From: James Morris <jmorris@redhat.com>

The patch below reduces kernel memory used by SELinux policy rules by about
37% on 64-bit systems.  This is because the size of struct avtab_node is 40
bytes on 64-bit, and defaults to a size-64 slab.

Creating a slab cache specifically for these structs saves considerable
amounts of kernel memory on 64-bit systems with large rulesets.  'Strict'
policy has over 300k rules, while 'targeted' policy has around 3k rules.

Here's the slabtop output with 64 and 40 byte sized slabs to show the
memory savings, for strict policy:

303475 303447  99%    0.06K   4975       61     19900K avtab_node 
303456 303447  99%    0.04K   3161       96     12644K avtab_node

Also, there are 57% more objects per slab.

Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 25-akpm/security/selinux/ss/avtab.c    |   12 ++++++++++--
 25-akpm/security/selinux/ss/avtab.h    |    2 ++
 25-akpm/security/selinux/ss/services.c |    1 +
 3 files changed, 13 insertions(+), 2 deletions(-)

diff -puN security/selinux/ss/avtab.c~reduce-selinux-kernel-memory-use-on-64-bit-systems security/selinux/ss/avtab.c
--- 25/security/selinux/ss/avtab.c~reduce-selinux-kernel-memory-use-on-64-bit-systems	Tue Aug 17 15:50:38 2004
+++ 25-akpm/security/selinux/ss/avtab.c	Tue Aug 17 15:50:38 2004
@@ -28,12 +28,14 @@
  (keyp->source_type << 9)) & \
  AVTAB_HASH_MASK)
 
+static kmem_cache_t *avtab_node_cachep;
+
 static struct avtab_node*
 avtab_insert_node(struct avtab *h, int hvalue, struct avtab_node * prev, struct avtab_node * cur,
 		  struct avtab_key *key, struct avtab_datum *datum)
 {
 	struct avtab_node * newnode;
-	newnode = (struct avtab_node *) kmalloc(sizeof(struct avtab_node),GFP_KERNEL);
+	newnode = kmem_cache_alloc(avtab_node_cachep, SLAB_KERNEL);
 	if (newnode == NULL)
 		return NULL;
 	memset(newnode, 0, sizeof(struct avtab_node));
@@ -226,7 +228,7 @@ void avtab_destroy(struct avtab *h)
 		while (cur != NULL) {
 			temp = cur;
 			cur = cur->next;
-			kfree(temp);
+			kmem_cache_free(avtab_node_cachep, temp);
 		}
 		h->htable[i] = NULL;
 	}
@@ -399,3 +401,9 @@ bad:
 	goto out;
 }
 
+void avtab_cache_init(void)
+{
+	avtab_node_cachep = kmem_cache_create("avtab_node",
+					      sizeof(struct avtab_node),
+					      0, SLAB_PANIC, NULL, NULL);
+}
diff -puN security/selinux/ss/avtab.h~reduce-selinux-kernel-memory-use-on-64-bit-systems security/selinux/ss/avtab.h
--- 25/security/selinux/ss/avtab.h~reduce-selinux-kernel-memory-use-on-64-bit-systems	Tue Aug 17 15:50:38 2004
+++ 25-akpm/security/selinux/ss/avtab.h	Tue Aug 17 15:50:38 2004
@@ -78,6 +78,8 @@ struct avtab_node *avtab_search_node(str
 
 struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);
 
+void avtab_cache_init(void);
+
 #define AVTAB_HASH_BITS 15
 #define AVTAB_HASH_BUCKETS (1 << AVTAB_HASH_BITS)
 #define AVTAB_HASH_MASK (AVTAB_HASH_BUCKETS-1)
diff -puN security/selinux/ss/services.c~reduce-selinux-kernel-memory-use-on-64-bit-systems security/selinux/ss/services.c
--- 25/security/selinux/ss/services.c~reduce-selinux-kernel-memory-use-on-64-bit-systems	Tue Aug 17 15:50:38 2004
+++ 25-akpm/security/selinux/ss/services.c	Tue Aug 17 15:50:38 2004
@@ -1034,6 +1034,7 @@ int security_load_policy(void *data, siz
 	LOAD_LOCK;
 
 	if (!ss_initialized) {
+		avtab_cache_init();
 		if (policydb_read(&policydb, fp)) {
 			LOAD_UNLOCK;
 			return -EINVAL;
_