435329 – [RHEL5.2] audit tests cause oom-kills

Bug 435329 - [RHEL5.2] audit tests cause oom-kills

Summary: [RHEL5.2] audit tests cause oom-kills

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	audit
Sub Component:
Version:	5.2
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Steve Grubb
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	436810 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-02-28 18:55 UTC by Don Zickus
Modified:	2008-05-21 14:32 UTC (History)
CC List:	3 users (show)
Fixed In Version:	RHEA-2008-0358
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-05-21 14:32:50 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2008:0358	0	normal	SHIPPED_LIVE	audit enhancement and bug fix update	2008-05-20 12:47:07 UTC

Description Don Zickus 2008-02-28 18:55:39 UTC

Description of problem:
running the standard audit tests against the beta kernels, we noticed oom-kills
that were not present in U1.

Running the tests manually, we can see audispd eats 100% of the cpu and 90% of
memory within seconds of kicking off the tests.

Sample console output.
http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=2046108
http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=2046150
http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=2046183

Version-Release number of selected component (if applicable):
RHEL5.2-Server-20080225.2 distro
kernel-2.6.18-83.el5
/kernel/security/audit/audit-test-2088 - audit tests

How reproducible:
very

Steps to Reproduce:
1.grab a RHEL-5 box with U2 installed and run the above audit testsuite
2.run top to notice the adverse cpu/memory conditions
3.check dmesg for the oom-kills after about 10 minutes
  
Actual results:
oom-kills (about 4)

Expected results:
no oom-kills

Additional info:
On the same machine with a U1 distro and the same kernel, we did _not_ see
oom-kills.  Upgrading to a U2 distro causes oom-kills

Comment 1 Steve Grubb 2008-03-03 20:59:22 UTC

OK, I think I found the memory leak. I think you hit this when the internal
queue for audispd is max'ed out. From then on you potentially leak memory.

Comment 7 Steve Grubb 2008-03-04 22:54:45 UTC

audit-1.6.5-3 was built to resolve this bug.

Comment 9 Eduard Benes 2008-03-05 15:35:59 UTC

Observed the oom-kills also in the failed results for these two audit test-
suites:
  /kernel/security/audit/audit-test-1195
  /kernel/security/audit/audit-test-1212

RHTS job:
  http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=16883

Comment 11 Steve Grubb 2008-03-14 15:01:32 UTC

ok, I found the culprit. Audispd was not detecting end of file when auditd
exited, closing the comm pipe, and it was still reading stdin. Each read
allocates memory. audit-1.6.5-4.el5 was built to re-address this problem.

Comment 12 Steve Grubb 2008-03-14 15:03:38 UTC

*** Bug 436810 has been marked as a duplicate of this bug. ***

Comment 13 Jeff Burke 2008-03-14 21:33:44 UTC

Tested with RHEL5.2-Server-20080306.0 + audit-1.6.5-4.el5 and the
audit-test-2088 syscalls test did not report any OOM-Kills.

Comment 16 errata-xmlrpc 2008-05-21 14:32:50 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2008-0358.html

Note You need to log in before you can comment on or make changes to this bug.