When an admin enables audit at early boot via the "audit=1" kernel command line, netlink send errors seen will cause the audit subsystem to drop some records or return records to the queue. And all records will be printed via printk() in the kauditd_hold_skb(), but actually only the records that will be dropped need to be printed via printk(). Signed-off-by: Gaosheng Cui <cuigaosheng1(a)huawei.com&gt; --- kernel/audit.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 7690c29d4ee4..eb3e44c849be 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -568,10 +568,6 @@ static void kauditd_rehold_skb(struct sk_buff *skb, __always_unused int error) */ static void kauditd_hold_skb(struct sk_buff *skb, int error) { - /* at this point it is uncertain if we will ever send this to auditd so - * try to send the message via printk before we go any further */ - kauditd_printk_skb(skb); - /* can we just silently drop the message? */ if (!audit_default) goto drop; @@ -600,6 +596,11 @@ static void kauditd_hold_skb(struct sk_buff *skb, int error) /* we have no other options - drop the message */ audit_log_lost("kauditd hold queue overflow"); drop: + /* at this point it is uncertain if we will ever send this to auditd so + * try to send the message via printk before we go any further + */ + kauditd_printk_skb(skb); + kfree_skb(skb); } -- 2.30.0