Skip to content

Avoid re-locking reused UTXO futures#4673

Open
tnull wants to merge 1 commit into
lightningdevkit:mainfrom
tnull:2026-06-utxo-same-future-deadlock
Open

Avoid re-locking reused UTXO futures#4673
tnull wants to merge 1 commit into
lightningdevkit:mainfrom
tnull:2026-06-utxo-same-future-deadlock

Conversation

@tnull

@tnull tnull commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

UtxoLookup implementations may cache and return the same async future for repeated requests for a short channel id. When a replacement channel announcement arrived for an in-flight lookup, the async path held the future state while comparing the existing pending entry, which could point to that same state.

Drop the state guard before checking or replacing the pending entry so repeated lookups can update the pending announcement without re-entering the mutex.

Co-Authored-By: HAL 9000

This finding was discovered by Project Loupe

@tnull
Avoid re-locking reused UTXO futures
fa1de66 
UtxoLookup implementations may cache and return the same async future for repeated requests for a short channel id. When a replacement channel announcement arrived for an in-flight lookup, the async path held the future state while comparing the existing pending entry, which could point to that same state.

Drop the state guard before checking or replacing the pending entry so repeated lookups can update the pending announcement without re-entering the mutex.

Co-Authored-By: HAL 9000

This finding was discovered by Project Loupe
@tnull tnull requested a review from TheBlueMatt June 10, 2026 11:51
@ldk-reviews-bot

ldk-reviews-bot commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown

👋 Thanks for assigning @TheBlueMatt as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

@ldk-claude-review-bot

ldk-claude-review-bot commented Jun 10, 2026

Copy link
Copy Markdown
Collaborator

No issues found.

I reviewed the full diff. The deadlock fix in lightning/src/routing/utxo.rs (lines 442-451) is correct: when a UtxoLookup returns the same UtxoFuture for repeated SCID lookups, the pending-channels entry can point to the same future.state, and check_replace_previous_entry re-locks it via unsafe_well_ordered_double_lock_self (which is just .lock() on a non-reentrant std Mutex in both std and debug builds), causing a self-deadlock. Dropping the guard before the call and re-acquiring it after avoids this.

The fix is safe with respect to concurrency:

  • resolve_single_future only runs from check_resolved_futures, which acquires the internal lock held throughout this section, so it cannot interleave between the drop and re-lock.
  • UtxoFuture::resolve only sets complete and notifies; no synchronous processing occurs, so dropping the guard cannot lose an update — complete and channel_announce both end up set and are later collected.
  • Lock ordering is preserved (internalfuture.state); the pending state is released inside check_replace_previous_entry before future.state is re-acquired.

The added regression test is valid (both announcements share SCID 0 and the same on-chain bitcoin keys, so the replacement resolves successfully).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TheBlueMatt TheBlueMatt Awaiting requested review from TheBlueMatt

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

backport 0.1 backport 0.2 backport 0.3

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tnull @ldk-reviews-bot @ldk-claude-review-bot