.c:951
kmalloc include/linux/slab.h:568 [inline]
io_alloc_async_data io_uring/io_uring.c:1598 [inline]
io_req_prep_async+0x28c/0x6c0 io_uring/io_uring.c:1619
io_queue_sqe_fallback+0x60/0x1b0 io_uring/io_uring.c:1949
io_submit_state_end io_uring/io_uring.c:2205 [inline]
io_submit_sqes+0x18eb/0x1ba0 io_uring/io_uring.c:2321
__do_sys_io_uring_enter io_uring/io_uring.c:3430 [inline]
__se_sys_io_uring_enter+0x32c/0x1f50 io_uring/io_uring.c:3362
__x64_sys_io_uring_enter+0xe5/0x100 io_uring/io_uring.c:3362
x64_sys_call+0x4b2/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:427
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f4fc639ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4fc723ff38 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 00002000000003c0 RCX: 00007f4fc639ce59
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000009
RBP: 00000000000001e5 R08: 0000000000000000 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000246 R12: 0000200000000a80
R13: 0000200000000a88 R14: 00000000000003c9 R15: 0000000000000000
The buggy address belongs to the variable:
aiptek_ids+0x120/0x160
The buggy address belongs to the physical page:
page:ffffea0000179940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5e65
flags: 0x1000(reserved|zone=0)
raw: 0000000000001000 ffffea0000179948 ffffea0000179948 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
Memory state around the buggy address:
ffffffff85e65600: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff85e65680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff85e65700: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9
^
ffffffff85e65780: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
ffffffff85e65800: 07 f9 f9 f9 00 05 f9 f9 04 f9 f9 f9 00 f9 f9 f9
==================================================================
aiptek 5-1:0.0: aiptek_irq - usb_submit_urb failed with result -19
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 48 3b add %cl,0x3b(%rax)
5: 4c 24 78 rex.WR and $0x78,%al
8: 75 09 jne 0x13
a: 48 8d 65 f0 lea -0x10(%rbp),%rsp
e: 5b pop %rbx
f: 41 5e pop %r14
11: 5d pop %rbp
12: c3 ret
13: e8 31 46 98 03 call 0x3984649
18: 90 nop
19: 90 nop
1a: 90 nop
1b: 90 nop
1c: 90 nop
1d: 90 nop
1e: 90 nop
1f: 90 nop
20: 90 nop
21: 90 nop
22: 90 nop
23: 90 nop
24: b8 b6 63 6b ad mov $0xad6b63b6,%eax
29: 55 push %rbp
* 2a: 48 89 e5 mov %rsp,%rbp <-- trapping instruction
2d: 41 57 push %r15
2f: 41 56 push %r14
31: 41 55 push %r13
33: 41 54 push %r12
35: 53 push %rbx
36: 48 83 ec 20 sub $0x20,%rsp
3a: 48 rex.W
3b: ba 00 00 00 00 mov $0x0,%edx