Date: Thu, 30 Oct 2008 23:09:20 +0000 (UTC) From: Robert Watson <rwatson@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r184489 - head/sys/security/audit Message-ID: <200810302309.m9UN9KdY063983@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: rwatson Date: Thu Oct 30 23:09:19 2008 New Revision: 184489 URL: http://svn.freebsd.org/changeset/base/184489 Log: When we drop an audit record going to and audit pipe because the audit pipe has overflowed, drop the newest, rather than oldest, record. This makes overflow drop behavior consistent with memory allocation failure leading to drop, avoids touching the consumer end of the queue from a producer, and lowers the CPU overhead of dropping a record by dropping before memory allocation and copying. Obtained from: Apple, Inc. MFC after: 2 months Modified: head/sys/security/audit/audit_pipe.c Modified: head/sys/security/audit/audit_pipe.c ============================================================================== --- head/sys/security/audit/audit_pipe.c Thu Oct 30 21:58:39 2008 (r184488) +++ head/sys/security/audit/audit_pipe.c Thu Oct 30 23:09:19 2008 (r184489) @@ -424,17 +424,22 @@ audit_pipe_preselect(au_id_t auid, au_ev /* * Append individual record to a queue -- allocate queue-local buffer, and - * add to the queue. We try to drop from the head of the queue so that more - * recent events take precedence over older ones, but if allocation fails we - * do drop the new event. + * add to the queue. If the queue is full or we can't allocate memory, drop + * the newest record. */ static void audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len) { - struct audit_pipe_entry *ape, *ape_remove; + struct audit_pipe_entry *ape; AUDIT_PIPE_LOCK_ASSERT(ap); + if (ap->ap_qlen >= ap->ap_qlimit) { + ap->ap_drops++; + audit_pipe_drops++; + return; + } + ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO); if (ape == NULL) { ap->ap_drops++; @@ -453,15 +458,6 @@ audit_pipe_append(struct audit_pipe *ap, bcopy(record, ape->ape_record, record_len); ape->ape_record_len = record_len; - if (ap->ap_qlen >= ap->ap_qlimit) { - ape_remove = TAILQ_FIRST(&ap->ap_queue); - TAILQ_REMOVE(&ap->ap_queue, ape_remove, ape_queue); - audit_pipe_entry_free(ape_remove); - ap->ap_qlen--; - ap->ap_drops++; - audit_pipe_drops++; - } - TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue); ap->ap_inserts++; ap->ap_qlen++;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200810302309.m9UN9KdY063983>