From c4b7a7755f91081e430bbd58fec77194b05f834b Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs
Date: Wed, 13 Jan 2016 09:15:18 -0500
Subject: audit: don't needlessly reset valid wait time
After auditd has recovered from an overflowed queue, the first process that doesn't use reserves to make it through the queue checks should reset the audit backlog wait time to the configured value. After that, there is no need to keep resetting it.
Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
kernel/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'kernel')
diff --git a/kernel/audit.c b/kernel/audit.c
index 5ffcbd354a52..6d00bd1ff249 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1400,7 +1400,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 return NULL;
 }
- if (!reserve)
+ if (!reserve && !audit_backlog_wait_time)
 audit_backlog_wait_time = audit_backlog_wait_time_master;
 ab = audit_buffer_alloc(ctx, gfp_mask, type);
-- cgit v1.2.3-59-g8ed1b
From eb8baf6aa3ba1fcb1c1fd2cc57e31195a42689fd Mon Sep 17 00:00:00 2001
From: Paul Moore
Date: Wed, 13 Jan 2016 09:15:18 -0500
Subject: audit: remove audit_backlog_wait_overflow
It seems much more obvious and readable to simply use "0".
Signed-off-by: Paul Moore
---
kernel/audit.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'kernel')
diff --git a/kernel/audit.c b/kernel/audit.c
index 6d00bd1ff249..07d60e4b2af8 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -110,7 +110,6 @@ static u32 audit_backlog_limit = 64;
 #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)
 static u32 audit_backlog_wait_time_master = AUDIT_BACKLOG_WAIT_TIME;
 static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
-static u32 audit_backlog_wait_overflow = 0;
 /* The identity of the user shutting down the audit system. */
 kuid_t audit_sig_uid = INVALID_UID;
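Review bot: With the added `!audit_backlog_wait_time` test, the value 0 becomes the only state in which the master value is copied back, so 0 now doubles as an "overflowed" sentinel (the later hunk in this series that writes `audit_backlog_wait_time = 0;` on overflow is what sets it). If the configuration path updates only `audit_backlog_wait_time_master` (it is not visible here, so this needs checking), a changed wait time would no longer reach `audit_backlog_wait_time` until the next overflow, whereas the old unconditional assignment propagated it on every non-reserve call. The variable is also tested and assigned here without any visible lock or `READ_ONCE()`/`WRITE_ONCE()`, so the test-then-assign can interleave with the overflow path. A comment such as `/* 0 means the queue overflowed; restore the configured wait once a non-reserve caller gets through */` above the `if` would record the convention. audit_log_start() begins and ends outside the hunk.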
@@ -1395,7 +1394,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 skb_queue_len(&audit_skb_queue),
 audit_backlog_limit);
 audit_log_lost("backlog limit exceeded");
- audit_backlog_wait_time = audit_backlog_wait_overflow;
+ audit_backlog_wait_time = 0;
 wake_up(&audit_backlog_wait);
 return NULL;
 }
-- cgit v1.2.3-59-g8ed1b
From f48a942926c58e4b2dfc3f21c58579d5435841ef Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs
Date: Wed, 13 Jan 2016 09:15:19 -0500
Subject: audit: include auditd's threads in audit_log_start() wait exception
Should auditd spawn threads, allow all members of its thread group to use the audit_backlog_limit reserves to bypass the queue limits too.
Signed-off-by: Richard Guy Briggs
[PM: minor upstream merge tweaks]
Signed-off-by: Paul Moore
---
kernel/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'kernel')
diff --git a/kernel/audit.c b/kernel/audit.c
index 07d60e4b2af8..60c9c5adc5be 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1371,7 +1371,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 return NULL;
 if (gfp_mask & __GFP_DIRECT_RECLAIM) {
- if (audit_pid && audit_pid == current->pid)
+ if (audit_pid && audit_pid == current->tgid)
 gfp_mask &= ~__GFP_DIRECT_RECLAIM;
 else
 reserve = 0;
-- cgit v1.2.3-59-g8ed1b
From 1194b994bec308433cc84ffdb92fd668713b8f93 Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs
Date: Wed, 13 Jan 2016 09:18:54 -0500
Subject: audit: wake up threads if queue switched from limited to unlimited
If the audit_backlog_limit is changed from a limited value to an unlimited value (zero) while the queue was overflowed, wake up the audit_backlog_wait queue to allow those processes to continue.
Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
kernel/audit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'kernel')
diff --git a/kernel/audit.c b/kernel/audit.c
index 60c9c5adc5be..d7b675781934 100644
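Review bot: The reserve exemption at `if (audit_pid && audit_pid == current->tgid)` rests on a bare numeric comparison, which is sound only if audit_pid always holds a thread-group id taken in the same pid namespace as `current->tgid` and is cleared when the daemon goes away; neither is visible in this hunk. If audit_pid were stale, an unrelated task that later received the same id would be treated as auditd here, losing `__GFP_DIRECT_RECLAIM` and keeping the backlog reserve. I would add a comment above the test, e.g. `/* audit_pid is auditd's tgid; every thread in its group may use the reserve */`, and read the id through `task_tgid_nr(current)` rather than the raw field. audit_log_start() starts and ends outside the hunk.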
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -523,7 +523,8 @@ static int kauditd_thread(void *dummy)
 skb = skb_dequeue(&audit_skb_queue);
 if (skb) {
- if (skb_queue_len(&audit_skb_queue) <= audit_backlog_limit)
+ if (!audit_backlog_limit ||
+ (skb_queue_len(&audit_skb_queue) <= audit_backlog_limit))
 wake_up(&audit_backlog_wait);
 if (audit_pid)
 kauditd_send_skb(skb);
-- cgit v1.2.3-59-g8ed1b
From d865e573b8a4f30fbb74fa7666ca81e3132eb547 Mon Sep 17 00:00:00 2001
From: Markus Elfring
Date: Wed, 13 Jan 2016 09:18:55 -0500
Subject: audit: Delete unnecessary checks before two function calls
The functions consume_skb() and kfree_skb() test whether their argument is NULL and then return immediately. Thus the tests around their calls are not needed. This issue was detected by using the Coccinelle software.
Signed-off-by: Markus Elfring
[PM: tweak patch prefix]
Signed-off-by: Paul Moore
---
kernel/audit.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
(limited to 'kernel')
diff --git a/kernel/audit.c b/kernel/audit.c
index d7b675781934..d6dd95cc59e6 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -508,8 +508,7 @@ static void flush_hold_queue(void)
 * if auditd just disappeared but we
 * dequeued an skb we need to drop ref
 */
- if (skb)
- consume_skb(skb);
+ consume_skb(skb);
 }
 static int kauditd_thread(void *dummy)
@@ -1232,9 +1231,7 @@ static void audit_buffer_free(struct audit_buffer *ab)
 if (!ab)
 return;
- if (ab->skb)
- kfree_skb(ab->skb);
-
+ kfree_skb(ab->skb);
 spin_lock_irqsave(&audit_freelist_lock, flags);
 if (audit_freelist_count > AUDIT_MAXFREE)
 kfree(ab);
-- cgit v1.2.3-59-g8ed1b
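Review bot: In the new condition `!audit_backlog_limit || (skb_queue_len(&audit_skb_queue) <= audit_backlog_limit)` in kauditd_thread() the limit is read twice with no visible lock, so a concurrent configuration change can make the two halves test different values. Taking one snapshot, `u32 limit = READ_ONCE(audit_backlog_limit);`, and testing `!limit || skb_queue_len(&audit_skb_queue) <= limit` keeps the decision consistent. The wake-up also still depends on an skb being dequeued; if the code that sets the limit (not shown) does not wake audit_backlog_wait itself, waiters presumably stay blocked until the next record is dequeued or their wait times out. kauditd_thread() continues outside the hunk.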