[v5.15] UBSAN: array-index-out-of-bounds in aiptek_irq


syzbot

Jun 10, 2026, 1:51:32 PM (17 hours ago) Jun 10
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: dc027a595035 Linux 5.15.209
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=100fd3d2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=353ae28c40b35af5
dashboard link: https://syzkaller.appspot.com/bug?extid=d0805b3019c91aa6f802
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/586ac2a2fd9d/disk-dc027a59.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/06dcb6a2fcd3/vmlinux-dc027a59.xz
kernel image: https://storage.googleapis.com/syzbot-assets/567131e0cbcc/bzImage-dc027a59.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d0805b...@syzkaller.appspotmail.com

================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 547 is out of range for type 'const int[34]'
CPU: 1 PID: 6491 Comm: syz.3.456 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<IRQ>
dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
ubsan_epilogue+0xa/0x30 lib/ubsan.c:151
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
aiptek_irq+0x1eaa/0x28f0 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x35f/0x520 drivers/usb/core/hcd.c:1674
dummy_timer+0x880/0x30b0 drivers/usb/gadget/udc/dummy_hcd.c:1998
call_timer_fn+0x17b/0x540 kernel/time/timer.c:1648
expire_timers kernel/time/timer.c:1699 [inline]
__run_timers+0x53e/0x800 kernel/time/timer.c:1970
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1983
handle_softirqs+0x339/0x830 kernel/softirq.c:576
__do_softirq kernel/softirq.c:610 [inline]
invoke_softirq kernel/softirq.c:450 [inline]
__irq_exit_rcu+0x13b/0x230 kernel/softirq.c:659
irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:161 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xbc/0x120 kernel/locking/spinlock.c:194
Code: c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f7 44 24 20 00 02 00 00 41 c6 04 07 f8 75 4b f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> 4f 9d 8b f7 65 8b 05 70 86 3b 76 85 c0 74 3c 48 c7 04 24 0e 36
RSP: 0018:ffffc900039075c0 EFLAGS: 00000206
RAX: dffffc0000000004 RBX: 0000000000000a06 RCX: 577cad2042642500
RDX: dffffc0000000000 RSI: ffffffff8a2b3180 RDI: 0000000000000001
RBP: ffffc90003907650 R08: ffffffff901d8177 R09: 1ffffffff203b02e
R10: dffffc0000000000 R11: fffffbfff203b02f R12: dffffc0000000000
R13: 0000000000000000 R14: ffff888029fcd6c0 R15: 1ffff92000720eb8
spin_unlock_irqrestore include/linux/spinlock.h:419 [inline]
__wake_up_common_lock kernel/sched/wait.c:140 [inline]
__wake_up_sync_key+0x128/0x190 kernel/sched/wait.c:205
__unix_dgram_recvmsg+0x4c0/0xd90 net/unix/af_unix.c:2342
____sys_recvmsg+0x2cd/0x5e0 net/socket.c:-1
___sys_recvmsg+0x21a/0x5c0 net/socket.c:2706
do_recvmmsg+0x382/0x850 net/socket.c:2800
__sys_recvmmsg net/socket.c:2879 [inline]
__do_sys_recvmmsg net/socket.c:2902 [inline]
__se_sys_recvmmsg net/socket.c:2895 [inline]
__x64_sys_recvmmsg+0x195/0x250 net/socket.c:2895
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f6534effe59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6533138028 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007f6535179090 RCX: 00007f6534effe59
RDX: 0000000000010106 RSI: 00002000000000c0 RDI: 0000000000000003
RBP: 00007f6534f95d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6535179128 R14: 00007f6535179090 R15: 00007ffc9ce083c8
</TASK>
================================================================================
----------------
Code disassembly (best guess):
0: c7 44 24 20 00 00 00 movl $0x0,0x20(%rsp)
7: 00
8: 9c pushf
9: 8f 44 24 20 pop 0x20(%rsp)
d: f7 44 24 20 00 02 00 testl $0x200,0x20(%rsp)
14: 00
15: 41 c6 04 07 f8 movb $0xf8,(%r15,%rax,1)
1a: 75 4b jne 0x67
1c: f7 c3 00 02 00 00 test $0x200,%ebx
22: 74 01 je 0x25
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 4f 9d 8b f7 call 0xf78b9d7e <-- trapping instruction
2f: 65 8b 05 70 86 3b 76 mov %gs:0x763b8670(%rip),%eax # 0x763b86a6
36: 85 c0 test %eax,%eax
38: 74 3c je 0x76
3a: 48 rex.W
3b: c7 .byte 0xc7
3c: 04 24 add $0x24,%al
3e: 0e (bad)
3f: 36 ss


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jun 10, 2026, 3:26:32 PM (15 hours ago) Jun 10
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 228da13e907e Linux 6.1.175
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1246fdb6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4dd3c1715f0a309b
dashboard link: https://syzkaller.appspot.com/bug?extid=74b75376ca81b21ff7ca
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a1730af56ab4/disk-228da13e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/eafe9b37a422/vmlinux-228da13e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7353ac7f337a/bzImage-228da13e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+74b753...@syzkaller.appspotmail.com

================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 4775 is out of range for type 'const int[34]'
CPU: 1 PID: 8650 Comm: syz.4.1152 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
<IRQ>
dump_stack_lvl+0x188/0x24e lib/dump_stack.c:106
ubsan_epilogue+0xa/0x30 lib/ubsan.c:151
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
aiptek_irq+0x1eaa/0x28f0 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x35f/0x520 drivers/usb/core/hcd.c:1675
dummy_timer+0x8d0/0x3330 drivers/usb/gadget/udc/dummy_hcd.c:2004
__run_hrtimer kernel/time/hrtimer.c:1751 [inline]
__hrtimer_run_queues+0x54a/0xd50 kernel/time/hrtimer.c:1815
hrtimer_run_softirq+0x183/0x2a0 kernel/time/hrtimer.c:1832
handle_softirqs+0x2a1/0x930 kernel/softirq.c:596
__do_softirq kernel/softirq.c:630 [inline]
invoke_softirq kernel/softirq.c:470 [inline]
__irq_exit_rcu+0x13b/0x230 kernel/softirq.c:679
irq_exit_rcu+0x5/0x20 kernel/softirq.c:691
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1118
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:unlock_page_memcg+0x2/0xb0 mm/memcontrol.c:2168
Code: 93 ff 48 8d 35 00 00 00 00 48 c7 c7 60 de b2 8c 5b 41 5c 41 5d 41 5e 41 5f e9 da b1 8a ff 66 2e 0f 1f 84 00 00 00 00 00 41 57 <41> 56 53 49 bf 00 00 00 00 00 fc ff df 48 8d 5f 08 48 89 d8 48 c1
RSP: 0000:ffffc900037dfa18 EFLAGS: 00000293
RAX: ffffffff81c579ab RBX: ffffea0001cabac0 RCX: ffff88802e8a5a00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffea0001cabac0
RBP: 0000000000000000 R08: ffffea0001cabaf3 R09: 1ffffd400039575e
R10: dffffc0000000000 R11: fffff9400039575f R12: dffffc0000000000
R13: 1ffffd4000395758 R14: ffff88804ce82af8 R15: 0000000000000000
page_add_file_rmap+0x8d8/0x1500 mm/rmap.c:1331
do_set_pte+0x2f4/0x460 mm/memory.c:4422
filemap_map_pages+0xc8b/0x11c0 mm/filemap.c:3513
do_fault_around mm/memory.c:4598 [inline]
do_read_fault mm/memory.c:4624 [inline]
do_fault mm/memory.c:4758 [inline]
handle_pte_fault mm/memory.c:5029 [inline]
__handle_mm_fault mm/memory.c:5171 [inline]
handle_mm_fault+0x2991/0x3ee0 mm/memory.c:5292
do_user_addr_fault+0x51f/0xb10 arch/x86/mm/fault.c:1338
handle_page_fault arch/x86/mm/fault.c:1429 [inline]
exc_page_fault+0x60/0x100 arch/x86/mm/fault.c:1482
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:608
RIP: 0033:0x7f39bfe71756
Code: ff 48 83 e8 01 48 89 de bf 01 00 00 00 48 c1 e0 0e 48 c1 ee 06 48 01 c8 48 89 d9 81 e6 ff 3f 00 00 48 c1 e9 03 83 e1 07 d3 e7 <40> 84 bc 06 20 20 00 00 0f 85 20 fe ff ff e9 d4 fd ff ff 0f 1f 80
RSP: 002b:00007ffe3e96aad0 EFLAGS: 00010202
RAX: 000000110c308000 RBX: ffffffff81b7eb56 RCX: 0000000000000002
RDX: 0000000000000b56 RSI: 0000000000001fad RDI: 0000000000000004
RBP: 0000000000000000 R08: 00007f39c0200000 R09: 00007f39c0202000
R10: 0000000081b7eb5a R11: 0000000000000000 R12: 00007f39c0216038
R13: 000000000000003c R14: ffffffff81b7e9f3 R15: 00007f39c0d45720
</TASK>
================================================================================
----------------
Code disassembly (best guess):
0: 93 xchg %eax,%ebx
1: ff 48 8d decl -0x73(%rax)
4: 35 00 00 00 00 xor $0x0,%eax
9: 48 c7 c7 60 de b2 8c mov $0xffffffff8cb2de60,%rdi
10: 5b pop %rbx
11: 41 5c pop %r12
13: 41 5d pop %r13
15: 41 5e pop %r14
17: 41 5f pop %r15
19: e9 da b1 8a ff jmp 0xff8ab1f8
1e: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
25: 00 00 00
28: 41 57 push %r15
* 2a: 41 56 push %r14 <-- trapping instruction
2c: 53 push %rbx
2d: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
34: fc ff df
37: 48 8d 5f 08 lea 0x8(%rdi),%rbx
3b: 48 89 d8 mov %rbx,%rax
3e: 48 rex.W
3f: c1 .byte 0xc1

syzbot

Jun 10, 2026, 4:15:27 PM (14 hours ago) Jun 10
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 924b4a879cbb Linux 6.6.142
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=101e48ae580000
kernel config: https://syzkaller.appspot.com/x/.config?x=90249d2d52c08134
dashboard link: https://syzkaller.appspot.com/bug?extid=6313f2d45d446029fbad
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bd13425862f1/disk-924b4a87.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/eaa5de9e440b/vmlinux-924b4a87.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5a9aa3293c15/bzImage-924b4a87.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6313f2...@syzkaller.appspotmail.com

================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 4775 is out of range for type 'const int[34]'
CPU: 1 PID: 2945 Comm: kworker/u4:8 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: events_unbound nsim_dev_trap_report_work
Call Trace:
<IRQ>
dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
ubsan_epilogue+0xa/0x30 lib/ubsan.c:217
__ubsan_handle_out_of_bounds+0xe3/0xf0 lib/ubsan.c:348
aiptek_irq+0x1ea9/0x28f0 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x35f/0x520 drivers/usb/core/hcd.c:1650
dummy_timer+0x8de/0x3320 drivers/usb/gadget/udc/dummy_hcd.c:2003
__run_hrtimer kernel/time/hrtimer.c:1754 [inline]
__hrtimer_run_queues+0x520/0xc40 kernel/time/hrtimer.c:1818
hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1835
handle_softirqs+0x280/0x820 kernel/softirq.c:578
__do_softirq kernel/softirq.c:612 [inline]
invoke_softirq kernel/softirq.c:452 [inline]
__irq_exit_rcu+0xd3/0x190 kernel/softirq.c:661
irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:220 [inline]
RIP: 0010:unwind_next_frame+0x29c/0x2970 arch/x86/kernel/unwind_orc.c:494
Code: 8d 44 6d 00 48 8d 84 00 fc 19 09 8f 48 89 44 24 30 48 3d 20 ee b2 8f 0f 83 f4 1c 00 00 48 8d 44 6d 00 48 8d 84 00 fc 19 09 8f <48> 3d 20 ee b2 8f 0f 87 db 1c 00 00 89 ef 44 89 ee e8 9e f2 4b 00
RSP: 0018:ffffc9000be374f8 EFLAGS: 00000287
RAX: ffffffff8f0f8098 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: ffff88802c2f0000 RSI: 00000000000058f8 RDI: 000000000009c000
RBP: 000000000001111a R08: ffffc9000be37690 R09: 0000000000000009
R10: 0000000000000004 R11: 0000000000000000 R12: ffffc9000be375c8
R13: 0000000000011119 R14: ffffc9000be375fd R15: 00000000000058f8
arch_stack_walk+0x144/0x190 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0xaa/0x100 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4e/0x70 mm/kasan/common.c:53
kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:522
____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:237
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1811 [inline]
slab_free_freelist_hook+0x130/0x1a0 mm/slub.c:1837
slab_free mm/slub.c:3830 [inline]
__kmem_cache_free+0xba/0x1e0 mm/slub.c:3843
skb_kfree_head net/core/skbuff.c:946 [inline]
skb_free_head net/core/skbuff.c:958 [inline]
skb_release_data+0x5dc/0x7b0 net/core/skbuff.c:988
skb_release_all net/core/skbuff.c:1054 [inline]
__kfree_skb net/core/skbuff.c:1068 [inline]
consume_skb+0xb2/0x110 net/core/skbuff.c:1284
nsim_dev_trap_report drivers/net/netdevsim/dev.c:821 [inline]
nsim_dev_trap_report_work+0x77e/0xb10 drivers/net/netdevsim/dev.c:851
process_one_work kernel/workqueue.c:2653 [inline]
process_scheduled_works+0xa5d/0x15d0 kernel/workqueue.c:2730
worker_thread+0xa55/0xfc0 kernel/workqueue.c:2811
kthread+0x2fa/0x390 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
</TASK>
================================================================================
----------------
Code disassembly (best guess):
0: 8d 44 6d 00 lea 0x0(%rbp,%rbp,2),%eax
4: 48 8d 84 00 fc 19 09 lea -0x70f6e604(%rax,%rax,1),%rax
b: 8f
c: 48 89 44 24 30 mov %rax,0x30(%rsp)
11: 48 3d 20 ee b2 8f cmp $0xffffffff8fb2ee20,%rax
17: 0f 83 f4 1c 00 00 jae 0x1d11
1d: 48 8d 44 6d 00 lea 0x0(%rbp,%rbp,2),%rax
22: 48 8d 84 00 fc 19 09 lea -0x70f6e604(%rax,%rax,1),%rax
29: 8f
* 2a: 48 3d 20 ee b2 8f cmp $0xffffffff8fb2ee20,%rax <-- trapping instruction
30: 0f 87 db 1c 00 00 ja 0x1d11
36: 89 ef mov %ebp,%edi
38: 44 89 ee mov %r13d,%esi
3b: e8 9e f2 4b 00 call 0x4bf2de

syzbot

Jun 10, 2026, 6:30:22 PM (12 hours ago) Jun 10
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: dc027a595035 Linux 5.15.209
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=150a38ae580000
kernel config: https://syzkaller.appspot.com/x/.config?x=353ae28c40b35af5
dashboard link: https://syzkaller.appspot.com/bug?extid=d0805b3019c91aa6f802
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=104c33d2580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=139948ae580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/586ac2a2fd9d/disk-dc027a59.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/06dcb6a2fcd3/vmlinux-dc027a59.xz
kernel image: https://storage.googleapis.com/syzbot-assets/567131e0cbcc/bzImage-dc027a59.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d0805b...@syzkaller.appspotmail.com

================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 547 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
<IRQ>
dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
ubsan_epilogue+0xa/0x30 lib/ubsan.c:151
__ubsan_handle_out_of_bounds+0xdf/0xf0 lib/ubsan.c:282
aiptek_irq+0x1eaa/0x28f0 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x35f/0x520 drivers/usb/core/hcd.c:1674
dummy_timer+0x880/0x30b0 drivers/usb/gadget/udc/dummy_hcd.c:1998
call_timer_fn+0x17b/0x540 kernel/time/timer.c:1648
expire_timers kernel/time/timer.c:1699 [inline]
__run_timers+0x53e/0x800 kernel/time/timer.c:1970
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1983
handle_softirqs+0x339/0x830 kernel/softirq.c:576
__do_softirq kernel/softirq.c:610 [inline]
invoke_softirq kernel/softirq.c:450 [inline]
__irq_exit_rcu+0x13b/0x230 kernel/softirq.c:659
irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:default_idle+0xb/0x10 arch/x86/kernel/process.c:730
Code: b7 48 89 df e8 e6 97 f7 f7 eb ad e8 4f af f6 ff 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 00 cc 66 90 0f 00 2d d7 05 5f 00 fb f4 <c3> 0f 1f 40 00 41 57 41 56 53 49 be 00 00 00 00 00 fc ff df 65 48
RSP: 0018:ffffc90000d67d48 EFLAGS: 000002c2
RAX: fbca2809bb9b4700 RBX: ffff888016e98000 RCX: fbca2809bb9b4700
RDX: 0000000000000001 RSI: ffffffff8a2b3180 RDI: ffffffff8a7a09c0
RBP: ffffc90000d67e80 R08: ffff8880b913b30b R09: 1ffff11017227661
R10: dffffc0000000000 R11: ffffed1017227662 R12: 1ffff920001acfb4
R13: dffffc0000000000 R14: 1ffff11002dd3000 R15: 0000000000000000
default_idle_call+0x81/0xc0 kernel/sched/idle.c:112
cpuidle_idle_call kernel/sched/idle.c:202 [inline]
do_idle+0x3a1/0x650 kernel/sched/idle.c:326
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:424
start_secondary+0x330/0x430 arch/x86/kernel/smpboot.c:281
secondary_startup_64_no_verify+0xb1/0xbb
</TASK>
================================================================================
----------------
Code disassembly (best guess):
0: b7 48 mov $0x48,%bh
2: 89 df mov %ebx,%edi
4: e8 e6 97 f7 f7 call 0xf7f797ef
9: eb ad jmp 0xffffffb8
b: e8 4f af f6 ff call 0xfff6af5f
10: 00 00 add %al,(%rax)
12: cc int3
13: cc int3
14: 00 00 add %al,(%rax)
16: cc int3
17: cc int3
18: 00 00 add %al,(%rax)
1a: cc int3
1b: cc int3
1c: 00 00 add %al,(%rax)
1e: cc int3
1f: 66 90 xchg %ax,%ax
21: 0f 00 2d d7 05 5f 00 verw 0x5f05d7(%rip) # 0x5f05ff
28: fb sti
29: f4 hlt
* 2a: c3 ret <-- trapping instruction
2b: 0f 1f 40 00 nopl 0x0(%rax)
2f: 41 57 push %r15
31: 41 56 push %r14
33: 53 push %rbx
34: 49 be 00 00 00 00 00 movabs $0xdffffc0000000000,%r14
3b: fc ff df
3e: 65 gs
3f: 48 rex.W


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot

4:27 AM (2 hours ago) 4:27 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 228da13e907e Linux 6.1.175
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15fffdb6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=29caf4bae4b0566f
dashboard link: https://syzkaller.appspot.com/bug?extid=74b75376ca81b21ff7ca
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10c8c8ae580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12dc6156580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bf27a408696a/disk-228da13e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/264d4943ab43/vmlinux-228da13e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a499b0d2a133/Image-228da13e.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+74b753...@syzkaller.appspotmail.com

================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:741:31
index 38062 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call trace:
dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack+0x30/0x40 lib/dump_stack.c:88
dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
dump_stack+0x1c/0x5c lib/dump_stack.c:113
ubsan_epilogue+0x14/0x48 lib/ubsan.c:151
__ubsan_handle_out_of_bounds+0xd0/0xf8 lib/ubsan.c:282
aiptek_irq+0x1974/0x22c0 drivers/input/tablet/aiptek.c:741
__usb_hcd_giveback_urb+0x2e0/0x500 drivers/usb/core/hcd.c:1675
usb_hcd_giveback_urb+0x100/0x3b8 drivers/usb/core/hcd.c:1758
dummy_timer+0x5e8/0x244c drivers/usb/gadget/udc/dummy_hcd.c:2004
__run_hrtimer kernel/time/hrtimer.c:1751 [inline]
__hrtimer_run_queues+0x438/0xc40 kernel/time/hrtimer.c:1815
hrtimer_run_softirq+0x160/0x400 kernel/time/hrtimer.c:1832
handle_softirqs+0x318/0xc60 kernel/softirq.c:596
__do_softirq+0x14/0x20 kernel/softirq.c:630
____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80
call_on_irq_stack+0x30/0x48 arch/arm64/kernel/entry.S:897
do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:85
invoke_softirq kernel/softirq.c:477 [inline]
__irq_exit_rcu+0x23c/0x438 kernel/softirq.c:679
irq_exit_rcu+0x14/0x84 kernel/softirq.c:691
__el1_irq arch/arm64/kernel/entry-common.c:472 [inline]
el1_interrupt+0x38/0x54 arch/arm64/kernel/entry-common.c:486
el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:491
el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:581
arch_local_irq_enable+0xc/0x18 arch/arm64/include/asm/irqflags.h:35
default_idle_call+0x68/0xd8 kernel/sched/idle.c:109
cpuidle_idle_call kernel/sched/idle.c:199 [inline]
do_idle+0x35c/0x600 kernel/sched/idle.c:323
cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:422
secondary_start_kernel+0x198/0x1bc arch/arm64/kernel/smp.c:265
__secondary_switched+0xb0/0xb4 arch/arm64/kernel/head.S:618
================================================================================
================================================================================
UBSAN: array-index-out-of-bounds in drivers/input/tablet/aiptek.c:763:30
index 38063 is out of range for type 'const int[34]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call trace:
dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack+0x30/0x40 lib/dump_stack.c:88
dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
dump_stack+0x1c/0x5c lib/dump_stack.c:113
ubsan_epilogue+0x14/0x48 lib/ubsan.c:151
__ubsan_handle_out_of_bounds+0xd0/0xf8 lib/ubsan.c:282
aiptek_irq+0x1844/0x22c0 drivers/input/tablet/aiptek.c:763
__usb_hcd_giveback_urb+0x2e0/0x500 drivers/usb/core/hcd.c:1675
usb_hcd_giveback_urb+0x100/0x3b8 drivers/usb/core/hcd.c:1758
dummy_timer+0x5e8/0x244c drivers/usb/gadget/udc/dummy_hcd.c:2004
__run_hrtimer kernel/time/hrtimer.c:1751 [inline]
__hrtimer_run_queues+0x438/0xc40 kernel/time/hrtimer.c:1815
hrtimer_run_softirq+0x160/0x400 kernel/time/hrtimer.c:1832
handle_softirqs+0x318/0xc60 kernel/softirq.c:596
__do_softirq+0x14/0x20 kernel/softirq.c:630
____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80
call_on_irq_stack+0x30/0x48 arch/arm64/kernel/entry.S:897
do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:85
invoke_softirq kernel/softirq.c:477 [inline]
__irq_exit_rcu+0x23c/0x438 kernel/softirq.c:679
irq_exit_rcu+0x14/0x84 kernel/softirq.c:691
__el1_irq arch/arm64/kernel/entry-common.c:472 [inline]
el1_interrupt+0x38/0x54 arch/arm64/kernel/entry-common.c:486
el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:491
el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:581
arch_local_irq_enable+0xc/0x18 arch/arm64/include/asm/irqflags.h:35
default_idle_call+0x68/0xd8 kernel/sched/idle.c:109
cpuidle_idle_call kernel/sched/idle.c:199 [inline]
do_idle+0x35c/0x600 kernel/sched/idle.c:323
cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:422
secondary_start_kernel+0x198/0x1bc arch/arm64/kernel/smp.c:265
__secondary_switched+0xb0/0xb4 arch/arm64/kernel/head.S:618
================================================================================
aiptek 1-1:0.0: aiptek_irq - usb_submit_urb failed with result -19