On Tue, May 12, 2026 at 4:12 PM Paul Moore <[email protected]> wrote: > > On Apr 14, 2026 Ricardo Robaina <[email protected]> wrote: > > > > When an audited executable is deleted from the disk, its dentry > > becomes negative. Any later attempt to delete the associated audit > > rule will lead to audit_alloc_mark() encountering this negative > > dentry and immediately aborting, returning -ENOENT. > > > > This early abort prevents the subsystem from allocating the temporary > > fsnotify mark needed to construct the search key, meaning the kernel > > cannot find the existing rule in its own lists to delete it. This > > leaves a dangling rule in memory, resulting in the following error > > while attempting to delete the rule: > > > > # ./audit-dupe-exe-deadlock.sh > > No rules > > Error deleting rule (No such file or directory) > > There was an error while processing parameters > > > > # auditctl -l > > -a always,exit -S all -F exe=/tmp/file -F path=/tmp/file -F key=dr > > > > # auditctl -D > > Error deleting rule (No such file or directory) > > There was an error while processing parameters > > > > This patch fixes this issue by removing the d_really_is_negative() > > check. By doing so, a dummy mark can be successfully generated for > > the deleted path, which allows the audit subsystem to properly match > > and flush the dangling rule. > > > > Fixes: 76a53de6f7ff ("VFS/audit: introduce kern_path_parent() for audit") > > Acked-by: Waiman Long <[email protected]> > > Signed-off-by: Ricardo Robaina <[email protected]> > > Acked-by: Richard Guy Briggs <[email protected]> > > --- > > kernel/audit_fsnotify.c | 4 ---- > > 1 file changed, 4 deletions(-) > > Good catch. I might reorder the patchset so this patch comes first > in the patchset, but this isn't a big deal either way. > > -- > paul-moore.com >
I'm sending the v2 reordered. Thanks for reviewing it as well!
