CVE-2026-23355

In the Linux kernel, the following vulnerability has been resolved:

ata: libata: cancel pending work after clearing deferred qc

Syzbot reported a WARN ON() in ata scsi deferred qc work(), caused by ap->ops->qc defer() returning non-zero before issuing the deferred qc.

ata scsi schedule deferred qc() is called during each command completion. This function will check if there is a deferred QC, and if ap->ops->qc defer() returns zero, meaning that it is possible to queue the deferred qc at this time (without being deferred), then it will queue the work which will issue the deferred qc.

Once the work get to run, which can potentially be a very long time after the work was scheduled, there is a WARN ON() if ap->ops->qc defer() returns non-zero.

While we hold the ap->lock both when assigning and clearing deferred qc, and the work itself holds the ap->lock, the code currently does not cancel the work after clearing the deferred qc.

This means that the following scenario can happen:

The work in 8) really belongs to the non-NCQ command in 2), not to the non-NCQ command in 7). The reason why the work is executed when it is not supposed to, is because it was never canceled when ap->deferred qc was cleared in 4). Thus, ensure that we always cancel the work after clearing ap->deferred qc.

Another potential fix would have been to let ata scsi deferred qc work() do nothing if ap->ops->qc defer() returns non-zero. However, canceling the work when clearing ap->deferred qc seems slightly more logical, as we hold the ap->lock when clearing ap->deferred qc, so we know that the work cannot be holding the lock. (The function could be waiting for the lock, but that is okay since it will do nothing if ap->deferred qc is not set.)