On 2023/05/10 21:12, Rinat Gadelshin wrote:
>> Please try to find who is calling audit_send_reply_thread many times.
>>
> I've rebuilt the kernel with 'dump stack()'.

Oops, I thought dump_stack() shows pid and comm name, but it is
dump_stack_print_info() that shows pid and comm name.

> As far as I can see, it's the exit of `sendto` syscall.
> It seems that the kernel just creates a new kthreadd for each sendto syscall.
> But I think that I'm wrong and just missing something.

Yes, sendto() on netlink socket calls netlink_sendmsg().
For some reason, audit_send_reply() is called many times.

audit_send_reply() is called by audit_receive_msg() for the following types.

  AUDIT_GET
  AUDIT_SIGNAL_INFO
  AUDIT_TTY_GET
  AUDIT_GET_FEATURE

Would you re-capture with

- dump_stack();
+ pr_info("%s %s:%d type=%d\n", __func__, current->comm, current->pid, type);

?

Regardless of the result of re-capture, it seems there is no switch that can
prevent audit_send_reply() from calling kthread_run(audit_send_reply_thread).

But since kthreadd runs with PID=2 and PPID=0, you might be able to use PID=2
and/or PPID=0 in your rules in order to let kernel audit subsystem ignore kthreadd.
(I can't test because I haven't found how to reproduce audit_receive_msg() in my
environment...)

# cat /proc/2/status
Name: kthreadd
Umask: 0000
State: S (sleeping)
Tgid: 2
Ngid: 0
Pid: 2
PPid: 0

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
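Added example, not part of the original message or of the kernel source: once output from the pr_info() line requested above has been captured, a short Python script can tally it per caller and request type to show which process is driving audit_send_reply(). It assumes the line sits in a function whose name starts with `audit_`, that the capture is dmesg-style text, and it runs on constructed sample lines.

```python
import re
from collections import Counter

# Request types the message lists as reaching audit_send_reply();
# numeric values are from include/uapi/linux/audit.h.
AUDIT_TYPES = {1000: "AUDIT_GET", 1010: "AUDIT_SIGNAL_INFO",
               1016: "AUDIT_TTY_GET", 1019: "AUDIT_GET_FEATURE"}

# Matches "<func> <comm>:<pid> type=<n>" at the end of a kernel log line.
# comm can itself contain spaces or colons (e.g. "kworker/0:1"), so pid and
# type are anchored to the end of the line and comm takes what lies between.
LINE_RE = re.compile(
    r"(?P<func>audit_\w+) (?P<comm>.+):(?P<pid>\d+) type=(?P<type>\d+)\s*$")

def parse_line(line):
    """Return (func, comm, pid, type) or None for unrelated log lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m["func"], m["comm"], int(m["pid"]), int(m["type"])

def tally(lines):
    """Count calls per (comm, pid, request type name)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            _, comm, pid, type_ = rec
            name = AUDIT_TYPES.get(type_, f"type {type_}")
            counts[(comm, pid, name)] += 1
    return counts

# Constructed sample capture (process names and PIDs are made up).
SAMPLE = """\
[  812.100001] audit_send_reply auditctl:4311 type=1000
[  812.100950] audit_send_reply my agent:4400 type=1010
[  812.101200] audit: type=1305 audit(1683720000.123:45): op=set audit_pid=700
[  812.101777] audit_send_reply my agent:4400 type=1010
[  812.102300] audit_send_reply kworker/0:1:37 type=1019
[  812.103010] audit_send_reply my agent:4400 type=1000
""".splitlines()

if __name__ == "__main__":
    for (comm, pid, name), n in tally(SAMPLE).most_common():
        print(f"{n:6d}  {comm}[{pid}]  {name}")
```
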