================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 547 is out of range for type 'const int[34]'
CPU: 0 PID: 6334 Comm: kworker/u4:26 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: bat_events batadv_nc_worker
Call Trace:
 <IRQ>
 dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
 ubsan_epilogue+0xa/0x30 lib/ubsan.c:217
 __ubsan_handle_out_of_bounds+0xe3/0xf0 lib/ubsan.c:348
 aiptek_irq+0x1ea9/0x28f0 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x35f/0x520 drivers/usb/core/hcd.c:1650
 dummy_timer+0x8de/0x3320 drivers/usb/gadget/udc/dummy_hcd.c:2003
 __run_hrtimer kernel/time/hrtimer.c:1754 [inline]
 __hrtimer_run_queues+0x520/0xc40 kernel/time/hrtimer.c:1818
 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1835
 handle_softirqs+0x280/0x820 kernel/softirq.c:578
 __do_softirq kernel/softirq.c:612 [inline]
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xd3/0x190 kernel/softirq.c:661
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:lock_release+0x15/0x8c0 kernel/locking/lockdep.c:5762
Code: fa ff ff bb 2f 00 00 00 e9 24 fa ff ff 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 <48> 81 ec e0 00 00 00 49 89 f4 48 89 7c 24 18 65 48 8b 04 25 28 00
RSP: 0018:ffffc9000c037b20 EFLAGS: 00000282
RAX: 0000000000000000 RBX: ffff888078ab10c0 RCX: ffff88807a389e00
RDX: 0000000000000000 RSI: ffffffff8a4faf52 RDI: ffffffff8d132160
RBP: ffffc9000c037b50 R08: dffffc0000000000 R09: 1ffffffff2239aa0
R10: dffffc0000000000 R11: fffffbfff2239aa1 R12: dffffc0000000000
R13: ffffffff8a4faf52 R14: ffff888077550d00 R15: 000000000000011a
 rcu_lock_release include/linux/rcupdate.h:344 [inline]
 rcu_read_unlock include/linux/rcupdate.h:819 [inline]
 batadv_nc_purge_orig_hash net/batman-adv/network-coding.c:412 [inline]
 batadv_nc_worker+0x291/0x610 net/batman-adv/network-coding.c:719
 process_one_work kernel/workqueue.c:2653 [inline]
 process_scheduled_works+0xa5d/0x15d0 kernel/workqueue.c:2730
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2811
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>
================================================================================
----------------
Code disassembly (best guess), 3 bytes skipped:
   0:	bb 2f 00 00 00       	mov    $0x2f,%ebx
   5:	e9 24 fa ff ff       	jmp    0xfffffa2e
   a:	0f 1f 84 00 00 00 00 	nopl   0x0(%rax,%rax,1)
  11:	00
  12:	f3 0f 1e fa          	endbr64
  16:	55                   	push   %rbp
  17:	48 89 e5             	mov    %rsp,%rbp
  1a:	41 57                	push   %r15
  1c:	41 56                	push   %r14
  1e:	41 55                	push   %r13
  20:	41 54                	push   %r12
  22:	53                   	push   %rbx
  23:	48 83 e4 e0          	and    $0xffffffffffffffe0,%rsp
* 27:	48 81 ec e0 00 00 00 	sub    $0xe0,%rsp <-- trapping instruction
  2e:	49 89 f4             	mov    %rsi,%r12
  31:	48 89 7c 24 18       	mov    %rdi,0x18(%rsp)
  36:	65                   	gs
  37:	48                   	rex.W
  38:	8b                   	.byte 0x8b
  39:	04 25                	add    $0x25,%al
  3b:	28 00                	sub    %al,(%rax)