Re: [PATCH v2 1/2] audit: fix removal of dangling executable rules

From: Ricardo Robaina

Date: Wed May 27 2026 - 08:42:53 EST


On Tue, May 26, 2026 at 8:00 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On May 13, 2026 Ricardo Robaina <rrobaina@xxxxxxxxxx> wrote:
> >
> > When an audited executable is deleted from the disk, its dentry
> > becomes negative. Any later attempt to delete the associated audit
> > rule will lead to audit_alloc_mark() encountering this negative
> > dentry and immediately aborting, returning -ENOENT.
> >
> > This early abort prevents the subsystem from allocating the temporary
> > fsnotify mark needed to construct the search key, meaning the kernel
> > cannot find the existing rule in its own lists to delete it. This
> > leaves a dangling rule in memory, resulting in the following error
> > while attempting to delete the rule:
> >
> > # ./audit-dupe-exe-deadlock.sh
> > No rules
> > Error deleting rule (No such file or directory)
> > There was an error while processing parameters
> >
> > # auditctl -l
> > -a always,exit -S all -F exe=/tmp/file -F path=/tmp/file -F key=dr
> >
> > # auditctl -D
> > Error deleting rule (No such file or directory)
> > There was an error while processing parameters
> >
> > This patch fixes this issue by removing the d_really_is_negative()
> > check. By doing so, a dummy mark can be successfully generated for
> > the deleted path, which allows the audit subsystem to properly match
> > and flush the dangling rule.
> >
> > Fixes: 76a53de6f7ff ("VFS/audit: introduce kern_path_parent() for audit")
> > Acked-by: Waiman Long <longman@xxxxxxxxxx>
> > Acked-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
> > Signed-off-by: Ricardo Robaina <rrobaina@xxxxxxxxxx>
> > ---
> > Changes in v2:
> > - New patch order: now patch 1/2 (was 2/2 in v1) per maintainer feedback
> >
> > kernel/audit_fsnotify.c | 4 ----
> > 1 file changed, 4 deletions(-)
>
> Annotated for stable, but merged into audit/dev as I want to give this a
> few extra weeks of soak time in linux-next.
>
> --
> paul-moore.com
>

Thanks, Paul!
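The failure described in the quoted commit message affects rules whose `exe=` target has since been deleted. As an added example (not part of this thread or of the kernel patch), the following shell function reads `auditctl -l` style output and lists such rules. The function name `dangling_exe_rules` and the sample rules are constructed for illustration, and it assumes unquoted paths without spaces that are checked from the caller's own mount namespace.

```shell
#!/bin/sh
# Added example: report loaded audit rules whose "-F exe=" target no longer
# exists on disk. Reads rule lines in the format printed by `auditctl -l`
# on stdin and prints "<exe path><TAB><full rule>" for each match.
# Assumption: paths are unquoted and contain no spaces.
dangling_exe_rules() {
    while IFS= read -r rule; do
        # Only rules carrying an exe= equality field are of interest;
        # "exe!=" fields do not match this pattern and are skipped.
        case $rule in
            *"-F exe="*) ;;
            *) continue ;;
        esac
        exe=${rule#*-F exe=}   # drop everything up to and including "-F exe="
        exe=${exe%% *}         # keep text up to the next space
        [ -n "$exe" ] || continue
        if [ ! -e "$exe" ]; then
            printf '%s\t%s\n' "$exe" "$rule"
        fi
    done
}

# Demo on constructed input (not captured from a real host): one rule whose
# executable exists, one whose executable is missing, one plain watch rule.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/present"
    dangling_exe_rules <<EOF
-a always,exit -S all -F exe=$tmp/present -F key=ok
-a always,exit -S all -F exe=$tmp/deleted -F path=$tmp/deleted -F key=dr
-w /etc/passwd -p wa -k identity
EOF
    rm -rf "$tmp"
}
demo
```

On a live system the input would come from `auditctl -l | dangling_exe_rules`, run as root.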