• Eric Paris's avatar
    audit: preface audit printk with audit · 449cedf0
    Eric Paris authored
    There have been a number of reports of people seeing the message:
    "name_count maxed, losing inode data: dev=00:05, inode=3185"
    in dmesg.  These usually lead to people reporting problems to the filesystem
    group who are in turn clueless what they mean.
    
    Eventually someone finds me and I explain what is going on and that
    these come from the audit system.  The basics of the problem is that the
    audit subsystem never expects a single syscall to 'interact' (for some
    wish washy meaning of interact) with more than 20 inodes.  But in fact
    some operations like loading kernel modules can cause changes to lots of
    inodes in debugfs.
    
    There are a couple real fixes being bandied about including removing the
    fixed compile time limit of 20 or not auditing changes in debugfs (or
    both) but neither are small and obvious so I am not sending them for
    immediate inclusion (I hope Al forwards a real solution next devel
    window).
    
    In the meantime this patch simply adds 'audit' to the beginning of the
    crap message so if a user sees it, they come blame me first and we can
    talk about what it means and make sure we understand all of the reasons
    it can happen and make sure this gets solved correctly in the long run.
    Signed-off-by: default avatarEric Paris <eparis@redhat.com>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    449cedf0
auditsc.c 66 KB