From: Mateusz Guzik <mjguzik@xxxxxxxxx>
commit 699ae6241920b0fa837fa57e61f7d5b0e2e65b58 upstream.
The EVM_NEW_FILE flag is unset if the file already existed at the time
of open and this can be checked without looking at i_writecount.
Not accessing it reduces traffic on the cacheline during parallel open
of the same file and drop the evm_file_release routine from second place
to bottom of the profile.
Fixes: 75a323e604fc ("evm: Make it independent from 'integrity' LSM")
Signed-off-by: Mateusz Guzik <mjguzik@xxxxxxxxx>
Reviewed-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx # 6.9+
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
security/integrity/evm/evm_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -1084,7 +1084,8 @@ static void evm_file_release(struct file
if (!S_ISREG(inode->i_mode) || !(mode & FMODE_WRITE))
return;
- if (iint && atomic_read(&inode->i_writecount) == 1)
+ if (iint && iint->flags & EVM_NEW_FILE &&
+ atomic_read(&inode->i_writecount) == 1)
iint->flags &= ~EVM_NEW_FILE;
}
Patches currently in stable-queue which might be from mjguzik@xxxxxxxxx are
queue-6.11/evm-stop-avoidably-reading-i_writecount-in-evm_file_release.patch
