From b82a26bb496be2ecf364da4ce3b024bc0942a093 Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Wed, 16 Aug 2023 16:27:19 -0400 Subject: [PATCH] backport of commit abaf1d68743dd65af8919f56687061eb29c4bdbe (#22379) --- changelog/22374.txt | 3 +++ vault/expiration.go | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 changelog/22374.txt diff --git a/changelog/22374.txt b/changelog/22374.txt new file mode 100644 index 000000000..2f744c5c3 --- /dev/null +++ b/changelog/22374.txt @@ -0,0 +1,3 @@ +```release-note:bug +expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. +``` diff --git a/vault/expiration.go b/vault/expiration.go index 59f773895..4ea0145a6 100644 --- a/vault/expiration.go +++ b/vault/expiration.go @@ -240,8 +240,8 @@ func (r *revocationJob) OnFailure(err error) { r.m.core.metricSink.IncrCounterWithLabels([]string{"expire", "lease_expiration", "error"}, 1, []metrics.Label{metricsutil.NamespaceLabel(r.ns)}) r.m.pendingLock.Lock() - defer r.m.pendingLock.Unlock() pendingRaw, ok := r.m.pending.Load(r.leaseID) + r.m.pendingLock.Unlock() if !ok { r.m.logger.Warn("failed to find lease in pending map for revocation retry", "lease_id", r.leaseID) return @@ -269,7 +269,9 @@ func (r *revocationJob) OnFailure(err error) { return } + r.m.pendingLock.Lock() r.m.markLeaseIrrevocable(r.nsCtx, le, err) + r.m.pendingLock.Unlock() return } else { r.m.logger.Error("failed to revoke lease", "lease_id", r.leaseID, "error", err, @@ -277,7 +279,9 @@ func (r *revocationJob) OnFailure(err error) { } pending.timer.Reset(newTimer) + r.m.pendingLock.Lock() r.m.pending.Store(r.leaseID, pending) + r.m.pendingLock.Unlock() } func expireLeaseStrategyFairsharing(ctx context.Context, m *ExpirationManager, leaseID string, ns *namespace.Namespace) {