================================================================================ UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31 index 255 is out of range for type 'const int[34]' CPU: 0 PID: 911 Comm: syz.2.147 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: __dump_stack+0x21/0x24 lib/dump_stack.c:88 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106 dump_stack+0x15/0x24 lib/dump_stack.c:113 ubsan_epilogue+0xe/0x40 lib/ubsan.c:151 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282 aiptek_irq+0x2045/0x29b0 drivers/input/tablet/aiptek.c:741 __usb_hcd_giveback_urb+0x360/0x520 drivers/usb/core/hcd.c:1675 usb_hcd_giveback_urb+0x11f/0x3e0 drivers/usb/core/hcd.c:1758 dummy_timer+0xa25/0x3270 drivers/usb/gadget/udc/dummy_hcd.c:2004 __run_hrtimer kernel/time/hrtimer.c:1685 [inline] __hrtimer_run_queues+0x398/0x890 kernel/time/hrtimer.c:1749 hrtimer_run_softirq+0x19b/0x260 kernel/time/hrtimer.c:1766 handle_softirqs+0x1d7/0x600 kernel/softirq.c:642 __do_softirq kernel/softirq.c:680 [inline] invoke_softirq kernel/softirq.c:497 [inline] __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:729 irq_exit_rcu+0x9/0x10 kernel/softirq.c:741 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline] sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691 RIP: 0010:stack_trace_consume_entry+0x1/0x290 kernel/stacktrace.c:83 Code: 00 00 00 48 3b 4c 24 78 75 09 48 8d 65 f0 5b 41 5e 5d c3 e8 31 46 98 03 90 90 90 90 90 90 90 90 90 90 90 90 b8 b6 63 6b ad 55 <48> 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 20 48 ba 00 00 00 00 RSP: 0018:ffffc900023af658 EFLAGS: 00000257 RAX: ffffffff8260bdfc RBX: ffffc900023af720 RCX: 0000000000475e00 RDX: ffffc900023afc01 RSI: ffffffff8260bdfc RDI: ffffc900023af720 RBP: ffffc900023af6f0 R08: ffffc900023af730 R09: ffffc900023af728 R10: 0000000000000000 R11: 
fffff52000475ed9 R12: ffff88811aef8000 R13: ffffffff866d3400 R14: ffffffff81620130 R15: ffffc900023af668 stack_trace_save+0xa6/0xf0 kernel/stacktrace.c:122 kasan_save_stack mm/kasan/common.c:46 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:53 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505 ____kasan_kmalloc mm/kasan/common.c:380 [inline] __kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389 kasan_kmalloc include/linux/kasan.h:212 [inline] __do_kmalloc_node mm/slab_common.c:938 [inline] __kmalloc+0xb4/0x1e0 mm/slab_common.c:951 kmalloc include/linux/slab.h:568 [inline] io_alloc_async_data io_uring/io_uring.c:1598 [inline] io_req_prep_async+0x28c/0x6c0 io_uring/io_uring.c:1619 io_queue_sqe_fallback+0x60/0x1b0 io_uring/io_uring.c:1949 io_submit_state_end io_uring/io_uring.c:2205 [inline] io_submit_sqes+0x18eb/0x1ba0 io_uring/io_uring.c:2321 __do_sys_io_uring_enter io_uring/io_uring.c:3430 [inline] __se_sys_io_uring_enter+0x32c/0x1f50 io_uring/io_uring.c:3362 __x64_sys_io_uring_enter+0xe5/0x100 io_uring/io_uring.c:3362 x64_sys_call+0x4b2/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:427 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f4fc639ce59 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f4fc723ff38 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: ffffffffffffffda RBX: 00002000000003c0 RCX: 00007f4fc639ce59 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000009 RBP: 00000000000001e5 R08: 0000000000000000 R09: 0000000000000008 R10: 0000000000000000 R11: 0000000000000246 R12: 0000200000000a80 R13: 0000200000000a88 R14: 00000000000003c9 R15: 0000000000000000 ================================================================================ 
================================================================================ UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30 index 256 is out of range for type 'const int[34]' CPU: 0 PID: 911 Comm: syz.2.147 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: __dump_stack+0x21/0x24 lib/dump_stack.c:88 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106 dump_stack+0x15/0x24 lib/dump_stack.c:113 ubsan_epilogue+0xe/0x40 lib/ubsan.c:151 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282 aiptek_irq+0x1f14/0x29b0 drivers/input/tablet/aiptek.c:763 __usb_hcd_giveback_urb+0x360/0x520 drivers/usb/core/hcd.c:1675 usb_hcd_giveback_urb+0x11f/0x3e0 drivers/usb/core/hcd.c:1758 dummy_timer+0xa25/0x3270 drivers/usb/gadget/udc/dummy_hcd.c:2004 __run_hrtimer kernel/time/hrtimer.c:1685 [inline] __hrtimer_run_queues+0x398/0x890 kernel/time/hrtimer.c:1749 hrtimer_run_softirq+0x19b/0x260 kernel/time/hrtimer.c:1766 handle_softirqs+0x1d7/0x600 kernel/softirq.c:642 __do_softirq kernel/softirq.c:680 [inline] invoke_softirq kernel/softirq.c:497 [inline] __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:729 irq_exit_rcu+0x9/0x10 kernel/softirq.c:741 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline] sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691 RIP: 0010:stack_trace_consume_entry+0x1/0x290 kernel/stacktrace.c:83 Code: 00 00 00 48 3b 4c 24 78 75 09 48 8d 65 f0 5b 41 5e 5d c3 e8 31 46 98 03 90 90 90 90 90 90 90 90 90 90 90 90 b8 b6 63 6b ad 55 <48> 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 20 48 ba 00 00 00 00 RSP: 0018:ffffc900023af658 EFLAGS: 00000257 RAX: ffffffff8260bdfc RBX: ffffc900023af720 RCX: 0000000000475e00 RDX: ffffc900023afc01 RSI: ffffffff8260bdfc RDI: ffffc900023af720 RBP: ffffc900023af6f0 R08: ffffc900023af730 R09: ffffc900023af728 R10: 0000000000000000 R11: 
fffff52000475ed9 R12: ffff88811aef8000 R13: ffffffff866d3400 R14: ffffffff81620130 R15: ffffc900023af668 stack_trace_save+0xa6/0xf0 kernel/stacktrace.c:122 kasan_save_stack mm/kasan/common.c:46 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:53 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505 ____kasan_kmalloc mm/kasan/common.c:380 [inline] __kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389 kasan_kmalloc include/linux/kasan.h:212 [inline] __do_kmalloc_node mm/slab_common.c:938 [inline] __kmalloc+0xb4/0x1e0 mm/slab_common.c:951 kmalloc include/linux/slab.h:568 [inline] io_alloc_async_data io_uring/io_uring.c:1598 [inline] io_req_prep_async+0x28c/0x6c0 io_uring/io_uring.c:1619 io_queue_sqe_fallback+0x60/0x1b0 io_uring/io_uring.c:1949 io_submit_state_end io_uring/io_uring.c:2205 [inline] io_submit_sqes+0x18eb/0x1ba0 io_uring/io_uring.c:2321 __do_sys_io_uring_enter io_uring/io_uring.c:3430 [inline] __se_sys_io_uring_enter+0x32c/0x1f50 io_uring/io_uring.c:3362 __x64_sys_io_uring_enter+0xe5/0x100 io_uring/io_uring.c:3362 x64_sys_call+0x4b2/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:427 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f4fc639ce59 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f4fc723ff38 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: ffffffffffffffda RBX: 00002000000003c0 RCX: 00007f4fc639ce59 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000009 RBP: 00000000000001e5 R08: 0000000000000000 R09: 0000000000000008 R10: 0000000000000000 R11: 0000000000000246 R12: 0000200000000a80 R13: 0000200000000a88 R14: 00000000000003c9 R15: 0000000000000000 ================================================================================ 
================================================================== BUG: KASAN: global-out-of-bounds in aiptek_irq+0x1f32/0x29b0 drivers/input/tablet/aiptek.c:763 Read of size 4 at addr ffffffff85e65740 by task syz.2.147/911 CPU: 0 PID: 911 Comm: syz.2.147 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: __dump_stack+0x21/0x24 lib/dump_stack.c:88 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106 print_address_description+0x71/0x200 mm/kasan/report.c:316 print_report+0x4a/0x60 mm/kasan/report.c:420 kasan_report+0x122/0x150 mm/kasan/report.c:524 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350 aiptek_irq+0x1f32/0x29b0 drivers/input/tablet/aiptek.c:763 __usb_hcd_giveback_urb+0x360/0x520 drivers/usb/core/hcd.c:1675 usb_hcd_giveback_urb+0x11f/0x3e0 drivers/usb/core/hcd.c:1758 dummy_timer+0xa25/0x3270 drivers/usb/gadget/udc/dummy_hcd.c:2004 __run_hrtimer kernel/time/hrtimer.c:1685 [inline] __hrtimer_run_queues+0x398/0x890 kernel/time/hrtimer.c:1749 hrtimer_run_softirq+0x19b/0x260 kernel/time/hrtimer.c:1766 handle_softirqs+0x1d7/0x600 kernel/softirq.c:642 __do_softirq kernel/softirq.c:680 [inline] invoke_softirq kernel/softirq.c:497 [inline] __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:729 irq_exit_rcu+0x9/0x10 kernel/softirq.c:741 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline] sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691 RIP: 0010:stack_trace_consume_entry+0x1/0x290 kernel/stacktrace.c:83 Code: 00 00 00 48 3b 4c 24 78 75 09 48 8d 65 f0 5b 41 5e 5d c3 e8 31 46 98 03 90 90 90 90 90 90 90 90 90 90 90 90 b8 b6 63 6b ad 55 <48> 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 20 48 ba 00 00 00 00 RSP: 0018:ffffc900023af658 EFLAGS: 00000257 RAX: ffffffff8260bdfc RBX: ffffc900023af720 RCX: 0000000000475e00 RDX: ffffc900023afc01 RSI: ffffffff8260bdfc RDI: 
ffffc900023af720 RBP: ffffc900023af6f0 R08: ffffc900023af730 R09: ffffc900023af728 R10: 0000000000000000 R11: fffff52000475ed9 R12: ffff88811aef8000 R13: ffffffff866d3400 R14: ffffffff81620130 R15: ffffc900023af668 stack_trace_save+0xa6/0xf0 kernel/stacktrace.c:122 kasan_save_stack mm/kasan/common.c:46 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:53 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505 ____kasan_kmalloc mm/kasan/common.c:380 [inline] __kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389 kasan_kmalloc include/linux/kasan.h:212 [inline] __do_kmalloc_node mm/slab_common.c:938 [inline] __kmalloc+0xb4/0x1e0 mm/slab_common.c:951 kmalloc include/linux/slab.h:568 [inline] io_alloc_async_data io_uring/io_uring.c:1598 [inline] io_req_prep_async+0x28c/0x6c0 io_uring/io_uring.c:1619 io_queue_sqe_fallback+0x60/0x1b0 io_uring/io_uring.c:1949 io_submit_state_end io_uring/io_uring.c:2205 [inline] io_submit_sqes+0x18eb/0x1ba0 io_uring/io_uring.c:2321 __do_sys_io_uring_enter io_uring/io_uring.c:3430 [inline] __se_sys_io_uring_enter+0x32c/0x1f50 io_uring/io_uring.c:3362 __x64_sys_io_uring_enter+0xe5/0x100 io_uring/io_uring.c:3362 x64_sys_call+0x4b2/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:427 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f4fc639ce59 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f4fc723ff38 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: ffffffffffffffda RBX: 00002000000003c0 RCX: 00007f4fc639ce59 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000009 RBP: 00000000000001e5 R08: 0000000000000000 R09: 0000000000000008 R10: 0000000000000000 R11: 0000000000000246 R12: 0000200000000a80 R13: 0000200000000a88 R14: 00000000000003c9 R15: 0000000000000000 The 
buggy address belongs to the variable: aiptek_ids+0x120/0x160 The buggy address belongs to the physical page: page:ffffea0000179940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5e65 flags: 0x1000(reserved|zone=0) raw: 0000000000001000 ffffea0000179948 ffffea0000179948 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner info is not present (never set?) Memory state around the buggy address: ffffffff85e65600: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff85e65680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff85e65700: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 ^ ffffffff85e65780: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 ffffffff85e65800: 07 f9 f9 f9 00 05 f9 f9 04 f9 f9 f9 00 f9 f9 f9 ================================================================== aiptek 5-1:0.0: aiptek_irq - usb_submit_urb failed with result -19 [Reviewer note: read the three reports above as one bug. The faulting path in each is the USB URB completion — dummy_timer (dummy_hcd) → usb_hcd_giveback_urb → aiptek_irq at aiptek.c:741 and :763 — running in softirq context. The io_uring / __kmalloc / kasan_save_stack frames printed after the "RIP: 0010:stack_trace_consume_entry" line are only the interrupted task's context (the timer interrupt landed while syz.2.147 was recording a KASAN allocation stack) and are not part of the bug. The indices 255 and 256 into the 34-entry 'const int' table are out of range by a wide margin and the KASAN report shows the read landing in the adjacent global aiptek_ids; the values are consistent with an unvalidated byte (and byte+1) from the completed URB's report buffer, i.e. presumably device-supplied data — confirm against the driver source. Since dummy_hcd is an emulated host controller, the same input is reachable from a physical or emulated USB device, so aiptek_irq needs a bounds check against the table size before the lookup. What this report establishes is a 4-byte out-of-bounds read of kernel global data; whether the read value is observable from userspace (e.g. via the input event it feeds) is not shown here.] ---------------- Code disassembly (best guess): 0: 00 00 add %al,(%rax) 2: 00 48 3b add %cl,0x3b(%rax) 5: 4c 24 78 rex.WR and $0x78,%al 8: 75 09 jne 0x13 a: 48 8d 65 f0 lea -0x10(%rbp),%rsp e: 5b pop %rbx f: 41 5e pop %r14 11: 5d pop %rbp 12: c3 ret 13: e8 31 46 98 03 call 0x3984649 18: 90 nop 19: 90 nop 1a: 90 nop 1b: 90 nop 1c: 90 nop 1d: 90 nop 1e: 90 nop 1f: 90 nop 20: 90 nop 21: 90 nop 22: 90 nop 23: 90 nop 24: b8 b6 63 6b ad mov $0xad6b63b6,%eax 29: 55 push %rbp * 2a: 48 89 e5 mov %rsp,%rbp <-- trapping instruction 2d: 41 57 push %r15 2f: 41 56 push %r14 31: 41 55 push %r13 33: 41 54 push %r12 35: 53 push %rbx 36: 48 83 ec 20 sub $0x20,%rsp 3a: 48 rex.W 3b: ba 00 00 00 00 mov $0x0,%edx