Hmm, this is a surprising bug. syzbot provided a C reproducer, but the definition of "struct serial_struct" used in that reproducer is wrong. As a result, syzbot was reporting a crash caused by passing wrong arguments. ;-)

The close_delay field used in the C reproducer is sizeof(unsigned int) bytes rather than sizeof(unsigned short) bytes, so the fields after close_delay end up at the wrong offsets and are misinterpreted.

----------------------------------------
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/serial.h>

struct bad_serial_struct {
	int type;
	int line;
	unsigned int port;
	int irq;
	int flags;
	int xmit_fifo_size;
	int custom_divisor;
	int baud_base;
	unsigned int close_delay; /* Correct type is "unsigned short". */
	char io_type;
	char reserved_char[1];
	int hub6;
	unsigned short closing_wait;
	unsigned short closing_wait2;
	unsigned char *iomem_base;
	unsigned short iomem_reg_shift;
	unsigned int port_high;
	unsigned long iomap_base;
};

int main(int argc, char *argv[])
{
	struct bad_serial_struct ss = { };
	int fd = open("/dev/ttyS3", O_RDONLY);
	ss.type = 0xa;
	ss.line = 0x400000;
	ss.port = 0x100;
	ss.irq = 0;
	ss.flags = 0x400000;
	ss.xmit_fifo_size = 0;
	ss.custom_divisor = 0;
	ss.baud_base = 0x80000;
	ss.close_delay = 0x200ff;
	ss.io_type = 0;
	ss.reserved_char[0] = 0x41;
	ss.hub6 = 3;
	ss.closing_wait = 0;
	ss.closing_wait2 = 0x7c5;
	ss.iomem_base = NULL;
	ss.iomem_reg_shift = 0;
	ss.port_high = 0;
	ss.iomap_base = 0;
	ioctl(fd, TIOCSSERIAL, &ss);
	return 0;
}
----------------------------------------