From bcd2db3bc3813b2e2d36fc88740140332e280ae3 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Wed, 16 Aug 2023 16:20:48 -0400
Subject: [PATCH] backport of commit abaf1d68743dd65af8919f56687061eb29c4bdbe (#22378)
---
 changelog/22374.txt | 3 +++
 vault/expiration.go | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 changelog/22374.txt
diff --git a/changelog/22374.txt b/changelog/22374.txt
new file mode 100644
index 0000000000..2f744c5c33
--- /dev/null
+++ b/changelog/22374.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup.
+```
diff --git a/vault/expiration.go b/vault/expiration.go
index a49fed466a..eec7373990 100644
--- a/vault/expiration.go
+++ b/vault/expiration.go
@@ -237,8 +237,8 @@ func (r *revocationJob) OnFailure(err error) {
 r.m.core.metricSink.IncrCounterWithLabels([]string{"expire", "lease_expiration", "error"}, 1, []metrics.Label{metricsutil.NamespaceLabel(r.ns)})
 r.m.pendingLock.Lock()
- defer r.m.pendingLock.Unlock()
 pendingRaw, ok := r.m.pending.Load(r.leaseID)
+ r.m.pendingLock.Unlock()
 if !ok {
 r.m.logger.Warn("failed to find lease in pending map for revocation retry", "lease_id", r.leaseID)
 return
@@ -266,7 +266,9 @@ func (r *revocationJob) OnFailure(err error) {
 return
 }
+ r.m.pendingLock.Lock()
 r.m.markLeaseIrrevocable(r.nsCtx, le, err)
+ r.m.pendingLock.Unlock()
 return
 } else {
 r.m.logger.Error("failed to revoke lease", "lease_id", r.leaseID, "error", err,
@@ -274,7 +276,9 @@ func (r *revocationJob) OnFailure(err error) {
 }
 pending.timer.Reset(newTimer)
+ r.m.pendingLock.Lock()
 r.m.pending.Store(r.leaseID, pending)
+ r.m.pendingLock.Unlock()
 }
 func expireLeaseStrategyFairsharing(ctx context.Context, m *ExpirationManager, leaseID string, ns *namespace.Namespace) {
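Review bot: Releasing pendingLock right after `r.m.pending.Load(r.leaseID)` in the first expiration.go hunk opens a check-then-act window that lasts until the lock is retaken for `r.m.pending.Store(r.leaseID, pending)` in the last hunk, and nothing visible re-validates the entry in between. If another goroutine removes or replaces this lease's pending entry in that window (presumably a concurrent revoke or renew), the Store would write back the stale entry and its timer, so an already cleaned-up lease could be tracked again or a newer entry overwritten. Consider re-loading the entry under the second lock and storing only if it is still the one read earlier, or add a comment explaining why no other writer can touch this lease ID while its revocation job is running. `pending.timer.Reset(newTimer)` now also runs without the lock held. The middle of OnFailure lies outside the hunks, so this is based on the visible lines only.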
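Review bot: The explicit `Lock()`/`Unlock()` pair added around `r.m.markLeaseIrrevocable(r.nsCtx, le, err)` in the second expiration.go hunk carries no comment saying why the lock is needed there, and without a `defer` the lock stays held if that call panics. If markLeaseIrrevocable requires pendingLock to be held by its caller (its definition is outside this diff), say so at the call site, for example `// markLeaseIrrevocable must be called with pendingLock held`. That keeps a later cleanup from hoisting the call out of the critical section or reintroducing a function-wide deferred unlock, the pattern this patch removes to fix the deadlock.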