From 11621934ca15ab9b624302e7bd87bc3f1bd343b2 Mon Sep 17 00:00:00 2001
From: Jelte Fennema-Nio <postgres@jeltef.nl>
Date: Sat, 13 Dec 2025 13:05:50 +0100
Subject: [PATCH v8 4/4] Don't use deprecated and insecure PQcancel psql and
 other tools anymore

All of our frontend tools that used our fe_utils to cancel queries,
including psql, still used PQcancel to send cancel requests to the
server. That function is insecure, because it does not use encryption to
send the cancel request. This starts using the new cancellation APIs
(introduced in 61461a300) for all these frontend tools. These APIs use
the same encryption settings as the connection that's being cancelled.
Since these APIs are not signal-safe this required a refactor to not
send the cancel request in a signal handler anymore, but instead using a
dedicated thread.

Similar logic was already used for Windows anyway, so this has the
benefit that it makes the cancel logic more uniform across our supported
platforms. In the pg_dump code there's still quite a bit of behavioural
difference though, because pg_dump is using threads for parallelism on
Windows, but processes on Unixes.
---
 meson.build                          |   2 +-
 src/bin/pg_amcheck/pg_amcheck.c      |   2 +-
 src/bin/pg_dump/Makefile             |   2 +-
 src/bin/pg_dump/meson.build          |   2 +
 src/bin/pg_dump/parallel.c           | 343 ++++++++------------
 src/bin/pg_dump/pg_backup_archiver.c |   2 +-
 src/bin/pg_dump/pg_backup_archiver.h |   8 +-
 src/bin/pg_dump/pg_backup_db.c       |   7 +-
 src/bin/pgbench/pgbench.c            |   2 +-
 src/bin/psql/common.c                |  10 +-
 src/bin/scripts/clusterdb.c          |   2 +-
 src/bin/scripts/reindexdb.c          |   2 +-
 src/bin/scripts/vacuuming.c          |   2 +-
 src/fe_utils/Makefile                |   2 +-
 src/fe_utils/cancel.c                | 469 ++++++++++++++++++++-------
 src/include/fe_utils/cancel.h        |  15 +-
 16 files changed, 520 insertions(+), 352 deletions(-)

diff --git a/meson.build b/meson.build
index 568e0e150bf..0ac0051a9b5 100644
--- a/meson.build
+++ b/meson.build
@@ -3650,7 +3650,7 @@ frontend_code = declare_dependency(
   include_directories: [postgres_inc],
   link_with: [fe_utils, common_static, pgport_static],
   sources: generated_headers_stamp,
-  dependencies: [os_deps, libintl],
+  dependencies: [os_deps, libintl, thread_dep],
 )
 
 backend_both_deps += [
diff --git a/src/bin/pg_amcheck/pg_amcheck.c b/src/bin/pg_amcheck/pg_amcheck.c
index 09ba0596400..2728bcdb1aa 100644
--- a/src/bin/pg_amcheck/pg_amcheck.c
+++ b/src/bin/pg_amcheck/pg_amcheck.c
@@ -478,7 +478,7 @@ main(int argc, char *argv[])
 	cparams.dbname = NULL;
 	cparams.override_dbname = NULL;
 
-	setup_cancel_handler(NULL);
+	setup_cancel_handler(NULL, NULL);
 
 	/* choose the database for our initial connection */
 	if (opts.alldb)
diff --git a/src/bin/pg_dump/Makefile b/src/bin/pg_dump/Makefile
index 79073b0a0ea..f76346c4f6c 100644
--- a/src/bin/pg_dump/Makefile
+++ b/src/bin/pg_dump/Makefile
@@ -21,7 +21,7 @@ export LZ4
 export ZSTD
 export with_icu
 
-override CPPFLAGS := -I$(libpq_srcdir) $(CPPFLAGS)
+override CPPFLAGS := -I$(libpq_srcdir) -I$(top_srcdir)/src/port $(CPPFLAGS)
 LDFLAGS_INTERNAL += -L$(top_builddir)/src/fe_utils -lpgfeutils $(libpq_pgport)
 
 OBJS = \
diff --git a/src/bin/pg_dump/meson.build b/src/bin/pg_dump/meson.build
index 79bd5036841..eb55d7a50cf 100644
--- a/src/bin/pg_dump/meson.build
+++ b/src/bin/pg_dump/meson.build
@@ -22,6 +22,8 @@ pg_dump_common_sources = files(
 pg_dump_common = static_library('libpgdump_common',
   pg_dump_common_sources,
   c_pch: pch_postgres_fe_h,
+  # port needs to be in include path due to pthread-win32.h
+  include_directories: ['../../port'],
   dependencies: [frontend_code, libpq, lz4, zlib, zstd],
   kwargs: internal_lib_args,
 )
diff --git a/src/bin/pg_dump/parallel.c b/src/bin/pg_dump/parallel.c
index 7e2e9f958ea..1d76e91fc48 100644
--- a/src/bin/pg_dump/parallel.c
+++ b/src/bin/pg_dump/parallel.c
@@ -60,6 +60,8 @@
 #include <fcntl.h>
 #endif
 
+#include "common/logging.h"
+#include "fe_utils/cancel.h"
 #include "fe_utils/string_utils.h"
 #include "parallel.h"
 #include "pg_backup_utils.h"
@@ -174,10 +176,6 @@ typedef struct DumpSignalInformation
 
 static volatile DumpSignalInformation signal_info;
 
-#ifdef WIN32
-static CRITICAL_SECTION signal_info_lock;
-#endif
-
 /*
  * Write a simple string to stderr --- must be safe in a signal handler.
  * We ignore the write() result since there's not much we could do about it.
@@ -209,6 +207,7 @@ static void WaitForTerminatingWorkers(ParallelState *pstate);
 static void set_cancel_handler(void);
 static void set_cancel_pstate(ParallelState *pstate);
 static void set_cancel_slot_archive(ParallelSlot *slot, ArchiveHandle *AH);
+static void StopWorkers(void);
 static void RunWorker(ArchiveHandle *AH, ParallelSlot *slot);
 static int	GetIdleWorker(ParallelState *pstate);
 static bool HasEveryWorkerTerminated(ParallelState *pstate);
@@ -410,32 +409,9 @@ ShutdownWorkersHard(ParallelState *pstate)
 	/*
 	 * Force early termination of any commands currently in progress.
 	 */
-#ifndef WIN32
-	/* On non-Windows, send SIGTERM to each worker process. */
-	for (i = 0; i < pstate->numWorkers; i++)
-	{
-		pid_t		pid = pstate->parallelSlot[i].pid;
-
-		if (pid != 0)
-			kill(pid, SIGTERM);
-	}
-#else
-
-	/*
-	 * On Windows, send query cancels directly to the workers' backends.  Use
-	 * a critical section to ensure worker threads don't change state.
-	 */
-	EnterCriticalSection(&signal_info_lock);
-	for (i = 0; i < pstate->numWorkers; i++)
-	{
-		ArchiveHandle *AH = pstate->parallelSlot[i].AH;
-		char		errbuf[1];
-
-		if (AH != NULL && AH->connCancel != NULL)
-			(void) PQcancel(AH->connCancel, errbuf, sizeof(errbuf));
-	}
-	LeaveCriticalSection(&signal_info_lock);
-#endif
+	LockCancelThread();
+	StopWorkers();
+	UnlockCancelThread();
 
 	/* Now wait for them to terminate. */
 	WaitForTerminatingWorkers(pstate);
@@ -519,74 +495,80 @@ WaitForTerminatingWorkers(ParallelState *pstate)
  * could leave a SQL command (e.g., CREATE INDEX on a large table) running
  * for a long time.  Instead, we try to send a cancel request and then die.
  * pg_dump probably doesn't really need this, but we might as well use it
- * there too.  Note that sending the cancel directly from the signal handler
- * is safe because PQcancel() is written to make it so.
+ * there too.
  *
- * In parallel operation on Unix, each process is responsible for canceling
- * its own connection (this must be so because nobody else has access to it).
- * Furthermore, the leader process should attempt to forward its signal to
- * each child.  In simple manual use of pg_dump/pg_restore, forwarding isn't
- * needed because typing control-C at the console would deliver SIGINT to
- * every member of the terminal process group --- but in other scenarios it
- * might be that only the leader gets signaled.
+ * On Unix, the signal handler wakes up a dedicated cancel thread via a
+ * self-pipe, which then sends the cancel and calls _exit().  This thread also
+ * forwards the signal to each child so they can also cancel their queries. In
+ * simple manual use of pg_dump/pg_restore, forwarding isn't needed because
+ * typing control-C at the console would deliver SIGINT to every member of the
+ * terminal process group --- but in other scenarios it might be that only the
+ * leader gets signaled.
  *
  * On Windows, the cancel handler runs in a separate thread, because that's
- * how SetConsoleCtrlHandler works.  We make it stop worker threads, send
- * cancels on all active connections, and then return FALSE, which will allow
- * the process to die.  For safety's sake, we use a critical section to
- * protect the PGcancel structures against being changed while the signal
- * thread runs.
+ * how SetConsoleCtrlHandler works.  We make it forcibly terminate the worker
+ * threads (so they can't report the query cancellations as errors), send
+ * cancels on all active connections, and then call _exit() to terminate the
+ * process.  Access to the shared PGcancelConn structures is serialized against
+ * the main thread by the cancel thread lock held around the callback.
  */
 
-#ifndef WIN32
-
 /*
- * Signal handler (Unix only)
+ * Cancel all active queries, print a termination message, and exit.
+ *
+ * Invoked from the cancel thread (Unix) or the Windows console handler thread.
+ * It never returns: after sending the cancels it calls _exit() so that the
+ * process terminates on cancel.  We use _exit() rather than exit() because the
+ * latter would invoke atexit handlers that can fail if we interrupted related
+ * code.
  */
-static void
-sigTermHandler(SIGNAL_ARGS)
+pg_noreturn static void
+CancelBackendsAndExit(void)
 {
+#ifdef WIN32
 	int			i;
-	char		errbuf[1];
 
 	/*
-	 * Some platforms allow delivery of new signals to interrupt an active
-	 * signal handler.  That could muck up our attempt to send PQcancel, so
-	 * disable the signals that set_cancel_handler enabled.
-	 */
-	pqsignal(SIGINT, PG_SIG_IGN);
-	pqsignal(SIGTERM, PG_SIG_IGN);
-	pqsignal(SIGQUIT, PG_SIG_IGN);
-
-	/*
-	 * If we're in the leader, forward signal to all workers.  (It seems best
-	 * to do this before PQcancel; killing the leader transaction will result
-	 * in invalid-snapshot errors from active workers, which maybe we can
-	 * quiet by killing workers first.)  Ignore any errors.
+	 * On Windows the workers are threads within this same process.  Once we
+	 * cancel their queries below they would receive the cancellation as an
+	 * error and report it, cluttering the user's screen in the brief window
+	 * before the process exits.  Forcibly terminate the worker threads first
+	 * so they can't do that.
+	 *
+	 * TerminateThread is unsafe in general (it may leak resources or leave
+	 * user-space locks held by the killed thread), but that's acceptable here
+	 * because we're about to end the whole process anyway.
 	 */
 	if (signal_info.pstate != NULL)
 	{
 		for (i = 0; i < signal_info.pstate->numWorkers; i++)
 		{
-			pid_t		pid = signal_info.pstate->parallelSlot[i].pid;
+			HANDLE		hThread = (HANDLE) signal_info.pstate->parallelSlot[i].hThread;
 
-			if (pid != 0)
-				kill(pid, SIGTERM);
+			if (hThread != INVALID_HANDLE_VALUE)
+				TerminateThread(hThread, 0);
 		}
 	}
+#endif
 
 	/*
-	 * Send QueryCancel if we have a connection to send to.  Ignore errors,
-	 * there's not much we can do about them anyway.
+	 * Stop workers first to avoid invalid-snapshot errors if the leader
+	 * cancels before workers.
 	 */
-	if (signal_info.myAH != NULL && signal_info.myAH->connCancel != NULL)
-		(void) PQcancel(signal_info.myAH->connCancel, errbuf, sizeof(errbuf));
+	StopWorkers();
+
+	if (signal_info.myAH != NULL && signal_info.myAH->cancelConn != NULL)
+		(void) PQcancelBlocking(signal_info.myAH->cancelConn);
 
 	/*
-	 * Report we're quitting, using nothing more complicated than write(2).
-	 * When in parallel operation, only the leader process should do this.
+	 * Print termination message. In parallel operation, only the leader
+	 * should print this. On Windows, workers are threads in the same process
+	 * and the console handler only runs in the leader context, so we can
+	 * always print it.
 	 */
+#ifndef WIN32
 	if (!signal_info.am_worker)
+#endif
 	{
 		if (progname)
 		{
@@ -596,111 +578,42 @@ sigTermHandler(SIGNAL_ARGS)
 		write_stderr("terminated by user\n");
 	}
 
-	/*
-	 * And die, using _exit() not exit() because the latter will invoke atexit
-	 * handlers that can fail if we interrupted related code.
-	 */
 	_exit(1);
 }
 
 /*
- * Enable cancel interrupt handler, if not already done.
- */
-static void
-set_cancel_handler(void)
-{
-	/*
-	 * When forking, signal_info.handler_set will propagate into the new
-	 * process, but that's fine because the signal handler state does too.
-	 */
-	if (!signal_info.handler_set)
-	{
-		signal_info.handler_set = true;
-
-		pqsignal(SIGINT, sigTermHandler);
-		pqsignal(SIGTERM, sigTermHandler);
-		pqsignal(SIGQUIT, sigTermHandler);
-	}
-}
-
-#else							/* WIN32 */
-
-/*
- * Console interrupt handler --- runs in a newly-started thread.
+ * Stop all worker processes/threads.
  *
- * After stopping other threads and sending cancel requests on all open
- * connections, we return FALSE which will allow the default ExitProcess()
- * action to be taken.
+ * On Unix, send SIGTERM to each worker process; their signal handlers will
+ * send cancel requests to their backends.
+ *
+ * On Windows, workers are threads in the same process, so we send cancel
+ * requests directly to their backends.
+ *
+ * Caller must hold the cancel thread lock (via LockCancelThread).
  */
-static BOOL WINAPI
-consoleHandler(DWORD dwCtrlType)
+static void
+StopWorkers(void)
 {
 	int			i;
-	char		errbuf[1];
 
-	if (dwCtrlType == CTRL_C_EVENT ||
-		dwCtrlType == CTRL_BREAK_EVENT)
-	{
-		/* Critical section prevents changing data we look at here */
-		EnterCriticalSection(&signal_info_lock);
-
-		/*
-		 * If in parallel mode, stop worker threads and send QueryCancel to
-		 * their connected backends.  The main point of stopping the worker
-		 * threads is to keep them from reporting the query cancels as errors,
-		 * which would clutter the user's screen.  We needn't stop the leader
-		 * thread since it won't be doing much anyway.  Do this before
-		 * canceling the main transaction, else we might get invalid-snapshot
-		 * errors reported before we can stop the workers.  Ignore errors,
-		 * there's not much we can do about them anyway.
-		 */
-		if (signal_info.pstate != NULL)
-		{
-			for (i = 0; i < signal_info.pstate->numWorkers; i++)
-			{
-				ParallelSlot *slot = &(signal_info.pstate->parallelSlot[i]);
-				ArchiveHandle *AH = slot->AH;
-				HANDLE		hThread = (HANDLE) slot->hThread;
-
-				/*
-				 * Using TerminateThread here may leave some resources leaked,
-				 * but it doesn't matter since we're about to end the whole
-				 * process.
-				 */
-				if (hThread != INVALID_HANDLE_VALUE)
-					TerminateThread(hThread, 0);
-
-				if (AH != NULL && AH->connCancel != NULL)
-					(void) PQcancel(AH->connCancel, errbuf, sizeof(errbuf));
-			}
-		}
+	if (signal_info.pstate == NULL)
+		return;
 
-		/*
-		 * Send QueryCancel to leader connection, if enabled.  Ignore errors,
-		 * there's not much we can do about them anyway.
-		 */
-		if (signal_info.myAH != NULL && signal_info.myAH->connCancel != NULL)
-			(void) PQcancel(signal_info.myAH->connCancel,
-							errbuf, sizeof(errbuf));
+	for (i = 0; i < signal_info.pstate->numWorkers; i++)
+	{
+#ifndef WIN32
+		pid_t		pid = signal_info.pstate->parallelSlot[i].pid;
 
-		LeaveCriticalSection(&signal_info_lock);
+		if (pid != 0)
+			kill(pid, SIGTERM);
+#else
+		ArchiveHandle *AH = signal_info.pstate->parallelSlot[i].AH;
 
-		/*
-		 * Report we're quitting, using nothing more complicated than
-		 * write(2).  (We might be able to get away with using pg_log_*()
-		 * here, but since we terminated other threads uncleanly above, it
-		 * seems better to assume as little as possible.)
-		 */
-		if (progname)
-		{
-			write_stderr(progname);
-			write_stderr(": ");
-		}
-		write_stderr("terminated by user\n");
+		if (AH != NULL && AH->cancelConn != NULL)
+			(void) PQcancelBlocking(AH->cancelConn);
+#endif
 	}
-
-	/* Always return FALSE to allow signal handling to continue */
-	return FALSE;
 }
 
 /*
@@ -709,58 +622,55 @@ consoleHandler(DWORD dwCtrlType)
 static void
 set_cancel_handler(void)
 {
-	if (!signal_info.handler_set)
-	{
-		signal_info.handler_set = true;
+	if (signal_info.handler_set)
+		return;
 
-		InitializeCriticalSection(&signal_info_lock);
+	signal_info.handler_set = true;
 
-		SetConsoleCtrlHandler(consoleHandler, TRUE);
-	}
-}
+	setup_cancel_handler(NULL, CancelBackendsAndExit);
 
-#endif							/* WIN32 */
+#ifndef WIN32
+	pqsignal(SIGTERM, CancelSignalHandler);
+	pqsignal(SIGQUIT, CancelSignalHandler);
+#endif
+}
 
 
 /*
  * set_archive_cancel_info
  *
- * Fill AH->connCancel with cancellation info for the specified database
+ * Fill AH->cancelConn with cancellation info for the specified database
  * connection; or clear it if conn is NULL.
  */
 void
 set_archive_cancel_info(ArchiveHandle *AH, PGconn *conn)
 {
-	PGcancel   *oldConnCancel;
+	PGcancelConn *oldCancelConn;
 
 	/*
-	 * Activate the interrupt handler if we didn't yet in this process.  On
-	 * Windows, this also initializes signal_info_lock; therefore it's
+	 * Activate the interrupt handler if we didn't yet in this process. It's
 	 * important that this happen at least once before we fork off any
 	 * threads.
 	 */
 	set_cancel_handler();
 
 	/*
-	 * On Unix, we assume that storing a pointer value is atomic with respect
-	 * to any possible signal interrupt.  On Windows, use a critical section.
+	 * Use mutex to prevent the cancel handler from using the pointer while
+	 * we're changing it.
 	 */
-
-#ifdef WIN32
-	EnterCriticalSection(&signal_info_lock);
-#endif
+	LockCancelThread();
 
 	/* Free the old one if we have one */
-	oldConnCancel = AH->connCancel;
+	oldCancelConn = AH->cancelConn;
 	/* be sure interrupt handler doesn't use pointer while freeing */
-	AH->connCancel = NULL;
+	AH->cancelConn = NULL;
 
-	if (oldConnCancel != NULL)
-		PQfreeCancel(oldConnCancel);
+	if (oldCancelConn != NULL)
+		PQcancelFinish(oldCancelConn);
 
 	/* Set the new one if specified */
 	if (conn)
-		AH->connCancel = PQgetCancel(conn);
+		AH->cancelConn = PQcancelCreate(conn);
 
 	/*
 	 * On Unix, there's only ever one active ArchiveHandle per process, so we
@@ -776,49 +686,35 @@ set_archive_cancel_info(ArchiveHandle *AH, PGconn *conn)
 		signal_info.myAH = AH;
 #endif
 
-#ifdef WIN32
-	LeaveCriticalSection(&signal_info_lock);
-#endif
+	UnlockCancelThread();
 }
 
 /*
  * set_cancel_pstate
  *
  * Set signal_info.pstate to point to the specified ParallelState, if any.
- * We need this mainly to have an interlock against Windows signal thread.
+ * We need this mainly to have an interlock against the cancel handler thread.
  */
 static void
 set_cancel_pstate(ParallelState *pstate)
 {
-#ifdef WIN32
-	EnterCriticalSection(&signal_info_lock);
-#endif
-
+	LockCancelThread();
 	signal_info.pstate = pstate;
-
-#ifdef WIN32
-	LeaveCriticalSection(&signal_info_lock);
-#endif
+	UnlockCancelThread();
 }
 
 /*
  * set_cancel_slot_archive
  *
  * Set ParallelSlot's AH field to point to the specified archive, if any.
- * We need this mainly to have an interlock against Windows signal thread.
+ * We need this mainly to have an interlock against the cancel handler thread.
  */
 static void
 set_cancel_slot_archive(ParallelSlot *slot, ArchiveHandle *AH)
 {
-#ifdef WIN32
-	EnterCriticalSection(&signal_info_lock);
-#endif
-
+	LockCancelThread();
 	slot->AH = AH;
-
-#ifdef WIN32
-	LeaveCriticalSection(&signal_info_lock);
-#endif
+	UnlockCancelThread();
 }
 
 
@@ -933,7 +829,7 @@ ParallelBackupStart(ArchiveHandle *AH)
 
 	/*
 	 * Temporarily disable query cancellation on the leader connection.  This
-	 * ensures that child processes won't inherit valid AH->connCancel
+	 * ensures that child processes won't inherit valid AH->cancelConn
 	 * settings and thus won't try to issue cancels against the leader's
 	 * connection.  No harm is done if we fail while it's disabled, because
 	 * the leader connection is idle at this point anyway.
@@ -951,6 +847,7 @@ ParallelBackupStart(ArchiveHandle *AH)
 		uintptr_t	handle;
 #else
 		pid_t		pid;
+		sigset_t	cancel_set;
 #endif
 		ParallelSlot *slot = &(pstate->parallelSlot[i]);
 		int			pipeMW[2],
@@ -979,6 +876,18 @@ ParallelBackupStart(ArchiveHandle *AH)
 		slot->hThread = handle;
 		slot->workerStatus = WRKR_IDLE;
 #else							/* !WIN32 */
+
+		/*
+		 * Block signals before fork so that no signal can arrive in the child
+		 * before ResetCancelAfterFork() has cleaned up the inherited cancel
+		 * state (pipe fds, signal handlers, mutex).
+		 */
+		sigemptyset(&cancel_set);
+		sigaddset(&cancel_set, SIGINT);
+		sigaddset(&cancel_set, SIGTERM);
+		sigaddset(&cancel_set, SIGQUIT);
+		sigprocmask(SIG_BLOCK, &cancel_set, NULL);
+
 		pid = fork();
 		if (pid == 0)
 		{
@@ -991,6 +900,12 @@ ParallelBackupStart(ArchiveHandle *AH)
 			/* instruct signal handler that we're in a worker now */
 			signal_info.am_worker = true;
 
+			signal_info.handler_set = false;
+			ResetCancelAfterFork();
+			pqsignal(SIGTERM, PG_SIG_DFL);
+			pqsignal(SIGQUIT, PG_SIG_DFL);
+			sigprocmask(SIG_UNBLOCK, &cancel_set, NULL);
+
 			/* close read end of Worker -> Leader */
 			closesocket(pipeWM[PIPE_READ]);
 			/* close write end of Leader -> Worker */
@@ -1019,6 +934,8 @@ ParallelBackupStart(ArchiveHandle *AH)
 		}
 
 		/* In Leader after successful fork */
+		sigprocmask(SIG_UNBLOCK, &cancel_set, NULL);
+
 		slot->pid = pid;
 		slot->workerStatus = WRKR_IDLE;
 
@@ -1407,8 +1324,12 @@ ListenToWorkers(ArchiveHandle *AH, ParallelState *pstate, bool do_wait)
 
 	if (!msg)
 	{
-		/* If do_wait is true, we must have detected EOF on some socket */
-		if (do_wait)
+		/*
+		 * If do_wait is true, we must have detected EOF on some socket. If
+		 * it's due to a cancel request, that's expected, otherwise it's a
+		 * problem.
+		 */
+		if (do_wait && !CancelRequested)
 			pg_fatal("a worker process died unexpectedly");
 		return false;
 	}
diff --git a/src/bin/pg_dump/pg_backup_archiver.c b/src/bin/pg_dump/pg_backup_archiver.c
index 46f4c518347..18ec9320166 100644
--- a/src/bin/pg_dump/pg_backup_archiver.c
+++ b/src/bin/pg_dump/pg_backup_archiver.c
@@ -5196,7 +5196,7 @@ CloneArchive(ArchiveHandle *AH)
 
 	/* The clone will have its own connection, so disregard connection state */
 	clone->connection = NULL;
-	clone->connCancel = NULL;
+	clone->cancelConn = NULL;
 	clone->currUser = NULL;
 	clone->currSchema = NULL;
 	clone->currTableAm = NULL;
diff --git a/src/bin/pg_dump/pg_backup_archiver.h b/src/bin/pg_dump/pg_backup_archiver.h
index c1528d78853..28febac0c43 100644
--- a/src/bin/pg_dump/pg_backup_archiver.h
+++ b/src/bin/pg_dump/pg_backup_archiver.h
@@ -288,8 +288,12 @@ struct _archiveHandle
 	char	   *savedPassword;	/* password for ropt->username, if known */
 	char	   *use_role;
 	PGconn	   *connection;
-	/* If connCancel isn't NULL, SIGINT handler will send a cancel */
-	PGcancel   *volatile connCancel;
+
+	/*
+	 * If cancelConn isn't NULL, SIGINT handler will trigger the cancel thread
+	 * to send a cancel.
+	 */
+	PGcancelConn *cancelConn;
 
 	int			connectToDB;	/* Flag to indicate if direct DB connection is
 								 * required */
diff --git a/src/bin/pg_dump/pg_backup_db.c b/src/bin/pg_dump/pg_backup_db.c
index 5c349279beb..0cc29a8aa70 100644
--- a/src/bin/pg_dump/pg_backup_db.c
+++ b/src/bin/pg_dump/pg_backup_db.c
@@ -84,7 +84,7 @@ ReconnectToServer(ArchiveHandle *AH, const char *dbname)
 
 	/*
 	 * Note: we want to establish the new connection, and in particular update
-	 * ArchiveHandle's connCancel, before closing old connection.  Otherwise
+	 * ArchiveHandle's cancelConn, before closing old connection.  Otherwise
 	 * an ill-timed SIGINT could try to access a dead connection.
 	 */
 	AH->connection = NULL;		/* dodge error check in ConnectDatabaseAhx */
@@ -164,12 +164,11 @@ void
 DisconnectDatabase(Archive *AHX)
 {
 	ArchiveHandle *AH = (ArchiveHandle *) AHX;
-	char		errbuf[1];
 
 	if (!AH->connection)
 		return;
 
-	if (AH->connCancel)
+	if (AH->cancelConn)
 	{
 		/*
 		 * If we have an active query, send a cancel before closing, ignoring
@@ -177,7 +176,7 @@ DisconnectDatabase(Archive *AHX)
 		 * helpful during pg_fatal().
 		 */
 		if (PQtransactionStatus(AH->connection) == PQTRANS_ACTIVE)
-			(void) PQcancel(AH->connCancel, errbuf, sizeof(errbuf));
+			(void) PQcancelBlocking(AH->cancelConn);
 
 		/*
 		 * Prevent signal handler from sending a cancel after this.
diff --git a/src/bin/pgbench/pgbench.c b/src/bin/pgbench/pgbench.c
index 0b2bb9340b5..85116e674f4 100644
--- a/src/bin/pgbench/pgbench.c
+++ b/src/bin/pgbench/pgbench.c
@@ -5336,7 +5336,7 @@ runInitSteps(const char *initialize_steps)
 	if ((con = doConnect()) == NULL)
 		pg_fatal("could not create connection for initialization");
 
-	setup_cancel_handler(NULL);
+	setup_cancel_handler(NULL, NULL);
 	SetCancelConn(con);
 
 	for (step = initialize_steps; *step != '\0'; step++)
diff --git a/src/bin/psql/common.c b/src/bin/psql/common.c
index 660f14559f5..fc3e020d6e9 100644
--- a/src/bin/psql/common.c
+++ b/src/bin/psql/common.c
@@ -305,23 +305,27 @@ volatile sig_atomic_t sigint_interrupt_enabled = false;
 
 sigjmp_buf	sigint_interrupt_jmp;
 
+#ifndef WIN32
 static void
 psql_cancel_callback(void)
 {
-#ifndef WIN32
 	/* if we are waiting for input, longjmp out of it */
 	if (sigint_interrupt_enabled)
 	{
 		sigint_interrupt_enabled = false;
 		siglongjmp(sigint_interrupt_jmp, 1);
 	}
-#endif
 }
+#endif
 
 void
 psql_setup_cancel_handler(void)
 {
-	setup_cancel_handler(psql_cancel_callback);
+#ifndef WIN32
+	setup_cancel_handler(psql_cancel_callback, NULL);
+#else
+	setup_cancel_handler(NULL, NULL);
+#endif
 }
 
 
diff --git a/src/bin/scripts/clusterdb.c b/src/bin/scripts/clusterdb.c
index 53bbb42c883..f282a88c76d 100644
--- a/src/bin/scripts/clusterdb.c
+++ b/src/bin/scripts/clusterdb.c
@@ -140,7 +140,7 @@ main(int argc, char *argv[])
 	cparams.prompt_password = prompt_password;
 	cparams.override_dbname = NULL;
 
-	setup_cancel_handler(NULL);
+	setup_cancel_handler(NULL, NULL);
 
 	if (alldb)
 	{
diff --git a/src/bin/scripts/reindexdb.c b/src/bin/scripts/reindexdb.c
index d7fb16d3c85..75613b995ee 100644
--- a/src/bin/scripts/reindexdb.c
+++ b/src/bin/scripts/reindexdb.c
@@ -211,7 +211,7 @@ main(int argc, char *argv[])
 	cparams.prompt_password = prompt_password;
 	cparams.override_dbname = NULL;
 
-	setup_cancel_handler(NULL);
+	setup_cancel_handler(NULL, NULL);
 
 	if (concurrentCons > 1 && syscatalog)
 		pg_fatal("cannot use multiple jobs to reindex system catalogs");
diff --git a/src/bin/scripts/vacuuming.c b/src/bin/scripts/vacuuming.c
index 67a7665c5d7..1b08423f422 100644
--- a/src/bin/scripts/vacuuming.c
+++ b/src/bin/scripts/vacuuming.c
@@ -58,7 +58,7 @@ vacuuming_main(ConnParams *cparams, const char *dbname,
 			   unsigned int tbl_count, int concurrentCons,
 			   const char *progname)
 {
-	setup_cancel_handler(NULL);
+	setup_cancel_handler(NULL, NULL);
 
 	/* Avoid opening extra connections. */
 	if (tbl_count > 0 && (concurrentCons > tbl_count))
diff --git a/src/fe_utils/Makefile b/src/fe_utils/Makefile
index cbfbf93ac69..809ab21cc0c 100644
--- a/src/fe_utils/Makefile
+++ b/src/fe_utils/Makefile
@@ -17,7 +17,7 @@ subdir = src/fe_utils
 top_builddir = ../..
 include $(top_builddir)/src/Makefile.global
 
-override CPPFLAGS := -DFRONTEND -I$(libpq_srcdir) $(CPPFLAGS)
+override CPPFLAGS := -DFRONTEND -I$(libpq_srcdir) -I$(top_srcdir)/src/port $(CPPFLAGS)
 
 OBJS = \
 	archive.o \
diff --git a/src/fe_utils/cancel.c b/src/fe_utils/cancel.c
index e6b75439f56..f40c4242145 100644
--- a/src/fe_utils/cancel.c
+++ b/src/fe_utils/cancel.c
@@ -2,9 +2,57 @@
  *
  * Query cancellation support for frontend code
  *
- * Assorted utility functions to control query cancellation with signal
- * handler for SIGINT.
+ * This module provides SIGINT/Ctrl-C handling for frontend tools that need
+ * to cancel queries or interrupt other operations. It combines four completely
+ * independent mechanisms, any combination of which can be used by a caller:
  *
+ * 1. Server cancel query request -- Often what applications need. When a query
+ *    is running, and the main thread is waiting for the result of that query
+ *    in a blocking manner, we want SIGINT/Ctrl-C to cancel that query. This
+ *    can be done by having the application call SetCancelConn() to register
+ *    the connection that is (or will be) running the query, prior to waiting
+ *    for the result. When SIGINT/Ctrl-C is received a cancel request for this
+ *    connection will then be sent to the server from a separate thread. That
+ *    in turn will then (assuming a co-operating server) cause the server to
+ *    cancel the query and send an error to the waiting client on the main
+ *    thread. The cancel connection is a process-wide global, so only one
+ *    connection can be the cancel target at a time. ResetCancelConn() can be
+ *    used to unregister the connection again, preventing sending a cancel
+ *    request if SIGINT/Ctrl-C is received after blocking wait has already
+ *    completed.
+ *
+ * 2. CancelRequested flag -- A more involved but also much more flexible way
+ *    of cancelling an operation. A volatile sig_atomic_t CancelRequested flag
+ *    is set to true whenever SIGINT is received. This means that the
+ *    application code can fully control what it does with this flag. The
+ *    primary usecase for this is when the application code is not blocked
+ *    (indefinitely), but needs to take an action when Ctrl-C is pressed, such
+ *    as break out of a long running loop.
+ *
+ * 3. Thread handler callback -- An optional function pointer registered via
+ *    setup_cancel_handler(). If set, this function is called from a separate
+ *    thread when a cancel signal is received. If multiple signals are received
+ *    in quick succession, the callback may be called only once. On Windows,
+ *    this is called from the console handler thread. On Unix, this is called
+ *    from the cancel thread that is woken by the signal handler. To ensure
+ *    safe access to shared data, the cancel thread holds the cancel thread
+ *    lock for the duration of the callback, so any other threads that need
+ *    to access the same data should also acquire that lock using
+ *    LockCancelThread()/UnlockCancelThread().
+ *
+ * 4. Signal handler callback -- The most complex way of canceling an
+ *    operation, which is not supported on Windows. An optional signal_callback
+ *    function pointer can be registered via setup_cancel_handler().  If set,
+ *    it is called directly from the signal handler, so it must be
+ *    async-signal-safe. Writing async-signal-safe code is not easy, so this is
+ *    only recommended as a last resort. psql uses this to longjmp back to the
+ *    main loop when no query is active. On Windows, this function is never
+ *    called, since the console handler runs in a separate thread, not a signal
+ *    handler.
+ *    NOTE: The signal handler callback is called AFTER setting CancelRequested
+ *    but BEFORE notifying the cancel thread to send a cancel request to the
+ *    server (if armed by SetCancelConn). This means that if the callback exits
+ *    or longjmps no cancel request will be sent to the server.
  *
  * Portions Copyright (c) 1996-2026, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
@@ -16,9 +64,21 @@
 
 #include "postgres_fe.h"
 
+#include <signal.h>
 #include <unistd.h>
 
+#ifndef WIN32
+#include <fcntl.h>
+#endif
+
+#ifdef WIN32
+#include "pthread-win32.h"
+#else
+#include <pthread.h>
+#endif
+
 #include "common/connect.h"
+#include "common/logging.h"
 #include "fe_utils/cancel.h"
 #include "fe_utils/string_utils.h"
 
@@ -36,11 +96,19 @@
 		(void) rc_; \
 	} while (0)
 
+
 /*
- * Contains all the information needed to cancel a query issued from
- * a database connection to the backend.
+ * Cancel connection that should be used to send cancel requests.
  */
-static PGcancel *volatile cancelConn = NULL;
+static PGcancelConn *cancelConn = NULL;
+
+/*
+ * Mutex held by the cancel thread for the duration of the cancel callback.
+ * SetCancelConn()/ResetCancelConn() on the main thread take this lock too,
+ * so they will wait for any in-flight cancel to finish before replacing or
+ * freeing cancelConn.
+ */
+static pthread_mutex_t cancel_thread_lock = PTHREAD_MUTEX_INITIALIZER;
 
 /*
  * Predetermined localized error strings --- needed to avoid trying
@@ -58,168 +126,180 @@ static const char *cancel_not_sent_msg = NULL;
  */
 volatile sig_atomic_t CancelRequested = false;
 
-#ifdef WIN32
-static CRITICAL_SECTION cancelConnLock;
-#endif
+/*
+ * Signal handler callback, called directly from signal handler context.
+ * Must be async-signal-safe.
+ */
+static void (*signal_callback_fn) (void) = NULL;
+
+/*
+ * Cancel thread callback, called from the cancel thread (Unix) or console
+ * handler (Windows) when a cancel signal is received.
+ */
+static void (*thread_callback_fn) (void) = NULL;
 
+#ifndef WIN32
 /*
- * Additional callback for cancellations.
+ * On Unix, the SIGINT signal handler cannot call PQcancelBlocking() directly
+ * because it is not async-signal-safe.  Instead, we use a pipe to wake a
+ * dedicated cancel thread: the signal handler writes a byte to the pipe, and
+ * the cancel thread's blocking read() returns, triggering the actual cancel
+ * request.
  */
-static void (*cancel_callback) (void) = NULL;
+static int	cancel_pipe[2] = {-1, -1};
+#endif
 
 
 /*
- * SetCancelConn
+ * Send a cancel request to the connection, if one is set.
  *
- * Set cancelConn to point to the current database connection.
+ * Called from the cancel thread (Unix) or the console handler thread
+ * (Windows), never from the signal handler itself.  The caller is
+ * responsible for holding cancel_thread_lock.
  */
-void
-SetCancelConn(PGconn *conn)
+static void
+SendCancelRequest(void)
 {
-	PGcancel   *oldCancelConn;
-
-#ifdef WIN32
-	EnterCriticalSection(&cancelConnLock);
-#endif
-
-	/* Free the old one if we have one */
-	oldCancelConn = cancelConn;
+	PGcancelConn *cc;
 
-	/* be sure handle_sigint doesn't use pointer while freeing */
-	cancelConn = NULL;
+	cc = cancelConn;
+	if (cc == NULL)
+		return;
 
-	if (oldCancelConn != NULL)
-		PQfreeCancel(oldCancelConn);
+	write_stderr(cancel_sent_msg);
 
-	cancelConn = PQgetCancel(conn);
+	if (!PQcancelBlocking(cc))
+	{
+		char	   *errmsg = PQcancelErrorMessage(cc);
 
-#ifdef WIN32
-	LeaveCriticalSection(&cancelConnLock);
-#endif
+		write_stderr(cancel_not_sent_msg);
+		if (errmsg)
+			write_stderr(errmsg);
+	}
+	/* Reset for possible reuse */
+	PQcancelReset(cc);
 }
 
+
 /*
- * ResetCancelConn
+ * Helper to replace cancelConn with a new value.
  *
- * Free the current cancel connection, if any, and set to NULL.
+ * Takes cancel_thread_lock, which also waits for any in-flight cancel
+ * callback to finish, since the cancel thread holds the same lock.
  */
-void
-ResetCancelConn(void)
+static void
+SetCancelConnInternal(PGcancelConn *newCancelConn)
 {
-	PGcancel   *oldCancelConn;
-
-#ifdef WIN32
-	EnterCriticalSection(&cancelConnLock);
-#endif
+	PGcancelConn *oldCancelConn;
 
+	LockCancelThread();
 	oldCancelConn = cancelConn;
-
-	/* be sure handle_sigint doesn't use pointer while freeing */
-	cancelConn = NULL;
+	cancelConn = newCancelConn;
+	UnlockCancelThread();
 
 	if (oldCancelConn != NULL)
-		PQfreeCancel(oldCancelConn);
-
-#ifdef WIN32
-	LeaveCriticalSection(&cancelConnLock);
-#endif
+		PQcancelFinish(oldCancelConn);
 }
 
-
 /*
- * Code to support query cancellation
- *
- * Note that sending the cancel directly from the signal handler is safe
- * because PQcancel() is written to make it so.  We use write() to report
- * to stderr because it's better to use simple facilities in a signal
- * handler.
+ * SetCancelConn
  *
- * On Windows, the signal canceling happens on a separate thread, because
- * that's how SetConsoleCtrlHandler works.  The PQcancel function is safe
- * for this (unlike PQrequestCancel).  However, a CRITICAL_SECTION is required
- * to protect the PGcancel structure against being changed while the signal
- * thread is using it.
+ * Set cancelConn to point to a cancel connection for the given database
+ * connection. This creates a new PGcancelConn that can be used to send
+ * cancel requests.
  */
-
-#ifndef WIN32
+void
+SetCancelConn(PGconn *conn)
+{
+	SetCancelConnInternal(PQcancelCreate(conn));
+}
 
 /*
- * handle_sigint
+ * ResetCancelConn
  *
- * Handle interrupt signals by canceling the current command, if cancelConn
- * is set.
+ * Clear cancelConn, preventing any pending cancel from being sent.
+ * Waits for any in-flight cancel request to complete first.
  */
-static void
-handle_sigint(SIGNAL_ARGS)
+void
+ResetCancelConn(void)
 {
-	char		errbuf[256];
+	SetCancelConnInternal(NULL);
+}
 
-	CancelRequested = true;
 
-	if (cancel_callback != NULL)
-		cancel_callback();
+/*
+ * LockCancelThread / UnlockCancelThread
+ *
+ * Acquire or release cancel_thread_lock.  External callers (e.g. pg_dump)
+ * use these to protect shared data that the cancel-thread callback also
+ * accesses, without exposing the mutex directly.
+ */
+void
+LockCancelThread(void)
+{
+	pthread_mutex_lock(&cancel_thread_lock);
+}
 
-	/* Send QueryCancel if we are processing a database query */
-	if (cancelConn != NULL)
-	{
-		if (PQcancel(cancelConn, errbuf, sizeof(errbuf)))
-		{
-			write_stderr(cancel_sent_msg);
-		}
-		else
-		{
-			write_stderr(cancel_not_sent_msg);
-			write_stderr(errbuf);
-		}
-	}
+void
+UnlockCancelThread(void)
+{
+	pthread_mutex_unlock(&cancel_thread_lock);
 }
 
+#ifndef WIN32
 /*
- * setup_cancel_handler
+ * ResetCancelAfterFork
+ *
+ * Reset cancel module state after fork(). Threads don't survive fork(), so the
+ * cancel thread and its pipe are gone. The mutex may have been held by the
+ * cancel thread at fork time, so we must reinitialize it rather than trying to
+ * unlock it.  cancelConn is NULLed without freeing because the parent process
+ * owns the underlying object.  The SIGINT handler is reset to SIG_DFL so that
+ * a signal arriving before setup_cancel_handler() is called again doesn't try
+ * to write to the closed pipe.
  *
- * Register query cancellation callback for SIGINT.
+ * The child will set up a fresh cancel thread when it later calls
+ * setup_cancel_handler().
  */
 void
-setup_cancel_handler(void (*query_cancel_callback) (void))
+ResetCancelAfterFork(void)
 {
-	cancel_callback = query_cancel_callback;
-	cancel_sent_msg = _("Cancel request sent\n");
-	cancel_not_sent_msg = _("Could not send cancel request: ");
+	close(cancel_pipe[0]);
+	close(cancel_pipe[1]);
+	cancel_pipe[0] = cancel_pipe[1] = -1;
 
-	pqsignal(SIGINT, handle_sigint);
-}
+	pthread_mutex_init(&cancel_thread_lock, NULL);
 
-#else							/* WIN32 */
+	cancelConn = NULL;
+	CancelRequested = false;
 
+	pqsignal(SIGINT, PG_SIG_DFL);
+}
+#endif
+
+#ifdef WIN32
+/*
+ * Console control handler for Windows.
+ *
+ * This runs in a separate thread created by the OS, so we can safely call
+ * the blocking cancel API directly.
+ */
 static BOOL WINAPI
 consoleHandler(DWORD dwCtrlType)
 {
-	char		errbuf[256];
-
 	if (dwCtrlType == CTRL_C_EVENT ||
 		dwCtrlType == CTRL_BREAK_EVENT)
 	{
 		CancelRequested = true;
 
-		if (cancel_callback != NULL)
-			cancel_callback();
+		LockCancelThread();
 
-		/* Send QueryCancel if we are processing a database query */
-		EnterCriticalSection(&cancelConnLock);
-		if (cancelConn != NULL)
-		{
-			if (PQcancel(cancelConn, errbuf, sizeof(errbuf)))
-			{
-				write_stderr(cancel_sent_msg);
-			}
-			else
-			{
-				write_stderr(cancel_not_sent_msg);
-				write_stderr(errbuf);
-			}
-		}
+		SendCancelRequest();
+
+		if (thread_callback_fn != NULL)
+			thread_callback_fn();
 
-		LeaveCriticalSection(&cancelConnLock);
+		UnlockCancelThread();
 
 		return TRUE;
 	}
@@ -228,16 +308,169 @@ consoleHandler(DWORD dwCtrlType)
 		return FALSE;
 }
 
+#else							/* !WIN32 */
+
+/*
+ * Signal handler that setup_cancel_handler configures for SIGINT. Exposed so
+ * other signals than SIGINT can use it if desired.
+ */
 void
-setup_cancel_handler(void (*callback) (void))
+CancelSignalHandler(SIGNAL_ARGS)
 {
-	cancel_callback = callback;
-	cancel_sent_msg = _("Cancel request sent\n");
-	cancel_not_sent_msg = _("Could not send cancel request: ");
+	int			save_errno = errno;
 
-	InitializeCriticalSection(&cancelConnLock);
+	CancelRequested = true;
 
-	SetConsoleCtrlHandler(consoleHandler, TRUE);
+	if (signal_callback_fn != NULL)
+		signal_callback_fn();
+
+	/* Wake up the cancel thread */
+	if (cancel_pipe[1] >= 0)
+	{
+		char		c = 1;
+		int			rc = write(cancel_pipe[1], &c, 1);
+
+		(void) rc;
+	}
+
+	errno = save_errno;
+}
+
+/*
+ * Thread main function for create_cancel_thread.  Waits for the signal
+ * handler to write a byte to the pipe, then calls the cancel callback.
+ */
+static void *
+cancel_thread_loop(void *arg)
+{
+	for (;;)
+	{
+		char		buf[16];
+		ssize_t		rc;
+
+		rc = read(cancel_pipe[0], buf, sizeof(buf));
+		if (rc <= 0)
+		{
+			if (errno == EINTR)
+				continue;
+			/* Pipe closed or error - exit thread */
+			break;
+		}
+
+		LockCancelThread();
+
+		SendCancelRequest();
+
+		if (thread_callback_fn != NULL)
+			thread_callback_fn();
+
+		/*
+		 * Drain any pending bytes from the cancel pipe, so that signals
+		 * received while we were already handling a cancel don't cause us to
+		 * wake up again and cancel a subsequent query.
+		 */
+		fcntl(cancel_pipe[0], F_SETFL, O_NONBLOCK);
+		while (read(cancel_pipe[0], buf, sizeof(buf)) > 0)
+			;					/* loop until pipe is fully drained */
+		fcntl(cancel_pipe[0], F_SETFL, 0);
+
+		UnlockCancelThread();
+	}
+
+	return NULL;
+}
+
+/*
+ * create_cancel_thread
+ *
+ * Create a dedicated thread and associated pipe for async-signal-safe cancel
+ * handling.  The pipe allows signal handlers (which cannot safely call complex
+ * functions) to wake up the thread by writing a byte.
+ *
+ * The write end of the pipe is set non-blocking so signal handlers never
+ * block.  The thread is created with all signals blocked so that signals are
+ * always delivered to the main thread.  The thread runs until process exit.
+ * No handle is returned because currently no callers need to join it.
+ */
+static void
+create_cancel_thread(void)
+{
+	sigset_t	save_set;
+	sigset_t	block_set;
+	pthread_t	thread;
+	int			rc;
+
+	if (pipe(cancel_pipe) < 0)
+	{
+		pg_log_error("could not create pipe for cancel: %m");
+		exit(1);
+	}
+
+	/*
+	 * Make the write end non-blocking, so that the signal handler won't block
+	 * if the pipe buffer is full (which is very unlikely in practice but
+	 * possible in theory).
+	 */
+	fcntl(cancel_pipe[1], F_SETFL, O_NONBLOCK);
+
+	/*
+	 * Block all signals before creating the cancel thread, so that it
+	 * inherits a signal mask with all signals blocked.  This ensures signals
+	 * are always delivered to the main thread, which matters because some
+	 * signal_callback functions call siglongjmp() back to a sigsetjmp() on
+	 * the main thread's stack, specifically the psql_cancel_callback
+	 * function.
+	 */
+	sigfillset(&block_set);
+	pthread_sigmask(SIG_BLOCK, &block_set, &save_set);
+
+	rc = pthread_create(&thread, NULL, cancel_thread_loop, NULL);
+
+	pthread_sigmask(SIG_SETMASK, &save_set, NULL);
+
+	if (rc != 0)
+	{
+		pg_log_error("could not create cancel thread: %s", strerror(rc));
+		exit(1);
+	}
+
+	pthread_detach(thread);
 }
 
-#endif							/* WIN32 */
+#endif							/* !WIN32 */
+
+
+/*
+ * setup_cancel_handler
+ *
+ * Set up signal handling for SIGINT (Unix) or console events (Windows) to
+ * perform cancel actions.
+ *
+ * signal_callback is invoked directly from the signal handler context on
+ * every SIGINT (on Unix), so it must be async-signal-safe.  Can be NULL.
+ * On Windows, signal handlers don't exist (the console handler runs in a
+ * separate thread), so signal_callback must be NULL.
+ *
+ * thread_callback is invoked from a dedicated cancel thread (Unix) or the
+ * console handler thread (Windows) when a signal is received. Can be NULL.
+ */
+void
+setup_cancel_handler(void (*signal_callback) (void),
+					 void (*thread_callback) (void))
+{
+#ifdef WIN32
+	Assert(signal_callback == NULL);
+#endif
+
+	signal_callback_fn = signal_callback;
+	thread_callback_fn = thread_callback;
+	cancel_sent_msg = _("Sending cancel request\n");
+	cancel_not_sent_msg = _("Could not send cancel request: ");
+
+#ifdef WIN32
+	SetConsoleCtrlHandler(consoleHandler, TRUE);
+#else
+	create_cancel_thread();
+	pqsignal(SIGINT, CancelSignalHandler);
+#endif
+}
diff --git a/src/include/fe_utils/cancel.h b/src/include/fe_utils/cancel.h
index e174fb83b92..feb1970d372 100644
--- a/src/include/fe_utils/cancel.h
+++ b/src/include/fe_utils/cancel.h
@@ -23,10 +23,15 @@ extern PGDLLIMPORT volatile sig_atomic_t CancelRequested;
 extern void SetCancelConn(PGconn *conn);
 extern void ResetCancelConn(void);
 
-/*
- * A callback can be optionally set up to be called at cancellation
- * time.
- */
-extern void setup_cancel_handler(void (*query_cancel_callback) (void));
+extern void setup_cancel_handler(void (*signal_callback) (void),
+								 void (*thread_callback) (void));
+
+extern void LockCancelThread(void);
+extern void UnlockCancelThread(void);
+
+#ifndef WIN32
+extern void ResetCancelAfterFork(void);
+extern void CancelSignalHandler(SIGNAL_ARGS);
+#endif
 
 #endif							/* CANCEL_H */
-- 
2.54.0

