Can AUDIT_LIST_RULES causes kthreadd-spam?
Tetsuo Handa
penguin-kernel at I-love.SAKURA.ne.jp
Sat May 6 06:50:26 UTC 2023
On 2023/05/06 7:12, Rinat Gadelshin wrote:
> The only one `auditctl -l` request was performed.
> I see the following response in syslog for the request:
Thanks for rules.
I tried "auditctl -l" with these rules, and I got only
audit: Started audit_send_list_thread
audit: Calling netlink_unicast (repeated for 32 times)
audit: Finished audit_send_list_thread
as output; audit_send_reply_thread is not called in my environment.
That is, for some reason (maybe some process is interfering each other)
audit_send_reply_thread is needlessly called in your environment?
In that case, fixing the cause of audit_send_reply_thread being called
could reduce the spam.
Please try to find who is calling audit_send_reply_thread for many times.
diff --git a/kernel/audit.c b/kernel/audit.c
index 9bc0b0301198..bf4fef7da692 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1006,6 +1011,7 @@ static void audit_send_reply(struct sk_buff *request_skb, int seq, int type, int
tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
if (IS_ERR(tsk))
goto err;
+ dump_stack();
return;
More information about the Linux-audit
mailing list