mirror of https://github.com/postgres/postgres.git synced 2026-01-26 09:41:40 +03:00

aio: io_uring: Fix danger of completion getting reused before being read

We called io_uring_cqe_seen(..., cqe) before reading cqe->res. That allows the
completion to be reused, which in turn could lead to cqe->res being
overwritten. The window for that is very narrow and the likelihood of it
happening is very low, as we should never actually utilize all CQEs, but the
consequences would be bad.

This bug was reported to me privately.

Backpatch-through: 18
Discussion: https://postgr.es/m/bwo3e5lj2dgi2wzq4yvbyzu7nmwueczvvzioqsqo6azu6lm5oy@pbx75g2ach3p
This commit is contained in:
Andres Freund
2026-01-15 10:17:51 -05:00
parent d9c3c94365
commit 8077649907


@@ -559,13 +559,14 @@ pgaio_uring_drain_locked(PgAioUringContext *context)
for (int i = 0; i < ncqes; i++)
{
struct io_uring_cqe *cqe = cqes[i];
PgAioHandle *ioh;
PgAioHandle *ioh = io_uring_cqe_get_data(cqe);
int result = cqe->res;
ioh = io_uring_cqe_get_data(cqe);
errcallback.arg = ioh;
io_uring_cqe_seen(&context->io_uring_ring, cqe);
pgaio_io_process_completion(ioh, cqe->res);
pgaio_io_process_completion(ioh, result);
errcallback.arg = NULL;
}
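Review bot: The copy of `cqe->res` into `result` before the `io_uring_cqe_seen(&context->io_uring_ring, cqe)` call carries the whole fix, but nothing in the hunk records why the order matters, so a later cleanup could fold `result` back into the `pgaio_io_process_completion()` argument and silently reintroduce the reuse window the commit message describes. A one-line comment above `int result = cqe->res;` along the lines of `/* read before io_uring_cqe_seen(): afterwards the kernel may reuse this CQE */` would pin it. The same ordering argument covers `io_uring_cqe_get_data(cqe)`, which now also reads the CQE before it is marked seen, so the comment could note that every field of `cqe` must be consumed before that call.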