Ubuntu
linux package

memory leaks when configuring a small rate limit in audit

  1. Plucky (25.04)
  2. Bug #2122554
Bug #2122554 reported by gerald.yang
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
High
gerald.yang
Noble
Fix Committed
High
gerald.yang
Plucky
Fix Committed
High
gerald.yang
Questing
Fix Released
High
gerald.yang

Bug Description

[Impact]

When the audit rate limit is exceeded, memory starts leaking, this can be observed by:
watch -d -n 1 grep -i SUnreclaim' /proc/meminfo

Unreclaimable slab grows rapidly and lead to run out of all available memory
Only reboot can recover it.

5.15 kernel doesn't have this issue, it's introduced later than 5.19 kernel,
and caused by LSM stacking code.

[Fix]

This upstream patch fixes the issue:
https://<email address hidden>/T/#t

and merged into maintainer's tree:
https://github.com/linux-audit/audit-kernel/commit/d2c773159327f4d2f6438acf1ae2ae9ac0ca46a9

[Test Plan]

Add the following line to set a small rate limit in /etc/audit/rules.d/audit.rules:
-a always,exit -F arch=b64 -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -r 100

Trigger permission denied by running the following command as a normal user:
while :; do cat /proc/1/environ; done

Make sure we see the warning message in kernel log:
[ 2531.862184] audit: rate limit exceeded

[Where problems could occur]

Originally the skb is leak and no one is able to process or free it anymore.
The above patch just frees the leaking skb when rate limit is exceeded,
there won't be any additional impact.

[ Other Info ]
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730

See original description
gerald.yang (gerald-yang-tw)
Changed in linux (Ubuntu):
importance: Undecided → High
status: New → In Progress
assignee: nobody → gerald.yang (gerald-yang-tw)
Changed in linux (Ubuntu Noble):
status: New → In Progress
Changed in linux (Ubuntu Plucky):
status: New → In Progress
Changed in linux (Ubuntu Noble):
importance: Undecided → High
Changed in linux (Ubuntu Plucky):
importance: Undecided → High
Changed in linux (Ubuntu Noble):
assignee: nobody → gerald.yang (gerald-yang-tw)
Changed in linux (Ubuntu Plucky):
assignee: nobody → gerald.yang (gerald-yang-tw)
gerald.yang (gerald-yang-tw)
description: updated
gerald.yang (gerald-yang-tw)
description: updated
gerald.yang (gerald-yang-tw)
Changed in linux (Ubuntu Noble):
importance: High → Critical
Changed in linux (Ubuntu Plucky):
importance: High → Critical
Changed in linux (Ubuntu Questing):
importance: High → Critical
Ubuntu Kernel Bot (ubuntu-kernel-bot)
tags: added: kernel-daily-bug
Stefan Bader (smb)
Changed in linux (Ubuntu Noble):
importance: Critical → High
Changed in linux (Ubuntu Plucky):
importance: Critical → High
Changed in linux (Ubuntu Questing):
importance: Critical → High
status: In Progress → Fix Committed
Changed in linux (Ubuntu Noble):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Plucky):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/6.14.0-34.34 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-plucky-linux' to 'verification-done-plucky-linux'. If the problem still exists, change the tag 'verification-needed-plucky-linux' to 'verification-failed-plucky-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-plucky-linux-v2 verification-needed-plucky-linux
Revision history for this message
gerald.yang (gerald-yang-tw) wrote :

I've verified the issue on 6.14.0-34 from plucky-proposed:
uname -a
Linux memleak-p 6.14.0-34-generic #34-Ubuntu SMP PREEMPT_DYNAMIC Wed Sep 17 09:21:29 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

This issue can not be reproduced anymore, unreclaimable slab doesn't increase when running:
while :; do cat /proc/1/environ; done

tags: added: verification-done-plucky-linux
removed: verification-needed-plucky-linux
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (4.8 KiB)

This bug was fixed in the package linux - 6.17.0-5.5

---------------
linux (6.17.0-5.5) questing; urgency=medium

  * questing/linux: 6.17.0-5.5 -proposed tracker (LP: #2125319)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log
    - [Packaging] debian.master/dkms-versions -- update from kernel-versions
      (main/d2025.09.22)

  * [SRU] Failed to create source package: Unmet build dependencies:
    bpftool:native (LP: #2122310)
    - [Packaging] fix build profile spec for bpftool

  * UBUNTU: fan: fail to check kmalloc() return could cause a NULL pointer
    dereference (LP: #2125053)
    - SAUCE: fan: vxlan: check memory allocation for map

  * iproute2 breaking netplan DEP-8 tests in Questing, unexpected "fan-map" in
    JSON output (LP: #2124257)
    - SAUCE: fan: don't enforce a specific enum value for IFLA_VXLAN_FAN_MAP

  * memory leaks when configuring a small rate limit in audit (LP: #2122554)
    - SAUCE: audit: fix skb leak when audit rate limit is exceeded

  * Support AMD Image Signal Processing (ISP) unit V4.0 (LP: #2110092)
    - SAUCE: media: platform: amd: Introduce amd isp4 capture driver
    - SAUCE: media: platform: amd: low level support for isp4 firmware
    - SAUCE: media: platform: amd: Add isp4 fw and hw interface
    - SAUCE: media: platform: amd: isp4 subdev and firmware loading handling
      added
    - SAUCE: media: platform: amd: isp4 video node and buffers handling added
    - SAUCE: media: platform: amd: isp4 debug fs logging and more descriptive
      errors
    - SAUCE: Documentation: add documentation of AMD isp 4 driver
    - [Config] Enable AMD_ISP4

  * 25.10 Snapdragon X Elite: Sync concept kernel changes (LP: #2121477)
    - phy: qcom: qmp-combo: Rename 'mode' to 'phy_mode'
    - phy: qcom: qmp-combo: store DP phy power state
    - phy: qcom: qmp-combo: introduce QMPPHY_MODE
    - phy: qcom: qmp-combo: register a typec mux to change the QMPPHY_MODE
    - arm64: dts: qcom: x1e80100-crd: Add USB multiport fingerprint reader
    - dt-bindings: arm: qcom: Add Dell Latitude 7455
    - dt-bindings: display: panel: samsung,atna40cu11: document ATNA40CU11
    - dt-bindings: display: panel: samsung,atna40ct06: document ATNA40CT06
    - drm/panel-edp: Add BOE NV140WUM-N64
    - arm64: dts: qcom: x1-crd: Enable HBR3 on external DPs
    - SAUCE: drm/dp: drm_edp_backlight_set_level: do not always send 3-byte
      commands
    - SAUCE: drm/edp-panel: Add touchscreen panel used by Lenovo X13s
    - SAUCE: net: qrtr: mhi: synchronize qrtr and mhi preparation
    - SAUCE: arm64: dts: qcom: x1e78100-t14s-oled: add eDP panel
    - SAUCE: wip: arm64: dts: qcom: x1e80100-crd: Add WiFi/BT pwrseq
    - SAUCE: wip: arm64: dts: qcom: x1e78100-t14s: enable bluetooth
    - SAUCE: drm/dp: clamp PWM bit count to advertised MIN and MAX
      capabilities
    - SAUCE: arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default
    - SAUCE: arm64: dts: qcom: x1e80100-dell-xps13-9345: Add Left/Right
      Speakers and Tweeter
    - SAUCE: arm64: dts: qcom: x1e80100-dell-xps13-9345: enable MICs LDO
    - SAUCE: arm64: dts: qcom: x1e80100-dell-xps13-9345: Mark audio channels
      as left-right swapped
    ...

Read more...

Changed in linux (Ubuntu Questing):
status: Fix Committed → Fix Released
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/6.8.0-86.87 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux' to 'verification-done-noble-linux'. If the problem still exists, change the tag 'verification-needed-noble-linux' to 'verification-failed-noble-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-v2 verification-needed-noble-linux
Revision history for this message
gerald.yang (gerald-yang-tw) wrote :

I've verified 6.8.0-86 in noble-proposed:
uname -a
Linux memleak 6.8.0-86-generic #87-Ubuntu SMP PREEMPT_DYNAMIC Mon Sep 22 18:03:36 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

With this kernel, the slab leak can not be reproduced anymore.

tags: added: verification-done-noble-linux
removed: verification-needed-noble-linux
Revision history for this message
Marco Ferrara (mfuk) wrote :

same for me:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.2 LTS
Release: 24.04
Codename: noble

$ uname -a
Linux ispsrejh 6.8.0-86-generic #87-Ubuntu SMP PREEMPT_DYNAMIC Mon Sep 22 18:03:36 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Thanks for your great job

Revision history for this message
gerald.yang (gerald-yang-tw) wrote (last edit ):

Thanks for verifying it Marco!

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure-fde-6.8/6.8.0-1041.48~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-azure-fde-6.8' to 'verification-done-jammy-linux-azure-fde-6.8'. If the problem still exists, change the tag 'verification-needed-jammy-linux-azure-fde-6.8' to 'verification-failed-jammy-linux-azure-fde-6.8'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-azure-fde-6.8-v2 verification-needed-jammy-linux-azure-fde-6.8
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-oem-6.17/6.17.0-1004.4 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-oem-6.17' to 'verification-done-noble-linux-oem-6.17'. If the problem still exists, change the tag 'verification-needed-noble-linux-oem-6.17' to 'verification-failed-noble-linux-oem-6.17'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-oem-6.17-v2 verification-needed-noble-linux-oem-6.17
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-bluefield/6.8.0-1012.16 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-bluefield' to 'verification-done-noble-linux-bluefield'. If the problem still exists, change the tag 'verification-needed-noble-linux-bluefield' to 'verification-failed-noble-linux-bluefield'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-bluefield-v2 verification-needed-noble-linux-bluefield
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.