Bug 435329 - [RHEL5.2] audit tests cause oom-kills
[RHEL5.2] audit tests cause oom-kills
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit (Show other bugs)
All Linux
high Severity high
: rc
: ---
Assigned To: Steve Grubb
Brian Brock
: Regression, TestBlocker
: 436810 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2008-02-28 13:55 EST by Don Zickus
Modified: 2008-05-21 10:32 EDT (History)
3 users (show)

See Also:
Fixed In Version: RHEA-2008-0358
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-05-21 10:32:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Don Zickus 2008-02-28 13:55:39 EST
Description of problem:
running the standard audit tests against the beta kernels, we noticed oom-kills
that were not present in U1.

Running the tests manually, we can see audispd eats 100% of the cpu and 90% of
memory within seconds of kicking off the tests.

Sample console output.

Version-Release number of selected component (if applicable):
RHEL5.2-Server-20080225.2 distro
/kernel/security/audit/audit-test-2088 - audit tests

How reproducible:

Steps to Reproduce:
1.grab a RHEL-5 box with U2 installed and run the above audit testsuite
2.run top to notice the adverse cpu/memory conditions
3.check dmesg for the oom-kills after about 10 minutes
Actual results:
oom-kills (about 4)

Expected results:
no oom-kills

Additional info:
On the same machine with a U1 distro and the same kernel, we did _not_ see
oom-kills.  Upgrading to a U2 distro causes oom-kills
Comment 1 Steve Grubb 2008-03-03 15:59:22 EST
OK, I think I found the memory leak. I think you hit this when the internal
queue for audispd is max'ed out. From then on you potentially leak memory.
Comment 7 Steve Grubb 2008-03-04 17:54:45 EST
audit-1.6.5-3 was built to resolve this bug.
Comment 9 Eduard Benes 2008-03-05 10:35:59 EST
Observed the oom-kills also in the failed results for these two audit test-

RHTS job:
Comment 11 Steve Grubb 2008-03-14 11:01:32 EDT
ok, I found the culprit. Audispd was not detecting end of file when auditd
exited, closing the comm pipe, and it was still reading stdin. Each read
allocates memory. audit-1.6.5-4.el5 was built to re-address this problem.
Comment 12 Steve Grubb 2008-03-14 11:03:38 EDT
*** Bug 436810 has been marked as a duplicate of this bug. ***
Comment 13 Jeff Burke 2008-03-14 17:33:44 EDT
Tested with RHEL5.2-Server-20080306.0 + audit-1.6.5-4.el5 and the
audit-test-2088 syscalls test did not report any OOM-Kills.
Comment 16 errata-xmlrpc 2008-05-21 10:32:50 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.