================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 547 is out of range for type 'const int[34]'
CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: usb_hub_wq hub_event
Call Trace:
 <IRQ>
 dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
 ubsan_epilogue+0xa/0x30 lib/ubsan.c:217
 __ubsan_handle_out_of_bounds+0xe3/0xf0 lib/ubsan.c:348
 aiptek_irq+0x1ea9/0x28f0 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x35f/0x520 drivers/usb/core/hcd.c:1650
 dummy_timer+0x8de/0x3320 drivers/usb/gadget/udc/dummy_hcd.c:2003
 __run_hrtimer kernel/time/hrtimer.c:1754 [inline]
 __hrtimer_run_queues+0x520/0xc40 kernel/time/hrtimer.c:1818
 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1835
 handle_softirqs+0x280/0x820 kernel/softirq.c:578
 __do_softirq kernel/softirq.c:612 [inline]
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xd3/0x190 kernel/softirq.c:661
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:sk_filter_trim_cap+0x0/0x900 net/core/filter.c:127
Code: d9 80 e1 07 fe c1 38 c1 0f 8c 6e ff ff ff 48 89 df e8 04 b9 5b f9 e9 61 ff ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <f3> 0f 1e fa 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48
RSP: 0018:ffffc900000e6a18 EFLAGS: 00000287
RAX: ffffffff88b54269 RBX: ffff88807e3c1000 RCX: 0000000000100000
RDX: 0000000000000001 RSI: ffff888025c28280 RDI: ffff88807e3c1000
RBP: 0000000000000000 R08: ffff88805d2135a3 R09: 1ffff1100ba426b4
R10: dffffc0000000000 R11: ffffed100ba426b5 R12: dffffc0000000000
R13: ffffffff9769c4d8 R14: 0000000000000002 R15: ffff888025c28280
 sk_filter include/linux/filter.h:888 [inline]
 do_one_broadcast net/netlink/af_netlink.c:1482 [inline]
 netlink_broadcast_filtered+0x6f4/0x1110 net/netlink/af_netlink.c:1536
 netlink_broadcast+0x37/0x50 net/netlink/af_netlink.c:1560
 uevent_net_broadcast_untagged lib/kobject_uevent.c:331 [inline]
 kobject_uevent_net_broadcast+0x364/0x530 lib/kobject_uevent.c:409
 kobject_uevent_env+0x550/0x8b0 lib/kobject_uevent.c:608
 device_add+0x5e8/0xc50 drivers/base/core.c:3666
 cdev_device_add+0x1d6/0x390 fs/char_dev.c:556
 mousedev_create+0x547/0x680 drivers/input/mousedev.c:907
 mousedev_connect+0x26/0x3a0 drivers/input/mousedev.c:981
 input_attach_handler drivers/input/input.c:1064 [inline]
 input_register_device+0xcdc/0x1070 drivers/input/input.c:2470
 aiptek_probe+0x14f7/0x1b70 drivers/input/tablet/aiptek.c:1845
 usb_probe_interface+0x5c9/0xb20 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x25b/0xb20 drivers/base/dd.c:718
 __driver_probe_device+0x1ef/0x390 drivers/base/dd.c:880
 driver_probe_device+0x4f/0x420 drivers/base/dd.c:910
 __device_attach_driver+0x2ca/0x510 drivers/base/dd.c:1038
 bus_for_each_drv+0x252/0x2e0 drivers/base/bus.c:459
 __device_attach+0x2c2/0x420 drivers/base/dd.c:1110
 bus_probe_device+0x180/0x260 drivers/base/bus.c:573
 device_add+0x88e/0xc50 drivers/base/core.c:3700
 usb_set_configuration+0x1a79/0x20c0 drivers/usb/core/message.c:2265
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:238
 usb_probe_device+0x13d/0x270 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x25b/0xb20 drivers/base/dd.c:718
 __driver_probe_device+0x1ef/0x390 drivers/base/dd.c:880
 driver_probe_device+0x4f/0x420 drivers/base/dd.c:910
 __device_attach_driver+0x2ca/0x510 drivers/base/dd.c:1038
 bus_for_each_drv+0x252/0x2e0 drivers/base/bus.c:459
 __device_attach+0x2c2/0x420 drivers/base/dd.c:1110
 bus_probe_device+0x180/0x260 drivers/base/bus.c:573
 device_add+0x88e/0xc50 drivers/base/core.c:3700
 usb_new_device+0xa3c/0x1660 drivers/usb/core/hub.c:2660
 hub_port_connect drivers/usb/core/hub.c:5529 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5669 [inline]
 port_event drivers/usb/core/hub.c:5833 [inline]
 hub_event+0x29bf/0x49f0 drivers/usb/core/hub.c:5915
 process_one_work kernel/workqueue.c:2653 [inline]
 process_scheduled_works+0xa5d/0x15d0 kernel/workqueue.c:2730
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2811
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>
================================================================================
----------------
Code disassembly (best guess):
   0:	d9 80 e1 07 fe c1    	flds   -0x3e01f81f(%rax)
   6:	38 c1                	cmp    %al,%cl
   8:	0f 8c 6e ff ff ff    	jl     0xffffff7c
   e:	48 89 df             	mov    %rbx,%rdi
  11:	e8 04 b9 5b f9       	call   0xf95bb91a
  16:	e9 61 ff ff ff       	jmp    0xffffff7c
  1b:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  22:	00 00 00
  25:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
* 2a:	f3 0f 1e fa          	endbr64 <-- trapping instruction
  2e:	55                   	push   %rbp
  2f:	48 89 e5             	mov    %rsp,%rbp
  32:	41 57                	push   %r15
  34:	41 56                	push   %r14
  36:	41 55                	push   %r13
  38:	41 54                	push   %r12
  3a:	53                   	push   %rbx
  3b:	48 83 e4 e0          	and    $0xffffffffffffffe0,%rsp
  3f:	48                   	rex.W