1

Is there a way to find which of the kernel modules printed the message to the kernel log? We see a few new entries in dmesg output and I am trying to figure out which module they came from. The following are the entries I see.

kern  :err   : [Wed Sep  9 19:45:46 2020] RbTreeInsert: duplicated object
kern  :err   : [Wed Sep  9 19:45:46 2020] CreateNewUid: failed to insert to IdTree
kern  :err   : [Thu Sep 10 02:27:15 2020] RbTreeInsert: duplicated object
kern  :err   : [Thu Sep 10 02:27:15 2020] CreateNewUid: failed to insert to IdTree
kern  :err   : [Thu Sep 10 03:22:04 2020] RbTreeInsert: duplicated object

P.S. The Red Hat portal has an unverified statement stating this came from an AV agent that we have installed. I am trying to confirm it.

Sreeraj

1 Answer

3

I expect the function names (or whatever they are), RbTreeInsert and CreateNewUid, to appear as-is in the module binary. Thus, if your modules are uncompressed,

grep -r RbTreeInsert /lib/modules/$(uname -r)

will tell you which module contains the message, or, if they are compressed,

find /lib/modules/$(uname -r) -name \*.ko.xz -exec xzgrep RbTreeInsert {} +

(adjusting as necessary depending on the compression tool used).

I’m confident those messages don’t come from the Linux kernel itself or any modules shipped with it.

Stephen Kitt
  • Thank you. I did think of that, but did not actually do it. Now I did it, and there it is: the suspected module. – Sreeraj Sep 11 '20 at 07:45
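
The search from the answer above, generalized into one function as an added example (not part of the original answer): it picks the decompressor from each module's suffix and prints every module file that contains the string. The name `find_log_origin` and the optional directory argument are assumptions made for this sketch; the directory argument is there because a third-party agent may keep its module outside `/lib/modules`.

```shell
#!/bin/sh
# Added example; find_log_origin is a hypothetical helper name.
# Usage: find_log_origin STRING [MODULE_DIR]
# Prints the path of each module file whose contents contain STRING.
find_log_origin() {
    needle=$1
    dir=${2:-/lib/modules/$(uname -r)}

    find "$dir" -type f \( -name '*.ko' -o -name '*.ko.xz' \
                        -o -name '*.ko.gz' -o -name '*.ko.zst' \) |
    while IFS= read -r mod; do
        # Choose how to read the file based on its compression suffix.
        case $mod in
            *.ko.xz)  tool='xz -dc' ;;
            *.ko.gz)  tool='gzip -dc' ;;
            *.ko.zst) tool='zstd -dcq' ;;
            *)        tool='cat' ;;
        esac

        # Do not silently miss modules when a decompressor is not installed.
        if ! command -v "${tool%% *}" >/dev/null 2>&1; then
            echo "skipped (no ${tool%% *}): $mod" >&2
            continue
        fi

        # -F: fixed string, -q: only the exit status matters.
        # LC_ALL=C keeps grep from choking on non-text bytes in the binary.
        if $tool -- "$mod" 2>/dev/null | LC_ALL=C grep -qF -- "$needle"; then
            printf '%s\n' "$mod"
        fi
    done
}

# When run as a script with arguments, pass them straight through, e.g.
#   sh find_log_origin.sh RbTreeInsert
if [ "$#" -gt 0 ]; then
    find_log_origin "$@"
fi
```

A match under `extra/`, `updates/` or a vendor directory, rather than under `kernel/`, is consistent with the answer's point that the message does not come from a module shipped with the kernel.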