Hi Laurent, Sorry for the lack of time and no reply to this.
On Fri, Jul 14, 2017 at 02:40:02PM +0200, Laurent Bigonville wrote: > Le 09/07/17 à 21:58, Salvatore Bonaccorso a écrit : > > Hi > Hi, > > > Unconfirmed, but the behaviour you are seen might be related to the > > changes which went in in 4.11 around > > 264d509637d95f9404e52ced5003ad352e0f6a26 . > > > > https://git.kernel.org/linus/264d509637d95f9404e52ced5003ad352e0f6a26 > > > > I posted on the linux-audit mailing list and I get the following reply from > Paul Moore: > > > On Mon, Jul 10, 2017 at 10:59 AM, Laurent Bigonville<bi...@debian.org> > > wrote: > > > Hi, > > > > > > With 4.11.6 (that has been uploaded in debian unstable) I get a lot of > > > messages in dmesg like > > > > > > [100052.120468] audit: audit_lost=66041 audit_rate_limit=0 > > > audit_backlog_limit=8192 > > > [100052.120470] audit: kauditd hold queue overflow > > > > > > And it also seems that the messages are not stored in auditd logs anymore. > > > > > > https://git.kernel.org/linus/264d509637d95f9404e52ced5003ad352e0f6a26 > > > seems > > > to be included in this release > > > > > > An idea? > > I'm going to assume that your backlog limit is set to a sane value for > > your system's configuration, so that leaves me with two commits that > > may be of interest: > > > > * 1df30f8264b8 ("audit: fix the RCU locking for the auditd_connection > > structure") > > > > This was a manual backport of a v4.12 patch to v4.11, looking now, I > > see it should be in +v4.11.5 so that probably isn't your problem ... > > > > * c81be52a3ac0 ("audit: fix a race condition with the auditd tracking code") > > > > This patch is relatively new and was just sent up to Linus during the > > next merge window; it's a race condition fix so reproducing it can be > > tricky, although it may be easily reproducible on your system at the > > moment (luck you!). If you aren't in a position to apply the patch, > > the workaround is rather simple: restart auditd. > > > > If none of the above works, let me know, but I strongly suspect you're > > tripping over the race condition fixed in that last patch. > > I still should test the last patch he mentioned Did you manage to test the last patch he mentioned? And does it resolve the issue? Regards, Salvatore