/var/log/messages: backlog limit exceeded
David Woodhouse
dwmw2 at infradead.org
Mon Jun 20 15:27:07 UTC 2005
On Mon, 2005-06-20 at 10:50 +0100, David Woodhouse wrote:
> Assuming this approach is satisfactory we may want to look for more
> callers which can be converted to audit_log_start_wait(), and perhaps
> give a few more slots to the atomic callers, so there's always space
> for them.
Something like this...
--- kernel-2.6.9/linux-2.6.9/kernel/audit.c 2005-06-20 16:12:48.000000000 +0100
+++ kernel-2.6.9-running/linux-2.6.9/kernel/audit.c 2005-06-20 16:18:37.000000000 +0100
@@ -449,7 +449,7 @@ static int audit_receive_msg(struct sk_b
return -ESRCH;
if (audit_enabled && audit_filter_user(tsk, msg_type)) {
- ab = audit_log_start(NULL, msg_type);
+ ab = audit_log_start_wait(NULL, msg_type);
if (ab) {
audit_log_format(ab,
"user pid=%d uid=%u auid=%u msg='%.1024s'",
@@ -707,7 +707,7 @@ struct audit_buffer *__audit_log_start(s
return NULL;
while (audit_backlog_limit
- && skb_queue_len(&audit_skb_queue) > audit_backlog_limit) {
+ && skb_queue_len(&audit_skb_queue) > audit_backlog_limit + wait?0:5) {
if (wait) {
int ret = 1;
/* Wait for auditd to drain the queue a little */
--
dwmw2
More information about the Linux-audit
mailing list