aio: io_uring: Fix danger of completion getting reused before being read

We called io_uring_cqe_seen(..., cqe) before reading cqe->res. That allows the
completion to be reused, which in turn could lead to cqe->res being
overwritten. The window for that is very narrow and the likelihood of it
happening is very low, as we should never actually utilize all CQEs, but the
consequences would be bad.

This bug was reported to me privately.

Backpatch-through: 18
Discussion: https://postgr.es/m/bwo3e5lj2dgi2wzq4yvbyzu7nmwueczvvzioqsqo6azu6lm5oy@pbx75g2ach3p

diff --git a/src/backend/storage/aio/method_io_uring.c b/src/backend/storage/aio/method_io_uring.c
index af58c6118ac1df1f4330297e9a62ea397a3b2992..f2527ae61dd26273f84abec9c9297cf79d396e51 100644 (file)
--- a/src/backend/storage/aio/method_io_uring.c
+++ b/src/backend/storage/aio/method_io_uring.c
@@ -559,13 +559,14 @@ pgaio_uring_drain_locked(PgAioUringContext *context)
                for (int i = 0; i < ncqes; i++)
                {
                        struct io_uring_cqe *cqe = cqes[i];
-                       PgAioHandle *ioh;
+                       PgAioHandle *ioh = io_uring_cqe_get_data(cqe);
+                       int result = cqe->res;
 
-                       ioh = io_uring_cqe_get_data(cqe);
                        errcallback.arg = ioh;
+
                        io_uring_cqe_seen(&context->io_uring_ring, cqe);
 
-                       pgaio_io_process_completion(ioh, cqe->res);
+                       pgaio_io_process_completion(ioh, result);
                        errcallback.arg = NULL;
                }