From 8077649907d40b9831358d0c5121a8c58267a988 Mon Sep 17 00:00:00 2001 From: Andres Freund Date: Thu, 15 Jan 2026 10:17:51 -0500 Subject: [PATCH] aio: io_uring: Fix danger of completion getting reused before being read We called io_uring_cqe_seen(..., cqe) before reading cqe->res. That allows the completion to be reused, which in turn could lead to cqe->res being overwritten. The window for that is very narrow and the likelihood of it happening is very low, as we should never actually utilize all CQEs, but the consequences would be bad. This bug was reported to me privately. Backpatch-through: 18 Discussion: https://postgr.es/m/bwo3e5lj2dgi2wzq4yvbyzu7nmwueczvvzioqsqo6azu6lm5oy@pbx75g2ach3p --- src/backend/storage/aio/method_io_uring.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/backend/storage/aio/method_io_uring.c b/src/backend/storage/aio/method_io_uring.c index af58c6118ac..f2527ae61dd 100644 --- a/src/backend/storage/aio/method_io_uring.c +++ b/src/backend/storage/aio/method_io_uring.c @@ -559,13 +559,14 @@ pgaio_uring_drain_locked(PgAioUringContext *context) for (int i = 0; i < ncqes; i++) { struct io_uring_cqe *cqe = cqes[i]; - PgAioHandle *ioh; + PgAioHandle *ioh = io_uring_cqe_get_data(cqe); + int result = cqe->res; - ioh = io_uring_cqe_get_data(cqe); errcallback.arg = ioh; + io_uring_cqe_seen(&context->io_uring_ring, cqe); - pgaio_io_process_completion(ioh, cqe->res); + pgaio_io_process_completion(ioh, result); errcallback.arg = NULL; }