Skip to content

Avoid leaking stale filesystem store temp files#4676

Open
tnull wants to merge 1 commit into
lightningdevkit:mainfrom
tnull:2026-06-fs-store-stale-tmp-cleanup
Open

Avoid leaking stale filesystem store temp files#4676
tnull wants to merge 1 commit into
lightningdevkit:mainfrom
tnull:2026-06-fs-store-stale-tmp-cleanup

Conversation

@tnull

@tnull tnull commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Async filesystem writes may be awaited out of order, making older writes stale after their temporary data has already been created. Ensure those stale or failed write attempts do not leave historical plaintext data in *.tmp files.

Co-Authored-By: HAL 9000

This finding was discovered by Project Loupe

@tnull
Avoid leaking stale filesystem store temp files
9de63a0 
Async filesystem writes may be awaited out of order, making older writes
stale after their temporary data has already been created. Ensure those
stale or failed write attempts do not leave historical plaintext data in
*.tmp files.

Co-Authored-By: HAL 9000

This finding was discovered by Project Loupe
@tnull tnull requested a review from benthecarman June 10, 2026 14:24
@ldk-reviews-bot

ldk-reviews-bot commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown

👋 Thanks for assigning @benthecarman as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

ldk-claude-review-bot
ldk-claude-review-bot reviewed Jun 10, 2026
View reviewed changes
Comment thread lightning-persister/src/fs_store/common.rs
Comment on lines +359 to +366
if tmp_file_needs_cleanup {
if let Err(e) = remove_file_if_exists(&tmp_file_path) {
if write_res.is_ok() {
return Err(e);
}
}
})
}
write_res

@ldk-claude-review-bot ldk-claude-review-bot Jun 10, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When the write is stale (a newer version already won, so execute_locked_write skipped the callback and returned Ok(())), tmp_file_needs_cleanup is still true. If remove_file_if_exists then fails, this converts an otherwise-successful, consistent no-op write into an Err. The actual key data on disk is correct (the newer version persisted it), so the caller now sees a persistence failure for a write that effectively succeeded, which in LDK can trigger unnecessary error handling/retries.

Consider whether a failed temp-file cleanup should really fail the call in the stale case, or just be logged/ignored (as is done in the pre-lock failure path on line 304 with let _ = ...).

@ldk-claude-review-bot

ldk-claude-review-bot commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

I've re-examined the full diff and surrounding code. The closure mutating tmp_file_needs_cleanup is fine against the FnOnce bound (common.rs:205), the temp File handle is dropped before the rename, and cleanup never targets a renamed/destination file. No new issues beyond the one already flagged in the prior pass.

Summary

No new issues found.

Previously posted (still applicable):

  • lightning-persister/src/fs_store/common.rs:366 — In the stale (out-of-order) write case, execute_locked_write skips the callback and returns Ok(()), but tmp_file_needs_cleanup remains true; if remove_file_if_exists then fails, an otherwise-successful, consistent no-op write is converted into an Err, inconsistent with the pre-lock failure path at line 304 which ignores cleanup errors with let _ = .... Worth deciding whether to fail the call or just log/ignore.

benthecarman
benthecarman reviewed Jun 10, 2026
View reviewed changes
Comment thread lightning-persister/src/fs_store/common.rs
if tmp_file_needs_cleanup {
if let Err(e) = remove_file_if_exists(&tmp_file_path) {
if write_res.is_ok() {
return Err(e);

@benthecarman benthecarman Jun 10, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agree with claude here, i think this if should be if write_res.is_err(). If we successfully persist but dont remove the file, its better to just continue on (list will clean it up eventually). However, also this seems like an impossible path to get to

@tnull tnull self-assigned this Jun 11, 2026
@tnull tnull force-pushed the 2026-06-fs-store-stale-tmp-cleanup branch from ffe263c to 9de63a0 Compare June 11, 2026 16:42
@tnull

tnull commented Jun 11, 2026

Copy link
Copy Markdown
Contributor Author

Updated to line-wrap commit messages.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@benthecarman benthecarman benthecarman left review comments

+1 more reviewer

@ldk-claude-review-bot ldk-claude-review-bot ldk-claude-review-bot left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@tnull tnull

Labels

backport 0.3

Projects

Weekly Goals
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tnull @ldk-reviews-bot @ldk-claude-review-bot @benthecarman