Commit 320f1b1ed28c601cc152053a2f428a126cb608bc
Committed by
Al Viro
1 parent
148b38dc93
Exists in
master
and in
4 other branches
[AUDIT] ratelimit printk messages audit
some printk messages from the audit system can become excessive. This patch ratelimits those messages. It was found that messages, such as the audit backlog lost printk message could flood the logs to the point that a machine could take an nmi watchdog hit or otherwise become unresponsive. Signed-off-by: Eric Paris <eparis@redhat.com>
Showing 1 changed file with 18 additions and 9 deletions Side-by-side Diff
kernel/audit.c
... | ... | @@ -166,7 +166,8 @@ |
166 | 166 | case AUDIT_FAIL_SILENT: |
167 | 167 | break; |
168 | 168 | case AUDIT_FAIL_PRINTK: |
169 | - printk(KERN_ERR "audit: %s\n", message); | |
169 | + if (printk_ratelimit()) | |
170 | + printk(KERN_ERR "audit: %s\n", message); | |
170 | 171 | break; |
171 | 172 | case AUDIT_FAIL_PANIC: |
172 | 173 | panic("audit: %s\n", message); |
... | ... | @@ -234,11 +235,13 @@ |
234 | 235 | } |
235 | 236 | |
236 | 237 | if (print) { |
237 | - printk(KERN_WARNING | |
238 | - "audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n", | |
239 | - atomic_read(&audit_lost), | |
240 | - audit_rate_limit, | |
241 | - audit_backlog_limit); | |
238 | + if (printk_ratelimit()) | |
239 | + printk(KERN_WARNING | |
240 | + "audit: audit_lost=%d audit_rate_limit=%d " | |
241 | + "audit_backlog_limit=%d\n", | |
242 | + atomic_read(&audit_lost), | |
243 | + audit_rate_limit, | |
244 | + audit_backlog_limit); | |
242 | 245 | audit_panic(message); |
243 | 246 | } |
244 | 247 | } |
... | ... | @@ -352,7 +355,11 @@ |
352 | 355 | audit_pid = 0; |
353 | 356 | } |
354 | 357 | } else { |
355 | - printk(KERN_NOTICE "%s\n", skb->data + NLMSG_SPACE(0)); | |
358 | + if (printk_ratelimit()) | |
359 | + printk(KERN_NOTICE "%s\n", skb->data + | |
360 | + NLMSG_SPACE(0)); | |
361 | + else | |
362 | + audit_log_lost("printk limit exceeded\n"); | |
356 | 363 | kfree_skb(skb); |
357 | 364 | } |
358 | 365 | } else { |
... | ... | @@ -1066,7 +1073,7 @@ |
1066 | 1073 | remove_wait_queue(&audit_backlog_wait, &wait); |
1067 | 1074 | continue; |
1068 | 1075 | } |
1069 | - if (audit_rate_check()) | |
1076 | + if (audit_rate_check() && printk_ratelimit()) | |
1070 | 1077 | printk(KERN_WARNING |
1071 | 1078 | "audit: audit_backlog=%d > " |
1072 | 1079 | "audit_backlog_limit=%d\n", |
1073 | 1080 | |
... | ... | @@ -1349,9 +1356,11 @@ |
1349 | 1356 | skb_queue_tail(&audit_skb_queue, ab->skb); |
1350 | 1357 | ab->skb = NULL; |
1351 | 1358 | wake_up_interruptible(&kauditd_wait); |
1352 | - } else { | |
1359 | + } else if (printk_ratelimit()) { | |
1353 | 1360 | struct nlmsghdr *nlh = nlmsg_hdr(ab->skb); |
1354 | 1361 | printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data + NLMSG_SPACE(0)); |
1362 | + } else { | |
1363 | + audit_log_lost("printk limit exceeded\n"); | |
1355 | 1364 | } |
1356 | 1365 | } |
1357 | 1366 | audit_buffer_free(ab); |