[PATCH] audit: remove the audit freelist
Paul Moore
paul at paul-moore.com
Fri Dec 2 21:59:04 UTC 2016
On Thu, Dec 1, 2016 at 7:09 PM, Florian Westphal <fw at strlen.de> wrote:
> Paul Moore <paul at paul-moore.com> wrote:
>> On Wed, Nov 30, 2016 at 8:44 PM, Florian Westphal <fw at strlen.de> wrote:
>> > Paul Moore <paul at paul-moore.com> wrote:
>> >> On Tue, Nov 15, 2016 at 8:16 AM, Florian Westphal <fw at strlen.de> wrote:
>> >> > allows better debugging as freeing audit buffers now always honors slub
>> >> > debug hooks (e.g. object poisoning) and leak checker can detect the
>> >> > free operation.
>> >> >
>> >> > Removal also results in a small speedup (using
>> >> > single rule 'iptables -A INPUT -i lo -j AUDIT --type drop'):
>> >> >
>> >> > super_netperf 4 -H 127.0.0.1 -l 360 -t UDP_RR -- -R 1 -m 64
>> >> > Before:
>> >> > 294953
>> >> > After:
>> >> > 298013
>> >> >
>> >> > (alloc/free no longer serializes on spinlock, allocator can use percpu
>> >> > pool).
>> >> >
>> >> > Signed-off-by: Florian Westphal <fw at strlen.de>
>> >> > ---
>> >> > kernel/audit.c | 53 ++++++++---------------------------------------------
>> >> > 1 file changed, 8 insertions(+), 45 deletions(-)
>> >>
>> >> Sorry for the delay, I was hoping to have some time to play around
>> >> with this and offer a more meaningful comment ... I've often wondered
>> >> about converting audit_buffer, and audit_context for that matter, over
>> >> to their own kmem_cache; have you considered that? Or was this
>> >> proposed due to simplicity?
>> >
>> > Not sure I understand, you could still convert it on top of this.
>> > (Although audit_buffer is just 24 bytes after this patch so it will
>> > come from 32byte kmalloc slab).
>>
>> I'm not arguing against this patch, partly just musing out loud,
>> partly just seeing if you had experimented with creating a
>> audit_buffer specific kmem_cache (I'm guessing the answer here is
>> "no"). If we do convert to a kmem_cache this patch would be the
>> obvious first step.
>
> It does convert to a kmem_cache, indirectly.
>
> kmalloc() uses builtin_constant_size() magic to resolve the kmalloc to
> kmem_cache_alloc, using the precreated kmalloc_caches[] in slab_common.c .
Yes, understood, I just think there may be some advantages (tracking,
etc.) to using a dedicated audit_buffer kmem_cache rather than the
system wide bucket.
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list