On Apr 14, 2026 Ricardo Robaina <[email protected]> wrote:
>
> When an audited executable is deleted from the disk, its dentry
> becomes negative. Any later attempt to delete the associated audit
> rule will lead to audit_alloc_mark() encountering this negative
> dentry and immediately aborting, returning -ENOENT.
>
> This early abort prevents the subsystem from allocating the temporary
> fsnotify mark needed to construct the search key, meaning the kernel
> cannot find the existing rule in its own lists to delete it. This
> leaves a dangling rule in memory, resulting in the following error
> while attempting to delete the rule:
>
> # ./audit-dupe-exe-deadlock.sh
> No rules
> Error deleting rule (No such file or directory)
> There was an error while processing parameters
>
> # auditctl -l
> -a always,exit -S all -F exe=/tmp/file -F path=/tmp/file -F key=dr
>
> # auditctl -D
> Error deleting rule (No such file or directory)
> There was an error while processing parameters
>
> This patch fixes this issue by removing the d_really_is_negative()
> check. By doing so, a dummy mark can be successfully generated for
> the deleted path, which allows the audit subsystem to properly match
> and flush the dangling rule.
>
> Fixes: 76a53de6f7ff ("VFS/audit: introduce kern_path_parent() for audit")
> Acked-by: Waiman Long <[email protected]>
> Signed-off-by: Ricardo Robaina <[email protected]>
> Acked-by: Richard Guy Briggs <[email protected]>
> ---
>  kernel/audit_fsnotify.c | 4 ----
>  1 file changed, 4 deletions(-)
Good catch. I might reorder the patchset so this patch comes first in the patchset, but this isn't a big deal either way.

-- 
paul-moore.com
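An added example, not part of this thread or of the kernel patch: a small POSIX shell script that scans `auditctl -l` style rule output for `-F exe=` and `-F path=` filters whose target no longer exists on disk. That is exactly the state the patch description is about, where an unpatched audit_alloc_mark() hits the negative dentry and `auditctl -D` fails with ENOENT, so listing such rules ahead of a rule flush tells an administrator which entries are at risk. The function names, the sample rule lines and the `/nonexistent/...` paths are constructed for this example; on a real host, pipe real `auditctl -l` output into `find_dangling_file_filters`.

```shell
#!/bin/sh
# Added example (not from the patch or the thread): report audit rule filters
# of the form "-F exe=/path" or "-F path=/path" whose target is missing.
# Such rules are the ones an unpatched kernel cannot delete by path, because
# audit_alloc_mark() aborts with -ENOENT on the negative dentry.

# Constructed sample of `auditctl -l` output so the script runs offline.
# On a real system use: auditctl -l | find_dangling_file_filters
SAMPLE_RULES='-a always,exit -S all -F exe=/nonexistent/audited-bin -F path=/nonexistent/audited-bin -F key=dr
-a always,exit -S all -F exe=/bin/sh -F key=shell
-w /etc/passwd -p wa -k identity'

# Read rule lines from stdin; print "<filter> <path>" for every exe= or path=
# filter whose path does not exist. Only "-F" filters are inspected; "-w"
# watch rules are left alone because they are keyed differently.
find_dangling_file_filters() {
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        # Split the rule on whitespace (assumes paths without spaces, as
        # auditctl prints them) and look for "-F" followed by exe=/path=.
        set -- $rule
        prev=""
        for tok in "$@"; do
            if [ "$prev" = "-F" ]; then
                case "$tok" in
                    exe=*|path=*)
                        name=${tok%%=*}
                        target=${tok#*=}
                        [ -e "$target" ] || printf '%s %s\n' "$name" "$target"
                        ;;
                esac
            fi
            prev=$tok
        done
    done
}

# Return (on stdout) the number of dangling filters found in the given rule text.
count_dangling() {
    printf '%s\n' "$1" | find_dangling_file_filters | wc -l | tr -d ' '
}

# Demonstration on the constructed sample: the first rule yields two lines
# (exe and path both point at /nonexistent/audited-bin), the others none.
printf '%s\n' "$SAMPLE_RULES" | find_dangling_file_filters
```

The check is purely read-only: it only tells you which rules reference files that have since been removed, so you know which `auditctl -D` failures to expect on a kernel without this fix and which rules to look at once the fix is in place.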

