Public bug reported:

SRU Justification

[Impact]
When an admin enables audit at early boot via the "audit=1" kernel
command line the audit queue behavior is slightly different; the
audit subsystem goes to greater lengths to avoid dropping records,
which unfortunately can result in problems when the audit daemon is
forcibly stopped for an extended period of time.

[Fix]
upstream discussion:
https://lore.kernel.org/all/cahc9vhqgx070poxzk_pusawgzppdqvpezvfybse2dnryrbw...@mail.gmail.com/T/
upstream commit:
f26d04331360d42dbd6b58448bd98e4edbfbe1c5

[Test]
configurations:
    auditctl -b 64
    auditctl --backlog_wait_time 60000
    auditctl -r 0
    auditctl -w /root/aaa  -p wrx
shell scripts:
    #!/bin/bash
    i=0
    while [ $i -le 66 ]
    do
        touch /root/aaa
        let i++
    done
mandatory conditions:
    add "audit=1" to the cmdline, and kill -19 pid_number (for /sbin/auditd).

As long as we keep the audit_hold_queue non-empty, flushing the hold queue
will fall into an infinite loop.

This could also trigger a soft lockup when it drops into the infinite loop, e.g.:
kernel: [   94.186433] watchdog: BUG: soft lockup - CPU#2 stuck for 11s! [kauditd:34]
kernel: [   94.187736] Modules linked in: xfs iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack libcrc32c iptable_filter isofs xt_cgroup xt_tcpudp iptable_mangle ip_tables x_tables sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 ppdev crypto_simd glue_helper joydev vmwgfx ttm cryptd vmw_balloon drm_kms_helper intel_rapl_perf input_leds psmouse drm fb_sys_fops syscopyarea vmxnet3 sysfillrect parport_pc parport mac_hid shpchp i2c_piix4 vmw_vsock_vmci_transport vsock sysimgblt vmw_vmci serio_raw mptspi mptscsih mptbase scsi_transport_spi pata_acpi floppy autofs4
kernel: [   94.187757] CPU: 2 PID: 34 Comm: kauditd Not tainted 4.15.0-171-generic #180~16.04.1-Ubuntu
kernel: [   94.187757] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
kernel: [   94.187800]  skb_queue_head+0x47/0x50
kernel: [   94.187803]  kauditd_rehold_skb+0x18/0x20
kernel: [   94.187805]  kauditd_send_queue+0xcd/0x100
kernel: [   94.187806]  ? kauditd_retry_skb+0x20/0x20
kernel: [   94.187808]  ? kauditd_send_multicast_skb+0x80/0x80
kernel: [   94.187809]  kauditd_thread+0xa7/0x240
kernel: [   94.187812]  ? wait_woken+0x80/0x80
kernel: [   94.187815]  kthread+0x105/0x140
kernel: [   94.187817]  ? auditd_reset+0x90/0x90
kernel: [   94.187818]  ? kthread_bind+0x40/0x40
kernel: [   94.187820]  ret_from_fork+0x35/0x40
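
Added example (not part of the original report): a Python check that scans kernel log text for the soft-lockup signature in the trace above, i.e. kauditd as the stuck task with kauditd_rehold_skb called from kauditd_send_queue. The sample log is constructed in the format of that trace, and the names parse_lockups and is_hold_queue_loop are hypothetical.

```python
import re

# Constructed sample in the format of the trace above (second event is unrelated).
SAMPLE_LOG = """\
kernel: [   94.186433] watchdog: BUG: soft lockup - CPU#2 stuck for 11s! [kauditd:34]
kernel: [   94.187757] CPU: 2 PID: 34 Comm: kauditd Not tainted 4.15.0-171-generic
kernel: [   94.187800]  skb_queue_head+0x47/0x50
kernel: [   94.187803]  kauditd_rehold_skb+0x18/0x20
kernel: [   94.187805]  kauditd_send_queue+0xcd/0x100
kernel: [   94.187806]  ? kauditd_retry_skb+0x20/0x20
kernel: [   94.187809]  kauditd_thread+0xa7/0x240
kernel: [  120.000001] watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [kworker/0:1:57]
kernel: [  120.000120]  process_one_work+0x1de/0x410
kernel: [  120.000125]  worker_thread+0x32/0x410
"""

LOCKUP = re.compile(r"\[\s*(\d+\.\d+)\] watchdog: BUG: soft lockup - "
                    r"CPU#(\d+) stuck for (\d+)s! \[(.+):(\d+)\]")
FRAME = re.compile(r"\[\s*\d+\.\d+\]\s+(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Call chain from the report, innermost first; "?" frames are unreliable and skipped.
SIGNATURE = ["kauditd_rehold_skb", "kauditd_send_queue", "kauditd_thread"]


def parse_lockups(text):
    """Group kernel log lines into soft-lockup events with their reliable stack frames."""
    events = []
    for line in text.splitlines():
        m = LOCKUP.search(line)
        if m:
            events.append({"time": float(m.group(1)), "cpu": int(m.group(2)),
                           "secs": int(m.group(3)), "comm": m.group(4),
                           "pid": int(m.group(5)), "frames": []})
            continue
        f = FRAME.search(line)
        if f and events and not f.group(1):
            events[-1]["frames"].append(f.group(2))
    return events


def is_hold_queue_loop(event):
    """True if kauditd is the stuck task and the signature appears in order in its stack."""
    frames = iter(event["frames"])
    return event["comm"] == "kauditd" and all(s in frames for s in SIGNATURE)


if __name__ == "__main__":
    for ev in parse_lockups(SAMPLE_LOG):
        verdict = "kauditd hold-queue loop" if is_hold_queue_loop(ev) else "other"
        print(f"t={ev['time']} cpu={ev['cpu']} {ev['comm']}[{ev['pid']}] {ev['secs']}s: {verdict}")
```
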

[Other Info]
SF: #00330803

** Affects: linux (Ubuntu)
     Importance: Critical
     Assignee: gerald.yang (gerald-yang-tw)
         Status: In Progress

** Affects: linux (Ubuntu Bionic)
     Importance: Critical
     Assignee: gerald.yang (gerald-yang-tw)
         Status: In Progress

** Affects: linux (Ubuntu Focal)
     Importance: Critical
     Assignee: gerald.yang (gerald-yang-tw)
         Status: In Progress

** Affects: linux (Ubuntu Impish)
     Importance: Critical
     Assignee: gerald.yang (gerald-yang-tw)
         Status: In Progress

** Affects: linux (Ubuntu Jammy)
     Importance: Critical
     Assignee: gerald.yang (gerald-yang-tw)
         Status: In Progress


** Tags: sts

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => gerald.yang (gerald-yang-tw)

** Changed in: linux (Ubuntu)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu)
       Status: New => In Progress

https://bugs.launchpad.net/bugs/1965723

Title:
  audit: improve audit queue handling when "audit=1" on cmdline
