Add a new thread-private flag, TDP_AUDITREC, to indicate whether or

not there is an audit record hung off of td_ar on the current thread.
Test this flag instead of td_ar when auditing syscall arguments or
checking for an audit record to commit on syscall return.  Under
these circumstances, td_pflags is much more likely to be in the cache
(especially if there is no auditing of the current system call), so
this should help reduce cache misses in the system call return path.

MFC after:      1 week
Reported by:    kris
Obtained from:  TrustedBSD Project

3 files changed, 15 insertions, 5 deletions

diff --git a/sys/security/audit/audit.c b/sys/security/audit/audit.c
index 4ea76c6..b46c02c 100644
--- a/sys/security/audit/audit.c
+++ b/sys/security/audit/audit.c
@@ -492,6 +492,8 @@ audit_syscall_enter(unsigned short code, struct thread *td)
 	au_id_t auid;
 
 	KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL"));
+	KASSERT((td->td_pflags & TDP_AUDITREC) == 0,
+	    ("audit_syscall_enter: TDP_AUDITREC set"));
 
 	/*
 	 * In FreeBSD, each ABI has its own system call table, and hence
@@ -542,9 +544,13 @@ audit_syscall_enter(unsigned short code, struct thread *td)
 			panic("audit_failing_stop: thread continued");
 		}
 		td->td_ar = audit_new(event, td);
-	} else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0))
+		if (td->td_ar != NULL)
+			td->td_pflags |= TDP_AUDITREC;
+	} else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) {
 		td->td_ar = audit_new(event, td);
-	else
+		if (td->td_ar != NULL)
+			td->td_pflags |= TDP_AUDITREC;
+	} else
 		td->td_ar = NULL;
 }
 
@@ -572,6 +578,7 @@ audit_syscall_exit(int error, struct thread *td)
 
 	audit_commit(td->td_ar, error, retval);
 	td->td_ar = NULL;
+	td->td_pflags &= ~TDP_AUDITREC;
 }
 
 void
@@ -626,6 +633,8 @@ audit_thread_free(struct thread *td)
 {
 
 	KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL"));
+	KASSERT((td->td_pflags & TDP_AUDITREC) == 0,
+	    ("audit_thread_free: TDP_AUDITREC set"));
 }
 
 void
diff --git a/sys/security/audit/audit.h b/sys/security/audit/audit.h
index 227d2dc..5ba2aee 100644
--- a/sys/security/audit/audit.h
+++ b/sys/security/audit/audit.h
@@ -186,7 +186,7 @@ void	 audit_thread_free(struct thread *td);
  * audit_enabled flag before performing the actual call.
  */
 #define	AUDIT_ARG(op, args...)	do {					\
-	if (td->td_ar != NULL)						\
+	if (td->td_pflags & TDP_AUDITREC)				\
 		audit_arg_ ## op (args);				\
 } while (0)
 
@@ -202,7 +202,7 @@ void	 audit_thread_free(struct thread *td);
  * auditing is disabled, so we don't just check audit_enabled here.
  */
 #define	AUDIT_SYSCALL_EXIT(error, td)	do {				\
-	if (td->td_ar != NULL)						\
+	if (td->td_pflags & TDP_AUDITREC)				\
 		audit_syscall_exit(error, td);				\
 } while (0)
 
@@ -210,7 +210,7 @@ void	 audit_thread_free(struct thread *td);
  * A Macro to wrap the audit_sysclose() function.
  */
 #define	AUDIT_SYSCLOSE(td, fd)	do {					\
-	if (audit_enabled)						\
+	if (td->td_pflags & TDP_AUDITREC)				\
 		audit_sysclose(td, fd);					\
 } while (0)
 
diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c
index b70b10d..7ca797d 100644
--- a/sys/security/audit/audit_syscalls.c
+++ b/sys/security/audit/audit_syscalls.c
@@ -96,6 +96,7 @@ audit(struct thread *td, struct audit_args *uap)
 		td->td_ar = audit_new(AUE_NULL, td);
 		if (td->td_ar == NULL)
 			return (ENOTSUP);
+		td->td_pflags |= TDP_AUDITREC;
 		ar = td->td_ar;
 	}