CVE-2026-23355
Description
In the Linux kernel, the following vulnerability has been resolved:
ata: libata: cancel pending work after clearing deferred_qc
Syzbot reported a WARN_ON() in ata_scsi_deferred_qc_work(), caused by ap->ops->qc_defer() returning non-zero before issuing the deferred qc.
ata_scsi_schedule_deferred_qc() is called during each command completion. This function will check if there is a deferred QC, and if ap->ops->qc_defer() returns zero, meaning that it is possible to queue the deferred qc at this time (without being deferred), then it will queue the work which will issue the deferred qc.
Once the work get to run, which can potentially be a very long time after the work was scheduled, there is a WARN_ON() if ap->ops->qc_defer() returns non-zero.
While we hold the ap->lock both when assigning and clearing deferred_qc, and the work itself holds the ap->lock, the code currently does not cancel the work after clearing the deferred qc.
This means that the following scenario can happen: 1) One or several NCQ commands are queued. 2) A non-NCQ command is queued, gets stored in ap->deferred_qc. 3) Last NCQ command gets completed, work is queued to issue the deferred qc. 4) Timeout or error happens, ap->deferred_qc is cleared. The queued work is currently NOT canceled. 5) Port is reset. 6) One or several NCQ commands are queued. 7) A non-NCQ command is queued, gets stored in ap->deferred_qc. 8) Work is finally run. Yet at this time, there is still NCQ commands in flight.
The work in 8) really belongs to the non-NCQ command in 2), not to the non-NCQ command in 7). The reason why the work is executed when it is not supposed to, is because it was never canceled when ap->deferred_qc was cleared in 4). Thus, ensure that we always cancel the work after clearing ap->deferred_qc.
Another potential fix would have been to let ata_scsi_deferred_qc_work() do nothing if ap->ops->qc_defer() returns non-zero. However, canceling the work when clearing ap->deferred_qc seems slightly more logical, as we hold the ap->lock when clearing ap->deferred_qc, so we know that the work cannot be holding the lock. (The function could be waiting for the lock, but that is okay since it will do nothing if ap->deferred_qc is not set.)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Linux kernel's libata where pending work is not canceled after clearing deferred_qc can trigger a WARN_ON, leading to system instability.
In the Linux kernel's libata subsystem, a race condition exists where pending work (ata_scsi_deferred_qc_work) is not canceled after clearing the deferred_qc field. This can cause a WARN_ON() when the work eventually runs and finds that ap->ops->qc_defer() returns non-zero, indicating that the deferred command should not be issued at that time [1].
The race is triggered by a specific sequence: NCQ commands are queued, a non-NCQ command is deferred, then the last NCQ completes and schedules the work. If a timeout or error clears deferred_qc without canceling the work, and new NCQ commands are queued along with another non-NCQ command, the stale work runs later when NCQ commands are still in flight, causing the warning [1].
The impact is a kernel WARN_ON() which, while not directly exploitable for privilege escalation, can indicate a bug and lead to system instability or denial of service. The CVSS score of 5.5 (Medium) reflects this moderate severity.
The fix ensures that the work is canceled whenever deferred_qc is cleared, preventing the race. The patch has been applied to the Linux kernel stable trees [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.