Extracting prog: 3m40.400194285s
Minimizing prog: 13m29.340533638s
Simplifying prog options: 1m21.466607798s
Extracting C: 42.75385639s
Simplifying C: 2m50.114006357s


extracting reproducer from 30 programs
testing a last program of every proc
single: executing 5 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io$rtl8150-syz_usb_control_io$lan78xx-syz_usb_control_io$hid-syz_usb_control_io$rtl8150-syz_usb_control_io$lan78xx-syz_usb_control_io$cdc_ncm-syz_usb_control_io$cdc_ecm-syz_usb_control_io$cdc_ecm-syz_usb_control_io$uac2-syz_usb_control_io$uac2-syz_usb_control_io$lan78xx-syz_usb_control_io$printer-syz_usb_control_io-syz_usb_control_io$uac1
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x2, 0x24, &(0x7f0000000180)=ANY=[@ANYBLOB="120100001d9167204f17316a3f26010203010902120001000000000904"], 0x0)
syz_usb_control_io$rtl8150(r0, 0x0, 0x0)
syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io$rtl8150(r0, 0x0, 0x0)
syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, 0x0)
syz_usb_control_io$uac2(r0, 0x0, 0x0)
syz_usb_control_io$uac2(r0, 0x0, 0x0)
syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io-syz_open_dev$hidraw-ioctl$HIDIOCSFEATURE-syz_open_dev$hidraw
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x1, 0x36, &(0x7f00000002c0)=ANY=[@ANYBLOB="1201000000000008700cb6f000000000000109022400010000000009040000010300020009210000000122070009058103"], 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000400)={0x2c, &(0x7f0000000280)={0x0, 0x21, 0x7, {0x7, 0x0, "3d7da32915"}}, 0x0, 0x0, 0x0, 0x0}, 0x0)
r1 = syz_open_dev$hidraw(&(0x7f0000000000), 0x64, 0x100)
ioctl$HIDIOCSFEATURE(r1, 0xc0404806, 0x0)
syz_open_dev$hidraw(&(0x7f0000000080), 0x0, 0x4002)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f00000000c0)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x8, 0x5ac, 0x8240, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x80, 0xb, "", [{{0x9, 0x4, 0x0, 0x2, 0x1, 0x3, 0x0, 0x1, 0x0, {0x9, 0x21, 0x7ffd, 0x0, 0x1, {0x22, 0x1e3}}, {{{0x9, 0x5, 0x81, 0x3, 0x400, 0x5, 0xa, 0x70}}}}}]}}]}}, 0x0)
syz_usb_connect$hid(0x2, 0x0, 0x0, &(0x7f0000000540)={0x0, 0x0, 0x1c, &(0x7f0000000200)={0x5, 0xf, 0x1c, 0x2, [@wireless={0xb, 0x10, 0x1, 0x8, 0x84, 0x2b, 0x4, 0x457, 0x20}, @ssp_cap={0xc, 0x10, 0xa, 0x2, 0x0, 0x10001, 0x0, 0x6}]}})
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000040)={0x24, 0x0, 0x0, 0x0, &(0x7f00000001c0)={0x0, 0x22, 0x371, {0x9}}}, &(0x7f0000000080)={0xffffffffffffffeb, 0x0, 0x0, 0x0, 0x0, 0x0})

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000001180)=ANY=[@ANYBLOB="12010000090003206d0414c34000ffff000109022400010400a000090400000103010100093700086ce82201000905815f"], 0x0)
syz_usb_control_io$hid(r0, &(0x7f00000001c0)={0x14, &(0x7f0000000dc0)=ANY=[@ANYBLOB="00020c0000000c0002"], 0x0, 0x0, 0x0}, 0x0)
syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000080)={0x7b, &(0x7f00000000c0)=ANY=[], 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, &(0x7f0000000900)={0x84, 0x0, 0x0, 0x0, &(0x7f0000000500)={0x20, 0x0, 0x68}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io(r0, 0x0, &(0x7f00000006c0)={0x84, 0x0, 0x0, 0x0, &(0x7f00000005c0)={0x20, 0x0, 0x4, {0x5}}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000640)={0x18, &(0x7f0000000380)={0x40, 0x6, 0x5, "361ff0214c"}, 0x0, 0x0, 0x0, 0x0})

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa7, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x95, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x9, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5, "b3"}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
single: successfully extracted reproducer
found reproducer with 8 syscalls
minimizing guilty program
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa7, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x95, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x9, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5, "b3"}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa7, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x95, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x9, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5, "b3"}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa7, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x95, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x9, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5, "b3"}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa7, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x95, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x9, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5, "b3"}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
syz_usb_control_io(0xffffffffffffffff, 0x0, 0x0)
syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0)
syz_usb_control_io(0xffffffffffffffff, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa7, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x95, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x9, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5, "b3"}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa7, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x95, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x9, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5, "b3"}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
syz_usb_disconnect(0xffffffffffffffff)
r0 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa7, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x95, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x9, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5, "b3"}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(0xffffffffffffffff, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, 0x0, 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa7, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x95, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x9, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5, "b3"}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa7, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x95, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x9, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5, "b3"}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa7, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x95, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x9, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5, "b3"}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa7, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x95, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x9, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5, "b3"}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0x0, 0x0, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0x80, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6e, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa6, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x94, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x8, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa0, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x8e, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x8, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa6, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x94, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x8, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0x0, 0x0)

program did not crash
testing program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa6, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x94, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x8, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0x0, &(0x7f0000000100))

program did not crash
extracting C reproducer
testing compiled C program (duration=37.804375707s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
program did not crash
simplifying guilty program options
testing program (duration=37.804375707s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa6, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x94, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x8, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
extracting C reproducer
testing compiled C program (duration=37.804375707s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
simplifying C reproducer
testing compiled C program (duration=37.804375707s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
testing compiled C program (duration=37.804375707s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
testing compiled C program (duration=37.804375707s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
testing compiled C program (duration=37.804375707s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
testing compiled C program (duration=37.804375707s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
testing program (duration=37.804375707s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa6, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x94, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x8, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
validation run: crashed=true
testing program (duration=37.804375707s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa6, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x94, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x8, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
validation run: crashed=true
testing program (duration=37.804375707s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_connect$uac3-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120110010000004058040350"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_connect$uac3(0x5, 0xa6, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0xe41, 0x4242, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x94, 0x3, 0x1, 0x48, 0x80, 0x5, {0x8, 0xb, 0x1, 0x1, 0x1, 0x24, 0x30, 0x80}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x30, 0x0, {{0xa, 0x24, 0x1, 0xb, 0xa, 0xab}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {[@format_type_i_discrete={0xe, 0x24, 0x2, 0x1, 0x9, 0x4, 0xe3, 0xf, "97b5c782d871"}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x4, 0x1, 0x4, 0x9}, @format_type_i_descriptor={0x6, 0x24, 0x2, 0x1, 0x1, 0x5}, @format_type_i_continuous={0x8, 0x24, 0x2, 0x1, 0xc, 0x4, 0x9, 0x5}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0xf, 0x40, 0x40, {0xa, 0x25, 0x25, 0x6, 0x81, 0xd6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x30, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x20, 0x7, 0x9, 0x4, {0xa, 0x25, 0x25, 0x0, 0x3, 0x10}}}}}}}}]}}, 0x0)
syz_usb_ep_write(r0, 0x81, 0xffffffffffffff6d, &(0x7f0000000100)="019a18370cfb661ba08c228ce6ca19b6a99a071ca34c72c891f8a260fa00000080977dae8d64a30e92cd51117c4a71e26518e804c00058e6c7c0c363027251668bb650d90000000000")

program crashed: UBSAN: array-index-out-of-bounds in aiptek_irq
validation run: crashed=true
reproducing took 24m6.473451027s
repro crashed as (corrupted=false):
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 547 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x30 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 dump_stack+0x15/0x20 lib/dump_stack.c:113
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:151
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
 aiptek_irq+0x208d/0x29b0 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1751
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1998
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1459
 expire_timers kernel/time/timer.c:1504 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1775
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1788
 handle_softirqs+0x250/0x560 kernel/softirq.c:583
 __do_softirq kernel/softirq.c:621 [inline]
 invoke_softirq kernel/softirq.c:443 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:670
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:682
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:730
Code: ff 4c 89 f7 e8 a2 a1 f4 fc e9 3d ff ff ff 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 55 48 89 e5 66 90 0f 00 2d e3 a1 50 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90000157db8 EFLAGS: 00000246
RAX: 0000000000004ce4 RBX: ffff88810030bb40 RCX: 0000000000004ce4
RDX: 0000000000000001 RSI: ffffffff8563ad60 RDI: ffffffff8563ad20
RBP: ffffc90000157db8 R08: ffff8881f7138c73 R09: 1ffff1103ee2718e
R10: dffffc0000000000 R11: ffffed103ee2718f R12: 0000000000000000
R13: 1ffff11020061768 R14: dffffc0000000000 R15: dffffc0000000000
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:721
 default_idle_call+0x71/0x1d0 kernel/sched/idle.c:112
 cpuidle_idle_call kernel/sched/idle.c:202 [inline]
 do_idle+0x217/0x620 kernel/sched/idle.c:326
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:424
 start_secondary+0x2e6/0x3a0 arch/x86/kernel/smpboot.c:281
 secondary_startup_64_no_verify+0xb1/0xbb
 </TASK>
================================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in aiptek_irq+0x20ab/0x29b0 drivers/input/tablet/aiptek.c:741
Read of size 4 at addr ffffffff857f35ec by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x30 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0xf1/0x140 mm/kasan/report.c:444
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 aiptek_irq+0x20ab/0x29b0 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1751
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1998
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1459
 expire_timers kernel/time/timer.c:1504 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1775
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1788
 handle_softirqs+0x250/0x560 kernel/softirq.c:583
 __do_softirq kernel/softirq.c:621 [inline]
 invoke_softirq kernel/softirq.c:443 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:670
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:682
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:730
Code: ff 4c 89 f7 e8 a2 a1 f4 fc e9 3d ff ff ff 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 55 48 89 e5 66 90 0f 00 2d e3 a1 50 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90000157db8 EFLAGS: 00000246
RAX: 0000000000004ce4 RBX: ffff88810030bb40 RCX: 0000000000004ce4
RDX: 0000000000000001 RSI: ffffffff8563ad60 RDI: ffffffff8563ad20
RBP: ffffc90000157db8 R08: ffff8881f7138c73 R09: 1ffff1103ee2718e
R10: dffffc0000000000 R11: ffffed103ee2718f R12: 0000000000000000
R13: 1ffff11020061768 R14: dffffc0000000000 R15: dffffc0000000000
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:721
 default_idle_call+0x71/0x1d0 kernel/sched/idle.c:112
 cpuidle_idle_call kernel/sched/idle.c:202 [inline]
 do_idle+0x217/0x620 kernel/sched/idle.c:326
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:424
 start_secondary+0x2e6/0x3a0 arch/x86/kernel/smpboot.c:281
 secondary_startup_64_no_verify+0xb1/0xbb
 </TASK>

The buggy address belongs to the variable:
 .str.60+0xc/0x20

Memory state around the buggy address:
 ffffffff857f3480: f9 f9 f9 f9 06 f9 f9 f9 00 01 f9 f9 04 f9 f9 f9
 ffffffff857f3500: 00 f9 f9 f9 06 f9 f9 f9 07 f9 f9 f9 06 f9 f9 f9
>ffffffff857f3580: 00 04 f9 f9 05 f9 f9 f9 00 03 f9 f9 00 03 f9 f9
                                                          ^
 ffffffff857f3600: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
 ffffffff857f3680: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 01 f9 f9 f9
==================================================================
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
index 548 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G    B             syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x30 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 dump_stack+0x15/0x20 lib/dump_stack.c:113
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:151
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
 aiptek_irq+0x1f6d/0x29b0 drivers/input/tablet/aiptek.c:763
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1751
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1998
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1459
 expire_timers kernel/time/timer.c:1504 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1775
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1788
 handle_softirqs+0x250/0x560 kernel/softirq.c:583
 __do_softirq kernel/softirq.c:621 [inline]
 invoke_softirq kernel/softirq.c:443 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:670
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:682
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:730
Code: ff 4c 89 f7 e8 a2 a1 f4 fc e9 3d ff ff ff 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 55 48 89 e5 66 90 0f 00 2d e3 a1 50 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90000157db8 EFLAGS: 00000246
RAX: 0000000000004ce4 RBX: ffff88810030bb40 RCX: 0000000000004ce4
RDX: 0000000000000001 RSI: ffffffff8563ad60 RDI: ffffffff8563ad20
RBP: ffffc90000157db8 R08: ffff8881f7138c73 R09: 1ffff1103ee2718e
R10: dffffc0000000000 R11: ffffed103ee2718f R12: 0000000000000000
R13: 1ffff11020061768 R14: dffffc0000000000 R15: dffffc0000000000
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:721
 default_idle_call+0x71/0x1d0 kernel/sched/idle.c:112
 cpuidle_idle_call kernel/sched/idle.c:202 [inline]
 do_idle+0x217/0x620 kernel/sched/idle.c:326
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:424
 start_secondary+0x2e6/0x3a0 arch/x86/kernel/smpboot.c:281
 secondary_startup_64_no_verify+0xb1/0xbb
 </TASK>
================================================================================
----------------
Code disassembly (best guess):
   0:	ff 4c 89 f7          	decl   -0x9(%rcx,%rcx,4)
   4:	e8 a2 a1 f4 fc       	call   0xfcf4a1ab
   9:	e9 3d ff ff ff       	jmp    0xffffff4b
   e:	00 00                	add    %al,(%rax)
  10:	cc                   	int3
  11:	cc                   	int3
  12:	00 00                	add    %al,(%rax)
  14:	cc                   	int3
  15:	cc                   	int3
  16:	00 00                	add    %al,(%rax)
  18:	cc                   	int3
  19:	cc                   	int3
  1a:	00 55 48             	add    %dl,0x48(%rbp)
  1d:	89 e5                	mov    %esp,%ebp
  1f:	66 90                	xchg   %ax,%ax
  21:	0f 00 2d e3 a1 50 00 	verw   0x50a1e3(%rip)        # 0x50a20b
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	5d                   	pop    %rbp <-- trapping instruction
  2b:	c3                   	ret
  2c:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  33:	00 00 00
  36:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  3b:	55                   	push   %rbp
  3c:	48 89 e5             	mov    %rsp,%rbp
  3f:	41                   	rex.B

final repro crashed as (corrupted=false):
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 547 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x30 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 dump_stack+0x15/0x20 lib/dump_stack.c:113
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:151
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
 aiptek_irq+0x208d/0x29b0 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1751
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1998
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1459
 expire_timers kernel/time/timer.c:1504 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1775
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1788
 handle_softirqs+0x250/0x560 kernel/softirq.c:583
 __do_softirq kernel/softirq.c:621 [inline]
 invoke_softirq kernel/softirq.c:443 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:670
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:682
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:730
Code: ff 4c 89 f7 e8 a2 a1 f4 fc e9 3d ff ff ff 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 55 48 89 e5 66 90 0f 00 2d e3 a1 50 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90000157db8 EFLAGS: 00000246
RAX: 0000000000004ce4 RBX: ffff88810030bb40 RCX: 0000000000004ce4
RDX: 0000000000000001 RSI: ffffffff8563ad60 RDI: ffffffff8563ad20
RBP: ffffc90000157db8 R08: ffff8881f7138c73 R09: 1ffff1103ee2718e
R10: dffffc0000000000 R11: ffffed103ee2718f R12: 0000000000000000
R13: 1ffff11020061768 R14: dffffc0000000000 R15: dffffc0000000000
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:721
 default_idle_call+0x71/0x1d0 kernel/sched/idle.c:112
 cpuidle_idle_call kernel/sched/idle.c:202 [inline]
 do_idle+0x217/0x620 kernel/sched/idle.c:326
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:424
 start_secondary+0x2e6/0x3a0 arch/x86/kernel/smpboot.c:281
 secondary_startup_64_no_verify+0xb1/0xbb
 </TASK>
================================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in aiptek_irq+0x20ab/0x29b0 drivers/input/tablet/aiptek.c:741
Read of size 4 at addr ffffffff857f35ec by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x30 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0xf1/0x140 mm/kasan/report.c:444
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 aiptek_irq+0x20ab/0x29b0 drivers/input/tablet/aiptek.c:741
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1751
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1998
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1459
 expire_timers kernel/time/timer.c:1504 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1775
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1788
 handle_softirqs+0x250/0x560 kernel/softirq.c:583
 __do_softirq kernel/softirq.c:621 [inline]
 invoke_softirq kernel/softirq.c:443 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:670
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:682
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:730
Code: ff 4c 89 f7 e8 a2 a1 f4 fc e9 3d ff ff ff 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 55 48 89 e5 66 90 0f 00 2d e3 a1 50 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90000157db8 EFLAGS: 00000246
RAX: 0000000000004ce4 RBX: ffff88810030bb40 RCX: 0000000000004ce4
RDX: 0000000000000001 RSI: ffffffff8563ad60 RDI: ffffffff8563ad20
RBP: ffffc90000157db8 R08: ffff8881f7138c73 R09: 1ffff1103ee2718e
R10: dffffc0000000000 R11: ffffed103ee2718f R12: 0000000000000000
R13: 1ffff11020061768 R14: dffffc0000000000 R15: dffffc0000000000
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:721
 default_idle_call+0x71/0x1d0 kernel/sched/idle.c:112
 cpuidle_idle_call kernel/sched/idle.c:202 [inline]
 do_idle+0x217/0x620 kernel/sched/idle.c:326
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:424
 start_secondary+0x2e6/0x3a0 arch/x86/kernel/smpboot.c:281
 secondary_startup_64_no_verify+0xb1/0xbb
 </TASK>

The buggy address belongs to the variable:
 .str.60+0xc/0x20

Memory state around the buggy address:
 ffffffff857f3480: f9 f9 f9 f9 06 f9 f9 f9 00 01 f9 f9 04 f9 f9 f9
 ffffffff857f3500: 00 f9 f9 f9 06 f9 f9 f9 07 f9 f9 f9 06 f9 f9 f9
>ffffffff857f3580: 00 04 f9 f9 05 f9 f9 f9 00 03 f9 f9 00 03 f9 f9
                                                          ^
 ffffffff857f3600: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
 ffffffff857f3680: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 01 f9 f9 f9
==================================================================
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
index 548 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G    B             syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x30 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 dump_stack+0x15/0x20 lib/dump_stack.c:113
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:151
 __ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
 aiptek_irq+0x1f6d/0x29b0 drivers/input/tablet/aiptek.c:763
 __usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1751
 dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1998
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1459
 expire_timers kernel/time/timer.c:1504 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1775
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1788
 handle_softirqs+0x250/0x560 kernel/softirq.c:583
 __do_softirq kernel/softirq.c:621 [inline]
 invoke_softirq kernel/softirq.c:443 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:670
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:682
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:730
Code: ff 4c 89 f7 e8 a2 a1 f4 fc e9 3d ff ff ff 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 55 48 89 e5 66 90 0f 00 2d e3 a1 50 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90000157db8 EFLAGS: 00000246
RAX: 0000000000004ce4 RBX: ffff88810030bb40 RCX: 0000000000004ce4
RDX: 0000000000000001 RSI: ffffffff8563ad60 RDI: ffffffff8563ad20
RBP: ffffc90000157db8 R08: ffff8881f7138c73 R09: 1ffff1103ee2718e
R10: dffffc0000000000 R11: ffffed103ee2718f R12: 0000000000000000
R13: 1ffff11020061768 R14: dffffc0000000000 R15: dffffc0000000000
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:721
 default_idle_call+0x71/0x1d0 kernel/sched/idle.c:112
 cpuidle_idle_call kernel/sched/idle.c:202 [inline]
 do_idle+0x217/0x620 kernel/sched/idle.c:326
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:424
 start_secondary+0x2e6/0x3a0 arch/x86/kernel/smpboot.c:281
 secondary_startup_64_no_verify+0xb1/0xbb
 </TASK>
================================================================================
----------------
Code disassembly (best guess):
   0:	ff 4c 89 f7          	decl   -0x9(%rcx,%rcx,4)
   4:	e8 a2 a1 f4 fc       	call   0xfcf4a1ab
   9:	e9 3d ff ff ff       	jmp    0xffffff4b
   e:	00 00                	add    %al,(%rax)
  10:	cc                   	int3
  11:	cc                   	int3
  12:	00 00                	add    %al,(%rax)
  14:	cc                   	int3
  15:	cc                   	int3
  16:	00 00                	add    %al,(%rax)
  18:	cc                   	int3
  19:	cc                   	int3
  1a:	00 55 48             	add    %dl,0x48(%rbp)
  1d:	89 e5                	mov    %esp,%ebp
  1f:	66 90                	xchg   %ax,%ax
  21:	0f 00 2d e3 a1 50 00 	verw   0x50a1e3(%rip)        # 0x50a20b
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	5d                   	pop    %rbp <-- trapping instruction
  2b:	c3                   	ret
  2c:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  33:	00 00 00
  36:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  3b:	55                   	push   %rbp
  3c:	48 89 e5             	mov    %rsp,%rbp
  3f:	41                   	rex.B