diff --git a/security/keys/encrypted.c b/security/keys/encrypted.c index b1cba5bf0a5e3..e14c4beb82131 100644 --- a/security/keys/encrypted.c +++ b/security/keys/encrypted.c @@ -708,6 +708,8 @@ static int encrypted_update(struct key *key, const void *data, size_t datalen) char *new_master_desc = NULL; int ret = 0; + if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) + return -ENOKEY; if (datalen <= 0 || datalen > 32767 || !data) return -EINVAL; diff --git a/security/keys/trusted.c b/security/keys/trusted.c index 0c33e2ea1f3c3..7611f703be57b 100644 --- a/security/keys/trusted.c +++ b/security/keys/trusted.c @@ -1002,12 +1002,15 @@ static void trusted_rcu_free(struct rcu_head *rcu) */ static int trusted_update(struct key *key, const void *data, size_t datalen) { - struct trusted_key_payload *p = key->payload.data; + struct trusted_key_payload *p; struct trusted_key_payload *new_p; struct trusted_key_options *new_o; char *datablob; int ret = 0; + if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) + return -ENOKEY; + p = key->payload.data; if (!p->migratable) return -EPERM; if (datalen <= 0 || datalen > 32767 || !data) diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c index 69ff52c08e97b..49ec88167a4e9 100644 --- a/security/keys/user_defined.c +++ b/security/keys/user_defined.c @@ -97,7 +97,10 @@ int user_update(struct key *key, const void *data, size_t datalen) if (ret == 0) { /* attach the new data, displacing the old */ - zap = key->payload.data; + if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags)) + zap = key->payload.data; + else + zap = NULL; rcu_assign_pointer(key->payload.data, upayload); key->expiry = 0; }