When we drop an audit record going to and audit pipe because the audit

pipe has overflowed, drop the newest, rather than oldest, record.  This
makes overflow drop behavior consistent with memory allocation failure
leading to drop, avoids touching the consumer end of the queue from a
producer, and lowers the CPU overhead of dropping a record by dropping
before memory allocation and copying.

Obtained from:	Apple, Inc.
MFC after:	2 months

1 files changed, 9 insertions, 13 deletions

diff --git a/sys/security/audit/audit_pipe.c b/sys/security/audit/audit_pipe.c
index 399f270..a50b922 100644
--- a/sys/security/audit/audit_pipe.c
+++ b/sys/security/audit/audit_pipe.c
@@ -424,17 +424,22 @@ audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class,
 
 /*
  * Append individual record to a queue -- allocate queue-local buffer, and
- * add to the queue.  We try to drop from the head of the queue so that more
- * recent events take precedence over older ones, but if allocation fails we
- * do drop the new event.
+ * add to the queue.  If the queue is full or we can't allocate memory, drop
+ * the newest record.
  */
 static void
 audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len)
 {
-	struct audit_pipe_entry *ape, *ape_remove;
+	struct audit_pipe_entry *ape;
 
 	AUDIT_PIPE_LOCK_ASSERT(ap);
 
+	if (ap->ap_qlen >= ap->ap_qlimit) {
+		ap->ap_drops++;
+		audit_pipe_drops++;
+		return;
+	}
+
 	ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO);
 	if (ape == NULL) {
 		ap->ap_drops++;
@@ -453,15 +458,6 @@ audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len)
 	bcopy(record, ape->ape_record, record_len);
 	ape->ape_record_len = record_len;
 
-	if (ap->ap_qlen >= ap->ap_qlimit) {
-		ape_remove = TAILQ_FIRST(&ap->ap_queue);
-		TAILQ_REMOVE(&ap->ap_queue, ape_remove, ape_queue);
-		audit_pipe_entry_free(ape_remove);
-		ap->ap_qlen--;
-		ap->ap_drops++;
-		audit_pipe_drops++;
-	}
-
 	TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue);
 	ap->ap_inserts++;
 	ap->ap_qlen++;