[PATCH] ata: libata-eh: Fix detection of deferred qc timeouts

Next message: Menglong Dong: " Re: [PATCH bpf-next] selftests/bpf: Fix const qualifier warning in fexit_bpf2bpf.c"
Previous message: sun jian: "Re: [PATCH v3 v3 1/2] selftests/harness: order TEST_F and XFAIL_ADD constructors"
Next in thread: Damien Le Moal: "Re: [PATCH] ata: libata-eh: Fix detection of deferred qc timeouts"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Guenter Roeck

Date: Thu Mar 05 2026 - 21:49:25 EST

If the `ata_qc_for_each_raw()` loop finishes without finding a matching
`scmd`, `qc` will hold a pointer to the last element examined, which is
accociated with `i == ATA_MAX_QUEUE - 1`. This element can match
`ap->deferred_qc`. If that happens, the condition `qc == ap->deferred_qc`
evaluates to true despite the loop not breaking on a scmd match.
In that case, the error handler mistakenly intercepts a command that
completed normally after an unrelated SCSI timeout, returning a timeout
error instead of success.

Fix the problem by checking for i < ATA_MAX_QUEUE in addition to
qc == ap->deferred_qc.

The problem was found by an experimental code review agent based on
gemini-3.1-pro while reviewing backports into v6.18.y.

Assisted-by: Gemini:gemini-3.1-pro
Cc: Damien Le Moal <dlemoal@xxxxxxxxxx>
Cc: Niklas Cassel <cassel@xxxxxxxxxx>
Fixes: eddb98ad9364 ("ata: libata-eh: correctly handle deferred qc timeouts")
Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
---
drivers/ata/libata-eh.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
index b373cceb95d2..44fddfbb7629 100644
--- a/drivers/ata/libata-eh.c
+++ b/drivers/ata/libata-eh.c
@@ -647,7 +647,7 @@ void ata_scsi_cmd_error_handler(struct Scsi_Host *host, struct ata_port *ap,
break;
}

- if (qc == ap->deferred_qc) {
+ if (i < ATA_MAX_QUEUE && qc == ap->deferred_qc) {
/*
* This is a deferred command that timed out while
* waiting for the command queue to drain. Since the qc
--
2.45.2