[PATCH v5 4/4] apparmor: limit the number of buffers in percpu cache

John Johansen john.johansen at canonical.com
Tue Oct 17 09:26:35 UTC 2023


Force buffers to be returned to the global pool, regardless of contention
when the percpu cache is full. This ensures that the percpu buffer list
never grows longer than needed.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
  security/apparmor/lsm.c | 9 ++++++++-
  1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 52423d88854a..e6765f64f6bf 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -56,6 +56,7 @@ struct aa_local_cache {
  	struct list_head head;
  };
  
+#define MAX_LOCAL_COUNT 2
  #define RESERVE_COUNT 2
  static int reserve_count = RESERVE_COUNT;
  static int buffer_count;
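Review bot: MAX_LOCAL_COUNT is introduced without a comment, and nothing next to it says what the value 2 bounds or why it was chosen. A one-line comment above the define would record the intent, for example `/* percpu list length at which aa_put_buffer() takes aa_buffers_lock unconditionally instead of trylock */`. It sits directly above RESERVE_COUNT, which has the same value, so a short note on how the two differ would also help whoever tunes them later.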
@@ -1878,9 +1879,15 @@ void aa_put_buffer(char *buf)
  
  	cache = get_cpu_ptr(&aa_local_buffers);
  	if (!cache->hold) {
+		bool must_lock = cache->count >= MAX_LOCAL_COUNT;
+
  		put_cpu_ptr(&aa_local_buffers);
  
-		if (spin_trylock(&aa_buffers_lock)) {
+		if (must_lock) {
+			spin_lock(&aa_buffers_lock);
+			goto locked;
+		} else if (spin_trylock(&aa_buffers_lock)) {
+		locked:
  			/* put back on global list */
  			list_add(&aa_buf->list, &aa_global_buffers);
  			buffer_count++;
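Review bot: The new cap is evaluated only inside the `if (!cache->hold)` branch, so a put that arrives while `hold` is non-zero never computes `must_lock`. If the path outside this hunk still adds the buffer to the percpu list in that case, `cache->count` can exceed MAX_LOCAL_COUNT, and the commit message's "never grows longer than needed" becomes best-effort. Consider testing the count before the hold check, e.g. `if (!cache->hold || cache->count >= MAX_LOCAL_COUNT) {`, or state in a comment that the limit is approximate. As a style point, `goto locked` jumps into the body of the `else if`; `if (must_lock) spin_lock(&aa_buffers_lock);` followed by `if (must_lock || spin_trylock(&aa_buffers_lock)) {` takes the same lock without the label. aa_put_buffer's body starts and ends outside the hunk, so the unlock and percpu fallback paths could not be checked here.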
-- 
2.34.1



