CVE-2021-47582

In the Linux kernel, the following vulnerability has been resolved: USB:
core: Make do_proc_control() and do_proc_bulk() killable The
USBDEVFS_CONTROL and USBDEVFS_BULK ioctls invoke usb_start_wait_urb(),
which contains an uninterruptible wait with a user-specified timeout value.
If timeout value is very large and the device being accessed does not
respond in a reasonable amount of time, the kernel will complain about
“Task X blocked for more than N seconds”, as found in testing by syzbot:
INFO: task syz-executor.0:8700 blocked for more than 143 seconds. Not
tainted 5.14.0-rc7-syzkaller #0 “echo 0 >
/proc/sys/kernel/hung_task_timeout_secs” disables this message.
task:syz-executor.0 state:D stack:23192 pid: 8700 ppid: 8455
flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:4681
[inline] __schedule+0xc07/0x11f0 kernel/sched/core.c:5938
schedule+0x14b/0x210 kernel/sched/core.c:6017 schedule_timeout+0x98/0x2f0
kernel/time/timer.c:1857 do_wait_for_common+0x2da/0x480
kernel/sched/completion.c:85 __wait_for_common
kernel/sched/completion.c:106 [inline] wait_for_common
kernel/sched/completion.c:117 [inline]
wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157
usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63
do_proc_bulk+0x978/0x1080 drivers/usb/core/devio.c:1236 proc_bulk
drivers/usb/core/devio.c:1273 [inline] usbdev_do_ioctl
drivers/usb/core/devio.c:2547 [inline] usbdev_ioctl+0x3441/0x6b10
drivers/usb/core/devio.c:2713 … To fix this problem, this patch replaces
usbfs’s calls to usb_control_msg() and usb_bulk_msg() with special-purpose
code that does essentially the same thing (as recommended in the comment
for usb_start_wait_urb()), except that it always uses a killable wait and
it uses GFP_KERNEL rather than GFP_NOIO.