================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 1023 is out of range for type 'const int[34]'
CPU: 1 PID: 9932 Comm: syz.3.3183 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x24 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 dump_stack+0x15/0x24 lib/dump_stack.c:113
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:151
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
 aiptek_irq+0x2045/0x29b0 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x360/0x520 drivers/usb/core/hcd.c:1675
 usb_hcd_giveback_urb+0x11f/0x3e0 drivers/usb/core/hcd.c:1758
 dummy_timer+0xa25/0x3270 drivers/usb/gadget/udc/dummy_hcd.c:2004
 __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
 __hrtimer_run_queues+0x398/0x890 kernel/time/hrtimer.c:1749
 hrtimer_run_softirq+0x19b/0x260 kernel/time/hrtimer.c:1766
 handle_softirqs+0x1d7/0x600 kernel/softirq.c:642
 __do_softirq kernel/softirq.c:680 [inline]
 invoke_softirq kernel/softirq.c:497 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:729
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:741
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
 sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:ptep_clear_flush+0x1/0x150 mm/pgtable-generic.c:94
Code: c3 e8 d3 04 c2 ff eb 8b e8 fc d6 4a 03 00 00 cc cc 00 00 cc cc 00 00 cc cc 90 90 90 90 90 90 90 90 90 90 90 b8 b7 02 59 c1 55 <48> 89 e5 41 57 41 56 41 55 41 54 53 50 49 89 d5 48 89 75 d0 49 89
RSP: 0000:ffffc9000622fa50 EFLAGS: 00000246
RAX: 1ffff92000c45fb7 RBX: ffffc9000622fdb8 RCX: ffff888114643cc0
RDX: ffff88814e53f060 RSI: 00007f3b8140c000 RDI: ffff88813a02ad68
RBP: ffffc9000622fbf8 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000c45f3c R12: dffffc0000000000
R13: 800000013f0b1067 R14: 00007f3b8140c000 R15: ffff88814f660500
 do_wp_page+0x9b5/0xf70 mm/memory.c:-1
 handle_pte_fault mm/memory.c:5201 [inline]
 __handle_mm_fault mm/memory.c:5325 [inline]
 handle_mm_fault+0x114f/0x26b0 mm/memory.c:5465
 do_user_addr_fault+0x900/0x1030 arch/x86/mm/fault.c:1321
 handle_page_fault arch/x86/mm/fault.c:1464 [inline]
 exc_page_fault+0x51/0xb0 arch/x86/mm/fault.c:1517
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:608
RIP: 0033:0x7f3b810507fc
Code: 23 83 c0 01 44 39 d0 75 dc 48 89 f0 25 ff 1f 00 00 49 89 34 c1 41 88 3c 00 31 c0 c3 66 90 41 38 3c 10 74 0b 41 88 3c 10 31 c0 <49> 89 34 d1 c3 b8 01 00 00 00 c3 66 0f 1f 84 00 00 00 00 00 48 83
RSP: 002b:00007ffe0e2cec88 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffff823df489 RCX: 0000000000000000
RDX: 0000000000001489 RSI: ffffffff823df489 RDI: 0000000000000000
RBP: 0000000000000000 R08: 00007f3b81400000 R09: 00007f3b81402000
R10: 00000000823df48d R11: 0000000000000000 R12: 00007f3b81416038
R13: 0000000000000011 R14: ffffffff823df4e0 R15: 00007f3b81f45720
 </TASK>
================================================================================
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
index 1024 is out of range for type 'const int[34]'
CPU: 1 PID: 9932 Comm: syz.3.3183 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x24 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 dump_stack+0x15/0x24 lib/dump_stack.c:113
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:151
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
 aiptek_irq+0x1f14/0x29b0 drivers/input/tablet/aiptek.c:763
 __usb_hcd_giveback_urb+0x360/0x520 drivers/usb/core/hcd.c:1675
 usb_hcd_giveback_urb+0x11f/0x3e0 drivers/usb/core/hcd.c:1758
 dummy_timer+0xa25/0x3270 drivers/usb/gadget/udc/dummy_hcd.c:2004
 __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
 __hrtimer_run_queues+0x398/0x890 kernel/time/hrtimer.c:1749
 hrtimer_run_softirq+0x19b/0x260 kernel/time/hrtimer.c:1766
 handle_softirqs+0x1d7/0x600 kernel/softirq.c:642
 __do_softirq kernel/softirq.c:680 [inline]
 invoke_softirq kernel/softirq.c:497 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:729
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:741
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
 sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:ptep_clear_flush+0x1/0x150 mm/pgtable-generic.c:94
Code: c3 e8 d3 04 c2 ff eb 8b e8 fc d6 4a 03 00 00 cc cc 00 00 cc cc 00 00 cc cc 90 90 90 90 90 90 90 90 90 90 90 b8 b7 02 59 c1 55 <48> 89 e5 41 57 41 56 41 55 41 54 53 50 49 89 d5 48 89 75 d0 49 89
RSP: 0000:ffffc9000622fa50 EFLAGS: 00000246
RAX: 1ffff92000c45fb7 RBX: ffffc9000622fdb8 RCX: ffff888114643cc0
RDX: ffff88814e53f060 RSI: 00007f3b8140c000 RDI: ffff88813a02ad68
RBP: ffffc9000622fbf8 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000c45f3c R12: dffffc0000000000
R13: 800000013f0b1067 R14: 00007f3b8140c000 R15: ffff88814f660500
 do_wp_page+0x9b5/0xf70 mm/memory.c:-1
 handle_pte_fault mm/memory.c:5201 [inline]
 __handle_mm_fault mm/memory.c:5325 [inline]
 handle_mm_fault+0x114f/0x26b0 mm/memory.c:5465
 do_user_addr_fault+0x900/0x1030 arch/x86/mm/fault.c:1321
 handle_page_fault arch/x86/mm/fault.c:1464 [inline]
 exc_page_fault+0x51/0xb0 arch/x86/mm/fault.c:1517
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:608
RIP: 0033:0x7f3b810507fc
Code: 23 83 c0 01 44 39 d0 75 dc 48 89 f0 25 ff 1f 00 00 49 89 34 c1 41 88 3c 00 31 c0 c3 66 90 41 38 3c 10 74 0b 41 88 3c 10 31 c0 <49> 89 34 d1 c3 b8 01 00 00 00 c3 66 0f 1f 84 00 00 00 00 00 48 83
RSP: 002b:00007ffe0e2cec88 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffff823df489 RCX: 0000000000000000
RDX: 0000000000001489 RSI: ffffffff823df489 RDI: 0000000000000000
RBP: 0000000000000000 R08: 00007f3b81400000 R09: 00007f3b81402000
R10: 00000000823df48d R11: 0000000000000000 R12: 00007f3b81416038
R13: 0000000000000011 R14: ffffffff823df4e0 R15: 00007f3b81f45720
 </TASK>
================================================================================
aiptek 9-1:0.0: aiptek_irq - usb_submit_urb failed with result -19
----------------
Code disassembly (best guess):
   0:	c3                   	ret
   1:	e8 d3 04 c2 ff       	call   0xffc204d9
   6:	eb 8b                	jmp    0xffffff93
   8:	e8 fc d6 4a 03       	call   0x34ad709
   d:	00 00                	add    %al,(%rax)
   f:	cc                   	int3
  10:	cc                   	int3
  11:	00 00                	add    %al,(%rax)
  13:	cc                   	int3
  14:	cc                   	int3
  15:	00 00                	add    %al,(%rax)
  17:	cc                   	int3
  18:	cc                   	int3
  19:	90                   	nop
  1a:	90                   	nop
  1b:	90                   	nop
  1c:	90                   	nop
  1d:	90                   	nop
  1e:	90                   	nop
  1f:	90                   	nop
  20:	90                   	nop
  21:	90                   	nop
  22:	90                   	nop
  23:	90                   	nop
  24:	b8 b7 02 59 c1       	mov    $0xc15902b7,%eax
  29:	55                   	push   %rbp
* 2a:	48 89 e5             	mov    %rsp,%rbp <-- trapping instruction
  2d:	41 57                	push   %r15
  2f:	41 56                	push   %r14
  31:	41 55                	push   %r13
  33:	41 54                	push   %r12
  35:	53                   	push   %rbx
  36:	50                   	push   %rax
  37:	49 89 d5             	mov    %rdx,%r13
  3a:	48 89 75 d0          	mov    %rsi,-0x30(%rbp)
  3e:	49                   	rex.WB
  3f:	89                   	.byte 0x89