Red Hat Bugzilla – Bug 435329
[RHEL5.2] audit tests cause oom-kills
Last modified: 2008-05-21 10:32:50 EDT
Description of problem:
running the standard audit tests against the beta kernels, we noticed oom-kills
that were not present in U1.
Running the tests manually, we can see audispd eats 100% of the cpu and 90% of
memory within seconds of kicking off the tests.
Sample console output.
Version-Release number of selected component (if applicable):
/kernel/security/audit/audit-test-2088 - audit tests
Steps to Reproduce:
1.grab a RHEL-5 box with U2 installed and run the above audit testsuite
2.run top to notice the adverse cpu/memory conditions
3.check dmesg for the oom-kills after about 10 minutes
oom-kills (about 4)
On the same machine with a U1 distro and the same kernel, we did _not_ see
oom-kills. Upgrading to a U2 distro causes oom-kills
OK, I think I found the memory leak. I think you hit this when the internal
queue for audispd is max'ed out. From then on you potentially leak memory.
audit-1.6.5-3 was built to resolve this bug.
Observed the oom-kills also in the failed results for these two audit test-
ok, I found the culprit. Audispd was not detecting end of file when auditd
exited, closing the comm pipe, and it was still reading stdin. Each read
allocates memory. audit-1.6.5-4.el5 was built to re-address this problem.
*** Bug 436810 has been marked as a duplicate of this bug. ***
Tested with RHEL5.2-Server-20080306.0 + audit-1.6.5-4.el5 and the
audit-test-2088 syscalls test did not report any OOM-Kills.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.