systemd-journald: very large virt memory leak (heap)

[nyetwurk]

Debian 240-4

VSS/VSIZE growing very rapidly without bound.

#9141

https://bugzilla.redhat.com/show_bug.cgi?id=1665931

$ sudo pmap --extended $(pidof systemd-journald) | sort -rnk 2 | head
0000563884697000 7910112   33504   33504 rw---   [ anon ]
00007f6950a81000    8192    7432    7432 rw-s- system@2bbaf66c15df446c9f33ec3169b8d32a-0000000000000001-00057fc6d38900f9.journal
00007f6950080000    8192    6992    6992 rw-s- system@2bbaf66c15df446c9f33ec3169b8d32a-0000000000000001-00057fc6d38900f9.journal
00007f694f880000    8192    7272    7272 rw-s- system@2bbaf66c15df446c9f33ec3169b8d32a-0000000000000001-00057fc6d38900f9.journal
00007f694f080000    8192    7388    7388 rw-s- system@2bbaf66c15df446c9f33ec3169b8d32a-0000000000000001-00057fc6d38900f9.journal
00007f694e880000    8192    6616    6616 rw-s- system@2bbaf66c15df446c9f33ec3169b8d32a-0000000000000001-00057fc6d38900f9.journal
00007f694e080000    8192    6896    6896 rw-s- system@2bbaf66c15df446c9f33ec3169b8d32a-0000000000000001-00057fc6d38900f9.journal
00007f694d0b5000    8192    3368    3368 rw-s- system.journal
00007f694c8b5000    8192       8       8 rw---   [ anon ]
00007f694d8b5000    7980    4308    4308 rw-s- system@2bbaf66c15df446c9f33ec3169b8d32a-0000000000000001-00057fc6d38900f9.journal

-XX says its heap

$ sudo pmap -XX $(pidof systemd-journald)
9265:   /lib/systemd/systemd-journald
         Address Perm   Offset Device   Inode    Size KernelPageSize MMUPageSize   Rss   Pss Shared_Clean Shared_Dirty Private_Clean Private_Dirty Referenced Anonymous LazyFree AnonHugePages ShmemPmdMapped Shared_Hugetlb Private_Hugetlb Swap SwapPss Locked              VmFlags Mapping
....
    563884697000 rw-p 00000000  00:00       0 7946976              4           4 33652 33652            0            0             0         33652      30888     33652        0             0              0              0               0    0       0      0    rd wr mr mw me ac [heap]

Grows without bound until it is restarted

~$ sudo ps axuk-vsz | head
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      9265  0.0  1.0 8005204 89416 ?       Ss   Jan18   0:09 /lib/systemd/systemd-journald
mysql     1025  0.3  2.5 1867820 207312 ?      Sl   Jan18   5:47 /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid
nyet       987  0.2  0.2 1016720 23752 ?       Ssl  Jan18   4:14 /usr/bin/rslsync --config /etc/resilio-sync/nyet.conf
root       938  0.2  0.3 848372 24728 ?        Ssl  Jan18   3:59 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
clamav     710  0.0  7.4 842544 604508 ?       Ssl  Jan18   1:04 /usr/sbin/clamd --foreground=true
bind       966  0.0  0.7 446904 60704 ?        Ssl  Jan18   0:46 /usr/sbin/named -u bind
nobody     912  0.0  0.0 409888  3296 ?        Ssl  Jan18   0:19 /usr/bin/memcached -m 64 -p 11211 -u nobody -l 127.0.0.1
root       699  0.0  0.1 403960 11484 ?        Ssl  Jan18   0:00 /usr/lib/udisks2/udisksd
_graphi+ 16835  0.0  0.5 389808 45980 ?        Sl   00:00   0:03 (wsgi:_graphite)  -k start

More importantly, you can see it was fine until I "upgraded" systemd on around Jan 14

2019-01-14 06:26:04 upgrade systemd:amd64 240-3 240-4

[nyetwurk]

From the debian changelog:

systemd (240-4) unstable; urgency=medium

  [ Benjamin Drung ]
  * Fix shellcheck issues in initramfs-tools scripts

  [ Michael Biebl ]
  * Import patches from v240-stable branch (up to f02b5472c6)
    - Fixes a problem in logind closing the controlling terminal when using
      startx. (Closes: #918927)
    - Fixes various journald vulnerabilities via attacker controlled alloca.
      (CVE-2018-16864, CVE-2018-16865, Closes: #918841, Closes: #918848)
  * sd-device-monitor: Fix ordering of setting buffer size.
    Fixes an issue with uevents not being processed properly during coldplug
    stage and some kernel modules not being loaded via "udevadm trigger".
    (Closes: #917607)
  * meson: Stop setting -fPIE globally.
    Setting -fPIE globally can lead to miscompilations on certain
    architectures. Instead use the b_pie=true build option, which was
    introduced in meson 0.49. Bump the Build-Depends accordingly.
    (Closes: #909396)

[nyetwurk]

If anyone has a copy of systemd_240-3_amd64.deb I'd appreciate it so I can verify the regression.
Downgrading to https://snapshot.debian.org/package/systemd/240-3/#systemd_240-3 for testing. Will post results.

[nyetwurk]

Confirmed that rolling back to 240-3 fixes the issue.

Looks like it might be unique to downstream distros (e.g. debian, rh), possibly related to

https://salsa.debian.org/systemd-team/systemd/commit/ce0e48e43979e955df2413dca23c64088a729ed8

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918848
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918841

[nyetwurk]

Likely one of these three:
https://security-tracker.debian.org/tracker/CVE-2018-16864
084eeb8
https://security-tracker.debian.org/tracker/CVE-2018-16865
052c57f
ef4d6ab

[keszybz]

FWIW, I does seem that something is wrong. But I can't pinpoint the issue. I see a growth of RSS and VIRT over the time, and it doesn't seem to go back down. I don't think this is related to recent changes though. I get very similar behaviour with git master, v240-stable~10, v239-stable~10, and v238-stable~10, and finally with v238 (built with some work-arounds for the unrelated build issues). So right now I don't think that the recent patches are responsible.

There was 3de8ff5 'journald: bump rate limits'. It makes it easier to reach high memory use, because there's less throttling. So maybe the problem was there before, but it's been exposed by the limit changes.

@nyetwurk note that the debian package didn't restart journald on restart (I didn't check recently, but it was certainly true in the past). So it is possible that despite some upgrades, you were in fact running a yet-older version. If you can reliably reproduce the issue, then please bisect it to a specific patch.

[keszybz]

I'll also note that valgrind doesn't report anything, and I confirmed using gdb that the string that is allocated in 084eeb8 is in fact freed. I don't see any error in that patch.

[nyetwurk]

@keszybz Note that RSS is not apparently growing, so it might not be a memory leak that valgrind can detect; it may be memory fragmentation or some other mmap related leak that only leaks vm address space. Regarding journald restarting - downgrading to deb 240-3 definitely fixes it, and reinstalling 240-4 definitely brings the problem back. There were no cases where swapping between the two had no effect. Note that this is using deb packages which do not track this upstream repo 1:1. Time permitting I will try to narrow it down to a single deb patch.

[poettering]

Maybe ef30f7c?

[JustArchi]

I'm also suffering from this issue, also using 240-4 and also on Debian, thank you for trying to find out what is wrong. Everything worked fine previously.

root@archi:/var/log# sudo pmap --extended $(pidof systemd-journald) | sort -rnk 2 | head
00005633d1ed3000 31505468  171728  171728 rw---   [ anon ]
00007fdb56c40000    8192       8       8 rw---   [ anon ]
00007fdb561c6000    8192       8       8 rw---   [ anon ]
00007fdb578ba000    2532    1140    1140 rw-s- system.journal
00007fdb569c6000    2532    1300    1300 rw-s- system@13e12349e4894096875d81e596730116-0000000000009fe8-00057ff6e146d626.journal
00007fdb57b33000    2068       8       8 rw---   [ anon ]
00007fdb5914b000    2048       0       0 ----- libcap.so.2.25
00007fdb58f45000    2048       0       0 ----- libacl.so.1.1.0
00007fdb588fc000    2048       0       0 ----- libidn.so.11.6.16
00007fdb5937c000    2044       0       0 ----- libselinux.so.1

root@archi:/var/log# sudo ps axuk-vsz | head
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     19617  0.0  8.7 31558732 177508 ?     Ss   Jan18   0:56 /lib/systemd/systemd-journald

This was after upgrade from 240-3 to 240-4, I've rebooted the machine now and checking if it fixes the issue.

[keszybz]

Maybe ef30f7c?

I thought it's a candidate too, but it seems correct.

Also, please note that people report that is started occuring between -3 and -4 for them, which leaves 084eeb8 as the only good candidate. My thinking is that somehow allocating this string creates an allocation pattern that causes the address space to grow.

[JustArchi]

Reboot didn't fix the issue for me, every line being logged to logfiles seems to cause a memory leak, this is visible even by just executing sudo pmap --extended $(pidof systemd-journald) | sort -rnk 2 | head -n 1 in a loop, since it logs sudo usage to /var/log/auth.log. It's probably a good idea to prioritize this issue, as the memory leak is severe enough.

With sleep 0.1 and 10 lines per second logged, it's approx 1 MB of leak per ~20-30 seconds on my machine.

The workaround for now is having /bin/systemctl restart systemd-journald in cron, I've put it with execution of each hour since I can't really afford more than a few dozen megabytes of leak at most.

[shartge]

I just rebuild Debians systemd-240-4 with 084eeb8 removed and I can still reproduce the problem:

while true; do sudo pmap --extended $(pidof systemd-journald) | sort -rnk 2 | head -n 1; done
[...]
000055c36618f000  948500    4040    4040 rw---   [ anon ]
000055c36618f000  950548    4048    4048 rw---   [ anon ]
000055c36618f000  952600    4056    4056 rw---   [ anon ]
000055c36618f000  954652    4064    4064 rw---   [ anon ]
000055c36618f000  956704    4072    4072 rw---   [ anon ]
000055c36618f000  958756    4080    4080 rw---   [ anon ]
000055c36618f000  960808    4088    4088 rw---   [ anon ]
000055c36618f000  964904    4104    4104 rw---   [ anon ]
000055c36618f000  966952    4112    4112 rw---   [ anon ]
000055c36618f000  969000    4120    4120 rw---   [ anon ]
000055c36618f000  971048    4128    4128 rw---   [ anon ]
000055c36618f000  973096    4136    4136 rw---   [ anon ]
000055c36618f000  975144    4144    4144 rw---   [ anon ]
000055c36618f000  977192    4152    4152 rw---   [ anon ]

[nyetwurk]

https://bugzilla.redhat.com/show_bug.cgi?id=1666690

[vcaputo]

It appears this is purely a distribution-backport introduced leak, has anyone reproduced it in vanilla upstream v240?

If it's only a distro problem we don't really have anything to do here.

[nyetwurk]

deb 240-4 is fairly close to the vanilla 240 tag here. Still haven't had time to do bisect or test specific debian changes yet... I will add to this bug as I gather more information.

[shartge]

I recompiled the current HEAD of the vanilla systemd git, running inside a nspawn container and I am able to reproduce the problem.

systemd 240-285-g61a38e0 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
Detected virtualization systemd-nspawn.
Detected architecture x86-64.

# while true; do sudo pmap --extended $(pidof systemd-journald) | sort -rnk 2 | head -n 1; done
[....]
000055d188044000 1490304   67452   67452 rw---   [ anon ]
000055d188044000 1492356   67460   67460 rw---   [ anon ]
000055d188044000 1494408   67472   67472 rw---   [ anon ]
000055d188044000 1496464   67480   67480 rw---   [ anon ]
000055d188044000 1498516   67488   67488 rw---   [ anon ]
000055d188044000 1500568   67496   67496 rw---   [ anon ]
000055d188044000 1502620   67504   67504 rw---   [ anon ]
[....]

[nyetwurk]

@shartge any chance you have time to run a bisect? I may abandon my deb specific efforts and focus on trying to fix HEAD here then instead.

[shartge]

I am bisecting as I write this. 5 more steps to go.

[shartge]

Here are my first results:

2d5d2e0cc5171c6795d2a485841474345d9e30ab is the first bad commit
commit 2d5d2e0cc5171c6795d2a485841474345d9e30ab
Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date:   Wed Dec 5 18:48:23 2018 +0100

    basic/process-util: limit command line lengths to _SC_ARG_MAX
    
    This affects systemd-journald and systemd-coredump.
    
    Example entry:
    $ journalctl -o export -n1 'MESSAGE=Something logged'
    __CURSOR=s=976542d120c649f494471be317829ef9;i=34e;b=4871e4c474574ce4a462dfe3f1c37f06;m=c7d0c37dd2;t=57c4ac58f3b98;x=67598e942bd23dc0
    __REALTIME_TIMESTAMP=1544035467475864
    __MONOTONIC_TIMESTAMP=858200964562
    _BOOT_ID=4871e4c474574ce4a462dfe3f1c37f06
    PRIORITY=6
    _UID=1000
    _GID=1000
    _CAP_EFFECTIVE=0
    _SELINUX_CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    _AUDIT_SESSION=1
    _AUDIT_LOGINUID=1000
    _SYSTEMD_OWNER_UID=1000
    _SYSTEMD_UNIT=user@1000.service
    _SYSTEMD_SLICE=user-1000.slice
    _SYSTEMD_USER_SLICE=-.slice
    _SYSTEMD_INVOCATION_ID=1c4a469986d448719cb0f9141a10810e
    _MACHINE_ID=08a5690a2eed47cf92ac0a5d2e3cf6b0
    _HOSTNAME=krowka
    _TRANSPORT=syslog
    SYSLOG_FACILITY=17
    SYSLOG_IDENTIFIER=syslog-caller
    MESSAGE=Something logged
    _COMM=poc
    _EXE=/home/zbyszek/src/systemd-work3/poc
    _SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service
    _SYSTEMD_USER_UNIT=gnome-terminal-server.service
    SYSLOG_PID=4108
    SYSLOG_TIMESTAMP=Dec  5 19:44:27
    _PID=4108
    _CMDLINE=./poc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>
    _SOURCE_REALTIME_TIMESTAMP=1544035467475848
    
    $ journalctl -o export -n1 'MESSAGE=Something logged' --output-fields=_CMDLINE|wc
          6    2053 2097410
    
    2MB might be hard for some clients to use meaningfully, but OTOH, it is
    important to log the full commandline sometimes. For example, when the program
    is crashing, the exact argument list is useful.

:040000 040000 61de2318a2691f16b2f5118f1cb37b0918acd6e9 37383790b09baba9d83c00f1dc0a597e1f24a152 M      src

[shartge]

I tried a second time on a different machine, same results.

git bisect start
# good: [1742aae2aa8cd33897250d6fcfbe10928e43eb2f] NEWS: add one more name and adjust location
git bisect good 1742aae2aa8cd33897250d6fcfbe10928e43eb2f
# bad: [61a38e02650b8e7f097cadaa40aab0847605a383] wait-online: do not fail if we receive invalid messages
git bisect bad 61a38e02650b8e7f097cadaa40aab0847605a383
# bad: [b5af8c8cdf5fc7cc5d4108460270728375eb7fc4] udev: open control and netlink sockets before daemonization
git bisect bad b5af8c8cdf5fc7cc5d4108460270728375eb7fc4
# good: [7b77689c309dac3e7746befd3df5c13eb3f44bc6] Merge pull request #11328 from keszybz/static-array-size-declarations
git bisect good 7b77689c309dac3e7746befd3df5c13eb3f44bc6
# good: [ff650ffe348b3a22f2fe4ef6b579526d9e55a6ee] test: add testcases for the lines prefixed with whitespaces
git bisect good ff650ffe348b3a22f2fe4ef6b579526d9e55a6ee
# good: [3f1af087a99ee3d96cb4e6cacee6370ee76b81fd] Merge pull request #11352 from yuwata/rfe-11348
git bisect good 3f1af087a99ee3d96cb4e6cacee6370ee76b81fd
# bad: [2d5d2e0cc5171c6795d2a485841474345d9e30ab] basic/process-util: limit command line lengths to _SC_ARG_MAX
git bisect bad 2d5d2e0cc5171c6795d2a485841474345d9e30ab
# good: [82d9ac23fd5ab2befe2a95187640a8d38799dd64] udev-node: make link_find_prioritized() return negative value when nothing found
git bisect good 82d9ac23fd5ab2befe2a95187640a8d38799dd64
# good: [4f62556d71206ac814a020a954b397d4940e14c3] coredump: remove duplicate MESSAGE= prefix from message
git bisect good 4f62556d71206ac814a020a954b397d4940e14c3
# good: [084eeb865ca63887098e0945fb4e93c852b91b0f] journald: do not store the iovec entry for process commandline on stack
git bisect good 084eeb865ca63887098e0945fb4e93c852b91b0f
# first bad commit: [2d5d2e0cc5171c6795d2a485841474345d9e30ab] basic/process-util: limit command line lengths to _SC_ARG_MAX

[shartge]

Confirmation: Using current HEAD and reverting 2d5d2e0 fixes this problem for me.

[shartge]

But of course I have no idea what other problems this causes or will cause. I really don't know enough C to be of any more use here.

[JustArchi]

Now that we know the exact commit that caused it, let's just tag for @keszybz and wait for a bugfix, thanks for debugging this guys 🙂

[vcaputo]

@shartge Thank you very much for your help with the bisect.

@keszybz @poettering I suspect what's going on here just looks like a leak but is actually the process metadata caching exploding in size because get_process_cmdline() is always allocating _SC_ARG_MAX-sized buffers for the cmdline string now. Judging from CACHE_MAX @ 16KiB, if _SC_ARG_MAX is 2MiB, 32GiB would be the cap of cmdline memory alone.

[jamespharvey20]

Arch Linux, v240.34-3, which is pretty much upstream commit f02b547. It also cherry picks 8ca9e9 and ee0b9e.

I have a virtual machine with 1GB of memory, and this bug crashed the system. After this occurred, if I typed in open ssh sessions, I saw the characters echoing, but it wouldn't execute any commands. Opening new ssh sessions got to the point where it would show me my last login, but then nothing else - I let it go for an hour, before hard rebooting the VM. Trying to login from console (web virtual console for the VM) never got to a shell prompt either. Can't remember if it asked for my password or gave me last login info. (Also let this go for an hour, at the same time as trying a new ssh.)

Juicy part of log below, full log after the problem here:
systemd.bug.txt

That's the end of the log. Since I gave it an hour before rebooting, it should have synced, so I'm guessing it was just done at that point.

Hopefully not only the leak can be fixed, but whatever prevented it from gracefully restarting properly and crashed the system can be fixed.

On 12/21/2018, upgraded to 239.370-1 (3bf819c.) I don't think it had this bug, because it stayed up until 1/16/2019, when I upgraded to 240.34-3 (f02b547.) It then took the system down in about 5 days.

Jan 21 20:44:28 wiki kernel: systemd-network invoked oom-killer: gfp_mask=0x6200ca(GFP_HIGHUSER_MOVABLE), nodemask=(null), order=0, oom_score_adj=0
Jan 21 20:44:28 wiki kernel: systemd-network cpuset=/ mems_allowed=0
Jan 21 20:44:28 wiki kernel: CPU: 0 PID: 259 Comm: systemd-network Not tainted 4.20.2-arch1-1-ARCH #1
Jan 21 20:44:28 wiki kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
...
Jan 21 20:44:28 wiki kernel: Tasks state (memory values in pages):
Jan 21 20:44:28 wiki kernel: [  pid  ]   uid  tgid total_vm      rss pgtables_bytes swapents oom_score_adj name                                                                 
Jan 21 20:44:28 wiki kernel: [    244]     0   244  7278027    30544 58359808        0             0 systemd-journal                                                            
...
Jan 21 20:44:28 wiki kernel: Out of memory: Kill process 244 (systemd-journal) score 177 or sacrifice child
Jan 21 20:44:28 wiki kernel: Killed process 244 (systemd-journal) total-vm:29112108kB, anon-rss:122172kB, file-rss:0kB, shmem-rss:4kB
...
Jan 21 20:44:28 wiki systemd[1]: systemd-journald.service: Scheduled restart job, restart counter is at 1.
...
Jan 21 20:44:27 wiki systemd[1]: systemd-journald.service: Main process exited, code=killed, status=9/KILL
...
Jan 21 20:44:27 wiki systemd[1]: systemd-journald.service: Failed with result 'signal'.

[msekletar]

@shartge I posted a PR in attempt to fix this bug. I'd be super grateful if you could apply it on top of the HEAD and run it against your bisect script.

[shartge]

Will do, as soon as I have access to my testbed again.

But you can easily test this yourself, the reproducer is just running

while true; do sudo pmap --extended $(pidof systemd-journald) | sort -rnk 2 | head -n 1; done

and checking if the number in the second column grows or stays the same. (Using sudohere is important, even when running as root, to produce something for the journal to process.)

[shartge]

The heap does still grow with your change, but at a much much slower rate.

But it still grows with ever message processed. On a busy system this will still cause resource exhaustion after some time.

[shartge]

To put things in perspective:

vanilla HEAD: after 1000 iterations the heap is up to 2GiB in size:

1000: 0000556b0843a000 2005496 130772 130772 rw--- [ anon ]

vanilla + #11527: after 2000 iterations we are only up to ~13MiB:

2000: 000055843bc4f000 12724 8752 8752 rw--- [ anon ]

It will keep growing, roughly 8MiB per 2000 iterations.

[msekletar]

It will keep growing, roughly 8MiB per 2000 iterations.

Does the growth ever stop?

[shartge]

Does the growth ever stop?

If it does, I haven't been able to observe this yet. My test is at 30000 iterations right now and it is still growing.

[shartge]

Scratch that, I was looking at the wrong terminal. The test with your first attempt seems to have stabilized itself at

16314 00005640de29e000   75792   73576   73576 rw---   [ anon ]
16315 00005640de29e000   75792   73584   73584 rw---   [ anon ]
16316 00005640de29e000   75792   73592   73592 rw---   [ anon ]
16317 00005640de29e000   75792   73600   73600 rw---   [ anon ]
16318 00005640de29e000   77852   73608   73608 rw---   [ anon ]
16319 00005640de29e000   77852   73612   73612 rw---   [ anon ]
16320 00005640de29e000   77852   73616   73616 rw---   [ anon ]
16321 00005640de29e000   77852   73620   73620 rw---   [ anon ]
16322 00005640de29e000   77852   73628   73628 rw---   [ anon ]

So after roughlly 2^14 log messages we seem to hit an equilibrium.

[keszybz]

The cache is defined as 16*1024, which is exactly 2^14. Excellent guess!

[shartge]

JFTR: Applying #11527 on top of Debians 240-4 also fixes Bug#920018