CVE-2021-47582: USB: core: Make do_proc_control() and do_proc_bulk() killable
In the Linux kernel, the following vulnerability has been resolved:
USB: core: Make do_proc_control() and do_proc_bulk() killable
The USBDEVFS_CONTROL and USBDEVFS_BULK ioctls invoke
usb_start_wait_urb(), which contains an uninterruptible wait with a
user-specified timeout value. If timeout value is very large and the
device being accessed does not respond in a reasonable amount of time,
the kernel will complain about "Task X blocked for more than N
seconds", as found in testing by syzbot:
INFO: task syz-executor.0:8700 blocked for more than 143 seconds.
Not tainted 5.14.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:23192 pid: 8700 ppid: 8455 flags:0x00004004
Call Trace:
context_switch kernel/sched/core.c:4681 [inline]
__schedule+0xc07/0x11f0 kernel/sched/core.c:5938
schedule+0x14b/0x210 kernel/sched/core.c:6017
schedule_timeout+0x98/0x2f0 kernel/time/timer.c:1857
do_wait_for_common+0x2da/0x480 kernel/sched/completion.c:85
__wait_for_common kernel/sched/completion.c:106 [inline]
wait_for_common kernel/sched/completion.c:117 [inline]
wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157
usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63
do_proc_bulk+0x978/0x1080 drivers/usb/core/devio.c:1236
proc_bulk drivers/usb/core/devio.c:1273 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2547 [inline]
usbdev_ioctl+0x3441/0x6b10 drivers/usb/core/devio.c:2713
...
To fix this problem, this patch replaces usbfs's calls to
usb_control_msg() and usb_bulk_msg() with special-purpose code that
does essentially the same thing (as recommended in the comment for
usb_start_wait_urb()), except that it always uses a killable wait and
it uses GFP_KERNEL rather than GFP_NOIO.
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue can let a process become stuck while waiting on a nonresponsive USB device with a very long timeout. The main business risk is local denial of service or operational disruption on systems where users or services can interact with USB devices through usbfs.
Executive priority
Treat this as a kernel reliability issue with local denial-of-service potential, not a confirmed remote compromise. Prioritize patching USB-exposed workstations, kiosks, build hosts, lab systems, and hardware appliances before general server fleets with no USB access.
Technical view
USBDEVFS_CONTROL and USBDEVFS_BULK ioctls used usb_start_wait_urb() with an uninterruptible wait and user-specified timeout. A nonresponsive USB device plus a large timeout could leave tasks blocked in D state and trigger hung-task warnings. The fix replaces those paths with killable waits for usbfs control and bulk handling.
Likely exposure
Exposure is most plausible on Linux systems allowing local users, containers, services, or hardware-facing workloads to access USB device nodes. Internet-only servers without USB access are less likely exposed. The source metadata lists affected Linux kernel ranges starting at 2.6.12 and fixed around 5.15.11 or 5.16, but distro backports must be confirmed.
Exploitation context
The supplied sources do not show active exploitation, and KEV is false. The described trigger came from syzbot testing. Abuse appears to require local access to usbfs ioctls and a USB device behavior that fails to respond within a reasonable time.
Researcher notes
The record lacks CVSS, CWE, and detailed distro mappings. The key behavioral change is replacing uninterruptible waits in usbfs control and bulk ioctl handling with killable waits. Avoid assuming privilege escalation or remote reachability without additional vendor evidence.
Mitigation direction
Apply vendor kernel updates containing the referenced stable fixes.
Confirm distribution advisories for backported fixes, not only upstream version numbers.
Restrict unnecessary access to USB device nodes and usbfs interfaces.
Reduce local untrusted user access on systems with attached USB devices.
Monitor for repeated hung-task warnings involving drivers/usb/core/devio.c.
Validation and detection
Inventory kernel versions and vendor patch levels across USB-capable systems.
Check whether users, containers, or services can access USB device nodes.
Review logs for hung tasks in usb_start_wait_urb or usbdev_ioctl paths.
Verify the stable commit or vendor equivalent is present.
Confirm regression tests cover USB ioctl timeout behavior if locally maintained.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47582 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.