Linux kernel libata deferred QC work cancellation flaw
CVE-2026-23355 Published on March 25, 2026
ata: libata: cancel pending work after clearing deferred_qc
In the Linux kernel, the following vulnerability has been resolved:
ata: libata: cancel pending work after clearing deferred_qc
Syzbot reported a WARN_ON() in ata_scsi_deferred_qc_work(), caused by
ap->ops->qc_defer() returning non-zero before issuing the deferred qc.
ata_scsi_schedule_deferred_qc() is called during each command completion.
This function will check if there is a deferred QC, and if
ap->ops->qc_defer() returns zero, meaning that it is possible to queue the
deferred qc at this time (without being deferred), then it will queue the
work which will issue the deferred qc.
Once the work get to run, which can potentially be a very long time after
the work was scheduled, there is a WARN_ON() if ap->ops->qc_defer() returns
non-zero.
While we hold the ap->lock both when assigning and clearing deferred_qc,
and the work itself holds the ap->lock, the code currently does not cancel
the work after clearing the deferred qc.
This means that the following scenario can happen:
1) One or several NCQ commands are queued.
2) A non-NCQ command is queued, gets stored in ap->deferred_qc.
3) Last NCQ command gets completed, work is queued to issue the deferred
qc.
4) Timeout or error happens, ap->deferred_qc is cleared. The queued work is
currently NOT canceled.
5) Port is reset.
6) One or several NCQ commands are queued.
7) A non-NCQ command is queued, gets stored in ap->deferred_qc.
8) Work is finally run. Yet at this time, there is still NCQ commands in
flight.
The work in 8) really belongs to the non-NCQ command in 2), not to the
non-NCQ command in 7). The reason why the work is executed when it is not
supposed to, is because it was never canceled when ap->deferred_qc was
cleared in 4). Thus, ensure that we always cancel the work after clearing
ap->deferred_qc.
Another potential fix would have been to let ata_scsi_deferred_qc_work() do
nothing if ap->ops->qc_defer() returns non-zero. However, canceling the
work when clearing ap->deferred_qc seems slightly more logical, as we hold
the ap->lock when clearing ap->deferred_qc, so we know that the work cannot
be holding the lock. (The function could be waiting for the lock, but that
is okay since it will do nothing if ap->deferred_qc is not set.)
Products Associated with CVE-2026-23355
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version ce22aaed011206fed9cbd8c9c2d44718607f31ee and below 0d12453818c35e1ded84633152c6b05002ae48b9 is affected.
- Version 888cd7e40adb2ef4af1b4d3b6e2e83ad409ae8c2 and below 6c5e8f16b5e8e614e829aaf38619bdd79107bb0a is affected.
- Version 5d61a38a60e62750526d94663b69b7ac5c7f07a5 and below 58e658763ba2aa9168d8516b98a6314d7461a53e is affected.
- Version 0ea84089dbf62a92dc7889c79e6b18fc89260808 and below aac9b27f7c1f2b2cf7f50a9ca633ecbbcaf22af9 is affected.
- Version 33abac5b5a5303ba2c66d89e063a806033be07fc is affected.
- Version 21e0d7a15a789e99be89231dae25cb6ffc482a7c is affected.
- Version 7.0-rc1 is affected.
- Before 7.0-rc1 is unaffected.
- Version 6.18.18, <= 6.18.* is unaffected.
- Version 6.19.7, <= 6.19.* is unaffected.
- Version 7.0-rc3, <= * is unaffected.