From fb7f872b762ebc973066fc8e627312f09620a754 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Thu, 29 Feb 2024 10:30:27 -0500
Subject: [PATCH] core/login: fix potential deadlock for failed logins when user lockout is enabled (#25697)
* core: fix potential deadlock for failed logins
* changelog
---
 changelog/25697.txt | 3 +++
 vault/request_handling.go | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 changelog/25697.txt
diff --git a/changelog/25697.txt b/changelog/25697.txt
new file mode 100644
index 0000000000..ecc2ac1867
--- /dev/null
+++ b/changelog/25697.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/login: Fixed a potential deadlock when a login fails and user lockout is enabled.
+```
diff --git a/vault/request_handling.go b/vault/request_handling.go
index d6da40ccdd..281a5982d4 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -2440,6 +2440,8 @@ func (c *Core) LocalGetUserFailedLoginInfo(ctx context.Context, userKey FailedLo
 // LocalUpdateUserFailedLoginInfo updates the failed login information for a user based on alias name and mountAccessor
 func (c *Core) LocalUpdateUserFailedLoginInfo(ctx context.Context, userKey FailedLoginUser, failedLoginInfo *FailedLoginInfo, deleteEntry bool) error {
 c.userFailedLoginInfoLock.Lock()
+ defer c.userFailedLoginInfoLock.Unlock()
+
 switch deleteEntry {
 case false:
 // update entry in the map
@@ -2482,7 +2484,6 @@ func (c *Core) LocalUpdateUserFailedLoginInfo(ctx context.Context, userKey Faile
 // delete the entry from the map, if no key exists it is no-op
 delete(c.userFailedLoginInfo, userKey)
 }
- c.userFailedLoginInfoLock.Unlock()
 return nil
 }
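Review bot: The added `defer c.userFailedLoginInfoLock.Unlock()` in the first request_handling.go hunk has no comment explaining why the unlock moved, and the commit adds no test for the path it fixes (the diffstat lists only the changelog and request_handling.go). The lines between the two hunks are not shown, but the commit title suggests a return inside the `switch` left the lock held, which would block every later call that takes this lock. Because this runs on the failed-login path of the user-lockout feature, that is an availability risk worth pinning with a regression test that forces the error return and then calls LocalUpdateUserFailedLoginInfo again under a timeout. I would also add `// Release via defer: the switch below can return early, and a lock left held blocks every later failed-login update.` above the defer. The function body continues outside this hunk.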