diff --git a/security/keys/gc.c b/security/keys/gc.c
index f85d6381c06..9e496adfa3d 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -174,8 +174,10 @@ static noinline void key_gc_unused_key(struct key *key)
 {
 	key_check(key);
 
-	/* Throw away the key data */
-	if (key->type->destroy)
+	/* Throw away the key data if the key is instantiated */
+	if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
+	    !test_bit(KEY_FLAG_NEGATIVE, &key->flags) &&
+	    key->type->destroy)
 		key->type->destroy(key);
 
 	security_key_free(key);