some logs about the issue // Re: Flush the hold queue fall into an infinite loop.

[  257.972293] CPU: 79 PID: 550 Comm: kauditd Kdump: loaded Tainted: G           OE    --------- -t - 4.18.0-147.5.2.5.h781.eulerosv2r10.x86_64 #1 [  257.972294] Hardware name: Huawei CH121 V5/IT11SPCA1, BIOS 7.93 01/14/2021 [  257.972295] Call Trace: [  257.972297]  <IRQ> [  257.972307]  dump_stack+0x6f/0xab [  257.972314]  watchdog_timer_fn+0x222/0x2e0 [  257.972316]  ? watchdog+0x50/0x50 [  257.972322]  __hrtimer_run_queues+0x125/0x2f0 [  257.972326]  ? recalibrate_cpu_khz+0x10/0x10 [  257.972329]  hrtimer_interrupt+0xe5/0x240 [  257.972331]  ? sched_clock+0x5/0x10 [  257.972334]  smp_apic_timer_interrupt+0x6a/0x130 [  257.972336]  apic_timer_interrupt+0xf/0x20 [  257.972337]  </IRQ> [  257.972341] RIP: 0010:_raw_spin_unlock_irqrestore+0x11/0x20 [  257.972343] Code: ff ff 7f 5b 44 89 e8 5d 41 5c 41 5d c3 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 c6 07 00 0f 1f 40 00 48 89 f7 57 9d <0f> 1f 44 00 00 c3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 c6 07 [  257.972344] RSP: 0018:ffffb7d90e2d3e38 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 [  257.972347] RAX: 0000000000000286 RBX: ffff9bb017d18b00 RCX: ffff9bb017d19900 [  257.972347] RDX: ffffffff8fb8fef0 RSI: 0000000000000286 RDI: 0000000000000286 [  257.972348] RBP: ffffffff8fb8fef0 R08: 000000000002b3a0 R09: ffffffff8e7829a2 [  257.972349] R10: ffffd9126778fa00 R11: 00000000000f4240 R12: ffffffff8fb8ff04 [  257.972350] R13: 0000000000000000 R14: ffff9bb017d18bf4 R15: ffff9bb017d18b00 [  257.972356]  ? netlink_attachskb+0xb2/0x1d0 [  257.972362]  skb_dequeue+0x57/0x70 [  257.972367]  kauditd_send_queue+0x37/0x100 [  257.972369]  ? kauditd_retry_skb+0x20/0x20 [  257.972370]  ? kauditd_send_multicast_skb+0x90/0x90 [  257.972372]  kauditd_thread+0xa5/0x230 [  257.972377]  ? finish_wait+0x80/0x80 [  257.972378]  ? auditd_reset+0x90/0x90 [  257.972381]  kthread+0x10d/0x130 [  257.972383]  ? kthread_flush_work_fn+0x10/0x10 [  257.972385]  ret_from_fork+0x35/0x40 [  269.972020] Sample cputime: 3999999736 ns(HZ: 1000) [  269.972022] Sample cpurate: 0 us, 3984966800 sy, 0 ni, 0 id, 0 wa, 15034536 hi, 0 si, 0 st [  269.972023] Sample softirq: [  269.972023] Sample hardirq: [  269.972232]         no hard irqs found. [  269.972233] watchdog: BUG: soft lockup - CPU#79 stuck for 22s! [kauditd:550]

When we add "audit=1" to the cmdline, kauditd will take up 100% cpu resource.As follows: configurations: auditctl -b 64 auditctl --backlog_wait_time 60000 auditctl -r 0 auditctl -w /root/aaa  -p wrx shell scripts： #!/bin/bash i=0 while [ $i -le 66 ] do touch /root/aaa let i++ done mandatory conditions: add "audit=1" to the cmdline, and kill -19 pid_number(for /sbin/auditd). As long as we keep the audit_hold_queue non-empty, flush the hold queue will fall into an infinite loop. > 713 static int kauditd_send_queue(struct sock *sk, u32 portid, >  714                               struct sk_buff_head *queue, >  715                               unsigned int retry_limit, >  716                               void (*skb_hook)(struct sk_buff *skb), >  717                               void (*err_hook)(struct sk_buff *skb)) >  718 { >  719         int rc = 0; >  720         struct sk_buff *skb; >  721         unsigned int failed = 0; >  722 >  723         /* NOTE: kauditd_thread takes care of all our locking, > we just use >  724          *       the netlink info passed to us (e.g. sk and > portid) */ >  725 >  726         while ((skb = skb_dequeue(queue))) { >  727                 /* call the skb_hook for each skb we touch */ >  728                 if (skb_hook) >  729                         (*skb_hook)(skb); >  730 >  731                 /* can we send to anyone via unicast? */ >  732                 if (!sk) { >  733                         if (err_hook) >  734                                 (*err_hook)(skb); >  735                         continue; >  736                 } >  737 >  738 retry: >  739                 /* grab an extra skb reference in case of error */ >  740                 skb_get(skb); >  741                 rc = netlink_unicast(sk, skb, portid, 0); >  742                 if (rc < 0) { >  743                         /* send failed - try a few times unless > fatal error */ >  744                         if (++failed >= retry_limit || >  745                             rc == -ECONNREFUSED || rc == -EPERM) { >  746                                 sk = NULL; >  747                                 if (err_hook) >  748                                         (*err_hook)(skb); >  749                                 if (rc == -EAGAIN) >  750                                         rc = 0; >  751                                 /* continue to drain the queue */ >  752                                 continue; >  753                         } else >  754                                 goto retry; >  755                 } else { >  756                         /* skb sent - drop the extra reference > and continue */ >  757                         consume_skb(skb); >  758                         failed = 0; >  759                 } >  760         } >  761 >  762         return (rc >= 0 ? 0 : rc); >  763 } When kauditd attempt to flush the hold queue, the queue parameter is &audit_hold_queue, and if netlink_unicast(line 741 ) return -EAGAIN, sk will be NULL(line 746), so err_hook(kauditd_rehold_skb) will be call. Then continue, skb_dequeue(line 726) and err_hook(kauditd_rehold_skb,line 733) will fall into an infinite loop. I don't really understand the value of audit_hold_queue, can we remove it, or stop droping the logs into kauditd_rehold_skb when the auditd is abnormal? Look forward your reply. Thank you very much. Gaosheng.