ACK/Cmnt: [SRU][N/P/Q][PATCH 0/1] UBUNTU: SAUCE: memory leaks when configuring a small rate limit in audit

Stefan Bader stefan.bader at canonical.com
Fri Sep 12 09:23:53 UTC 2025 

On 11/09/2025 10:51, Gerald Yang wrote:
> BugLink: https://bugs.launchpad.net/bugs/2122554
> 
> [Impact]
> 
> When the audit rate limit is exceeded, memory starts leaking, this can be observed by:
> watch -d -n 1 grep -i SUnreclaim' /proc/meminfo
> 
> Unreclaimable slab grows rapidly and lead to run out of all available memory
> Only reboot can recover it.
> 
> 5.15 kernel doesn't have this issue, it's introduced later than 5.19 kernel,
> and caused by LSM stacking code.
> 
> [Fix]
> 
> This upstream patch fixes the issue:
> https://lore.kernel.org/audit/ea31a17a30e6bb284168353606436752@paul-moore.com/T/#t
> 
> and merged into maintainer's tree:
> https://github.com/linux-audit/audit-kernel/commit/d2c773159327f4d2f6438acf1ae2ae9ac0ca46a9
> 
> [Test Plan]
> 
> Add the following line to set a small rate limit in /etc/audit/rules.d/audit.rules:
> -a always,exit -F arch=b64 -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -r 100
> 
> Trigger permission denied by running the following command as a normal user:
> while :; do cat /proc/1/environ; done
> 
> Make sure we see the warning message in kernel log:
> [ 2531.862184] audit: rate limit exceeded
> 
> [Where problems could occur]
> 
> Originally the skb is leak and no one is able to process or free it anymore.
> The above patch just frees the leaking skb when rate limit is exceeded,
> there won't be any additional impact.
> 
> [ Other Info ]
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730
> 
> Gerald Yang (1):
>    audit: fix skb leak when audit rate limit is exceeded
> 
>   kernel/audit.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 

I understand the haste but we try to avoid changes which are not 
upstream, yet as much as possible. There is always the danger of things 
changing before they hit. That said, an early integration point is 
linux-next. That is a middle ground which is acceptable. It looks like 
the change made it there and we can add

(backported from commit d2c773159327f4d2f6438acf1ae2ae9ac0ca46a9 linux-next)

instead of your maintainer tree reference when applying.

Acked-by: Stefan Bader <stefan.bader at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250912/05abfb4d/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250912/05abfb4d/attachment-0001.sig>

More information about the kernel-team mailing list