Hi Takashi,

> The sco_send_frame() also takes lock_sock() during memcpy_from_msg()
> call that may be endlessly blocked by a task with userfaultfd
> technique, and this will result in a hung task watchdog trigger.
>
> Just like the similar fix for hci_sock_sendmsg() in commit
> 92c685dc5de0 ("Bluetooth: reorganize functions..."), this patch moves
> the memcpy_from_msg() out of lock_sock() for addressing the hang.
>
> This should be the last piece for fixing CVE-2021-3640 after a few
> already queued fixes.
>
> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> ---
> net/bluetooth/sco.c | 23 +++++++++++++++--------
> 1 file changed, 15 insertions(+), 8 deletions(-)

Patch has been applied to bluetooth-next tree.

Regards

Marcel