SIGSEGV in peer_connected_serialize when peer disconnects during hook processing #8858
Description
Description
Lightning node crashes with SIGSEGV in peer_connected_serialize when a peer disconnects while the peer_connected hook is being processed by plugins.
Versions Affected
- v25.12
- v25.12.1
Environment
- Ubuntu 24.04
- Multiple plugins using
peer_connectedhook (cl-hive, CLBOSS)
Reproduction Pattern
The crash appears to occur when:
- A peer connects and sends
WIRE_CHANNEL_REESTABLISHfor an unknown channel - The
peer_connectedhook is dispatched to plugins - The peer disconnects before the hook chain completes
- CLN tries to serialize peer data that no longer exists
Crash Log (v25.12.1)
2026-01-21T21:27:46.240Z UNUSUAL 03d607f3e69fd032524a867b288216bfab263b6eaee4e07783799a6fe69bb84fac-lightningd: Unknown channel 9b66fa46fa77e41afcd8c44623fa3b1d63e8fa3951dd9685c6757676c66434a9 for WIRE_CHANNEL_REESTABLISH
2026-01-21T21:27:46.781Z **BROKEN** lightningd: FATAL SIGNAL 11 (version v25.12.1)
2026-01-21T21:27:46.781Z **BROKEN** lightningd: backtrace: common/daemon.c:46 (send_backtrace) 0x5886483c0570
2026-01-21T21:27:46.781Z **BROKEN** lightningd: backtrace: common/daemon.c:83 (crashdump) 0x5886483c05bf
2026-01-21T21:27:46.782Z **BROKEN** lightningd: backtrace: (null):0 ((null)) 0x7cd391a458cf
2026-01-21T21:27:46.782Z **BROKEN** lightningd: backtrace: lightningd/peer_control.c:1338 (peer_connected_serialize) 0x588648357d7e
2026-01-21T21:27:46.782Z **BROKEN** lightningd: backtrace: lightningd/plugin_hook.c:359 (plugin_hook_call_next) 0x5886483696e0
2026-01-21T21:27:46.782Z **BROKEN** lightningd: backtrace: lightningd/plugin_hook.c:299 (plugin_hook_callback) 0x588648369925
2026-01-21T21:27:46.782Z **BROKEN** lightningd: backtrace: lightningd/plugin.c:701 (plugin_response_handle) 0x588648363276
2026-01-21T21:27:46.782Z **BROKEN** lightningd: backtrace: lightningd/plugin.c:790 (plugin_read_json) 0x588648368432
2026-01-21T21:27:46.783Z **BROKEN** lightningd: backtrace: ccan/ccan/io/io.c:60 (next_plan) 0x5886483fa905
2026-01-21T21:27:46.783Z **BROKEN** lightningd: backtrace: ccan/ccan/io/io.c:422 (do_plan) 0x5886483fadd6
2026-01-21T21:27:46.784Z **BROKEN** lightningd: backtrace: ccan/ccan/io/io.c:439 (io_ready) 0x5886483fae93
2026-01-21T21:27:46.784Z **BROKEN** lightningd: backtrace: ccan/ccan/io/poll.c:470 (io_loop) 0x5886483fc8a1
2026-01-21T21:27:46.784Z **BROKEN** lightningd: backtrace: lightningd/io_loop_with_timers.c:22 (io_loop_with_timers) 0x588648337950
2026-01-21T21:27:46.784Z **BROKEN** lightningd: backtrace: lightningd/lightningd.c:1495 (main) 0x58864833d47f
Earlier Crash Log (v25.12)
Similar crash at line 1333:
2026-01-21T17:30:45.551Z UNUSUAL 03d607f3e69fd032524a867b288216bfab263b6eaee4e07783799a6fe69bb84fac-lightningd: Unknown channel 9b66fa46fa77e41afcd8c44623fa3b1d63e8fa3951dd9685c6757676c66434a9 for WIRE_CHANNEL_REESTABLISH
2026-01-21T17:30:46.156Z **BROKEN** lightningd: FATAL SIGNAL 11 (version v25.12)
2026-01-21T17:30:46.156Z **BROKEN** lightningd: backtrace: lightningd/peer_control.c:1333 (peer_connected_serialize) 0x55d8f3a2dd7e
Analysis
The crash occurs in peer_connected_serialize which is called during the plugin hook chain. The function appears to access peer data that has been freed/invalidated because the peer disconnected.
Looking at the backtrace:
plugin_hook_callbackreceives a response from a pluginplugin_hook_call_nextcalls the next hook in the chainpeer_connected_serializetries to serialize peer data- SIGSEGV - likely null pointer dereference on freed peer struct
Workaround
Disabling plugins that use the peer_connected hook reduces the crash frequency by narrowing the race window.
Suggested Fix
peer_connected_serialize should check if the peer still exists before accessing its data, similar to how other hook serializers handle disconnection during hook processing.