CVE-2026-23355 (GCVE-0-2026-23355)
Vulnerability from cvelistv5
Published
2026-03-25 10:27
Modified
2026-04-13 06:05
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: ata: libata: cancel pending work after clearing deferred_qc Syzbot reported a WARN_ON() in ata_scsi_deferred_qc_work(), caused by ap->ops->qc_defer() returning non-zero before issuing the deferred qc. ata_scsi_schedule_deferred_qc() is called during each command completion. This function will check if there is a deferred QC, and if ap->ops->qc_defer() returns zero, meaning that it is possible to queue the deferred qc at this time (without being deferred), then it will queue the work which will issue the deferred qc. Once the work get to run, which can potentially be a very long time after the work was scheduled, there is a WARN_ON() if ap->ops->qc_defer() returns non-zero. While we hold the ap->lock both when assigning and clearing deferred_qc, and the work itself holds the ap->lock, the code currently does not cancel the work after clearing the deferred qc. This means that the following scenario can happen: 1) One or several NCQ commands are queued. 2) A non-NCQ command is queued, gets stored in ap->deferred_qc. 3) Last NCQ command gets completed, work is queued to issue the deferred qc. 4) Timeout or error happens, ap->deferred_qc is cleared. The queued work is currently NOT canceled. 5) Port is reset. 6) One or several NCQ commands are queued. 7) A non-NCQ command is queued, gets stored in ap->deferred_qc. 8) Work is finally run. Yet at this time, there is still NCQ commands in flight. The work in 8) really belongs to the non-NCQ command in 2), not to the non-NCQ command in 7). The reason why the work is executed when it is not supposed to, is because it was never canceled when ap->deferred_qc was cleared in 4). Thus, ensure that we always cancel the work after clearing ap->deferred_qc. Another potential fix would have been to let ata_scsi_deferred_qc_work() do nothing if ap->ops->qc_defer() returns non-zero. However, canceling the work when clearing ap->deferred_qc seems slightly more logical, as we hold the ap->lock when clearing ap->deferred_qc, so we know that the work cannot be holding the lock. (The function could be waiting for the lock, but that is okay since it will do nothing if ap->deferred_qc is not set.)
References
Impacted products
Vendor Product Version
Linux Linux Version: ce22aaed011206fed9cbd8c9c2d44718607f31ee
Version: 888cd7e40adb2ef4af1b4d3b6e2e83ad409ae8c2
Version: 5d61a38a60e62750526d94663b69b7ac5c7f07a5
Version: 0ea84089dbf62a92dc7889c79e6b18fc89260808
Version: 33abac5b5a5303ba2c66d89e063a806033be07fc
Version: 21e0d7a15a789e99be89231dae25cb6ffc482a7c
 Create a notification for this product.
   Linux Linux Version: 6.18.14   
Version: 6.19.4   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ata/libata-eh.c",
            "drivers/ata/libata-scsi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0d12453818c35e1ded84633152c6b05002ae48b9",
              "status": "affected",
              "version": "ce22aaed011206fed9cbd8c9c2d44718607f31ee",
              "versionType": "git"
            },
            {
              "lessThan": "6c5e8f16b5e8e614e829aaf38619bdd79107bb0a",
              "status": "affected",
              "version": "888cd7e40adb2ef4af1b4d3b6e2e83ad409ae8c2",
              "versionType": "git"
            },
            {
              "lessThan": "58e658763ba2aa9168d8516b98a6314d7461a53e",
              "status": "affected",
              "version": "5d61a38a60e62750526d94663b69b7ac5c7f07a5",
              "versionType": "git"
            },
            {
              "lessThan": "aac9b27f7c1f2b2cf7f50a9ca633ecbbcaf22af9",
              "status": "affected",
              "version": "0ea84089dbf62a92dc7889c79e6b18fc89260808",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "33abac5b5a5303ba2c66d89e063a806033be07fc",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "21e0d7a15a789e99be89231dae25cb6ffc482a7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ata/libata-eh.c",
            "drivers/ata/libata-scsi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.18.18",
              "status": "affected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThan": "6.19.7",
              "status": "affected",
              "version": "6.19.4",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.18",
                  "versionStartIncluding": "6.18.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.7",
                  "versionStartIncluding": "6.19.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.18.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.19.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata: cancel pending work after clearing deferred_qc\n\nSyzbot reported a WARN_ON() in ata_scsi_deferred_qc_work(), caused by\nap-\u003eops-\u003eqc_defer() returning non-zero before issuing the deferred qc.\n\nata_scsi_schedule_deferred_qc() is called during each command completion.\nThis function will check if there is a deferred QC, and if\nap-\u003eops-\u003eqc_defer() returns zero, meaning that it is possible to queue the\ndeferred qc at this time (without being deferred), then it will queue the\nwork which will issue the deferred qc.\n\nOnce the work get to run, which can potentially be a very long time after\nthe work was scheduled, there is a WARN_ON() if ap-\u003eops-\u003eqc_defer() returns\nnon-zero.\n\nWhile we hold the ap-\u003elock both when assigning and clearing deferred_qc,\nand the work itself holds the ap-\u003elock, the code currently does not cancel\nthe work after clearing the deferred qc.\n\nThis means that the following scenario can happen:\n1) One or several NCQ commands are queued.\n2) A non-NCQ command is queued, gets stored in ap-\u003edeferred_qc.\n3) Last NCQ command gets completed, work is queued to issue the deferred\n   qc.\n4) Timeout or error happens, ap-\u003edeferred_qc is cleared. The queued work is\n   currently NOT canceled.\n5) Port is reset.\n6) One or several NCQ commands are queued.\n7) A non-NCQ command is queued, gets stored in ap-\u003edeferred_qc.\n8) Work is finally run. Yet at this time, there is still NCQ commands in\n   flight.\n\nThe work in 8) really belongs to the non-NCQ command in 2), not to the\nnon-NCQ command in 7). The reason why the work is executed when it is not\nsupposed to, is because it was never canceled when ap-\u003edeferred_qc was\ncleared in 4). Thus, ensure that we always cancel the work after clearing\nap-\u003edeferred_qc.\n\nAnother potential fix would have been to let ata_scsi_deferred_qc_work() do\nnothing if ap-\u003eops-\u003eqc_defer() returns non-zero. However, canceling the\nwork when clearing ap-\u003edeferred_qc seems slightly more logical, as we hold\nthe ap-\u003elock when clearing ap-\u003edeferred_qc, so we know that the work cannot\nbe holding the lock. (The function could be waiting for the lock, but that\nis okay since it will do nothing if ap-\u003edeferred_qc is not set.)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T06:05:40.171Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0d12453818c35e1ded84633152c6b05002ae48b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c5e8f16b5e8e614e829aaf38619bdd79107bb0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/58e658763ba2aa9168d8516b98a6314d7461a53e"
        },
        {
          "url": "https://git.kernel.org/stable/c/aac9b27f7c1f2b2cf7f50a9ca633ecbbcaf22af9"
        }
      ],
      "title": "ata: libata: cancel pending work after clearing deferred_qc",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23355",
    "datePublished": "2026-03-25T10:27:39.514Z",
    "dateReserved": "2026-01-13T15:37:46.000Z",
    "dateUpdated": "2026-04-13T06:05:40.171Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.