linux-audit.redhat.com archive mirror
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: Rinat Gadelshin <rgadelsh@gmail.com>, Paul Moore <paul@paul-moore.com>
Cc: audit@vger.kernel.org, linux-audit@redhat.com
Subject: Re: Can AUDIT_LIST_RULES causes kthreadd-spam?
Date: Thu, 4 May 2023 11:50:05 +0900
Message-ID: <9ae2c1df-1f20-a40b-35ed-1dc76b122a4f@I-love.SAKURA.ne.jp>
In-Reply-To: <e5713a91-37b0-d32f-a0d2-eb668122c9e4@gmail.com>

On 2023/05/04 7:12, Rinat Gadelshin wrote:
> On 04.05.2023 00:27, Paul Moore wrote:
>> Can you be more specific about the kernel threads you are seeing, are
>> you seeing multiple "kauditd" threads?
>>
>> % ps -fC kauditd
>> UID          PID    PPID  C STIME TTY          TIME CMD
>> root          89       2  0 Apr28 ?        00:00:00 [kauditd]

I don't think so.

The kernel audit subsystem uses kthread_run() in order to run short-lived kernel threads.

  $ git grep -nF kthread_run kernel/audit*.c
  kernel/audit.c:1006:    tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
  kernel/audit.c:1700:    kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
  kernel/audit_tree.c:789:        prune_thread = kthread_run(prune_tree_thread, NULL,
  kernel/auditfilter.c:1193:      tsk = kthread_run(audit_send_list_thread, dest, "audit_send_list");

I guess that either or both of audit_send_reply_thread/audit_send_list_thread are launched
many times.

> Are there any debug options for the kernel that I can set, rebuild the kernel,
> re-run the test and clarify the situation?

Since the comm name is not available but you can afford rebuilding kernels,
counting which thread is launched could be the first step. Also, are there any
characteristic aspects in your usage, e.g. creating many namespaces or
creating many audit rules?

Please try something like the diff below:

diff --git a/kernel/audit.c b/kernel/audit.c
index 9bc0b0301198..c28cd4ac0f30 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -911,16 +911,19 @@ int audit_send_list_thread(void *_dest)
 	struct sk_buff *skb;
 	struct sock *sk = audit_get_sk(dest->net);
 
+	pr_info("Started %s\n", __func__);
 	/* wait for parent to finish and send an ACK */
 	audit_ctl_lock();
 	audit_ctl_unlock();
 
-	while ((skb = __skb_dequeue(&dest->q)) != NULL)
+	while ((skb = __skb_dequeue(&dest->q)) != NULL) {
+		pr_info("Calling netlink_unicast\n");
 		netlink_unicast(sk, skb, dest->portid, 0);
+	}
 
 	put_net(dest->net);
 	kfree(dest);
-
+	pr_info("Finished %s\n", __func__);
 	return 0;
 }
 
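Review bot: the pr_info("Calling netlink_unicast\n") inside the while loop logs one line per dequeued skb, which for a large rule listing produces far more output than the Started/Finished pair and can push those lines out of the kernel log buffer. Consider counting the skbs in a local variable and reporting the total once in the "Finished %s" message, and adding dest->portid to both messages so that output from concurrent threads can be told apart. The blank line before return 0 that the hunk removes is also worth keeping.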
@@ -963,6 +966,7 @@ static void audit_free_reply(struct audit_reply *reply)
 static int audit_send_reply_thread(void *arg)
 {
 	struct audit_reply *reply = (struct audit_reply *)arg;
+	pr_info("Started %s\n", __func__);
 
 	audit_ctl_lock();
 	audit_ctl_unlock();
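Review bot: the pr_info("Started %s\n", __func__) call sits directly after the declaration of reply with no blank line in between, which kernel coding style (checkpatch's "Missing a blank line after declarations") flags; move it below the blank line. It also fires before the audit_ctl_lock()/audit_ctl_unlock() pair, so the interval up to "Finished" includes the wait for the parent.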
@@ -972,6 +976,7 @@ static int audit_send_reply_thread(void *arg)
 	netlink_unicast(audit_get_sk(reply->net), reply->skb, reply->portid, 0);
 	reply->skb = NULL;
 	audit_free_reply(reply);
+	pr_info("Finished %s\n", __func__);
 	return 0;
 }
 
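Review bot: the "Finished %s" line after audit_free_reply(reply) carries no identifier, so when many of these threads run at once their Started and Finished lines cannot be paired. reply->portid is available on the netlink_unicast() line; if it is added to the message, it has to be copied into a local before audit_free_reply(reply), since reply must not be dereferenced after that call.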


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
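
One way to do the counting suggested in the message once a kernel carrying those pr_info() calls is running; this is an added example, not part of the original message. The sample log lines are constructed, and the `audit: ` prefix and the names `summarize` and `SAMPLE_DMESG` are assumptions.

```python
import re
from collections import Counter

# Constructed sample of dmesg output from a kernel built with the diff above.
# The "audit: " prefix is an assumption; the parser does not depend on it.
SAMPLE_DMESG = """\
[  101.000100] audit: Started audit_send_reply_thread
[  101.000180] audit: Finished audit_send_reply_thread
[  101.200000] audit: Started audit_send_list_thread
[  101.200050] audit: Calling netlink_unicast
[  101.200090] audit: Calling netlink_unicast
[  101.200130] audit: Finished audit_send_list_thread
[  101.700000] audit: Started audit_send_list_thread
[  101.700040] audit: Calling netlink_unicast
[  102.300000] audit: Started audit_send_list_thread
[  102.300500] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

EVENT = re.compile(
    r"^\[\s*(\d+)\.\d+\]\s.*?\b(Started|Finished) (audit_send_\w+_thread)\s*$")


def summarize(dmesg_text):
    """Count thread launches per function and find the busiest second."""
    started, finished, per_second = Counter(), Counter(), Counter()
    unicast_calls = 0
    for line in dmesg_text.splitlines():
        if line.rstrip().endswith("Calling netlink_unicast"):
            unicast_calls += 1
            continue
        m = EVENT.match(line)
        if not m:
            continue  # unrelated kernel message
        second, event, func = int(m.group(1)), m.group(2), m.group(3)
        if event == "Started":
            started[func] += 1
            per_second[(func, second)] += 1
        else:
            finished[func] += 1
    return {
        "started": dict(started),
        "unfinished": {f: started[f] - finished[f] for f in started},
        "peak_per_second": max(per_second.values(), default=0),
        "unicast_calls": unicast_calls,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_DMESG))
```

A high `started` count for one function with a high `peak_per_second` points at the thread being launched in bursts; `unfinished` shows threads that logged "Started" but had not logged "Finished" when the log was captured.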

