Bug 435329 - [RHEL5.2] audit tests cause oom-kills
Summary: [RHEL5.2] audit tests cause oom-kills
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit
Version: 5.2
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Steve Grubb
QA Contact: Brian Brock
URL:
Whiteboard:
: 436810 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-02-28 18:55 UTC by Don Zickus
Modified: 2008-05-21 14:32 UTC (History)
3 users (show)

Fixed In Version: RHEA-2008-0358
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-21 14:32:50 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2008:0358 0 normal SHIPPED_LIVE audit enhancement and bug fix update 2008-05-20 12:47:07 UTC

Description Don Zickus 2008-02-28 18:55:39 UTC
Description of problem:
running the standard audit tests against the beta kernels, we noticed oom-kills
that were not present in U1.

Running the tests manually, we can see audispd eats 100% of the cpu and 90% of
memory within seconds of kicking off the tests.

Sample console output.
http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=2046108
http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=2046150
http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=2046183

Version-Release number of selected component (if applicable):
RHEL5.2-Server-20080225.2 distro
kernel-2.6.18-83.el5
/kernel/security/audit/audit-test-2088 - audit tests

How reproducible:
very

Steps to Reproduce:
1.grab a RHEL-5 box with U2 installed and run the above audit testsuite
2.run top to notice the adverse cpu/memory conditions
3.check dmesg for the oom-kills after about 10 minutes
  
Actual results:
oom-kills (about 4)

Expected results:
no oom-kills

Additional info:
On the same machine with a U1 distro and the same kernel, we did _not_ see
oom-kills.  Upgrading to a U2 distro causes oom-kills

Comment 1 Steve Grubb 2008-03-03 20:59:22 UTC
OK, I think I found the memory leak. I think you hit this when the internal
queue for audispd is max'ed out. From then on you potentially leak memory.

Comment 7 Steve Grubb 2008-03-04 22:54:45 UTC
audit-1.6.5-3 was built to resolve this bug.

Comment 9 Eduard Benes 2008-03-05 15:35:59 UTC
Observed the oom-kills also in the failed results for these two audit test-
suites:
  /kernel/security/audit/audit-test-1195
  /kernel/security/audit/audit-test-1212

RHTS job:
  http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=16883

Comment 11 Steve Grubb 2008-03-14 15:01:32 UTC
ok, I found the culprit. Audispd was not detecting end of file when auditd
exited, closing the comm pipe, and it was still reading stdin. Each read
allocates memory. audit-1.6.5-4.el5 was built to re-address this problem.

Comment 12 Steve Grubb 2008-03-14 15:03:38 UTC
*** Bug 436810 has been marked as a duplicate of this bug. ***

Comment 13 Jeff Burke 2008-03-14 21:33:44 UTC
Tested with RHEL5.2-Server-20080306.0 + audit-1.6.5-4.el5 and the
audit-test-2088 syscalls test did not report any OOM-Kills.

Comment 16 errata-xmlrpc 2008-05-21 14:32:50 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2008-0358.html



Note You need to log in before you can comment on or make changes to this bug.