From 135ed491d1ce7abc135ac53a41354dcab4987dc0 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Mon, 22 Jan 2024 12:06:34 +0100
Subject: [PATCH] Do not drop keys from keyring on successfull reencryption
 recovery.

The key might be needed in activation of ordinary LUKS2 device
provided the recovery took place in before device activation
and actually finished LUKS2 device reencryption.

Fixes: #863.
---
 lib/luks2/luks2_reencrypt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
index 05bef5b2..72160036 100644
--- a/lib/luks2/luks2_reencrypt.c
+++ b/lib/luks2/luks2_reencrypt.c
@@ -4463,7 +4463,8 @@ int LUKS2_reencrypt_locked_recovery_by_vks(struct crypt_device *cd,
 	r = reencrypt_recovery(cd, hdr, device_size, vks);
 
 out:
-	crypt_drop_keyring_key(cd, vks);
+	if (r < 0)
+		crypt_drop_keyring_key(cd, vks);
 	return r;
 }
 #endif