Commit ee0e6e69 authored Mar 05, 2026 by Guenter Roeck Committed by Niklas Cassel Mar 06, 2026

ata: libata-eh: Fix detection of deferred qc timeouts



If the ata_qc_for_each_raw() loop finishes without finding a matching SCSI
command for any QC, the variable qc will hold a pointer to the last element
examined, which has the tag i == ATA_MAX_QUEUE - 1. This qc can match the
port deferred QC (ap->deferred_qc).

If that happens, the condition qc == ap->deferred_qc evaluates to true
despite the loop not breaking with a match on the SCSI command for this QC.
In that case, the error handler mistakenly intercepts a command that has
not been issued yet and that has not timed out, and thus erroneously
returning a timeout error.

Fix the problem by checking for i < ATA_MAX_QUEUE in addition to
qc == ap->deferred_qc.

The problem was found by an experimental code review agent based on
gemini-3.1-pro while reviewing backports into v6.18.y.

Assisted-by: Gemini:gemini-3.1-pro
Fixes: eddb98ad ("ata: libata-eh: correctly handle deferred qc timeouts")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
[cassel: modified commit log as suggested by Damien]
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>

parent b92b0075

drivers/ata/libata-eh.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -647,7 +647,7 @@ void ata_scsi_cmd_error_handler(struct Scsi_Host host, struct ata_port ap,
		break;
		}

		if (qc == ap->deferred_qc) {
		if (i < ATA_MAX_QUEUE && qc == ap->deferred_qc) {
		/*
		* This is a deferred command that timed out while
		* waiting for the command queue to drain. Since the qc