commit 320f1b1ed28c601cc152053a2f428a126cb608bc · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

[AUDIT] ratelimit printk messages audit

some printk messages from the audit system can become excessive. This
patch ratelimits those messages. It was found that messages, such as
the audit backlog lost printk message could flood the logs to the point
that a machine could take an nmi watchdog hit or otherwise become
unresponsive.

Signed-off-by: Eric Paris <eparis@redhat.com>

authored by Eric Paris and committed by Al Viro 18 years ago 320f1b1e 148b38dc

+18 -9

1 changed file

expand all

unified split

kernel

audit.c

+18 -9

kernel/audit.c

··· 166 166 case AUDIT_FAIL_SILENT: 167 167 break; 168 168 case AUDIT_FAIL_PRINTK: 169 - printk(KERN_ERR "audit: %s\n", message); 169 + if (printk_ratelimit()) 170 + printk(KERN_ERR "audit: %s\n", message); 170 171 break; 171 172 case AUDIT_FAIL_PANIC: 172 173 panic("audit: %s\n", message); ··· 235 234 } 236 235 237 236 if (print) { 238 - printk(KERN_WARNING 239 - "audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n", 240 - atomic_read(&audit_lost), 241 - audit_rate_limit, 242 - audit_backlog_limit); 237 + if (printk_ratelimit()) 238 + printk(KERN_WARNING 239 + "audit: audit_lost=%d audit_rate_limit=%d " 240 + "audit_backlog_limit=%d\n", 241 + atomic_read(&audit_lost), 242 + audit_rate_limit, 243 + audit_backlog_limit); 243 244 audit_panic(message); 244 245 } 245 246 } ··· 355 352 audit_pid = 0; 356 353 } 357 354 } else { 358 - printk(KERN_NOTICE "%s\n", skb->data + NLMSG_SPACE(0)); 355 + if (printk_ratelimit()) 356 + printk(KERN_NOTICE "%s\n", skb->data + 357 + NLMSG_SPACE(0)); 358 + else 359 + audit_log_lost("printk limit exceeded\n"); 359 360 kfree_skb(skb); 360 361 } 361 362 } else { ··· 1073 1066 remove_wait_queue(&audit_backlog_wait, &wait); 1074 1067 continue; 1075 1068 } 1076 - if (audit_rate_check()) 1069 + if (audit_rate_check() && printk_ratelimit()) 1077 1070 printk(KERN_WARNING 1078 1071 "audit: audit_backlog=%d > " 1079 1072 "audit_backlog_limit=%d\n", ··· 1356 1349 skb_queue_tail(&audit_skb_queue, ab->skb); 1357 1350 ab->skb = NULL; 1358 1351 wake_up_interruptible(&kauditd_wait); 1359 - } else { 1352 + } else if (printk_ratelimit()) { 1360 1353 struct nlmsghdr *nlh = nlmsg_hdr(ab->skb); 1361 1354 printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data + NLMSG_SPACE(0)); 1355 + } else { 1356 + audit_log_lost("printk limit exceeded\n"); 1362 1357 } 1363 1358 } 1364 1359 audit_buffer_free(ab);