From 1ac9d69dc6292d204cac68b8ec18b6c61e33879e Mon Sep 17 00:00:00 2001 From: Andres Freund Date: Thu, 15 Jan 2026 10:17:51 -0500 Subject: [PATCH v1] aio: io_uring: Fix danger of completion getting reused before being read We called io_uring_cqe_seen(..., cqe) before reading cqe->res. That allows the completion to be reused, which in turn could lead to cqe->res being overwritten. The window for that is very narrow and the likelihood of it happening is very low, as we should never actually utilize all CQEs, but the consequences would be bad. This bug was reported to me privately. Backpatch-through: 18 --- src/backend/storage/aio/method_io_uring.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/backend/storage/aio/method_io_uring.c b/src/backend/storage/aio/method_io_uring.c index af58c6118ac..f2527ae61dd 100644 --- a/src/backend/storage/aio/method_io_uring.c +++ b/src/backend/storage/aio/method_io_uring.c @@ -559,13 +559,14 @@ pgaio_uring_drain_locked(PgAioUringContext *context) for (int i = 0; i < ncqes; i++) { struct io_uring_cqe *cqe = cqes[i]; - PgAioHandle *ioh; + PgAioHandle *ioh = io_uring_cqe_get_data(cqe); + int result = cqe->res; - ioh = io_uring_cqe_get_data(cqe); errcallback.arg = ioh; + io_uring_cqe_seen(&context->io_uring_ring, cqe); - pgaio_io_process_completion(ioh, cqe->res); + pgaio_io_process_completion(ioh, result); errcallback.arg = NULL; } -- 2.48.1.76.g4e746b1a31.dirty