From patchwork Wed Jun  8 13:51:06 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Soenke Huster <soenke.huster@eknoes.de>
X-Patchwork-Id: 581181
Return-Path: <linux-bluetooth-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id E78DCC43334
 for <linux-bluetooth@archiver.kernel.org>;
 Wed,  8 Jun 2022 13:58:46 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S240528AbiFHN6p (ORCPT
 <rfc822;linux-bluetooth@archiver.kernel.org>);
 Wed, 8 Jun 2022 09:58:45 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40238 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S240835AbiFHN6l (ORCPT
 <rfc822;linux-bluetooth@vger.kernel.org>);
 Wed, 8 Jun 2022 09:58:41 -0400
X-Greylist: delayed 403 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; 
 Wed, 08 Jun 2022 06:58:38 PDT
Received: from giacobini.uberspace.de (giacobini.uberspace.de [185.26.156.129])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1557E10F1FD
 for <linux-bluetooth@vger.kernel.org>;
 Wed,  8 Jun 2022 06:58:35 -0700 (PDT)
Received: (qmail 27567 invoked by uid 990); 8 Jun 2022 13:51:52 -0000
Authentication-Results: giacobini.uberspace.de;
        auth=pass (plain)
From: Soenke Huster <soenke.huster@eknoes.de>
To: Marcel Holtmann <marcel@holtmann.org>,
 Johan Hedberg <johan.hedberg@gmail.com>,
 Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
 "David S. Miller" <davem@davemloft.net>,
 Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
 Paolo Abeni <pabeni@redhat.com>
Cc: Soenke Huster <soenke.huster@eknoes.de>,
 linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org
Subject: [PATCH] Bluetooth: RFCOMM: Use skb_trim to trim checksum
Date: Wed,  8 Jun 2022 15:51:06 +0200
Message-Id: <20220608135105.146452-1-soenke.huster@eknoes.de>
X-Mailer: git-send-email 2.36.1
MIME-Version: 1.0
X-Rspamd-Bar: /
X-Rspamd-Report: BAYES_HAM(-2.970374) R_MISSING_CHARSET(0.5) MIME_GOOD(-0.1)
 MID_CONTAINS_FROM(1) SUSPICIOUS_RECIPS(1.5)
X-Rspamd-Score: -0.070374
Received: from unknown (HELO unkown) (::1)
 by giacobini.uberspace.de (Haraka/2.8.28) with ESMTPSA;
 Wed, 08 Jun 2022 15:51:52 +0200
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Use the skb helper instead of direct manipulation. This fixes the
following page fault, when connecting my Android phone:

    BUG: unable to handle page fault for address: ffffed1021de29ff
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    RIP: 0010:rfcomm_run+0x831/0x4040 (net/bluetooth/rfcomm/core.c:1751)

Signed-off-by: Soenke Huster <soenke.huster@eknoes.de>
---
 net/bluetooth/rfcomm/core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 7324764384b6..7360e905d045 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1747,8 +1747,8 @@ static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
 	type = __get_type(hdr->ctrl);
 
 	/* Trim FCS */
-	skb->len--; skb->tail--;
-	fcs = *(u8 *)skb_tail_pointer(skb);
+	skb_trim(skb, skb->len - 1);
+	fcs = *(skb->data + skb->len);
 
 	if (__check_fcs(skb->data, type, fcs)) {
 		BT_ERR("bad checksum in packet");