Re: audit_log_drain

* Steve Grubb (sgrubb(a)redhat.com) wrote: What is Kris's test program? I was simply using something like: while : do < /dev/null done With an audit rule to match that open. This causes congestion immediately. It shouldn't matter. The act of dropping should re-schedule a drain. I'd rather not see magic numbers (esp. if they are somewhat arbitrary). For my test, it at least always waits until the backlog to give a too full/busy message. My experience has been that once congested there's little to no recovery that will happen, so in that sense the change borders a bit on academic. I never tested with an audit buffer with long skb list. But, given all that I don't see the value of the old code. This differs from yours only in that I drop the 3, and change to requeueing at the head. Does it still work for you? thanks, -chris -- ===== kernel/audit.c 1.11 vs edited ===== --- 1.11/kernel/audit.c 2005-03-11 12:32:31 -08:00 +++ edited/kernel/audit.c 2005-04-06 15:28:52 -07:00 @@ -142,7 +142,6 @@ struct audit_buffer { int total; int type; int pid; - int count; /* Times requeued */ }; void audit_set_type(struct audit_buffer *ab, int type) @@ -522,9 +531,9 @@ static inline int audit_log_drain(struct retval = netlink_unicast(audit_sock, skb, audit_pid, MSG_DONTWAIT); } - if (retval == -EAGAIN && ab->count < 5) { - ++ab->count; - skb_queue_tail(&ab->sklist, skb); + if (retval == -EAGAIN && + (atomic_read(&audit_backlog)) < audit_backlog_limit) { + skb_queue_head(&ab->sklist, skb); audit_log_end_irq(ab); return 1; } @@ -662,7 +676,6 @@ struct audit_buffer *audit_log_start(str ab->total = 0; ab->type = AUDIT_KERNEL; ab->pid = 0; - ab->count = 0; #ifdef CONFIG_AUDITSYSCALL if (ab->ctx)