ACK: [SRU][N/P/Q][PATCH 0/1] UBUNTU: SAUCE: memory leaks when configuring a small rate limit in audit
Wen-chien Jesse Sung
jesse.sung at canonical.com
Thu Sep 11 14:41:42 UTC 2025
Gerald Yang <gerald.yang at canonical.com> writes:
> BugLink: https://bugs.launchpad.net/bugs/2122554
>
> [Impact]
>
> When the audit rate limit is exceeded, memory starts leaking; this can be observed by:
> watch -d -n 1 'grep -i SUnreclaim /proc/meminfo'
>
> Unreclaimable slab grows rapidly and leads to running out of all available memory.
> Only a reboot can recover it.
>
> The 5.15 kernel doesn't have this issue; it was introduced later than the 5.19 kernel,
> and is caused by the LSM stacking code.
>
> [Fix]
>
> This upstream patch fixes the issue:
> https://lore.kernel.org/audit/ea31a17a30e6bb284168353606436752@paul-moore.com/T/#t
>
> and is merged into the maintainer's tree:
> https://github.com/linux-audit/audit-kernel/commit/d2c773159327f4d2f6438acf1ae2ae9ac0ca46a9
>
> [Test Plan]
>
> Add the following line to set a small rate limit in /etc/audit/rules.d/audit.rules:
> -a always,exit -F arch=b64 -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -r 100
>
> Trigger permission denied by running the following command as a normal user:
> while :; do cat /proc/1/environ; done
>
> Make sure we see the warning message in kernel log:
> [ 2531.862184] audit: rate limit exceeded
>
> [Where problems could occur]
>
> Originally the skb is leaked and no one is able to process or free it anymore.
> The above patch just frees the leaking skb when the rate limit is exceeded;
> there won't be any additional impact.
>
> [ Other Info ]
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730
>
> Gerald Yang (1):
> audit: fix skb leak when audit rate limit is exceeded
>
> kernel/audit.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> --
> 2.43.0
>
Acked-by: Wen-chien Jesse Sung <jesse.sung at canonical.com>
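
The [Test Plan] quoted above checks SUnreclaim by eye with `watch`. As an added example (not part of the patch or of this thread), the helper below turns that observation into a repeatable check; the function names and the 51200 kB threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Function names and the 51200 kB threshold are assumptions.

# Print the SUnreclaim value (kB) from a meminfo-format file.
sunreclaim_kb() {
    awk '$1 == "SUnreclaim:" { print $2; found = 1 }
         END { exit !found }' "${1:-/proc/meminfo}"
}

# sample_slab COUNT INTERVAL [FILE]: print COUNT readings, one per line.
sample_slab() {
    n=$1
    while [ "$n" -gt 0 ]; do
        sunreclaim_kb "${3:-/proc/meminfo}" || return 1
        n=$((n - 1))
        if [ "$n" -gt 0 ]; then sleep "$2"; fi
    done
}

# slab_verdict THRESHOLD_KB SAMPLE SAMPLE...
# Prints "leak-suspected" when net growth exceeds the threshold and more
# than half of the steps rise; prints "stable" otherwise.
slab_verdict() {
    threshold=$1; shift
    [ "$#" -ge 2 ] || return 2
    first=$1; prev=$1; rises=0; steps=0
    shift
    for s in "$@"; do
        steps=$((steps + 1))
        if [ "$s" -gt "$prev" ]; then rises=$((rises + 1)); fi
        prev=$s
    done
    if [ $((prev - first)) -gt "$threshold" ] && [ $((rises * 2)) -gt "$steps" ]; then
        echo leak-suspected
    else
        echo stable
    fi
}

# Constructed readings (kB), not measurements from an affected host.
slab_verdict 51200 511144 560000 640000 720000
```

On a live system, run `slab_verdict 51200 $(sample_slab 30 1)` while the Test Plan loop is running and "audit: rate limit exceeded" appears in the kernel log. A kernel carrying the fix should report `stable`.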