net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()

Summary

CVE	CVE-2024-40995
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2024-07-12 13:15:20 UTC
Updated	2026-05-12 12:17:02 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() syzbot found hanging tasks waiting on rtnl_lock [1] A reproducer is available in the syzbot bug. When a request to add multiple actions with the same index is sent, the second request will block forever on the first request. This holds rtnl_lock, and causes tasks to hang. Return -EAGAIN to prevent infinite looping, while keeping documented behavior. [1] INFO: task kworker/1:0:5088 blocked for more than 143 seconds. Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000 Workqueue: events_power_efficient reg_check_chans_work Call Trace: <TASK> context_switch kernel/sched/core.c:5409 [inline] __schedule+0xf15/0x5d00 kernel/sched/core.c:6746 __schedule_loop kernel/sched/core.c:6823 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6838 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 wiphy_lock include/net/cfg80211.h:5953 [inline] reg_leave_invalid_chans net/wireless/reg.c:2466 [inline] reg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-835

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 0190c1d452a91c38a3462abdd81752be1b9006a8 0d8a2d287c8a394c0d4653f0c6c7be4c688e5a74 git	Not specified
CNA	Linux	Linux	affected 0190c1d452a91c38a3462abdd81752be1b9006a8 c6a7da65a296745535a964be1019ec7691b0cb90 git	Not specified
CNA	Linux	Linux	affected 0190c1d452a91c38a3462abdd81752be1b9006a8 25987a97eec4d5f897cd04ee1b45170829c610da git	Not specified
CNA	Linux	Linux	affected 0190c1d452a91c38a3462abdd81752be1b9006a8 6fc78d67f51aeb9a542d39a8714e16bc411582d4 git	Not specified
CNA	Linux	Linux	affected 0190c1d452a91c38a3462abdd81752be1b9006a8 5f926aa96b08b6c47178fe1171e7ae331c695fc2 git	Not specified
CNA	Linux	Linux	affected 0190c1d452a91c38a3462abdd81752be1b9006a8 7a0e497b597df7c4cf2b63fc6e9188b6cabe5335 git	Not specified
CNA	Linux	Linux	affected 0190c1d452a91c38a3462abdd81752be1b9006a8 d864319871b05fadd153e0aede4811ca7008f5d6 git	Not specified
CNA	Linux	Linux	affected 4.19	Not specified
CNA	Linux	Linux	unaffected 4.19 semver	Not specified
CNA	Linux	Linux	unaffected 5.4.279 5.4.* semver	Not specified
CNA	Linux	Linux	unaffected 5.10.221 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.162 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.96 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.36 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.9.7 6.9.* semver	Not specified
CNA	Linux	Linux	unaffected 6.10 * original_commit_for_fix	Not specified
ADP	Siemens	RUGGEDCOM RST2428P	affected V3.1 custom	Not specified
ADP	Siemens	RUGGEDCOM RST2428P	unaffected * custom	Not specified
ADP	Siemens	SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 Family	unaffected * custom	Not specified
ADP	Siemens	SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 Family	unaffected * custom	Not specified
ADP	Siemens	SCALANCE XCM-/XRM-/XCH-/XRH-300 Family	affected V3.1 custom	Not specified
ADP	Siemens	SCALANCE XCM-/XRM-/XCH-/XRH-300 Family	unaffected * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 TM MFP - GNU/Linux Subsystem	affected * custom	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/5f926aa96b08b6c47178fe1171e7ae331c695fc2	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/7a0e497b597df7c4cf2b63fc6e9188b6cabe5335	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/0d8a2d287c8a394c0d4653f0c6c7be4c688e5a74	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/25987a97eec4d5f897cd04ee1b45170829c610da	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
cert-portal.siemens.com/productcert/html/ssa-265688.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
git.kernel.org/stable/c/d864319871b05fadd153e0aede4811ca7008f5d6	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/c6a7da65a296745535a964be1019ec7691b0cb90	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
cert-portal.siemens.com/productcert/html/ssa-613116.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
cert-portal.siemens.com/productcert/html/ssa-355557.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
lists.debian.org/debian-lts-announce/2025/01/msg00001.html	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org
git.kernel.org/stable/c/6fc78d67f51aeb9a542d39a8714e16bc411582d4	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.