On Mon, Apr 13, 2026 at 6:13 PM Linus Torvalds <[email protected]> wrote: > > On Fri, 10 Apr 2026 at 16:26, Paul Moore <[email protected]> wrote: > > > > We've only got a few audit patches for the v7.1 merge window, the > > highlights are below: > > Pulled. However, can I ask you to take a look at my reply to one of > the vfs pulls, which was actually triggered by audit overhead? > > It's entirely unrelated to this particular audit pull, but maybe you > have comments? See > > > https://lore.kernel.org/all/CAHk-=wiw53j3vmc1y58-e_8jubjtjgavxdrt+r-w3wpqn+z...@mail.gmail.com/ > > and it's really all about that current "get_fs_pwd()" in > audit_alloc_name(), and the cache contention it causes when lots of > processes share the same pwd and you get everybody just updating the > path refcounts. > > Would it be reasonable to do something along the lines I suggest, > where instead of getting that fairly "global" path refcount, instead > get a reference (with some way to do a copy-on-write break on it) to > 'struct fs_struct' instead? No, we don't have that infrastructure (but > it doesn't seem _hugely_ complicated - famous last words), and yes, in > a heavily threaded app you'd still have potentially lots of threads > sharing a 'struct fs_struct', but at least that thing is local to the > process, so it's not shared beyond that. > > And no, I don't expect that you'd actually start being interested in > the current root in auditing, but from a bigger VFS perspective, root > and pwd really are just two instances of the exact same thing and I > despise that spull that makes them different at a VFS level.
It seems reasonable. Perhaps some gotchas will pop up as someone writes the code, but it's worth a shot as far as I'm concerned. I say this a lot, and frankly, it should be evident to anyone who has looked at the code: the audit stuff is pretty garbage. It mostly works and solves real user problems, so there is that, but the design is awful and the implementation is worse. I have been off-and-on working on a replacement for some time, but most of the time I only get a day or so to work on it before another fire demands attention; progress is glacially slow. That said, if someone wants to send me a patch to convert audit to work off of fs_struct I'd happily take a closer look and merge it if all is well. -- paul-moore.com
