4 files changed, 19 insertions, 11 deletions
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index 927db9f35ad6..696ccfa08d10 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -845,6 +845,8 @@ static int encrypted_update(struct key *key, struct key_preparsed_payload *prep)
        size_t datalen = prep->datalen;
        int ret = 0;
+        if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+                return -ENOKEY;
        if (datalen <= 0 || datalen > 32767 || !prep->data)
                return -EINVAL;
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index fb111eafcb89..1c3872aeed14 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -751,16 +751,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
        /* the key is probably readable - now try to read it */
 can_read_key:
-        ret = key_validate(key);
+        ret = -EOPNOTSUPP;
-        if (ret == 0) {
+        if (key->type->read) {
-                ret = -EOPNOTSUPP;
+                /* Read the data with the semaphore held (since we might sleep)
-                if (key->type->read) {
+                 * to protect against the key being updated or revoked.
-                        /* read the data with the semaphore held (since we
+                 */
-                         * might sleep) */
+                down_read(&key->sem);
-                        down_read(&key->sem);
+                ret = key_validate(key);
+                if (ret == 0)
                        ret = key->type->read(key, buffer, buflen);
-                        up_read(&key->sem);
+                up_read(&key->sem);
-                }
        }
 error2:
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 903dace648a1..16dec53184b6 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -1007,13 +1007,16 @@ static void trusted_rcu_free(struct rcu_head *rcu)
 */
 static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
 {
-        struct trusted_key_payload *p = key->payload.data[0];
+        struct trusted_key_payload *p;
        struct trusted_key_payload *new_p;
        struct trusted_key_options *new_o;
        size_t datalen = prep->datalen;
        char *datablob;
        int ret = 0;
+        if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+                return -ENOKEY;
+        p = key->payload.data[0];
        if (!p->migratable)
                return -EPERM;
        if (datalen <= 0 || datalen > 32767 || !prep->data)
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 28cb30f80256..8705d79b2c6f 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -120,7 +120,10 @@ int user_update(struct key *key, struct key_preparsed_payload *prep)
        if (ret == 0) {
                /* attach the new data, displacing the old */
-                zap = key->payload.data[0];
+                if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+                        zap = key->payload.data[0];
+                else
+                        zap = NULL;
                rcu_assign_keypointer(key, upayload);
                key->expiry = 0;
        }