diff options
author | Mateusz Guzik <mjguzik@gmail.com> | 2024-08-06 15:36:07 +0200 |
---|---|---|
committer | Mimi Zohar <zohar@linux.ibm.com> | 2024-10-10 04:49:40 +0200 |
commit | 699ae6241920b0fa837fa57e61f7d5b0e2e65b58 (patch) | |
tree | b99ff2c7fe9901af26c9381c16689731432170e6 | |
parent | ima: fix buffer overrun in ima_eventdigest_init_common (diff) | |
download | linux-699ae6241920b0fa837fa57e61f7d5b0e2e65b58.tar.xz linux-699ae6241920b0fa837fa57e61f7d5b0e2e65b58.zip |
evm: stop avoidably reading i_writecount in evm_file_release
The EVM_NEW_FILE flag is unset if the file already existed at the time
of open and this can be checked without looking at i_writecount.
Not accessing it reduces traffic on the cacheline during parallel open
of the same file and drop the evm_file_release routine from second place
to bottom of the profile.
Fixes: 75a323e604fc ("evm: Make it independent from 'integrity' LSM")
Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Cc: stable@vger.kernel.org # 6.9+
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-rw-r--r-- | security/integrity/evm/evm_main.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 6924ed508ebd..377e57e9084f 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -1084,7 +1084,8 @@ static void evm_file_release(struct file *file) if (!S_ISREG(inode->i_mode) || !(mode & FMODE_WRITE)) return; - if (iint && atomic_read(&inode->i_writecount) == 1) + if (iint && iint->flags & EVM_NEW_FILE && + atomic_read(&inode->i_writecount) == 1) iint->flags &= ~EVM_NEW_FILE; } |