Reduce memory churn in netlink_handler

auditd allocates a new struct auditd_event each time the netlink handler
(netlink_handler) reads a record. The handler keeps a single pointer
(cur_event) to the currently processed record. When the optional
configuration worker finishes, it sends the event back via reconfig_ev
and the pipe handler frees it. Thus only one event structure is normally
active in the netlink handler. A second structure exists only temporarily
during reconfiguration (held in reconfig_ev). Once an event is processed,
distribute_event() copies it into a new event_t structure for the dispatcher
queue. The dispatcher queue (audisp/queue.c) can hold up to the configured
depth (default 2000). Each queued entry is freed after all plugins process
it. The dispatch thread later frees the record.

Only one (occasionally two) auditd_event objects exist at any given time.
Preallocating a small static instance (or a pool of two) would remove nearly
all per‑event allocations without additional complexity.

Author: stevegrubb

src/auditd-event.c

@@ -54,6 +54,11 @@ extern volatile ATOMIC_INT stop;
 #endif
 
 extern void update_report_timer(unsigned int interval);
+/*
+ * This function is provided by auditd.c and marked weak so test utilities
+ * that don't link auditd.c can still link this file.
+ */
+extern int event_is_prealloc(struct auditd_event *e) __attribute__((weak));
 
 /* Local function prototypes */
 static void send_ack(const struct auditd_event *e, int ack_type,
@@ -580,7 +585,8 @@ void cleanup_event(struct auditd_event *e)
 	// into the middle of the reply allocation. Check for it.
 	if (e->reply.message != e->reply.msg.data)
 		free((void *)e->reply.message);
-	free(e);
+	if (!event_is_prealloc || !event_is_prealloc(e))
+		free(e);
 }
 
 /* This function takes a  reconfig event and sends it to the handler */

src/auditd.c

@@ -82,6 +82,12 @@ static const char *pidfile = "/var/run/auditd.pid";
 static const char *state_file = "/var/run/auditd.state";
 static int init_pipe[2];
 static int do_fork = 1, opt_aggregate_only = 0, config_dir_set = 0;
+/*
+ * Small pool of reusable event structures. The netlink handler needs
+ * one event while processing the current record and a second for
+ * reconfigure work. Keeping them here avoids repeated allocations.
+ */
+struct auditd_event event_pool[2];
 static struct auditd_event *cur_event = NULL, *reconfig_ev = NULL;
 static ATOMIC_INT hup_info_requested = 0;
 static ATOMIC_INT usr1_info_requested = 0, usr2_info_requested = 0;
@@ -95,6 +101,9 @@ int send_audit_event(int type, const char *str);
 static void clean_exit(void);
 static int get_reply(int fd, struct audit_reply *rep, int seq);
 static char *getsubj(char *subj);
+/* Manage access to the preallocated event pool */
+static struct auditd_event *alloc_pool_event(void);
+int event_is_prealloc(struct auditd_event *e);
 
 enum startup_state {startup_disable=0, startup_enable, startup_nochange,
 	startup_INVALID};
@@ -536,6 +545,30 @@ static void tell_parent(int status)
 	} while (rc < 0 && errno == EINTR);
 }
 
+/*
+ * alloc_pool_event - return an unused entry from event_pool
+ *
+ * The pool holds two structures so the netlink handler and the
+ * configuration worker can each have one. NULL is returned if both
+ * are already in use.
+ */
+static struct auditd_event *alloc_pool_event(void)
+{
+	if (cur_event != &event_pool[0] && reconfig_ev != &event_pool[0])
+		return &event_pool[0];
+	if (cur_event != &event_pool[1] && reconfig_ev != &event_pool[1])
+		return &event_pool[1];
+	return NULL;
+}
+
+/*
+ * event_is_prealloc - true if 'e' points into event_pool
+ */
+int event_is_prealloc(struct auditd_event *e)
+{
+	return e == &event_pool[0] || e == &event_pool[1];
+}
+
 static void netlink_handler(struct ev_loop *loop, struct ev_io *io,
 			int revents)
 {
@@ -546,7 +579,8 @@ static void netlink_handler(struct ev_loop *loop, struct ev_io *io,
 	// FIXME: backing down to 3 until IPC is faster
 	while (rc > 0 && cnt < 3) {
 		if (cur_event == NULL) {
-			if ((cur_event = malloc(sizeof(*cur_event))) == NULL) {
+			cur_event = alloc_pool_event();
+				if (cur_event == NULL) {
 				char emsg[DEFAULT_BUF_SZ];
 				if (*subj)
 					snprintf(emsg, sizeof(emsg),
@@ -1079,9 +1113,8 @@ int main(int argc, char *argv[])
 		} 
 	} 
 	if (rc <= 0)
-		send_audit_event(AUDIT_DAEMON_END, 
+		send_audit_event(AUDIT_DAEMON_END,
 		"op=terminate auid=-1 uid=-1 ses=-1 pid=-1 subj=? res=success");
-	free(cur_event);
 
 	// Tear down IO watchers Part 2
 	if (!opt_aggregate_only)