Bug 440075 - auditd memory leak (11GB in 5 minutes)
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: audit
Version: rawhide
Hardware: x86_64
OS: Linux
low
medium
Assignee: Steve Grubb
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-01 16:39 UTC by Joe Nall
Modified: 2008-04-08 20:11 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-04-08 19:37:59 UTC


Attachments
/etc/audit/audit.rules (8.82 KB, text/plain)
2008-04-01 18:03 UTC, Joe Nall
/etc/audit/auditd.conf (499 bytes, text/plain)
2008-04-01 18:04 UTC, Joe Nall

Description Joe Nall 2008-04-01 16:39:50 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9b5) Gecko/2008033120 Fedora/3.0-0.51.beta5rc2.fc9 Firefox/3.0b5

Description of problem:
auditd grew from 40m to over 12GB in a test application run

Tasks: 178 total,   2 running, 176 sleeping,   0 stopped,   0 zombie
Cpu(s): 15.3%us, 52.6%sy,  0.0%ni, 14.2%id, 14.0%wa,  0.0%hi,  4.0%si,  0.0%st
Mem:   6064320k total,  6034416k used,    29904k free,    94976k buffers
Swap:  2040244k total,  1290880k used,   749364k free,   208632k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 1874 root      17  -3 12.0g 4.6g  528 S 14.2 79.3   1:22.75 auditd

Version-Release number of selected component (if applicable):
audit-1.7-1.fc9.x86_64 

How reproducible:
Didn't try


Steps to Reproduce:
MLS/Permissive system with several daemons generating audit

Actual Results:
Rapidly increasing memory usage

Expected Results:
Stable memory usage

Additional info:

Comment 1 Joe Nall 2008-04-01 16:43:21 UTC
Sorry about the wimpy bug report. The machine was becoming very sluggish and I was worried about 
losing the browser session when the machine died.

Comment 2 Steve Grubb 2008-04-01 16:53:55 UTC
Can you give me any details about the auditd.conf file? I am curious if it was
in the shipped default config or changed in any way. Thanks.

Comment 3 Joe Nall 2008-04-01 18:03:52 UTC
Created attachment 299935
/etc/audit/audit.rules

Comment 4 Joe Nall 2008-04-01 18:04:37 UTC
Created attachment 299936
/etc/audit/auditd.conf

Comment 5 Steve Grubb 2008-04-04 21:35:20 UTC
The auditd configuration looks fairly simple. I was worried that you have email
notification turned on or something else somewhat different like exec command
kind of action.

Was there anything related to auditd in syslog that was unusual? Which glibc
was installed at the time? Have there been any recurrences?

Comment 6 Steve Grubb 2008-04-05 01:48:29 UTC
OK, I found the memory leak. It was in the End of Event code. This would only be
triggered on the 2.6.25 kernel since previous kernels do not send EOE records.
audit-1.7-3.fc9 was built to address this problem, please give it a try.

Comment 7 Steve Grubb 2008-04-08 19:37:59 UTC
I am closing this bug report as I'm pretty sure the leak I found is the one that
is causing the problems. If you find a recurrence of this, please note the
audit, kernel, and glibc versions. Thanks for reporting the problem.

Comment 8 Joe Nall 2008-04-08 20:11:04 UTC
1.7.3 fixed the memory leak for me.

