1 files changed, 6 insertions, 4 deletions

diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 8177010174f7..e72548b5897e 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -546,7 +546,8 @@ static int keyring_search_iterator(const void *object, void *iterator_data)
                 }
 
                 if (key->expiry && ctx->now.tv_sec >= key->expiry) {
-                        ctx->result = ERR_PTR(-EKEYEXPIRED);
+                        if (!(ctx->flags & KEYRING_SEARCH_SKIP_EXPIRED))
+                                ctx->result = ERR_PTR(-EKEYEXPIRED);
                         kleave(" = %d [expire]", ctx->skipped_ret);
                         goto skipped;
                 }
@@ -628,6 +629,10 @@ static bool search_nested_keyrings(struct key *keyring,
                ctx->index_key.type->name,
                ctx->index_key.description);
 
+#define STATE_CHECKS (KEYRING_SEARCH_NO_STATE_CHECK | KEYRING_SEARCH_DO_STATE_CHECK)
+        BUG_ON((ctx->flags & STATE_CHECKS) == 0 ||
+               (ctx->flags & STATE_CHECKS) == STATE_CHECKS);
+
         if (ctx->index_key.description)
                 ctx->index_key.desc_len = strlen(ctx->index_key.description);
 
@@ -637,7 +642,6 @@ static bool search_nested_keyrings(struct key *keyring,
         if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE ||
             keyring_compare_object(keyring, &ctx->index_key)) {
                 ctx->skipped_ret = 2;
-                ctx->flags |= KEYRING_SEARCH_DO_STATE_CHECK;
                 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) {
                 case 1:
                         goto found;
@@ -649,8 +653,6 @@ static bool search_nested_keyrings(struct key *keyring,
         }
 
         ctx->skipped_ret = 0;
-        if (ctx->flags & KEYRING_SEARCH_NO_STATE_CHECK)
-                ctx->flags &= ~KEYRING_SEARCH_DO_STATE_CHECK;
 
         /* Start processing a new keyring */
 descend_to_keyring: