[Android 5.10] UBSAN: array-index-out-of-bounds in aiptek_irq
0 views
Skip to first unread message
syzbot
Jun 10, 2026, 9:22:33 AM (yesterday) Jun 10
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: d11359bcf2ac Merge 0e33f8e4070b ("driver core: Don't let a..
git tree: android13-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=1276ddb6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=24485137faf0cce5
dashboard link: https://syzkaller.appspot.com/bug?extid=36b4693f9f44057362ba
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16a1d186580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171390ae580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b48ee2efcbfa/disk-d11359bc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/73648c0e0373/vmlinux-d11359bc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/aa231a2495a1/bzImage-d11359bc.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+36b469...@syzkaller.appspotmail.com
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 547 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
<IRQ>
__dump_stack+0x21/0x24 lib/dump_stack.c:77
dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
dump_stack+0x15/0x1c lib/dump_stack.c:135
ubsan_epilogue+0xe/0x40 lib/ubsan.c:148
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:347
aiptek_irq+0x1fdf/0x2860 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
expire_timers kernel/time/timer.c:1495 [inline]
__run_timers+0x650/0x9e0 kernel/time/timer.c:1789
run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
__do_softirq+0x255/0x563 kernel/softirq.c:309
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:405 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:default_idle+0x12/0x20 arch/x86/kernel/process.c:718
Code: 44 2a 00 00 49 bd 00 00 00 00 00 fc ff df e9 67 ff ff ff e8 d0 f7 fa ff 55 48 89 e5 0f 1f 44 00 00 0f 00 2d b0 f6 61 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 55 48 89 e5 41 57 41 56
RSP: 0018:ffffc90000107db8 EFLAGS: 00000252
RAX: ffff8881f7100000 RBX: ffff888100293b40 RCX: 0000000000006fde
RDX: 0000000000000001 RSI: ffffffff85409040 RDI: ffffffff85409000
RBP: ffffc90000107db8 R08: ffff8881f71573d3 R09: 1ffff1103ee2ae7a
R10: dffffc0000000000 R11: ffffed103ee2ae7b R12: 0000000000000000
R13: 1ffff11020052768 R14: dffffc0000000000 R15: dffffc0000000000
arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:709
default_idle_call+0x71/0x1d0 kernel/sched/idle.c:114
cpuidle_idle_call kernel/sched/idle.c:204 [inline]
do_idle+0x217/0x620 kernel/sched/idle.c:328
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:425
start_secondary+0x2e9/0x3a0 arch/x86/kernel/smpboot.c:276
secondary_startup_64_no_verify+0xad/0xbb
================================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in aiptek_irq+0x1ffd/0x2860 drivers/input/tablet/aiptek.c:741
Read of size 4 at addr ffffffff855b380c by task swapper/1/0
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
<IRQ>
__dump_stack+0x21/0x24 lib/dump_stack.c:77
dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:435 [inline]
kasan_report+0xe2/0x130 mm/kasan/report.c:452
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
aiptek_irq+0x1ffd/0x2860 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
expire_timers kernel/time/timer.c:1495 [inline]
__run_timers+0x650/0x9e0 kernel/time/timer.c:1789
run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
__do_softirq+0x255/0x563 kernel/softirq.c:309
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:405 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:default_idle+0x12/0x20 arch/x86/kernel/process.c:718
Code: 44 2a 00 00 49 bd 00 00 00 00 00 fc ff df e9 67 ff ff ff e8 d0 f7 fa ff 55 48 89 e5 0f 1f 44 00 00 0f 00 2d b0 f6 61 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 55 48 89 e5 41 57 41 56
RSP: 0018:ffffc90000107db8 EFLAGS: 00000252
RAX: ffff8881f7100000 RBX: ffff888100293b40 RCX: 0000000000006fde
RDX: 0000000000000001 RSI: ffffffff85409040 RDI: ffffffff85409000
RBP: ffffc90000107db8 R08: ffff8881f71573d3 R09: 1ffff1103ee2ae7a
R10: dffffc0000000000 R11: ffffed103ee2ae7b R12: 0000000000000000
R13: 1ffff11020052768 R14: dffffc0000000000 R15: dffffc0000000000
arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:709
default_idle_call+0x71/0x1d0 kernel/sched/idle.c:114
cpuidle_idle_call kernel/sched/idle.c:204 [inline]
do_idle+0x217/0x620 kernel/sched/idle.c:328
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:425
start_secondary+0x2e9/0x3a0 arch/x86/kernel/smpboot.c:276
secondary_startup_64_no_verify+0xad/0xbb
The buggy address belongs to the variable:
.str.57+0xc/0x20
Memory state around the buggy address:
ffffffff855b3700: 04 f9 f9 f9 00 f9 f9 f9 06 f9 f9 f9 07 f9 f9 f9
ffffffff855b3780: 06 f9 f9 f9 00 04 f9 f9 05 f9 f9 f9 00 03 f9 f9
>ffffffff855b3800: 00 03 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
^
ffffffff855b3880: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
ffffffff855b3900: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
==================================================================
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
index 548 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
<IRQ>
__dump_stack+0x21/0x24 lib/dump_stack.c:77
dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
dump_stack+0x15/0x1c lib/dump_stack.c:135
ubsan_epilogue+0xe/0x40 lib/ubsan.c:148
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:347
aiptek_irq+0x1ebf/0x2860 drivers/input/tablet/aiptek.c:763
__usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
expire_timers kernel/time/timer.c:1495 [inline]
__run_timers+0x650/0x9e0 kernel/time/timer.c:1789
run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
__do_softirq+0x255/0x563 kernel/softirq.c:309
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:405 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:default_idle+0x12/0x20 arch/x86/kernel/process.c:718
Code: 44 2a 00 00 49 bd 00 00 00 00 00 fc ff df e9 67 ff ff ff e8 d0 f7 fa ff 55 48 89 e5 0f 1f 44 00 00 0f 00 2d b0 f6 61 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 55 48 89 e5 41 57 41 56
RSP: 0018:ffffc90000107db8 EFLAGS: 00000252
RAX: ffff8881f7100000 RBX: ffff888100293b40 RCX: 0000000000006fde
RDX: 0000000000000001 RSI: ffffffff85409040 RDI: ffffffff85409000
RBP: ffffc90000107db8 R08: ffff8881f71573d3 R09: 1ffff1103ee2ae7a
R10: dffffc0000000000 R11: ffffed103ee2ae7b R12: 0000000000000000
R13: 1ffff11020052768 R14: dffffc0000000000 R15: dffffc0000000000
arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:709
default_idle_call+0x71/0x1d0 kernel/sched/idle.c:114
cpuidle_idle_call kernel/sched/idle.c:204 [inline]
do_idle+0x217/0x620 kernel/sched/idle.c:328
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:425
start_secondary+0x2e9/0x3a0 arch/x86/kernel/smpboot.c:276
secondary_startup_64_no_verify+0xad/0xbb
================================================================================
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 00 00 add %al,(%rax)
2: 49 bd 00 00 00 00 00 movabs $0xdffffc0000000000,%r13
9: fc ff df
c: e9 67 ff ff ff jmp 0xffffff78
11: e8 d0 f7 fa ff call 0xfffaf7e6
16: 55 push %rbp
17: 48 89 e5 mov %rsp,%rbp
1a: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
1f: 0f 00 2d b0 f6 61 00 verw 0x61f6b0(%rip) # 0x61f6d6
26: fb sti
27: f4 hlt
* 28: 5d pop %rbp <-- trapping instruction
29: c3 ret
2a: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
31: 00 00 00
34: 66 90 xchg %ax,%ax
36: 55 push %rbp
37: 48 89 e5 mov %rsp,%rbp
3a: 41 57 push %r15
3c: 41 56 push %r14
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: d11359bcf2ac Merge 0e33f8e4070b ("driver core: Don't let a..
git tree: android13-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=1276ddb6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=24485137faf0cce5
dashboard link: https://syzkaller.appspot.com/bug?extid=36b4693f9f44057362ba
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16a1d186580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171390ae580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b48ee2efcbfa/disk-d11359bc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/73648c0e0373/vmlinux-d11359bc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/aa231a2495a1/bzImage-d11359bc.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+36b469...@syzkaller.appspotmail.com
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 547 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
<IRQ>
__dump_stack+0x21/0x24 lib/dump_stack.c:77
dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
dump_stack+0x15/0x1c lib/dump_stack.c:135
ubsan_epilogue+0xe/0x40 lib/ubsan.c:148
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:347
aiptek_irq+0x1fdf/0x2860 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
expire_timers kernel/time/timer.c:1495 [inline]
__run_timers+0x650/0x9e0 kernel/time/timer.c:1789
run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
__do_softirq+0x255/0x563 kernel/softirq.c:309
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:405 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:default_idle+0x12/0x20 arch/x86/kernel/process.c:718
Code: 44 2a 00 00 49 bd 00 00 00 00 00 fc ff df e9 67 ff ff ff e8 d0 f7 fa ff 55 48 89 e5 0f 1f 44 00 00 0f 00 2d b0 f6 61 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 55 48 89 e5 41 57 41 56
RSP: 0018:ffffc90000107db8 EFLAGS: 00000252
RAX: ffff8881f7100000 RBX: ffff888100293b40 RCX: 0000000000006fde
RDX: 0000000000000001 RSI: ffffffff85409040 RDI: ffffffff85409000
RBP: ffffc90000107db8 R08: ffff8881f71573d3 R09: 1ffff1103ee2ae7a
R10: dffffc0000000000 R11: ffffed103ee2ae7b R12: 0000000000000000
R13: 1ffff11020052768 R14: dffffc0000000000 R15: dffffc0000000000
arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:709
default_idle_call+0x71/0x1d0 kernel/sched/idle.c:114
cpuidle_idle_call kernel/sched/idle.c:204 [inline]
do_idle+0x217/0x620 kernel/sched/idle.c:328
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:425
start_secondary+0x2e9/0x3a0 arch/x86/kernel/smpboot.c:276
secondary_startup_64_no_verify+0xad/0xbb
================================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in aiptek_irq+0x1ffd/0x2860 drivers/input/tablet/aiptek.c:741
Read of size 4 at addr ffffffff855b380c by task swapper/1/0
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
<IRQ>
__dump_stack+0x21/0x24 lib/dump_stack.c:77
dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:435 [inline]
kasan_report+0xe2/0x130 mm/kasan/report.c:452
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
aiptek_irq+0x1ffd/0x2860 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
expire_timers kernel/time/timer.c:1495 [inline]
__run_timers+0x650/0x9e0 kernel/time/timer.c:1789
run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
__do_softirq+0x255/0x563 kernel/softirq.c:309
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:405 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:default_idle+0x12/0x20 arch/x86/kernel/process.c:718
Code: 44 2a 00 00 49 bd 00 00 00 00 00 fc ff df e9 67 ff ff ff e8 d0 f7 fa ff 55 48 89 e5 0f 1f 44 00 00 0f 00 2d b0 f6 61 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 55 48 89 e5 41 57 41 56
RSP: 0018:ffffc90000107db8 EFLAGS: 00000252
RAX: ffff8881f7100000 RBX: ffff888100293b40 RCX: 0000000000006fde
RDX: 0000000000000001 RSI: ffffffff85409040 RDI: ffffffff85409000
RBP: ffffc90000107db8 R08: ffff8881f71573d3 R09: 1ffff1103ee2ae7a
R10: dffffc0000000000 R11: ffffed103ee2ae7b R12: 0000000000000000
R13: 1ffff11020052768 R14: dffffc0000000000 R15: dffffc0000000000
arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:709
default_idle_call+0x71/0x1d0 kernel/sched/idle.c:114
cpuidle_idle_call kernel/sched/idle.c:204 [inline]
do_idle+0x217/0x620 kernel/sched/idle.c:328
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:425
start_secondary+0x2e9/0x3a0 arch/x86/kernel/smpboot.c:276
secondary_startup_64_no_verify+0xad/0xbb
The buggy address belongs to the variable:
.str.57+0xc/0x20
Memory state around the buggy address:
ffffffff855b3700: 04 f9 f9 f9 00 f9 f9 f9 06 f9 f9 f9 07 f9 f9 f9
ffffffff855b3780: 06 f9 f9 f9 00 04 f9 f9 05 f9 f9 f9 00 03 f9 f9
>ffffffff855b3800: 00 03 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
^
ffffffff855b3880: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
ffffffff855b3900: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
==================================================================
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
index 548 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
<IRQ>
__dump_stack+0x21/0x24 lib/dump_stack.c:77
dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
dump_stack+0x15/0x1c lib/dump_stack.c:135
ubsan_epilogue+0xe/0x40 lib/ubsan.c:148
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:347
aiptek_irq+0x1ebf/0x2860 drivers/input/tablet/aiptek.c:763
__usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1748
dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1986
call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
expire_timers kernel/time/timer.c:1495 [inline]
__run_timers+0x650/0x9e0 kernel/time/timer.c:1789
run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
__do_softirq+0x255/0x563 kernel/softirq.c:309
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:405 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:default_idle+0x12/0x20 arch/x86/kernel/process.c:718
Code: 44 2a 00 00 49 bd 00 00 00 00 00 fc ff df e9 67 ff ff ff e8 d0 f7 fa ff 55 48 89 e5 0f 1f 44 00 00 0f 00 2d b0 f6 61 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 55 48 89 e5 41 57 41 56
RSP: 0018:ffffc90000107db8 EFLAGS: 00000252
RAX: ffff8881f7100000 RBX: ffff888100293b40 RCX: 0000000000006fde
RDX: 0000000000000001 RSI: ffffffff85409040 RDI: ffffffff85409000
RBP: ffffc90000107db8 R08: ffff8881f71573d3 R09: 1ffff1103ee2ae7a
R10: dffffc0000000000 R11: ffffed103ee2ae7b R12: 0000000000000000
R13: 1ffff11020052768 R14: dffffc0000000000 R15: dffffc0000000000
arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:709
default_idle_call+0x71/0x1d0 kernel/sched/idle.c:114
cpuidle_idle_call kernel/sched/idle.c:204 [inline]
do_idle+0x217/0x620 kernel/sched/idle.c:328
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:425
start_secondary+0x2e9/0x3a0 arch/x86/kernel/smpboot.c:276
secondary_startup_64_no_verify+0xad/0xbb
================================================================================
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 00 00 add %al,(%rax)
2: 49 bd 00 00 00 00 00 movabs $0xdffffc0000000000,%r13
9: fc ff df
c: e9 67 ff ff ff jmp 0xffffff78
11: e8 d0 f7 fa ff call 0xfffaf7e6
16: 55 push %rbp
17: 48 89 e5 mov %rsp,%rbp
1a: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
1f: 0f 00 2d b0 f6 61 00 verw 0x61f6b0(%rip) # 0x61f6d6
26: fb sti
27: f4 hlt
* 28: 5d pop %rbp <-- trapping instruction
29: c3 ret
2a: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
31: 00 00 00
34: 66 90 xchg %ax,%ax
36: 55 push %rbp
37: 48 89 e5 mov %rsp,%rbp
3a: 41 57 push %r15
3c: 41 56 push %r14
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jun 10, 2026, 11:23:29 AM (yesterday) Jun 10
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 5bb904247956 ANDROID: GKI: update symbol list file for xia..
syzbot found the following issue on:
git tree: android14-6.1
console output: https://syzkaller.appspot.com/x/log.txt?x=16e613d2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=69841d35933a4e41
dashboard link: https://syzkaller.appspot.com/bug?extid=30ac19446748a08eb33d
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12ad70ae580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10d1ddb6580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9a36b3c8b8f5/disk-5bb90424.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d07592c01758/vmlinux-5bb90424.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2dd4d1d45722/bzImage-5bb90424.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<IRQ>
__dump_stack+0x21/0x24 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
dump_stack+0x15/0x24 lib/dump_stack.c:113
ubsan_epilogue+0xe/0x40 lib/ubsan.c:151
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
aiptek_irq+0x208d/0x29b0 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x364/0x520 drivers/usb/core/hcd.c:1675
usb_hcd_giveback_urb+0x11c/0x410 drivers/usb/core/hcd.c:1758
dummy_timer+0x88c/0x3070 drivers/usb/gadget/udc/dummy_hcd.c:2004
__run_hrtimer kernel/time/hrtimer.c:1685 [inline]
__hrtimer_run_queues+0x3bb/0x8e0 kernel/time/hrtimer.c:1749
hrtimer_run_softirq+0x19b/0x260 kernel/time/hrtimer.c:1766
handle_softirqs+0x1d7/0x600 kernel/softirq.c:642
__do_softirq kernel/softirq.c:680 [inline]
invoke_softirq kernel/softirq.c:497 [inline]
__irq_exit_rcu+0x52/0xf0 kernel/softirq.c:729
irq_exit_rcu+0x9/0x10 kernel/softirq.c:741
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:742
Code: 37 e3 b4 fc e9 3d ff ff ff 00 00 90 90 90 90 90 90 90 90 90 90 90 b8 0c 67 40 a5 55 48 89 e5 66 90 0f 00 2d 23 f3 63 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 90 90 90 90 90
RSP: 0018:ffffc90000147dd8 EFLAGS: 00000257
RAX: ffff8881f6f00000 RBX: ffff888100330000 RCX: be45b475e3e0d600
RDX: 0000000000000001 RSI: ffffffff85ca8e00 RDI: ffffffff85ca8dc0
RBP: ffffc90000147dd8 R08: ffff8881f6f348b3 R09: 1ffff1103ede6916
R10: 0000000000000000 R11: ffffffff85023e50 R12: dffffc0000000000
R13: 0000000000000001 R14: ffff888100330000 R15: dffffc0000000000
arch_cpu_idle+0x1c/0x20 arch/x86/kernel/process.c:733
default_idle_call+0x71/0x1d0 kernel/sched/idle.c:109
cpuidle_idle_call kernel/sched/idle.c:199 [inline]
do_idle+0x354/0x640 kernel/sched/idle.c:323
cpu_startup_entry+0x43/0x60 kernel/sched/idle.c:422
start_secondary+0x119/0x120 arch/x86/kernel/smpboot.c:281
secondary_startup_64_no_verify+0xce/0xdb
</TASK>
================================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in aiptek_irq+0x20ab/0x29b0 drivers/input/tablet/aiptek.c:741
Read of size 4 at addr ffffffff85e6f19c by task swapper/1/0
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Call Trace:
<IRQ>
__dump_stack+0x21/0x24 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
print_address_description+0x71/0x200 mm/kasan/report.c:316
print_report+0x4a/0x60 mm/kasan/report.c:420
kasan_report+0x122/0x150 mm/kasan/report.c:524
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350
aiptek_irq+0x20ab/0x29b0 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x364/0x520 drivers/usb/core/hcd.c:1675
usb_hcd_giveback_urb+0x11c/0x410 drivers/usb/core/hcd.c:1758
dummy_timer+0x88c/0x3070 drivers/usb/gadget/udc/dummy_hcd.c:2004
__run_hrtimer kernel/time/hrtimer.c:1685 [inline]
__hrtimer_run_queues+0x3bb/0x8e0 kernel/time/hrtimer.c:1749
hrtimer_run_softirq+0x19b/0x260 kernel/time/hrtimer.c:1766
handle_softirqs+0x1d7/0x600 kernel/softirq.c:642
__do_softirq kernel/softirq.c:680 [inline]
invoke_softirq kernel/softirq.c:497 [inline]
__irq_exit_rcu+0x52/0xf0 kernel/softirq.c:729
irq_exit_rcu+0x9/0x10 kernel/softirq.c:741
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:742
Code: 37 e3 b4 fc e9 3d ff ff ff 00 00 90 90 90 90 90 90 90 90 90 90 90 b8 0c 67 40 a5 55 48 89 e5 66 90 0f 00 2d 23 f3 63 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 90 90 90 90 90
RSP: 0018:ffffc90000147dd8 EFLAGS: 00000257
RAX: ffff8881f6f00000 RBX: ffff888100330000 RCX: be45b475e3e0d600
RDX: 0000000000000001 RSI: ffffffff85ca8e00 RDI: ffffffff85ca8dc0
RBP: ffffc90000147dd8 R08: ffff8881f6f348b3 R09: 1ffff1103ede6916
R10: 0000000000000000 R11: ffffffff85023e50 R12: dffffc0000000000
R13: 0000000000000001 R14: ffff888100330000 R15: dffffc0000000000
arch_cpu_idle+0x1c/0x20 arch/x86/kernel/process.c:733
default_idle_call+0x71/0x1d0 kernel/sched/idle.c:109
cpuidle_idle_call kernel/sched/idle.c:199 [inline]
do_idle+0x354/0x640 kernel/sched/idle.c:323
cpu_startup_entry+0x43/0x60 kernel/sched/idle.c:422
start_secondary+0x119/0x120 arch/x86/kernel/smpboot.c:281
secondary_startup_64_no_verify+0xce/0xdb
</TASK>
The buggy address belongs to the variable:
The buggy address belongs to the physical page:
page:ffffea0000179bc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5e6f
flags: 0x1000(reserved|zone=0)
raw: 0000000000001000 ffffea0000179bc8 ffffea0000179bc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
Memory state around the buggy address:
ffffffff85e6f100: 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9 00 00 00 00
>ffffffff85e6f180: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 00 02 f9
^
ffffffff85e6f200: f9 f9 f9 f9 00 00 00 00 00 00 04 f9 f9 f9 f9 f9
ffffffff85e6f280: 00 00 00 00 00 00 01 f9 f9 f9 f9 f9 00 00 00 02
==================================================================
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
index 4776 is out of range for type 'const int[34]'
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<IRQ>
__dump_stack+0x21/0x24 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
dump_stack+0x15/0x24 lib/dump_stack.c:113
ubsan_epilogue+0xe/0x40 lib/ubsan.c:151
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
aiptek_irq+0x1f6d/0x29b0 drivers/input/tablet/aiptek.c:763
__usb_hcd_giveback_urb+0x364/0x520 drivers/usb/core/hcd.c:1675
usb_hcd_giveback_urb+0x11c/0x410 drivers/usb/core/hcd.c:1758
dummy_timer+0x88c/0x3070 drivers/usb/gadget/udc/dummy_hcd.c:2004
__run_hrtimer kernel/time/hrtimer.c:1685 [inline]
__hrtimer_run_queues+0x3bb/0x8e0 kernel/time/hrtimer.c:1749
hrtimer_run_softirq+0x19b/0x260 kernel/time/hrtimer.c:1766
handle_softirqs+0x1d7/0x600 kernel/softirq.c:642
__do_softirq kernel/softirq.c:680 [inline]
invoke_softirq kernel/softirq.c:497 [inline]
__irq_exit_rcu+0x52/0xf0 kernel/softirq.c:729
irq_exit_rcu+0x9/0x10 kernel/softirq.c:741
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:742
Code: 37 e3 b4 fc e9 3d ff ff ff 00 00 90 90 90 90 90 90 90 90 90 90 90 b8 0c 67 40 a5 55 48 89 e5 66 90 0f 00 2d 23 f3 63 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 90 90 90 90 90
RSP: 0018:ffffc90000147dd8 EFLAGS: 00000257
RAX: ffff8881f6f00000 RBX: ffff888100330000 RCX: be45b475e3e0d600
RDX: 0000000000000001 RSI: ffffffff85ca8e00 RDI: ffffffff85ca8dc0
RBP: ffffc90000147dd8 R08: ffff8881f6f348b3 R09: 1ffff1103ede6916
R10: 0000000000000000 R11: ffffffff85023e50 R12: dffffc0000000000
R13: 0000000000000001 R14: ffff888100330000 R15: dffffc0000000000
arch_cpu_idle+0x1c/0x20 arch/x86/kernel/process.c:733
default_idle_call+0x71/0x1d0 kernel/sched/idle.c:109
cpuidle_idle_call kernel/sched/idle.c:199 [inline]
do_idle+0x354/0x640 kernel/sched/idle.c:323
cpu_startup_entry+0x43/0x60 kernel/sched/idle.c:422
start_secondary+0x119/0x120 arch/x86/kernel/smpboot.c:281
secondary_startup_64_no_verify+0xce/0xdb
</TASK>
================================================================================
aiptek 3-1:0.0: aiptek_irq - usb_submit_urb failed with result -19
----------------
Code disassembly (best guess), 1 bytes skipped:
0: e3 b4 jrcxz 0xffffffb6
2: fc cld
3: e9 3d ff ff ff jmp 0xffffff45
8: 00 00 add %al,(%rax)
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: b8 0c 67 40 a5 mov $0xa540670c,%eax
1a: 55 push %rbp
1b: 48 89 e5 mov %rsp,%rbp
1e: 66 90 xchg %ax,%ax
20: 0f 00 2d 23 f3 63 00 verw 0x63f323(%rip) # 0x63f34a
27: fb sti
28: f4 hlt
* 29: 5d pop %rbp <-- trapping instruction
2a: c3 ret
2b: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
32: 00 00 00
35: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
3a: 90 nop
3b: 90 nop
3c: 90 nop
3d: 90 nop
3e: 90 nop
syzbot
2:49 AM (13 hours ago) 2:49 AM
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 30f5554a846e Merge 5.15.208 into android13-5.15-lts
syzbot found the following issue on:
git tree: android13-5.15-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=17b7f186580000
kernel config: https://syzkaller.appspot.com/x/.config?x=3ef8af16142b9dd4
dashboard link: https://syzkaller.appspot.com/bug?extid=0370e3eb6ccb3375862e
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14446156580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14a933d2580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a5676830ce32/disk-30f5554a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/563836a1a6a9/vmlinux-30f5554a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e4bcd0a21472/bzImage-30f5554a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
<IRQ>
__dump_stack+0x21/0x30 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
dump_stack+0x15/0x20 lib/dump_stack.c:113
ubsan_epilogue+0xe/0x40 lib/ubsan.c:151
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
aiptek_irq+0x208d/0x29b0 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
aiptek_irq+0x208d/0x29b0 drivers/input/tablet/aiptek.c:741
usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1751
dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1998
call_timer_fn+0x38/0x290 kernel/time/timer.c:1459
expire_timers kernel/time/timer.c:1504 [inline]
__run_timers+0x650/0x9e0 kernel/time/timer.c:1775
run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1788
handle_softirqs+0x250/0x560 kernel/softirq.c:583
__do_softirq kernel/softirq.c:621 [inline]
invoke_softirq kernel/softirq.c:443 [inline]
__irq_exit_rcu+0x52/0xf0 kernel/softirq.c:670
irq_exit_rcu+0x9/0x10 kernel/softirq.c:682
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1108
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:730
Code: ff 4c 89 f7 e8 a2 a1 f4 fc e9 3d ff ff ff 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 55 48 89 e5 66 90 0f 00 2d e3 a1 50 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90000157db8 EFLAGS: 00000246
RAX: 0000000000004ce4 RBX: ffff88810030bb40 RCX: 0000000000004ce4
RDX: 0000000000000001 RSI: ffffffff8563ad60 RDI: ffffffff8563ad20
RBP: ffffc90000157db8 R08: ffff8881f7138c73 R09: 1ffff1103ee2718e
R10: dffffc0000000000 R11: ffffed103ee2718f R12: 0000000000000000
R13: 1ffff11020061768 R14: dffffc0000000000 R15: dffffc0000000000
arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:721
default_idle_call+0x71/0x1d0 kernel/sched/idle.c:112
cpuidle_idle_call kernel/sched/idle.c:202 [inline]
do_idle+0x217/0x620 kernel/sched/idle.c:326
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:424
start_secondary+0x2e6/0x3a0 arch/x86/kernel/smpboot.c:281
secondary_startup_64_no_verify+0xb1/0xbb
</TASK>
================================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in aiptek_irq+0x20ab/0x29b0 drivers/input/tablet/aiptek.c:741
Read of size 4 at addr ffffffff857f35ec by task swapper/1/0
================================================================================
==================================================================
BUG: KASAN: global-out-of-bounds in aiptek_irq+0x20ab/0x29b0 drivers/input/tablet/aiptek.c:741
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Call Trace:
<IRQ>
__dump_stack+0x21/0x30 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:427 [inline]
kasan_report+0xf1/0x140 mm/kasan/report.c:444
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
aiptek_irq+0x20ab/0x29b0 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1751
dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1998
call_timer_fn+0x38/0x290 kernel/time/timer.c:1459
expire_timers kernel/time/timer.c:1504 [inline]
__run_timers+0x650/0x9e0 kernel/time/timer.c:1775
run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1788
handle_softirqs+0x250/0x560 kernel/softirq.c:583
__do_softirq kernel/softirq.c:621 [inline]
invoke_softirq kernel/softirq.c:443 [inline]
__irq_exit_rcu+0x52/0xf0 kernel/softirq.c:670
irq_exit_rcu+0x9/0x10 kernel/softirq.c:682
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1108
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:730
Code: ff 4c 89 f7 e8 a2 a1 f4 fc e9 3d ff ff ff 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 55 48 89 e5 66 90 0f 00 2d e3 a1 50 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90000157db8 EFLAGS: 00000246
RAX: 0000000000004ce4 RBX: ffff88810030bb40 RCX: 0000000000004ce4
RDX: 0000000000000001 RSI: ffffffff8563ad60 RDI: ffffffff8563ad20
RBP: ffffc90000157db8 R08: ffff8881f7138c73 R09: 1ffff1103ee2718e
R10: dffffc0000000000 R11: ffffed103ee2718f R12: 0000000000000000
R13: 1ffff11020061768 R14: dffffc0000000000 R15: dffffc0000000000
arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:721
default_idle_call+0x71/0x1d0 kernel/sched/idle.c:112
cpuidle_idle_call kernel/sched/idle.c:202 [inline]
do_idle+0x217/0x620 kernel/sched/idle.c:326
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:424
start_secondary+0x2e6/0x3a0 arch/x86/kernel/smpboot.c:281
secondary_startup_64_no_verify+0xb1/0xbb
</TASK>
The buggy address belongs to the variable:
.str.60+0xc/0x20
The buggy address belongs to the variable:
Memory state around the buggy address:
ffffffff857f3500: 00 f9 f9 f9 06 f9 f9 f9 07 f9 f9 f9 06 f9 f9 f9
>ffffffff857f3580: 00 04 f9 f9 05 f9 f9 f9 00 03 f9 f9 00 03 f9 f9
^
ffffffff857f3600: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
ffffffff857f3680: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 01 f9 f9 f9
==================================================================
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
index 548 is out of range for type 'const int[34]'
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
<IRQ>
__dump_stack+0x21/0x30 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
dump_stack+0x15/0x20 lib/dump_stack.c:113
ubsan_epilogue+0xe/0x40 lib/ubsan.c:151
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
aiptek_irq+0x1f6d/0x29b0 drivers/input/tablet/aiptek.c:763
__usb_hcd_giveback_urb+0x333/0x4f0 drivers/usb/core/hcd.c:1674
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
aiptek_irq+0x1f6d/0x29b0 drivers/input/tablet/aiptek.c:763
usb_hcd_giveback_urb+0x119/0x410 drivers/usb/core/hcd.c:1751
dummy_timer+0x8be/0x30e0 drivers/usb/gadget/udc/dummy_hcd.c:1998
call_timer_fn+0x38/0x290 kernel/time/timer.c:1459
expire_timers kernel/time/timer.c:1504 [inline]
__run_timers+0x650/0x9e0 kernel/time/timer.c:1775
run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1788
handle_softirqs+0x250/0x560 kernel/softirq.c:583
__do_softirq kernel/softirq.c:621 [inline]
invoke_softirq kernel/softirq.c:443 [inline]
__irq_exit_rcu+0x52/0xf0 kernel/softirq.c:670
irq_exit_rcu+0x9/0x10 kernel/softirq.c:682
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1108
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:730
Code: ff 4c 89 f7 e8 a2 a1 f4 fc e9 3d ff ff ff 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 55 48 89 e5 66 90 0f 00 2d e3 a1 50 00 fb f4 <5d> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90000157db8 EFLAGS: 00000246
RAX: 0000000000004ce4 RBX: ffff88810030bb40 RCX: 0000000000004ce4
RDX: 0000000000000001 RSI: ffffffff8563ad60 RDI: ffffffff8563ad20
RBP: ffffc90000157db8 R08: ffff8881f7138c73 R09: 1ffff1103ee2718e
R10: dffffc0000000000 R11: ffffed103ee2718f R12: 0000000000000000
R13: 1ffff11020061768 R14: dffffc0000000000 R15: dffffc0000000000
arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:721
default_idle_call+0x71/0x1d0 kernel/sched/idle.c:112
cpuidle_idle_call kernel/sched/idle.c:202 [inline]
do_idle+0x217/0x620 kernel/sched/idle.c:326
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:424
start_secondary+0x2e6/0x3a0 arch/x86/kernel/smpboot.c:281
secondary_startup_64_no_verify+0xb1/0xbb
</TASK>
================================================================================
----------------
Code disassembly (best guess):
0: ff 4c 89 f7 decl -0x9(%rcx,%rcx,4)
4: e8 a2 a1 f4 fc call 0xfcf4a1ab
9: e9 3d ff ff ff jmp 0xffffff4b
e: 00 00 add %al,(%rax)
10: cc int3
11: cc int3
12: 00 00 add %al,(%rax)
14: cc int3
15: cc int3
16: 00 00 add %al,(%rax)
18: cc int3
19: cc int3
1a: 00 55 48 add %dl,0x48(%rbp)
1d: 89 e5 mov %esp,%ebp
1f: 66 90 xchg %ax,%ax
21: 0f 00 2d e3 a1 50 00 verw 0x50a1e3(%rip) # 0x50a20b
28: fb sti
29: f4 hlt
* 2a: 5d pop %rbp <-- trapping instruction
2b: c3 ret
2c: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
33: 00 00 00
36: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
3b: 55 push %rbp
3c: 48 89 e5 mov %rsp,%rbp
3f: 41 rex.B
Reply all
Reply to author
Forward
0 new messages