Commit c96b9d81a8a6 ("ipcache: Remove superfluous if condition")
triggers a double-free for cases a where there is a mix of users for
older and newer internal ipcache APIs. In this scenario, the older
ipcache APIs are used to inject entries into the ipcache, then
InjectLabels() attempts to allocate a new security identity reference
for the same CIDR and assumes that it already holds a reference to the
corresponding identity and releases its own reference. If the other
module ever releases its reference, then that results in freeing of the
identity regardless of its continued expected usage by users of the
newer ipcache APIs. This leads to policy recalculation that removes any
datapath allow rules for the corresponding CIDRs, ultimately resulting
in packet loss for the impacted CIDRs.

One such example involves CIDR identity restore startup logic in the
daemon. That path allocates identities then injects them into the
ipcache using older APIs. If any such CIDRs are used by network
policies, then the network policies subsystem will insert the CIDR into
the ipcache using newer ipcache APIs, which will then trigger this
double-free.

Fixes: c96b9d81a8a6 ("ipcache: Remove superfluous if condition")
Reported-by: Boris Petrovic <carnerito.b@gmail.com>
Reported-by: Kim-Eirik Karlsen <kim.eirik@gmail.com>
Reported-by: Jason Witkowski <jason@witkow.ski>
Signed-off-by: Joe Stringer <joe@cilium.io>