Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1w5VZU-003JvE-23
	for pgsql-hackers@arkaria.postgresql.org;
	Wed, 25 Mar 2026 21:15:24 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1w5VZT-00GX66-0c
	for pgsql-hackers@arkaria.postgresql.org;
	Wed, 25 Mar 2026 21:15:23 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <satyanarlapuram@gmail.com>)
	id 1w5VZS-00GX5t-2W
	for pgsql-hackers@lists.postgresql.org;
	Wed, 25 Mar 2026 21:15:23 +0000
Received: from mail-vs1-xe2f.google.com ([2607:f8b0:4864:20::e2f])
	by makus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.98.2)
	(envelope-from <satyanarlapuram@gmail.com>)
	id 1w5VZR-0000000123C-1h7X
	for pgsql-hackers@lists.postgresql.org;
	Wed, 25 Mar 2026 21:15:22 +0000
Received: by mail-vs1-xe2f.google.com with SMTP id
 ada2fe7eead31-60294768235so170709137.1
        for <pgsql-hackers@lists.postgresql.org>;
 Wed, 25 Mar 2026 14:15:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1774473320; cv=none;
        d=google.com; s=arc-20240605;
        b=U0sA16z1ytctoUP3L59+bSZnrZX3b2VqDX3UfGdghjE0XBsyNirh4txJvQ+/FuDhqo
         6wJYJIfZH70X/SJmRdsjVNvkDa9ITQ7evQ/CnnImegXcbOH3dRR7GDLfkTFnXdNxU+Oy
         AASL96R/QCtvWv1BEhLsSo22unU2mRgMhwBcro3sOP4IuNMfRmqwSYybeSIzE4/ZqmmP
         dAg6nP4A3mREkBAVRqH/LqtXatuZw4FfVlLbTMxnJ7f2vvK5Le1kAPD6MMBOGe8kT5lE
         cePkr+1jnQ1GeULHjhHJaSysYcNv4aR4PaqZzotEHa1CXaC7Pm4Wy8w3JDb8PJ7LGHoK
         yjVQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=to:subject:message-id:date:from:mime-version:dkim-signature;
        bh=uXHxsxHYtqUvoldgwgk6IVmH2LXLIc5gmmMQOuZNUog=;
        fh=dxJXJbLzq9Nah1LUdsj4QTuQ3JoDScd0wp1YHY64NXM=;
        b=LWX0rZVF8tIPqqJ+M7N+s91g0TMkbRkqtFm/xrbQ0yplcU2KGsaHd2iqKIsX6LPHaV
         QdHgcY5BXMskcp6dDncpUIJFtQV82gWQ0FGelltwm16XP0kGYAGwyk8b7SdlbsLLaNBG
         CfrRQWj8KtP1q8tuPvptuLSd3LI+dvHWDuJAi/CyuwICQbdoITqhsoDJ03nlJh7fiQ5L
         KxkNOFzJcvF/c4njZGGgHnpxxnbRuScljgCSTSEvO5A9p2y/AgXAQdFimg/cX7cxsO+B
         E64ezUZ0chqSD8nSSPPSOJ4RsSEtM5pyrSq683LQyXtfU4DOXYoT9g8vySvYNiIQBP4X
         nBow==;
        darn=lists.postgresql.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1774473320; x=1775078120;
 darn=lists.postgresql.org;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=uXHxsxHYtqUvoldgwgk6IVmH2LXLIc5gmmMQOuZNUog=;
        b=bQybeoCnmz0nHpu3YysUdS4wp76te3mVrGEkBJPTjbBu4NPiHlAZbdQSgGGlRTFNle
         NbP5UuZIyTfcTX8QQjwXekAMXWQFoAormj+6fdEt+y+ia+aZBwCI+1xIVcWFNBqk9pFK
         htceDYphD09qCYLdPQaD5Feaq2NGB2BiFMySIGR0p7hYZHdmO23jQfH4CrwQwOZheTC6
         CFW67ANo1j6bnNHvwhPb9eYzuqE3LxXcNy0SPuaBRwWyw/PvU0SiNs4WWbTehL9OXbmq
         V2RA9WbgfkjrGLNeYiBGEEI6GZtekoBBiGoEQqKfiOA28Aq+XU5l1sMbE9iPc7wjKSF3
         YTWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1774473320; x=1775078120;
        h=to:subject:message-id:date:from:mime-version:x-gm-gg
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=uXHxsxHYtqUvoldgwgk6IVmH2LXLIc5gmmMQOuZNUog=;
        b=Edpm/H3NV7GWAlNm3CEkVErb7nwu8PO8y6eIn0eSne7UyDD+J7HJ09Lp92uOUOCcgK
         Qn+SYMcxqhsouqPsHClzjkNjwja6RX8fu9It3u2UAVFZ03L7dyGwAE8o87OhfPLGcaLF
         Mbx7FqAIiPB8sCRVTZQX5Ucb4v94+vSeK9nC0XScawN4XkwLrpuir862vbJ2f6JIFAnG
         vVC5le1g4X7grtxYqL3uJdScSOvOicSMhza/oI9DjuVwALVr7e5jQMhJZv9PpWeRTg2g
         h0tgg3L3P8SKP024gJr7K9ACmgDb4H1NFkM3bg3trYcgcjbj1HoPNc76Mnr1m6BNdAsf
         vuNw==
X-Gm-Message-State: AOJu0YyNUuvNYotj+zn84jSxiAQ0xlKhEqCJA3mZ8gB4Ablsci+WKHaB
	dZVnIlDRYIv7RPi07z2VTZ4eT8Ru+dAhsxADvr7RPNk8aMk86ZeaitoexMOMwG+ZgJEPmgRP317
	eQmPP6OFFaH8u+q9JFNwgnAP4k0A5bpLrPYY3
X-Gm-Gg: ATEYQzw56UqDLcd2MgX4eacZyq1EqUeyYBfT2xjCy7U3cxRi/MoMEAp4Tsqhq68jtcY
	xaLwQmdEe5THc42WdiBkJE5P+WkS+gACpD/HRCrmY9+yUYIc3KEjbd++5Sh209uISAXW1lrTKEX
	0cEtxFYRfOJwD1srFLVuqOGxqGDpc2LX/pv2l61sKUgyyij0KwHMPTd1o8u/ESjLlj2rSML1xLF
	EB2d9jyJS+AQqya0JRUlVDJJJ1vKc2aoaC7sZXBfxrk4WtfWRG3b2PLQ3yxG3A8woXogtk3Pg+f
	BP9WYP0=
X-Received: by 2002:a05:6102:4b0f:b0:602:91f2:6af6 with SMTP id
 ada2fe7eead31-60387292b42mr2582521137.17.1774473320209; Wed, 25 Mar 2026
 14:15:20 -0700 (PDT)
MIME-Version: 1.0
From: SATYANARAYANA NARLAPURAM <satyanarlapuram@gmail.com>
Date: Wed, 25 Mar 2026 14:15:08 -0700
X-Gm-Features: AQROBzBrMxeqb9N1KOETsw3_PDI_AtDonI67Mm0wNCA33gypPaddu3SkYppG7rc
Message-ID: 
 <CAHg+QDe_=ZahnRx37bzrqYenKn_S5YDQ00fTfwe-ZUmjqO=qLg@mail.gmail.com>
Subject: LockHasWaiters() crashes on fast-path locks
To: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Content-Type: multipart/mixed; boundary="000000000000ea42bd064ddfc39c"
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: 
 <https://www.postgresql.org/message-id/CAHg%2BQDe_%3DZahnRx37bzrqYenKn_S5YDQ00fTfwe-ZUmjqO%3DqLg%40mail.gmail.com>
Precedence: bulk

--000000000000ea42bd064ddfc39c
Content-Type: multipart/alternative; boundary="000000000000ea42bc064ddfc39a"

--000000000000ea42bc064ddfc39a
Content-Type: text/plain; charset="UTF-8"

Hi Hackers,

LockHasWaiters() assumes that the LOCALLOCK's lock and proclock pointers
are populated, but this is not the case for locks acquired via the
fast-path optimization. Weak locks (< ShareUpdateExclusiveLock) on
relations may not be stored in the shared lock hash table, and the
LOCALLOCK entry is left with lock = NULL and proclock = NULL in such a case.

If LockHasWaiters() is called for such a lock, it dereferences those NULL
pointers when it reads proclock->holdMask and lock->waitMask, causing a
segfault.

The only existing caller is lazy_truncate_heap() in VACUUM, which queries
LockHasWaitersRelation(rel, AccessExclusiveLock). Since AccessExclusiveLock
is the strongest lock level, it is never fast-pathed, so the bug has never
been triggered in practice. However, any new caller that passes a weak lock
mode, for example, checking whether a DDL is waiting on an AccessShareLock
will crash. The fix is to transfer the lock to the main lock table before
we access them.

Attached a patch to address this issue.


Thanks,
Satya

--000000000000ea42bc064ddfc39a
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi Hackers,</div><div><br></div>LockHasWaiters() assu=
mes that the LOCALLOCK&#39;s lock and proclock pointers are populated, but =
this is not the case for locks acquired via the fast-path optimization. Wea=
k locks (&lt; ShareUpdateExclusiveLock) on relations may not be stored in t=
he shared lock hash table, and the LOCALLOCK entry is left with lock =3D NU=
LL and proclock =3D NULL in such a case.<br><br>If LockHasWaiters() is call=
ed for such a lock, it dereferences those NULL pointers when it reads procl=
ock-&gt;holdMask and lock-&gt;waitMask, causing a segfault.<br><br>The only=
 existing caller is lazy_truncate_heap() in VACUUM, which queries LockHasWa=
itersRelation(rel, AccessExclusiveLock). Since AccessExclusiveLock is the s=
trongest lock level, it is never fast-pathed, so the bug has never been tri=
ggered in practice. However, any new caller that passes a weak lock mode, f=
or example, checking whether a DDL is waiting on an AccessShareLock will cr=
ash. The fix is to transfer the lock to the main lock table before we acces=
s them.<div><br></div><div>Attached a patch to address this issue.=C2=A0</d=
iv><div><br></div><div><br><div>Thanks,</div><div>Satya</div></div></div>

--000000000000ea42bc064ddfc39a--

--000000000000ea42bd064ddfc39c
Content-Type: application/octet-stream;
	name="0001-lock-has-waiters-fast-path-fix.patch"
Content-Disposition: attachment;
	filename="0001-lock-has-waiters-fast-path-fix.patch"
Content-Transfer-Encoding: base64
Content-ID: <f_mn6jj7n90>
X-Attachment-Id: f_mn6jj7n90

ZGlmZiAtLWdpdCBhL3NyYy9iYWNrZW5kL3N0b3JhZ2UvbG1nci9sb2NrLmMgYi9zcmMvYmFja2Vu
ZC9zdG9yYWdlL2xtZ3IvbG9jay5jCmluZGV4IGQ5MzBjNjZjLi5mZjliOWNhYSAxMDA2NDQKLS0t
IGEvc3JjL2JhY2tlbmQvc3RvcmFnZS9sbWdyL2xvY2suYworKysgYi9zcmMvYmFja2VuZC9zdG9y
YWdlL2xtZ3IvbG9jay5jCkBAIC03NDMsNiArNzQzLDIwIEBAIExvY2tIYXNXYWl0ZXJzKGNvbnN0
IExPQ0tUQUcgKmxvY2t0YWcsIExPQ0tNT0RFIGxvY2ttb2RlLCBib29sIHNlc3Npb25Mb2NrKQog
CSAqLwogCXBhcnRpdGlvbkxvY2sgPSBMb2NrSGFzaFBhcnRpdGlvbkxvY2sobG9jYWxsb2NrLT5o
YXNoY29kZSk7CiAKKwkvKgorCSAqIElmIHRoZSBsb2NrIHdhcyBhY3F1aXJlZCB2aWEgdGhlIGZh
c3QgcGF0aCwgbG9jYWxsb2NrLT5sb2NrIGFuZAorCSAqIGxvY2FsbG9jay0+cHJvY2xvY2sgd2ls
bCBiZSBOVUxMLiAgV2UgbXVzdCB0cmFuc2ZlciB0aGUgbG9jayB0byB0aGUKKwkgKiBtYWluIGxv
Y2sgdGFibGUgYmVmb3JlIHdlIGNhbiBpbnNwZWN0IExPQ0stPndhaXRNYXNrLgorCSAqLworCWlm
IChsb2NhbGxvY2stPmxvY2sgPT0gTlVMTCkKKwl7CisJCVBST0NMT0NLICAgKmZwX3Byb2Nsb2Nr
OworCisJCWZwX3Byb2Nsb2NrID0gRmFzdFBhdGhHZXRSZWxhdGlvbkxvY2tFbnRyeShsb2NhbGxv
Y2spOworCQlsb2NhbGxvY2stPmxvY2sgPSBmcF9wcm9jbG9jay0+dGFnLm15TG9jazsKKwkJbG9j
YWxsb2NrLT5wcm9jbG9jayA9IGZwX3Byb2Nsb2NrOworCX0KKwogCUxXTG9ja0FjcXVpcmUocGFy
dGl0aW9uTG9jaywgTFdfU0hBUkVEKTsKIAogCS8qCg==
--000000000000ea42bd064ddfc39c--