Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wfv5p-005mxr-2H for pgsql-hackers@arkaria.postgresql.org; Sat, 04 Jul 2026 07:47:18 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wfv5o-009si2-1J for pgsql-hackers@arkaria.postgresql.org; Sat, 04 Jul 2026 07:47:16 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wfv5n-009sht-2d for pgsql-hackers@lists.postgresql.org; Sat, 04 Jul 2026 07:47:16 +0000 Received: from mail-wm1-x333.google.com ([2a00:1450:4864:20::333]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1wfv5l-00000001QeH-0Ayz for pgsql-hackers@lists.postgresql.org; Sat, 04 Jul 2026 07:47:14 +0000 Received: by mail-wm1-x333.google.com with SMTP id 5b1f17b1804b1-493c00f74baso7962105e9.0 for ; Sat, 04 Jul 2026 00:47:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1783151230; x=1783756030; darn=lists.postgresql.org; h=content-disposition:mime-version:message-id:subject:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=rfLKTIsF2yp0nn4cHHBpyKA9FRWZlf1o69r4LXCv+V8=; b=E4/gKIa4Ptp1pAhQfp598wMliikE88Zgb7qo1DDtVPLIcKAQ3r+qZhMLstk0+Lvi7Y nJa8fEDl/eYyBwLPxV/h7m4VeJiSGaFDWIi8bDPSw4dBC3p3CGQLRTR+FHW78Aw0ekJ6 P6vANBrBISNLNq1wOtko5Ru8g8iFzOHr/kM9ono+92u7xOJZxrC1SNMFLKVU4DLo+/2W fkBOtLsx0Asn57uWA4bDu+NQAjZ0unR8grYlhdw1acwyfL4hu7q9sDU6sh7ut4kmw1BQ Gn35r/E6Te5AiOjMmKvzGPlooTA8KD8GoJuUi6Rx2PUhM1EENzw54Ds3aAUwGBBpGAIh VytQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783151230; x=1783756030; h=content-disposition:mime-version:message-id:subject:to:from:date :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rfLKTIsF2yp0nn4cHHBpyKA9FRWZlf1o69r4LXCv+V8=; b=BZxcHjUSLtv95F7diKrFjbPMy++nK903pZ1OkYf9IUljc0ra4ueMsg1+/uH7UjxLYn cAUYc4Y8s+cwzvKQnlhAJOMe94X0mybhQHbD0xtNoYyMEvswhoykpgagZmURXEYR4R74 BKcFVWD8RsXJA2sQOUXarSVfSpR17YqMzIlzdSuYfQ//Vt9lIikebi3TyjzmvoTN5V2e 39uTDsGuh1jYnBLfq0+gPFx6Esmr/B/zsrn730W8UIo/jzGnow3+eeMyP/iF+fU9M6vB /bLYOexTe4d6+kLLHZrQ0kLBafA1gltHQj3SoU6k1HIFgzLQIHC2gYbKAoJkAS6sL/r1 LyjA== X-Gm-Message-State: AOJu0Yx+n4F/zVv7MLqyRR0GD9pn9IDtkin6iWgevN0TS3gtPeQ2GbAM giV7Ffv6sSRtp6toqaTlrYQG/R1zkG1Ck8v2pXKXGHuaGoA0oig8mum6zKFj0g== X-Gm-Gg: AfdE7cmsLNH2D7pDNQ/dl9+TKTUeySgkUbxNWAy2eOJqj7N/ZtjWC3ofVU1jCxn/Mey N+6y3xU3uYKV9/uhOqXMc2k8WaGLDt/yizi+gZItxxc/qYCROTfyWIfFyWK2QeMQ23h1Yx9eaPT f6IVD6e0mUSfaRds/R0738YNCBAUjr//5zP93t4vMI8B456ASxz1dyslBoHjqQa59gnNBhMWT6B 3lY++ozIMa2N4P1hQ4IHZt06GQ97y0tagsnpOOBxiazfUz64/4Pt1hD01aJhK02fXGZrjbCPW/s O0Dj2UM29ub0ne03lkvdgADcUoFiH+vcmNzOWvmWWW4fKnMtF0zOJSc/LXm82S8D5Aj31aM8xdP qjaUJ6qmKMwzXgsPiice4/pofz/+/xnfalQ2GLNkoPmSKdQCE4ptbxiJlE2Wa3Med/mnNtlc51k iNApm+S294Tdtd9PYH+/3fNuKMl1d5LnlzXCMZ9HIlQbvSBXhUju20PLFL7QmftMRAsV395fyx X-Received: by 2002:a05:600c:4a22:b0:493:c3e0:c4 with SMTP id 5b1f17b1804b1-493d11f1593mr15161105e9.22.1783151230227; Sat, 04 Jul 2026 00:47:10 -0700 (PDT) Received: from bdtpg (ec2-15-237-197-144.eu-west-3.compute.amazonaws.com. [15.237.197.144]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-47aa039af67sm6880945f8f.17.2026.07.04.00.47.09 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Jul 2026 00:47:09 -0700 (PDT) Date: Sat, 4 Jul 2026 07:47:08 +0000 From: Bertrand Drouvot To: pgsql-hackers@lists.postgresql.org Subject: Fix races conditions in DropRole() and GrantRole() Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="xlWYagR37YwJXkF8" Content-Disposition: inline List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --xlWYagR37YwJXkF8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi hackers, While working on [1], I observed that DropRole() and GrantRole() have the same "use stale data after the lock is acquired" issues. Indeed, DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. Examples: 1/ DROP ROLE + concurrent DROP ROLE CREATE ROLE testrole; gdb breakpoint at user.c:1198 (before LockSharedObject) on session 1 session 1: DROP ROLE testrole; session 1 is paused by the breakpoint session 2: DROP ROLE testrole; continue session 1 produces: ERROR: could not find tuple for role 24662 2/ GRANT ROLE + concurrent DROP ROLE CREATE ROLE testrole; CREATE ROLE testmember; gdb breakpoint at user.c:1716 (before LockSharedObject) on session 1 session 1: GRANT testrole TO testmember; session is paused by the breakpoint session 2: DROP ROLE testrole; continue session 1: GRANT ROLE succeeds It produces an orphaned pg_auth_members entry: postgres=# SELECT m.member::regrole, m.roleid, r.rolname FROM pg_auth_members m LEFT JOIN pg_roles r ON m.roleid = r.oid WHERE r.oid IS NULL; member | roleid | rolname ------------+--------+--------- testmember | 16386 | The patch attached fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. Remark: AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. [1]: https://postgr.es/m/akZUpiDa1UfmzYxL%40bdtpg Regards, -- Bertrand Drouvot PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com --xlWYagR37YwJXkF8 Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v1-0001-Add-RoleNameGetOid-with-invalidation-based-retry-.patch"