--- /dev/null
+From ee0e6e69a772d601e152e5368a1da25d656122a8 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 5 Mar 2026 18:48:05 -0800
+Subject: ata: libata-eh: Fix detection of deferred qc timeouts
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit ee0e6e69a772d601e152e5368a1da25d656122a8 upstream.
+
+If the ata_qc_for_each_raw() loop finishes without finding a matching SCSI
+command for any QC, the variable qc will hold a pointer to the last element
+examined, which has the tag i == ATA_MAX_QUEUE - 1. This qc can match the
+port deferred QC (ap->deferred_qc).
+
+If that happens, the condition qc == ap->deferred_qc evaluates to true
+despite the loop not breaking with a match on the SCSI command for this QC.
+In that case, the error handler mistakenly intercepts a command that has
+not been issued yet and that has not timed out, and thus erroneously
+returning a timeout error.
+
+Fix the problem by checking for i < ATA_MAX_QUEUE in addition to
+qc == ap->deferred_qc.
+
+The problem was found by an experimental code review agent based on
+gemini-3.1-pro while reviewing backports into v6.18.y.
+
+Assisted-by: Gemini:gemini-3.1-pro
+Fixes: eddb98ad9364 ("ata: libata-eh: correctly handle deferred qc timeouts")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+[cassel: modified commit log as suggested by Damien]
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-eh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -649,7 +649,7 @@ void ata_scsi_cmd_error_handler(struct S
+ break;
+ }
+
+- if (qc == ap->deferred_qc) {
++ if (i < ATA_MAX_QUEUE && qc == ap->deferred_qc) {
+ /*
+ * This is a deferred command that timed out while
+ * waiting for the command queue to drain. Since the qc
projects / thirdparty / kernel / stable-queue.git / commitdiff
