Description of problem: running the standard audit tests against the beta kernels, we noticed oom-kills that were not present in U1. Running the tests manually, we can see audispd eats 100% of the cpu and 90% of memory within seconds of kicking off the tests. Sample console output. http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=2046108 http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=2046150 http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=2046183 Version-Release number of selected component (if applicable): RHEL5.2-Server-20080225.2 distro kernel-2.6.18-83.el5 /kernel/security/audit/audit-test-2088 - audit tests How reproducible: very Steps to Reproduce: 1.grab a RHEL-5 box with U2 installed and run the above audit testsuite 2.run top to notice the adverse cpu/memory conditions 3.check dmesg for the oom-kills after about 10 minutes Actual results: oom-kills (about 4) Expected results: no oom-kills Additional info: On the same machine with a U1 distro and the same kernel, we did _not_ see oom-kills. Upgrading to a U2 distro causes oom-kills
OK, I think I found the memory leak. I think you hit this when the internal queue for audispd is max'ed out. From then on you potentially leak memory.
audit-1.6.5-3 was built to resolve this bug.
Observed the oom-kills also in the failed results for these two audit test- suites: /kernel/security/audit/audit-test-1195 /kernel/security/audit/audit-test-1212 RHTS job: http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=16883
ok, I found the culprit. Audispd was not detecting end of file when auditd exited, closing the comm pipe, and it was still reading stdin. Each read allocates memory. audit-1.6.5-4.el5 was built to re-address this problem.
*** Bug 436810 has been marked as a duplicate of this bug. ***
Tested with RHEL5.2-Server-20080306.0 + audit-1.6.5-4.el5 and the audit-test-2088 syscalls test did not report any OOM-Kills.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2008-0358.html