CVE-2021-47582

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: core: Make do_proc_control() and do_proc_bulk() killable<br /> <br /> The USBDEVFS_CONTROL and USBDEVFS_BULK ioctls invoke<br /> usb_start_wait_urb(), which contains an uninterruptible wait with a<br /> user-specified timeout value. If timeout value is very large and the<br /> device being accessed does not respond in a reasonable amount of time,<br /> the kernel will complain about "Task X blocked for more than N<br /> seconds", as found in testing by syzbot:<br /> <br /> INFO: task syz-executor.0:8700 blocked for more than 143 seconds.<br /> Not tainted 5.14.0-rc7-syzkaller #0<br /> "echo 0 &gt; /proc/sys/kernel/hung_task_timeout_secs" disables this message.<br /> task:syz-executor.0 state:D stack:23192 pid: 8700 ppid: 8455 flags:0x00004004<br /> Call Trace:<br /> context_switch kernel/sched/core.c:4681 [inline]<br /> __schedule+0xc07/0x11f0 kernel/sched/core.c:5938<br /> schedule+0x14b/0x210 kernel/sched/core.c:6017<br /> schedule_timeout+0x98/0x2f0 kernel/time/timer.c:1857<br /> do_wait_for_common+0x2da/0x480 kernel/sched/completion.c:85<br /> __wait_for_common kernel/sched/completion.c:106 [inline]<br /> wait_for_common kernel/sched/completion.c:117 [inline]<br /> wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157<br /> usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63<br /> do_proc_bulk+0x978/0x1080 drivers/usb/core/devio.c:1236<br /> proc_bulk drivers/usb/core/devio.c:1273 [inline]<br /> usbdev_do_ioctl drivers/usb/core/devio.c:2547 [inline]<br /> usbdev_ioctl+0x3441/0x6b10 drivers/usb/core/devio.c:2713<br /> ...<br /> <br /> To fix this problem, this patch replaces usbfs&amp;#39;s calls to<br /> usb_control_msg() and usb_bulk_msg() with special-purpose code that<br /> does essentially the same thing (as recommended in the comment for<br /> usb_start_wait_urb()), except that it always uses a killable wait and<br /> it uses GFP_KERNEL rather than GFP_NOIO.