Page MenuHomeFreeBSD
Differential D53176

audit: convert audit event class lookup to lockless
Needs ReviewPublic
Actions

Authored by gallatin on Fri, Oct 17, 6:36 PM.
Tags
None
Referenced Files
F132560530: D53176.id.diff
Fri, Oct 17, 11:51 PM
F132557377: D53176.diff
Fri, Oct 17, 11:12 PM
Unknown Object (File)
Fri, Oct 17, 9:42 PM
Unknown Object (File)
Fri, Oct 17, 8:57 PM
Unknown Object (File)
Fri, Oct 17, 8:55 PM
Unknown Object (File)
Fri, Oct 17, 8:24 PM
Subscribers
imp

Details

Reviewers
rwatson
mjg
gleb
markj
Summary

When system call auditing is configured, we see measurable performance loss on high core count servers due to atomic operations in the uncontended rw read lock of evclass_lock. This rw lock protects the evclass hash table. A contrived example of 64 threads continuously reading a byte from per-thread files shows 99% of the time spent in this stack: amd64_syscall -> audit_syscall_enter -> au_event_class -> __rw_rlock_int

Given that the evclass hash table can never have items removed, only added, using a mutex to serialize additions and converting to ck_list allows sufficient protection for lockless lookups. In the contrived example, this change increases performance from 5M reads/sec to 70M reads/sec on an AMD 7502P. In the real world, it gets us back about 1.5% CPU on busy servers.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

gallatin created this revision.Fri, Oct 17, 6:36 PM
Herald added a subscriber: imp. · View Herald TranscriptFri, Oct 17, 6:36 PM
gallatin requested review of this revision.Fri, Oct 17, 6:36 PM
mjg added a comment.EditedSat, Oct 18, 2:50 AM

Do you have stats how many classes can be realistically present? maybe this would be way faster single-threaded by iterating an array?

Revision Contents
Changeset List

PathSize
sys/
security/
audit/
28 lines

Diff 164449

View Options

sys/security/audit/audit_bsm_db.c

Loading...