diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index 2d1bb8af7696..988a7e227c45 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -843,6 +843,8 @@ static int encrypted_update(struct key *key, const void *data, size_t datalen)
 	const char *format = NULL;
 	int ret = 0;
 
+	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+		return -ENOKEY;
 	if (datalen <= 0 || datalen > 32767 || !data)
 		return -EINVAL;
 
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 2d5d041f2049..9614dbcae8a9 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -1013,12 +1013,15 @@ static void trusted_rcu_free(struct rcu_head *rcu)
  */
 static int trusted_update(struct key *key, const void *data, size_t datalen)
 {
-	struct trusted_key_payload *p = key->payload.data;
+	struct trusted_key_payload *p;
 	struct trusted_key_payload *new_p;
 	struct trusted_key_options *new_o;
 	char *datablob;
 	int ret = 0;
 
+	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+		return -ENOKEY;
+	p = key->payload.data;
 	if (!p->migratable)
 		return -EPERM;
 	if (datalen <= 0 || datalen > 32767 || !data)
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index c7660a25a3e4..f89846f6bd36 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -117,7 +117,10 @@ int user_update(struct key *key, const void *data, size_t datalen)
 
 	if (ret == 0) {
 		/* attach the new data, displacing the old */
-		zap = key->payload.data;
+		if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+			zap = key->payload.data;
+		else
+			zap = NULL;
 		rcu_assign_keypointer(key, upayload);
 		key->expiry = 0;
 	}